TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 71ff969ca255d29180644d6b84fc94d3728daee8 / . / tests / ssl-opt.sh
blob: 1cc1115e0a52452c78f386528963f03b7a0ef31e [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]5# Copyright The Mbed TLS Contributors
Dave Rodgman16799db2023-11-02 19:47:20 +0000[diff] [blame]6# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
Bence Szépkútic7da1fe2020-05-26 01:54:15 +0200[diff] [blame]7#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]8# Purpose
9#
10# Executes tests to prove various TLS/SSL options and extensions.
11#
12# The goal is not to cover every ciphersuite/version, but instead to cover
13# specific options (max fragment length, truncated hmac, etc) or procedures
14# (session resumption from cache or ticket, renego, etc).
15#
16# The tests assume a build with default options, with exceptions expressed
17# with a dependency. The tests focus on functionality and do not consider
18# performance.
19#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]20
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]21set -u
22
Jaeden Amero6e70eb22019-07-03 13:51:04 +0100[diff] [blame]23# Limit the size of each log to 10 GiB, in case of failures with this script
24# where it may output seemingly unlimited length error logs.
25ulimit -f 20971520
26
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]27ORIGINAL_PWD=$PWD
28if ! cd "$(dirname "$0")"; then
29 exit 125
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]30fi
31
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]32DATA_FILES_PATH=../framework/data_files
33
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]34# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]35: ${P_SRV:=../programs/ssl/ssl_server2}
36: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]37: ${P_PXY:=../programs/test/udp_proxy}
Jerry Yud04fd352021-12-06 16:52:57 +0800[diff] [blame]38: ${P_QUERY:=../programs/test/query_compile_time_config}
Manuel Pégourié-Gonnardc5722462022-12-19 11:42:12 +0100[diff] [blame]39: ${OPENSSL:=openssl}
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]40: ${GNUTLS_CLI:=gnutls-cli}
41: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]42: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]43
Manuel Pégourié-Gonnardc5722462022-12-19 11:42:12 +0100[diff] [blame]44# The OPENSSL variable used to be OPENSSL_CMD for historical reasons.
45# To help the migration, error out if the old variable is set,
46# but only if it has a different value than the new one.
47if [ "${OPENSSL_CMD+set}" = set ]; then
48 # the variable is set, we can now check its value
49 if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
50 echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
51 exit 125
52 fi
53fi
54
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]55guess_config_name() {
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]56 if git diff --quiet ../include/mbedtls/mbedtls_config.h 2>/dev/null; then
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]57 echo "default"
58 else
59 echo "unknown"
60 fi
61}
62: ${MBEDTLS_TEST_OUTCOME_FILE=}
63: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
64: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]65: ${EARLY_DATA_INPUT:="$DATA_FILES_PATH/tls13_early_data.txt"}
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]66
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]67O_SRV="$OPENSSL s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
Manuel Pégourié-Gonnardc5722462022-12-19 11:42:12 +0100[diff] [blame]68O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]69G_SRV="$GNUTLS_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
70G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]71TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]72
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]73# alternative versions of OpenSSL and GnuTLS (no default path)
74
Gilles Peskinef9c798c2024-04-29 17:46:24 +0200[diff] [blame]75# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well.
76if [ -z "${OPENSSL_NEXT:-}" ]; then
77 case $($OPENSSL version) in
78 OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;;
79 OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;;
80 esac
81fi
82
83# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well.
84if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then
85 case $($GNUTLS_CLI --version) in
86 gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
87 gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
88 gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
89 esac
90fi
91
92# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well.
93if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then
94 case $($GNUTLS_SERV --version) in
95 gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
96 gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
97 gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
98 esac
99fi
100
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]101if [ -n "${OPENSSL_NEXT:-}" ]; then
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]102 O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
103 O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]104 O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]105 O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt"
XiaokangQiand5d5b602022-05-23 09:16:20 +0000[diff] [blame]106 O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]107else
108 O_NEXT_SRV=false
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]109 O_NEXT_SRV_NO_CERT=false
Xiaokang Qianb0c32d82022-11-02 10:51:13 +0000[diff] [blame]110 O_NEXT_SRV_EARLY_DATA=false
XiaokangQianb1847a22022-06-08 07:49:31 +0000[diff] [blame]111 O_NEXT_CLI_NO_CERT=false
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]112 O_NEXT_CLI=false
113fi
114
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]115if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]116 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]117 G_NEXT_SRV_NO_CERT="$GNUTLS_NEXT_SERV"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]118else
119 G_NEXT_SRV=false
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]120 G_NEXT_SRV_NO_CERT=false
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]121fi
122
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]123if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]124 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
XiaokangQiand5d5b602022-05-23 09:16:20 +0000[diff] [blame]125 G_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]126else
127 G_NEXT_CLI=false
XiaokangQianfb1a3fe2022-06-09 06:37:33 +0000[diff] [blame]128 G_NEXT_CLI_NO_CERT=false
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]129fi
130
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]131TESTS=0
132FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]133SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]134
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]135CONFIG_H='../include/mbedtls/mbedtls_config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]136
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]137MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]138FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]139EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]140
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]141SHOW_TEST_NUMBER=0
Tomás González24552ff2023-08-17 15:10:03 +0100[diff] [blame]142LIST_TESTS=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]143RUN_TEST_NUMBER=''
Jerry Yu50d07bd2023-11-06 10:49:01 +0800[diff] [blame]144RUN_TEST_SUITE=''
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]145
Gilles Peskinec75048c2024-05-17 11:55:15 +0200[diff] [blame]146MIN_TESTS=1
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]147PRESERVE_LOGS=0
148
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]149# Pick a "unique" server port in the range 10000-19999, and a proxy
150# port which is this plus 10000. Each port number may be independently
151# overridden by a command line option.
152SRV_PORT=$(($$ % 10000 + 10000))
153PXY_PORT=$((SRV_PORT + 10000))
154
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]155print_usage() {
156 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]157 printf " -h|--help\tPrint this help.\n"
158 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]159 printf " -f|--filter\tOnly matching tests are executed (substring or BRE)\n"
160 printf " -e|--exclude\tMatching tests are excluded (substring or BRE)\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]161 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]162 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]163 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Tomás González12787c92023-09-04 10:26:00 +0100[diff] [blame]164 printf " --list-test-cases\tList all potential test cases (No Execution)\n"
Gilles Peskinec75048c2024-05-17 11:55:15 +0200[diff] [blame]165 printf " --min \tMinimum number of non-skipped tests (default 1)\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]166 printf " --outcome-file\tFile where test outcomes are written\n"
167 printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
168 printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]169 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]170 printf " --seed \tInteger seed value to use for this test run\n"
Jerry Yu50d07bd2023-11-06 10:49:01 +0800[diff] [blame]171 printf " --test-suite\tOnly matching test suites are executed\n"
172 printf " \t(comma-separated, e.g. 'ssl-opt,tls13-compat')\n\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]173}
174
175get_options() {
176 while [ $# -gt 0 ]; do
177 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]178 -f|--filter)
179 shift; FILTER=$1
180 ;;
181 -e|--exclude)
182 shift; EXCLUDE=$1
183 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]184 -m|--memcheck)
185 MEMCHECK=1
186 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]187 -n|--number)
188 shift; RUN_TEST_NUMBER=$1
189 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]190 -s|--show-numbers)
191 SHOW_TEST_NUMBER=1
192 ;;
Tomás González4a86da22023-09-01 17:41:16 +0100[diff] [blame]193 -l|--list-test-cases)
Tomás González24552ff2023-08-17 15:10:03 +0100[diff] [blame]194 LIST_TESTS=1
195 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]196 -p|--preserve-logs)
197 PRESERVE_LOGS=1
198 ;;
Gilles Peskinec75048c2024-05-17 11:55:15 +0200[diff] [blame]199 --min)
200 shift; MIN_TESTS=$1
201 ;;
Yanray Wang5b33f642023-02-28 11:56:59 +0800[diff] [blame]202 --outcome-file)
203 shift; MBEDTLS_TEST_OUTCOME_FILE=$1
204 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]205 --port)
206 shift; SRV_PORT=$1
207 ;;
208 --proxy-port)
209 shift; PXY_PORT=$1
210 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]211 --seed)
212 shift; SEED="$1"
213 ;;
Jerry Yu50d07bd2023-11-06 10:49:01 +0800[diff] [blame]214 --test-suite)
215 shift; RUN_TEST_SUITE="$1"
216 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]217 -h|--help)
218 print_usage
219 exit 0
220 ;;
221 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]222 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]223 print_usage
224 exit 1
225 ;;
226 esac
227 shift
228 done
229}
230
Tomás González0e8a08a2023-08-23 15:29:57 +0100[diff] [blame]231get_options "$@"
232
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]233# Read boolean configuration options from mbedtls_config.h for easy and quick
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]234# testing. Skip non-boolean options (with something other than spaces
235# and a comment after "#define SYMBOL"). The variable contains a
236# space-separated list of symbols.
Tomás Gonzálezf162b4f2023-08-23 15:31:12 +0100[diff] [blame]237if [ "$LIST_TESTS" -eq 0 ];then
238 CONFIGS_ENABLED=" $(echo `$P_QUERY -l` )"
239else
Tomás Gonzálezbe2c66e2023-09-01 10:34:49 +0100[diff] [blame]240 P_QUERY=":"
Tomás Gonzálezf162b4f2023-08-23 15:31:12 +0100[diff] [blame]241 CONFIGS_ENABLED=""
242fi
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]243# Skip next test; use this macro to skip tests which are legitimate
244# in theory and expected to be re-introduced at some point, but
245# aren't expected to succeed at the moment due to problems outside
246# our control (such as bugs in other TLS implementations).
247skip_next_test() {
248 SKIP_NEXT="YES"
249}
250
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]251# Check if the required configuration ($1) is enabled
252is_config_enabled()
253{
254 case $CONFIGS_ENABLED in
255 *" $1"[\ =]*) return 0;;
256 *) return 1;;
257 esac
258}
259
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]260# skip next test if the flag is not enabled in mbedtls_config.h
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]261requires_config_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]262 case $CONFIGS_ENABLED in
Jerry Yu2e8b0012021-12-10 20:29:02 +0800[diff] [blame]263 *" $1"[\ =]*) :;;
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]264 *) SKIP_NEXT="YES";;
265 esac
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]266}
267
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]268# skip next test if the flag is enabled in mbedtls_config.h
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]269requires_config_disabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]270 case $CONFIGS_ENABLED in
Jerry Yu2e8b0012021-12-10 20:29:02 +0800[diff] [blame]271 *" $1"[\ =]*) SKIP_NEXT="YES";;
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]272 esac
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]273}
274
Jerry Yu2fcb0562022-07-27 17:30:49 +0800[diff] [blame]275requires_all_configs_enabled() {
Jerry Yu9dd0cc02023-10-18 11:25:30 +0800[diff] [blame]276 if ! $P_QUERY -all $* 2>&1 > /dev/null
Jerry Yu2fcb0562022-07-27 17:30:49 +0800[diff] [blame]277 then
278 SKIP_NEXT="YES"
279 fi
280}
281
282requires_all_configs_disabled() {
Jerry Yu9dd0cc02023-10-18 11:25:30 +0800[diff] [blame]283 if $P_QUERY -any $* 2>&1 > /dev/null
Jerry Yu2fcb0562022-07-27 17:30:49 +0800[diff] [blame]284 then
285 SKIP_NEXT="YES"
286 fi
287}
288
289requires_any_configs_enabled() {
Jerry Yu9dd0cc02023-10-18 11:25:30 +0800[diff] [blame]290 if ! $P_QUERY -any $* 2>&1 > /dev/null
Jerry Yu2fcb0562022-07-27 17:30:49 +0800[diff] [blame]291 then
292 SKIP_NEXT="YES"
293 fi
294}
295
296requires_any_configs_disabled() {
Jerry Yu9dd0cc02023-10-18 11:25:30 +0800[diff] [blame]297 if $P_QUERY -all $* 2>&1 > /dev/null
Jerry Yu2fcb0562022-07-27 17:30:49 +0800[diff] [blame]298 then
299 SKIP_NEXT="YES"
300 fi
301}
302
Ronald Cron454eb912022-10-21 08:56:04 +0200[diff] [blame]303TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]304 MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
305 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
306 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
307 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
308 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
309 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
310
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]311TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
312 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
313
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]314TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
315 MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
316 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
317 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
318 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
319
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]320requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() {
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]321 if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2
322 then
Valerio Settie7f896d2023-03-13 13:55:28 +0100[diff] [blame]323 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]324 elif ! $P_QUERY -all MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
325 then
326 SKIP_NEXT="YES"
327 fi
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]328}
329
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]330get_config_value_or_default() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]331 # This function uses the query_config command line option to query the
332 # required Mbed TLS compile time configuration from the ssl_server2
333 # program. The command will always return a success value if the
334 # configuration is defined and the value will be printed to stdout.
335 #
336 # Note that if the configuration is not defined or is defined to nothing,
337 # the output of this function will be an empty string.
Tomás González06956a12023-08-23 15:46:20 +0100[diff] [blame]338 if [ "$LIST_TESTS" -eq 0 ];then
339 ${P_SRV} "query_config=${1}"
340 else
341 echo "1"
342 fi
343
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]344}
345
346requires_config_value_at_least() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]347 VAL="$( get_config_value_or_default "$1" )"
348 if [ -z "$VAL" ]; then
349 # Should never happen
350 echo "Mbed TLS configuration $1 is not defined"
351 exit 1
352 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]353 SKIP_NEXT="YES"
354 fi
355}
356
357requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]358 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]359 if [ -z "$VAL" ]; then
360 # Should never happen
361 echo "Mbed TLS configuration $1 is not defined"
362 exit 1
363 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]364 SKIP_NEXT="YES"
365 fi
366}
367
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]368requires_config_value_equals() {
369 VAL=$( get_config_value_or_default "$1" )
370 if [ -z "$VAL" ]; then
371 # Should never happen
372 echo "Mbed TLS configuration $1 is not defined"
373 exit 1
374 elif [ "$VAL" -ne "$2" ]; then
375 SKIP_NEXT="YES"
376 fi
377}
378
Gilles Peskinec9126732022-04-08 19:33:07 +0200[diff] [blame]379# Require Mbed TLS to support the given protocol version.
380#
381# Inputs:
382# * $1: protocol version in mbedtls syntax (argument to force_version=)
383requires_protocol_version() {
384 # Support for DTLS is detected separately in detect_dtls().
385 case "$1" in
386 tls12|dtls12) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2;;
387 tls13|dtls13) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3;;
388 *) echo "Unknown required protocol version: $1"; exit 1;;
389 esac
390}
391
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]392# Space-separated list of ciphersuites supported by this build of
393# Mbed TLS.
Ronald Cron5b73de82023-11-28 15:49:25 +0100[diff] [blame]394P_CIPHERSUITES=""
395if [ "$LIST_TESTS" -eq 0 ]; then
396 P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null |
397 grep 'TLS-\|TLS1-3' |
398 tr -s ' \n' ' ')"
399
400 if [ -z "${P_CIPHERSUITES# }" ]; then
401 echo >&2 "$0: fatal error: no cipher suites found!"
402 exit 125
403 fi
404fi
405
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]406requires_ciphersuite_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]407 case $P_CIPHERSUITES in
408 *" $1 "*) :;;
409 *) SKIP_NEXT="YES";;
410 esac
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]411}
412
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]413requires_cipher_enabled() {
414 KEY_TYPE=$1
415 MODE=${2:-}
416 if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
417 case "$KEY_TYPE" in
418 CHACHA20)
419 requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
420 requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20
421 ;;
422 *)
423 requires_config_enabled PSA_WANT_ALG_${MODE}
424 requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE}
425 ;;
426 esac
427 else
428 case "$KEY_TYPE" in
429 CHACHA20)
430 requires_config_enabled MBEDTLS_CHACHA20_C
431 requires_config_enabled MBEDTLS_CHACHAPOLY_C
432 ;;
433 *)
434 requires_config_enabled MBEDTLS_${MODE}_C
435 requires_config_enabled MBEDTLS_${KEY_TYPE}_C
436 ;;
437 esac
438 fi
439}
440
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]441# Automatically detect required features based on command line parameters.
442# Parameters are:
443# - $1 = command line (call to a TLS client or server program)
444# - $2 = client/server
445# - $3 = TLS version (TLS12 or TLS13)
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]446# - $4 = Use an external tool without ECDH support
447# - $5 = run test options
Gilles Peskineb898b3d2022-04-08 19:26:26 +0200[diff] [blame]448detect_required_features() {
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]449 CMD_LINE=$1
450 ROLE=$2
451 TLS_VERSION=$3
452 EXT_WO_ECDH=$4
453 TEST_OPTIONS=${5:-}
454
455 case "$CMD_LINE" in
Gilles Peskinec9126732022-04-08 19:33:07 +0200[diff] [blame]456 *\ force_version=*)
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]457 tmp="${CMD_LINE##*\ force_version=}"
Gilles Peskinec9126732022-04-08 19:33:07 +0200[diff] [blame]458 tmp="${tmp%%[!-0-9A-Z_a-z]*}"
459 requires_protocol_version "$tmp";;
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]460 esac
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]461
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]462 case "$CMD_LINE" in
Gilles Peskineb898b3d2022-04-08 19:26:26 +0200[diff] [blame]463 *\ force_ciphersuite=*)
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]464 tmp="${CMD_LINE##*\ force_ciphersuite=}"
Gilles Peskineb898b3d2022-04-08 19:26:26 +0200[diff] [blame]465 tmp="${tmp%%[!-0-9A-Z_a-z]*}"
466 requires_ciphersuite_enabled "$tmp";;
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]467 esac
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]468
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]469 case " $CMD_LINE " in
Gilles Peskine740b7342022-04-08 19:29:27 +0200[diff] [blame]470 *[-_\ =]tickets=[^0]*)
471 requires_config_enabled MBEDTLS_SSL_TICKET_C;;
472 esac
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]473 case " $CMD_LINE " in
Gilles Peskine740b7342022-04-08 19:29:27 +0200[diff] [blame]474 *[-_\ =]alpn=*)
475 requires_config_enabled MBEDTLS_SSL_ALPN;;
476 esac
477
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]478 case "$CMD_LINE" in
Gilles Peskine1bc28fe2024-04-26 21:28:49 +0200[diff] [blame]479 */server5*|\
480 */server7*|\
481 */dir-maxpath*)
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]482 if [ "$TLS_VERSION" = "TLS13" ]; then
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]483 # In case of TLS13 the support for ECDSA is enough
484 requires_pk_alg "ECDSA"
485 else
486 # For TLS12 requirements are different between server and client
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]487 if [ "$ROLE" = "server" ]; then
Valerio Setti194e2bd2023-03-02 17:18:10 +0100[diff] [blame]488 # If the server uses "server5*" certificates, then an ECDSA based
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]489 # key exchange is required. However gnutls also does not
490 # support ECDH, so this limit the choice to ECDHE-ECDSA
491 if [ "$EXT_WO_ECDH" = "yes" ]; then
492 requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
493 else
494 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
495 fi
496 elif [ "$ROLE" = "client" ]; then
497 # On the client side it is enough to have any certificate
498 # based authentication together with support for ECDSA.
499 # Of course the GnuTLS limitation mentioned above applies
500 # also here.
501 if [ "$EXT_WO_ECDH" = "yes" ]; then
502 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
503 else
504 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
505 fi
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]506 requires_pk_alg "ECDSA"
507 fi
508 fi
509 ;;
510 esac
511
Valerio Setti4f577f32023-07-31 18:58:25 +0200[diff] [blame]512 case "$CMD_LINE" in
Gilles Peskine121a7bf2024-04-29 16:03:02 +0200[diff] [blame]513 */server1*|\
Gilles Peskine1bc28fe2024-04-26 21:28:49 +0200[diff] [blame]514 */server2*|\
515 */server7*)
Gilles Peskine121a7bf2024-04-29 16:03:02 +0200[diff] [blame]516 # Certificates with an RSA key. The algorithm requirement is
517 # some subset of {PKCS#1v1.5 encryption, PKCS#1v1.5 signature,
518 # PSS signature}. We can't easily tell which subset works, and
519 # we aren't currently running ssl-opt.sh in configurations
520 # where partial RSA support is a problem, so generically, we
521 # just require RSA and it works out for our tests so far.
Valerio Setti4f577f32023-07-31 18:58:25 +0200[diff] [blame]522 requires_config_enabled "MBEDTLS_RSA_C"
523 esac
524
Gilles Peskineb898b3d2022-04-08 19:26:26 +0200[diff] [blame]525 unset tmp
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]526}
527
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]528requires_certificate_authentication () {
529 if [ "$PSK_ONLY" = "YES" ]; then
530 SKIP_NEXT="YES"
531 fi
532}
533
Gilles Peskine6e86e542022-02-25 19:52:52 +0100[diff] [blame]534adapt_cmd_for_psk () {
535 case "$2" in
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]536 *openssl*s_server*) s='-psk 73776f726466697368 -nocert';;
537 *openssl*) s='-psk 73776f726466697368';;
538 *gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';;
539 *) s='psk=73776f726466697368';;
Gilles Peskine6e86e542022-02-25 19:52:52 +0100[diff] [blame]540 esac
541 eval $1='"$2 $s"'
542 unset s
543}
544
545# maybe_adapt_for_psk [RUN_TEST_OPTION...]
546# If running in a PSK-only build, maybe adapt the test to use a pre-shared key.
547#
548# If not running in a PSK-only build, do nothing.
549# If the test looks like it doesn't use a pre-shared key but can run with a
550# pre-shared key, pass a pre-shared key. If the test looks like it can't run
551# with a pre-shared key, skip it. If the test looks like it's already using
552# a pre-shared key, do nothing.
553#
Gilles Peskine59601d72022-04-05 22:00:17 +0200[diff] [blame]554# This code does not consider builds with ECDHE-PSK or RSA-PSK.
Gilles Peskine6e86e542022-02-25 19:52:52 +0100[diff] [blame]555#
556# Inputs:
557# * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands.
558# * $PSK_ONLY: YES if running in a PSK-only build (no asymmetric key exchanges).
559# * "$@": options passed to run_test.
560#
561# Outputs:
562# * $CLI_CMD, $SRV_CMD: may be modified to add PSK-relevant arguments.
563# * $SKIP_NEXT: set to YES if the test can't run with PSK.
564maybe_adapt_for_psk() {
565 if [ "$PSK_ONLY" != "YES" ]; then
566 return
567 fi
568 if [ "$SKIP_NEXT" = "YES" ]; then
569 return
570 fi
571 case "$CLI_CMD $SRV_CMD" in
572 *[-_\ =]psk*|*[-_\ =]PSK*)
573 return;;
574 *force_ciphersuite*)
575 # The test case forces a non-PSK cipher suite. In some cases, a
576 # PSK cipher suite could be substituted, but we're not ready for
577 # that yet.
578 SKIP_NEXT="YES"
579 return;;
580 *\ auth_mode=*|*[-_\ =]crt[_=]*)
581 # The test case involves certificates. PSK won't do.
582 SKIP_NEXT="YES"
583 return;;
584 esac
585 adapt_cmd_for_psk CLI_CMD "$CLI_CMD"
586 adapt_cmd_for_psk SRV_CMD "$SRV_CMD"
587}
588
589case " $CONFIGS_ENABLED " in
590 *\ MBEDTLS_KEY_EXCHANGE_[^P]*) PSK_ONLY="NO";;
591 *\ MBEDTLS_KEY_EXCHANGE_P[^S]*) PSK_ONLY="NO";;
592 *\ MBEDTLS_KEY_EXCHANGE_PS[^K]*) PSK_ONLY="NO";;
593 *\ MBEDTLS_KEY_EXCHANGE_PSK[^_]*) PSK_ONLY="NO";;
594 *\ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED\ *) PSK_ONLY="YES";;
595 *) PSK_ONLY="NO";;
596esac
597
Andrzej Kurek9c061a22022-09-05 10:51:19 -0400[diff] [blame]598HAS_ALG_SHA_1="NO"
599HAS_ALG_SHA_224="NO"
600HAS_ALG_SHA_256="NO"
601HAS_ALG_SHA_384="NO"
602HAS_ALG_SHA_512="NO"
603
604check_for_hash_alg()
605{
606 CURR_ALG="INVALID";
607 USE_PSA="NO"
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]608 if is_config_enabled "MBEDTLS_USE_PSA_CRYPTO"; then
609 USE_PSA="YES";
610 fi
Andrzej Kurek9c061a22022-09-05 10:51:19 -0400[diff] [blame]611 if [ $USE_PSA = "YES" ]; then
612 CURR_ALG=PSA_WANT_ALG_${1}
613 else
614 CURR_ALG=MBEDTLS_${1}_C
615 # Remove the second underscore to match MBEDTLS_* naming convention
616 CURR_ALG=$(echo "$CURR_ALG" | sed 's/_//2')
617 fi
618
619 case $CONFIGS_ENABLED in
620 *" $CURR_ALG"[\ =]*)
621 return 0
622 ;;
623 *) :;;
624 esac
625 return 1
626}
627
628populate_enabled_hash_algs()
629{
630 for hash_alg in SHA_1 SHA_224 SHA_256 SHA_384 SHA_512; do
631 if check_for_hash_alg "$hash_alg"; then
632 hash_alg_variable=HAS_ALG_${hash_alg}
633 eval ${hash_alg_variable}=YES
634 fi
Valerio Settie7f896d2023-03-13 13:55:28 +0100[diff] [blame]635 done
Andrzej Kurek9c061a22022-09-05 10:51:19 -0400[diff] [blame]636}
637
638# skip next test if the given hash alg is not supported
639requires_hash_alg() {
640 HASH_DEFINE="Invalid"
641 HAS_HASH_ALG="NO"
642 case $1 in
643 SHA_1):;;
644 SHA_224):;;
645 SHA_256):;;
646 SHA_384):;;
647 SHA_512):;;
648 *)
649 echo "Unsupported hash alg - $1"
650 exit 1
651 ;;
652 esac
653
654 HASH_DEFINE=HAS_ALG_${1}
655 eval "HAS_HASH_ALG=\${${HASH_DEFINE}}"
656 if [ "$HAS_HASH_ALG" = "NO" ]
657 then
658 SKIP_NEXT="YES"
659 fi
660}
661
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]662# Skip next test if the given pk alg is not enabled
663requires_pk_alg() {
664 case $1 in
665 ECDSA)
666 if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
667 requires_config_enabled PSA_WANT_ALG_ECDSA
668 else
669 requires_config_enabled MBEDTLS_ECDSA_C
670 fi
671 ;;
672 *)
673 echo "Unknown/unimplemented case $1 in requires_pk_alg"
674 exit 1
675 ;;
676 esac
677}
678
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]679# skip next test if OpenSSL doesn't support FALLBACK_SCSV
680requires_openssl_with_fallback_scsv() {
681 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
Manuel Pégourié-Gonnardc5722462022-12-19 11:42:12 +0100[diff] [blame]682 if $OPENSSL s_client -help 2>&1 | grep fallback_scsv >/dev/null
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]683 then
684 OPENSSL_HAS_FBSCSV="YES"
685 else
686 OPENSSL_HAS_FBSCSV="NO"
687 fi
688 fi
689 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
690 SKIP_NEXT="YES"
691 fi
692}
693
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]694# skip next test if either IN_CONTENT_LEN or MAX_CONTENT_LEN are below a value
695requires_max_content_len() {
696 requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" $1
697 requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1
698}
699
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]700# skip next test if GnuTLS isn't available
701requires_gnutls() {
702 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]703 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]704 GNUTLS_AVAILABLE="YES"
705 else
706 GNUTLS_AVAILABLE="NO"
707 fi
708 fi
709 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
710 SKIP_NEXT="YES"
711 fi
712}
713
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]714# skip next test if GnuTLS-next isn't available
715requires_gnutls_next() {
716 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
717 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
718 GNUTLS_NEXT_AVAILABLE="YES"
719 else
720 GNUTLS_NEXT_AVAILABLE="NO"
721 fi
722 fi
723 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
724 SKIP_NEXT="YES"
725 fi
726}
727
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]728requires_openssl_next() {
729 if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
730 if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
731 OPENSSL_NEXT_AVAILABLE="YES"
732 else
733 OPENSSL_NEXT_AVAILABLE="NO"
734 fi
735 fi
736 if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
737 SKIP_NEXT="YES"
738 fi
739}
740
Przemek Stekiel422ab1f2023-06-14 11:04:28 +0200[diff] [blame]741# skip next test if openssl version is lower than 3.0
742requires_openssl_3_x() {
743 requires_openssl_next
744 if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
745 OPENSSL_3_X_AVAILABLE="NO"
746 fi
747 if [ -z "${OPENSSL_3_X_AVAILABLE:-}" ]; then
Przemek Stekiela53dca12023-06-14 20:53:09 +0200[diff] [blame]748 if $OPENSSL_NEXT version 2>&1 | grep "OpenSSL 3." >/dev/null
Przemek Stekiel422ab1f2023-06-14 11:04:28 +0200[diff] [blame]749 then
750 OPENSSL_3_X_AVAILABLE="YES"
751 else
752 OPENSSL_3_X_AVAILABLE="NO"
753 fi
754 fi
755 if [ "$OPENSSL_3_X_AVAILABLE" = "NO" ]; then
756 SKIP_NEXT="YES"
757 fi
758}
759
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]760# skip next test if openssl does not support ffdh keys
761requires_openssl_tls1_3_with_ffdh() {
762 requires_openssl_3_x
763}
764
Przemek Stekiel7dda2712023-06-27 14:43:33 +0200[diff] [blame]765# skip next test if openssl cannot handle ephemeral key exchange
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]766requires_openssl_tls1_3_with_compatible_ephemeral() {
767 requires_openssl_next
768
769 if !(is_config_enabled "PSA_WANT_ALG_ECDH"); then
770 requires_openssl_tls1_3_with_ffdh
771 fi
772}
773
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]774# skip next test if tls1_3 is not available
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]775requires_openssl_tls1_3() {
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]776 requires_openssl_next
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]777 if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
778 OPENSSL_TLS1_3_AVAILABLE="NO"
779 fi
780 if [ -z "${OPENSSL_TLS1_3_AVAILABLE:-}" ]; then
781 if $OPENSSL_NEXT s_client -help 2>&1 | grep tls1_3 >/dev/null
782 then
783 OPENSSL_TLS1_3_AVAILABLE="YES"
784 else
785 OPENSSL_TLS1_3_AVAILABLE="NO"
786 fi
787 fi
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]788 if [ "$OPENSSL_TLS1_3_AVAILABLE" = "NO" ]; then
789 SKIP_NEXT="YES"
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]790 fi
791}
792
793# skip next test if tls1_3 is not available
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]794requires_gnutls_tls1_3() {
795 requires_gnutls_next
796 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
797 GNUTLS_TLS1_3_AVAILABLE="NO"
798 fi
799 if [ -z "${GNUTLS_TLS1_3_AVAILABLE:-}" ]; then
800 if $GNUTLS_NEXT_CLI -l 2>&1 | grep VERS-TLS1.3 >/dev/null
801 then
802 GNUTLS_TLS1_3_AVAILABLE="YES"
803 else
804 GNUTLS_TLS1_3_AVAILABLE="NO"
805 fi
806 fi
807 if [ "$GNUTLS_TLS1_3_AVAILABLE" = "NO" ]; then
808 SKIP_NEXT="YES"
809 fi
810}
811
Jerry Yu75261df2021-09-02 17:40:08 +0800[diff] [blame]812# Check %NO_TICKETS option
Jerry Yub12d81d2021-08-17 10:56:08 +0800[diff] [blame]813requires_gnutls_next_no_ticket() {
814 requires_gnutls_next
815 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
816 GNUTLS_NO_TICKETS_AVAILABLE="NO"
817 fi
818 if [ -z "${GNUTLS_NO_TICKETS_AVAILABLE:-}" ]; then
819 if $GNUTLS_NEXT_CLI --priority-list 2>&1 | grep NO_TICKETS >/dev/null
820 then
821 GNUTLS_NO_TICKETS_AVAILABLE="YES"
822 else
823 GNUTLS_NO_TICKETS_AVAILABLE="NO"
824 fi
825 fi
826 if [ "$GNUTLS_NO_TICKETS_AVAILABLE" = "NO" ]; then
827 SKIP_NEXT="YES"
828 fi
829}
830
Jerry Yu75261df2021-09-02 17:40:08 +0800[diff] [blame]831# Check %DISABLE_TLS13_COMPAT_MODE option
Jerry Yub12d81d2021-08-17 10:56:08 +0800[diff] [blame]832requires_gnutls_next_disable_tls13_compat() {
833 requires_gnutls_next
834 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
835 GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="NO"
836 fi
837 if [ -z "${GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE:-}" ]; then
838 if $GNUTLS_NEXT_CLI --priority-list 2>&1 | grep DISABLE_TLS13_COMPAT_MODE >/dev/null
839 then
840 GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="YES"
841 else
842 GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE="NO"
843 fi
844 fi
845 if [ "$GNUTLS_DISABLE_TLS13_COMPAT_MODE_AVAILABLE" = "NO" ]; then
846 SKIP_NEXT="YES"
847 fi
848}
849
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]850# skip next test if GnuTLS does not support the record size limit extension
851requires_gnutls_record_size_limit() {
852 requires_gnutls_next
853 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
854 GNUTLS_RECORD_SIZE_LIMIT_AVAILABLE="NO"
855 else
856 GNUTLS_RECORD_SIZE_LIMIT_AVAILABLE="YES"
857 fi
858 if [ "$GNUTLS_RECORD_SIZE_LIMIT_AVAILABLE" = "NO" ]; then
859 SKIP_NEXT="YES"
860 fi
861}
862
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]863# skip next test if IPv6 isn't available on this host
864requires_ipv6() {
865 if [ -z "${HAS_IPV6:-}" ]; then
866 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
867 SRV_PID=$!
868 sleep 1
869 kill $SRV_PID >/dev/null 2>&1
870 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
871 HAS_IPV6="NO"
872 else
873 HAS_IPV6="YES"
874 fi
875 rm -r $SRV_OUT
876 fi
877
878 if [ "$HAS_IPV6" = "NO" ]; then
879 SKIP_NEXT="YES"
880 fi
881}
882
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]883# skip next test if it's i686 or uname is not available
884requires_not_i686() {
885 if [ -z "${IS_I686:-}" ]; then
886 IS_I686="YES"
887 if which "uname" >/dev/null 2>&1; then
888 if [ -z "$(uname -a | grep i686)" ]; then
889 IS_I686="NO"
890 fi
891 fi
892 fi
893 if [ "$IS_I686" = "YES" ]; then
894 SKIP_NEXT="YES"
895 fi
896}
897
David Horstmann95d516f2021-05-04 18:36:56 +0100[diff] [blame]898MAX_CONTENT_LEN=16384
Yuto Takano2be6f1a2021-06-22 07:16:40 +0100[diff] [blame]899MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" )
900MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" )
Tomás González06956a12023-08-23 15:46:20 +0100[diff] [blame]901if [ "$LIST_TESTS" -eq 0 ];then
902 # Calculate the input & output maximum content lengths set in the config
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]903
Tomás González06956a12023-08-23 15:46:20 +0100[diff] [blame]904 # Calculate the maximum content length that fits both
905 if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
906 MAX_CONTENT_LEN="$MAX_IN_LEN"
907 fi
908 if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
909 MAX_CONTENT_LEN="$MAX_OUT_LEN"
910 fi
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]911fi
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]912# skip the next test if the SSL output buffer is less than 16KB
913requires_full_size_output_buffer() {
914 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
915 SKIP_NEXT="YES"
916 fi
917}
918
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]919# skip the next test if valgrind is in use
920not_with_valgrind() {
921 if [ "$MEMCHECK" -gt 0 ]; then
922 SKIP_NEXT="YES"
923 fi
924}
925
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]926# skip the next test if valgrind is NOT in use
927only_with_valgrind() {
928 if [ "$MEMCHECK" -eq 0 ]; then
929 SKIP_NEXT="YES"
930 fi
931}
932
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]933# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]934client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]935 CLI_DELAY_FACTOR=$1
936}
937
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]938# wait for the given seconds after the client finished in the next test
939server_needs_more_time() {
940 SRV_DELAY_SECONDS=$1
941}
942
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]943# print_name <name>
944print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]945 TESTS=$(( $TESTS + 1 ))
946 LINE=""
947
948 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
949 LINE="$TESTS "
950 fi
951
952 LINE="$LINE$1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]953
Tomás González378e3642023-09-04 10:41:37 +0100[diff] [blame]954 printf "%s " "$LINE"
955 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
956 for i in `seq 1 $LEN`; do printf '.'; done
957 printf ' '
958
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]959}
960
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]961# record_outcome <outcome> [<failure-reason>]
962# The test name must be in $NAME.
Gilles Peskine5eb2b022022-01-07 15:47:02 +0100[diff] [blame]963# Use $TEST_SUITE_NAME as the test suite name if set.
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]964record_outcome() {
965 echo "$1"
966 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
967 printf '%s;%s;%s;%s;%s;%s\n' \
968 "$MBEDTLS_TEST_PLATFORM" "$MBEDTLS_TEST_CONFIGURATION" \
Jerry Yu9e47b262023-11-06 10:52:01 +0800[diff] [blame]969 "${TEST_SUITE_NAME:-ssl-opt}" "$NAME" \
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]970 "$1" "${2-}" \
971 >>"$MBEDTLS_TEST_OUTCOME_FILE"
972 fi
973}
Gilles Peskine5eb2b022022-01-07 15:47:02 +0100[diff] [blame]974unset TEST_SUITE_NAME
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]975
Gilles Peskine788ad332021-10-20 14:17:02 +0200[diff] [blame]976# True if the presence of the given pattern in a log definitely indicates
977# that the test has failed. False if the presence is inconclusive.
978#
979# Inputs:
980# * $1: pattern found in the logs
981# * $TIMES_LEFT: >0 if retrying is an option
982#
983# Outputs:
984# * $outcome: set to a retry reason if the pattern is inconclusive,
985# unchanged otherwise.
986# * Return value: 1 if the pattern is inconclusive,
987# 0 if the failure is definitive.
988log_pattern_presence_is_conclusive() {
989 # If we've run out of attempts, then don't retry no matter what.
990 if [ $TIMES_LEFT -eq 0 ]; then
991 return 0
992 fi
993 case $1 in
994 "resend")
995 # An undesired resend may have been caused by the OS dropping or
996 # delaying a packet at an inopportune time.
997 outcome="RETRY(resend)"
998 return 1;;
999 esac
1000}
1001
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]1002# fail <message>
1003fail() {
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]1004 record_outcome "FAIL" "$1"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]1005 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1006
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]1007 mv $SRV_OUT o-srv-${TESTS}.log
1008 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1009 if [ -n "$PXY_CMD" ]; then
1010 mv $PXY_OUT o-pxy-${TESTS}.log
1011 fi
1012 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1013
Manuel Pégourié-Gonnard3f3302f2020-06-08 11:49:05 +0200[diff] [blame]1014 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]1015 echo " ! server output:"
1016 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1017 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]1018 echo " ! client output:"
1019 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1020 if [ -n "$PXY_CMD" ]; then
1021 echo " ! ========================================================"
1022 echo " ! proxy output:"
1023 cat o-pxy-${TESTS}.log
1024 fi
1025 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]1026 fi
1027
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]1028 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]1029}
1030
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1031# is_polar <cmd_line>
1032is_polar() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]1033 case "$1" in
1034 *ssl_client2*) true;;
1035 *ssl_server2*) true;;
1036 *) false;;
1037 esac
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1038}
1039
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]1040# openssl s_server doesn't have -www with DTLS
1041check_osrv_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]1042 case "$SRV_CMD" in
1043 *s_server*-dtls*)
1044 NEEDS_INPUT=1
1045 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )";;
1046 *) NEEDS_INPUT=0;;
1047 esac
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]1048}
1049
1050# provide input to commands that need it
1051provide_input() {
1052 if [ $NEEDS_INPUT -eq 0 ]; then
1053 return
1054 fi
1055
1056 while true; do
1057 echo "HTTP/1.0 200 OK"
1058 sleep 1
1059 done
1060}
1061
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1062# has_mem_err <log_file_name>
1063has_mem_err() {
1064 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
1065 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
1066 then
1067 return 1 # false: does not have errors
1068 else
1069 return 0 # true: has errors
1070 fi
1071}
1072
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]1073# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1074if type lsof >/dev/null 2>/dev/null; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]1075 wait_app_start() {
Paul Elliotte05e1262021-10-20 15:59:33 +0100[diff] [blame]1076 newline='
1077'
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1078 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1079 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1080 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1081 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1082 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1083 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1084 # Make a tight loop, server normally takes less than 1s to start.
Paul Elliott58ed8a72021-10-19 17:56:39 +0100[diff] [blame]1085 while true; do
Gilles Peskine5bd0b512022-04-15 22:53:18 +0200[diff] [blame]1086 SERVER_PIDS=$(lsof -a -n -b -i "$proto:$1" -t)
Paul Elliotte05e1262021-10-20 15:59:33 +0100[diff] [blame]1087 # When we use a proxy, it will be listening on the same port we
1088 # are checking for as well as the server and lsof will list both.
Paul Elliotte05e1262021-10-20 15:59:33 +0100[diff] [blame]1089 case ${newline}${SERVER_PIDS}${newline} in
Gilles Peskine5bd0b512022-04-15 22:53:18 +0200[diff] [blame]1090 *${newline}${2}${newline}*) break;;
Paul Elliotte05e1262021-10-20 15:59:33 +0100[diff] [blame]1091 esac
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1092 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]1093 echo "$3 START TIMEOUT"
1094 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1095 break
1096 fi
1097 # Linux and *BSD support decimal arguments to sleep. On other
1098 # OSes this may be a tight loop.
1099 sleep 0.1 2>/dev/null || true
1100 done
1101 }
1102else
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]1103 echo "Warning: lsof not available, wait_app_start = sleep"
1104 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1105 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]1106 }
1107fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1108
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]1109# Wait for server process $2 to be listening on port $1.
1110wait_server_start() {
1111 wait_app_start $1 $2 "SERVER" $SRV_OUT
1112}
1113
1114# Wait for proxy process $2 to be listening on port $1.
1115wait_proxy_start() {
1116 wait_app_start $1 $2 "PROXY" $PXY_OUT
1117}
1118
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1119# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]1120# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1121# acceptable bounds
1122check_server_hello_time() {
1123 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]1124 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1125 # Get the Unix timestamp for now
1126 CUR_TIME=$(date +'%s')
1127 THRESHOLD_IN_SECS=300
1128
1129 # Check if the ServerHello time was printed
1130 if [ -z "$SERVER_HELLO_TIME" ]; then
1131 return 1
1132 fi
1133
1134 # Check the time in ServerHello is within acceptable bounds
1135 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
1136 # The time in ServerHello is at least 5 minutes before now
1137 return 1
1138 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]1139 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1140 return 1
1141 else
1142 return 0
1143 fi
1144}
1145
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1146# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
1147handshake_memory_get() {
1148 OUTPUT_VARIABLE="$1"
1149 OUTPUT_FILE="$2"
1150
1151 # Get memory usage from a pattern like "Heap memory usage after handshake: 23112 bytes. Peak memory usage was 33112"
1152 MEM_USAGE=$(sed -n 's/.*Heap memory usage after handshake: //p' < "$OUTPUT_FILE" | grep -o "[0-9]*" | head -1)
1153
1154 # Check if memory usage was read
1155 if [ -z "$MEM_USAGE" ]; then
1156 echo "Error: Can not read the value of handshake memory usage"
1157 return 1
1158 else
1159 eval "$OUTPUT_VARIABLE=$MEM_USAGE"
1160 return 0
1161 fi
1162}
1163
1164# Get handshake memory usage from server or client output and check if this value
1165# is not higher than the maximum given by the first argument
1166handshake_memory_check() {
1167 MAX_MEMORY="$1"
1168 OUTPUT_FILE="$2"
1169
1170 # Get memory usage
1171 if ! handshake_memory_get "MEMORY_USAGE" "$OUTPUT_FILE"; then
1172 return 1
1173 fi
1174
1175 # Check if memory usage is below max value
1176 if [ "$MEMORY_USAGE" -gt "$MAX_MEMORY" ]; then
1177 echo "\nFailed: Handshake memory usage was $MEMORY_USAGE bytes," \
1178 "but should be below $MAX_MEMORY bytes"
1179 return 1
1180 else
1181 return 0
1182 fi
1183}
1184
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1185# wait for client to terminate and set CLI_EXIT
1186# must be called right after starting the client
1187wait_client_done() {
1188 CLI_PID=$!
1189
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1190 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
1191 CLI_DELAY_FACTOR=1
1192
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]1193 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1194 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1195
Jerry Yud2d41102022-07-26 17:34:42 +0800[diff] [blame]1196 # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
1197 # To remove it from stdout, redirect stdout/stderr to CLI_OUT
1198 wait $CLI_PID >> $CLI_OUT 2>&1
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1199 CLI_EXIT=$?
1200
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1201 kill $DOG_PID >/dev/null 2>&1
Jerry Yufe52e552022-07-09 04:23:43 +0000[diff] [blame]1202 wait $DOG_PID >> $CLI_OUT 2>&1
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1203
1204 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1205
1206 sleep $SRV_DELAY_SECONDS
1207 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]1208}
1209
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1210# check if the given command uses dtls and sets global variable DTLS
1211detect_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]1212 case "$1" in
Paul Elliott1428f252021-10-12 16:02:55 +0100[diff] [blame]1213 *dtls=1*|*-dtls*|*-u*) DTLS=1;;
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]1214 *) DTLS=0;;
1215 esac
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1216}
1217
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]1218# check if the given command uses gnutls and sets global variable CMD_IS_GNUTLS
1219is_gnutls() {
1220 case "$1" in
1221 *gnutls-cli*)
1222 CMD_IS_GNUTLS=1
1223 ;;
1224 *gnutls-serv*)
1225 CMD_IS_GNUTLS=1
1226 ;;
1227 *)
1228 CMD_IS_GNUTLS=0
1229 ;;
1230 esac
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1231}
1232
Valerio Setti2f8eb622023-03-16 13:04:44 +0100[diff] [blame]1233# Some external tools (gnutls or openssl) might not have support for static ECDH
1234# and this limit the tests that can be run with them. This function checks server
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]1235# and client command lines, given as input, to verify if the current test
1236# is using one of these tools.
1237use_ext_tool_without_ecdh_support() {
1238 case "$1" in
1239 *$GNUTLS_SERV*|\
1240 *${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\
1241 *${OPENSSL_NEXT:-"openssl-dummy"}*)
1242 echo "yes"
1243 return;;
1244 esac
1245 case "$2" in
1246 *$GNUTLS_CLI*|\
1247 *${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\
1248 *${OPENSSL_NEXT:-"openssl-dummy"}*)
1249 echo "yes"
1250 return;;
1251 esac
1252 echo "no"
1253}
1254
Jerry Yuf467d462022-11-07 13:12:44 +0800[diff] [blame]1255# Generate random psk_list argument for ssl_server2
1256get_srv_psk_list ()
1257{
1258 case $(( TESTS % 3 )) in
1259 0) echo "psk_list=abc,dead,def,beef,Client_identity,6162636465666768696a6b6c6d6e6f70";;
1260 1) echo "psk_list=abc,dead,Client_identity,6162636465666768696a6b6c6d6e6f70,def,beef";;
1261 2) echo "psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70,abc,dead,def,beef";;
1262 esac
1263}
1264
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1265# Determine what calc_verify trace is to be expected, if any.
1266#
1267# calc_verify is only called for two things: to calculate the
1268# extended master secret, and to process client authentication.
1269#
1270# Warning: the current implementation assumes that extended_ms is not
1271# disabled on the client or on the server.
1272#
1273# Inputs:
Gilles Peskinec8d242f2022-04-06 22:23:45 +0200[diff] [blame]1274# * $1: the value of the server auth_mode parameter.
1275# 'required' if client authentication is expected,
1276# 'none' or absent if not.
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1277# * $CONFIGS_ENABLED
1278#
1279# Outputs:
1280# * $maybe_calc_verify: set to a trace expected in the debug logs
1281set_maybe_calc_verify() {
1282 maybe_calc_verify=
1283 case $CONFIGS_ENABLED in
1284 *\ MBEDTLS_SSL_EXTENDED_MASTER_SECRET\ *) :;;
1285 *)
1286 case ${1-} in
Gilles Peskinec8d242f2022-04-06 22:23:45 +0200[diff] [blame]1287 ''|none) return;;
1288 required) :;;
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1289 *) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;;
1290 esac
1291 esac
1292 case $CONFIGS_ENABLED in
1293 *\ MBEDTLS_USE_PSA_CRYPTO\ *) maybe_calc_verify="PSA calc verify";;
1294 *) maybe_calc_verify="<= calc verify";;
1295 esac
1296}
1297
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]1298# Compare file content
1299# Usage: find_in_both pattern file1 file2
1300# extract from file1 the first line matching the pattern
1301# check in file2 that the same line can be found
1302find_in_both() {
1303 srv_pattern=$(grep -m 1 "$1" "$2");
1304 if [ -z "$srv_pattern" ]; then
1305 return 1;
1306 fi
1307
1308 if grep "$srv_pattern" $3 >/dev/null; then :
Johan Pascal10403152020-10-09 20:43:51 +0200[diff] [blame]1309 return 0;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]1310 else
1311 return 1;
1312 fi
1313}
1314
Jerry Yuc46e9b42021-08-06 11:22:24 +0800[diff] [blame]1315SKIP_HANDSHAKE_CHECK="NO"
1316skip_handshake_stage_check() {
1317 SKIP_HANDSHAKE_CHECK="YES"
1318}
1319
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1320# Analyze the commands that will be used in a test.
1321#
1322# Analyze and possibly instrument $PXY_CMD, $CLI_CMD, $SRV_CMD to pass
1323# extra arguments or go through wrappers.
Gilles Peskine59601d72022-04-05 22:00:17 +0200[diff] [blame]1324#
1325# Inputs:
1326# * $@: supplemental options to run_test() (after the mandatory arguments).
1327# * $CLI_CMD, $PXY_CMD, $SRV_CMD: the client, proxy and server commands.
1328# * $DTLS: 1 if DTLS, otherwise 0.
1329#
1330# Outputs:
1331# * $CLI_CMD, $PXY_CMD, $SRV_CMD: may be tweaked.
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1332analyze_test_commands() {
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]1333 # if the test uses DTLS but no custom proxy, add a simple proxy
1334 # as it provides timing info that's useful to debug failures
Manuel Pégourié-Gonnard70fce982020-06-25 09:54:46 +0200[diff] [blame]1335 if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]1336 PXY_CMD="$P_PXY"
Manuel Pégourié-Gonnard8779e9a2020-07-16 10:19:32 +0200[diff] [blame]1337 case " $SRV_CMD " in
1338 *' server_addr=::1 '*)
1339 PXY_CMD="$PXY_CMD server_addr=::1 listen_addr=::1";;
1340 esac
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]1341 fi
1342
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]1343 # update CMD_IS_GNUTLS variable
1344 is_gnutls "$SRV_CMD"
1345
1346 # if the server uses gnutls but doesn't set priority, explicitly
1347 # set the default priority
1348 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
1349 case "$SRV_CMD" in
1350 *--priority*) :;;
1351 *) SRV_CMD="$SRV_CMD --priority=NORMAL";;
1352 esac
1353 fi
1354
1355 # update CMD_IS_GNUTLS variable
1356 is_gnutls "$CLI_CMD"
1357
1358 # if the client uses gnutls but doesn't set priority, explicitly
1359 # set the default priority
1360 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
1361 case "$CLI_CMD" in
1362 *--priority*) :;;
1363 *) CLI_CMD="$CLI_CMD --priority=NORMAL";;
1364 esac
1365 fi
1366
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1367 # fix client port
1368 if [ -n "$PXY_CMD" ]; then
1369 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
1370 else
1371 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
1372 fi
1373
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1374 # prepend valgrind to our commands if active
1375 if [ "$MEMCHECK" -gt 0 ]; then
1376 if is_polar "$SRV_CMD"; then
1377 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
1378 fi
1379 if is_polar "$CLI_CMD"; then
1380 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
1381 fi
1382 fi
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1383}
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1384
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1385# Check for failure conditions after a test case.
1386#
1387# Inputs from run_test:
1388# * positional parameters: test options (see run_test documentation)
1389# * $CLI_EXIT: client return code
1390# * $CLI_EXPECT: expected client return code
1391# * $SRV_RET: server return code
1392# * $CLI_OUT, $SRV_OUT, $PXY_OUT: files containing client/server/proxy logs
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1393# * $TIMES_LEFT: if nonzero, a RETRY outcome is allowed
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1394#
1395# Outputs:
Gilles Peskinef11d30e2021-10-19 18:00:10 +0200[diff] [blame]1396# * $outcome: one of PASS/RETRY*/FAIL
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1397check_test_failure() {
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1398 outcome=FAIL
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]1399
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1400 if [ $TIMES_LEFT -gt 0 ] &&
1401 grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null
1402 then
Gilles Peskinef11d30e2021-10-19 18:00:10 +0200[diff] [blame]1403 outcome="RETRY(client-timeout)"
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1404 return
1405 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]1406
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1407 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]1408 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1409 # expected client exit to incorrectly succeed in case of catastrophic
1410 # failure)
Jerry Yuc46e9b42021-08-06 11:22:24 +0800[diff] [blame]1411 if [ "X$SKIP_HANDSHAKE_CHECK" != "XYES" ]
1412 then
1413 if is_polar "$SRV_CMD"; then
1414 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
1415 else
1416 fail "server or client failed to reach handshake stage"
1417 return
1418 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1419 fi
Jerry Yuc46e9b42021-08-06 11:22:24 +0800[diff] [blame]1420 if is_polar "$CLI_CMD"; then
1421 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
1422 else
1423 fail "server or client failed to reach handshake stage"
1424 return
1425 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]1426 fi
1427 fi
1428
Jerry Yuc46e9b42021-08-06 11:22:24 +0800[diff] [blame]1429 SKIP_HANDSHAKE_CHECK="NO"
Gilles Peskineaaf866e2021-02-09 21:01:33 +0100[diff] [blame]1430 # Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't
1431 # exit with status 0 when interrupted by a signal, and we don't really
1432 # care anyway), in case e.g. the server reports a memory leak.
1433 if [ $SRV_RET != 0 ] && is_polar "$SRV_CMD"; then
Gilles Peskine7f919de2021-02-02 23:29:03 +0100[diff] [blame]1434 fail "Server exited with status $SRV_RET"
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]1435 return
1436 fi
1437
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1438 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1439 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
1440 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1441 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1442 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1443 return
1444 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1445
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1446 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1447 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]1448 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1449 while [ $# -gt 0 ]
1450 do
1451 case $1 in
1452 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]1453 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1454 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1455 return
1456 fi
1457 ;;
1458
1459 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]1460 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1461 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1462 return
1463 fi
1464 ;;
1465
1466 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]1467 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Gilles Peskine788ad332021-10-20 14:17:02 +0200[diff] [blame]1468 if log_pattern_presence_is_conclusive "$2"; then
Gilles Peskinef11d30e2021-10-19 18:00:10 +0200[diff] [blame]1469 fail "pattern '$2' MUST NOT be present in the Server output"
1470 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1471 return
1472 fi
1473 ;;
1474
1475 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]1476 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Gilles Peskine788ad332021-10-20 14:17:02 +0200[diff] [blame]1477 if log_pattern_presence_is_conclusive "$2"; then
Gilles Peskinef11d30e2021-10-19 18:00:10 +0200[diff] [blame]1478 fail "pattern '$2' MUST NOT be present in the Client output"
1479 fi
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1480 return
1481 fi
1482 ;;
1483
1484 # The filtering in the following two options (-u and -U) do the following
1485 # - ignore valgrind output
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]1486 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1487 # - keep one of each non-unique line
1488 # - count how many lines remain
1489 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
1490 # if there were no duplicates.
1491 "-U")
1492 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
1493 fail "lines following pattern '$2' must be unique in Server output"
1494 return
1495 fi
1496 ;;
1497
1498 "-u")
1499 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
1500 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1501 return
1502 fi
1503 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]1504 "-F")
1505 if ! $2 "$SRV_OUT"; then
1506 fail "function call to '$2' failed on Server output"
1507 return
1508 fi
1509 ;;
1510 "-f")
1511 if ! $2 "$CLI_OUT"; then
1512 fail "function call to '$2' failed on Client output"
1513 return
1514 fi
1515 ;;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]1516 "-g")
1517 if ! eval "$2 '$SRV_OUT' '$CLI_OUT'"; then
1518 fail "function call to '$2' failed on Server and Client output"
1519 return
1520 fi
1521 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1522
1523 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]1524 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1525 exit 1
1526 esac
1527 shift 2
1528 done
1529
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1530 # check valgrind's results
1531 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1532 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1533 fail "Server has memory errors"
1534 return
1535 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1536 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1537 fail "Client has memory errors"
1538 return
1539 fi
1540 fi
1541
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1542 # if we're here, everything is ok
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1543 outcome=PASS
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1544}
1545
Gilles Peskine196d73b2021-10-19 16:35:35 +0200[diff] [blame]1546# Run the current test case: start the server and if applicable the proxy, run
1547# the client, wait for all processes to finish or time out.
1548#
1549# Inputs:
1550# * $NAME: test case name
1551# * $CLI_CMD, $SRV_CMD, $PXY_CMD: commands to run
1552# * $CLI_OUT, $SRV_OUT, $PXY_OUT: files to contain client/server/proxy logs
1553#
1554# Outputs:
1555# * $CLI_EXIT: client return code
1556# * $SRV_RET: server return code
1557do_run_test_once() {
1558 # run the commands
1559 if [ -n "$PXY_CMD" ]; then
1560 printf "# %s\n%s\n" "$NAME" "$PXY_CMD" > $PXY_OUT
1561 $PXY_CMD >> $PXY_OUT 2>&1 &
1562 PXY_PID=$!
1563 wait_proxy_start "$PXY_PORT" "$PXY_PID"
1564 fi
1565
1566 check_osrv_dtls
1567 printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
1568 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
1569 SRV_PID=$!
1570 wait_server_start "$SRV_PORT" "$SRV_PID"
1571
1572 printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
Andrzej Kurek140b5892022-05-27 06:44:19 -0400[diff] [blame]1573 # The client must be a subprocess of the script in order for killing it to
1574 # work properly, that's why the ampersand is placed inside the eval command,
1575 # not at the end of the line: the latter approach will spawn eval as a
1576 # subprocess, and the $CLI_CMD as a grandchild.
1577 eval "$CLI_CMD &" >> $CLI_OUT 2>&1
Gilles Peskine196d73b2021-10-19 16:35:35 +0200[diff] [blame]1578 wait_client_done
1579
1580 sleep 0.05
1581
1582 # terminate the server (and the proxy)
1583 kill $SRV_PID
Jerry Yud2d41102022-07-26 17:34:42 +0800[diff] [blame]1584 # For Ubuntu 22.04, `Terminated` message is outputed by wait command.
Jerry Yu27d80922022-08-02 21:28:55 +0800[diff] [blame]1585 # To remove it from stdout, redirect stdout/stderr to SRV_OUT
Jerry Yud2d41102022-07-26 17:34:42 +0800[diff] [blame]1586 wait $SRV_PID >> $SRV_OUT 2>&1
Gilles Peskine196d73b2021-10-19 16:35:35 +0200[diff] [blame]1587 SRV_RET=$?
1588
1589 if [ -n "$PXY_CMD" ]; then
1590 kill $PXY_PID >/dev/null 2>&1
Jerry Yu6969eee2022-10-10 10:25:26 +0800[diff] [blame]1591 wait $PXY_PID >> $PXY_OUT 2>&1
Gilles Peskine196d73b2021-10-19 16:35:35 +0200[diff] [blame]1592 fi
1593}
1594
Ronald Cron097ba142023-03-08 16:18:00 +0100[diff] [blame]1595# Detect if the current test is going to use TLS 1.3 or TLS 1.2.
Valerio Setti194e2bd2023-03-02 17:18:10 +0100[diff] [blame]1596# $1 and $2 contain the server and client command lines, respectively.
Valerio Setti213c4ea2023-03-07 19:29:57 +0100[diff] [blame]1597#
1598# Note: this function only provides some guess about TLS version by simply
Yanray Wang7b320fa2023-11-08 10:33:30 +0800[diff] [blame]1599# looking at the server/client command lines. Even though this works
Valerio Setti213c4ea2023-03-07 19:29:57 +0100[diff] [blame]1600# for the sake of tests' filtering (especially in conjunction with the
1601# detect_required_features() function), it does NOT guarantee that the
1602# result is accurate. It does not check other conditions, such as:
Valerio Setti213c4ea2023-03-07 19:29:57 +0100[diff] [blame]1603# - we can force a ciphersuite which contains "WITH" in its name, meaning
1604# that we are going to use TLS 1.2
1605# - etc etc
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]1606get_tls_version() {
Ronald Cron097ba142023-03-08 16:18:00 +0100[diff] [blame]1607 # First check if the version is forced on an Mbed TLS peer
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]1608 case $1 in
Ronald Cron097ba142023-03-08 16:18:00 +0100[diff] [blame]1609 *tls12*)
1610 echo "TLS12"
1611 return;;
1612 *tls13*)
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]1613 echo "TLS13"
1614 return;;
1615 esac
1616 case $2 in
Ronald Cron097ba142023-03-08 16:18:00 +0100[diff] [blame]1617 *tls12*)
1618 echo "TLS12"
1619 return;;
1620 *tls13*)
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]1621 echo "TLS13"
1622 return;;
1623 esac
Ronald Cron097ba142023-03-08 16:18:00 +0100[diff] [blame]1624 # Second check if the version is forced on an OpenSSL or GnuTLS peer
1625 case $1 in
1626 tls1_2*)
1627 echo "TLS12"
1628 return;;
1629 *tls1_3)
1630 echo "TLS13"
1631 return;;
1632 esac
1633 case $2 in
1634 *tls1_2)
1635 echo "TLS12"
1636 return;;
1637 *tls1_3)
1638 echo "TLS13"
1639 return;;
1640 esac
1641 # Third if the version is not forced, if TLS 1.3 is enabled then the test
1642 # is aimed to run a TLS 1.3 handshake.
1643 if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_3
1644 then
1645 echo "TLS13"
1646 else
1647 echo "TLS12"
1648 fi
Valerio Setti1af76d12023-02-23 15:55:10 +0100[diff] [blame]1649}
1650
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1651# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
1652# Options: -s pattern pattern that must be present in server output
1653# -c pattern pattern that must be present in client output
1654# -u pattern lines after pattern must be unique in client output
1655# -f call shell function on client output
1656# -S pattern pattern that must be absent in server output
1657# -C pattern pattern that must be absent in client output
1658# -U pattern lines after pattern must be unique in server output
1659# -F call shell function on server output
1660# -g call shell function on server and client output
1661run_test() {
1662 NAME="$1"
1663 shift 1
1664
Tomás González787428a2023-08-23 15:27:19 +0100[diff] [blame]1665 if is_excluded "$NAME"; then
1666 SKIP_NEXT="NO"
1667 # There was no request to run the test, so don't record its outcome.
1668 return
1669 fi
1670
Tomás González37a87392023-09-01 11:25:44 +0100[diff] [blame]1671 if [ "$LIST_TESTS" -gt 0 ]; then
Pengyu Lv3c170d32023-11-29 13:53:34 +0800[diff] [blame]1672 printf "%s\n" "${TEST_SUITE_NAME:-ssl-opt};$NAME"
Tomás González37a87392023-09-01 11:25:44 +0100[diff] [blame]1673 return
1674 fi
1675
Jerry Yu50d07bd2023-11-06 10:49:01 +0800[diff] [blame]1676 # Use ssl-opt as default test suite name. Also see record_outcome function
1677 if is_excluded_test_suite "${TEST_SUITE_NAME:-ssl-opt}"; then
1678 # Do not skip next test and skip current test.
1679 SKIP_NEXT="NO"
1680 return
1681 fi
1682
Tomás González51cb7042023-09-07 10:21:19 +0100[diff] [blame]1683 print_name "$NAME"
1684
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1685 # Do we only run numbered tests?
1686 if [ -n "$RUN_TEST_NUMBER" ]; then
1687 case ",$RUN_TEST_NUMBER," in
1688 *",$TESTS,"*) :;;
1689 *) SKIP_NEXT="YES";;
1690 esac
1691 fi
1692
1693 # does this test use a proxy?
1694 if [ "X$1" = "X-p" ]; then
1695 PXY_CMD="$2"
1696 shift 2
1697 else
1698 PXY_CMD=""
1699 fi
1700
1701 # get commands and client output
1702 SRV_CMD="$1"
1703 CLI_CMD="$2"
1704 CLI_EXPECT="$3"
1705 shift 3
1706
1707 # Check if test uses files
1708 case "$SRV_CMD $CLI_CMD" in
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]1709 *$DATA_FILES_PATH/*)
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1710 requires_config_enabled MBEDTLS_FS_IO;;
1711 esac
1712
Gilles Peskine82a4ab22022-02-25 19:46:30 +0100[diff] [blame]1713 # Check if the test uses DTLS.
1714 detect_dtls "$SRV_CMD"
1715 if [ "$DTLS" -eq 1 ]; then
1716 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
1717 fi
1718
Yanray Wang7b320fa2023-11-08 10:33:30 +0800[diff] [blame]1719 # Check if we are trying to use an external tool which does not support ECDH
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]1720 EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
1721
Valerio Setti726ffbf2023-08-02 20:02:44 +0200[diff] [blame]1722 # Guess the TLS version which is going to be used
1723 if [ "$EXT_WO_ECDH" = "no" ]; then
1724 TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
1725 else
1726 TLS_VERSION="TLS12"
1727 fi
1728
1729 # If the client or server requires certain features that can be detected
Manuel Pégourié-Gonnardf299efd2023-09-18 11:19:04 +0200[diff] [blame]1730 # from their command-line arguments, check whether they're enabled.
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]1731 detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
1732 detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1733
Gilles Peskine6e86e542022-02-25 19:52:52 +0100[diff] [blame]1734 # If we're in a PSK-only build and the test can be adapted to PSK, do that.
1735 maybe_adapt_for_psk "$@"
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1736
1737 # should we skip?
1738 if [ "X$SKIP_NEXT" = "XYES" ]; then
1739 SKIP_NEXT="NO"
1740 record_outcome "SKIP"
1741 SKIPS=$(( $SKIPS + 1 ))
1742 return
1743 fi
1744
1745 analyze_test_commands "$@"
1746
Andrzej Kurek8db7c0e2022-04-01 08:52:06 -0400[diff] [blame]1747 # One regular run and two retries
1748 TIMES_LEFT=3
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1749 while [ $TIMES_LEFT -gt 0 ]; do
1750 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
1751
Gilles Peskine196d73b2021-10-19 16:35:35 +0200[diff] [blame]1752 do_run_test_once
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1753
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1754 check_test_failure "$@"
1755 case $outcome in
1756 PASS) break;;
Gilles Peskinef11d30e2021-10-19 18:00:10 +0200[diff] [blame]1757 RETRY*) printf "$outcome ";;
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1758 FAIL) return;;
1759 esac
Gilles Peskine236bf982021-10-19 16:25:10 +0200[diff] [blame]1760 done
1761
Gilles Peskine0e3534c2021-10-19 17:23:25 +0200[diff] [blame]1762 # If we get this far, the test case passed.
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]1763 record_outcome "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1764 if [ "$PRESERVE_LOGS" -gt 0 ]; then
1765 mv $SRV_OUT o-srv-${TESTS}.log
1766 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]1767 if [ -n "$PXY_CMD" ]; then
1768 mv $PXY_OUT o-pxy-${TESTS}.log
1769 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1770 fi
1771
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1772 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1773}
1774
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1775run_test_psa() {
1776 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1777 set_maybe_calc_verify none
Hanno Beckere9420c22018-11-20 11:37:34 +0000[diff] [blame]1778 run_test "PSA-supported ciphersuite: $1" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]1779 "$P_SRV debug_level=3 force_version=tls12" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]1780 "$P_CLI debug_level=3 force_ciphersuite=$1" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1781 0 \
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1782 -c "$maybe_calc_verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1783 -c "calc PSA finished" \
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1784 -s "$maybe_calc_verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1785 -s "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1786 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1787 -c "Perform PSA-based ECDH computation."\
Andrzej Kureke85414e2019-01-15 05:23:59 -0500[diff] [blame]1788 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1789 -S "error" \
1790 -C "error"
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1791 unset maybe_calc_verify
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1792}
1793
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1794run_test_psa_force_curve() {
1795 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1796 set_maybe_calc_verify none
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1797 run_test "PSA - ECDH with $1" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]1798 "$P_SRV debug_level=4 force_version=tls12 groups=$1" \
1799 "$P_CLI debug_level=4 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 groups=$1" \
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1800 0 \
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1801 -c "$maybe_calc_verify" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1802 -c "calc PSA finished" \
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1803 -s "$maybe_calc_verify" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1804 -s "calc PSA finished" \
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1805 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1806 -c "Perform PSA-based ECDH computation."\
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1807 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1808 -S "error" \
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1809 -C "error"
Gilles Peskine309ca652022-03-14 17:55:04 +0100[diff] [blame]1810 unset maybe_calc_verify
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1811}
1812
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1813# Test that the server's memory usage after a handshake is reduced when a client specifies
1814# a maximum fragment length.
1815# first argument ($1) is MFL for SSL client
1816# second argument ($2) is memory usage for SSL client with default MFL (16k)
1817run_test_memory_after_hanshake_with_mfl()
1818{
1819 # The test passes if the difference is around 2*(16k-MFL)
Gilles Peskine5b428d72020-08-26 21:52:23 +0200[diff] [blame]1820 MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1821
1822 # Leave some margin for robustness
1823 MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))"
1824
1825 run_test "Handshake memory usage (MFL $1)" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]1826 "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]1827 "$P_CLI debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]1828 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1829 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
1830 0 \
1831 -F "handshake_memory_check $MEMORY_USAGE_LIMIT"
1832}
1833
1834
1835# Test that the server's memory usage after a handshake is reduced when a client specifies
1836# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
1837run_tests_memory_after_hanshake()
1838{
1839 # all tests in this sequence requires the same configuration (see requires_config_enabled())
1840 SKIP_THIS_TESTS="$SKIP_NEXT"
1841
1842 # first test with default MFU is to get reference memory usage
1843 MEMORY_USAGE_MFL_16K=0
1844 run_test "Handshake memory usage initial (MFL 16384 - default)" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]1845 "$P_SRV debug_level=3 auth_mode=required force_version=tls12" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]1846 "$P_CLI debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]1847 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1848 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
1849 0 \
1850 -F "handshake_memory_get MEMORY_USAGE_MFL_16K"
1851
1852 SKIP_NEXT="$SKIP_THIS_TESTS"
1853 run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
1854
1855 SKIP_NEXT="$SKIP_THIS_TESTS"
1856 run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
1857
1858 SKIP_NEXT="$SKIP_THIS_TESTS"
1859 run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
1860
1861 SKIP_NEXT="$SKIP_THIS_TESTS"
1862 run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
1863}
1864
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1865cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1866 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]1867 rm -f context_srv.txt
1868 rm -f context_cli.txt
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1869 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
1870 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
1871 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
1872 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1873 exit 1
1874}
1875
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1876#
1877# MAIN
1878#
1879
Yanray Wang5b33f642023-02-28 11:56:59 +0800[diff] [blame]1880# Make the outcome file path relative to the original directory, not
1881# to .../tests
1882case "$MBEDTLS_TEST_OUTCOME_FILE" in
1883 [!/]*)
1884 MBEDTLS_TEST_OUTCOME_FILE="$ORIGINAL_PWD/$MBEDTLS_TEST_OUTCOME_FILE"
1885 ;;
1886esac
1887
Andrzej Kurek9c061a22022-09-05 10:51:19 -0400[diff] [blame]1888populate_enabled_hash_algs
1889
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1890# Optimize filters: if $FILTER and $EXCLUDE can be expressed as shell
1891# patterns rather than regular expressions, use a case statement instead
1892# of calling grep. To keep the optimizer simple, it is incomplete and only
1893# detects simple cases: plain substring, everything, nothing.
1894#
1895# As an exception, the character '.' is treated as an ordinary character
1896# if it is the only special character in the string. This is because it's
1897# rare to need "any one character", but needing a literal '.' is common
1898# (e.g. '-f "DTLS 1.2"').
1899need_grep=
1900case "$FILTER" in
1901 '^$') simple_filter=;;
1902 '.*') simple_filter='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1903 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1904 need_grep=1;;
1905 *) # No regexp or shell-pattern special character
1906 simple_filter="*$FILTER*";;
1907esac
1908case "$EXCLUDE" in
1909 '^$') simple_exclude=;;
1910 '.*') simple_exclude='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1911 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1912 need_grep=1;;
1913 *) # No regexp or shell-pattern special character
1914 simple_exclude="*$EXCLUDE*";;
1915esac
1916if [ -n "$need_grep" ]; then
1917 is_excluded () {
1918 ! echo "$1" | grep "$FILTER" | grep -q -v "$EXCLUDE"
1919 }
1920else
1921 is_excluded () {
1922 case "$1" in
1923 $simple_exclude) true;;
1924 $simple_filter) false;;
1925 *) true;;
1926 esac
1927 }
1928fi
1929
Jerry Yu50d07bd2023-11-06 10:49:01 +0800[diff] [blame]1930# Filter tests according to TEST_SUITE_NAME
1931is_excluded_test_suite () {
1932 if [ -n "$RUN_TEST_SUITE" ]
1933 then
1934 case ",$RUN_TEST_SUITE," in
1935 *",$1,"*) false;;
1936 *) true;;
1937 esac
1938 else
1939 false
1940 fi
1941
1942}
1943
1944
Tomás González06956a12023-08-23 15:46:20 +0100[diff] [blame]1945if [ "$LIST_TESTS" -eq 0 ];then
1946
1947 # sanity checks, avoid an avalanche of errors
1948 P_SRV_BIN="${P_SRV%%[ ]*}"
1949 P_CLI_BIN="${P_CLI%%[ ]*}"
1950 P_PXY_BIN="${P_PXY%%[ ]*}"
1951 if [ ! -x "$P_SRV_BIN" ]; then
1952 echo "Command '$P_SRV_BIN' is not an executable file"
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1953 exit 1
1954 fi
Tomás González06956a12023-08-23 15:46:20 +0100[diff] [blame]1955 if [ ! -x "$P_CLI_BIN" ]; then
1956 echo "Command '$P_CLI_BIN' is not an executable file"
1957 exit 1
1958 fi
1959 if [ ! -x "$P_PXY_BIN" ]; then
1960 echo "Command '$P_PXY_BIN' is not an executable file"
1961 exit 1
1962 fi
1963 if [ "$MEMCHECK" -gt 0 ]; then
1964 if which valgrind >/dev/null 2>&1; then :; else
1965 echo "Memcheck not possible. Valgrind not found"
1966 exit 1
1967 fi
1968 fi
1969 if which $OPENSSL >/dev/null 2>&1; then :; else
1970 echo "Command '$OPENSSL' not found"
1971 exit 1
1972 fi
1973
1974 # used by watchdog
1975 MAIN_PID="$$"
1976
1977 # We use somewhat arbitrary delays for tests:
1978 # - how long do we wait for the server to start (when lsof not available)?
1979 # - how long do we allow for the client to finish?
1980 # (not to check performance, just to avoid waiting indefinitely)
1981 # Things are slower with valgrind, so give extra time here.
1982 #
1983 # Note: without lsof, there is a trade-off between the running time of this
1984 # script and the risk of spurious errors because we didn't wait long enough.
1985 # The watchdog delay on the other hand doesn't affect normal running time of
1986 # the script, only the case where a client or server gets stuck.
1987 if [ "$MEMCHECK" -gt 0 ]; then
1988 START_DELAY=6
1989 DOG_DELAY=60
1990 else
1991 START_DELAY=2
1992 DOG_DELAY=20
1993 fi
1994
1995 # some particular tests need more time:
1996 # - for the client, we multiply the usual watchdog limit by a factor
1997 # - for the server, we sleep for a number of seconds after the client exits
1998 # see client_need_more_time() and server_needs_more_time()
1999 CLI_DELAY_FACTOR=1
2000 SRV_DELAY_SECONDS=0
2001
2002 # fix commands to use this port, force IPv4 while at it
2003 # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
2004 # Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
2005 # machines that will resolve to ::1, and we don't want ipv6 here.
2006 P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
2007 P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
2008 P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
2009 O_SRV="$O_SRV -accept $SRV_PORT"
2010 O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
2011 G_SRV="$G_SRV -p $SRV_PORT"
2012 G_CLI="$G_CLI -p +SRV_PORT"
2013
2014 # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
2015 # low-security ones. This covers not just cipher suites but also protocol
2016 # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
2017 # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
2018 # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
2019 # a way to discover it from -help, so check the openssl version.
2020 case $($OPENSSL version) in
2021 "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
2022 *)
2023 O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"
2024 O_SRV="$O_SRV -cipher ALL@SECLEVEL=0"
2025 ;;
2026 esac
2027
2028 if [ -n "${OPENSSL_NEXT:-}" ]; then
2029 O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
2030 O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
2031 O_NEXT_SRV_EARLY_DATA="$O_NEXT_SRV_EARLY_DATA -accept $SRV_PORT"
2032 O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
2033 O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
2034 fi
2035
2036 if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
2037 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
2038 G_NEXT_SRV_NO_CERT="$G_NEXT_SRV_NO_CERT -p $SRV_PORT"
2039 fi
2040
2041 if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
2042 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
2043 G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
2044 fi
2045
2046 # Allow SHA-1, because many of our test certificates use it
2047 P_SRV="$P_SRV allow_sha1=1"
2048 P_CLI="$P_CLI allow_sha1=1"
2049
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]2050fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2051# Also pick a unique name for intermediate files
2052SRV_OUT="srv_out.$$"
2053CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]2054PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2055SESSION="session.$$"
2056
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]2057SKIP_NEXT="NO"
2058
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]2059trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]2060
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]2061# Basic test
2062
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]2063# Checks that:
2064# - things work with all ciphersuites active (used with config-full in all.sh)
Gilles Peskine799eee62021-06-02 22:14:15 +0200[diff] [blame]2065# - the expected parameters are selected
Gilles Peskine35615262022-02-25 19:50:38 +0100[diff] [blame]2066requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2067requires_hash_alg SHA_512 # "signature_algorithm ext: 6"
Valerio Setti482a0b92023-08-18 15:55:10 +0200[diff] [blame]2068requires_any_configs_enabled "MBEDTLS_ECP_DP_CURVE25519_ENABLED \
2069 PSA_WANT_ECC_MONTGOMERY_255"
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2070run_test "Default, TLS 1.2" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]2071 "$P_SRV debug_level=3" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2072 "$P_CLI force_version=tls12" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]2073 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]2074 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]2075 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]2076 -s "client hello v3, signature_algorithm ext: 6" \
Gilles Peskine799eee62021-06-02 22:14:15 +0200[diff] [blame]2077 -s "ECDHE curve: x25519" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]2078 -S "error" \
2079 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]2080
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2081requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine35615262022-02-25 19:50:38 +0100[diff] [blame]2082requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]2083run_test "Default, DTLS" \
2084 "$P_SRV dtls=1" \
2085 "$P_CLI dtls=1" \
2086 0 \
2087 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]2088 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]2089
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]2090requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Hanno Becker721f7c12020-08-17 12:17:32 +0100[diff] [blame]2091run_test "TLS client auth: required" \
2092 "$P_SRV auth_mode=required" \
2093 "$P_CLI" \
2094 0 \
2095 -s "Verifying peer X.509 certificate... ok"
2096
Glenn Strauss6eef5632022-01-23 08:37:02 -0500[diff] [blame]2097run_test "key size: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2098 "$P_SRV" \
2099 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2100 0 \
2101 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2102 -c "Key size is 256"
2103
2104run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2105 "$P_SRV" \
2106 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2107 0 \
2108 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2109 -c "Key size is 128"
2110
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2111requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settidd43d7b2023-11-09 14:10:51 +0100[diff] [blame]2112requires_config_enabled MBEDTLS_MD_CAN_MD5
2113# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
2114# module does not support PSA dispatching so we need builtin support.
2115requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
2116requires_config_enabled MBEDTLS_AES_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2117requires_hash_alg SHA_256
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2118run_test "TLS: password protected client key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2119 "$P_SRV force_version=tls12 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2120 "$P_CLI crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2121 0
2122
2123requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settidd43d7b2023-11-09 14:10:51 +0100[diff] [blame]2124requires_config_enabled MBEDTLS_MD_CAN_MD5
2125# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
2126# module does not support PSA dispatching so we need builtin support.
2127requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
2128requires_config_enabled MBEDTLS_AES_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2129requires_hash_alg SHA_256
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2130run_test "TLS: password protected server key" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2131 "$P_SRV crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2132 "$P_CLI force_version=tls12" \
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2133 0
2134
2135requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2136requires_config_enabled MBEDTLS_RSA_C
Valerio Settidd43d7b2023-11-09 14:10:51 +0100[diff] [blame]2137requires_config_enabled MBEDTLS_MD_CAN_MD5
2138# server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
2139# module does not support PSA dispatching so we need builtin support.
2140requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
2141requires_config_enabled MBEDTLS_AES_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2142requires_hash_alg SHA_256
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2143run_test "TLS: password protected server key, two certificates" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2144 "$P_SRV force_version=tls12\
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2145 key_file=$DATA_FILES_PATH/server5.key.enc key_pwd=PolarSSLTest crt_file=$DATA_FILES_PATH/server5.crt \
2146 key_file2=$DATA_FILES_PATH/server2.key.enc key_pwd2=PolarSSLTest crt_file2=$DATA_FILES_PATH/server2.crt" \
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]2147 "$P_CLI" \
2148 0
2149
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2150requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
2151run_test "CA callback on client" \
2152 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]2153 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 " \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2154 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]2155 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2156 -S "error" \
2157 -C "error"
2158
2159requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
2160requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2161requires_hash_alg SHA_256
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2162run_test "CA callback on server" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]2163 "$P_SRV force_version=tls12 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2164 "$P_CLI ca_callback=1 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt \
2165 key_file=$DATA_FILES_PATH/server5.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2166 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]2167 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]2168 -s "Verifying peer X.509 certificate... ok" \
2169 -S "error" \
2170 -C "error"
2171
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2172# Test using an EC opaque private key for client authentication
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]2173requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2174requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]2175requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2176requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2177run_test "Opaque key for client authentication: ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2178 "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt \
2179 key_file=$DATA_FILES_PATH/server5.key" \
2180 "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2181 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]2182 0 \
2183 -c "key type: Opaque" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2184 -c "Ciphersuite is TLS-ECDHE-ECDSA" \
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]2185 -s "Verifying peer X.509 certificate... ok" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2186 -s "Ciphersuite is TLS-ECDHE-ECDSA" \
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]2187 -S "error" \
2188 -C "error"
2189
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2190# Test using a RSA opaque private key for client authentication
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2191requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2192requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2193requires_config_enabled MBEDTLS_RSA_C
valeriof27472b2023-03-09 16:19:35 +0100[diff] [blame]2194requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2195requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2196run_test "Opaque key for client authentication: ECDHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2197 "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2198 key_file=$DATA_FILES_PATH/server2.key" \
2199 "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2200 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2201 0 \
2202 -c "key type: Opaque" \
2203 -c "Ciphersuite is TLS-ECDHE-RSA" \
2204 -s "Verifying peer X.509 certificate... ok" \
2205 -s "Ciphersuite is TLS-ECDHE-RSA" \
2206 -S "error" \
2207 -C "error"
2208
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2209requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2210requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
2211requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2212requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2213run_test "Opaque key for client authentication: DHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2214 "$P_SRV force_version=tls12 auth_mode=required crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2215 key_file=$DATA_FILES_PATH/server2.key" \
2216 "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2217 key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2218 key_opaque_algs=rsa-sign-pkcs1,none" \
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2219 0 \
2220 -c "key type: Opaque" \
2221 -c "Ciphersuite is TLS-DHE-RSA" \
2222 -s "Verifying peer X.509 certificate... ok" \
2223 -s "Ciphersuite is TLS-DHE-RSA" \
2224 -S "error" \
2225 -C "error"
2226
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2227# Test using an EC opaque private key for server authentication
Przemyslaw Stekiel0483e3d2021-10-04 11:13:22 +0200[diff] [blame]2228requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2229requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]2230requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2231requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2232run_test "Opaque key for server authentication: ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2233 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2234 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2235 "$P_CLI force_version=tls12" \
Przemyslaw Stekiel0483e3d2021-10-04 11:13:22 +0200[diff] [blame]2236 0 \
2237 -c "Verifying peer X.509 certificate... ok" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2238 -c "Ciphersuite is TLS-ECDHE-ECDSA" \
Gilles Peskine05bf89d2022-01-25 17:50:25 +0100[diff] [blame]2239 -s "key types: Opaque, none" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2240 -s "Ciphersuite is TLS-ECDHE-ECDSA" \
Przemyslaw Stekiel0483e3d2021-10-04 11:13:22 +0200[diff] [blame]2241 -S "error" \
2242 -C "error"
2243
Neil Armstrong023bf8d2022-03-23 14:04:04 +0100[diff] [blame]2244requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2245requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2246requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2247run_test "Opaque key for server authentication: ECDH-" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2248 "$P_SRV auth_mode=required key_opaque=1\
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2249 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\
2250 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2251 "$P_CLI force_version=tls12" \
Neil Armstrong023bf8d2022-03-23 14:04:04 +0100[diff] [blame]2252 0 \
2253 -c "Verifying peer X.509 certificate... ok" \
2254 -c "Ciphersuite is TLS-ECDH-" \
2255 -s "key types: Opaque, none" \
2256 -s "Ciphersuite is TLS-ECDH-" \
2257 -S "error" \
2258 -C "error"
2259
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2260requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2261requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2262requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2263requires_hash_alg SHA_256
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2264run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2265 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2266 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2267 debug_level=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2268 "$P_CLI force_version=tls12" \
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2269 1 \
2270 -s "key types: Opaque, none" \
2271 -s "error" \
2272 -c "error" \
2273 -c "Public key type mismatch"
2274
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2275requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2276requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
2277requires_config_enabled MBEDTLS_ECDSA_C
2278requires_config_enabled MBEDTLS_RSA_C
2279requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
2280requires_hash_alg SHA_256
2281run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2282 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2283 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2284 debug_level=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2285 "$P_CLI force_version=tls12" \
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2286 1 \
2287 -s "key types: Opaque, none" \
2288 -s "error" \
2289 -c "error" \
2290 -c "Public key type mismatch"
2291
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2292requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2293requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2294requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
2295requires_hash_alg SHA_256
2296run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2297 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2298 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=rsa-decrypt,none \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2299 debug_level=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2300 "$P_CLI force_version=tls12" \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2301 1 \
2302 -s "key types: Opaque, none" \
2303 -s "got ciphersuites in common, but none of them usable" \
2304 -s "error" \
2305 -c "error"
2306
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2307requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2308requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrongeb4390b2022-05-27 10:26:02 +0200[diff] [blame]2309requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2310requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2311requires_hash_alg SHA_256
Andrzej Kurekd6817462022-09-06 14:32:00 -0400[diff] [blame]2312run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2313 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2314 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
Neil Armstrongeb4390b2022-05-27 10:26:02 +0200[diff] [blame]2315 debug_level=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2316 "$P_CLI force_version=tls12" \
Neil Armstrongeb4390b2022-05-27 10:26:02 +0200[diff] [blame]2317 1 \
2318 -s "key types: Opaque, none" \
2319 -s "got ciphersuites in common, but none of them usable" \
2320 -s "error" \
2321 -c "error"
2322
Neil Armstrongeb4390b2022-05-27 10:26:02 +0200[diff] [blame]2323requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2324requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2325requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2326run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2327 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2328 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2329 debug_level=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2330 "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2331 1 \
2332 -s "key types: Opaque, none" \
2333 -s "got ciphersuites in common, but none of them usable" \
2334 -s "error" \
2335 -c "error"
2336
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2337requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2338requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]2339requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2340requires_hash_alg SHA_256
Neil Armstrongc67e6e92022-07-01 15:48:10 +0200[diff] [blame]2341requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2342run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2343 "$P_SRV force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \
2344 key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdh,none \
2345 crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2346 key_opaque_algs2=ecdsa-sign,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2347 "$P_CLI force_version=tls12" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2348 0 \
2349 -c "Verifying peer X.509 certificate... ok" \
2350 -c "Ciphersuite is TLS-ECDHE-ECDSA" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2351 -c "CN=Polarssl Test EC CA" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2352 -s "key types: Opaque, Opaque" \
2353 -s "Ciphersuite is TLS-ECDHE-ECDSA" \
2354 -S "error" \
2355 -C "error"
2356
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2357requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2358requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2359requires_hash_alg SHA_384
Neil Armstrongc67e6e92022-07-01 15:48:10 +0200[diff] [blame]2360requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2361run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2362 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \
2363 key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdsa-sign,none \
2364 crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2365 key_opaque_algs2=ecdh,none debug_level=3" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2366 "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2367 0 \
2368 -c "Verifying peer X.509 certificate... ok" \
2369 -c "Ciphersuite is TLS-ECDH-ECDSA" \
2370 -c "CN=Polarssl Test EC CA" \
2371 -s "key types: Opaque, Opaque" \
2372 -s "Ciphersuite is TLS-ECDH-ECDSA" \
2373 -S "error" \
2374 -C "error"
2375
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2376requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2377requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2378requires_hash_alg SHA_384
Neil Armstrongc67e6e92022-07-01 15:48:10 +0200[diff] [blame]2379requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2380run_test "Opaque keys for server authentication: EC + RSA, force ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2381 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2382 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \
2383 crt_file2=$DATA_FILES_PATH/server2-sha256.crt \
2384 key_file2=$DATA_FILES_PATH/server2.key key_opaque_algs2=rsa-sign-pkcs1,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2385 "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2386 0 \
2387 -c "Verifying peer X.509 certificate... ok" \
2388 -c "Ciphersuite is TLS-ECDHE-ECDSA" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2389 -c "CN=Polarssl Test EC CA" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2390 -s "key types: Opaque, Opaque" \
2391 -s "Ciphersuite is TLS-ECDHE-ECDSA" \
2392 -S "error" \
2393 -C "error"
2394
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2395requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
2396requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2397requires_config_enabled MBEDTLS_RSA_C
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2398requires_config_enabled MBEDTLS_SSL_SRV_C
2399requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron6ec21232022-09-16 16:41:53 +0200[diff] [blame]2400run_test "TLS 1.3 opaque key: no suitable algorithm found" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]2401 "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-decrypt,none" \
Ronald Crone3196d22022-09-16 16:43:35 +0200[diff] [blame]2402 "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2403 1 \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2404 -c "key type: Opaque" \
2405 -s "key types: Opaque, Opaque" \
2406 -c "error" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]2407 -s "no suitable signature algorithm"
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2408
2409requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
2410requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2411requires_config_enabled MBEDTLS_RSA_C
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2412requires_config_enabled MBEDTLS_SSL_SRV_C
2413requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron6ec21232022-09-16 16:41:53 +0200[diff] [blame]2414run_test "TLS 1.3 opaque key: suitable algorithm found" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]2415 "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Ronald Crone3196d22022-09-16 16:43:35 +0200[diff] [blame]2416 "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2417 0 \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2418 -c "key type: Opaque" \
2419 -s "key types: Opaque, Opaque" \
2420 -C "error" \
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2421 -S "error"
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2422
2423requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
2424requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2425requires_config_enabled MBEDTLS_RSA_C
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2426requires_config_enabled MBEDTLS_SSL_SRV_C
2427requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron50969e32022-09-16 15:54:33 +0200[diff] [blame]2428run_test "TLS 1.3 opaque key: first client sig alg not suitable" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]2429 "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs=rsa-sign-pss-sha512,none" \
Ronald Cron50969e32022-09-16 15:54:33 +0200[diff] [blame]2430 "$P_CLI debug_level=4 sig_algs=rsa_pss_rsae_sha256,rsa_pss_rsae_sha512" \
2431 0 \
Ronald Cron50969e32022-09-16 15:54:33 +0200[diff] [blame]2432 -s "key types: Opaque, Opaque" \
2433 -s "CertificateVerify signature failed with rsa_pss_rsae_sha256" \
2434 -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
2435 -C "error" \
2436 -S "error" \
2437
2438requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
2439requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2440requires_config_enabled MBEDTLS_RSA_C
Jerry Yuddda0502022-12-01 19:43:12 +0800[diff] [blame]2441requires_config_enabled MBEDTLS_SSL_SRV_C
2442requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron6ec21232022-09-16 16:41:53 +0200[diff] [blame]2443run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]2444 "$P_SRV debug_level=4 auth_mode=required key_opaque=1 key_opaque_algs2=ecdsa-sign,none key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Ronald Crone3196d22022-09-16 16:43:35 +0200[diff] [blame]2445 "$P_CLI debug_level=4 key_opaque=1 key_opaque_algs=rsa-decrypt,rsa-sign-pss" \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2446 0 \
Przemek Stekielc454aba2022-07-07 09:56:13 +0200[diff] [blame]2447 -c "key type: Opaque" \
2448 -s "key types: Opaque, Opaque" \
2449 -C "error" \
2450 -S "error" \
2451
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2452# Test using a RSA opaque private key for server authentication
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2453requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2454requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2455requires_config_enabled MBEDTLS_RSA_C
valeriof27472b2023-03-09 16:19:35 +0100[diff] [blame]2456requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2457requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2458run_test "Opaque key for server authentication: ECDHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2459 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2460 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2461 "$P_CLI force_version=tls12" \
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2462 0 \
2463 -c "Verifying peer X.509 certificate... ok" \
2464 -c "Ciphersuite is TLS-ECDHE-RSA" \
2465 -s "key types: Opaque, none" \
2466 -s "Ciphersuite is TLS-ECDHE-RSA" \
2467 -S "error" \
2468 -C "error"
2469
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2470requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2471requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2472requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2473requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2474run_test "Opaque key for server authentication: DHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2475 "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2476 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2477 "$P_CLI force_version=tls12 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2478 0 \
2479 -c "Verifying peer X.509 certificate... ok" \
2480 -c "Ciphersuite is TLS-DHE-RSA" \
2481 -s "key types: Opaque, none" \
2482 -s "Ciphersuite is TLS-DHE-RSA" \
2483 -S "error" \
2484 -C "error"
2485
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2486requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2487requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2488requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2489requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2490run_test "Opaque key for server authentication: RSA-PSK" \
2491 "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]2492 psk=73776f726466697368 psk_identity=foo" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2493 "$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]2494 psk=73776f726466697368 psk_identity=foo" \
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2495 0 \
2496 -c "Verifying peer X.509 certificate... ok" \
2497 -c "Ciphersuite is TLS-RSA-PSK-" \
2498 -s "key types: Opaque, Opaque" \
2499 -s "Ciphersuite is TLS-RSA-PSK-" \
2500 -S "error" \
2501 -C "error"
2502
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2503requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2504requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
2505requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2506requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2507run_test "Opaque key for server authentication: RSA-" \
2508 "$P_SRV debug_level=3 key_opaque=1 key_opaque_algs=rsa-decrypt,none " \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2509 "$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA256" \
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2510 0 \
2511 -c "Verifying peer X.509 certificate... ok" \
2512 -c "Ciphersuite is TLS-RSA-" \
2513 -s "key types: Opaque, Opaque" \
2514 -s "Ciphersuite is TLS-RSA-" \
2515 -S "error" \
2516 -C "error"
2517
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2518requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2519requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2520requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2521requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2522run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2523 "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2524 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
2525 "$P_CLI crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2526 key_file=$DATA_FILES_PATH/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2527 1 \
2528 -s "key types: Opaque, none" \
2529 -s "got ciphersuites in common, but none of them usable" \
2530 -s "error" \
2531 -c "error"
2532
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2533requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2534requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2535requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2536requires_hash_alg SHA_256
Neil Armstrongc67e6e92022-07-01 15:48:10 +0200[diff] [blame]2537requires_config_disabled MBEDTLS_X509_REMOVE_INFO
valeriof27472b2023-03-09 16:19:35 +0100[diff] [blame]2538requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2539run_test "Opaque keys for server authentication: RSA keys with different algs" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2540 "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2541 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pss,none \
2542 crt_file2=$DATA_FILES_PATH/server4.crt \
2543 key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2544 "$P_CLI force_version=tls12" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2545 0 \
2546 -c "Verifying peer X.509 certificate... ok" \
2547 -c "Ciphersuite is TLS-ECDHE-RSA" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2548 -c "CN=Polarssl Test EC CA" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2549 -s "key types: Opaque, Opaque" \
2550 -s "Ciphersuite is TLS-ECDHE-RSA" \
2551 -S "error" \
2552 -C "error"
2553
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2554requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2555requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2556requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2557requires_hash_alg SHA_384
Neil Armstrongc67e6e92022-07-01 15:48:10 +0200[diff] [blame]2558requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2559run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2560 "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2561 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none \
2562 crt_file2=$DATA_FILES_PATH/server4.crt \
2563 key_file2=$DATA_FILES_PATH/server4.key key_opaque_algs2=rsa-sign-pkcs1,none" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2564 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2565 0 \
2566 -c "Verifying peer X.509 certificate... ok" \
2567 -c "Ciphersuite is TLS-DHE-RSA" \
Neil Armstrong4b102092022-07-01 09:42:29 +0200[diff] [blame]2568 -c "CN=Polarssl Test EC CA" \
Neil Armstrong167d82c2022-06-30 11:32:00 +0200[diff] [blame]2569 -s "key types: Opaque, Opaque" \
2570 -s "Ciphersuite is TLS-DHE-RSA" \
2571 -S "error" \
2572 -C "error"
2573
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2574# Test using an EC opaque private key for client/server authentication
Przemyslaw Stekiel575f23c2021-10-06 11:31:49 +0200[diff] [blame]2575requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2576requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]2577requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2578requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2579run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2580 "$P_SRV force_version=tls12 auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2581 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
2582 "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server5.crt \
2583 key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdsa-sign,none" \
Przemyslaw Stekiel575f23c2021-10-06 11:31:49 +0200[diff] [blame]2584 0 \
2585 -c "key type: Opaque" \
2586 -c "Verifying peer X.509 certificate... ok" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2587 -c "Ciphersuite is TLS-ECDHE-ECDSA" \
Gilles Peskine05bf89d2022-01-25 17:50:25 +0100[diff] [blame]2588 -s "key types: Opaque, none" \
Przemyslaw Stekiel575f23c2021-10-06 11:31:49 +0200[diff] [blame]2589 -s "Verifying peer X.509 certificate... ok" \
Przemyslaw Stekielbb5d4832021-10-26 12:25:27 +0200[diff] [blame]2590 -s "Ciphersuite is TLS-ECDHE-ECDSA" \
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]2591 -S "error" \
2592 -C "error"
2593
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2594# Test using a RSA opaque private key for client/server authentication
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2595requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2596requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2597requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2598requires_hash_alg SHA_256
valeriof27472b2023-03-09 16:19:35 +0100[diff] [blame]2599requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2600run_test "Opaque key for client/server authentication: ECDHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2601 "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2602 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
2603 "$P_CLI force_version=tls12 key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2604 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
Neil Armstrong3e9a1422022-03-21 10:03:46 +0100[diff] [blame]2605 0 \
2606 -c "key type: Opaque" \
2607 -c "Verifying peer X.509 certificate... ok" \
2608 -c "Ciphersuite is TLS-ECDHE-RSA" \
2609 -s "key types: Opaque, none" \
2610 -s "Verifying peer X.509 certificate... ok" \
2611 -s "Ciphersuite is TLS-ECDHE-RSA" \
2612 -S "error" \
2613 -C "error"
2614
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2615requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
2616requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2617requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]2618requires_hash_alg SHA_256
Neil Armstrong1948a202022-06-30 18:05:57 +0200[diff] [blame]2619run_test "Opaque key for client/server authentication: DHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2620 "$P_SRV auth_mode=required key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2621 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
2622 "$P_CLI key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
2623 key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2624 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
Neil Armstronga4dbfdd2022-03-21 10:11:07 +0100[diff] [blame]2625 0 \
2626 -c "key type: Opaque" \
2627 -c "Verifying peer X.509 certificate... ok" \
2628 -c "Ciphersuite is TLS-DHE-RSA" \
2629 -s "key types: Opaque, none" \
2630 -s "Verifying peer X.509 certificate... ok" \
2631 -s "Ciphersuite is TLS-DHE-RSA" \
2632 -S "error" \
2633 -C "error"
2634
Neil Armstrong36b02232022-06-30 11:16:53 +0200[diff] [blame]2635
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]2636# Test ciphersuites which we expect to be fully supported by PSA Crypto
2637# and check that we don't fall back to Mbed TLS' internal crypto primitives.
2638run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
2639run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
2640run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
2641run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
2642run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
2643run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2644run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
2645run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
2646run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
2647
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2648requires_config_enabled PSA_WANT_ECC_SECP_R1_521
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2649run_test_psa_force_curve "secp521r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2650requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_512
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2651run_test_psa_force_curve "brainpoolP512r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2652requires_config_enabled PSA_WANT_ECC_SECP_R1_384
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2653run_test_psa_force_curve "secp384r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2654requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_384
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2655run_test_psa_force_curve "brainpoolP384r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2656requires_config_enabled PSA_WANT_ECC_SECP_R1_256
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2657run_test_psa_force_curve "secp256r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2658requires_config_enabled PSA_WANT_ECC_SECP_K1_256
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2659run_test_psa_force_curve "secp256k1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2660requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2661run_test_psa_force_curve "brainpoolP256r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2662requires_config_enabled PSA_WANT_ECC_SECP_R1_224
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2663run_test_psa_force_curve "secp224r1"
Gilles Peskinedefdc3b2021-03-23 13:59:58 +0100[diff] [blame]2664## SECP224K1 is buggy via the PSA API
Dave Rodgman017a1992022-03-31 14:07:01 +0100[diff] [blame]2665## (https://github.com/Mbed-TLS/mbedtls/issues/3541),
Gilles Peskinedefdc3b2021-03-23 13:59:58 +0100[diff] [blame]2666## so it is disabled in PSA even when it's enabled in Mbed TLS.
2667## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
2668## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2669#requires_config_enabled PSA_WANT_ECC_SECP_K1_224
Gilles Peskinedefdc3b2021-03-23 13:59:58 +0100[diff] [blame]2670#run_test_psa_force_curve "secp224k1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2671requires_config_enabled PSA_WANT_ECC_SECP_R1_192
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2672run_test_psa_force_curve "secp192r1"
Manuel Pégourié-Gonnard22334a22023-10-19 11:27:33 +0200[diff] [blame]2673requires_config_enabled PSA_WANT_ECC_SECP_K1_192
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]2674run_test_psa_force_curve "secp192k1"
2675
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2676# Test current time in ServerHello
2677requires_config_enabled MBEDTLS_HAVE_TIME
2678run_test "ServerHello contains gmt_unix_time" \
2679 "$P_SRV debug_level=3" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2680 "$P_CLI force_version=tls12 debug_level=3" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2681 0 \
2682 -f "check_server_hello_time" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2683 -F "check_server_hello_time"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]2684
2685# Test for uniqueness of IVs in AEAD ciphersuites
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2686run_test "Unique IV in GCM" \
2687 "$P_SRV exchanges=20 debug_level=4" \
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]2688 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2689 0 \
2690 -u "IV used" \
2691 -U "IV used"
2692
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]2693# Test for correctness of sent single supported algorithm
Valerio Setti482a0b92023-08-18 15:55:10 +0200[diff] [blame]2694requires_any_configs_enabled "MBEDTLS_ECP_DP_SECP256R1_ENABLED \
2695 PSA_WANT_ECC_SECP_R1_256"
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]2696requires_config_enabled MBEDTLS_DEBUG_C
2697requires_config_enabled MBEDTLS_SSL_CLI_C
Paul Elliott3b4ceda2022-11-17 12:47:10 +0000[diff] [blame]2698requires_config_enabled MBEDTLS_SSL_SRV_C
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]2699requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
2700requires_pk_alg "ECDSA"
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]2701requires_hash_alg SHA_256
Paul Elliottf6e342c2022-11-17 12:50:29 +0000[diff] [blame]2702run_test "Single supported algorithm sending: mbedtls client" \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]2703 "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2704 "$P_CLI force_version=tls12 sig_algs=ecdsa_secp256r1_sha256 debug_level=3" \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]2705 0 \
2706 -c "Supported Signature Algorithm found: 04 03"
2707
Paul Elliottf6e342c2022-11-17 12:50:29 +0000[diff] [blame]2708requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
2709requires_config_enabled MBEDTLS_SSL_SRV_C
Valerio Setti482a0b92023-08-18 15:55:10 +0200[diff] [blame]2710requires_any_configs_enabled "MBEDTLS_ECP_DP_SECP256R1_ENABLED \
2711 PSA_WANT_ECC_SECP_R1_256"
Paul Elliottf6e342c2022-11-17 12:50:29 +0000[diff] [blame]2712requires_hash_alg SHA_256
2713run_test "Single supported algorithm sending: openssl client" \
2714 "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2715 "$O_CLI -cert $DATA_FILES_PATH/server6.crt \
2716 -key $DATA_FILES_PATH/server6.key" \
Paul Elliottf6e342c2022-11-17 12:50:29 +0000[diff] [blame]2717 0
2718
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]2719# Tests for certificate verification callback
2720run_test "Configuration-specific CRT verification callback" \
2721 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]2722 "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]2723 0 \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]2724 -S "error" \
2725 -c "Verify requested for " \
2726 -c "Use configuration-specific verification callback" \
2727 -C "Use context-specific verification callback" \
2728 -C "error"
2729
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]2730run_test "Context-specific CRT verification callback" \
2731 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]2732 "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]2733 0 \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]2734 -S "error" \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]2735 -c "Verify requested for " \
2736 -c "Use context-specific verification callback" \
2737 -C "Use configuration-specific verification callback" \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]2738 -C "error"
2739
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2740# Tests for SHA-1 support
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]2741requires_hash_alg SHA_1
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2742run_test "SHA-1 forbidden by default in server certificate" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2743 "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2744 "$P_CLI debug_level=2 force_version=tls12 allow_sha1=0" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2745 1 \
2746 -c "The certificate is signed with an unacceptable hash"
2747
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]2748requires_hash_alg SHA_1
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2749run_test "SHA-1 explicitly allowed in server certificate" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2750 "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2.crt" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2751 "$P_CLI force_version=tls12 allow_sha1=1" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2752 0
2753
2754run_test "SHA-256 allowed by default in server certificate" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2755 "$P_SRV key_file=$DATA_FILES_PATH/server2.key crt_file=$DATA_FILES_PATH/server2-sha256.crt" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2756 "$P_CLI force_version=tls12 allow_sha1=0" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2757 0
2758
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]2759requires_hash_alg SHA_1
2760requires_config_enabled MBEDTLS_RSA_C
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2761run_test "SHA-1 forbidden by default in client certificate" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2762 "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2763 "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2764 1 \
2765 -s "The certificate is signed with an unacceptable hash"
2766
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]2767requires_hash_alg SHA_1
2768requires_config_enabled MBEDTLS_RSA_C
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2769run_test "SHA-1 explicitly allowed in client certificate" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2770 "$P_SRV force_version=tls12 auth_mode=required allow_sha1=1" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2771 "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha1.crt" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2772 0
2773
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]2774requires_config_enabled MBEDTLS_RSA_C
2775requires_hash_alg SHA_256
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2776run_test "SHA-256 allowed by default in client certificate" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]2777 "$P_SRV force_version=tls12 auth_mode=required allow_sha1=0" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]2778 "$P_CLI key_file=$DATA_FILES_PATH/cli-rsa.key crt_file=$DATA_FILES_PATH/cli-rsa-sha256.crt" \
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]2779 0
2780
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]2781# Tests for datagram packing
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2782requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]2783run_test "DTLS: multiple records in same datagram, client and server" \
2784 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
2785 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
2786 0 \
2787 -c "next record in same datagram" \
2788 -s "next record in same datagram"
2789
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2790requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]2791run_test "DTLS: multiple records in same datagram, client only" \
2792 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
2793 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
2794 0 \
2795 -s "next record in same datagram" \
2796 -C "next record in same datagram"
2797
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2798requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]2799run_test "DTLS: multiple records in same datagram, server only" \
2800 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
2801 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
2802 0 \
2803 -S "next record in same datagram" \
2804 -c "next record in same datagram"
2805
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2806requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]2807run_test "DTLS: multiple records in same datagram, neither client nor server" \
2808 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
2809 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
2810 0 \
2811 -S "next record in same datagram" \
2812 -C "next record in same datagram"
2813
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2814# Tests for Context serialization
2815
2816requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2817run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2818 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2819 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2820 0 \
2821 -c "Deserializing connection..." \
2822 -S "Deserializing connection..."
2823
2824requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2825run_test "Context serialization, client serializes, ChaChaPoly" \
2826 "$P_SRV dtls=1 serialize=0 exchanges=2" \
2827 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2828 0 \
2829 -c "Deserializing connection..." \
2830 -S "Deserializing connection..."
2831
2832requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2833run_test "Context serialization, client serializes, GCM" \
2834 "$P_SRV dtls=1 serialize=0 exchanges=2" \
2835 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2836 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]2837 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2838 -S "Deserializing connection..."
2839
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2840requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2841requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]2842requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2843run_test "Context serialization, client serializes, with CID" \
2844 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
2845 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
2846 0 \
2847 -c "Deserializing connection..." \
2848 -S "Deserializing connection..."
2849
2850requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2851run_test "Context serialization, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2852 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2853 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2854 0 \
2855 -C "Deserializing connection..." \
2856 -s "Deserializing connection..."
2857
2858requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2859run_test "Context serialization, server serializes, ChaChaPoly" \
2860 "$P_SRV dtls=1 serialize=1 exchanges=2" \
2861 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2862 0 \
2863 -C "Deserializing connection..." \
2864 -s "Deserializing connection..."
2865
2866requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2867run_test "Context serialization, server serializes, GCM" \
2868 "$P_SRV dtls=1 serialize=1 exchanges=2" \
2869 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2870 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]2871 -C "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2872 -s "Deserializing connection..."
2873
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2874requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2875requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]2876requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2877run_test "Context serialization, server serializes, with CID" \
2878 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
2879 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
2880 0 \
2881 -C "Deserializing connection..." \
2882 -s "Deserializing connection..."
2883
2884requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2885run_test "Context serialization, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2886 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2887 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2888 0 \
2889 -c "Deserializing connection..." \
2890 -s "Deserializing connection..."
2891
2892requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2893run_test "Context serialization, both serialize, ChaChaPoly" \
2894 "$P_SRV dtls=1 serialize=1 exchanges=2" \
2895 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2896 0 \
2897 -c "Deserializing connection..." \
2898 -s "Deserializing connection..."
2899
2900requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2901run_test "Context serialization, both serialize, GCM" \
2902 "$P_SRV dtls=1 serialize=1 exchanges=2" \
2903 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2904 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]2905 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]2906 -s "Deserializing connection..."
2907
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2908requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]2909requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]2910requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2911run_test "Context serialization, both serialize, with CID" \
2912 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
2913 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
2914 0 \
2915 -c "Deserializing connection..." \
2916 -s "Deserializing connection..."
2917
2918requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2919run_test "Context serialization, re-init, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2920 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2921 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2922 0 \
2923 -c "Deserializing connection..." \
2924 -S "Deserializing connection..."
2925
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2926requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2927requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2928run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
2929 "$P_SRV dtls=1 serialize=0 exchanges=2" \
2930 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2931 0 \
2932 -c "Deserializing connection..." \
2933 -S "Deserializing connection..."
2934
2935requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2936run_test "Context serialization, re-init, client serializes, GCM" \
2937 "$P_SRV dtls=1 serialize=0 exchanges=2" \
2938 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]2939 0 \
2940 -c "Deserializing connection..." \
2941 -S "Deserializing connection..."
2942
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2943requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]2944requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]2945requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2946run_test "Context serialization, re-init, client serializes, with CID" \
2947 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
2948 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
2949 0 \
2950 -c "Deserializing connection..." \
2951 -S "Deserializing connection..."
2952
2953requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2954run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2955 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2956 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2957 0 \
2958 -C "Deserializing connection..." \
2959 -s "Deserializing connection..."
2960
2961requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2962run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
2963 "$P_SRV dtls=1 serialize=2 exchanges=2" \
2964 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2965 0 \
2966 -C "Deserializing connection..." \
2967 -s "Deserializing connection..."
2968
2969requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2970run_test "Context serialization, re-init, server serializes, GCM" \
2971 "$P_SRV dtls=1 serialize=2 exchanges=2" \
2972 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]2973 0 \
2974 -C "Deserializing connection..." \
2975 -s "Deserializing connection..."
2976
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]2977requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]2978requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]2979requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2980run_test "Context serialization, re-init, server serializes, with CID" \
2981 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
2982 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
2983 0 \
2984 -C "Deserializing connection..." \
2985 -s "Deserializing connection..."
2986
2987requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2988run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]2989 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]2990 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2991 0 \
2992 -c "Deserializing connection..." \
2993 -s "Deserializing connection..."
2994
2995requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
2996run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
2997 "$P_SRV dtls=1 serialize=2 exchanges=2" \
2998 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
2999 0 \
3000 -c "Deserializing connection..." \
3001 -s "Deserializing connection..."
3002
3003requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
3004run_test "Context serialization, re-init, both serialize, GCM" \
3005 "$P_SRV dtls=1 serialize=2 exchanges=2" \
3006 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]3007 0 \
3008 -c "Deserializing connection..." \
3009 -s "Deserializing connection..."
3010
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3011requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]3012requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
3013requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
3014run_test "Context serialization, re-init, both serialize, with CID" \
3015 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
3016 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
3017 0 \
3018 -c "Deserializing connection..." \
3019 -s "Deserializing connection..."
3020
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3021requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]3022requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
3023run_test "Saving the serialized context to a file" \
3024 "$P_SRV dtls=1 serialize=1 context_file=context_srv.txt" \
3025 "$P_CLI dtls=1 serialize=1 context_file=context_cli.txt" \
3026 0 \
3027 -s "Save serialized context to a file... ok" \
3028 -c "Save serialized context to a file... ok"
3029rm -f context_srv.txt
3030rm -f context_cli.txt
3031
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3032# Tests for DTLS Connection ID extension
3033
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3034# So far, the CID API isn't implemented, so we can't
3035# grep for output witnessing its use. This needs to be
3036# changed once the CID extension is implemented.
3037
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3038requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3039requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3040run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3041 "$P_SRV debug_level=3 dtls=1 cid=0" \
3042 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3043 0 \
3044 -s "Disable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3045 -s "found CID extension" \
3046 -s "Client sent CID extension, but CID disabled" \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3047 -c "Enable use of CID extension." \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3048 -c "client hello, adding CID extension" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3049 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3050 -C "found CID extension" \
3051 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]3052 -C "Copy CIDs into SSL transform" \
3053 -c "Use of Connection ID was rejected by the server"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3054
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3055requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3056requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3057run_test "Connection ID: Cli disabled, Srv enabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3058 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3059 "$P_CLI debug_level=3 dtls=1 cid=0" \
3060 0 \
3061 -c "Disable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3062 -C "client hello, adding CID extension" \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3063 -S "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3064 -s "Enable use of CID extension." \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3065 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3066 -C "found CID extension" \
3067 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]3068 -C "Copy CIDs into SSL transform" \
Hanno Beckerb3e9dd52019-05-08 13:19:53 +0100[diff] [blame]3069 -s "Use of Connection ID was not offered by client"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3070
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3071requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3072requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3073run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3074 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
3075 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
3076 0 \
3077 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3078 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3079 -c "client hello, adding CID extension" \
3080 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3081 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3082 -s "server hello, adding CID extension" \
3083 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3084 -c "Use of CID extension negotiated" \
3085 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3086 -c "Copy CIDs into SSL transform" \
3087 -c "Peer CID (length 2 Bytes): de ad" \
3088 -s "Peer CID (length 2 Bytes): be ef" \
3089 -s "Use of Connection ID has been negotiated" \
3090 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3091
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3092requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3093requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3094run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3095 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3096 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
3097 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
3098 0 \
3099 -c "Enable use of CID extension." \
3100 -s "Enable use of CID extension." \
3101 -c "client hello, adding CID extension" \
3102 -s "found CID extension" \
3103 -s "Use of CID extension negotiated" \
3104 -s "server hello, adding CID extension" \
3105 -c "found CID extension" \
3106 -c "Use of CID extension negotiated" \
3107 -s "Copy CIDs into SSL transform" \
3108 -c "Copy CIDs into SSL transform" \
3109 -c "Peer CID (length 2 Bytes): de ad" \
3110 -s "Peer CID (length 2 Bytes): be ef" \
3111 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3112 -c "Use of Connection ID has been negotiated" \
3113 -c "ignoring unexpected CID" \
3114 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3115
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3116requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3117requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3118run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
3119 -p "$P_PXY mtu=800" \
3120 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
3121 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
3122 0 \
3123 -c "Enable use of CID extension." \
3124 -s "Enable use of CID extension." \
3125 -c "client hello, adding CID extension" \
3126 -s "found CID extension" \
3127 -s "Use of CID extension negotiated" \
3128 -s "server hello, adding CID extension" \
3129 -c "found CID extension" \
3130 -c "Use of CID extension negotiated" \
3131 -s "Copy CIDs into SSL transform" \
3132 -c "Copy CIDs into SSL transform" \
3133 -c "Peer CID (length 2 Bytes): de ad" \
3134 -s "Peer CID (length 2 Bytes): be ef" \
3135 -s "Use of Connection ID has been negotiated" \
3136 -c "Use of Connection ID has been negotiated"
3137
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3138requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3139requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3140run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3141 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3142 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
3143 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
3144 0 \
3145 -c "Enable use of CID extension." \
3146 -s "Enable use of CID extension." \
3147 -c "client hello, adding CID extension" \
3148 -s "found CID extension" \
3149 -s "Use of CID extension negotiated" \
3150 -s "server hello, adding CID extension" \
3151 -c "found CID extension" \
3152 -c "Use of CID extension negotiated" \
3153 -s "Copy CIDs into SSL transform" \
3154 -c "Copy CIDs into SSL transform" \
3155 -c "Peer CID (length 2 Bytes): de ad" \
3156 -s "Peer CID (length 2 Bytes): be ef" \
3157 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3158 -c "Use of Connection ID has been negotiated" \
3159 -c "ignoring unexpected CID" \
3160 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3161
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3162requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3163requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3164run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3165 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3166 "$P_CLI debug_level=3 dtls=1 cid=1" \
3167 0 \
3168 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3169 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3170 -c "client hello, adding CID extension" \
3171 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3172 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3173 -s "server hello, adding CID extension" \
3174 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3175 -c "Use of CID extension negotiated" \
3176 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3177 -c "Copy CIDs into SSL transform" \
3178 -c "Peer CID (length 4 Bytes): de ad be ef" \
3179 -s "Peer CID (length 0 Bytes):" \
3180 -s "Use of Connection ID has been negotiated" \
3181 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3182
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3183requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3184requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3185run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3186 "$P_SRV debug_level=3 dtls=1 cid=1" \
3187 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3188 0 \
3189 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3190 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3191 -c "client hello, adding CID extension" \
3192 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3193 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3194 -s "server hello, adding CID extension" \
3195 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3196 -c "Use of CID extension negotiated" \
3197 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3198 -c "Copy CIDs into SSL transform" \
3199 -s "Peer CID (length 4 Bytes): de ad be ef" \
3200 -c "Peer CID (length 0 Bytes):" \
3201 -s "Use of Connection ID has been negotiated" \
3202 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3203
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3204requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3205requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3206run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3207 "$P_SRV debug_level=3 dtls=1 cid=1" \
3208 "$P_CLI debug_level=3 dtls=1 cid=1" \
3209 0 \
3210 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3211 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3212 -c "client hello, adding CID extension" \
3213 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3214 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3215 -s "server hello, adding CID extension" \
3216 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3217 -c "Use of CID extension negotiated" \
3218 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]3219 -c "Copy CIDs into SSL transform" \
3220 -S "Use of Connection ID has been negotiated" \
3221 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3222
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3223requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3224run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3225 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
3226 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3227 0 \
3228 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3229 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3230 -c "client hello, adding CID extension" \
3231 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3232 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3233 -s "server hello, adding CID extension" \
3234 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3235 -c "Use of CID extension negotiated" \
3236 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3237 -c "Copy CIDs into SSL transform" \
3238 -c "Peer CID (length 2 Bytes): de ad" \
3239 -s "Peer CID (length 2 Bytes): be ef" \
3240 -s "Use of Connection ID has been negotiated" \
3241 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3242
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3243requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3244run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3245 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3246 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3247 0 \
3248 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3249 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3250 -c "client hello, adding CID extension" \
3251 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3252 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3253 -s "server hello, adding CID extension" \
3254 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3255 -c "Use of CID extension negotiated" \
3256 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3257 -c "Copy CIDs into SSL transform" \
3258 -c "Peer CID (length 4 Bytes): de ad be ef" \
3259 -s "Peer CID (length 0 Bytes):" \
3260 -s "Use of Connection ID has been negotiated" \
3261 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3262
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3263requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3264run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3265 "$P_SRV debug_level=3 dtls=1 cid=1" \
3266 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3267 0 \
3268 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3269 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3270 -c "client hello, adding CID extension" \
3271 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3272 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3273 -s "server hello, adding CID extension" \
3274 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3275 -c "Use of CID extension negotiated" \
3276 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3277 -c "Copy CIDs into SSL transform" \
3278 -s "Peer CID (length 4 Bytes): de ad be ef" \
3279 -c "Peer CID (length 0 Bytes):" \
3280 -s "Use of Connection ID has been negotiated" \
3281 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3282
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3283requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3284run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3285 "$P_SRV debug_level=3 dtls=1 cid=1" \
3286 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3287 0 \
3288 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3289 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3290 -c "client hello, adding CID extension" \
3291 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3292 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3293 -s "server hello, adding CID extension" \
3294 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3295 -c "Use of CID extension negotiated" \
3296 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]3297 -c "Copy CIDs into SSL transform" \
3298 -S "Use of Connection ID has been negotiated" \
3299 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3300
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3301requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3302run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3303 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
3304 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
3305 0 \
3306 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3307 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3308 -c "client hello, adding CID extension" \
3309 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3310 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3311 -s "server hello, adding CID extension" \
3312 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3313 -c "Use of CID extension negotiated" \
3314 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3315 -c "Copy CIDs into SSL transform" \
3316 -c "Peer CID (length 2 Bytes): de ad" \
3317 -s "Peer CID (length 2 Bytes): be ef" \
3318 -s "Use of Connection ID has been negotiated" \
3319 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3320
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3321requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3322run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3323 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
3324 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
3325 0 \
3326 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3327 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3328 -c "client hello, adding CID extension" \
3329 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3330 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3331 -s "server hello, adding CID extension" \
3332 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3333 -c "Use of CID extension negotiated" \
3334 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3335 -c "Copy CIDs into SSL transform" \
3336 -c "Peer CID (length 4 Bytes): de ad be ef" \
3337 -s "Peer CID (length 0 Bytes):" \
3338 -s "Use of Connection ID has been negotiated" \
3339 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3340
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3341requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3342run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3343 "$P_SRV debug_level=3 dtls=1 cid=1" \
3344 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
3345 0 \
3346 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3347 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3348 -c "client hello, adding CID extension" \
3349 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3350 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3351 -s "server hello, adding CID extension" \
3352 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3353 -c "Use of CID extension negotiated" \
3354 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]3355 -c "Copy CIDs into SSL transform" \
3356 -s "Peer CID (length 4 Bytes): de ad be ef" \
3357 -c "Peer CID (length 0 Bytes):" \
3358 -s "Use of Connection ID has been negotiated" \
3359 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3360
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3361requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3362run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3363 "$P_SRV debug_level=3 dtls=1 cid=1" \
3364 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
3365 0 \
3366 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]3367 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]3368 -c "client hello, adding CID extension" \
3369 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]3370 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]3371 -s "server hello, adding CID extension" \
3372 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]3373 -c "Use of CID extension negotiated" \
3374 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]3375 -c "Copy CIDs into SSL transform" \
3376 -S "Use of Connection ID has been negotiated" \
3377 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3378
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3379requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3380requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker9bae30d2019-04-23 11:52:44 +0100[diff] [blame]3381requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3382run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]3383 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
3384 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
3385 0 \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3386 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3387 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3388 -s "(initial handshake) Use of Connection ID has been negotiated" \
3389 -c "(initial handshake) Use of Connection ID has been negotiated" \
3390 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3391 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3392 -s "(after renegotiation) Use of Connection ID has been negotiated" \
3393 -c "(after renegotiation) Use of Connection ID has been negotiated"
3394
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3395requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3396requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3397requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3398run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3399 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
3400 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
3401 0 \
3402 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3403 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3404 -s "(initial handshake) Use of Connection ID has been negotiated" \
3405 -c "(initial handshake) Use of Connection ID has been negotiated" \
3406 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3407 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3408 -s "(after renegotiation) Use of Connection ID has been negotiated" \
3409 -c "(after renegotiation) Use of Connection ID has been negotiated"
3410
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3411requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3412requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3413requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3414run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
3415 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
3416 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
3417 0 \
3418 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3419 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3420 -s "(initial handshake) Use of Connection ID has been negotiated" \
3421 -c "(initial handshake) Use of Connection ID has been negotiated" \
3422 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3423 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3424 -s "(after renegotiation) Use of Connection ID has been negotiated" \
3425 -c "(after renegotiation) Use of Connection ID has been negotiated"
3426
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3427requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3428requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3429requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3430run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3431 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3432 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
3433 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
3434 0 \
3435 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3436 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3437 -s "(initial handshake) Use of Connection ID has been negotiated" \
3438 -c "(initial handshake) Use of Connection ID has been negotiated" \
3439 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3440 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3441 -s "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3442 -c "(after renegotiation) Use of Connection ID has been negotiated" \
3443 -c "ignoring unexpected CID" \
3444 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3445
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3446requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3447requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3448requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
3449run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3450 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
3451 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
3452 0 \
3453 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3454 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3455 -s "(initial handshake) Use of Connection ID has been negotiated" \
3456 -c "(initial handshake) Use of Connection ID has been negotiated" \
3457 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3458 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3459 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3460 -S "(after renegotiation) Use of Connection ID has been negotiated"
3461
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3462requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3463requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3464requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3465run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
3466 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
3467 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
3468 0 \
3469 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3470 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3471 -s "(initial handshake) Use of Connection ID has been negotiated" \
3472 -c "(initial handshake) Use of Connection ID has been negotiated" \
3473 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3474 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3475 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3476 -S "(after renegotiation) Use of Connection ID has been negotiated"
3477
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3478requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3479requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3480requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3481run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3482 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3483 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
3484 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
3485 0 \
3486 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3487 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3488 -s "(initial handshake) Use of Connection ID has been negotiated" \
3489 -c "(initial handshake) Use of Connection ID has been negotiated" \
3490 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3491 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3492 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3493 -S "(after renegotiation) Use of Connection ID has been negotiated" \
3494 -c "ignoring unexpected CID" \
3495 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3496
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3497requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3498requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3499requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
3500run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3501 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
3502 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
3503 0 \
3504 -S "(initial handshake) Use of Connection ID has been negotiated" \
3505 -C "(initial handshake) Use of Connection ID has been negotiated" \
3506 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3507 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3508 -c "(after renegotiation) Use of Connection ID has been negotiated" \
3509 -s "(after renegotiation) Use of Connection ID has been negotiated"
3510
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3511requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3512requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3513requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3514run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
3515 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
3516 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
3517 0 \
3518 -S "(initial handshake) Use of Connection ID has been negotiated" \
3519 -C "(initial handshake) Use of Connection ID has been negotiated" \
3520 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3521 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3522 -c "(after renegotiation) Use of Connection ID has been negotiated" \
3523 -s "(after renegotiation) Use of Connection ID has been negotiated"
3524
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3525requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3526requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]3527requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3528run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3529 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3530 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
3531 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
3532 0 \
3533 -S "(initial handshake) Use of Connection ID has been negotiated" \
3534 -C "(initial handshake) Use of Connection ID has been negotiated" \
3535 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3536 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3537 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3538 -s "(after renegotiation) Use of Connection ID has been negotiated" \
3539 -c "ignoring unexpected CID" \
3540 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3541
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3542requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3543requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3544requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
3545run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3546 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
3547 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
3548 0 \
3549 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3550 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3551 -s "(initial handshake) Use of Connection ID has been negotiated" \
3552 -c "(initial handshake) Use of Connection ID has been negotiated" \
3553 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3554 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3555 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3556 -S "(after renegotiation) Use of Connection ID has been negotiated" \
3557 -s "(after renegotiation) Use of Connection ID was not offered by client"
3558
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3559requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3560requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3561requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3562run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3563 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3564 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
3565 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
3566 0 \
3567 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3568 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3569 -s "(initial handshake) Use of Connection ID has been negotiated" \
3570 -c "(initial handshake) Use of Connection ID has been negotiated" \
3571 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3572 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3573 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3574 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3575 -s "(after renegotiation) Use of Connection ID was not offered by client" \
3576 -c "ignoring unexpected CID" \
3577 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3578
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3579requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3580requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3581requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
3582run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
3583 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
3584 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
3585 0 \
3586 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3587 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3588 -s "(initial handshake) Use of Connection ID has been negotiated" \
3589 -c "(initial handshake) Use of Connection ID has been negotiated" \
3590 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3591 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3592 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3593 -S "(after renegotiation) Use of Connection ID has been negotiated" \
3594 -c "(after renegotiation) Use of Connection ID was rejected by the server"
3595
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3596requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]3597requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]3598requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
3599run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3600 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]3601 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
3602 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
3603 0 \
3604 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3605 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3606 -s "(initial handshake) Use of Connection ID has been negotiated" \
3607 -c "(initial handshake) Use of Connection ID has been negotiated" \
3608 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
3609 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
3610 -C "(after renegotiation) Use of Connection ID has been negotiated" \
3611 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]3612 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
3613 -c "ignoring unexpected CID" \
3614 -s "ignoring unexpected CID"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]3615
Yuto Takano3fa16732021-07-09 11:21:43 +0100[diff] [blame]3616# This and the test below it require MAX_CONTENT_LEN to be at least MFL+1, because the
Yuto Takano9c09d552021-07-08 16:03:44 +0100[diff] [blame]3617# tests check that the buffer contents are reallocated when the message is
3618# larger than the buffer.
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]3619requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
3620requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano9c09d552021-07-08 16:03:44 +0100[diff] [blame]3621requires_max_content_len 513
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]3622run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \
3623 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
3624 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \
3625 0 \
3626 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3627 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3628 -s "(initial handshake) Use of Connection ID has been negotiated" \
3629 -c "(initial handshake) Use of Connection ID has been negotiated" \
3630 -s "Reallocating in_buf" \
3631 -s "Reallocating out_buf"
3632
3633requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
3634requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano9c09d552021-07-08 16:03:44 +0100[diff] [blame]3635requires_max_content_len 1025
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]3636run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \
3637 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
3638 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \
3639 0 \
3640 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
3641 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
3642 -s "(initial handshake) Use of Connection ID has been negotiated" \
3643 -c "(initial handshake) Use of Connection ID has been negotiated" \
3644 -s "Reallocating in_buf" \
3645 -s "Reallocating out_buf"
3646
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]3647# Tests for Encrypt-then-MAC extension
3648
3649run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]3650 "$P_SRV debug_level=3 \
3651 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]3652 "$P_CLI debug_level=3" \
3653 0 \
3654 -c "client hello, adding encrypt_then_mac extension" \
3655 -s "found encrypt then mac extension" \
3656 -s "server hello, adding encrypt then mac extension" \
3657 -c "found encrypt_then_mac extension" \
3658 -c "using encrypt then mac" \
3659 -s "using encrypt then mac"
3660
3661run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]3662 "$P_SRV debug_level=3 etm=0 \
3663 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]3664 "$P_CLI debug_level=3 etm=1" \
3665 0 \
3666 -c "client hello, adding encrypt_then_mac extension" \
3667 -s "found encrypt then mac extension" \
3668 -S "server hello, adding encrypt then mac extension" \
3669 -C "found encrypt_then_mac extension" \
3670 -C "using encrypt then mac" \
3671 -S "using encrypt then mac"
3672
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]3673run_test "Encrypt then MAC: client enabled, aead cipher" \
3674 "$P_SRV debug_level=3 etm=1 \
3675 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
3676 "$P_CLI debug_level=3 etm=1" \
3677 0 \
3678 -c "client hello, adding encrypt_then_mac extension" \
3679 -s "found encrypt then mac extension" \
3680 -S "server hello, adding encrypt then mac extension" \
3681 -C "found encrypt_then_mac extension" \
3682 -C "using encrypt then mac" \
3683 -S "using encrypt then mac"
3684
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]3685run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]3686 "$P_SRV debug_level=3 etm=1 \
3687 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]3688 "$P_CLI debug_level=3 etm=0" \
3689 0 \
3690 -C "client hello, adding encrypt_then_mac extension" \
3691 -S "found encrypt then mac extension" \
3692 -S "server hello, adding encrypt then mac extension" \
3693 -C "found encrypt_then_mac extension" \
3694 -C "using encrypt then mac" \
3695 -S "using encrypt then mac"
3696
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3697# Tests for Extended Master Secret extension
3698
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]3699requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3700run_test "Extended Master Secret: default" \
3701 "$P_SRV debug_level=3" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3702 "$P_CLI force_version=tls12 debug_level=3" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3703 0 \
3704 -c "client hello, adding extended_master_secret extension" \
3705 -s "found extended master secret extension" \
3706 -s "server hello, adding extended master secret extension" \
3707 -c "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]3708 -c "session hash for extended master secret" \
3709 -s "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3710
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]3711requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3712run_test "Extended Master Secret: client enabled, server disabled" \
3713 "$P_SRV debug_level=3 extended_ms=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3714 "$P_CLI force_version=tls12 debug_level=3 extended_ms=1" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3715 0 \
3716 -c "client hello, adding extended_master_secret extension" \
3717 -s "found extended master secret extension" \
3718 -S "server hello, adding extended master secret extension" \
3719 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]3720 -C "session hash for extended master secret" \
3721 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3722
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]3723requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3724run_test "Extended Master Secret: client disabled, server enabled" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3725 "$P_SRV force_version=tls12 debug_level=3 extended_ms=1" \
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3726 "$P_CLI debug_level=3 extended_ms=0" \
3727 0 \
3728 -C "client hello, adding extended_master_secret extension" \
3729 -S "found extended master secret extension" \
3730 -S "server hello, adding extended master secret extension" \
3731 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]3732 -C "session hash for extended master secret" \
3733 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]3734
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]3735# Test sending and receiving empty application data records
3736
3737run_test "Encrypt then MAC: empty application data record" \
3738 "$P_SRV auth_mode=none debug_level=4 etm=1" \
3739 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
3740 0 \
3741 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
3742 -s "dumping 'input payload after decrypt' (0 bytes)" \
3743 -c "0 bytes written in 1 fragments"
3744
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3745requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]3746run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]3747 "$P_SRV auth_mode=none debug_level=4 etm=0" \
3748 "$P_CLI auth_mode=none etm=0 request_size=0" \
3749 0 \
3750 -s "dumping 'input payload after decrypt' (0 bytes)" \
3751 -c "0 bytes written in 1 fragments"
3752
3753run_test "Encrypt then MAC, DTLS: empty application data record" \
3754 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
3755 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
3756 0 \
3757 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
3758 -s "dumping 'input payload after decrypt' (0 bytes)" \
3759 -c "0 bytes written in 1 fragments"
3760
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3761requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]3762run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]3763 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
3764 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
3765 0 \
3766 -s "dumping 'input payload after decrypt' (0 bytes)" \
3767 -c "0 bytes written in 1 fragments"
3768
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]3769# Tests for CBC 1/n-1 record splitting
3770
3771run_test "CBC Record splitting: TLS 1.2, no splitting" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]3772 "$P_SRV force_version=tls12" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]3773 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]3774 request_size=123" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]3775 0 \
3776 -s "Read from client: 123 bytes read" \
3777 -S "Read from client: 1 bytes read" \
3778 -S "122 bytes read"
3779
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3780# Tests for Session Tickets
3781
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3782requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3783run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3784 "$P_SRV debug_level=3 tickets=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3785 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3786 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3787 -c "client hello, adding session ticket extension" \
3788 -s "found session ticket extension" \
3789 -s "server hello, adding session ticket extension" \
3790 -c "found session_ticket extension" \
3791 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3792 -S "session successfully restored from cache" \
3793 -s "session successfully restored from ticket" \
3794 -s "a session has been resumed" \
3795 -c "a session has been resumed"
3796
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3797requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Glenn Strausse3282452022-02-03 17:23:24 -0500[diff] [blame]3798run_test "Session resume using tickets: manual rotation" \
3799 "$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3800 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Glenn Strausse3282452022-02-03 17:23:24 -0500[diff] [blame]3801 0 \
3802 -c "client hello, adding session ticket extension" \
3803 -s "found session ticket extension" \
3804 -s "server hello, adding session ticket extension" \
3805 -c "found session_ticket extension" \
3806 -c "parse new session ticket" \
3807 -S "session successfully restored from cache" \
3808 -s "session successfully restored from ticket" \
3809 -s "a session has been resumed" \
3810 -c "a session has been resumed"
3811
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3812requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3813run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3814 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3815 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]3816 0 \
3817 -c "client hello, adding session ticket extension" \
3818 -s "found session ticket extension" \
3819 -s "server hello, adding session ticket extension" \
3820 -c "found session_ticket extension" \
3821 -c "parse new session ticket" \
3822 -S "session successfully restored from cache" \
3823 -s "session successfully restored from ticket" \
3824 -s "a session has been resumed" \
3825 -c "a session has been resumed"
3826
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3827requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3828run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3829 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3830 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_delay=2000" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]3831 0 \
3832 -c "client hello, adding session ticket extension" \
3833 -s "found session ticket extension" \
3834 -s "server hello, adding session ticket extension" \
3835 -c "found session_ticket extension" \
3836 -c "parse new session ticket" \
3837 -S "session successfully restored from cache" \
3838 -S "session successfully restored from ticket" \
3839 -S "a session has been resumed" \
3840 -C "a session has been resumed"
3841
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3842requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3843run_test "Session resume using tickets: session copy" \
3844 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3845 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3846 0 \
3847 -c "client hello, adding session ticket extension" \
3848 -s "found session ticket extension" \
3849 -s "server hello, adding session ticket extension" \
3850 -c "found session_ticket extension" \
3851 -c "parse new session ticket" \
3852 -S "session successfully restored from cache" \
3853 -s "session successfully restored from ticket" \
3854 -s "a session has been resumed" \
3855 -c "a session has been resumed"
3856
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3857requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3858requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3859run_test "Session resume using tickets: openssl server" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]3860 "$O_SRV -tls1_2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3861 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]3862 0 \
3863 -c "client hello, adding session ticket extension" \
3864 -c "found session_ticket extension" \
3865 -c "parse new session ticket" \
3866 -c "a session has been resumed"
3867
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]3868requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3869requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3870run_test "Session resume using tickets: openssl client" \
Gilles Peskinee373c942024-04-29 17:44:19 +0200[diff] [blame]3871 "$P_SRV force_version=tls12 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]3872 "( $O_CLI -sess_out $SESSION; \
3873 $O_CLI -sess_in $SESSION; \
3874 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]3875 0 \
3876 -s "found session ticket extension" \
3877 -s "server hello, adding session ticket extension" \
3878 -S "session successfully restored from cache" \
3879 -s "session successfully restored from ticket" \
3880 -s "a session has been resumed"
3881
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3882requires_cipher_enabled "AES" "GCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3883requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3884run_test "Session resume using tickets: AES-128-GCM" \
3885 "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3886 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3887 0 \
3888 -c "client hello, adding session ticket extension" \
3889 -s "found session ticket extension" \
3890 -s "server hello, adding session ticket extension" \
3891 -c "found session_ticket extension" \
3892 -c "parse new session ticket" \
3893 -S "session successfully restored from cache" \
3894 -s "session successfully restored from ticket" \
3895 -s "a session has been resumed" \
3896 -c "a session has been resumed"
3897
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3898requires_cipher_enabled "AES" "GCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3899requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3900run_test "Session resume using tickets: AES-192-GCM" \
3901 "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3902 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3903 0 \
3904 -c "client hello, adding session ticket extension" \
3905 -s "found session ticket extension" \
3906 -s "server hello, adding session ticket extension" \
3907 -c "found session_ticket extension" \
3908 -c "parse new session ticket" \
3909 -S "session successfully restored from cache" \
3910 -s "session successfully restored from ticket" \
3911 -s "a session has been resumed" \
3912 -c "a session has been resumed"
3913
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3914requires_cipher_enabled "AES" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3915requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3916run_test "Session resume using tickets: AES-128-CCM" \
3917 "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3918 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3919 0 \
3920 -c "client hello, adding session ticket extension" \
3921 -s "found session ticket extension" \
3922 -s "server hello, adding session ticket extension" \
3923 -c "found session_ticket extension" \
3924 -c "parse new session ticket" \
3925 -S "session successfully restored from cache" \
3926 -s "session successfully restored from ticket" \
3927 -s "a session has been resumed" \
3928 -c "a session has been resumed"
3929
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3930requires_cipher_enabled "AES" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3931requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3932run_test "Session resume using tickets: AES-192-CCM" \
3933 "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3934 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3935 0 \
3936 -c "client hello, adding session ticket extension" \
3937 -s "found session ticket extension" \
3938 -s "server hello, adding session ticket extension" \
3939 -c "found session_ticket extension" \
3940 -c "parse new session ticket" \
3941 -S "session successfully restored from cache" \
3942 -s "session successfully restored from ticket" \
3943 -s "a session has been resumed" \
3944 -c "a session has been resumed"
3945
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3946requires_cipher_enabled "AES" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3947requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3948run_test "Session resume using tickets: AES-256-CCM" \
3949 "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3950 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3951 0 \
3952 -c "client hello, adding session ticket extension" \
3953 -s "found session ticket extension" \
3954 -s "server hello, adding session ticket extension" \
3955 -c "found session_ticket extension" \
3956 -c "parse new session ticket" \
3957 -S "session successfully restored from cache" \
3958 -s "session successfully restored from ticket" \
3959 -s "a session has been resumed" \
3960 -c "a session has been resumed"
3961
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3962requires_cipher_enabled "CAMELLIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3963requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3964run_test "Session resume using tickets: CAMELLIA-128-CCM" \
3965 "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3966 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3967 0 \
3968 -c "client hello, adding session ticket extension" \
3969 -s "found session ticket extension" \
3970 -s "server hello, adding session ticket extension" \
3971 -c "found session_ticket extension" \
3972 -c "parse new session ticket" \
3973 -S "session successfully restored from cache" \
3974 -s "session successfully restored from ticket" \
3975 -s "a session has been resumed" \
3976 -c "a session has been resumed"
3977
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3978requires_cipher_enabled "CAMELLIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3979requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3980run_test "Session resume using tickets: CAMELLIA-192-CCM" \
3981 "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3982 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3983 0 \
3984 -c "client hello, adding session ticket extension" \
3985 -s "found session ticket extension" \
3986 -s "server hello, adding session ticket extension" \
3987 -c "found session_ticket extension" \
3988 -c "parse new session ticket" \
3989 -S "session successfully restored from cache" \
3990 -s "session successfully restored from ticket" \
3991 -s "a session has been resumed" \
3992 -c "a session has been resumed"
3993
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]3994requires_cipher_enabled "CAMELLIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]3995requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3996run_test "Session resume using tickets: CAMELLIA-256-CCM" \
3997 "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]3998 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]3999 0 \
4000 -c "client hello, adding session ticket extension" \
4001 -s "found session ticket extension" \
4002 -s "server hello, adding session ticket extension" \
4003 -c "found session_ticket extension" \
4004 -c "parse new session ticket" \
4005 -S "session successfully restored from cache" \
4006 -s "session successfully restored from ticket" \
4007 -s "a session has been resumed" \
4008 -c "a session has been resumed"
4009
Valerio Setti04c85e12023-11-13 10:54:05 +0100[diff] [blame]4010requires_cipher_enabled "ARIA" "GCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4011requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4012run_test "Session resume using tickets: ARIA-128-GCM" \
4013 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4014 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4015 0 \
4016 -c "client hello, adding session ticket extension" \
4017 -s "found session ticket extension" \
4018 -s "server hello, adding session ticket extension" \
4019 -c "found session_ticket extension" \
4020 -c "parse new session ticket" \
4021 -S "session successfully restored from cache" \
4022 -s "session successfully restored from ticket" \
4023 -s "a session has been resumed" \
4024 -c "a session has been resumed"
4025
Valerio Setti04c85e12023-11-13 10:54:05 +0100[diff] [blame]4026requires_cipher_enabled "ARIA" "GCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4027requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4028run_test "Session resume using tickets: ARIA-192-GCM" \
4029 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4030 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4031 0 \
4032 -c "client hello, adding session ticket extension" \
4033 -s "found session ticket extension" \
4034 -s "server hello, adding session ticket extension" \
4035 -c "found session_ticket extension" \
4036 -c "parse new session ticket" \
4037 -S "session successfully restored from cache" \
4038 -s "session successfully restored from ticket" \
4039 -s "a session has been resumed" \
4040 -c "a session has been resumed"
4041
Valerio Setti04c85e12023-11-13 10:54:05 +0100[diff] [blame]4042requires_cipher_enabled "ARIA" "GCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4043requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4044run_test "Session resume using tickets: ARIA-256-GCM" \
4045 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4046 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4047 0 \
4048 -c "client hello, adding session ticket extension" \
4049 -s "found session ticket extension" \
4050 -s "server hello, adding session ticket extension" \
4051 -c "found session_ticket extension" \
4052 -c "parse new session ticket" \
4053 -S "session successfully restored from cache" \
4054 -s "session successfully restored from ticket" \
4055 -s "a session has been resumed" \
4056 -c "a session has been resumed"
4057
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]4058requires_cipher_enabled "ARIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4059requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4060run_test "Session resume using tickets: ARIA-128-CCM" \
4061 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4062 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4063 0 \
4064 -c "client hello, adding session ticket extension" \
4065 -s "found session ticket extension" \
4066 -s "server hello, adding session ticket extension" \
4067 -c "found session_ticket extension" \
4068 -c "parse new session ticket" \
4069 -S "session successfully restored from cache" \
4070 -s "session successfully restored from ticket" \
4071 -s "a session has been resumed" \
4072 -c "a session has been resumed"
4073
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]4074requires_cipher_enabled "ARIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4075requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4076run_test "Session resume using tickets: ARIA-192-CCM" \
4077 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4078 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4079 0 \
4080 -c "client hello, adding session ticket extension" \
4081 -s "found session ticket extension" \
4082 -s "server hello, adding session ticket extension" \
4083 -c "found session_ticket extension" \
4084 -c "parse new session ticket" \
4085 -S "session successfully restored from cache" \
4086 -s "session successfully restored from ticket" \
4087 -s "a session has been resumed" \
4088 -c "a session has been resumed"
4089
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]4090requires_cipher_enabled "ARIA" "CCM"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4091requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4092run_test "Session resume using tickets: ARIA-256-CCM" \
4093 "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4094 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei6e5aae62022-01-12 16:29:58 +0100[diff] [blame]4095 0 \
4096 -c "client hello, adding session ticket extension" \
4097 -s "found session ticket extension" \
4098 -s "server hello, adding session ticket extension" \
4099 -c "found session_ticket extension" \
4100 -c "parse new session ticket" \
4101 -S "session successfully restored from cache" \
4102 -s "session successfully restored from ticket" \
4103 -s "a session has been resumed" \
4104 -c "a session has been resumed"
4105
Valerio Setti73d05312023-11-09 16:53:59 +0100[diff] [blame]4106requires_cipher_enabled "CHACHA20"
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4107requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Gabor Mezei49c8eb32022-03-10 16:13:17 +0100[diff] [blame]4108run_test "Session resume using tickets: CHACHA20-POLY1305" \
4109 "$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4110 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Gabor Mezei49c8eb32022-03-10 16:13:17 +0100[diff] [blame]4111 0 \
4112 -c "client hello, adding session ticket extension" \
4113 -s "found session ticket extension" \
4114 -s "server hello, adding session ticket extension" \
4115 -c "found session_ticket extension" \
4116 -c "parse new session ticket" \
4117 -S "session successfully restored from cache" \
4118 -s "session successfully restored from ticket" \
4119 -s "a session has been resumed" \
4120 -c "a session has been resumed"
4121
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4122# Tests for Session Tickets with DTLS
4123
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4124requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4125requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4126run_test "Session resume using tickets, DTLS: basic" \
4127 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4128 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4129 0 \
4130 -c "client hello, adding session ticket extension" \
4131 -s "found session ticket extension" \
4132 -s "server hello, adding session ticket extension" \
4133 -c "found session_ticket extension" \
4134 -c "parse new session ticket" \
4135 -S "session successfully restored from cache" \
4136 -s "session successfully restored from ticket" \
4137 -s "a session has been resumed" \
4138 -c "a session has been resumed"
4139
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4140requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4141requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4142run_test "Session resume using tickets, DTLS: cache disabled" \
4143 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4144 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4145 0 \
4146 -c "client hello, adding session ticket extension" \
4147 -s "found session ticket extension" \
4148 -s "server hello, adding session ticket extension" \
4149 -c "found session_ticket extension" \
4150 -c "parse new session ticket" \
4151 -S "session successfully restored from cache" \
4152 -s "session successfully restored from ticket" \
4153 -s "a session has been resumed" \
4154 -c "a session has been resumed"
4155
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4156requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4157requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4158run_test "Session resume using tickets, DTLS: timeout" \
4159 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Jerry Yua15af372022-12-05 15:55:24 +0800[diff] [blame]4160 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2000" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4161 0 \
4162 -c "client hello, adding session ticket extension" \
4163 -s "found session ticket extension" \
4164 -s "server hello, adding session ticket extension" \
4165 -c "found session_ticket extension" \
4166 -c "parse new session ticket" \
4167 -S "session successfully restored from cache" \
4168 -S "session successfully restored from ticket" \
4169 -S "a session has been resumed" \
4170 -C "a session has been resumed"
4171
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4172requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4173requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4174run_test "Session resume using tickets, DTLS: session copy" \
4175 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4176 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4177 0 \
4178 -c "client hello, adding session ticket extension" \
4179 -s "found session ticket extension" \
4180 -s "server hello, adding session ticket extension" \
4181 -c "found session_ticket extension" \
4182 -c "parse new session ticket" \
4183 -S "session successfully restored from cache" \
4184 -s "session successfully restored from ticket" \
4185 -s "a session has been resumed" \
4186 -c "a session has been resumed"
4187
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4188requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4189requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4190run_test "Session resume using tickets, DTLS: openssl server" \
4191 "$O_SRV -dtls" \
4192 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
4193 0 \
4194 -c "client hello, adding session ticket extension" \
4195 -c "found session_ticket extension" \
4196 -c "parse new session ticket" \
4197 -c "a session has been resumed"
4198
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4199# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott09cfa182021-10-13 16:13:44 +0100[diff] [blame]4200# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4201requires_openssl_next
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4202requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4203requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4204run_test "Session resume using tickets, DTLS: openssl client" \
4205 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4206 "( $O_NEXT_CLI -dtls -sess_out $SESSION; \
4207 $O_NEXT_CLI -dtls -sess_in $SESSION; \
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4208 rm -f $SESSION )" \
4209 0 \
4210 -s "found session ticket extension" \
4211 -s "server hello, adding session ticket extension" \
4212 -S "session successfully restored from cache" \
4213 -s "session successfully restored from ticket" \
4214 -s "a session has been resumed"
4215
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4216# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]4217
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4218requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4219requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4220run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4221 "$P_SRV debug_level=3 tickets=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4222 "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]4223 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4224 -c "client hello, adding session ticket extension" \
4225 -s "found session ticket extension" \
4226 -S "server hello, adding session ticket extension" \
4227 -C "found session_ticket extension" \
4228 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]4229 -s "session successfully restored from cache" \
4230 -S "session successfully restored from ticket" \
4231 -s "a session has been resumed" \
4232 -c "a session has been resumed"
4233
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4234requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4235requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4236run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4237 "$P_SRV debug_level=3 tickets=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4238 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]4239 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4240 -C "client hello, adding session ticket extension" \
4241 -S "found session ticket extension" \
4242 -S "server hello, adding session ticket extension" \
4243 -C "found session_ticket extension" \
4244 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]4245 -s "session successfully restored from cache" \
4246 -S "session successfully restored from ticket" \
4247 -s "a session has been resumed" \
4248 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4249
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4250requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4251run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4252 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4253 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]4254 0 \
4255 -S "session successfully restored from cache" \
4256 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4257 -S "a session has been resumed" \
4258 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]4259
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4260requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4261run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4262 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4263 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4264 0 \
4265 -s "session successfully restored from cache" \
4266 -S "session successfully restored from ticket" \
4267 -s "a session has been resumed" \
4268 -c "a session has been resumed"
4269
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4270requires_config_enabled MBEDTLS_SSL_CACHE_C
Pengyu Lv62ed1aa2023-03-07 14:52:47 +0800[diff] [blame]4271run_test "Session resume using cache: cache removed" \
4272 "$P_SRV debug_level=3 tickets=0 cache_remove=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4273 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1" \
Pengyu Lv62ed1aa2023-03-07 14:52:47 +0800[diff] [blame]4274 0 \
4275 -C "client hello, adding session ticket extension" \
4276 -S "found session ticket extension" \
4277 -S "server hello, adding session ticket extension" \
4278 -C "found session_ticket extension" \
4279 -C "parse new session ticket" \
4280 -S "session successfully restored from cache" \
4281 -S "session successfully restored from ticket" \
4282 -S "a session has been resumed" \
4283 -C "a session has been resumed"
4284
4285requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
4286requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]4287run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4288 "$P_SRV debug_level=3 tickets=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4289 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4290 0 \
4291 -s "session successfully restored from cache" \
4292 -S "session successfully restored from ticket" \
4293 -s "a session has been resumed" \
4294 -c "a session has been resumed"
4295
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4296requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4297run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4298 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4299 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1 reco_delay=2000" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]4300 0 \
4301 -S "session successfully restored from cache" \
4302 -S "session successfully restored from ticket" \
4303 -S "a session has been resumed" \
4304 -C "a session has been resumed"
4305
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4306requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4307run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4308 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4309 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1 reco_delay=2000" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]4310 0 \
4311 -s "session successfully restored from cache" \
4312 -S "session successfully restored from ticket" \
4313 -s "a session has been resumed" \
4314 -c "a session has been resumed"
4315
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4316requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4317run_test "Session resume using cache: session copy" \
4318 "$P_SRV debug_level=3 tickets=0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4319 "$P_CLI force_version=tls12 debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4320 0 \
4321 -s "session successfully restored from cache" \
4322 -S "session successfully restored from ticket" \
4323 -s "a session has been resumed" \
4324 -c "a session has been resumed"
4325
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4326requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4327requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4328run_test "Session resume using cache: openssl client" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]4329 "$P_SRV force_version=tls12 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]4330 "( $O_CLI -sess_out $SESSION; \
4331 $O_CLI -sess_in $SESSION; \
4332 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]4333 0 \
4334 -s "found session ticket extension" \
4335 -S "server hello, adding session ticket extension" \
4336 -s "session successfully restored from cache" \
4337 -S "session successfully restored from ticket" \
4338 -s "a session has been resumed"
4339
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4340requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4341requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4342run_test "Session resume using cache: openssl server" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]4343 "$O_SRV -tls1_2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4344 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]4345 0 \
4346 -C "found session_ticket extension" \
4347 -C "parse new session ticket" \
4348 -c "a session has been resumed"
4349
Andrzej Kurek7cf87252022-06-14 07:12:33 -0400[diff] [blame]4350# Tests for Session resume and extensions
4351
4352requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
4353requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
4354run_test "Session resume and connection ID" \
4355 "$P_SRV debug_level=3 cid=1 cid_val=dead dtls=1 tickets=0" \
4356 "$P_CLI debug_level=3 cid=1 cid_val=beef dtls=1 tickets=0 reconnect=1" \
4357 0 \
4358 -c "Enable use of CID extension." \
4359 -s "Enable use of CID extension." \
4360 -c "client hello, adding CID extension" \
4361 -s "found CID extension" \
4362 -s "Use of CID extension negotiated" \
4363 -s "server hello, adding CID extension" \
4364 -c "found CID extension" \
4365 -c "Use of CID extension negotiated" \
4366 -s "Copy CIDs into SSL transform" \
4367 -c "Copy CIDs into SSL transform" \
4368 -c "Peer CID (length 2 Bytes): de ad" \
4369 -s "Peer CID (length 2 Bytes): be ef" \
4370 -s "Use of Connection ID has been negotiated" \
4371 -c "Use of Connection ID has been negotiated"
4372
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4373# Tests for Session Resume based on session-ID and cache, DTLS
4374
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4375requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4376requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4377requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4378run_test "Session resume using cache, DTLS: tickets enabled on client" \
4379 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4380 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4381 0 \
4382 -c "client hello, adding session ticket extension" \
4383 -s "found session ticket extension" \
4384 -S "server hello, adding session ticket extension" \
4385 -C "found session_ticket extension" \
4386 -C "parse new session ticket" \
4387 -s "session successfully restored from cache" \
4388 -S "session successfully restored from ticket" \
4389 -s "a session has been resumed" \
4390 -c "a session has been resumed"
4391
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4392requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4393requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4394requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4395run_test "Session resume using cache, DTLS: tickets enabled on server" \
4396 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4397 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4398 0 \
4399 -C "client hello, adding session ticket extension" \
4400 -S "found session ticket extension" \
4401 -S "server hello, adding session ticket extension" \
4402 -C "found session_ticket extension" \
4403 -C "parse new session ticket" \
4404 -s "session successfully restored from cache" \
4405 -S "session successfully restored from ticket" \
4406 -s "a session has been resumed" \
4407 -c "a session has been resumed"
4408
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4409requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4410requires_config_enabled MBEDTLS_SSL_CACHE_C
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4411run_test "Session resume using cache, DTLS: cache_max=0" \
4412 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4413 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4414 0 \
4415 -S "session successfully restored from cache" \
4416 -S "session successfully restored from ticket" \
4417 -S "a session has been resumed" \
4418 -C "a session has been resumed"
4419
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4420requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4421requires_config_enabled MBEDTLS_SSL_CACHE_C
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4422run_test "Session resume using cache, DTLS: cache_max=1" \
4423 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4424 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4425 0 \
4426 -s "session successfully restored from cache" \
4427 -S "session successfully restored from ticket" \
4428 -s "a session has been resumed" \
4429 -c "a session has been resumed"
4430
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4431requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4432requires_config_enabled MBEDTLS_SSL_CACHE_C
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4433run_test "Session resume using cache, DTLS: timeout > delay" \
4434 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4435 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4436 0 \
4437 -s "session successfully restored from cache" \
4438 -S "session successfully restored from ticket" \
4439 -s "a session has been resumed" \
4440 -c "a session has been resumed"
4441
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4442requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4443requires_config_enabled MBEDTLS_SSL_CACHE_C
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4444run_test "Session resume using cache, DTLS: timeout < delay" \
4445 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Jerry Yua15af372022-12-05 15:55:24 +0800[diff] [blame]4446 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2000" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4447 0 \
4448 -S "session successfully restored from cache" \
4449 -S "session successfully restored from ticket" \
4450 -S "a session has been resumed" \
4451 -C "a session has been resumed"
4452
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4453requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4454requires_config_enabled MBEDTLS_SSL_CACHE_C
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4455run_test "Session resume using cache, DTLS: no timeout" \
4456 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Jerry Yua15af372022-12-05 15:55:24 +0800[diff] [blame]4457 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2000" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]4458 0 \
4459 -s "session successfully restored from cache" \
4460 -S "session successfully restored from ticket" \
4461 -s "a session has been resumed" \
4462 -c "a session has been resumed"
4463
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4464requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4465requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4466run_test "Session resume using cache, DTLS: session copy" \
4467 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]4468 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]4469 0 \
4470 -s "session successfully restored from cache" \
4471 -S "session successfully restored from ticket" \
4472 -s "a session has been resumed" \
4473 -c "a session has been resumed"
4474
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4475# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott09cfa182021-10-13 16:13:44 +0100[diff] [blame]4476# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4477requires_openssl_next
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4478requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4479requires_config_enabled MBEDTLS_SSL_CACHE_C
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]4480requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4481run_test "Session resume using cache, DTLS: openssl client" \
4482 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardd60950c2021-10-13 13:12:47 +0200[diff] [blame]4483 "( $O_NEXT_CLI -dtls -sess_out $SESSION; \
4484 $O_NEXT_CLI -dtls -sess_in $SESSION; \
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4485 rm -f $SESSION )" \
4486 0 \
4487 -s "found session ticket extension" \
4488 -S "server hello, adding session ticket extension" \
4489 -s "session successfully restored from cache" \
4490 -S "session successfully restored from ticket" \
4491 -s "a session has been resumed"
4492
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4493requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]4494requires_config_enabled MBEDTLS_SSL_CACHE_C
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]4495run_test "Session resume using cache, DTLS: openssl server" \
4496 "$O_SRV -dtls" \
4497 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
4498 0 \
4499 -C "found session_ticket extension" \
4500 -C "parse new session ticket" \
4501 -c "a session has been resumed"
4502
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]4503# Tests for Max Fragment Length extension
4504
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4505requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4506requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4507run_test "Max fragment length: enabled, default" \
Waleed Elmelegy3d46b7f2024-01-01 20:50:53 +0000[diff] [blame]4508 "$P_SRV debug_level=3 force_version=tls12" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4509 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4510 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4511 -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4512 -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
4513 -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4514 -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4515 -C "client hello, adding max_fragment_length extension" \
4516 -S "found max fragment length extension" \
4517 -S "server hello, max_fragment_length extension" \
4518 -C "found max_fragment_length extension"
4519
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4520requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4521requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4522run_test "Max fragment length: enabled, default, larger message" \
Waleed Elmelegy3d46b7f2024-01-01 20:50:53 +0000[diff] [blame]4523 "$P_SRV debug_level=3 force_version=tls12" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4524 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4525 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4526 -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4527 -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
4528 -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4529 -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4530 -C "client hello, adding max_fragment_length extension" \
4531 -S "found max fragment length extension" \
4532 -S "server hello, max_fragment_length extension" \
4533 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4534 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
4535 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]4536 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4537
4538requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4539requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4540run_test "Max fragment length, DTLS: enabled, default, larger message" \
4541 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4542 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4543 1 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4544 -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4545 -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
4546 -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4547 -s "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4548 -C "client hello, adding max_fragment_length extension" \
4549 -S "found max fragment length extension" \
4550 -S "server hello, max_fragment_length extension" \
4551 -C "found max_fragment_length extension" \
4552 -c "fragment larger than.*maximum "
4553
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4554# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
4555# (session fragment length will be 16384 regardless of mbedtls
4556# content length configuration.)
4557
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4558requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4559requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4560run_test "Max fragment length: disabled, larger message" \
Waleed Elmelegy3d46b7f2024-01-01 20:50:53 +0000[diff] [blame]4561 "$P_SRV debug_level=3 force_version=tls12" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4562 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4563 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4564 -C "Maximum incoming record payload length is 16384" \
4565 -C "Maximum outgoing record payload length is 16384" \
4566 -S "Maximum incoming record payload length is 16384" \
4567 -S "Maximum outgoing record payload length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4568 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
4569 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]4570 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4571
4572requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4573requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Yuto Takano0509fea2021-06-21 19:43:33 +0100[diff] [blame]4574run_test "Max fragment length, DTLS: disabled, larger message" \
Waleed Elmelegy3d46b7f2024-01-01 20:50:53 +0000[diff] [blame]4575 "$P_SRV debug_level=3 dtls=1 force_version=tls12" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4576 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4577 1 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4578 -C "Maximum incoming record payload length is 16384" \
4579 -C "Maximum outgoing record payload length is 16384" \
4580 -S "Maximum incoming record payload length is 16384" \
4581 -S "Maximum outgoing record payload length is 16384" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4582 -c "fragment larger than.*maximum "
4583
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4584requires_max_content_len 4096
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]4585requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4586run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4587 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4588 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4589 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4590 -c "Maximum incoming record payload length is 4096" \
4591 -c "Maximum outgoing record payload length is 4096" \
4592 -s "Maximum incoming record payload length is 4096" \
4593 -s "Maximum outgoing record payload length is 4096" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4594 -c "client hello, adding max_fragment_length extension" \
4595 -s "found max fragment length extension" \
4596 -s "server hello, max_fragment_length extension" \
4597 -c "found max_fragment_length extension"
4598
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4599requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4600requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4601run_test "Max fragment length: client 512, server 1024" \
4602 "$P_SRV debug_level=3 max_frag_len=1024" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4603 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4604 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4605 -c "Maximum incoming record payload length is 512" \
4606 -c "Maximum outgoing record payload length is 512" \
4607 -s "Maximum incoming record payload length is 512" \
4608 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4609 -c "client hello, adding max_fragment_length extension" \
4610 -s "found max fragment length extension" \
4611 -s "server hello, max_fragment_length extension" \
4612 -c "found max_fragment_length extension"
4613
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4614requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4615requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4616run_test "Max fragment length: client 512, server 2048" \
4617 "$P_SRV debug_level=3 max_frag_len=2048" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4618 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4619 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4620 -c "Maximum incoming record payload length is 512" \
4621 -c "Maximum outgoing record payload length is 512" \
4622 -s "Maximum incoming record payload length is 512" \
4623 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4624 -c "client hello, adding max_fragment_length extension" \
4625 -s "found max fragment length extension" \
4626 -s "server hello, max_fragment_length extension" \
4627 -c "found max_fragment_length extension"
4628
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4629requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4630requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4631run_test "Max fragment length: client 512, server 4096" \
4632 "$P_SRV debug_level=3 max_frag_len=4096" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4633 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4634 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4635 -c "Maximum incoming record payload length is 512" \
4636 -c "Maximum outgoing record payload length is 512" \
4637 -s "Maximum incoming record payload length is 512" \
4638 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4639 -c "client hello, adding max_fragment_length extension" \
4640 -s "found max fragment length extension" \
4641 -s "server hello, max_fragment_length extension" \
4642 -c "found max_fragment_length extension"
4643
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4644requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4645requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4646run_test "Max fragment length: client 1024, server 512" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4647 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4648 "$P_CLI debug_level=3 max_frag_len=1024" \
4649 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4650 -c "Maximum incoming record payload length is 1024" \
4651 -c "Maximum outgoing record payload length is 1024" \
4652 -s "Maximum incoming record payload length is 1024" \
4653 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4654 -c "client hello, adding max_fragment_length extension" \
4655 -s "found max fragment length extension" \
4656 -s "server hello, max_fragment_length extension" \
4657 -c "found max_fragment_length extension"
4658
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4659requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4660requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4661run_test "Max fragment length: client 1024, server 2048" \
4662 "$P_SRV debug_level=3 max_frag_len=2048" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4663 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4664 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4665 -c "Maximum incoming record payload length is 1024" \
4666 -c "Maximum outgoing record payload length is 1024" \
4667 -s "Maximum incoming record payload length is 1024" \
4668 -s "Maximum outgoing record payload length is 1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4669 -c "client hello, adding max_fragment_length extension" \
4670 -s "found max fragment length extension" \
4671 -s "server hello, max_fragment_length extension" \
4672 -c "found max_fragment_length extension"
4673
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4674requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4675requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4676run_test "Max fragment length: client 1024, server 4096" \
4677 "$P_SRV debug_level=3 max_frag_len=4096" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4678 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4679 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4680 -c "Maximum incoming record payload length is 1024" \
4681 -c "Maximum outgoing record payload length is 1024" \
4682 -s "Maximum incoming record payload length is 1024" \
4683 -s "Maximum outgoing record payload length is 1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4684 -c "client hello, adding max_fragment_length extension" \
4685 -s "found max fragment length extension" \
4686 -s "server hello, max_fragment_length extension" \
4687 -c "found max_fragment_length extension"
4688
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4689requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4690requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4691run_test "Max fragment length: client 2048, server 512" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4692 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4693 "$P_CLI debug_level=3 max_frag_len=2048" \
4694 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4695 -c "Maximum incoming record payload length is 2048" \
4696 -c "Maximum outgoing record payload length is 2048" \
4697 -s "Maximum incoming record payload length is 2048" \
4698 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4699 -c "client hello, adding max_fragment_length extension" \
4700 -s "found max fragment length extension" \
4701 -s "server hello, max_fragment_length extension" \
4702 -c "found max_fragment_length extension"
4703
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4704requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4705requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4706run_test "Max fragment length: client 2048, server 1024" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4707 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4708 "$P_CLI debug_level=3 max_frag_len=2048" \
4709 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4710 -c "Maximum incoming record payload length is 2048" \
4711 -c "Maximum outgoing record payload length is 2048" \
4712 -s "Maximum incoming record payload length is 2048" \
4713 -s "Maximum outgoing record payload length is 1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4714 -c "client hello, adding max_fragment_length extension" \
4715 -s "found max fragment length extension" \
4716 -s "server hello, max_fragment_length extension" \
4717 -c "found max_fragment_length extension"
4718
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4719requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4720requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4721run_test "Max fragment length: client 2048, server 4096" \
4722 "$P_SRV debug_level=3 max_frag_len=4096" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4723 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=2048" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4724 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4725 -c "Maximum incoming record payload length is 2048" \
4726 -c "Maximum outgoing record payload length is 2048" \
4727 -s "Maximum incoming record payload length is 2048" \
4728 -s "Maximum outgoing record payload length is 2048" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4729 -c "client hello, adding max_fragment_length extension" \
4730 -s "found max fragment length extension" \
4731 -s "server hello, max_fragment_length extension" \
4732 -c "found max_fragment_length extension"
4733
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4734requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4735requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4736run_test "Max fragment length: client 4096, server 512" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4737 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4738 "$P_CLI debug_level=3 max_frag_len=4096" \
4739 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4740 -c "Maximum incoming record payload length is 4096" \
4741 -c "Maximum outgoing record payload length is 4096" \
4742 -s "Maximum incoming record payload length is 4096" \
4743 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4744 -c "client hello, adding max_fragment_length extension" \
4745 -s "found max fragment length extension" \
4746 -s "server hello, max_fragment_length extension" \
4747 -c "found max_fragment_length extension"
4748
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4749requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4750requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4751run_test "Max fragment length: client 4096, server 1024" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4752 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4753 "$P_CLI debug_level=3 max_frag_len=4096" \
4754 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4755 -c "Maximum incoming record payload length is 4096" \
4756 -c "Maximum outgoing record payload length is 4096" \
4757 -s "Maximum incoming record payload length is 4096" \
4758 -s "Maximum outgoing record payload length is 1024" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4759 -c "client hello, adding max_fragment_length extension" \
4760 -s "found max fragment length extension" \
4761 -s "server hello, max_fragment_length extension" \
4762 -c "found max_fragment_length extension"
4763
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4764requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4765requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
4766run_test "Max fragment length: client 4096, server 2048" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4767 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=2048" \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]4768 "$P_CLI debug_level=3 max_frag_len=4096" \
4769 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4770 -c "Maximum incoming record payload length is 4096" \
4771 -c "Maximum outgoing record payload length is 4096" \
4772 -s "Maximum incoming record payload length is 4096" \
4773 -s "Maximum outgoing record payload length is 2048" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4774 -c "client hello, adding max_fragment_length extension" \
4775 -s "found max fragment length extension" \
4776 -s "server hello, max_fragment_length extension" \
4777 -c "found max_fragment_length extension"
4778
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4779requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4780requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4781run_test "Max fragment length: used by server" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4782 "$P_SRV force_version=tls12 debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4783 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4784 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4785 -c "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4786 -c "Maximum outgoing record payload length is $MAX_CONTENT_LEN" \
4787 -s "Maximum incoming record payload length is $MAX_CONTENT_LEN" \
4788 -s "Maximum outgoing record payload length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]4789 -C "client hello, adding max_fragment_length extension" \
4790 -S "found max fragment length extension" \
4791 -S "server hello, max_fragment_length extension" \
4792 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]4793
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4794requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4795requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4796requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4797requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4798run_test "Max fragment length: gnutls server" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]4799 "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4800 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]4801 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4802 -c "Maximum incoming record payload length is 4096" \
4803 -c "Maximum outgoing record payload length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]4804 -c "client hello, adding max_fragment_length extension" \
4805 -c "found max_fragment_length extension"
4806
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4807requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4808requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4809run_test "Max fragment length: client, message just fits" \
4810 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4811 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=2048 request_size=2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4812 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4813 -c "Maximum incoming record payload length is 2048" \
4814 -c "Maximum outgoing record payload length is 2048" \
4815 -s "Maximum incoming record payload length is 2048" \
4816 -s "Maximum outgoing record payload length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4817 -c "client hello, adding max_fragment_length extension" \
4818 -s "found max fragment length extension" \
4819 -s "server hello, max_fragment_length extension" \
4820 -c "found max_fragment_length extension" \
4821 -c "2048 bytes written in 1 fragments" \
4822 -s "2048 bytes read"
4823
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4824requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4825requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4826run_test "Max fragment length: client, larger message" \
4827 "$P_SRV debug_level=3" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]4828 "$P_CLI force_version=tls12 debug_level=3 max_frag_len=2048 request_size=2345" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4829 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4830 -c "Maximum incoming record payload length is 2048" \
4831 -c "Maximum outgoing record payload length is 2048" \
4832 -s "Maximum incoming record payload length is 2048" \
4833 -s "Maximum outgoing record payload length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4834 -c "client hello, adding max_fragment_length extension" \
4835 -s "found max fragment length extension" \
4836 -s "server hello, max_fragment_length extension" \
4837 -c "found max_fragment_length extension" \
4838 -c "2345 bytes written in 2 fragments" \
4839 -s "2048 bytes read" \
4840 -s "297 bytes read"
4841
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]4842requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]4843requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]4844requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]4845run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4846 "$P_SRV debug_level=3 dtls=1" \
4847 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
4848 1 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]4849 -c "Maximum incoming record payload length is 2048" \
4850 -c "Maximum outgoing record payload length is 2048" \
4851 -s "Maximum incoming record payload length is 2048" \
4852 -s "Maximum outgoing record payload length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]4853 -c "client hello, adding max_fragment_length extension" \
4854 -s "found max fragment length extension" \
4855 -s "server hello, max_fragment_length extension" \
4856 -c "found max_fragment_length extension" \
4857 -c "fragment larger than.*maximum"
4858
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]4859# Tests for Record Size Limit extension
4860
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]4861requires_gnutls_tls1_3
4862requires_gnutls_record_size_limit
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4863requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4864requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4865requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4866run_test "Record Size Limit: TLS 1.3: Server-side parsing and debug output" \
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4867 "$P_SRV debug_level=3 force_version=tls13" \
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]4868 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4" \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4869 0 \
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4870 -s "RecordSizeLimit: 16385 Bytes" \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4871 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4872 -s "Maximum outgoing record payload length is 16383" \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4873 -s "bytes written in 1 fragments"
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4874
4875requires_gnutls_tls1_3
4876requires_gnutls_record_size_limit
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4877requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4878requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4879requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4880run_test "Record Size Limit: TLS 1.3: Client-side parsing and debug output" \
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4881 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL --disable-client-cert -d 4" \
Jan Bruckner151f6422023-02-10 12:45:19 +0100[diff] [blame]4882 "$P_CLI debug_level=4 force_version=tls13" \
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]4883 0 \
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]4884 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]4885 -c "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]4886 -c "EncryptedExtensions: record_size_limit(28) extension received." \
Yanray Wang42017cd2023-11-08 11:15:23 +0800[diff] [blame]4887 -c "RecordSizeLimit: 16385 Bytes" \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4888
Waleed Elmelegyf5017902024-01-09 14:18:34 +0000[diff] [blame]4889# In the following tests, --recordsize is the value used by the G_NEXT_CLI (3.7.2) to configure the
4890# maximum record size using gnutls_record_set_max_size()
4891# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-size).
4892# There is currently a lower limit of 512, caused by gnutls_record_set_max_size()
4893# not respecting the "%ALLOW_SMALL_RECORDS" priority string and not using the
4894# more recent function gnutls_record_set_max_recv_size()
4895# (https://gnutls.org/reference/gnutls-gnutls.html#gnutls-record-set-max-recv-size).
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4896# There is currently an upper limit of 4096, caused by the cli arg parser:
4897# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/src/cli-args.def#L395.
Waleed Elmelegyf5017902024-01-09 14:18:34 +0000[diff] [blame]4898# Thus, these tests are currently limited to the value range 512-4096.
4899# Also, the value sent in the extension will be one larger than the value
4900# set at the command line:
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4901# https://gitlab.com/gnutls/gnutls/-/blob/3.7.2/lib/ext/record_size_limit.c#L142
Waleed Elmelegy9aec1c72023-12-05 20:08:51 +0000[diff] [blame]4902
4903# Currently test certificates being used do not fit in 513 record size limit
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4904# so for 513 record size limit tests we use preshared key to avoid sending
4905# the certificate.
Waleed Elmelegy9aec1c72023-12-05 20:08:51 +0000[diff] [blame]4906
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4907requires_gnutls_tls1_3
4908requires_gnutls_record_size_limit
4909requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
4910requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
4911requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4912run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 1 fragment" \
4913 "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
4914 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
4915 response_size=256" \
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4916 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
4917 --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4918 0 \
4919 -s "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4920 -s "ClientHello: record_size_limit(28) extension exists." \
4921 -s "Sent RecordSizeLimit: 16384 Bytes" \
4922 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4923 -s "Maximum outgoing record payload length is 511" \
4924 -s "256 bytes written in 1 fragments"
Waleed Elmelegy9aec1c72023-12-05 20:08:51 +0000[diff] [blame]4925
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4926requires_gnutls_tls1_3
4927requires_gnutls_record_size_limit
4928requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
4929requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
4930requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4931run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 2 fragments" \
4932 "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
4933 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
4934 response_size=768" \
4935 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
4936 --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
4937 0 \
4938 -s "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4939 -s "ClientHello: record_size_limit(28) extension exists." \
4940 -s "Sent RecordSizeLimit: 16384 Bytes" \
4941 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4942 -s "Maximum outgoing record payload length is 511" \
4943 -s "768 bytes written in 2 fragments"
Waleed Elmelegy9aec1c72023-12-05 20:08:51 +0000[diff] [blame]4944
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4945requires_gnutls_tls1_3
4946requires_gnutls_record_size_limit
4947requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
4948requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
4949requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
4950run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (513), 3 fragments" \
4951 "$P_SRV debug_level=3 force_version=tls13 tls13_kex_modes=psk \
4952 psk_list=Client_identity,6162636465666768696a6b6c6d6e6f70 \
4953 response_size=1280" \
4954 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK --recordsize 512 \
4955 --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \
4956 0 \
4957 -s "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy9457e672024-01-08 15:40:12 +0000[diff] [blame]4958 -s "ClientHello: record_size_limit(28) extension exists." \
4959 -s "Sent RecordSizeLimit: 16384 Bytes" \
4960 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Waleed Elmelegy87a373e2023-12-28 17:49:36 +0000[diff] [blame]4961 -s "Maximum outgoing record payload length is 511" \
4962 -s "1280 bytes written in 3 fragments"
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4963
4964requires_gnutls_tls1_3
4965requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]4966requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4967requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]4968requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4969run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 1 fragment" \
4970 "$P_SRV debug_level=3 force_version=tls13 response_size=512" \
4971 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
4972 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4973 -s "RecordSizeLimit: 1024 Bytes" \
4974 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy47d29462024-01-03 17:31:52 +0000[diff] [blame]4975 -s "Sent RecordSizeLimit: 16384 Bytes" \
4976 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4977 -s "Maximum outgoing record payload length is 1023" \
4978 -s "512 bytes written in 1 fragments"
4979
4980requires_gnutls_tls1_3
4981requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]4982requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4983requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]4984requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4985run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 2 fragments" \
4986 "$P_SRV debug_level=3 force_version=tls13 response_size=1536" \
4987 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
4988 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4989 -s "RecordSizeLimit: 1024 Bytes" \
4990 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy47d29462024-01-03 17:31:52 +0000[diff] [blame]4991 -s "Sent RecordSizeLimit: 16384 Bytes" \
4992 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4993 -s "Maximum outgoing record payload length is 1023" \
4994 -s "1536 bytes written in 2 fragments"
4995
4996requires_gnutls_tls1_3
4997requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]4998requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]4999requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5000requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5001run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (1024), 3 fragments" \
5002 "$P_SRV debug_level=3 force_version=tls13 response_size=2560" \
5003 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 1023" \
5004 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5005 -s "RecordSizeLimit: 1024 Bytes" \
5006 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy47d29462024-01-03 17:31:52 +0000[diff] [blame]5007 -s "Sent RecordSizeLimit: 16384 Bytes" \
5008 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5009 -s "Maximum outgoing record payload length is 1023" \
5010 -s "2560 bytes written in 3 fragments"
5011
5012requires_gnutls_tls1_3
5013requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5014requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5015requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5016requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5017run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 1 fragment" \
5018 "$P_SRV debug_level=3 force_version=tls13 response_size=2048" \
5019 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
5020 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5021 -s "RecordSizeLimit: 4096 Bytes" \
5022 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy47d29462024-01-03 17:31:52 +0000[diff] [blame]5023 -s "Sent RecordSizeLimit: 16384 Bytes" \
5024 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5025 -s "Maximum outgoing record payload length is 4095" \
5026 -s "2048 bytes written in 1 fragments"
5027
5028requires_gnutls_tls1_3
5029requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5030requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5031requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5032requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5033run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 2 fragments" \
5034 "$P_SRV debug_level=3 force_version=tls13 response_size=6144" \
5035 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
5036 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5037 -s "RecordSizeLimit: 4096 Bytes" \
5038 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy47d29462024-01-03 17:31:52 +0000[diff] [blame]5039 -s "Sent RecordSizeLimit: 16384 Bytes" \
5040 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5041 -s "Maximum outgoing record payload length is 4095" \
5042 -s "6144 bytes written in 2 fragments"
5043
5044requires_gnutls_tls1_3
5045requires_gnutls_record_size_limit
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5046requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5047requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy60f0f722024-01-04 14:57:31 +0000[diff] [blame]5048requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5049run_test "Record Size Limit: TLS 1.3: Server complies with record size limit (4096), 3 fragments" \
5050 "$P_SRV debug_level=3 force_version=tls13 response_size=10240" \
5051 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -d 4 --recordsize 4095" \
5052 0 \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5053 -s "RecordSizeLimit: 4096 Bytes" \
5054 -s "ClientHello: record_size_limit(28) extension exists." \
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5055 -s "Sent RecordSizeLimit: 16384 Bytes" \
5056 -s "EncryptedExtensions: record_size_limit(28) extension exists." \
Jan Brucknerf482dcc2023-03-15 09:09:06 +0100[diff] [blame]5057 -s "Maximum outgoing record payload length is 4095" \
5058 -s "10240 bytes written in 3 fragments"
Jan Bruckneraa31b192023-02-06 12:54:29 +0100[diff] [blame]5059
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5060requires_gnutls_tls1_3
5061requires_gnutls_record_size_limit
5062requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5063requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5064requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5065run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 1 fragment" \
5066 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
5067 "$P_CLI debug_level=4 force_version=tls13 request_size=256" \
5068 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5069 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5070 -c "ClientHello: record_size_limit(28) extension exists." \
5071 -c "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5072 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5073 -c "Maximum outgoing record payload length is 511" \
5074 -c "256 bytes written in 1 fragments"
5075
5076requires_gnutls_tls1_3
5077requires_gnutls_record_size_limit
5078requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5079requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5080requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5081run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 2 fragments" \
5082 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
5083 "$P_CLI debug_level=4 force_version=tls13 request_size=768" \
5084 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5085 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5086 -c "ClientHello: record_size_limit(28) extension exists." \
5087 -c "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5088 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5089 -c "Maximum outgoing record payload length is 511" \
5090 -c "768 bytes written in 2 fragments"
5091
5092requires_gnutls_tls1_3
5093requires_gnutls_record_size_limit
5094requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5095requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5096requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5097run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (513), 3 fragments" \
5098 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --disable-client-cert --recordsize 512" \
5099 "$P_CLI debug_level=4 force_version=tls13 request_size=1280" \
5100 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5101 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5102 -c "ClientHello: record_size_limit(28) extension exists." \
5103 -c "RecordSizeLimit: 513 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5104 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5105 -c "Maximum outgoing record payload length is 511" \
5106 -c "1280 bytes written in 3 fragments"
5107
5108requires_gnutls_tls1_3
5109requires_gnutls_record_size_limit
5110requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5111requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5112requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5113run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 1 fragment" \
5114 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
5115 "$P_CLI debug_level=4 force_version=tls13 request_size=512" \
5116 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5117 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5118 -c "ClientHello: record_size_limit(28) extension exists." \
5119 -c "RecordSizeLimit: 1024 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5120 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5121 -c "Maximum outgoing record payload length is 1023" \
5122 -c "512 bytes written in 1 fragments"
5123
5124requires_gnutls_tls1_3
5125requires_gnutls_record_size_limit
5126requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5127requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5128requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5129run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 2 fragments" \
5130 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
5131 "$P_CLI debug_level=4 force_version=tls13 request_size=1536" \
5132 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5133 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5134 -c "ClientHello: record_size_limit(28) extension exists." \
5135 -c "RecordSizeLimit: 1024 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5136 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5137 -c "Maximum outgoing record payload length is 1023" \
5138 -c "1536 bytes written in 2 fragments"
5139
5140requires_gnutls_tls1_3
5141requires_gnutls_record_size_limit
5142requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5143requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5144requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5145run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (1024), 3 fragments" \
5146 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 1023" \
5147 "$P_CLI debug_level=4 force_version=tls13 request_size=2560" \
5148 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5149 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5150 -c "ClientHello: record_size_limit(28) extension exists." \
5151 -c "RecordSizeLimit: 1024 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5152 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5153 -c "Maximum outgoing record payload length is 1023" \
5154 -c "2560 bytes written in 3 fragments"
5155
5156requires_gnutls_tls1_3
5157requires_gnutls_record_size_limit
5158requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5159requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5160requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5161run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 1 fragment" \
5162 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
5163 "$P_CLI debug_level=4 force_version=tls13 request_size=2048" \
5164 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5165 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5166 -c "ClientHello: record_size_limit(28) extension exists." \
5167 -c "RecordSizeLimit: 4096 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5168 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5169 -c "Maximum outgoing record payload length is 4095" \
5170 -c "2048 bytes written in 1 fragments"
5171
5172requires_gnutls_tls1_3
5173requires_gnutls_record_size_limit
5174requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5175requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5176requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5177run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 2 fragments" \
5178 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
5179 "$P_CLI debug_level=4 force_version=tls13 request_size=6144" \
5180 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5181 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5182 -c "ClientHello: record_size_limit(28) extension exists." \
5183 -c "RecordSizeLimit: 4096 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5184 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5185 -c "Maximum outgoing record payload length is 4095" \
5186 -c "6144 bytes written in 2 fragments"
5187
5188requires_gnutls_tls1_3
5189requires_gnutls_record_size_limit
5190requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C
5191requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
5192requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5193run_test "Record Size Limit: TLS 1.3: Client complies with record size limit (4096), 3 fragments" \
5194 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL -d 4 --recordsize 4095" \
5195 "$P_CLI debug_level=4 force_version=tls13 request_size=10240" \
5196 0 \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5197 -c "Sent RecordSizeLimit: 16384 Bytes" \
Waleed Elmelegy14877602024-01-10 16:15:08 +0000[diff] [blame]5198 -c "ClientHello: record_size_limit(28) extension exists." \
5199 -c "RecordSizeLimit: 4096 Bytes" \
Waleed Elmelegy2fa99b22024-01-09 17:15:03 +0000[diff] [blame]5200 -c "EncryptedExtensions: record_size_limit(28) extension exists." \
5201 -c "Maximum outgoing record payload length is 4095" \
5202 -c "10240 bytes written in 3 fragments"
5203
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5204# TODO: For time being, we send fixed value of RecordSizeLimit defined by
5205# MBEDTLS_SSL_IN_CONTENT_LEN. Once we support variable buffer length of
5206# RecordSizeLimit, we need to modify value of RecordSizeLimit in below test.
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]5207requires_config_value_equals "MBEDTLS_SSL_IN_CONTENT_LEN" 16384
5208requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5209requires_config_enabled MBEDTLS_SSL_RECORD_SIZE_LIMIT
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]5210requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
5211run_test "Record Size Limit: TLS 1.3 m->m: both peer comply with record size limit (default)" \
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5212 "$P_SRV debug_level=4 force_version=tls13" \
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]5213 "$P_CLI debug_level=4" \
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5214 0 \
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]5215 -c "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
5216 -c "RecordSizeLimit: $MAX_IN_LEN Bytes" \
Waleed Elmelegy3a377562024-01-05 18:13:42 +0000[diff] [blame]5217 -s "RecordSizeLimit: $MAX_IN_LEN Bytes" \
5218 -s "Sent RecordSizeLimit: $MAX_IN_LEN Bytes" \
5219 -s "Maximum outgoing record payload length is 16383" \
Waleed Elmelegy598ea092024-01-03 17:34:03 +0000[diff] [blame]5220 -s "Maximum incoming record payload length is 16384"
5221
Waleed Elmelegyf5017902024-01-09 14:18:34 +0000[diff] [blame]5222# End of Record size limit tests
5223
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5224# Tests for renegotiation
5225
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5226# G_NEXT_SRV is used in renegotiation tests becuase of the increased
5227# extensions limit since we exceed the limit in G_SRV when we send
5228# TLS 1.3 extensions in the initial handshake.
5229
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5230# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5231run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5232 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5233 "$P_CLI force_version=tls12 debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5234 0 \
5235 -C "client hello, adding renegotiation extension" \
5236 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5237 -S "found renegotiation extension" \
5238 -s "server hello, secure renegotiation extension" \
5239 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5240 -C "=> renegotiate" \
5241 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5242 -S "write hello request"
5243
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5244requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5245run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5246 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5247 "$P_CLI force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5248 0 \
5249 -c "client hello, adding renegotiation extension" \
5250 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5251 -s "found renegotiation extension" \
5252 -s "server hello, secure renegotiation extension" \
5253 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5254 -c "=> renegotiate" \
5255 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5256 -S "write hello request"
5257
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5258requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5259run_test "Renegotiation: server-initiated" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5260 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5261 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5262 0 \
5263 -c "client hello, adding renegotiation extension" \
5264 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5265 -s "found renegotiation extension" \
5266 -s "server hello, secure renegotiation extension" \
5267 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5268 -c "=> renegotiate" \
5269 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5270 -s "write hello request"
5271
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]5272# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
5273# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]5274# algorithm stronger than SHA-1 is enabled in mbedtls_config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5275requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]5276run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
5277 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5278 "$P_CLI force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]5279 0 \
5280 -c "client hello, adding renegotiation extension" \
5281 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5282 -s "found renegotiation extension" \
5283 -s "server hello, secure renegotiation extension" \
5284 -c "found renegotiation extension" \
5285 -c "=> renegotiate" \
5286 -s "=> renegotiate" \
5287 -S "write hello request" \
5288 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
5289
5290# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
5291# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
Bence Szépkútibb0cfeb2021-05-28 09:42:25 +0200[diff] [blame]5292# algorithm stronger than SHA-1 is enabled in mbedtls_config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5293requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]5294run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5295 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]5296 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
5297 0 \
5298 -c "client hello, adding renegotiation extension" \
5299 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5300 -s "found renegotiation extension" \
5301 -s "server hello, secure renegotiation extension" \
5302 -c "found renegotiation extension" \
5303 -c "=> renegotiate" \
5304 -s "=> renegotiate" \
5305 -s "write hello request" \
5306 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
5307
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5308requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5309run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5310 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5311 "$P_CLI force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5312 0 \
5313 -c "client hello, adding renegotiation extension" \
5314 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5315 -s "found renegotiation extension" \
5316 -s "server hello, secure renegotiation extension" \
5317 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5318 -c "=> renegotiate" \
5319 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5320 -s "write hello request"
5321
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5322requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]5323requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanob0a1c5b2021-07-02 10:10:49 +0100[diff] [blame]5324requires_max_content_len 2048
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]5325run_test "Renegotiation with max fragment length: client 2048, server 512" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5326 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]5327 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
5328 0 \
Hanno Becker59d36702021-06-08 05:35:29 +0100[diff] [blame]5329 -c "Maximum incoming record payload length is 2048" \
5330 -c "Maximum outgoing record payload length is 2048" \
5331 -s "Maximum incoming record payload length is 2048" \
5332 -s "Maximum outgoing record payload length is 512" \
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]5333 -c "client hello, adding max_fragment_length extension" \
5334 -s "found max fragment length extension" \
5335 -s "server hello, max_fragment_length extension" \
5336 -c "found max_fragment_length extension" \
5337 -c "client hello, adding renegotiation extension" \
5338 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5339 -s "found renegotiation extension" \
5340 -s "server hello, secure renegotiation extension" \
5341 -c "found renegotiation extension" \
5342 -c "=> renegotiate" \
5343 -s "=> renegotiate" \
5344 -s "write hello request"
5345
5346requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5347run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5348 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5349 "$P_CLI force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5350 1 \
5351 -c "client hello, adding renegotiation extension" \
5352 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5353 -S "found renegotiation extension" \
5354 -s "server hello, secure renegotiation extension" \
5355 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5356 -c "=> renegotiate" \
5357 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5358 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]5359 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5360 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5361
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5362requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5363run_test "Renegotiation: server-initiated, client-rejected, default" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5364 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5365 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5366 0 \
5367 -C "client hello, adding renegotiation extension" \
5368 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5369 -S "found renegotiation extension" \
5370 -s "server hello, secure renegotiation extension" \
5371 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]5372 -C "=> renegotiate" \
5373 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]5374 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]5375 -S "SSL - An unexpected message was received from our peer" \
5376 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]5377
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5378requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5379run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5380 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5381 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5382 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5383 0 \
5384 -C "client hello, adding renegotiation extension" \
5385 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5386 -S "found renegotiation extension" \
5387 -s "server hello, secure renegotiation extension" \
5388 -c "found renegotiation extension" \
5389 -C "=> renegotiate" \
5390 -S "=> renegotiate" \
5391 -s "write hello request" \
5392 -S "SSL - An unexpected message was received from our peer" \
5393 -S "failed"
5394
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]5395# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5396requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5397run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5398 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5399 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5400 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5401 0 \
5402 -C "client hello, adding renegotiation extension" \
5403 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5404 -S "found renegotiation extension" \
5405 -s "server hello, secure renegotiation extension" \
5406 -c "found renegotiation extension" \
5407 -C "=> renegotiate" \
5408 -S "=> renegotiate" \
5409 -s "write hello request" \
5410 -S "SSL - An unexpected message was received from our peer" \
5411 -S "failed"
5412
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5413requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5414run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5415 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5416 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5417 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5418 0 \
5419 -C "client hello, adding renegotiation extension" \
5420 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5421 -S "found renegotiation extension" \
5422 -s "server hello, secure renegotiation extension" \
5423 -c "found renegotiation extension" \
5424 -C "=> renegotiate" \
5425 -S "=> renegotiate" \
5426 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]5427 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5428
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5429requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5430run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5431 "$P_SRV force_version=tls12 debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5432 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5433 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]5434 0 \
5435 -c "client hello, adding renegotiation extension" \
5436 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5437 -s "found renegotiation extension" \
5438 -s "server hello, secure renegotiation extension" \
5439 -c "found renegotiation extension" \
5440 -c "=> renegotiate" \
5441 -s "=> renegotiate" \
5442 -s "write hello request" \
5443 -S "SSL - An unexpected message was received from our peer" \
5444 -S "failed"
5445
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5446requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5447run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5448 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5449 "$P_CLI force_version=tls12 debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5450 0 \
5451 -C "client hello, adding renegotiation extension" \
5452 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5453 -S "found renegotiation extension" \
5454 -s "server hello, secure renegotiation extension" \
5455 -c "found renegotiation extension" \
5456 -S "record counter limit reached: renegotiate" \
5457 -C "=> renegotiate" \
5458 -S "=> renegotiate" \
5459 -S "write hello request" \
5460 -S "SSL - An unexpected message was received from our peer" \
5461 -S "failed"
5462
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]5463# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5464requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5465run_test "Renegotiation: periodic, just above period" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5466 "$P_SRV force_version=tls12 debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]5467 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5468 0 \
5469 -c "client hello, adding renegotiation extension" \
5470 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5471 -s "found renegotiation extension" \
5472 -s "server hello, secure renegotiation extension" \
5473 -c "found renegotiation extension" \
5474 -s "record counter limit reached: renegotiate" \
5475 -c "=> renegotiate" \
5476 -s "=> renegotiate" \
5477 -s "write hello request" \
5478 -S "SSL - An unexpected message was received from our peer" \
5479 -S "failed"
5480
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5481requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5482run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5483 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5484 "$P_CLI force_version=tls12 debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5485 0 \
5486 -c "client hello, adding renegotiation extension" \
5487 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5488 -s "found renegotiation extension" \
5489 -s "server hello, secure renegotiation extension" \
5490 -c "found renegotiation extension" \
5491 -s "record counter limit reached: renegotiate" \
5492 -c "=> renegotiate" \
5493 -s "=> renegotiate" \
5494 -s "write hello request" \
5495 -S "SSL - An unexpected message was received from our peer" \
5496 -S "failed"
5497
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5498requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5499run_test "Renegotiation: periodic, above period, disabled" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5500 "$P_SRV force_version=tls12 debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]5501 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
5502 0 \
5503 -C "client hello, adding renegotiation extension" \
5504 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5505 -S "found renegotiation extension" \
5506 -s "server hello, secure renegotiation extension" \
5507 -c "found renegotiation extension" \
5508 -S "record counter limit reached: renegotiate" \
5509 -C "=> renegotiate" \
5510 -S "=> renegotiate" \
5511 -S "write hello request" \
5512 -S "SSL - An unexpected message was received from our peer" \
5513 -S "failed"
5514
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5515requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5516run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]5517 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5518 "$P_CLI force_version=tls12 debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]5519 0 \
5520 -c "client hello, adding renegotiation extension" \
5521 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5522 -s "found renegotiation extension" \
5523 -s "server hello, secure renegotiation extension" \
5524 -c "found renegotiation extension" \
5525 -c "=> renegotiate" \
5526 -s "=> renegotiate" \
5527 -S "write hello request"
5528
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5529requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5530run_test "Renegotiation: nbio, server-initiated" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5531 "$P_SRV force_version=tls12 debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5532 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]5533 0 \
5534 -c "client hello, adding renegotiation extension" \
5535 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5536 -s "found renegotiation extension" \
5537 -s "server hello, secure renegotiation extension" \
5538 -c "found renegotiation extension" \
5539 -c "=> renegotiate" \
5540 -s "=> renegotiate" \
5541 -s "write hello request"
5542
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5543requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5544requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5545run_test "Renegotiation: openssl server, client-initiated" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]5546 "$O_SRV -www -tls1_2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5547 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]5548 0 \
5549 -c "client hello, adding renegotiation extension" \
5550 -c "found renegotiation extension" \
5551 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5552 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]5553 -C "error" \
5554 -c "HTTP/1.0 200 [Oo][Kk]"
5555
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5556requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5557requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5558requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5559run_test "Renegotiation: gnutls server strict, client-initiated" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5560 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5561 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]5562 0 \
5563 -c "client hello, adding renegotiation extension" \
5564 -c "found renegotiation extension" \
5565 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5566 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]5567 -C "error" \
5568 -c "HTTP/1.0 200 [Oo][Kk]"
5569
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5570requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5571requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5572requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5573run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5574 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5575 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
5576 1 \
5577 -c "client hello, adding renegotiation extension" \
5578 -C "found renegotiation extension" \
5579 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5580 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5581 -c "error" \
5582 -C "HTTP/1.0 200 [Oo][Kk]"
5583
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5584requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5585requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5586requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5587run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5588 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5589 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
5590 allow_legacy=0" \
5591 1 \
5592 -c "client hello, adding renegotiation extension" \
5593 -C "found renegotiation extension" \
5594 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5595 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5596 -c "error" \
5597 -C "HTTP/1.0 200 [Oo][Kk]"
5598
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5599requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5600requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5601requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5602run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5603 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5604 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
5605 allow_legacy=1" \
5606 0 \
5607 -c "client hello, adding renegotiation extension" \
5608 -C "found renegotiation extension" \
5609 -c "=> renegotiate" \
5610 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5611 -C "error" \
5612 -c "HTTP/1.0 200 [Oo][Kk]"
5613
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5614requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5615requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]5616run_test "Renegotiation: DTLS, client-initiated" \
5617 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
5618 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
5619 0 \
5620 -c "client hello, adding renegotiation extension" \
5621 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5622 -s "found renegotiation extension" \
5623 -s "server hello, secure renegotiation extension" \
5624 -c "found renegotiation extension" \
5625 -c "=> renegotiate" \
5626 -s "=> renegotiate" \
5627 -S "write hello request"
5628
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5629requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5630requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]5631run_test "Renegotiation: DTLS, server-initiated" \
5632 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]5633 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
5634 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]5635 0 \
5636 -c "client hello, adding renegotiation extension" \
5637 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5638 -s "found renegotiation extension" \
5639 -s "server hello, secure renegotiation extension" \
5640 -c "found renegotiation extension" \
5641 -c "=> renegotiate" \
5642 -s "=> renegotiate" \
5643 -s "write hello request"
5644
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5645requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5646requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]5647run_test "Renegotiation: DTLS, renego_period overflow" \
5648 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
5649 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
5650 0 \
5651 -c "client hello, adding renegotiation extension" \
5652 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
5653 -s "found renegotiation extension" \
5654 -s "server hello, secure renegotiation extension" \
5655 -s "record counter limit reached: renegotiate" \
5656 -c "=> renegotiate" \
5657 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5658 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]5659
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]5660requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]5661requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5662requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]5663run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5664 "$G_NEXT_SRV -u --mtu 4096" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]5665 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
5666 0 \
5667 -c "client hello, adding renegotiation extension" \
5668 -c "found renegotiation extension" \
5669 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5670 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]5671 -C "error" \
5672 -s "Extra-header:"
5673
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]5674# Test for the "secure renegotiation" extension only (no actual renegotiation)
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5675
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5676requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5677requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5678requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5679run_test "Renego ext: gnutls server strict, client default" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5680 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5681 "$P_CLI debug_level=3" \
5682 0 \
5683 -c "found renegotiation extension" \
5684 -C "error" \
5685 -c "HTTP/1.0 200 [Oo][Kk]"
5686
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5687requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5688requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5689requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5690run_test "Renego ext: gnutls server unsafe, client default" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5691 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5692 "$P_CLI debug_level=3" \
5693 0 \
5694 -C "found renegotiation extension" \
5695 -C "error" \
5696 -c "HTTP/1.0 200 [Oo][Kk]"
5697
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5698requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5699requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5700requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5701run_test "Renego ext: gnutls server unsafe, client break legacy" \
Waleed Elmelegy4b09dcd2024-01-12 10:50:25 +0000[diff] [blame]5702 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5703 "$P_CLI debug_level=3 allow_legacy=-1" \
5704 1 \
5705 -C "found renegotiation extension" \
5706 -c "error" \
5707 -C "HTTP/1.0 200 [Oo][Kk]"
5708
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5709requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5710requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5711requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5712run_test "Renego ext: gnutls client strict, server default" \
5713 "$P_SRV debug_level=3" \
Gilles Peskinee373c942024-04-29 17:44:19 +0200[diff] [blame]5714 "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5715 0 \
5716 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
5717 -s "server hello, secure renegotiation extension"
5718
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5719requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5720requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5721requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5722run_test "Renego ext: gnutls client unsafe, server default" \
5723 "$P_SRV debug_level=3" \
Gilles Peskinee373c942024-04-29 17:44:19 +0200[diff] [blame]5724 "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5725 0 \
5726 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
5727 -S "server hello, secure renegotiation extension"
5728
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]5729requires_gnutls
Gilles Peskine21ad5762024-04-29 17:47:35 +0200[diff] [blame]5730requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5731requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5732run_test "Renego ext: gnutls client unsafe, server break legacy" \
5733 "$P_SRV debug_level=3 allow_legacy=-1" \
Gilles Peskinee373c942024-04-29 17:44:19 +0200[diff] [blame]5734 "$G_CLI --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]5735 1 \
5736 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
5737 -S "server hello, secure renegotiation extension"
5738
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5739# Tests for silently dropping trailing extra bytes in .der certificates
5740
5741requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5742requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5743run_test "DER format: no trailing bytes" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5744 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der0.crt \
5745 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5746 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5747 0 \
5748 -c "Handshake was completed" \
5749
5750requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5751requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5752run_test "DER format: with a trailing zero byte" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5753 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1a.crt \
5754 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5755 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5756 0 \
5757 -c "Handshake was completed" \
5758
5759requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5760requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5761run_test "DER format: with a trailing random byte" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5762 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der1b.crt \
5763 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5764 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5765 0 \
5766 -c "Handshake was completed" \
5767
5768requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5769requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5770run_test "DER format: with 2 trailing random bytes" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5771 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der2.crt \
5772 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5773 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5774 0 \
5775 -c "Handshake was completed" \
5776
5777requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5778requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5779run_test "DER format: with 4 trailing random bytes" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5780 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der4.crt \
5781 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5782 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5783 0 \
5784 -c "Handshake was completed" \
5785
5786requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5787requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5788run_test "DER format: with 8 trailing random bytes" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5789 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der8.crt \
5790 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5791 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5792 0 \
5793 -c "Handshake was completed" \
5794
5795requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]5796requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5797run_test "DER format: with 9 trailing random bytes" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5798 "$P_SRV crt_file=$DATA_FILES_PATH/server5-der9.crt \
5799 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5800 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]5801 0 \
5802 -c "Handshake was completed" \
5803
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]5804# Tests for auth_mode, there are duplicated tests using ca callback for authentication
5805# When updating these tests, modify the matching authentication tests accordingly
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5806
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5807requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5808run_test "Authentication: server badcert, client required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5809 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5810 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5811 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5812 1 \
5813 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5814 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5815 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5816 -c "X509 - Certificate verification failed"
5817
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5818run_test "Authentication: server badcert, client optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5819 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5820 key_file=$DATA_FILES_PATH/server5.key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5821 "$P_CLI force_version=tls12 debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5822 0 \
5823 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5824 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5825 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5826 -C "X509 - Certificate verification failed"
5827
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]5828requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5829run_test "Authentication: server goodcert, client optional, no trusted CA" \
5830 "$P_SRV" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5831 "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5832 0 \
5833 -c "x509_verify_cert() returned" \
5834 -c "! The certificate is not correctly signed by the trusted CA" \
5835 -c "! Certificate verification flags"\
5836 -C "! mbedtls_ssl_handshake returned" \
5837 -C "X509 - Certificate verification failed" \
5838 -C "SSL - No CA Chain is set, but required to operate"
5839
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5840requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5841run_test "Authentication: server goodcert, client required, no trusted CA" \
5842 "$P_SRV" \
5843 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
5844 1 \
5845 -c "x509_verify_cert() returned" \
5846 -c "! The certificate is not correctly signed by the trusted CA" \
5847 -c "! Certificate verification flags"\
5848 -c "! mbedtls_ssl_handshake returned" \
5849 -c "SSL - No CA Chain is set, but required to operate"
5850
5851# The purpose of the next two tests is to test the client's behaviour when receiving a server
5852# certificate with an unsupported elliptic curve. This should usually not happen because
5853# the client informs the server about the supported curves - it does, though, in the
5854# corner case of a static ECDH suite, because the server doesn't check the curve on that
5855# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
5856# different means to have the server ignoring the client's supported curve list.
5857
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5858run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5859 "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
5860 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]5861 "$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5862 1 \
5863 -c "bad certificate (EC key curve)"\
5864 -c "! Certificate verification flags"\
5865 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
5866
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5867run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5868 "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
5869 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]5870 "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]5871 1 \
5872 -c "bad certificate (EC key curve)"\
5873 -c "! Certificate verification flags"\
5874 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
5875
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5876run_test "Authentication: server badcert, client none" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5877 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5878 key_file=$DATA_FILES_PATH/server5.key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]5879 "$P_CLI force_version=tls12 debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5880 0 \
5881 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5882 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5883 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5884 -C "X509 - Certificate verification failed"
5885
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]5886requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5887run_test "Authentication: client SHA256, server required" \
5888 "$P_SRV auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5889 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
5890 key_file=$DATA_FILES_PATH/server6.key \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5891 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
5892 0 \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]5893 -c "Supported Signature Algorithm found: 04 " \
5894 -c "Supported Signature Algorithm found: 05 "
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5895
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]5896requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5897run_test "Authentication: client SHA384, server required" \
5898 "$P_SRV auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5899 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
5900 key_file=$DATA_FILES_PATH/server6.key \
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5901 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
5902 0 \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]5903 -c "Supported Signature Algorithm found: 04 " \
5904 -c "Supported Signature Algorithm found: 05 "
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]5905
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5906requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]5907run_test "Authentication: client has no cert, server required (TLS)" \
5908 "$P_SRV debug_level=3 auth_mode=required" \
5909 "$P_CLI debug_level=3 crt_file=none \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5910 key_file=$DATA_FILES_PATH/server5.key" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]5911 1 \
5912 -S "skip write certificate request" \
5913 -C "skip parse certificate request" \
5914 -c "got a certificate request" \
5915 -c "= write certificate$" \
5916 -C "skip write certificate$" \
5917 -S "x509_verify_cert() returned" \
Ronald Cron19385882022-06-15 16:26:13 +0200[diff] [blame]5918 -s "peer has no certificate" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]5919 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]5920 -s "No client certification received from the client, but required by the authentication mode"
5921
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5922requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5923run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5924 "$P_SRV debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5925 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5926 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5927 1 \
5928 -S "skip write certificate request" \
5929 -C "skip parse certificate request" \
5930 -c "got a certificate request" \
5931 -C "skip write certificate" \
5932 -C "skip write certificate verify" \
5933 -S "skip parse certificate verify" \
5934 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]5935 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5936 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5937 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5938 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]5939# We don't check that the client receives the alert because it might
5940# detect that its write end of the connection is closed and abort
5941# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5942
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5943requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Gilles Peskinee1cc60e2022-01-07 23:10:56 +0100[diff] [blame]5944run_test "Authentication: client cert self-signed and trusted, server required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5945 "$P_SRV debug_level=3 auth_mode=required ca_file=$DATA_FILES_PATH/server5-selfsigned.crt" \
5946 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
5947 key_file=$DATA_FILES_PATH/server5.key" \
Gilles Peskinee1cc60e2022-01-07 23:10:56 +0100[diff] [blame]5948 0 \
5949 -S "skip write certificate request" \
5950 -C "skip parse certificate request" \
5951 -c "got a certificate request" \
5952 -C "skip write certificate" \
5953 -C "skip write certificate verify" \
5954 -S "skip parse certificate verify" \
5955 -S "x509_verify_cert() returned" \
5956 -S "! The certificate is not correctly signed" \
5957 -S "X509 - Certificate verification failed"
5958
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5959requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]5960run_test "Authentication: client cert not trusted, server required" \
5961 "$P_SRV debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5962 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
5963 key_file=$DATA_FILES_PATH/server5.key" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]5964 1 \
5965 -S "skip write certificate request" \
5966 -C "skip parse certificate request" \
5967 -c "got a certificate request" \
5968 -C "skip write certificate" \
5969 -C "skip write certificate verify" \
5970 -S "skip parse certificate verify" \
5971 -s "x509_verify_cert() returned" \
5972 -s "! The certificate is not correctly signed by the trusted CA" \
5973 -s "! mbedtls_ssl_handshake returned" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]5974 -s "X509 - Certificate verification failed"
5975
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5976requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5977run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5978 "$P_SRV debug_level=3 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5979 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5980 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5981 0 \
5982 -S "skip write certificate request" \
5983 -C "skip parse certificate request" \
5984 -c "got a certificate request" \
5985 -C "skip write certificate" \
5986 -C "skip write certificate verify" \
5987 -S "skip parse certificate verify" \
5988 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]5989 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5990 -S "! mbedtls_ssl_handshake returned" \
5991 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5992 -S "X509 - Certificate verification failed"
5993
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]5994requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5995run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5996 "$P_SRV debug_level=3 auth_mode=none" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]5997 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
5998 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]5999 0 \
6000 -s "skip write certificate request" \
6001 -C "skip parse certificate request" \
6002 -c "got no certificate request" \
6003 -c "skip write certificate" \
6004 -c "skip write certificate verify" \
6005 -s "skip parse certificate verify" \
6006 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6007 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6008 -S "! mbedtls_ssl_handshake returned" \
6009 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]6010 -S "X509 - Certificate verification failed"
6011
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6012requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6013run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]6014 "$P_SRV debug_level=3 auth_mode=optional" \
6015 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6016 0 \
6017 -S "skip write certificate request" \
6018 -C "skip parse certificate request" \
6019 -c "got a certificate request" \
6020 -C "skip write certificate$" \
6021 -C "got no certificate to send" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6022 -c "skip write certificate verify" \
6023 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6024 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6025 -S "! mbedtls_ssl_handshake returned" \
6026 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6027 -S "X509 - Certificate verification failed"
6028
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]6029requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6030requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6031run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]6032 "$P_SRV debug_level=3 auth_mode=optional" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6033 "$O_NEXT_CLI_NO_CERT -no_middlebox" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6034 0 \
6035 -S "skip write certificate request" \
6036 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6037 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6038 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6039 -S "X509 - Certificate verification failed"
6040
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6041requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6042run_test "Authentication: client no cert, openssl server optional" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]6043 "$O_SRV -verify 10 -tls1_2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]6044 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6045 0 \
6046 -C "skip parse certificate request" \
6047 -c "got a certificate request" \
6048 -C "skip write certificate$" \
6049 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6050 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]6051
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6052requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]6053run_test "Authentication: client no cert, openssl server required" \
Ronald Croncbd7bfd2022-03-31 18:19:56 +0200[diff] [blame]6054 "$O_SRV -Verify 10 -tls1_2" \
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]6055 "$P_CLI debug_level=3 crt_file=none key_file=none" \
6056 1 \
6057 -C "skip parse certificate request" \
6058 -c "got a certificate request" \
6059 -C "skip write certificate$" \
6060 -c "skip write certificate verify" \
6061 -c "! mbedtls_ssl_handshake returned"
6062
Yuto Takano02485822021-07-02 13:05:15 +0100[diff] [blame]6063# This script assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA has its default
6064# value, defined here as MAX_IM_CA. Some test cases will be skipped if the
6065# library is configured with a different value.
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]6066
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]6067MAX_IM_CA='8'
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]6068
Yuto Takano02485822021-07-02 13:05:15 +0100[diff] [blame]6069# The tests for the max_int tests can pass with any number higher than MAX_IM_CA
6070# because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1
6071# tests can pass with any number less than MAX_IM_CA. However, stricter preconditions
6072# are in place so that the semantics are consistent with the test description.
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6073requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6074requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6075run_test "Authentication: server max_int chain, client default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6076 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
6077 key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
6078 "$P_CLI server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6079 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6080 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6081
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6082requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6083requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6084run_test "Authentication: server max_int+1 chain, client default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6085 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6086 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
6087 "$P_CLI server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6088 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6089 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6090
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6091requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6092requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6093run_test "Authentication: server max_int+1 chain, client optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6094 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6095 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
6096 "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6097 auth_mode=optional" \
6098 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6099 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6100
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6101requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6102requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6103run_test "Authentication: server max_int+1 chain, client none" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6104 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6105 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
6106 "$P_CLI force_version=tls12 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6107 auth_mode=none" \
6108 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6109 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6110
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6111requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6112requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6113run_test "Authentication: client max_int+1 chain, server default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6114 "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
6115 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6116 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6117 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6118 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6119
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6120requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6121requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6122run_test "Authentication: client max_int+1 chain, server optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6123 "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
6124 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6125 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6126 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6127 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6128
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6129requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6130requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6131run_test "Authentication: client max_int+1 chain, server required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6132 "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
6133 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6134 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6135 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6136 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6137
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6138requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6139requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6140run_test "Authentication: client max_int chain, server required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6141 "$P_SRV ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
6142 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
6143 key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6144 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]6145 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]6146
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6147# Tests for CA list in CertificateRequest messages
6148
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6149requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6150run_test "Authentication: send CA list in CertificateRequest (default)" \
6151 "$P_SRV debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6152 "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \
6153 key_file=$DATA_FILES_PATH/server6.key" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6154 0 \
6155 -s "requested DN"
6156
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6157requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6158run_test "Authentication: do not send CA list in CertificateRequest" \
6159 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6160 "$P_CLI force_version=tls12 crt_file=$DATA_FILES_PATH/server6.crt \
6161 key_file=$DATA_FILES_PATH/server6.key" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6162 0 \
6163 -S "requested DN"
6164
6165run_test "Authentication: send CA list in CertificateRequest, client self signed" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6166 "$P_SRV force_version=tls12 debug_level=3 auth_mode=required cert_req_ca_list=0" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6167 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
6168 key_file=$DATA_FILES_PATH/server5.key" \
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]6169 1 \
6170 -S "requested DN" \
6171 -s "x509_verify_cert() returned" \
6172 -s "! The certificate is not correctly signed by the trusted CA" \
6173 -s "! mbedtls_ssl_handshake returned" \
6174 -c "! mbedtls_ssl_handshake returned" \
6175 -s "X509 - Certificate verification failed"
6176
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6177requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6178run_test "Authentication: send alt conf DN hints in CertificateRequest" \
6179 "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6180 crt_file2=$DATA_FILES_PATH/server1.crt \
6181 key_file2=$DATA_FILES_PATH/server1.key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6182 "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6183 crt_file=$DATA_FILES_PATH/server6.crt \
6184 key_file=$DATA_FILES_PATH/server6.key" \
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6185 0 \
6186 -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
6187
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6188requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6189run_test "Authentication: send alt conf DN hints in CertificateRequest (2)" \
6190 "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6191 crt_file2=$DATA_FILES_PATH/server2.crt \
6192 key_file2=$DATA_FILES_PATH/server2.key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6193 "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6194 crt_file=$DATA_FILES_PATH/server6.crt \
6195 key_file=$DATA_FILES_PATH/server6.key" \
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6196 0 \
6197 -c "DN hint: C=NL, O=PolarSSL, CN=localhost"
6198
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6199requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6200run_test "Authentication: send alt hs DN hints in CertificateRequest" \
6201 "$P_SRV debug_level=3 auth_mode=optional cert_req_ca_list=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6202 crt_file2=$DATA_FILES_PATH/server1.crt \
6203 key_file2=$DATA_FILES_PATH/server1.key" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6204 "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6205 crt_file=$DATA_FILES_PATH/server6.crt \
6206 key_file=$DATA_FILES_PATH/server6.key" \
Glenn Straussbd10c4e2022-06-25 03:15:48 -0400[diff] [blame]6207 0 \
6208 -c "DN hint: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
6209
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]6210# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
6211# When updating these tests, modify the matching authentication tests accordingly
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6212
6213requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6214run_test "Authentication, CA callback: server badcert, client required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6215 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
6216 key_file=$DATA_FILES_PATH/server5.key" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]6217 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6218 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6219 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6220 -c "x509_verify_cert() returned" \
6221 -c "! The certificate is not correctly signed by the trusted CA" \
6222 -c "! mbedtls_ssl_handshake returned" \
6223 -c "X509 - Certificate verification failed"
6224
6225requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6226run_test "Authentication, CA callback: server badcert, client optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6227 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
6228 key_file=$DATA_FILES_PATH/server5.key" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]6229 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6230 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6231 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6232 -c "x509_verify_cert() returned" \
6233 -c "! The certificate is not correctly signed by the trusted CA" \
6234 -C "! mbedtls_ssl_handshake returned" \
6235 -C "X509 - Certificate verification failed"
6236
6237# The purpose of the next two tests is to test the client's behaviour when receiving a server
6238# certificate with an unsupported elliptic curve. This should usually not happen because
6239# the client informs the server about the supported curves - it does, though, in the
6240# corner case of a static ECDH suite, because the server doesn't check the curve on that
6241# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
6242# different means to have the server ignoring the client's supported curve list.
6243
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6244requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6245run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6246 "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
6247 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]6248 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6249 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6250 -c "use CA callback for X.509 CRT verification" \
6251 -c "bad certificate (EC key curve)" \
6252 -c "! Certificate verification flags" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6253 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
6254
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6255requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6256run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6257 "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
6258 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]6259 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6260 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6261 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6262 -c "bad certificate (EC key curve)"\
6263 -c "! Certificate verification flags"\
6264 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
6265
6266requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6267requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6268run_test "Authentication, CA callback: client SHA256, server required" \
6269 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6270 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
6271 key_file=$DATA_FILES_PATH/server6.key \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6272 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
6273 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6274 -s "use CA callback for X.509 CRT verification" \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]6275 -c "Supported Signature Algorithm found: 04 " \
6276 -c "Supported Signature Algorithm found: 05 "
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6277
6278requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6279requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6280run_test "Authentication, CA callback: client SHA384, server required" \
6281 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6282 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server6.crt \
6283 key_file=$DATA_FILES_PATH/server6.key \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6284 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
6285 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6286 -s "use CA callback for X.509 CRT verification" \
Andrzej Kurekec71b092022-11-15 10:21:50 -0500[diff] [blame]6287 -c "Supported Signature Algorithm found: 04 " \
6288 -c "Supported Signature Algorithm found: 05 "
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6289
6290requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6291run_test "Authentication, CA callback: client badcert, server required" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]6292 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6293 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
6294 key_file=$DATA_FILES_PATH/server5.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6295 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6296 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6297 -S "skip write certificate request" \
6298 -C "skip parse certificate request" \
6299 -c "got a certificate request" \
6300 -C "skip write certificate" \
6301 -C "skip write certificate verify" \
6302 -S "skip parse certificate verify" \
6303 -s "x509_verify_cert() returned" \
6304 -s "! The certificate is not correctly signed by the trusted CA" \
6305 -s "! mbedtls_ssl_handshake returned" \
6306 -s "send alert level=2 message=48" \
6307 -c "! mbedtls_ssl_handshake returned" \
6308 -s "X509 - Certificate verification failed"
6309# We don't check that the client receives the alert because it might
6310# detect that its write end of the connection is closed and abort
6311# before reading the alert message.
6312
6313requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6314run_test "Authentication, CA callback: client cert not trusted, server required" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]6315 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6316 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-selfsigned.crt \
6317 key_file=$DATA_FILES_PATH/server5.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6318 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6319 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6320 -S "skip write certificate request" \
6321 -C "skip parse certificate request" \
6322 -c "got a certificate request" \
6323 -C "skip write certificate" \
6324 -C "skip write certificate verify" \
6325 -S "skip parse certificate verify" \
6326 -s "x509_verify_cert() returned" \
6327 -s "! The certificate is not correctly signed by the trusted CA" \
6328 -s "! mbedtls_ssl_handshake returned" \
6329 -c "! mbedtls_ssl_handshake returned" \
6330 -s "X509 - Certificate verification failed"
6331
6332requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6333run_test "Authentication, CA callback: client badcert, server optional" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]6334 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6335 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
6336 key_file=$DATA_FILES_PATH/server5.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6337 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6338 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6339 -S "skip write certificate request" \
6340 -C "skip parse certificate request" \
6341 -c "got a certificate request" \
6342 -C "skip write certificate" \
6343 -C "skip write certificate verify" \
6344 -S "skip parse certificate verify" \
6345 -s "x509_verify_cert() returned" \
6346 -s "! The certificate is not correctly signed by the trusted CA" \
6347 -S "! mbedtls_ssl_handshake returned" \
6348 -C "! mbedtls_ssl_handshake returned" \
6349 -S "X509 - Certificate verification failed"
6350
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6351requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6352requires_full_size_output_buffer
6353requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6354run_test "Authentication, CA callback: server max_int chain, client default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6355 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
6356 key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
6357 "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 server_name=CA09 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6358 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6359 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6360 -C "X509 - A fatal error occurred"
6361
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6362requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6363requires_full_size_output_buffer
6364requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6365run_test "Authentication, CA callback: server max_int+1 chain, client default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6366 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6367 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
6368 "$P_CLI force_version=tls12 debug_level=3 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6369 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6370 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6371 -c "X509 - A fatal error occurred"
6372
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6373requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6374requires_full_size_output_buffer
6375requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6376run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6377 "$P_SRV crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6378 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
6379 "$P_CLI force_version=tls12 ca_callback=1 server_name=CA10 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6380 debug_level=3 auth_mode=optional" \
6381 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6382 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6383 -c "X509 - A fatal error occurred"
6384
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6385requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6386requires_full_size_output_buffer
6387requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6388run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6389 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=optional" \
6390 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6391 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6392 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6393 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6394 -s "X509 - A fatal error occurred"
6395
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6396requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6397requires_full_size_output_buffer
6398requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6399run_test "Authentication, CA callback: client max_int+1 chain, server required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6400 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
6401 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c10.pem \
6402 key_file=$DATA_FILES_PATH/dir-maxpath/10.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6403 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6404 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6405 -s "X509 - A fatal error occurred"
6406
Yuto Takano6f657432021-07-02 13:10:41 +0100[diff] [blame]6407requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6408requires_full_size_output_buffer
6409requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
6410run_test "Authentication, CA callback: client max_int chain, server required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6411 "$P_SRV force_version=tls12 ca_callback=1 debug_level=3 ca_file=$DATA_FILES_PATH/dir-maxpath/00.crt auth_mode=required" \
6412 "$P_CLI crt_file=$DATA_FILES_PATH/dir-maxpath/c09.pem \
6413 key_file=$DATA_FILES_PATH/dir-maxpath/09.key" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6414 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]6415 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]6416 -S "X509 - A fatal error occurred"
6417
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]6418# Tests for certificate selection based on SHA version
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]6419
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6420requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]6421run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6422 "$P_SRV force_version=tls12 crt_file=$DATA_FILES_PATH/server5.crt \
6423 key_file=$DATA_FILES_PATH/server5.key \
6424 crt_file2=$DATA_FILES_PATH/server5-sha1.crt \
6425 key_file2=$DATA_FILES_PATH/server5.key" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]6426 "$P_CLI" \
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]6427 0 \
6428 -c "signed using.*ECDSA with SHA256" \
6429 -C "signed using.*ECDSA with SHA1"
6430
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]6431# tests for SNI
6432
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6433requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6434requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6435run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6436 "$P_SRV debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6437 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6438 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6439 0 \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6440 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
6441 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]6442
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6443requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6444requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6445run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6446 "$P_SRV debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6447 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6448 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6449 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6450 0 \
6451 -s "parse ServerName extension" \
6452 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6453 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]6454
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6455requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6456requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6457run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6458 "$P_SRV debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6459 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6460 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6461 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6462 0 \
6463 -s "parse ServerName extension" \
6464 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6465 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]6466
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6467requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6468requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6469run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6470 "$P_SRV debug_level=3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6471 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6472 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6473 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6474 1 \
6475 -s "parse ServerName extension" \
6476 -s "ssl_sni_wrapper() returned" \
6477 -s "mbedtls_ssl_handshake returned" \
6478 -c "mbedtls_ssl_handshake returned" \
6479 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]6480
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6481requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6482run_test "SNI: client auth no override: optional" \
6483 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6484 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6485 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6486 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6487 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6488 -S "skip write certificate request" \
6489 -C "skip parse certificate request" \
6490 -c "got a certificate request" \
6491 -C "skip write certificate" \
6492 -C "skip write certificate verify" \
6493 -S "skip parse certificate verify"
6494
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6495requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6496run_test "SNI: client auth override: none -> optional" \
6497 "$P_SRV debug_level=3 auth_mode=none \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6498 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6499 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6500 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6501 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6502 -S "skip write certificate request" \
6503 -C "skip parse certificate request" \
6504 -c "got a certificate request" \
6505 -C "skip write certificate" \
6506 -C "skip write certificate verify" \
6507 -S "skip parse certificate verify"
6508
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6509requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6510run_test "SNI: client auth override: optional -> none" \
6511 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6512 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6513 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6514 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6515 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6516 -s "skip write certificate request" \
6517 -C "skip parse certificate request" \
6518 -c "got no certificate request" \
XiaokangQian23c5be62022-06-07 02:04:34 +0000[diff] [blame]6519 -c "skip write certificate"
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]6520
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6521requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6522run_test "SNI: CA no override" \
6523 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6524 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6525 ca_file=$DATA_FILES_PATH/test-ca.crt \
6526 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6527 "$P_CLI debug_level=3 server_name=localhost \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6528 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6529 1 \
6530 -S "skip write certificate request" \
6531 -C "skip parse certificate request" \
6532 -c "got a certificate request" \
6533 -C "skip write certificate" \
6534 -C "skip write certificate verify" \
6535 -S "skip parse certificate verify" \
6536 -s "x509_verify_cert() returned" \
6537 -s "! The certificate is not correctly signed by the trusted CA" \
6538 -S "The certificate has been revoked (is on a CRL)"
6539
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6540requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6541run_test "SNI: CA override" \
6542 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6543 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6544 ca_file=$DATA_FILES_PATH/test-ca.crt \
6545 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6546 "$P_CLI debug_level=3 server_name=localhost \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6547 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6548 0 \
6549 -S "skip write certificate request" \
6550 -C "skip parse certificate request" \
6551 -c "got a certificate request" \
6552 -C "skip write certificate" \
6553 -C "skip write certificate verify" \
6554 -S "skip parse certificate verify" \
6555 -S "x509_verify_cert() returned" \
6556 -S "! The certificate is not correctly signed by the trusted CA" \
6557 -S "The certificate has been revoked (is on a CRL)"
6558
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6559requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6560run_test "SNI: CA override with CRL" \
6561 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6562 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6563 ca_file=$DATA_FILES_PATH/test-ca.crt \
6564 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6565 "$P_CLI debug_level=3 server_name=localhost \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6566 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]6567 1 \
6568 -S "skip write certificate request" \
6569 -C "skip parse certificate request" \
6570 -c "got a certificate request" \
6571 -C "skip write certificate" \
6572 -C "skip write certificate verify" \
6573 -S "skip parse certificate verify" \
6574 -s "x509_verify_cert() returned" \
6575 -S "! The certificate is not correctly signed by the trusted CA" \
6576 -s "The certificate has been revoked (is on a CRL)"
6577
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6578# Tests for SNI and DTLS
6579
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6580requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6581requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6582run_test "SNI: DTLS, no SNI callback" \
6583 "$P_SRV debug_level=3 dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6584 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6585 "$P_CLI server_name=localhost dtls=1" \
6586 0 \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6587 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
6588 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
6589
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6590requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6591requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]6592run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6593 "$P_SRV debug_level=3 dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6594 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6595 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6596 "$P_CLI server_name=localhost dtls=1" \
6597 0 \
6598 -s "parse ServerName extension" \
6599 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6600 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
6601
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]6602requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6603requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6604run_test "SNI: DTLS, matching cert 2" \
6605 "$P_SRV debug_level=3 dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6606 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6607 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6608 "$P_CLI server_name=polarssl.example dtls=1" \
6609 0 \
6610 -s "parse ServerName extension" \
6611 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6612 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6613
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6614requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6615run_test "SNI: DTLS, no matching cert" \
6616 "$P_SRV debug_level=3 dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6617 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6618 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6619 "$P_CLI server_name=nonesuch.example dtls=1" \
6620 1 \
6621 -s "parse ServerName extension" \
6622 -s "ssl_sni_wrapper() returned" \
6623 -s "mbedtls_ssl_handshake returned" \
6624 -c "mbedtls_ssl_handshake returned" \
6625 -c "SSL - A fatal alert message was received from our peer"
6626
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6627requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6628run_test "SNI: DTLS, client auth no override: optional" \
6629 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6630 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6631 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6632 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
6633 0 \
6634 -S "skip write certificate request" \
6635 -C "skip parse certificate request" \
6636 -c "got a certificate request" \
6637 -C "skip write certificate" \
6638 -C "skip write certificate verify" \
6639 -S "skip parse certificate verify"
6640
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6641requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6642run_test "SNI: DTLS, client auth override: none -> optional" \
6643 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6644 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6645 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,optional" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6646 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
6647 0 \
6648 -S "skip write certificate request" \
6649 -C "skip parse certificate request" \
6650 -c "got a certificate request" \
6651 -C "skip write certificate" \
6652 -C "skip write certificate verify" \
6653 -S "skip parse certificate verify"
6654
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6655requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6656run_test "SNI: DTLS, client auth override: optional -> none" \
6657 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6658 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6659 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,none" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6660 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
6661 0 \
6662 -s "skip write certificate request" \
6663 -C "skip parse certificate request" \
6664 -c "got no certificate request" \
6665 -c "skip write certificate" \
6666 -c "skip write certificate verify" \
6667 -s "skip parse certificate verify"
6668
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6669requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6670run_test "SNI: DTLS, CA no override" \
6671 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6672 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6673 ca_file=$DATA_FILES_PATH/test-ca.crt \
6674 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,required" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6675 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6676 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]6677 1 \
6678 -S "skip write certificate request" \
6679 -C "skip parse certificate request" \
6680 -c "got a certificate request" \
6681 -C "skip write certificate" \
6682 -C "skip write certificate verify" \
6683 -S "skip parse certificate verify" \
6684 -s "x509_verify_cert() returned" \
6685 -s "! The certificate is not correctly signed by the trusted CA" \
6686 -S "The certificate has been revoked (is on a CRL)"
6687
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6688requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]6689run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6690 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6691 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
6692 ca_file=$DATA_FILES_PATH/test-ca.crt \
6693 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,-,required" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6694 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6695 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6696 0 \
6697 -S "skip write certificate request" \
6698 -C "skip parse certificate request" \
6699 -c "got a certificate request" \
6700 -C "skip write certificate" \
6701 -C "skip write certificate verify" \
6702 -S "skip parse certificate verify" \
6703 -S "x509_verify_cert() returned" \
6704 -S "! The certificate is not correctly signed by the trusted CA" \
6705 -S "The certificate has been revoked (is on a CRL)"
6706
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6707requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]6708run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6709 "$P_SRV debug_level=3 auth_mode=optional \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6710 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key dtls=1 \
6711 ca_file=$DATA_FILES_PATH/test-ca.crt \
6712 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,$DATA_FILES_PATH/test-ca2.crt,$DATA_FILES_PATH/crl-ec-sha256.pem,required" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6713 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]6714 crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]6715 1 \
6716 -S "skip write certificate request" \
6717 -C "skip parse certificate request" \
6718 -c "got a certificate request" \
6719 -C "skip write certificate" \
6720 -C "skip write certificate verify" \
6721 -S "skip parse certificate verify" \
6722 -s "x509_verify_cert() returned" \
6723 -S "! The certificate is not correctly signed by the trusted CA" \
6724 -s "The certificate has been revoked (is on a CRL)"
6725
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6726# Tests for non-blocking I/O: exercise a variety of handshake flows
6727
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6728requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6729run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6730 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
6731 "$P_CLI nbio=2 tickets=0" \
6732 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6733 -S "mbedtls_ssl_handshake returned" \
6734 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6735 -c "Read from server: .* bytes read"
6736
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6737requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6738run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6739 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
6740 "$P_CLI nbio=2 tickets=0" \
6741 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6742 -S "mbedtls_ssl_handshake returned" \
6743 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6744 -c "Read from server: .* bytes read"
6745
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6746requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6747requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6748run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6749 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
6750 "$P_CLI nbio=2 tickets=1" \
6751 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6752 -S "mbedtls_ssl_handshake returned" \
6753 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6754 -c "Read from server: .* bytes read"
6755
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6756requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6757requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6758run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6759 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
6760 "$P_CLI nbio=2 tickets=1" \
6761 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6762 -S "mbedtls_ssl_handshake returned" \
6763 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6764 -c "Read from server: .* bytes read"
6765
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6766requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6767requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6768run_test "Non-blocking I/O: TLS 1.2 + ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6769 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6770 "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6771 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6772 -S "mbedtls_ssl_handshake returned" \
6773 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6774 -c "Read from server: .* bytes read"
6775
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6776requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
6777requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
6778requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6779requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6780run_test "Non-blocking I/O: TLS 1.3 + ticket + client auth + resume" \
6781 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]6782 "$P_CLI nbio=2 tickets=1 reconnect=1" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6783 0 \
6784 -S "mbedtls_ssl_handshake returned" \
6785 -C "mbedtls_ssl_handshake returned" \
6786 -c "Read from server: .* bytes read"
6787
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6788requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6789requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6790run_test "Non-blocking I/O: TLS 1.2 + ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6791 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6792 "$P_CLI force_version=tls12 nbio=2 tickets=1 reconnect=1" \
6793 0 \
6794 -S "mbedtls_ssl_handshake returned" \
6795 -C "mbedtls_ssl_handshake returned" \
6796 -c "Read from server: .* bytes read"
6797
6798requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
6799requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
6800requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6801requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6802run_test "Non-blocking I/O: TLS 1.3 + ticket + resume" \
6803 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]6804 "$P_CLI nbio=2 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6805 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6806 -S "mbedtls_ssl_handshake returned" \
6807 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6808 -c "Read from server: .* bytes read"
6809
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6810requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6811run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6812 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6813 "$P_CLI force_version=tls12 nbio=2 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6814 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6815 -S "mbedtls_ssl_handshake returned" \
6816 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]6817 -c "Read from server: .* bytes read"
6818
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6819# Tests for event-driven I/O: exercise a variety of handshake flows
6820
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6821requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6822run_test "Event-driven I/O: basic handshake" \
6823 "$P_SRV event=1 tickets=0 auth_mode=none" \
6824 "$P_CLI event=1 tickets=0" \
6825 0 \
6826 -S "mbedtls_ssl_handshake returned" \
6827 -C "mbedtls_ssl_handshake returned" \
6828 -c "Read from server: .* bytes read"
6829
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]6830requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6831run_test "Event-driven I/O: client auth" \
6832 "$P_SRV event=1 tickets=0 auth_mode=required" \
6833 "$P_CLI event=1 tickets=0" \
6834 0 \
6835 -S "mbedtls_ssl_handshake returned" \
6836 -C "mbedtls_ssl_handshake returned" \
6837 -c "Read from server: .* bytes read"
6838
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6839requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6840requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6841run_test "Event-driven I/O: ticket" \
6842 "$P_SRV event=1 tickets=1 auth_mode=none" \
6843 "$P_CLI event=1 tickets=1" \
6844 0 \
6845 -S "mbedtls_ssl_handshake returned" \
6846 -C "mbedtls_ssl_handshake returned" \
6847 -c "Read from server: .* bytes read"
6848
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6849requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6850requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6851run_test "Event-driven I/O: ticket + client auth" \
6852 "$P_SRV event=1 tickets=1 auth_mode=required" \
6853 "$P_CLI event=1 tickets=1" \
6854 0 \
6855 -S "mbedtls_ssl_handshake returned" \
6856 -C "mbedtls_ssl_handshake returned" \
6857 -c "Read from server: .* bytes read"
6858
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6859requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6860requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6861run_test "Event-driven I/O: TLS 1.2 + ticket + client auth + resume" \
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6862 "$P_SRV event=1 tickets=1 auth_mode=required" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6863 "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6864 0 \
6865 -S "mbedtls_ssl_handshake returned" \
6866 -C "mbedtls_ssl_handshake returned" \
6867 -c "Read from server: .* bytes read"
6868
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6869requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
6870requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
6871requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6872requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6873run_test "Event-driven I/O: TLS 1.3 + ticket + client auth + resume" \
6874 "$P_SRV event=1 tickets=1 auth_mode=required" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]6875 "$P_CLI event=1 tickets=1 reconnect=1" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6876 0 \
6877 -S "mbedtls_ssl_handshake returned" \
6878 -C "mbedtls_ssl_handshake returned" \
6879 -c "Read from server: .* bytes read"
6880
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6881requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6882requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6883run_test "Event-driven I/O: TLS 1.2 + ticket + resume" \
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6884 "$P_SRV event=1 tickets=1 auth_mode=none" \
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6885 "$P_CLI force_version=tls12 event=1 tickets=1 reconnect=1" \
6886 0 \
6887 -S "mbedtls_ssl_handshake returned" \
6888 -C "mbedtls_ssl_handshake returned" \
6889 -c "Read from server: .* bytes read"
6890
6891requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
6892requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
6893requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6894requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]6895run_test "Event-driven I/O: TLS 1.3 + ticket + resume" \
6896 "$P_SRV event=1 tickets=1 auth_mode=none" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]6897 "$P_CLI event=1 tickets=1 reconnect=1" \
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6898 0 \
6899 -S "mbedtls_ssl_handshake returned" \
6900 -C "mbedtls_ssl_handshake returned" \
6901 -c "Read from server: .* bytes read"
6902
Ronald Cron5de538c2022-10-20 14:47:56 +0200[diff] [blame]6903requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6904run_test "Event-driven I/O: session-id resume" \
6905 "$P_SRV event=1 tickets=0 auth_mode=none" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]6906 "$P_CLI force_version=tls12 event=1 tickets=0 reconnect=1" \
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]6907 0 \
6908 -S "mbedtls_ssl_handshake returned" \
6909 -C "mbedtls_ssl_handshake returned" \
6910 -c "Read from server: .* bytes read"
6911
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6912requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6913run_test "Event-driven I/O, DTLS: basic handshake" \
6914 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
6915 "$P_CLI dtls=1 event=1 tickets=0" \
6916 0 \
6917 -c "Read from server: .* bytes read"
6918
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6919requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6920run_test "Event-driven I/O, DTLS: client auth" \
6921 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
6922 "$P_CLI dtls=1 event=1 tickets=0" \
6923 0 \
6924 -c "Read from server: .* bytes read"
6925
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6926requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6927requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6928run_test "Event-driven I/O, DTLS: ticket" \
6929 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
6930 "$P_CLI dtls=1 event=1 tickets=1" \
6931 0 \
6932 -c "Read from server: .* bytes read"
6933
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6934requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6935requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6936run_test "Event-driven I/O, DTLS: ticket + client auth" \
6937 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
6938 "$P_CLI dtls=1 event=1 tickets=1" \
6939 0 \
6940 -c "Read from server: .* bytes read"
6941
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6942requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6943requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6944run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
6945 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]6946 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6947 0 \
6948 -c "Read from server: .* bytes read"
6949
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6950requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]6951requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6952run_test "Event-driven I/O, DTLS: ticket + resume" \
6953 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]6954 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6955 0 \
6956 -c "Read from server: .* bytes read"
6957
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6958requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6959run_test "Event-driven I/O, DTLS: session-id resume" \
6960 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]6961 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]6962 0 \
6963 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]6964
6965# This test demonstrates the need for the mbedtls_ssl_check_pending function.
6966# During session resumption, the client will send its ApplicationData record
6967# within the same datagram as the Finished messages. In this situation, the
6968# server MUST NOT idle on the underlying transport after handshake completion,
6969# because the ApplicationData request has already been queued internally.
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]6970requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]6971run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]6972 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]6973 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]6974 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]6975 0 \
6976 -c "Read from server: .* bytes read"
6977
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]6978# Tests for version negotiation. Some information to ease the understanding
6979# of the version negotiation test titles below:
6980# . 1.2/1.3 means that only TLS 1.2/TLS 1.3 is enabled.
6981# . 1.2+1.3 means that both TLS 1.2 and TLS 1.3 are enabled.
6982# . 1.2+(1.3)/(1.2)+1.3 means that TLS 1.2/1.3 is enabled and that
6983# TLS 1.3/1.2 may be enabled or not.
6984# . max=1.2 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
6985# TLS 1.3 is disabled at runtime (maximum negotiable version is TLS 1.2).
6986# . min=1.3 means that both TLS 1.2 and TLS 1.3 are enabled at build time but
6987# TLS 1.2 is disabled at runtime (minimum negotiable version is TLS 1.3).
6988
Ronald Cronfe18d8d2024-03-06 15:19:55 +0100[diff] [blame]6989# Tests for version negotiation, MbedTLS client and server
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]6990
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]6991requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C
6992requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
6993requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]6994run_test "Version nego m->m: cli 1.2, srv 1.2 -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]6995 "$P_SRV" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]6996 "$P_CLI" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]6997 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6998 -S "mbedtls_ssl_handshake returned" \
6999 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]7000 -s "Protocol is TLSv1.2" \
7001 -c "Protocol is TLSv1.2"
7002
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7003requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7004 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7005requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7006run_test "Version nego m->m: cli max=1.2, srv max=1.2 -> 1.2" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7007 "$P_SRV max_version=tls12" \
7008 "$P_CLI max_version=tls12" \
7009 0 \
7010 -S "mbedtls_ssl_handshake returned" \
7011 -C "mbedtls_ssl_handshake returned" \
7012 -s "Protocol is TLSv1.2" \
7013 -c "Protocol is TLSv1.2"
7014
7015requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7016 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
7017requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7018run_test "Version nego m->m: cli 1.3, srv 1.3 -> 1.3" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7019 "$P_SRV" \
7020 "$P_CLI" \
7021 0 \
7022 -S "mbedtls_ssl_handshake returned" \
7023 -C "mbedtls_ssl_handshake returned" \
7024 -s "Protocol is TLSv1.3" \
7025 -c "Protocol is TLSv1.3"
7026
Ronald Crondcfd00c2024-03-06 15:58:50 +0100[diff] [blame]7027requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7028 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7029 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7030run_test "Version nego m->m: cli min=1.3, srv min=1.3 -> 1.3" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7031 "$P_SRV min_version=tls13" \
7032 "$P_CLI min_version=tls13" \
7033 0 \
7034 -S "mbedtls_ssl_handshake returned" \
7035 -C "mbedtls_ssl_handshake returned" \
7036 -s "Protocol is TLSv1.3" \
7037 -c "Protocol is TLSv1.3"
7038
7039requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7040 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7041 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7042run_test "Version nego m->m: cli 1.2+1.3, srv 1.2+1.3 -> 1.3" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7043 "$P_SRV" \
7044 "$P_CLI" \
7045 0 \
7046 -S "mbedtls_ssl_handshake returned" \
7047 -C "mbedtls_ssl_handshake returned" \
7048 -s "Protocol is TLSv1.3" \
7049 -c "Protocol is TLSv1.3"
7050
7051requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7052 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7053 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7054run_test "Version nego m->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7055 "$P_SRV min_version=tls13" \
7056 "$P_CLI" \
7057 0 \
7058 -S "mbedtls_ssl_handshake returned" \
7059 -C "mbedtls_ssl_handshake returned" \
7060 -s "Protocol is TLSv1.3" \
7061 -c "Protocol is TLSv1.3"
7062
7063requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7064 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7065requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7066run_test "Version nego m->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7067 "$P_SRV max_version=tls12" \
7068 "$P_CLI" \
7069 0 \
7070 -S "mbedtls_ssl_handshake returned" \
7071 -C "mbedtls_ssl_handshake returned" \
7072 -s "Protocol is TLSv1.2" \
7073 -c "Protocol is TLSv1.2"
7074
7075requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7076 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7077requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7078run_test "Version nego m->m: cli max=1.2, srv 1.2+1.3 -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]7079 "$P_SRV" \
Ronald Crondcfd00c2024-03-06 15:58:50 +0100[diff] [blame]7080 "$P_CLI max_version=tls12" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]7081 0 \
7082 -S "mbedtls_ssl_handshake returned" \
7083 -C "mbedtls_ssl_handshake returned" \
7084 -s "Protocol is TLSv1.2" \
7085 -c "Protocol is TLSv1.2"
7086
Ronald Crondcfd00c2024-03-06 15:58:50 +0100[diff] [blame]7087requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7088 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7089 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7090run_test "Version nego m->m: cli min=1.3, srv 1.2+1.3 -> 1.3" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7091 "$P_SRV" \
7092 "$P_CLI min_version=tls13" \
7093 0 \
7094 -S "mbedtls_ssl_handshake returned" \
7095 -C "mbedtls_ssl_handshake returned" \
7096 -s "Protocol is TLSv1.3" \
7097 -c "Protocol is TLSv1.3"
7098
7099requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7100 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7101run_test "Not supported version m->m: cli max=1.2, srv min=1.3" \
Ronald Crondcfd00c2024-03-06 15:58:50 +0100[diff] [blame]7102 "$P_SRV min_version=tls13" \
7103 "$P_CLI max_version=tls12" \
7104 1 \
7105 -s "Handshake protocol not within min/max boundaries" \
7106 -S "Protocol is TLSv1.2" \
7107 -C "Protocol is TLSv1.2" \
7108 -S "Protocol is TLSv1.3" \
7109 -C "Protocol is TLSv1.3"
Ronald Cronfe18d8d2024-03-06 15:19:55 +0100[diff] [blame]7110
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7111requires_all_configs_enabled MBEDTLS_SSL_CLI_C MBEDTLS_SSL_SRV_C \
7112 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7113run_test "Not supported version m->m: cli min=1.3, srv max=1.2" \
Ronald Cron114c5f02024-03-06 15:24:41 +0100[diff] [blame]7114 "$P_SRV max_version=tls12" \
7115 "$P_CLI min_version=tls13" \
7116 1 \
7117 -s "The handshake negotiation failed" \
7118 -S "Protocol is TLSv1.2" \
7119 -C "Protocol is TLSv1.2" \
7120 -S "Protocol is TLSv1.3" \
7121 -C "Protocol is TLSv1.3"
7122
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7123# Tests of version negotiation on server side against GnuTLS client
7124
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7125requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7126requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7127run_test "Server version nego G->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7128 "$P_SRV" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7129 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7130 0 \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7131 -S "mbedtls_ssl_handshake returned" \
7132 -s "Protocol is TLSv1.2"
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7133
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7134requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7135 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7136requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7137run_test "Server version nego G->m: cli 1.2, srv max=1.2 -> 1.2" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7138 "$P_SRV max_version=tls12" \
7139 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
7140 0 \
7141 -S "mbedtls_ssl_handshake returned" \
7142 -s "Protocol is TLSv1.2"
7143
7144requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7145 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7146 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7147run_test "Server version nego G->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7148 "$P_SRV" \
7149 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
7150 0 \
7151 -S "mbedtls_ssl_handshake returned" \
7152 -s "Protocol is TLSv1.3"
7153
7154requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7155 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7156 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7157 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7158run_test "Server version nego G->m: cli 1.3, srv min=1.3 -> 1.3" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7159 "$P_SRV min_version=tls13" \
7160 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
7161 0 \
7162 -S "mbedtls_ssl_handshake returned" \
7163 -s "Protocol is TLSv1.3"
7164
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7165requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7166 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7167 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7168run_test "Server version nego G->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7169 "$P_SRV" \
7170 "$G_NEXT_CLI localhost --priority=NORMAL" \
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7171 0 \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7172 -S "mbedtls_ssl_handshake returned" \
7173 -s "Protocol is TLSv1.3"
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7174
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7175requires_gnutls_next_disable_tls13_compat
7176requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7177 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7178run_test "Server version nego G->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7179 "$P_SRV" \
7180 "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7181 0 \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7182 -S "mbedtls_ssl_handshake returned" \
7183 -s "Protocol is TLSv1.3"
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7184
7185# GnuTLS can be setup to send a ClientHello containing a supported versions
7186# extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
7187# a TLS 1.3 and TLS 1.2 capable server is supposed to negotiate TLS 1.2 and
7188# to indicate in the ServerHello that it downgrades from TLS 1.3. The GnuTLS
7189# client then detects the downgrade indication and aborts the handshake even
7190# if TLS 1.2 was its preferred version. Keeping the test even if the
7191# handshake fails eventually as it exercices parts of the Mbed TLS
7192# implementation that are otherwise not exercised.
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7193requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7194 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7195 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7196run_test "Server version nego G->m: cli 1.2+1.3 (1.2 preferred!), srv 1.2+1.3 -> 1.2" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7197 "$P_SRV" \
Ronald Croncd1370e2024-03-12 16:07:48 +0100[diff] [blame]7198 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
7199 1 \
7200 -c "Detected downgrade to TLS 1.2 from TLS 1.3"
7201
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7202requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7203 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7204 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7205 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7206run_test "Server version nego G->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7207 "$P_SRV min_version=tls13" \
7208 "$G_NEXT_CLI localhost --priority=NORMAL" \
7209 0 \
7210 -S "mbedtls_ssl_handshake returned" \
7211 -s "Protocol is TLSv1.3"
7212
7213requires_config_enabled MBEDTLS_SSL_SRV_C
7214requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
7215requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7216run_test "Server version nego G->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7217 "$P_SRV" \
7218 "$G_NEXT_CLI localhost --priority=NORMAL" \
7219 0 \
7220 -S "mbedtls_ssl_handshake returned" \
7221 -s "Protocol is TLSv1.2"
7222
7223requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7224 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7225requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7226run_test "Server version nego G->m: cli 1.2+1.3, max=1.2 -> 1.2" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7227 "$P_SRV max_version=tls12" \
7228 "$G_NEXT_CLI localhost --priority=NORMAL" \
7229 0 \
7230 -S "mbedtls_ssl_handshake returned" \
7231 -s "Protocol is TLSv1.2"
7232
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7233requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7234run_test "Not supported version G->m: cli 1.0, (1.2)+(1.3)" \
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7235 "$P_SRV" \
7236 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \
7237 1 \
7238 -s "Handshake protocol not within min/max boundaries" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7239 -S "Protocol is TLSv1.0"
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7240
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7241requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7242run_test "Not supported version G->m: cli 1.1, (1.2)+(1.3)" \
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7243 "$P_SRV" \
7244 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \
7245 1 \
7246 -s "Handshake protocol not within min/max boundaries" \
Ronald Cron98bdcc42024-03-06 15:00:42 +0100[diff] [blame]7247 -S "Protocol is TLSv1.1"
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7248
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7249requires_config_enabled MBEDTLS_SSL_SRV_C
7250requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7251run_test "Not supported version G->m: cli 1.2, srv 1.3" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7252 "$P_SRV" \
7253 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
7254 1 \
7255 -s "Handshake protocol not within min/max boundaries" \
7256 -S "Protocol is TLSv1.2"
7257
7258requires_config_enabled MBEDTLS_SSL_SRV_C
7259requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7260run_test "Not supported version G->m: cli 1.3, srv 1.2" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7261 "$P_SRV" \
7262 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
7263 1 \
7264 -S "Handshake protocol not within min/max boundaries" \
7265 -s "The handshake negotiation failed" \
7266 -S "Protocol is TLSv1.3"
7267
7268requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7269 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7270run_test "Not supported version G->m: cli 1.2, srv min=1.3" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7271 "$P_SRV min_version=tls13" \
7272 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
7273 1 \
7274 -s "Handshake protocol not within min/max boundaries" \
7275 -S "Protocol is TLSv1.2"
7276
7277requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7278 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7279run_test "Not supported version G->m: cli 1.3, srv max=1.2" \
Ronald Crondfad4932024-03-06 15:05:14 +0100[diff] [blame]7280 "$P_SRV max_version=tls12" \
7281 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
7282 1 \
7283 -S "Handshake protocol not within min/max boundaries" \
7284 -s "The handshake negotiation failed" \
7285 -S "Protocol is TLSv1.3"
7286
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7287# Tests of version negotiation on server side against OpenSSL client
7288
7289requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_2
7290requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7291run_test "Server version nego O->m: cli 1.2, srv 1.2+(1.3) -> 1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7292 "$P_SRV" \
7293 "$O_NEXT_CLI -tls1_2" \
7294 0 \
7295 -S "mbedtls_ssl_handshake returned" \
7296 -s "Protocol is TLSv1.2"
7297
7298requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7299 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7300requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7301run_test "Server version nego O->m: cli 1.2, srv max=1.2 -> 1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7302 "$P_SRV max_version=tls12" \
7303 "$O_NEXT_CLI -tls1_2" \
7304 0 \
7305 -S "mbedtls_ssl_handshake returned" \
7306 -s "Protocol is TLSv1.2"
7307
7308requires_openssl_tls1_3_with_compatible_ephemeral
7309requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7310 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7311 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7312run_test "Server version nego O->m: cli 1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7313 "$P_SRV" \
7314 "$O_NEXT_CLI -tls1_3" \
7315 0 \
7316 -S "mbedtls_ssl_handshake returned" \
7317 -s "Protocol is TLSv1.3"
7318
7319requires_openssl_tls1_3_with_compatible_ephemeral
7320requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7321 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7322 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7323 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7324run_test "Server version nego O->m: cli 1.3, srv min=1.3 -> 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7325 "$P_SRV min_version=tls13" \
7326 "$O_NEXT_CLI -tls1_3" \
7327 0 \
7328 -S "mbedtls_ssl_handshake returned" \
7329 -s "Protocol is TLSv1.3"
7330
7331requires_openssl_tls1_3_with_compatible_ephemeral
7332requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7333 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7334 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7335run_test "Server version nego O->m: cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7336 "$P_SRV" \
7337 "$O_NEXT_CLI" \
7338 0 \
7339 -S "mbedtls_ssl_handshake returned" \
7340 -s "Protocol is TLSv1.3"
7341
7342requires_openssl_tls1_3_with_compatible_ephemeral
7343requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
7344 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7345run_test "Server version nego O->m (no compat): cli 1.2+1.3, srv (1.2)+1.3 -> 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7346 "$P_SRV" \
7347 "$O_NEXT_CLI -no_middlebox" \
7348 0 \
7349 -S "mbedtls_ssl_handshake returned" \
7350 -s "Protocol is TLSv1.3"
7351
7352requires_openssl_tls1_3_with_compatible_ephemeral
7353requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7354 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
7355 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
7356 MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7357run_test "Server version nego O->m: cli 1.2+1.3, srv min=1.3 -> 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7358 "$P_SRV min_version=tls13" \
7359 "$O_NEXT_CLI" \
7360 0 \
7361 -S "mbedtls_ssl_handshake returned" \
7362 -s "Protocol is TLSv1.3"
7363
7364requires_config_enabled MBEDTLS_SSL_SRV_C
7365requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
7366requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7367run_test "Server version nego O->m: cli 1.2+1.3, srv 1.2 -> 1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7368 "$P_SRV" \
7369 "$O_NEXT_CLI" \
7370 0 \
7371 -S "mbedtls_ssl_handshake returned" \
7372 -s "Protocol is TLSv1.2"
7373
7374requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7375 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
7376requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7377run_test "Server version nego O->m: cli 1.2+1.3, srv max=1.2 -> 1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7378 "$P_SRV max_version=tls12" \
7379 "$O_NEXT_CLI" \
7380 0 \
7381 -S "mbedtls_ssl_handshake returned" \
7382 -s "Protocol is TLSv1.2"
7383
7384requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7385run_test "Not supported version O->m: cli 1.0, srv (1.2)+(1.3)" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7386 "$P_SRV" \
7387 "$O_CLI -tls1" \
7388 1 \
7389 -s "Handshake protocol not within min/max boundaries" \
7390 -S "Protocol is TLSv1.0"
7391
7392requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7393run_test "Not supported version O->m: cli 1.1, srv (1.2)+(1.3)" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7394 "$P_SRV" \
7395 "$O_CLI -tls1_1" \
7396 1 \
7397 -s "Handshake protocol not within min/max boundaries" \
7398 -S "Protocol is TLSv1.1"
7399
7400requires_config_enabled MBEDTLS_SSL_SRV_C
7401requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7402run_test "Not supported version O->m: cli 1.2, srv 1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7403 "$P_SRV" \
7404 "$O_NEXT_CLI -tls1_2" \
7405 1 \
7406 -s "Handshake protocol not within min/max boundaries" \
7407 -S "Protocol is TLSv1.2"
7408
7409requires_config_enabled MBEDTLS_SSL_SRV_C
7410requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7411run_test "Not supported version O->m: cli 1.3, srv 1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7412 "$P_SRV" \
7413 "$O_NEXT_CLI -tls1_3" \
7414 1 \
7415 -S "Handshake protocol not within min/max boundaries" \
7416 -s "The handshake negotiation failed" \
7417 -S "Protocol is TLSv1.3"
7418
7419requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7420 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7421run_test "Not supported version O->m: cli 1.2, srv min=1.3" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7422 "$P_SRV min_version=tls13" \
7423 "$O_NEXT_CLI -tls1_2" \
7424 1 \
7425 -s "Handshake protocol not within min/max boundaries" \
7426 -S "Protocol is TLSv1.2"
7427
7428requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
7429 MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7430run_test "Not supported version O->m: cli 1.3, srv max=1.2" \
Ronald Cron10797e32024-03-07 08:27:24 +0100[diff] [blame]7431 "$P_SRV max_version=tls12" \
7432 "$O_NEXT_CLI -tls1_3" \
7433 1 \
7434 -S "Handshake protocol not within min/max boundaries" \
7435 -s "The handshake negotiation failed" \
7436 -S "Protocol is TLSv1.3"
7437
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7438# Tests of version negotiation on client side against GnuTLS and OpenSSL server
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7439
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7440requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7441run_test "Not supported version: srv max TLS 1.0" \
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7442 "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \
7443 "$P_CLI" \
7444 1 \
7445 -s "Error in protocol version" \
7446 -c "Handshake protocol not within min/max boundaries" \
7447 -S "Version: TLS1.0" \
7448 -C "Protocol is TLSv1.0"
7449
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7450requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7451run_test "Not supported version: srv max TLS 1.1" \
TRodziewicz2abf03c2021-06-25 14:40:09 +0200[diff] [blame]7452 "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \
7453 "$P_CLI" \
7454 1 \
7455 -s "Error in protocol version" \
7456 -c "Handshake protocol not within min/max boundaries" \
7457 -S "Version: TLS1.1" \
7458 -C "Protocol is TLSv1.1"
7459
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7460requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7461requires_config_enabled MBEDTLS_DEBUG_C
7462requires_config_enabled MBEDTLS_SSL_CLI_C
7463skip_handshake_stage_check
7464requires_gnutls_tls1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7465run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.0" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7466 "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0 -d 4" \
7467 "$P_CLI debug_level=4" \
7468 1 \
7469 -s "Client's version: 3.3" \
7470 -S "Version: TLS1.0" \
7471 -C "Protocol is TLSv1.0"
7472
7473requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7474requires_config_enabled MBEDTLS_DEBUG_C
7475requires_config_enabled MBEDTLS_SSL_CLI_C
7476skip_handshake_stage_check
7477requires_gnutls_tls1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7478run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.1" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7479 "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1 -d 4" \
7480 "$P_CLI debug_level=4" \
7481 1 \
7482 -s "Client's version: 3.3" \
7483 -S "Version: TLS1.1" \
7484 -C "Protocol is TLSv1.1"
7485
7486requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7487requires_config_enabled MBEDTLS_DEBUG_C
7488requires_config_enabled MBEDTLS_SSL_CLI_C
7489skip_handshake_stage_check
7490requires_gnutls_tls1_3
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7491run_test "TLS 1.3: Not supported version:gnutls: srv max TLS 1.2" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7492 "$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 -d 4" \
7493 "$P_CLI force_version=tls13 debug_level=4" \
7494 1 \
7495 -s "Client's version: 3.3" \
7496 -c "is a fatal alert message (msg 40)" \
7497 -S "Version: TLS1.2" \
7498 -C "Protocol is TLSv1.2"
7499
7500requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7501requires_config_enabled MBEDTLS_DEBUG_C
7502requires_config_enabled MBEDTLS_SSL_CLI_C
7503skip_handshake_stage_check
7504requires_openssl_next
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7505run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.0" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7506 "$O_NEXT_SRV -msg -tls1" \
7507 "$P_CLI debug_level=4" \
7508 1 \
7509 -s "fatal protocol_version" \
7510 -c "is a fatal alert message (msg 70)" \
7511 -S "Version: TLS1.0" \
7512 -C "Protocol : TLSv1.0"
7513
7514requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7515requires_config_enabled MBEDTLS_DEBUG_C
7516requires_config_enabled MBEDTLS_SSL_CLI_C
7517skip_handshake_stage_check
7518requires_openssl_next
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7519run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.1" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7520 "$O_NEXT_SRV -msg -tls1_1" \
7521 "$P_CLI debug_level=4" \
7522 1 \
7523 -s "fatal protocol_version" \
7524 -c "is a fatal alert message (msg 70)" \
7525 -S "Version: TLS1.1" \
7526 -C "Protocol : TLSv1.1"
7527
7528requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
7529requires_config_enabled MBEDTLS_DEBUG_C
7530requires_config_enabled MBEDTLS_SSL_CLI_C
7531skip_handshake_stage_check
7532requires_openssl_next
Ronald Cron35884a42024-03-15 15:43:14 +0100[diff] [blame]7533run_test "TLS 1.3: Not supported version:openssl: srv max TLS 1.2" \
Ronald Crona1e7b6a2024-03-06 15:13:49 +0100[diff] [blame]7534 "$O_NEXT_SRV -msg -tls1_2" \
7535 "$P_CLI force_version=tls13 debug_level=4" \
7536 1 \
7537 -s "fatal protocol_version" \
7538 -c "is a fatal alert message (msg 70)" \
7539 -S "Version: TLS1.2" \
7540 -C "Protocol : TLSv1.2"
7541
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7542# Tests for ALPN extension
7543
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7544requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7545run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7546 "$P_SRV debug_level=3" \
7547 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7548 0 \
7549 -C "client hello, adding alpn extension" \
7550 -S "found alpn extension" \
7551 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7552 -S "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7553 -C "found alpn extension " \
7554 -C "Application Layer Protocol is" \
7555 -S "Application Layer Protocol is"
7556
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7557requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7558run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7559 "$P_SRV debug_level=3" \
7560 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7561 0 \
7562 -c "client hello, adding alpn extension" \
7563 -s "found alpn extension" \
7564 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7565 -S "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7566 -C "found alpn extension " \
7567 -c "Application Layer Protocol is (none)" \
7568 -S "Application Layer Protocol is"
7569
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7570requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7571run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7572 "$P_SRV debug_level=3 alpn=abc,1234" \
7573 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7574 0 \
7575 -C "client hello, adding alpn extension" \
7576 -S "found alpn extension" \
7577 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7578 -S "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7579 -C "found alpn extension " \
7580 -C "Application Layer Protocol is" \
7581 -s "Application Layer Protocol is (none)"
7582
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7583requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7584run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7585 "$P_SRV debug_level=3 alpn=abc,1234" \
7586 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7587 0 \
7588 -c "client hello, adding alpn extension" \
7589 -s "found alpn extension" \
7590 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7591 -s "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7592 -c "found alpn extension" \
7593 -c "Application Layer Protocol is abc" \
7594 -s "Application Layer Protocol is abc"
7595
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7596requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7597run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7598 "$P_SRV debug_level=3 alpn=abc,1234" \
7599 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7600 0 \
7601 -c "client hello, adding alpn extension" \
7602 -s "found alpn extension" \
7603 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7604 -s "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7605 -c "found alpn extension" \
7606 -c "Application Layer Protocol is abc" \
7607 -s "Application Layer Protocol is abc"
7608
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7609requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7610run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7611 "$P_SRV debug_level=3 alpn=abc,1234" \
7612 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7613 0 \
7614 -c "client hello, adding alpn extension" \
7615 -s "found alpn extension" \
7616 -C "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7617 -s "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7618 -c "found alpn extension" \
7619 -c "Application Layer Protocol is 1234" \
7620 -s "Application Layer Protocol is 1234"
7621
Ronald Cronbc5adf42022-10-04 11:06:14 +0200[diff] [blame]7622requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7623run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7624 "$P_SRV debug_level=3 alpn=abc,123" \
7625 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7626 1 \
7627 -c "client hello, adding alpn extension" \
7628 -s "found alpn extension" \
7629 -c "got an alert message, type: \\[2:120]" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]7630 -S "server side, adding alpn extension" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]7631 -C "found alpn extension" \
7632 -C "Application Layer Protocol is 1234" \
7633 -S "Application Layer Protocol is 1234"
7634
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]7635
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7636# Tests for keyUsage in leaf certificates, part 1:
7637# server-side certificate/suite selection
7638
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7639run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7640 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
7641 crt_file=$DATA_FILES_PATH/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7642 "$P_CLI" \
7643 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]7644 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7645
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7646run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7647 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
7648 crt_file=$DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7649 "$P_CLI" \
7650 0 \
7651 -c "Ciphersuite is TLS-RSA-WITH-"
7652
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7653run_test "keyUsage srv: RSA, keyAgreement -> fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7654 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server2.key \
7655 crt_file=$DATA_FILES_PATH/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]7656 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7657 1 \
7658 -C "Ciphersuite is "
7659
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]7660requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7661run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7662 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
7663 crt_file=$DATA_FILES_PATH/server5.ku-ds.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7664 "$P_CLI" \
7665 0 \
7666 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
7667
7668
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7669run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7670 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
7671 crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7672 "$P_CLI" \
7673 0 \
7674 -c "Ciphersuite is TLS-ECDH-"
7675
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7676run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7677 "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
7678 crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]7679 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7680 1 \
7681 -C "Ciphersuite is "
7682
7683# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7684# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7685
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7686run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7687 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7688 -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7689 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7690 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7691 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7692 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7693 -C "Processing of the Certificate handshake message failed" \
7694 -c "Ciphersuite is TLS-"
7695
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7696run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7697 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7698 -cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7699 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7700 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
7701 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7702 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7703 -C "Processing of the Certificate handshake message failed" \
7704 -c "Ciphersuite is TLS-"
7705
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7706run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7707 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7708 -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7709 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7710 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7711 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7712 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7713 -C "Processing of the Certificate handshake message failed" \
7714 -c "Ciphersuite is TLS-"
7715
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7716run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7717 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7718 -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7719 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7720 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
7721 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7722 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7723 -c "Processing of the Certificate handshake message failed" \
7724 -C "Ciphersuite is TLS-"
7725
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]7726run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7727 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7728 -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]7729 "$P_CLI debug_level=1 auth_mode=optional \
7730 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
7731 0 \
7732 -c "bad certificate (usage extensions)" \
7733 -C "Processing of the Certificate handshake message failed" \
7734 -c "Ciphersuite is TLS-" \
7735 -c "! Usage does not match the keyUsage extension"
7736
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7737run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7738 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7739 -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7740 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7741 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
7742 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7743 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7744 -C "Processing of the Certificate handshake message failed" \
7745 -c "Ciphersuite is TLS-"
7746
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7747run_test "keyUsage cli: DigitalSignature, RSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7748 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7749 -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7750 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7751 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7752 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7753 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]7754 -c "Processing of the Certificate handshake message failed" \
7755 -C "Ciphersuite is TLS-"
7756
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]7757run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7758 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
7759 -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]7760 "$P_CLI debug_level=1 auth_mode=optional \
7761 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7762 0 \
7763 -c "bad certificate (usage extensions)" \
7764 -C "Processing of the Certificate handshake message failed" \
7765 -c "Ciphersuite is TLS-" \
7766 -c "! Usage does not match the keyUsage extension"
7767
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7768requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7769requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7770 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7771run_test "keyUsage cli 1.3: DigitalSignature+KeyEncipherment, RSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7772 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
7773 -cert $DATA_FILES_PATH/server2-sha256.ku-ds_ke.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7774 "$P_CLI debug_level=3" \
7775 0 \
7776 -C "bad certificate (usage extensions)" \
7777 -C "Processing of the Certificate handshake message failed" \
7778 -c "Ciphersuite is"
7779
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7780requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7781requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7782 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cronba65fbb2022-06-22 14:35:05 +0200[diff] [blame]7783run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7784 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
7785 -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7786 "$P_CLI debug_level=1" \
7787 1 \
7788 -c "bad certificate (usage extensions)" \
7789 -c "Processing of the Certificate handshake message failed" \
7790 -C "Ciphersuite is"
7791
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7792requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7793requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7794 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cronba65fbb2022-06-22 14:35:05 +0200[diff] [blame]7795run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7796 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server2.key \
7797 -cert $DATA_FILES_PATH/server2-sha256.ku-ka.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7798 "$P_CLI debug_level=1" \
7799 1 \
7800 -c "bad certificate (usage extensions)" \
7801 -c "Processing of the Certificate handshake message failed" \
7802 -C "Ciphersuite is"
7803
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7804requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7805requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7806 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7807run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7808 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
7809 -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7810 "$P_CLI debug_level=3" \
7811 0 \
7812 -C "bad certificate (usage extensions)" \
7813 -C "Processing of the Certificate handshake message failed" \
7814 -c "Ciphersuite is"
7815
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7816requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7817requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7818 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cronba65fbb2022-06-22 14:35:05 +0200[diff] [blame]7819run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7820 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
7821 -cert $DATA_FILES_PATH/server5.ku-ke.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7822 "$P_CLI debug_level=1" \
7823 1 \
7824 -c "bad certificate (usage extensions)" \
7825 -c "Processing of the Certificate handshake message failed" \
7826 -C "Ciphersuite is"
7827
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7828requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7829requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7830 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cronba65fbb2022-06-22 14:35:05 +0200[diff] [blame]7831run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7832 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
7833 -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7834 "$P_CLI debug_level=1" \
7835 1 \
7836 -c "bad certificate (usage extensions)" \
7837 -c "Processing of the Certificate handshake message failed" \
7838 -C "Ciphersuite is"
7839
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7840# Tests for keyUsage in leaf certificates, part 3:
7841# server-side checking of client cert
7842
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7843requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7844run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7845 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7846 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
7847 -cert $DATA_FILES_PATH/server2.ku-ds.crt" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7848 0 \
Ronald Cronf9c13fe2022-06-22 14:35:17 +0200[diff] [blame]7849 -s "Verifying peer X.509 certificate... ok" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7850 -S "bad certificate (usage extensions)" \
7851 -S "Processing of the Certificate handshake message failed"
7852
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7853requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7854run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7855 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7856 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
7857 -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7858 0 \
7859 -s "bad certificate (usage extensions)" \
7860 -S "Processing of the Certificate handshake message failed"
7861
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7862requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7863run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Gilles Peskinee373c942024-04-29 17:44:19 +0200[diff] [blame]7864 "$P_SRV debug_level=1 force_version=tls12 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7865 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server2.key \
7866 -cert $DATA_FILES_PATH/server2.ku-ke.crt" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7867 1 \
7868 -s "bad certificate (usage extensions)" \
7869 -s "Processing of the Certificate handshake message failed"
7870
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7871requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7872run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7873 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7874 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
7875 -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7876 0 \
Ronald Cronf9c13fe2022-06-22 14:35:17 +0200[diff] [blame]7877 -s "Verifying peer X.509 certificate... ok" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7878 -S "bad certificate (usage extensions)" \
7879 -S "Processing of the Certificate handshake message failed"
7880
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7881requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7882run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7883 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7884 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
7885 -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]7886 0 \
7887 -s "bad certificate (usage extensions)" \
7888 -S "Processing of the Certificate handshake message failed"
7889
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7890requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7891requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7892 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7893run_test "keyUsage cli-auth 1.3: RSA, DigitalSignature: OK" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]7894 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7895 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
7896 -cert $DATA_FILES_PATH/server2-sha256.ku-ds.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7897 0 \
Ronald Cronf9c13fe2022-06-22 14:35:17 +0200[diff] [blame]7898 -s "Verifying peer X.509 certificate... ok" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7899 -S "bad certificate (usage extensions)" \
7900 -S "Processing of the Certificate handshake message failed"
7901
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7902requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7903requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7904 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7905run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]7906 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7907 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
7908 -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7909 0 \
7910 -s "bad certificate (usage extensions)" \
7911 -S "Processing of the Certificate handshake message failed"
7912
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7913requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7914requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7915 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7916run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]7917 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7918 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
7919 -cert $DATA_FILES_PATH/server5.ku-ds.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7920 0 \
Ronald Cronf9c13fe2022-06-22 14:35:17 +0200[diff] [blame]7921 -s "Verifying peer X.509 certificate... ok" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7922 -S "bad certificate (usage extensions)" \
7923 -S "Processing of the Certificate handshake message failed"
7924
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]7925requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]7926requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
7927 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7928run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]7929 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7930 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
7931 -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]7932 0 \
7933 -s "bad certificate (usage extensions)" \
7934 -S "Processing of the Certificate handshake message failed"
7935
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7936# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
7937
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]7938requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7939run_test "extKeyUsage srv: serverAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7940 "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
7941 crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7942 "$P_CLI" \
7943 0
7944
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]7945requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7946run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7947 "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
7948 crt_file=$DATA_FILES_PATH/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7949 "$P_CLI" \
7950 0
7951
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]7952requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7953run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7954 "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
7955 crt_file=$DATA_FILES_PATH/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7956 "$P_CLI" \
7957 0
7958
Ronald Cron92dca392023-03-10 16:11:15 +0100[diff] [blame]7959requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7960run_test "extKeyUsage srv: codeSign -> fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7961 "$P_SRV key_file=$DATA_FILES_PATH/server5.key \
7962 crt_file=$DATA_FILES_PATH/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]7963 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7964 1
7965
7966# Tests for extendedKeyUsage, part 2: client-side checking of server cert
7967
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7968requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7969run_test "extKeyUsage cli: serverAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7970 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
7971 -cert $DATA_FILES_PATH/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7972 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7973 0 \
7974 -C "bad certificate (usage extensions)" \
7975 -C "Processing of the Certificate handshake message failed" \
7976 -c "Ciphersuite is TLS-"
7977
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7978requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7979run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7980 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
7981 -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7982 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7983 0 \
7984 -C "bad certificate (usage extensions)" \
7985 -C "Processing of the Certificate handshake message failed" \
7986 -c "Ciphersuite is TLS-"
7987
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7988requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7989run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]7990 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
7991 -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]7992 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]7993 0 \
7994 -C "bad certificate (usage extensions)" \
7995 -C "Processing of the Certificate handshake message failed" \
7996 -c "Ciphersuite is TLS-"
7997
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]7998requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]7999run_test "extKeyUsage cli: codeSign -> fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8000 "$O_SRV -tls1_2 -key $DATA_FILES_PATH/server5.key \
8001 -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]8002 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8003 1 \
8004 -c "bad certificate (usage extensions)" \
8005 -c "Processing of the Certificate handshake message failed" \
8006 -C "Ciphersuite is TLS-"
8007
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8008requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8009requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8010 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8011run_test "extKeyUsage cli 1.3: serverAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8012 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
8013 -cert $DATA_FILES_PATH/server5.eku-srv.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8014 "$P_CLI debug_level=1" \
8015 0 \
8016 -C "bad certificate (usage extensions)" \
8017 -C "Processing of the Certificate handshake message failed" \
8018 -c "Ciphersuite is"
8019
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8020requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8021requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8022 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8023run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8024 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
8025 -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8026 "$P_CLI debug_level=1" \
8027 0 \
8028 -C "bad certificate (usage extensions)" \
8029 -C "Processing of the Certificate handshake message failed" \
8030 -c "Ciphersuite is"
8031
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8032requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8033requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8034 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8035run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8036 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
8037 -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8038 "$P_CLI debug_level=1" \
8039 0 \
8040 -C "bad certificate (usage extensions)" \
8041 -C "Processing of the Certificate handshake message failed" \
8042 -c "Ciphersuite is"
8043
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8044requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8045requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8046 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8047run_test "extKeyUsage cli 1.3: codeSign -> fail" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8048 "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key $DATA_FILES_PATH/server5.key \
8049 -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8050 "$P_CLI debug_level=1" \
8051 1 \
8052 -c "bad certificate (usage extensions)" \
8053 -c "Processing of the Certificate handshake message failed" \
8054 -C "Ciphersuite is"
8055
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8056# Tests for extendedKeyUsage, part 3: server-side checking of client cert
8057
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8058requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8059run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]8060 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8061 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
8062 -cert $DATA_FILES_PATH/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8063 0 \
8064 -S "bad certificate (usage extensions)" \
8065 -S "Processing of the Certificate handshake message failed"
8066
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8067requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8068run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]8069 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8070 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
8071 -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8072 0 \
8073 -S "bad certificate (usage extensions)" \
8074 -S "Processing of the Certificate handshake message failed"
8075
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8076requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8077run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]8078 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8079 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
8080 -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8081 0 \
8082 -S "bad certificate (usage extensions)" \
8083 -S "Processing of the Certificate handshake message failed"
8084
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8085requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8086run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]8087 "$P_SRV debug_level=1 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8088 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
8089 -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8090 0 \
8091 -s "bad certificate (usage extensions)" \
8092 -S "Processing of the Certificate handshake message failed"
8093
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8094requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8095run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Gilles Peskine5194ff82024-05-13 21:17:35 +0200[diff] [blame]8096 "$P_SRV debug_level=1 auth_mode=required" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8097 "$O_CLI -tls1_2 -key $DATA_FILES_PATH/server5.key \
8098 -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]8099 1 \
8100 -s "bad certificate (usage extensions)" \
8101 -s "Processing of the Certificate handshake message failed"
8102
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8103requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8104requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8105 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8106run_test "extKeyUsage cli-auth 1.3: clientAuth -> OK" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]8107 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8108 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
8109 -cert $DATA_FILES_PATH/server5.eku-cli.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8110 0 \
8111 -S "bad certificate (usage extensions)" \
8112 -S "Processing of the Certificate handshake message failed"
8113
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8114requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8115requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8116 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8117run_test "extKeyUsage cli-auth 1.3: serverAuth,clientAuth -> OK" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]8118 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8119 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
8120 -cert $DATA_FILES_PATH/server5.eku-srv_cli.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8121 0 \
8122 -S "bad certificate (usage extensions)" \
8123 -S "Processing of the Certificate handshake message failed"
8124
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8125requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8126requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8127 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8128run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]8129 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8130 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
8131 -cert $DATA_FILES_PATH/server5.eku-cs_any.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8132 0 \
8133 -S "bad certificate (usage extensions)" \
8134 -S "Processing of the Certificate handshake message failed"
8135
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]8136requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]8137requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
8138 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8139run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \
Ronald Cron89ca9772022-10-17 14:56:45 +0200[diff] [blame]8140 "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8141 "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
8142 -cert $DATA_FILES_PATH/server5.eku-cs.crt" \
Ronald Crond28f5a92022-06-16 19:27:25 +0200[diff] [blame]8143 0 \
8144 -s "bad certificate (usage extensions)" \
8145 -S "Processing of the Certificate handshake message failed"
8146
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]8147# Tests for DHM parameters loading
8148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8149run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]8150 "$P_SRV" \
8151 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8152 debug_level=3" \
8153 0 \
8154 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]8155 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]8156
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8157run_test "DHM parameters: other parameters" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8158 "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]8159 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8160 debug_level=3" \
8161 0 \
8162 -c "value of 'DHM: P ' (1024 bits)" \
8163 -c "value of 'DHM: G ' (2 bits)"
8164
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]8165# Tests for DHM client-side size checking
8166
8167run_test "DHM size: server default, client default, OK" \
8168 "$P_SRV" \
8169 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8170 debug_level=1" \
8171 0 \
8172 -C "DHM prime too short:"
8173
8174run_test "DHM size: server default, client 2048, OK" \
8175 "$P_SRV" \
8176 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8177 debug_level=1 dhmlen=2048" \
8178 0 \
8179 -C "DHM prime too short:"
8180
8181run_test "DHM size: server 1024, client default, OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8182 "$P_SRV dhm_file=$DATA_FILES_PATH/dhparams.pem" \
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]8183 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8184 debug_level=1" \
8185 0 \
8186 -C "DHM prime too short:"
8187
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8188run_test "DHM size: server 999, client 999, OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8189 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8190 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8191 debug_level=1 dhmlen=999" \
8192 0 \
8193 -C "DHM prime too short:"
8194
8195run_test "DHM size: server 1000, client 1000, OK" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8196 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8197 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8198 debug_level=1 dhmlen=1000" \
8199 0 \
8200 -C "DHM prime too short:"
8201
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]8202run_test "DHM size: server 1000, client default, rejected" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8203 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]8204 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8205 debug_level=1" \
8206 1 \
8207 -c "DHM prime too short:"
8208
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8209run_test "DHM size: server 1000, client 1001, rejected" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8210 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.1000.pem" \
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8211 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8212 debug_level=1 dhmlen=1001" \
8213 1 \
8214 -c "DHM prime too short:"
8215
8216run_test "DHM size: server 999, client 1000, rejected" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8217 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.999.pem" \
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8218 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8219 debug_level=1 dhmlen=1000" \
8220 1 \
8221 -c "DHM prime too short:"
8222
8223run_test "DHM size: server 998, client 999, rejected" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]8224 "$P_SRV dhm_file=$DATA_FILES_PATH/dh.998.pem" \
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]8225 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8226 debug_level=1 dhmlen=999" \
8227 1 \
8228 -c "DHM prime too short:"
8229
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]8230run_test "DHM size: server default, client 2049, rejected" \
8231 "$P_SRV" \
8232 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
8233 debug_level=1 dhmlen=2049" \
8234 1 \
8235 -c "DHM prime too short:"
8236
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8237# Tests for PSK callback
8238
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8239run_test "PSK callback: psk, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8240 "$P_SRV psk=73776f726466697368 psk_identity=foo" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8241 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8242 psk_identity=foo psk=73776f726466697368" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8243 0 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8244 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]8245 -S "SSL - Unknown identity received" \
8246 -S "SSL - Verification of the message MAC failed"
8247
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8248requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8249run_test "PSK callback: opaque psk on client, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8250 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8251 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8252 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8253 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8254 -C "session hash for extended master secret"\
8255 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8256 -S "SSL - The handshake negotiation failed" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8257 -S "SSL - Unknown identity received" \
8258 -S "SSL - Verification of the message MAC failed"
8259
8260requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8261run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8262 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8263 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8264 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8265 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8266 -C "session hash for extended master secret"\
8267 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8268 -S "SSL - The handshake negotiation failed" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8269 -S "SSL - Unknown identity received" \
8270 -S "SSL - Verification of the message MAC failed"
8271
8272requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8273run_test "PSK callback: opaque psk on client, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8274 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8275 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8276 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8277 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8278 -c "session hash for extended master secret"\
8279 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8280 -S "SSL - The handshake negotiation failed" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8281 -S "SSL - Unknown identity received" \
8282 -S "SSL - Verification of the message MAC failed"
8283
8284requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8285run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8286 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8287 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8288 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8289 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8290 -c "session hash for extended master secret"\
8291 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8292 -S "SSL - The handshake negotiation failed" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]8293 -S "SSL - Unknown identity received" \
8294 -S "SSL - Verification of the message MAC failed"
8295
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8296requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8297run_test "PSK callback: opaque rsa-psk on client, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8298 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8299 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8300 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8301 0 \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8302 -C "session hash for extended master secret"\
8303 -S "session hash for extended master secret"\
8304 -S "SSL - The handshake negotiation failed" \
8305 -S "SSL - Unknown identity received" \
8306 -S "SSL - Verification of the message MAC failed"
8307
8308requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8309run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8310 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8311 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8312 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8313 0 \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8314 -C "session hash for extended master secret"\
8315 -S "session hash for extended master secret"\
8316 -S "SSL - The handshake negotiation failed" \
8317 -S "SSL - Unknown identity received" \
8318 -S "SSL - Verification of the message MAC failed"
8319
8320requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8321run_test "PSK callback: opaque rsa-psk on client, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8322 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8323 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8324 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8325 0 \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8326 -c "session hash for extended master secret"\
8327 -s "session hash for extended master secret"\
8328 -S "SSL - The handshake negotiation failed" \
8329 -S "SSL - Unknown identity received" \
8330 -S "SSL - Verification of the message MAC failed"
8331
8332requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8333run_test "PSK callback: opaque rsa-psk on client, no callback, SHA-384, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8334 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8335 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8336 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8337 0 \
Przemek Stekiel8e0495e2022-04-05 23:00:04 +0200[diff] [blame]8338 -c "session hash for extended master secret"\
8339 -s "session hash for extended master secret"\
8340 -S "SSL - The handshake negotiation failed" \
8341 -S "SSL - Unknown identity received" \
8342 -S "SSL - Verification of the message MAC failed"
8343
8344requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8345run_test "PSK callback: opaque ecdhe-psk on client, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8346 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8347 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8348 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8349 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8350 -C "session hash for extended master secret"\
8351 -S "session hash for extended master secret"\
8352 -S "SSL - The handshake negotiation failed" \
8353 -S "SSL - Unknown identity received" \
8354 -S "SSL - Verification of the message MAC failed"
8355
8356requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8357run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8358 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8359 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8360 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8361 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8362 -C "session hash for extended master secret"\
8363 -S "session hash for extended master secret"\
8364 -S "SSL - The handshake negotiation failed" \
8365 -S "SSL - Unknown identity received" \
8366 -S "SSL - Verification of the message MAC failed"
8367
8368requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8369run_test "PSK callback: opaque ecdhe-psk on client, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8370 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8371 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8372 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8373 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8374 -c "session hash for extended master secret"\
8375 -s "session hash for extended master secret"\
8376 -S "SSL - The handshake negotiation failed" \
8377 -S "SSL - Unknown identity received" \
8378 -S "SSL - Verification of the message MAC failed"
8379
8380requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8381run_test "PSK callback: opaque ecdhe-psk on client, no callback, SHA-384, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8382 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8383 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8384 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8385 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8386 -c "session hash for extended master secret"\
8387 -s "session hash for extended master secret"\
8388 -S "SSL - The handshake negotiation failed" \
8389 -S "SSL - Unknown identity received" \
8390 -S "SSL - Verification of the message MAC failed"
8391
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8392requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8393run_test "PSK callback: opaque dhe-psk on client, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8394 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8395 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8396 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8397 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8398 -C "session hash for extended master secret"\
8399 -S "session hash for extended master secret"\
8400 -S "SSL - The handshake negotiation failed" \
8401 -S "SSL - Unknown identity received" \
8402 -S "SSL - Verification of the message MAC failed"
8403
8404requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8405run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8406 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8407 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8408 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8409 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8410 -C "session hash for extended master secret"\
8411 -S "session hash for extended master secret"\
8412 -S "SSL - The handshake negotiation failed" \
8413 -S "SSL - Unknown identity received" \
8414 -S "SSL - Verification of the message MAC failed"
8415
8416requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8417run_test "PSK callback: opaque dhe-psk on client, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8418 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8419 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8420 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8421 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8422 -c "session hash for extended master secret"\
8423 -s "session hash for extended master secret"\
8424 -S "SSL - The handshake negotiation failed" \
8425 -S "SSL - Unknown identity received" \
8426 -S "SSL - Verification of the message MAC failed"
8427
8428requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8429run_test "PSK callback: opaque dhe-psk on client, no callback, SHA-384, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8430 "$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8431 "$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8432 psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8433 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8434 -c "session hash for extended master secret"\
8435 -s "session hash for extended master secret"\
8436 -S "SSL - The handshake negotiation failed" \
8437 -S "SSL - Unknown identity received" \
8438 -S "SSL - Verification of the message MAC failed"
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8439
8440requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8441run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8442 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8443 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8444 psk_identity=foo psk=73776f726466697368" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8445 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8446 -C "session hash for extended master secret"\
8447 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8448 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8449 -S "SSL - Unknown identity received" \
8450 -S "SSL - Verification of the message MAC failed"
8451
8452requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8453run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8454 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8455 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8456 psk_identity=foo psk=73776f726466697368" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8457 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8458 -C "session hash for extended master secret"\
8459 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8460 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8461 -S "SSL - Unknown identity received" \
8462 -S "SSL - Verification of the message MAC failed"
8463
8464requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8465run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8466 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8467 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8468 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8469 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8470 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8471 -c "session hash for extended master secret"\
8472 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8473 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8474 -S "SSL - Unknown identity received" \
8475 -S "SSL - Verification of the message MAC failed"
8476
8477requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8478run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8479 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8480 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8481 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8482 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8483 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8484 -c "session hash for extended master secret"\
8485 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8486 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8487 -S "SSL - Unknown identity received" \
8488 -S "SSL - Verification of the message MAC failed"
8489
8490requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8491run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8492 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8493 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8494 psk_identity=foo psk=73776f726466697368" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8495 0 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8496 -C "session hash for extended master secret"\
8497 -S "session hash for extended master secret"\
8498 -S "SSL - The handshake negotiation failed" \
8499 -S "SSL - Unknown identity received" \
8500 -S "SSL - Verification of the message MAC failed"
8501
8502requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8503run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8504 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8505 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8506 psk_identity=foo psk=73776f726466697368" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8507 0 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8508 -C "session hash for extended master secret"\
8509 -S "session hash for extended master secret"\
8510 -S "SSL - The handshake negotiation failed" \
8511 -S "SSL - Unknown identity received" \
8512 -S "SSL - Verification of the message MAC failed"
8513
8514requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8515run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8516 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8517 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8518 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8519 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8520 0 \
8521 -c "session hash for extended master secret"\
8522 -s "session hash for extended master secret"\
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8523 -S "SSL - The handshake negotiation failed" \
8524 -S "SSL - Unknown identity received" \
8525 -S "SSL - Verification of the message MAC failed"
8526
8527requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8528run_test "PSK callback: raw rsa-psk on client, static opaque on server, no callback, EMS, SHA384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8529 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8530 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8531 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8532 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8533 0 \
8534 -c "session hash for extended master secret"\
8535 -s "session hash for extended master secret"\
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8536 -S "SSL - The handshake negotiation failed" \
8537 -S "SSL - Unknown identity received" \
8538 -S "SSL - Verification of the message MAC failed"
8539
8540requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8541run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8542 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8543 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8544 psk_identity=foo psk=73776f726466697368" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8545 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8546 -C "session hash for extended master secret"\
8547 -S "session hash for extended master secret"\
8548 -S "SSL - The handshake negotiation failed" \
8549 -S "SSL - Unknown identity received" \
8550 -S "SSL - Verification of the message MAC failed"
8551
8552requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8553run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8554 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8555 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8556 psk_identity=foo psk=73776f726466697368" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8557 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8558 -C "session hash for extended master secret"\
8559 -S "session hash for extended master secret"\
8560 -S "SSL - The handshake negotiation failed" \
8561 -S "SSL - Unknown identity received" \
8562 -S "SSL - Verification of the message MAC failed"
8563
8564requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8565run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8566 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8567 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8568 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8569 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8570 0 \
8571 -c "session hash for extended master secret"\
8572 -s "session hash for extended master secret"\
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8573 -S "SSL - The handshake negotiation failed" \
8574 -S "SSL - Unknown identity received" \
8575 -S "SSL - Verification of the message MAC failed"
8576
8577requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8578run_test "PSK callback: raw ecdhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8579 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8580 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8581 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8582 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8583 0 \
8584 -c "session hash for extended master secret"\
8585 -s "session hash for extended master secret"\
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8586 -S "SSL - The handshake negotiation failed" \
8587 -S "SSL - Unknown identity received" \
8588 -S "SSL - Verification of the message MAC failed"
8589
8590requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8591run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8592 "$P_SRV extended_ms=0 debug_level=5 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8593 "$P_CLI extended_ms=0 debug_level=5 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8594 psk_identity=foo psk=73776f726466697368" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8595 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8596 -C "session hash for extended master secret"\
8597 -S "session hash for extended master secret"\
8598 -S "SSL - The handshake negotiation failed" \
8599 -S "SSL - Unknown identity received" \
8600 -S "SSL - Verification of the message MAC failed"
8601
8602requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8603run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, SHA-384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8604 "$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8605 "$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8606 psk_identity=foo psk=73776f726466697368" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8607 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8608 -C "session hash for extended master secret"\
8609 -S "session hash for extended master secret"\
8610 -S "SSL - The handshake negotiation failed" \
8611 -S "SSL - Unknown identity received" \
8612 -S "SSL - Verification of the message MAC failed"
8613
8614requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8615run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8616 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8617 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8618 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8619 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8620 0 \
8621 -c "session hash for extended master secret"\
8622 -s "session hash for extended master secret"\
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8623 -S "SSL - The handshake negotiation failed" \
8624 -S "SSL - Unknown identity received" \
8625 -S "SSL - Verification of the message MAC failed"
8626
8627requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8628run_test "PSK callback: raw dhe-psk on client, static opaque on server, no callback, EMS, SHA384" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8629 "$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8630 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8631 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8632 psk_identity=foo psk=73776f726466697368 extended_ms=1" \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8633 0 \
8634 -c "session hash for extended master secret"\
8635 -s "session hash for extended master secret"\
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8636 -S "SSL - The handshake negotiation failed" \
8637 -S "SSL - Unknown identity received" \
8638 -S "SSL - Verification of the message MAC failed"
8639
8640requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8641run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8642 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
8643 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8644 psk_identity=def psk=beef" \
8645 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8646 -C "session hash for extended master secret"\
8647 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8648 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8649 -S "SSL - Unknown identity received" \
8650 -S "SSL - Verification of the message MAC failed"
8651
8652requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8653run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8654 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
8655 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8656 psk_identity=def psk=beef" \
8657 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8658 -C "session hash for extended master secret"\
8659 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8660 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8661 -S "SSL - Unknown identity received" \
8662 -S "SSL - Verification of the message MAC failed"
8663
8664requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8665run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8666 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8667 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8668 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8669 psk_identity=abc psk=dead extended_ms=1" \
8670 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8671 -c "session hash for extended master secret"\
8672 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8673 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8674 -S "SSL - Unknown identity received" \
8675 -S "SSL - Verification of the message MAC failed"
8676
8677requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8678run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8679 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8680 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8681 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8682 psk_identity=abc psk=dead extended_ms=1" \
8683 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8684 -c "session hash for extended master secret"\
8685 -s "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8686 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8687 -S "SSL - Unknown identity received" \
8688 -S "SSL - Verification of the message MAC failed"
8689
8690requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8691run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback" \
8692 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
8693 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
8694 psk_identity=def psk=beef" \
8695 0 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8696 -C "session hash for extended master secret"\
8697 -S "session hash for extended master secret"\
8698 -S "SSL - The handshake negotiation failed" \
8699 -S "SSL - Unknown identity received" \
8700 -S "SSL - Verification of the message MAC failed"
8701
8702requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8703run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, SHA-384" \
8704 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384" \
8705 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
8706 psk_identity=def psk=beef" \
8707 0 \
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8708 -C "session hash for extended master secret"\
8709 -S "session hash for extended master secret"\
8710 -S "SSL - The handshake negotiation failed" \
8711 -S "SSL - Unknown identity received" \
8712 -S "SSL - Verification of the message MAC failed"
8713
8714requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8715run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS" \
8716 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8717 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8718 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA \
8719 psk_identity=abc psk=dead extended_ms=1" \
8720 0 \
8721 -c "session hash for extended master secret"\
8722 -s "session hash for extended master secret"\
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8723 -S "SSL - The handshake negotiation failed" \
8724 -S "SSL - Unknown identity received" \
8725 -S "SSL - Verification of the message MAC failed"
8726
8727requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8728run_test "PSK callback: raw rsa-psk on client, no static RSA-PSK on server, opaque RSA-PSK from callback, EMS, SHA384" \
8729 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8730 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8731 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \
8732 psk_identity=abc psk=dead extended_ms=1" \
8733 0 \
8734 -c "session hash for extended master secret"\
8735 -s "session hash for extended master secret"\
Przemek Stekielb270b562022-04-06 13:12:48 +0200[diff] [blame]8736 -S "SSL - The handshake negotiation failed" \
8737 -S "SSL - Unknown identity received" \
8738 -S "SSL - Verification of the message MAC failed"
8739
8740requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8741run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback" \
8742 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
8743 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
8744 psk_identity=def psk=beef" \
8745 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8746 -C "session hash for extended master secret"\
8747 -S "session hash for extended master secret"\
8748 -S "SSL - The handshake negotiation failed" \
8749 -S "SSL - Unknown identity received" \
8750 -S "SSL - Verification of the message MAC failed"
8751
8752requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8753run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, SHA-384" \
8754 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384" \
8755 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
8756 psk_identity=def psk=beef" \
8757 0 \
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8758 -C "session hash for extended master secret"\
8759 -S "session hash for extended master secret"\
8760 -S "SSL - The handshake negotiation failed" \
8761 -S "SSL - Unknown identity received" \
8762 -S "SSL - Verification of the message MAC failed"
8763
8764requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8765run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS" \
8766 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8767 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8768 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \
8769 psk_identity=abc psk=dead extended_ms=1" \
8770 0 \
8771 -c "session hash for extended master secret"\
8772 -s "session hash for extended master secret"\
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8773 -S "SSL - The handshake negotiation failed" \
8774 -S "SSL - Unknown identity received" \
8775 -S "SSL - Verification of the message MAC failed"
8776
8777requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8778run_test "PSK callback: raw ecdhe-psk on client, no static ECDHE-PSK on server, opaque ECDHE-PSK from callback, EMS, SHA384" \
8779 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8780 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8781 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \
8782 psk_identity=abc psk=dead extended_ms=1" \
8783 0 \
8784 -c "session hash for extended master secret"\
8785 -s "session hash for extended master secret"\
Przemek Stekielb6a05032022-04-14 10:22:18 +0200[diff] [blame]8786 -S "SSL - The handshake negotiation failed" \
8787 -S "SSL - Unknown identity received" \
8788 -S "SSL - Verification of the message MAC failed"
8789
8790requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8791run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback" \
8792 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
8793 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
8794 psk_identity=def psk=beef" \
8795 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8796 -C "session hash for extended master secret"\
8797 -S "session hash for extended master secret"\
8798 -S "SSL - The handshake negotiation failed" \
8799 -S "SSL - Unknown identity received" \
8800 -S "SSL - Verification of the message MAC failed"
8801
8802requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8803run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, SHA-384" \
8804 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384" \
8805 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
8806 psk_identity=def psk=beef" \
8807 0 \
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8808 -C "session hash for extended master secret"\
8809 -S "session hash for extended master secret"\
8810 -S "SSL - The handshake negotiation failed" \
8811 -S "SSL - Unknown identity received" \
8812 -S "SSL - Verification of the message MAC failed"
8813
8814requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8815run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS" \
8816 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8817 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
8818 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA \
8819 psk_identity=abc psk=dead extended_ms=1" \
8820 0 \
8821 -c "session hash for extended master secret"\
8822 -s "session hash for extended master secret"\
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8823 -S "SSL - The handshake negotiation failed" \
8824 -S "SSL - Unknown identity received" \
8825 -S "SSL - Verification of the message MAC failed"
8826
8827requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8828run_test "PSK callback: raw dhe-psk on client, no static DHE-PSK on server, opaque DHE-PSK from callback, EMS, SHA384" \
8829 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 \
8830 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
8831 "$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \
8832 psk_identity=abc psk=dead extended_ms=1" \
8833 0 \
8834 -c "session hash for extended master secret"\
8835 -s "session hash for extended master secret"\
Przemek Stekiel85d46fe2022-04-19 12:47:48 +0200[diff] [blame]8836 -S "SSL - The handshake negotiation failed" \
8837 -S "SSL - Unknown identity received" \
8838 -S "SSL - Verification of the message MAC failed"
8839
8840requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8841run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8842 "$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8843 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8844 psk_identity=def psk=beef" \
8845 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8846 -C "session hash for extended master secret"\
8847 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8848 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8849 -S "SSL - Unknown identity received" \
8850 -S "SSL - Verification of the message MAC failed"
8851
8852requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8853run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8854 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8855 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8856 psk_identity=def psk=beef" \
8857 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8858 -C "session hash for extended master secret"\
8859 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8860 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8861 -S "SSL - Unknown identity received" \
8862 -S "SSL - Verification of the message MAC failed"
8863
8864requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8865run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8866 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8867 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8868 psk_identity=def psk=beef" \
8869 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8870 -C "session hash for extended master secret"\
8871 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8872 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8873 -S "SSL - Unknown identity received" \
8874 -S "SSL - Verification of the message MAC failed"
8875
8876requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8877run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8878 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8879 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8880 psk_identity=def psk=beef" \
8881 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]8882 -C "session hash for extended master secret"\
8883 -S "session hash for extended master secret"\
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8884 -S "SSL - The handshake negotiation failed" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8885 -S "SSL - Unknown identity received" \
8886 -S "SSL - Verification of the message MAC failed"
8887
8888requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
8889run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8890 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]8891 "$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]8892 psk_identity=def psk=beef" \
8893 1 \
8894 -s "SSL - Verification of the message MAC failed"
8895
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8896run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]8897 "$P_SRV" \
8898 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8899 psk_identity=foo psk=73776f726466697368" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]8900 1 \
Dave Rodgman6ce10be2021-06-29 14:20:31 +0100[diff] [blame]8901 -s "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8902 -S "SSL - Unknown identity received" \
8903 -S "SSL - Verification of the message MAC failed"
8904
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8905run_test "PSK callback: callback overrides other settings" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8906 "$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8907 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]8908 psk_identity=foo psk=73776f726466697368" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8909 1 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8910 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8911 -s "SSL - Unknown identity received" \
8912 -S "SSL - Verification of the message MAC failed"
8913
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8914run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8915 "$P_SRV psk_list=abc,dead,def,beef" \
8916 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
8917 psk_identity=abc psk=dead" \
8918 0 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8919 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8920 -S "SSL - Unknown identity received" \
8921 -S "SSL - Verification of the message MAC failed"
8922
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8923run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8924 "$P_SRV psk_list=abc,dead,def,beef" \
8925 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
8926 psk_identity=def psk=beef" \
8927 0 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8928 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8929 -S "SSL - Unknown identity received" \
8930 -S "SSL - Verification of the message MAC failed"
8931
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8932run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8933 "$P_SRV psk_list=abc,dead,def,beef" \
8934 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
8935 psk_identity=ghi psk=beef" \
8936 1 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8937 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8938 -s "SSL - Unknown identity received" \
8939 -S "SSL - Verification of the message MAC failed"
8940
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]8941run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8942 "$P_SRV psk_list=abc,dead,def,beef" \
8943 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
8944 psk_identity=abc psk=beef" \
8945 1 \
Dave Rodgmane5b828c2021-06-29 19:05:34 +0100[diff] [blame]8946 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]8947 -S "SSL - Unknown identity received" \
8948 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]8949
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8950# Tests for EC J-PAKE
8951
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]8952requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]8953requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8954run_test "ECJPAKE: client not configured" \
8955 "$P_SRV debug_level=3" \
8956 "$P_CLI debug_level=3" \
8957 0 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]8958 -C "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8959 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]8960 -S "found ecjpake kkpp extension" \
8961 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8962 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]8963 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]8964 -C "found ecjpake_kkpp extension" \
Dave Rodgman737237f2021-06-29 19:07:57 +0100[diff] [blame]8965 -S "SSL - The handshake negotiation failed"
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8966
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]8967requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8968run_test "ECJPAKE: server not configured" \
8969 "$P_SRV debug_level=3" \
8970 "$P_CLI debug_level=3 ecjpake_pw=bla \
8971 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
8972 1 \
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]8973 -c "add ciphersuite: c0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8974 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]8975 -s "found ecjpake kkpp extension" \
8976 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8977 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]8978 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]8979 -C "found ecjpake_kkpp extension" \
Dave Rodgman737237f2021-06-29 19:07:57 +0100[diff] [blame]8980 -s "SSL - The handshake negotiation failed"
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]8981
Valerio Settif11e05a2022-12-07 15:41:05 +0100[diff] [blame]8982# Note: if the name of this test is changed, then please adjust the corresponding
8983# filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh")
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]8984requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]8985run_test "ECJPAKE: working, TLS" \
8986 "$P_SRV debug_level=3 ecjpake_pw=bla" \
8987 "$P_CLI debug_level=3 ecjpake_pw=bla \
8988 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]8989 0 \
Ronald Cron7320e642022-03-08 13:34:49 +0100[diff] [blame]8990 -c "add ciphersuite: c0ff" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]8991 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]8992 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]8993 -s "found ecjpake kkpp extension" \
8994 -S "skip ecjpake kkpp extension" \
8995 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]8996 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]8997 -c "found ecjpake_kkpp extension" \
Dave Rodgman737237f2021-06-29 19:07:57 +0100[diff] [blame]8998 -S "SSL - The handshake negotiation failed" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]8999 -S "SSL - Verification of the message MAC failed"
9000
Valerio Settid572a822022-11-28 18:27:51 +0100[diff] [blame]9001requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Valerio Settia6b69da2022-11-30 16:44:49 +0100[diff] [blame]9002requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Valerio Setti70e02902022-12-02 16:21:56 +0100[diff] [blame]9003run_test "ECJPAKE: opaque password client+server, working, TLS" \
Valerio Settid572a822022-11-28 18:27:51 +0100[diff] [blame]9004 "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
9005 "$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\
9006 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9007 0 \
9008 -c "add ciphersuite: c0ff" \
9009 -c "adding ecjpake_kkpp extension" \
Valerio Setti661b9bc2022-11-29 17:19:25 +0100[diff] [blame]9010 -c "using opaque password" \
9011 -s "using opaque password" \
Valerio Settid572a822022-11-28 18:27:51 +0100[diff] [blame]9012 -C "re-using cached ecjpake parameters" \
9013 -s "found ecjpake kkpp extension" \
9014 -S "skip ecjpake kkpp extension" \
9015 -S "ciphersuite mismatch: ecjpake not configured" \
9016 -s "server hello, ecjpake kkpp extension" \
9017 -c "found ecjpake_kkpp extension" \
9018 -S "SSL - The handshake negotiation failed" \
9019 -S "SSL - Verification of the message MAC failed"
9020
Valerio Settif11e05a2022-12-07 15:41:05 +0100[diff] [blame]9021# Note: if the name of this test is changed, then please adjust the corresponding
9022# filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh")
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9023requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
9024requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Valerio Setti70e02902022-12-02 16:21:56 +0100[diff] [blame]9025run_test "ECJPAKE: opaque password client only, working, TLS" \
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9026 "$P_SRV debug_level=3 ecjpake_pw=bla" \
9027 "$P_CLI debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1\
9028 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9029 0 \
9030 -c "add ciphersuite: c0ff" \
9031 -c "adding ecjpake_kkpp extension" \
9032 -c "using opaque password" \
9033 -S "using opaque password" \
9034 -C "re-using cached ecjpake parameters" \
9035 -s "found ecjpake kkpp extension" \
9036 -S "skip ecjpake kkpp extension" \
9037 -S "ciphersuite mismatch: ecjpake not configured" \
9038 -s "server hello, ecjpake kkpp extension" \
9039 -c "found ecjpake_kkpp extension" \
9040 -S "SSL - The handshake negotiation failed" \
9041 -S "SSL - Verification of the message MAC failed"
9042
Valerio Settif11e05a2022-12-07 15:41:05 +0100[diff] [blame]9043# Note: if the name of this test is changed, then please adjust the corresponding
9044# filtering label in "test_tls1_2_ecjpake_compatibility" (in "all.sh")
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9045requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
9046requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Valerio Setti70e02902022-12-02 16:21:56 +0100[diff] [blame]9047run_test "ECJPAKE: opaque password server only, working, TLS" \
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9048 "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
9049 "$P_CLI debug_level=3 ecjpake_pw=bla\
9050 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9051 0 \
9052 -c "add ciphersuite: c0ff" \
9053 -c "adding ecjpake_kkpp extension" \
9054 -C "using opaque password" \
9055 -s "using opaque password" \
9056 -C "re-using cached ecjpake parameters" \
9057 -s "found ecjpake kkpp extension" \
9058 -S "skip ecjpake kkpp extension" \
9059 -S "ciphersuite mismatch: ecjpake not configured" \
9060 -s "server hello, ecjpake kkpp extension" \
9061 -c "found ecjpake_kkpp extension" \
9062 -S "SSL - The handshake negotiation failed" \
9063 -S "SSL - Verification of the message MAC failed"
9064
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9065server_needs_more_time 1
Dave Rodgmanbec7caf2021-06-29 19:05:34 +0100[diff] [blame]9066requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9067run_test "ECJPAKE: password mismatch, TLS" \
9068 "$P_SRV debug_level=3 ecjpake_pw=bla" \
9069 "$P_CLI debug_level=3 ecjpake_pw=bad \
9070 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9071 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]9072 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9073 -s "SSL - Verification of the message MAC failed"
9074
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9075server_needs_more_time 1
9076requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
9077requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Valerio Settib287ddf2022-12-01 16:18:12 +0100[diff] [blame]9078run_test "ECJPAKE_OPAQUE_PW: opaque password mismatch, TLS" \
9079 "$P_SRV debug_level=3 ecjpake_pw=bla ecjpake_pw_opaque=1" \
9080 "$P_CLI debug_level=3 ecjpake_pw=bad ecjpake_pw_opaque=1 \
9081 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9082 1 \
9083 -c "using opaque password" \
9084 -s "using opaque password" \
9085 -C "re-using cached ecjpake parameters" \
9086 -s "SSL - Verification of the message MAC failed"
9087
Dave Rodgmanbec7caf2021-06-29 19:05:34 +0100[diff] [blame]9088requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9089run_test "ECJPAKE: working, DTLS" \
9090 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
9091 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
9092 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9093 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]9094 -c "re-using cached ecjpake parameters" \
9095 -S "SSL - Verification of the message MAC failed"
9096
Dave Rodgmanbec7caf2021-06-29 19:05:34 +0100[diff] [blame]9097requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]9098run_test "ECJPAKE: working, DTLS, no cookie" \
9099 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
9100 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
9101 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9102 0 \
9103 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9104 -S "SSL - Verification of the message MAC failed"
9105
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9106server_needs_more_time 1
Dave Rodgmanbec7caf2021-06-29 19:05:34 +0100[diff] [blame]9107requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9108run_test "ECJPAKE: password mismatch, DTLS" \
9109 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
9110 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
9111 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9112 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]9113 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]9114 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]9115
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]9116# for tests with configs/config-thread.h
Dave Rodgmanbec7caf2021-06-29 19:05:34 +0100[diff] [blame]9117requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]9118run_test "ECJPAKE: working, DTLS, nolog" \
9119 "$P_SRV dtls=1 ecjpake_pw=bla" \
9120 "$P_CLI dtls=1 ecjpake_pw=bla \
9121 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
9122 0
9123
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]9124# Test for ClientHello without extensions
9125
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]9126# Without extensions, ECC is impossible (no curve negotiation).
9127requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]9128requires_gnutls
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]9129run_test "ClientHello without extensions: RSA" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]9130 "$P_SRV force_version=tls12 debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]9131 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]9132 0 \
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]9133 -s "Ciphersuite is .*-RSA-WITH-.*" \
9134 -S "Ciphersuite is .*-EC.*" \
9135 -s "dumping 'client hello extensions' (0 bytes)"
9136
Gilles Peskinef2876912024-05-13 21:18:41 +0200[diff] [blame]9137requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
Gilles Peskine80e54a22024-04-29 17:42:52 +0200[diff] [blame]9138requires_gnutls
9139run_test "ClientHello without extensions: PSK" \
9140 "$P_SRV force_version=tls12 debug_level=3 psk=73776f726466697368" \
9141 "$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \
9142 0 \
9143 -s "Ciphersuite is .*-PSK-.*" \
9144 -S "Ciphersuite is .*-EC.*" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]9145 -s "dumping 'client hello extensions' (0 bytes)"
9146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9147# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]9148
Gilles Peskined2d90af2022-04-06 23:35:56 +0200[diff] [blame]9149# The server first reads buffer_size-1 bytes, then reads the remainder.
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]9150requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]9151run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Gilles Peskined2d90af2022-04-06 23:35:56 +0200[diff] [blame]9152 "$P_SRV buffer_size=100" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]9153 "$P_CLI request_size=100" \
9154 0 \
9155 -s "Read from client: 100 bytes read$"
9156
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]9157requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Gilles Peskined2d90af2022-04-06 23:35:56 +0200[diff] [blame]9158run_test "mbedtls_ssl_get_bytes_avail: extra data (+1)" \
9159 "$P_SRV buffer_size=100" \
9160 "$P_CLI request_size=101" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]9161 0 \
Gilles Peskined2d90af2022-04-06 23:35:56 +0200[diff] [blame]9162 -s "Read from client: 101 bytes read (100 + 1)"
9163
9164requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
9165requires_max_content_len 200
9166run_test "mbedtls_ssl_get_bytes_avail: extra data (*2)" \
9167 "$P_SRV buffer_size=100" \
9168 "$P_CLI request_size=200" \
9169 0 \
9170 -s "Read from client: 200 bytes read (100 + 100)"
9171
9172requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
9173run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \
Waleed Elmelegybae705c2024-01-01 14:21:21 +0000[diff] [blame]9174 "$P_SRV buffer_size=100 force_version=tls12" \
Gilles Peskined2d90af2022-04-06 23:35:56 +0200[diff] [blame]9175 "$P_CLI request_size=$MAX_CONTENT_LEN" \
9176 0 \
9177 -s "Read from client: $MAX_CONTENT_LEN bytes read (100 + $((MAX_CONTENT_LEN - 100)))"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]9178
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9179# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]9180
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9181run_test "Small client packet TLS 1.2 BlockCipher" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9182 "$P_SRV force_version=tls12" \
9183 "$P_CLI request_size=1 \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]9184 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9185 0 \
9186 -s "Read from client: 1 bytes read"
9187
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9188run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9189 "$P_SRV force_version=tls12" \
9190 "$P_CLI request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]9191 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]9192 0 \
9193 -s "Read from client: 1 bytes read"
9194
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9195run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9196 "$P_SRV force_version=tls12" \
9197 "$P_CLI request_size=1 \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]9198 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]9199 0 \
9200 -s "Read from client: 1 bytes read"
9201
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9202run_test "Small client packet TLS 1.2 AEAD" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9203 "$P_SRV force_version=tls12" \
9204 "$P_CLI request_size=1 \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]9205 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
9206 0 \
9207 -s "Read from client: 1 bytes read"
9208
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9209run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9210 "$P_SRV force_version=tls12" \
9211 "$P_CLI request_size=1 \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]9212 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
9213 0 \
9214 -s "Read from client: 1 bytes read"
9215
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9216requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9217run_test "Small client packet TLS 1.3 AEAD" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9218 "$P_SRV" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9219 "$P_CLI request_size=1 \
9220 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
9221 0 \
9222 -s "Read from client: 1 bytes read"
9223
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9224requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9225run_test "Small client packet TLS 1.3 AEAD shorter tag" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9226 "$P_SRV" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9227 "$P_CLI request_size=1 \
9228 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
9229 0 \
9230 -s "Read from client: 1 bytes read"
9231
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9232# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]9233
9234requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9235run_test "Small client packet DTLS 1.2" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]9236 "$P_SRV dtls=1 force_version=dtls12" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]9237 "$P_CLI dtls=1 request_size=1 \
9238 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9239 0 \
9240 -s "Read from client: 1 bytes read"
9241
9242requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9243run_test "Small client packet DTLS 1.2, without EtM" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]9244 "$P_SRV dtls=1 force_version=dtls12 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]9245 "$P_CLI dtls=1 request_size=1 \
9246 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9247 0 \
9248 -s "Read from client: 1 bytes read"
9249
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9250# Tests for small server packets
9251
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9252run_test "Small server packet TLS 1.2 BlockCipher" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9253 "$P_SRV response_size=1 force_version=tls12" \
9254 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9255 0 \
9256 -c "Read from server: 1 bytes read"
9257
9258run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9259 "$P_SRV response_size=1 force_version=tls12" \
9260 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9261 0 \
9262 -c "Read from server: 1 bytes read"
9263
9264run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9265 "$P_SRV response_size=1 force_version=tls12" \
9266 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9267 0 \
9268 -c "Read from server: 1 bytes read"
9269
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9270run_test "Small server packet TLS 1.2 AEAD" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9271 "$P_SRV response_size=1 force_version=tls12" \
9272 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9273 0 \
9274 -c "Read from server: 1 bytes read"
9275
9276run_test "Small server packet TLS 1.2 AEAD shorter tag" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9277 "$P_SRV response_size=1 force_version=tls12" \
9278 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9279 0 \
9280 -c "Read from server: 1 bytes read"
9281
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9282requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9283run_test "Small server packet TLS 1.3 AEAD" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9284 "$P_SRV response_size=1" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9285 "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
9286 0 \
9287 -c "Read from server: 1 bytes read"
9288
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9289requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9290run_test "Small server packet TLS 1.3 AEAD shorter tag" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9291 "$P_SRV response_size=1" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9292 "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
9293 0 \
9294 -c "Read from server: 1 bytes read"
9295
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9296# Tests for small server packets in DTLS
9297
9298requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9299run_test "Small server packet DTLS 1.2" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]9300 "$P_SRV dtls=1 response_size=1 force_version=dtls12" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9301 "$P_CLI dtls=1 \
9302 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9303 0 \
9304 -c "Read from server: 1 bytes read"
9305
9306requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
9307run_test "Small server packet DTLS 1.2, without EtM" \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]9308 "$P_SRV dtls=1 response_size=1 force_version=dtls12 etm=0" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9309 "$P_CLI dtls=1 \
9310 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9311 0 \
9312 -c "Read from server: 1 bytes read"
9313
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9314# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9315
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9316# How many fragments do we expect to write $1 bytes?
9317fragments_for_write() {
9318 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
9319}
9320
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9321run_test "Large client packet TLS 1.2 BlockCipher" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9322 "$P_SRV force_version=tls12" \
9323 "$P_CLI request_size=16384 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9324 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9325 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9326 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
9327 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9328
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9329run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9330 "$P_SRV force_version=tls12" \
9331 "$P_CLI request_size=16384 etm=0 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]9332 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
9333 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9334 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]9335
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9336run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9337 "$P_SRV force_version=tls12" \
9338 "$P_CLI request_size=16384 \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]9339 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9340 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9341 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
9342 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9343
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9344run_test "Large client packet TLS 1.2 AEAD" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9345 "$P_SRV force_version=tls12" \
9346 "$P_CLI request_size=16384 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9347 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
9348 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9349 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
9350 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9351
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9352run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9353 "$P_SRV force_version=tls12" \
9354 "$P_CLI request_size=16384 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9355 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
9356 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]9357 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
9358 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]9359
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9360requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9361run_test "Large client packet TLS 1.3 AEAD" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9362 "$P_SRV" \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9363 "$P_CLI request_size=16383 \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9364 force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
9365 0 \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9366 -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
9367 -s "Read from client: 16383 bytes read"
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9368
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9369requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9370run_test "Large client packet TLS 1.3 AEAD shorter tag" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]9371 "$P_SRV" \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9372 "$P_CLI request_size=16383 \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9373 force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
9374 0 \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9375 -c "16383 bytes written in $(fragments_for_write 16383) fragments" \
9376 -s "Read from client: 16383 bytes read"
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9377
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]9378# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9379run_test "Large server packet TLS 1.2 BlockCipher" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9380 "$P_SRV response_size=16384 force_version=tls12" \
9381 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9382 0 \
9383 -c "Read from server: 16384 bytes read"
9384
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9385run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9386 "$P_SRV response_size=16384 force_version=tls12" \
9387 "$P_CLI etm=0 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9388 0 \
9389 -s "16384 bytes written in 1 fragments" \
9390 -c "Read from server: 16384 bytes read"
9391
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9392run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9393 "$P_SRV response_size=16384 force_version=tls12" \
9394 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9395 0 \
9396 -c "Read from server: 16384 bytes read"
9397
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9398run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9399 "$P_SRV response_size=16384 trunc_hmac=1 force_version=tls12" \
9400 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]9401 0 \
9402 -s "16384 bytes written in 1 fragments" \
9403 -c "Read from server: 16384 bytes read"
9404
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9405run_test "Large server packet TLS 1.2 AEAD" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9406 "$P_SRV response_size=16384 force_version=tls12" \
9407 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9408 0 \
9409 -c "Read from server: 16384 bytes read"
9410
9411run_test "Large server packet TLS 1.2 AEAD shorter tag" \
Ronald Cronf3b425b2022-03-17 16:45:09 +0100[diff] [blame]9412 "$P_SRV response_size=16384 force_version=tls12" \
9413 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]9414 0 \
9415 -c "Read from server: 16384 bytes read"
9416
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9417requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9418run_test "Large server packet TLS 1.3 AEAD" \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9419 "$P_SRV response_size=16383" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9420 "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-SHA256" \
9421 0 \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9422 -c "Read from server: 16383 bytes read"
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9423
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]9424requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9425run_test "Large server packet TLS 1.3 AEAD shorter tag" \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9426 "$P_SRV response_size=16383" \
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9427 "$P_CLI force_ciphersuite=TLS1-3-AES-128-CCM-8-SHA256" \
9428 0 \
Waleed Elmelegyea031832023-12-29 15:36:51 +0000[diff] [blame]9429 -c "Read from server: 16383 bytes read"
Ronald Crona4417c12022-06-23 16:06:28 +0200[diff] [blame]9430
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9431# Tests for restartable ECC
9432
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9433# Force the use of a curve that supports restartable ECC (secp256r1).
9434
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9435requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9436requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9437run_test "EC restart: TLS, default" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9438 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9439 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9440 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9441 debug_level=1" \
9442 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9443 -C "x509_verify_cert.*4b00" \
9444 -C "mbedtls_pk_verify.*4b00" \
9445 -C "mbedtls_ecdh_make_public.*4b00" \
9446 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9447
9448requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9449requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9450run_test "EC restart: TLS, max_ops=0" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9451 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9452 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9453 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9454 debug_level=1 ec_max_ops=0" \
9455 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9456 -C "x509_verify_cert.*4b00" \
9457 -C "mbedtls_pk_verify.*4b00" \
9458 -C "mbedtls_ecdh_make_public.*4b00" \
9459 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9460
9461requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9462requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9463run_test "EC restart: TLS, max_ops=65535" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9464 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9465 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9466 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9467 debug_level=1 ec_max_ops=65535" \
9468 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9469 -C "x509_verify_cert.*4b00" \
9470 -C "mbedtls_pk_verify.*4b00" \
9471 -C "mbedtls_ecdh_make_public.*4b00" \
9472 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9473
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9474# With USE_PSA disabled we expect full restartable behaviour.
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9475requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9476requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9477requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
9478run_test "EC restart: TLS, max_ops=1000 (no USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9479 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9480 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9481 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9482 debug_level=1 ec_max_ops=1000" \
9483 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9484 -c "x509_verify_cert.*4b00" \
9485 -c "mbedtls_pk_verify.*4b00" \
9486 -c "mbedtls_ecdh_make_public.*4b00" \
9487 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9488
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9489# With USE_PSA enabled we expect only partial restartable behaviour:
9490# everything except ECDH (where TLS calls PSA directly).
9491requires_config_enabled MBEDTLS_ECP_RESTARTABLE
9492requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9493requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
9494run_test "EC restart: TLS, max_ops=1000 (USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9495 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9496 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9497 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9498 debug_level=1 ec_max_ops=1000" \
9499 0 \
9500 -c "x509_verify_cert.*4b00" \
9501 -c "mbedtls_pk_verify.*4b00" \
9502 -C "mbedtls_ecdh_make_public.*4b00" \
9503 -c "mbedtls_pk_sign.*4b00"
9504
9505# This works the same with & without USE_PSA as we never get to ECDH:
9506# we abort as soon as we determined the cert is bad.
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9507requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9508requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9509run_test "EC restart: TLS, max_ops=1000, badsign" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9510 "$P_SRV groups=secp256r1 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9511 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
9512 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9513 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9514 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9515 debug_level=1 ec_max_ops=1000" \
9516 1 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9517 -c "x509_verify_cert.*4b00" \
9518 -C "mbedtls_pk_verify.*4b00" \
9519 -C "mbedtls_ecdh_make_public.*4b00" \
9520 -C "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9521 -c "! The certificate is not correctly signed by the trusted CA" \
9522 -c "! mbedtls_ssl_handshake returned" \
9523 -c "X509 - Certificate verification failed"
9524
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9525# With USE_PSA disabled we expect full restartable behaviour.
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9526requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9527requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9528requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
9529run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9530 "$P_SRV groups=secp256r1 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9531 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
9532 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9533 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9534 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9535 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
9536 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9537 -c "x509_verify_cert.*4b00" \
9538 -c "mbedtls_pk_verify.*4b00" \
9539 -c "mbedtls_ecdh_make_public.*4b00" \
9540 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9541 -c "! The certificate is not correctly signed by the trusted CA" \
9542 -C "! mbedtls_ssl_handshake returned" \
9543 -C "X509 - Certificate verification failed"
9544
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9545# With USE_PSA enabled we expect only partial restartable behaviour:
9546# everything except ECDH (where TLS calls PSA directly).
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9547requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9548requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9549requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
9550run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9551 "$P_SRV groups=secp256r1 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9552 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
9553 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9554 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9555 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9556 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
9557 0 \
9558 -c "x509_verify_cert.*4b00" \
9559 -c "mbedtls_pk_verify.*4b00" \
9560 -C "mbedtls_ecdh_make_public.*4b00" \
9561 -c "mbedtls_pk_sign.*4b00" \
9562 -c "! The certificate is not correctly signed by the trusted CA" \
9563 -C "! mbedtls_ssl_handshake returned" \
9564 -C "X509 - Certificate verification failed"
9565
9566# With USE_PSA disabled we expect full restartable behaviour.
9567requires_config_enabled MBEDTLS_ECP_RESTARTABLE
9568requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9569requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
9570run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9571 "$P_SRV groups=secp256r1 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9572 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
9573 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9574 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9575 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9576 debug_level=1 ec_max_ops=1000 auth_mode=none" \
9577 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9578 -C "x509_verify_cert.*4b00" \
9579 -c "mbedtls_pk_verify.*4b00" \
9580 -c "mbedtls_ecdh_make_public.*4b00" \
9581 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9582 -C "! The certificate is not correctly signed by the trusted CA" \
9583 -C "! mbedtls_ssl_handshake returned" \
9584 -C "X509 - Certificate verification failed"
9585
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9586# With USE_PSA enabled we expect only partial restartable behaviour:
9587# everything except ECDH (where TLS calls PSA directly).
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]9588requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9589requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9590requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
9591run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9592 "$P_SRV groups=secp256r1 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9593 crt_file=$DATA_FILES_PATH/server5-badsign.crt \
9594 key_file=$DATA_FILES_PATH/server5.key" \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9595 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9596 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9597 debug_level=1 ec_max_ops=1000 auth_mode=none" \
9598 0 \
9599 -C "x509_verify_cert.*4b00" \
9600 -c "mbedtls_pk_verify.*4b00" \
9601 -C "mbedtls_ecdh_make_public.*4b00" \
9602 -c "mbedtls_pk_sign.*4b00" \
9603 -C "! The certificate is not correctly signed by the trusted CA" \
9604 -C "! mbedtls_ssl_handshake returned" \
9605 -C "X509 - Certificate verification failed"
9606
9607# With USE_PSA disabled we expect full restartable behaviour.
9608requires_config_enabled MBEDTLS_ECP_RESTARTABLE
9609requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9610requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
9611run_test "EC restart: DTLS, max_ops=1000 (no USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9612 "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9613 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9614 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9615 dtls=1 debug_level=1 ec_max_ops=1000" \
9616 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9617 -c "x509_verify_cert.*4b00" \
9618 -c "mbedtls_pk_verify.*4b00" \
9619 -c "mbedtls_ecdh_make_public.*4b00" \
9620 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]9621
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9622# With USE_PSA enabled we expect only partial restartable behaviour:
9623# everything except ECDH (where TLS calls PSA directly).
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9624requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9625requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9626requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
9627run_test "EC restart: DTLS, max_ops=1000 (USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9628 "$P_SRV groups=secp256r1 auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9629 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9630 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9631 dtls=1 debug_level=1 ec_max_ops=1000" \
9632 0 \
9633 -c "x509_verify_cert.*4b00" \
9634 -c "mbedtls_pk_verify.*4b00" \
9635 -C "mbedtls_ecdh_make_public.*4b00" \
9636 -c "mbedtls_pk_sign.*4b00"
9637
9638# With USE_PSA disabled we expect full restartable behaviour.
9639requires_config_enabled MBEDTLS_ECP_RESTARTABLE
9640requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9641requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
9642run_test "EC restart: TLS, max_ops=1000 no client auth (no USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9643 "$P_SRV groups=secp256r1" \
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9644 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
9645 debug_level=1 ec_max_ops=1000" \
9646 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9647 -c "x509_verify_cert.*4b00" \
9648 -c "mbedtls_pk_verify.*4b00" \
9649 -c "mbedtls_ecdh_make_public.*4b00" \
9650 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9651
Manuel Pégourié-Gonnard2b7ad642022-12-06 10:42:44 +0100[diff] [blame]9652
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9653# With USE_PSA enabled we expect only partial restartable behaviour:
9654# everything except ECDH (where TLS calls PSA directly).
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9655requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Gilles Peskine4a02cef2021-06-03 11:12:40 +0200[diff] [blame]9656requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9657requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
9658run_test "EC restart: TLS, max_ops=1000 no client auth (USE_PSA)" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9659 "$P_SRV groups=secp256r1" \
Manuel Pégourié-Gonnard55a188b2022-12-06 12:00:33 +0100[diff] [blame]9660 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
9661 debug_level=1 ec_max_ops=1000" \
9662 0 \
9663 -c "x509_verify_cert.*4b00" \
9664 -c "mbedtls_pk_verify.*4b00" \
9665 -C "mbedtls_ecdh_make_public.*4b00" \
9666 -C "mbedtls_pk_sign.*4b00"
9667
Manuel Pégourié-Gonnard2b7ad642022-12-06 10:42:44 +0100[diff] [blame]9668# Restartable is only for ECDHE-ECDSA, with another ciphersuite we expect no
9669# restartable behaviour at all (not even client auth).
9670# This is the same as "EC restart: TLS, max_ops=1000" except with ECDHE-RSA,
9671# and all 4 assertions negated.
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9672requires_config_enabled MBEDTLS_ECP_RESTARTABLE
9673requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
Manuel Pégourié-Gonnard2b7ad642022-12-06 10:42:44 +0100[diff] [blame]9674run_test "EC restart: TLS, max_ops=1000, ECDHE-RSA" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]9675 "$P_SRV groups=secp256r1 auth_mode=required" \
Manuel Pégourié-Gonnard2b7ad642022-12-06 10:42:44 +0100[diff] [blame]9676 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9677 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
Manuel Pégourié-Gonnard2b7ad642022-12-06 10:42:44 +0100[diff] [blame]9678 debug_level=1 ec_max_ops=1000" \
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9679 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]9680 -C "x509_verify_cert.*4b00" \
9681 -C "mbedtls_pk_verify.*4b00" \
9682 -C "mbedtls_ecdh_make_public.*4b00" \
9683 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]9684
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9685# Tests of asynchronous private key support in SSL
9686
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9687requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9688run_test "SSL async private: sign, delay=0" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9689 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9690 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9691 "$P_CLI" \
9692 0 \
9693 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9694 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9695
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9696requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9697run_test "SSL async private: sign, delay=1" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9698 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9699 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9700 "$P_CLI" \
9701 0 \
9702 -s "Async sign callback: using key slot " \
9703 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9704 -s "Async resume (slot [0-9]): sign done, status=0"
9705
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]9706requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
9707run_test "SSL async private: sign, delay=2" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9708 "$P_SRV force_version=tls12 \
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]9709 async_operations=s async_private_delay1=2 async_private_delay2=2" \
9710 "$P_CLI" \
9711 0 \
9712 -s "Async sign callback: using key slot " \
9713 -U "Async sign callback: using key slot " \
9714 -s "Async resume (slot [0-9]): call 1 more times." \
9715 -s "Async resume (slot [0-9]): call 0 more times." \
9716 -s "Async resume (slot [0-9]): sign done, status=0"
9717
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9718requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Hanno Beckerc5722d12020-10-09 11:10:42 +0100[diff] [blame]9719requires_config_disabled MBEDTLS_X509_REMOVE_INFO
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]9720run_test "SSL async private: sign, SNI" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9721 "$P_SRV force_version=tls12 debug_level=3 \
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]9722 async_operations=s async_private_delay1=0 async_private_delay2=0 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9723 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
9724 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]9725 "$P_CLI server_name=polarssl.example" \
9726 0 \
9727 -s "Async sign callback: using key slot " \
9728 -s "Async resume (slot [0-9]): sign done, status=0" \
9729 -s "parse ServerName extension" \
9730 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
9731 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
9732
9733requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9734run_test "SSL async private: decrypt, delay=0" \
9735 "$P_SRV \
9736 async_operations=d async_private_delay1=0 async_private_delay2=0" \
9737 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9738 0 \
9739 -s "Async decrypt callback: using key slot " \
9740 -s "Async resume (slot [0-9]): decrypt done, status=0"
9741
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9742requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9743run_test "SSL async private: decrypt, delay=1" \
9744 "$P_SRV \
9745 async_operations=d async_private_delay1=1 async_private_delay2=1" \
9746 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9747 0 \
9748 -s "Async decrypt callback: using key slot " \
9749 -s "Async resume (slot [0-9]): call 0 more times." \
9750 -s "Async resume (slot [0-9]): decrypt done, status=0"
9751
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9752requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9753run_test "SSL async private: decrypt RSA-PSK, delay=0" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]9754 "$P_SRV psk=73776f726466697368 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9755 async_operations=d async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]9756 "$P_CLI psk=73776f726466697368 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9757 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
9758 0 \
9759 -s "Async decrypt callback: using key slot " \
9760 -s "Async resume (slot [0-9]): decrypt done, status=0"
9761
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9762requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9763run_test "SSL async private: decrypt RSA-PSK, delay=1" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]9764 "$P_SRV psk=73776f726466697368 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9765 async_operations=d async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]9766 "$P_CLI psk=73776f726466697368 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9767 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
9768 0 \
9769 -s "Async decrypt callback: using key slot " \
9770 -s "Async resume (slot [0-9]): call 0 more times." \
9771 -s "Async resume (slot [0-9]): decrypt done, status=0"
9772
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9773requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9774run_test "SSL async private: sign callback not present" \
9775 "$P_SRV \
9776 async_operations=d async_private_delay1=1 async_private_delay2=1" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9777 "$P_CLI force_version=tls12; [ \$? -eq 1 ] &&
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9778 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9779 0 \
9780 -S "Async sign callback" \
9781 -s "! mbedtls_ssl_handshake returned" \
9782 -s "The own private key or pre-shared key is not set, but needed" \
9783 -s "Async resume (slot [0-9]): decrypt done, status=0" \
9784 -s "Successful connection"
9785
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9786requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9787run_test "SSL async private: decrypt callback not present" \
9788 "$P_SRV debug_level=1 \
9789 async_operations=s async_private_delay1=1 async_private_delay2=1" \
9790 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
Ronald Cronc5649382023-04-04 15:33:42 +0200[diff] [blame]9791 [ \$? -eq 1 ] && $P_CLI force_version=tls12" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9792 0 \
9793 -S "Async decrypt callback" \
9794 -s "! mbedtls_ssl_handshake returned" \
9795 -s "got no RSA private key" \
9796 -s "Async resume (slot [0-9]): sign done, status=0" \
9797 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9798
9799# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9800requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9801run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9802 "$P_SRV \
9803 async_operations=s async_private_delay1=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9804 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9805 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9806 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
9807 0 \
9808 -s "Async sign callback: using key slot 0," \
9809 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9810 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9811
9812# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9813requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9814run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9815 "$P_SRV \
9816 async_operations=s async_private_delay2=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9817 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9818 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9819 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
9820 0 \
9821 -s "Async sign callback: using key slot 0," \
9822 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9823 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9824
9825# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9826requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]9827run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9828 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]9829 async_operations=s async_private_delay1=1 async_private_delay2=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9830 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9831 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9832 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
9833 0 \
9834 -s "Async sign callback: using key slot 1," \
9835 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9836 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9837
9838# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9839requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9840run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9841 "$P_SRV \
9842 async_operations=s async_private_delay1=1 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9843 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9844 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9845 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
9846 0 \
9847 -s "Async sign callback: no key matches this certificate."
9848
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9849requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]9850run_test "SSL async private: sign, error in start" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9851 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9852 async_operations=s async_private_delay1=1 async_private_delay2=1 \
9853 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9854 "$P_CLI" \
9855 1 \
9856 -s "Async sign callback: injected error" \
9857 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]9858 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9859 -s "! mbedtls_ssl_handshake returned"
9860
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9861requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]9862run_test "SSL async private: sign, cancel after start" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9863 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9864 async_operations=s async_private_delay1=1 async_private_delay2=1 \
9865 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9866 "$P_CLI" \
9867 1 \
9868 -s "Async sign callback: using key slot " \
9869 -S "Async resume" \
9870 -s "Async cancel"
9871
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9872requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]9873run_test "SSL async private: sign, error in resume" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9874 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9875 async_operations=s async_private_delay1=1 async_private_delay2=1 \
9876 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9877 "$P_CLI" \
9878 1 \
9879 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9880 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]9881 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9882 -s "! mbedtls_ssl_handshake returned"
9883
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9884requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]9885run_test "SSL async private: decrypt, error in start" \
9886 "$P_SRV \
9887 async_operations=d async_private_delay1=1 async_private_delay2=1 \
9888 async_private_error=1" \
9889 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9890 1 \
9891 -s "Async decrypt callback: injected error" \
9892 -S "Async resume" \
9893 -S "Async cancel" \
9894 -s "! mbedtls_ssl_handshake returned"
9895
9896requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
9897run_test "SSL async private: decrypt, cancel after start" \
9898 "$P_SRV \
9899 async_operations=d async_private_delay1=1 async_private_delay2=1 \
9900 async_private_error=2" \
9901 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9902 1 \
9903 -s "Async decrypt callback: using key slot " \
9904 -S "Async resume" \
9905 -s "Async cancel"
9906
9907requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
9908run_test "SSL async private: decrypt, error in resume" \
9909 "$P_SRV \
9910 async_operations=d async_private_delay1=1 async_private_delay2=1 \
9911 async_private_error=3" \
9912 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9913 1 \
9914 -s "Async decrypt callback: using key slot " \
9915 -s "Async resume callback: decrypt done but injected error" \
9916 -S "Async cancel" \
9917 -s "! mbedtls_ssl_handshake returned"
9918
9919requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9920run_test "SSL async private: cancel after start then operate correctly" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9921 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9922 async_operations=s async_private_delay1=1 async_private_delay2=1 \
9923 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9924 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
9925 0 \
9926 -s "Async cancel" \
9927 -s "! mbedtls_ssl_handshake returned" \
9928 -s "Async resume" \
9929 -s "Successful connection"
9930
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9931requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9932run_test "SSL async private: error in resume then operate correctly" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9933 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9934 async_operations=s async_private_delay1=1 async_private_delay2=1 \
9935 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9936 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
9937 0 \
9938 -s "! mbedtls_ssl_handshake returned" \
9939 -s "Async resume" \
9940 -s "Successful connection"
9941
9942# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9943requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Valerio Setti3f2309f2023-02-23 13:47:30 +0100[diff] [blame]9944# Note: the function "detect_required_features()" is not able to detect more than
9945# one "force_ciphersuite" per client/server and it only picks the 2nd one.
9946# Therefore the 1st one is added explicitly here
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]9947requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9948run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9949 "$P_SRV \
9950 async_operations=s async_private_delay1=1 async_private_error=-2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9951 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9952 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9953 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
9954 [ \$? -eq 1 ] &&
9955 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
9956 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]9957 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9958 -S "Async resume" \
9959 -s "Async cancel" \
9960 -s "! mbedtls_ssl_handshake returned" \
9961 -s "Async sign callback: no key matches this certificate." \
9962 -s "Successful connection"
9963
9964# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9965requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Valerio Setti3f2309f2023-02-23 13:47:30 +0100[diff] [blame]9966# Note: the function "detect_required_features()" is not able to detect more than
9967# one "force_ciphersuite" per client/server and it only picks the 2nd one.
9968# Therefore the 1st one is added explicitly here
Valerio Settid1f991c2023-02-22 12:54:13 +0100[diff] [blame]9969requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]9970run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9971 "$P_SRV \
9972 async_operations=s async_private_delay1=1 async_private_error=-3 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]9973 key_file=$DATA_FILES_PATH/server5.key crt_file=$DATA_FILES_PATH/server5.crt \
9974 key_file2=$DATA_FILES_PATH/server2.key crt_file2=$DATA_FILES_PATH/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]9975 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
9976 [ \$? -eq 1 ] &&
9977 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
9978 0 \
9979 -s "Async resume" \
9980 -s "! mbedtls_ssl_handshake returned" \
9981 -s "Async sign callback: no key matches this certificate." \
9982 -s "Successful connection"
9983
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9984requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]9986run_test "SSL async private: renegotiation: client-initiated, sign" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9987 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9988 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9989 exchanges=2 renegotiation=1" \
9990 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
9991 0 \
9992 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9993 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9994
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]9995requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]9996requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]9997run_test "SSL async private: renegotiation: server-initiated, sign" \
Ronald Cronfd4c6af2023-03-11 10:46:01 +0100[diff] [blame]9998 "$P_SRV force_version=tls12 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]9999 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]10000 exchanges=2 renegotiation=1 renegotiate=1" \
10001 "$P_CLI exchanges=2 renegotiation=1" \
10002 0 \
10003 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]10004 -s "Async resume (slot [0-9]): sign done, status=0"
10005
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]10006requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]10007requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]10008run_test "SSL async private: renegotiation: client-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]10009 "$P_SRV \
10010 async_operations=d async_private_delay1=1 async_private_delay2=1 \
10011 exchanges=2 renegotiation=1" \
10012 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
10013 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
10014 0 \
10015 -s "Async decrypt callback: using key slot " \
10016 -s "Async resume (slot [0-9]): decrypt done, status=0"
10017
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]10018requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]10019requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]10020run_test "SSL async private: renegotiation: server-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]10021 "$P_SRV \
10022 async_operations=d async_private_delay1=1 async_private_delay2=1 \
10023 exchanges=2 renegotiation=1 renegotiate=1" \
10024 "$P_CLI exchanges=2 renegotiation=1 \
10025 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
10026 0 \
10027 -s "Async decrypt callback: using key slot " \
10028 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]10029
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10030# Tests for ECC extensions (rfc 4492)
10031
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10032requires_hash_alg SHA_256
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]10033requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10034run_test "Force a non ECC ciphersuite in the client side" \
10035 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]10036 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10037 0 \
Jerry Yu136320b2021-12-21 17:09:00 +0800[diff] [blame]10038 -C "client hello, adding supported_groups extension" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10039 -C "client hello, adding supported_point_formats extension" \
10040 -S "found supported elliptic curves extension" \
10041 -S "found supported point formats extension"
10042
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10043requires_hash_alg SHA_256
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]10044requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10045run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]10046 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10047 "$P_CLI debug_level=3" \
10048 0 \
10049 -C "found supported_point_formats extension" \
10050 -S "server hello, supported_point_formats extension"
10051
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10052requires_hash_alg SHA_256
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10053run_test "Force an ECC ciphersuite in the client side" \
10054 "$P_SRV debug_level=3" \
10055 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
10056 0 \
Jerry Yu136320b2021-12-21 17:09:00 +0800[diff] [blame]10057 -c "client hello, adding supported_groups extension" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10058 -c "client hello, adding supported_point_formats extension" \
10059 -s "found supported elliptic curves extension" \
10060 -s "found supported point formats extension"
10061
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10062requires_hash_alg SHA_256
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]10063run_test "Force an ECC ciphersuite in the server side" \
10064 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
10065 "$P_CLI debug_level=3" \
10066 0 \
10067 -c "found supported_point_formats extension" \
10068 -s "server hello, supported_point_formats extension"
10069
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10070# Tests for DTLS HelloVerifyRequest
10071
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10072requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10073run_test "DTLS cookie: enabled" \
10074 "$P_SRV dtls=1 debug_level=2" \
10075 "$P_CLI dtls=1 debug_level=2" \
10076 0 \
10077 -s "cookie verification failed" \
10078 -s "cookie verification passed" \
10079 -S "cookie verification skipped" \
10080 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]10081 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10082 -S "SSL - The requested feature is not available"
10083
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10084requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10085run_test "DTLS cookie: disabled" \
10086 "$P_SRV dtls=1 debug_level=2 cookies=0" \
10087 "$P_CLI dtls=1 debug_level=2" \
10088 0 \
10089 -S "cookie verification failed" \
10090 -S "cookie verification passed" \
10091 -s "cookie verification skipped" \
10092 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]10093 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10094 -S "SSL - The requested feature is not available"
10095
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10096requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]10097run_test "DTLS cookie: default (failing)" \
10098 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
10099 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
10100 1 \
10101 -s "cookie verification failed" \
10102 -S "cookie verification passed" \
10103 -S "cookie verification skipped" \
10104 -C "received hello verify request" \
10105 -S "hello verification requested" \
10106 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10107
10108requires_ipv6
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10109requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10110run_test "DTLS cookie: enabled, IPv6" \
10111 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
10112 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
10113 0 \
10114 -s "cookie verification failed" \
10115 -s "cookie verification passed" \
10116 -S "cookie verification skipped" \
10117 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]10118 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]10119 -S "SSL - The requested feature is not available"
10120
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10121requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]10122run_test "DTLS cookie: enabled, nbio" \
10123 "$P_SRV dtls=1 nbio=2 debug_level=2" \
10124 "$P_CLI dtls=1 nbio=2 debug_level=2" \
10125 0 \
10126 -s "cookie verification failed" \
10127 -s "cookie verification passed" \
10128 -S "cookie verification skipped" \
10129 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]10130 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]10131 -S "SSL - The requested feature is not available"
10132
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10133# Tests for client reconnecting from the same port with DTLS
10134
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10135not_with_valgrind # spurious resend
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10136requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10137run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]10138 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
10139 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10140 0 \
10141 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10142 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10143 -S "Client initiated reconnection from same port"
10144
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10145not_with_valgrind # spurious resend
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10146requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10147run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]10148 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
10149 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10150 0 \
10151 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10152 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10153 -s "Client initiated reconnection from same port"
10154
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]10155not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10156requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]10157run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10158 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
10159 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10160 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10161 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]10162 -s "Client initiated reconnection from same port"
10163
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]10164only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10165requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]10166run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
10167 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
10168 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
10169 0 \
10170 -S "The operation timed out" \
10171 -s "Client initiated reconnection from same port"
10172
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10173requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10174run_test "DTLS client reconnect from same port: no cookies" \
10175 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]10176 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
10177 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]10178 -s "The operation timed out" \
10179 -S "Client initiated reconnection from same port"
10180
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10181requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardbaad2de2020-03-13 11:11:02 +0100[diff] [blame]10182run_test "DTLS client reconnect from same port: attacker-injected" \
10183 -p "$P_PXY inject_clihlo=1" \
10184 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
10185 "$P_CLI dtls=1 exchanges=2" \
10186 0 \
10187 -s "possible client reconnect from the same port" \
10188 -S "Client initiated reconnection from same port"
10189
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10190# Tests for various cases of client authentication with DTLS
10191# (focused on handshake flows and message parsing)
10192
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10193requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10194run_test "DTLS client auth: required" \
10195 "$P_SRV dtls=1 auth_mode=required" \
10196 "$P_CLI dtls=1" \
10197 0 \
10198 -s "Verifying peer X.509 certificate... ok"
10199
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10200requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10201run_test "DTLS client auth: optional, client has no cert" \
10202 "$P_SRV dtls=1 auth_mode=optional" \
10203 "$P_CLI dtls=1 crt_file=none key_file=none" \
10204 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]10205 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10206
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10207requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]10208run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10209 "$P_SRV dtls=1 auth_mode=none" \
10210 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
10211 0 \
10212 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]10213 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]10214
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]10215run_test "DTLS wrong PSK: badmac alert" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]10216 "$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
Gilles Peskineabb1c222024-05-13 21:06:26 +0200[diff] [blame]10217 "$P_CLI dtls=1 psk=73776f726466697374" \
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]10218 1 \
10219 -s "SSL - Verification of the message MAC failed" \
10220 -c "SSL - A fatal alert message was received from our peer"
10221
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]10222# Tests for receiving fragmented handshake messages with DTLS
10223
10224requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10225requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]10226run_test "DTLS reassembly: no fragmentation (gnutls server)" \
10227 "$G_SRV -u --mtu 2048 -a" \
10228 "$P_CLI dtls=1 debug_level=2" \
10229 0 \
10230 -C "found fragmented DTLS handshake message" \
10231 -C "error"
10232
10233requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10234requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]10235run_test "DTLS reassembly: some fragmentation (gnutls server)" \
10236 "$G_SRV -u --mtu 512" \
10237 "$P_CLI dtls=1 debug_level=2" \
10238 0 \
10239 -c "found fragmented DTLS handshake message" \
10240 -C "error"
10241
10242requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10243requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]10244run_test "DTLS reassembly: more fragmentation (gnutls server)" \
10245 "$G_SRV -u --mtu 128" \
10246 "$P_CLI dtls=1 debug_level=2" \
10247 0 \
10248 -c "found fragmented DTLS handshake message" \
10249 -C "error"
10250
10251requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10252requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]10253run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
10254 "$G_SRV -u --mtu 128" \
10255 "$P_CLI dtls=1 nbio=2 debug_level=2" \
10256 0 \
10257 -c "found fragmented DTLS handshake message" \
10258 -C "error"
10259
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]10260requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]10261requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10262requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]10263run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
10264 "$G_SRV -u --mtu 256" \
10265 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
10266 0 \
10267 -c "found fragmented DTLS handshake message" \
10268 -c "client hello, adding renegotiation extension" \
10269 -c "found renegotiation extension" \
10270 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10271 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]10272 -C "error" \
10273 -s "Extra-header:"
10274
10275requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]10276requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10277requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]10278run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
10279 "$G_SRV -u --mtu 256" \
10280 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
10281 0 \
10282 -c "found fragmented DTLS handshake message" \
10283 -c "client hello, adding renegotiation extension" \
10284 -c "found renegotiation extension" \
10285 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]10286 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]10287 -C "error" \
10288 -s "Extra-header:"
10289
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10290requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]10291run_test "DTLS reassembly: no fragmentation (openssl server)" \
10292 "$O_SRV -dtls -mtu 2048" \
10293 "$P_CLI dtls=1 debug_level=2" \
10294 0 \
10295 -C "found fragmented DTLS handshake message" \
10296 -C "error"
10297
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10298requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]10299run_test "DTLS reassembly: some fragmentation (openssl server)" \
Valerio Setti6ba247c2023-03-14 17:13:43 +0100[diff] [blame]10300 "$O_SRV -dtls -mtu 256" \
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]10301 "$P_CLI dtls=1 debug_level=2" \
10302 0 \
10303 -c "found fragmented DTLS handshake message" \
10304 -C "error"
10305
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10306requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]10307run_test "DTLS reassembly: more fragmentation (openssl server)" \
10308 "$O_SRV -dtls -mtu 256" \
10309 "$P_CLI dtls=1 debug_level=2" \
10310 0 \
10311 -c "found fragmented DTLS handshake message" \
10312 -C "error"
10313
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10314requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]10315run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
10316 "$O_SRV -dtls -mtu 256" \
10317 "$P_CLI dtls=1 nbio=2 debug_level=2" \
10318 0 \
10319 -c "found fragmented DTLS handshake message" \
10320 -C "error"
10321
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10322# Tests for sending fragmented handshake messages with DTLS
10323#
10324# Use client auth when we need the client to send large messages,
10325# and use large cert chains on both sides too (the long chains we have all use
10326# both RSA and ECDSA, but ideally we should have long chains with either).
10327# Sizes reached (UDP payload):
10328# - 2037B for server certificate
10329# - 1542B for client certificate
10330# - 1013B for newsessionticket
10331# - all others below 512B
10332# All those tests assume MAX_CONTENT_LEN is at least 2048
10333
10334requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10335requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10336requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10337requires_max_content_len 4096
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10338requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10339run_test "DTLS fragmenting: none (for reference)" \
10340 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10341 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10342 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10343 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]10344 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10345 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10346 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10347 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10348 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]10349 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10350 0 \
10351 -S "found fragmented DTLS handshake message" \
10352 -C "found fragmented DTLS handshake message" \
10353 -C "error"
10354
10355requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10356requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10357requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10358requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10359requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10360run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10361 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10362 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10363 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10364 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10365 max_frag_len=1024" \
10366 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10367 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10368 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10369 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10370 max_frag_len=2048" \
10371 0 \
10372 -S "found fragmented DTLS handshake message" \
10373 -c "found fragmented DTLS handshake message" \
10374 -C "error"
10375
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]10376# With the MFL extension, the server has no way of forcing
10377# the client to not exceed a certain MTU; hence, the following
10378# test can't be replicated with an MTU proxy such as the one
10379# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10380requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10381requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10382requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10383requires_max_content_len 4096
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10384requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10385run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10386 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10387 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10388 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10389 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10390 max_frag_len=512" \
10391 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10392 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10393 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10394 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]10395 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10396 0 \
10397 -S "found fragmented DTLS handshake message" \
10398 -c "found fragmented DTLS handshake message" \
10399 -C "error"
10400
10401requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10402requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10403requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10404requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10405requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10406run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10407 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10408 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10409 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10410 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10411 max_frag_len=2048" \
10412 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10413 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10414 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10415 hs_timeout=2500-60000 \
10416 max_frag_len=1024" \
10417 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10418 -S "found fragmented DTLS handshake message" \
10419 -c "found fragmented DTLS handshake message" \
10420 -C "error"
10421
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10422# While not required by the standard defining the MFL extension
10423# (according to which it only applies to records, not to datagrams),
10424# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
10425# as otherwise there wouldn't be any means to communicate MTU restrictions
10426# to the peer.
10427# The next test checks that no datagrams significantly larger than the
10428# negotiated MFL are sent.
10429requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10430requires_config_enabled MBEDTLS_RSA_C
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10431requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10432requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10433requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10434run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]10435 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10436 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10437 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10438 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10439 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10440 max_frag_len=2048" \
10441 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10442 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10443 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10444 hs_timeout=2500-60000 \
10445 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10446 0 \
10447 -S "found fragmented DTLS handshake message" \
10448 -c "found fragmented DTLS handshake message" \
10449 -C "error"
10450
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10451requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10452requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10453requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10454requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10455requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10456run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10457 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10458 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10459 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10460 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10461 max_frag_len=2048" \
10462 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10463 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10464 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10465 hs_timeout=2500-60000 \
10466 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]10467 0 \
10468 -s "found fragmented DTLS handshake message" \
10469 -c "found fragmented DTLS handshake message" \
10470 -C "error"
10471
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10472# While not required by the standard defining the MFL extension
10473# (according to which it only applies to records, not to datagrams),
10474# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
10475# as otherwise there wouldn't be any means to communicate MTU restrictions
10476# to the peer.
10477# The next test checks that no datagrams significantly larger than the
10478# negotiated MFL are sent.
10479requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10480requires_config_enabled MBEDTLS_RSA_C
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10481requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10482requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10483requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10484run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]10485 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10486 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10487 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10488 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10489 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10490 max_frag_len=2048" \
10491 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10492 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10493 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10494 hs_timeout=2500-60000 \
10495 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]10496 0 \
10497 -s "found fragmented DTLS handshake message" \
10498 -c "found fragmented DTLS handshake message" \
10499 -C "error"
10500
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10501requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10502requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10503requires_max_content_len 4096
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10504requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10505run_test "DTLS fragmenting: none (for reference) (MTU)" \
10506 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10507 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10508 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10509 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]10510 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10511 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10512 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10513 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10514 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]10515 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10516 0 \
10517 -S "found fragmented DTLS handshake message" \
10518 -C "found fragmented DTLS handshake message" \
10519 -C "error"
10520
10521requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10522requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10523requires_max_content_len 4096
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10524requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10525run_test "DTLS fragmenting: client (MTU)" \
10526 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10527 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10528 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10529 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]10530 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10531 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10532 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10533 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10534 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10535 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10536 0 \
10537 -s "found fragmented DTLS handshake message" \
10538 -C "found fragmented DTLS handshake message" \
10539 -C "error"
10540
10541requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10542requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10543requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10544requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10545run_test "DTLS fragmenting: server (MTU)" \
10546 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10547 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10548 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10549 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10550 mtu=512" \
10551 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10552 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10553 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10554 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10555 mtu=2048" \
10556 0 \
10557 -S "found fragmented DTLS handshake message" \
10558 -c "found fragmented DTLS handshake message" \
10559 -C "error"
10560
10561requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10562requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10563requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10564requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10565run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10566 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10567 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10568 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10569 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10570 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]10571 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10572 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10573 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10574 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10575 hs_timeout=2500-60000 \
10576 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]10577 0 \
10578 -s "found fragmented DTLS handshake message" \
10579 -c "found fragmented DTLS handshake message" \
10580 -C "error"
10581
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10582# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10583requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10584requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10585requires_hash_alg SHA_256
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10586requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10587run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]10588 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]10589 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10590 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10591 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10592 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]10593 mtu=512" \
10594 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10595 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10596 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10597 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
10598 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]10599 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]10600 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]10601 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]10602 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]10603 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]10604
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10605# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10606# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10607# The ratio of max/min timeout should ideally equal 4 to accept two
10608# retransmissions, but in some cases (like both the server and client using
10609# fragmentation and auto-reduction) an extra retransmission might occur,
10610# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]10611not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]10612requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10613requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10614requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]10615run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]10616 -p "$P_PXY mtu=508" \
10617 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10618 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10619 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10620 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]10621 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10622 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10623 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10624 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
10625 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]10626 0 \
10627 -s "found fragmented DTLS handshake message" \
10628 -c "found fragmented DTLS handshake message" \
10629 -C "error"
10630
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10631# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]10632only_with_valgrind
10633requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10634requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10635requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]10636run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]10637 -p "$P_PXY mtu=508" \
10638 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10639 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10640 key_file=$DATA_FILES_PATH/server7.key \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]10641 hs_timeout=250-10000" \
10642 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10643 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10644 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10645 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]10646 hs_timeout=250-10000" \
10647 0 \
10648 -s "found fragmented DTLS handshake message" \
10649 -c "found fragmented DTLS handshake message" \
10650 -C "error"
10651
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10652# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]10653# OTOH the client might resend if the server is to slow to reset after sending
10654# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10655not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10656requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10657requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10658requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10659requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10660run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10661 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10662 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10663 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10664 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10665 hs_timeout=10000-60000 \
10666 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10667 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10668 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10669 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10670 hs_timeout=10000-60000 \
10671 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10672 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10673 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10674 -s "found fragmented DTLS handshake message" \
10675 -c "found fragmented DTLS handshake message" \
10676 -C "error"
10677
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10678# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10679# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
10680# OTOH the client might resend if the server is to slow to reset after sending
10681# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10682not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10683requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10684requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10685requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10686run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10687 -p "$P_PXY mtu=512" \
10688 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10689 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10690 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10691 hs_timeout=10000-60000 \
10692 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10693 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10694 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10695 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10696 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
10697 hs_timeout=10000-60000 \
10698 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10699 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10700 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10701 -s "found fragmented DTLS handshake message" \
10702 -c "found fragmented DTLS handshake message" \
10703 -C "error"
10704
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10705not_with_valgrind # spurious autoreduction due to timeout
10706requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10707requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10708requires_max_content_len 2048
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]10709requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10710run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10711 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10712 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10713 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10714 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10715 hs_timeout=10000-60000 \
10716 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10717 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10718 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10719 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10720 hs_timeout=10000-60000 \
10721 mtu=1024 nbio=2" \
10722 0 \
10723 -S "autoreduction" \
10724 -s "found fragmented DTLS handshake message" \
10725 -c "found fragmented DTLS handshake message" \
10726 -C "error"
10727
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10728# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10729not_with_valgrind # spurious autoreduction due to timeout
10730requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10731requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10732requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10733run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
10734 -p "$P_PXY mtu=512" \
10735 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10736 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10737 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10738 hs_timeout=10000-60000 \
10739 mtu=512 nbio=2" \
10740 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10741 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10742 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10743 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
10744 hs_timeout=10000-60000 \
10745 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10746 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10747 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10748 -s "found fragmented DTLS handshake message" \
10749 -c "found fragmented DTLS handshake message" \
10750 -C "error"
10751
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10752# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]10753# This ensures things still work after session_reset().
10754# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10755# Since we don't support reading fragmented ClientHello yet,
10756# up the MTU to 1450 (larger than ClientHello with session ticket,
10757# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10758# An autoreduction on the client-side might happen if the server is
10759# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]10760# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10761# resumed listening, which would result in a spurious autoreduction.
10762not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10763requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10764requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10765requires_max_content_len 2048
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10766run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
10767 -p "$P_PXY mtu=1450" \
10768 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10769 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10770 key_file=$DATA_FILES_PATH/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10771 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10772 mtu=1450" \
10773 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10774 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10775 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10776 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10777 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Jerry Yua15af372022-12-05 15:55:24 +0800[diff] [blame]10778 mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1000" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10779 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10780 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]10781 -s "found fragmented DTLS handshake message" \
10782 -c "found fragmented DTLS handshake message" \
10783 -C "error"
10784
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10785# An autoreduction on the client-side might happen if the server is
10786# slow to reset, therefore omitting '-C "autoreduction"' below.
10787not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10788requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10789requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10790requires_hash_alg SHA_256
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10791requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10792requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10793run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
10794 -p "$P_PXY mtu=512" \
10795 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10796 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10797 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10798 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10799 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10800 mtu=512" \
10801 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10802 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10803 key_file=$DATA_FILES_PATH/server8.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10804 exchanges=2 renegotiation=1 renegotiate=1 \
Ronald Cron60f76662023-11-28 17:52:42 +0100[diff] [blame]10805 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10806 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10807 mtu=512" \
10808 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10809 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10810 -s "found fragmented DTLS handshake message" \
10811 -c "found fragmented DTLS handshake message" \
10812 -C "error"
10813
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10814# An autoreduction on the client-side might happen if the server is
10815# slow to reset, therefore omitting '-C "autoreduction"' below.
10816not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10817requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10818requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10819requires_hash_alg SHA_256
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10820requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10821requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10822run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
10823 -p "$P_PXY mtu=512" \
10824 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10825 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10826 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10827 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10828 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10829 mtu=512" \
10830 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10831 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10832 key_file=$DATA_FILES_PATH/server8.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10833 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10834 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10835 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10836 mtu=512" \
10837 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10838 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10839 -s "found fragmented DTLS handshake message" \
10840 -c "found fragmented DTLS handshake message" \
10841 -C "error"
10842
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10843# An autoreduction on the client-side might happen if the server is
10844# slow to reset, therefore omitting '-C "autoreduction"' below.
10845not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10846requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10847requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10848requires_hash_alg SHA_256
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10849requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10850requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10851run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10852 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10853 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10854 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10855 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10856 exchanges=2 renegotiation=1 \
10857 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10858 hs_timeout=10000-60000 \
10859 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10860 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10861 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10862 key_file=$DATA_FILES_PATH/server8.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10863 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10864 hs_timeout=10000-60000 \
10865 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10866 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10867 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10868 -s "found fragmented DTLS handshake message" \
10869 -c "found fragmented DTLS handshake message" \
10870 -C "error"
10871
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10872# An autoreduction on the client-side might happen if the server is
10873# slow to reset, therefore omitting '-C "autoreduction"' below.
10874not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10875requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10876requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10877requires_hash_alg SHA_256
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10878requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10879requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10880requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10881run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10882 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10883 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10884 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10885 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10886 exchanges=2 renegotiation=1 \
10887 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10888 hs_timeout=10000-60000 \
10889 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10890 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10891 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10892 key_file=$DATA_FILES_PATH/server8.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10893 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10894 hs_timeout=10000-60000 \
10895 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10896 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10897 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10898 -s "found fragmented DTLS handshake message" \
10899 -c "found fragmented DTLS handshake message" \
10900 -C "error"
10901
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10902# An autoreduction on the client-side might happen if the server is
10903# slow to reset, therefore omitting '-C "autoreduction"' below.
10904not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10905requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10906requires_config_enabled MBEDTLS_RSA_C
Andrzej Kurek934e9cd2022-09-05 14:44:46 -0400[diff] [blame]10907requires_hash_alg SHA_256
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10908requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10909requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10910run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10911 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10912 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10913 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10914 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10915 exchanges=2 renegotiation=1 \
10916 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10917 hs_timeout=10000-60000 \
10918 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10919 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10920 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10921 key_file=$DATA_FILES_PATH/server8.key \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10922 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]10923 hs_timeout=10000-60000 \
10924 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10925 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]10926 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]10927 -s "found fragmented DTLS handshake message" \
10928 -c "found fragmented DTLS handshake message" \
10929 -C "error"
10930
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10931# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]10932requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10933requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]10934client_needs_more_time 2
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10935requires_max_content_len 2048
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]10936run_test "DTLS fragmenting: proxy MTU + 3d" \
10937 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]10938 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10939 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10940 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]10941 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]10942 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10943 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10944 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10945 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]10946 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]10947 0 \
10948 -s "found fragmented DTLS handshake message" \
10949 -c "found fragmented DTLS handshake message" \
10950 -C "error"
10951
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]10952# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10953requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10954requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10955client_needs_more_time 2
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10956requires_max_content_len 2048
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10957run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
10958 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
10959 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10960 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
10961 key_file=$DATA_FILES_PATH/server7.key \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10962 hs_timeout=250-10000 mtu=512 nbio=2" \
10963 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10964 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10965 key_file=$DATA_FILES_PATH/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]10966 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]10967 hs_timeout=250-10000 mtu=512 nbio=2" \
10968 0 \
10969 -s "found fragmented DTLS handshake message" \
10970 -c "found fragmented DTLS handshake message" \
10971 -C "error"
10972
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]10973# interop tests for DTLS fragmentating with reliable connection
10974#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]10975# here and below we just want to test that the we fragment in a way that
10976# pleases other implementations, so we don't need the peer to fragment
10977requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10978requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]10979requires_gnutls
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]10980requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]10981run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
10982 "$G_SRV -u" \
10983 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]10984 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
10985 key_file=$DATA_FILES_PATH/server8.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]10986 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]10987 0 \
10988 -c "fragmenting handshake message" \
10989 -C "error"
10990
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]10991# We use --insecure for the GnuTLS client because it expects
10992# the hostname / IP it connects to to be the name used in the
10993# certificate obtained from the server. Here, however, it
10994# connects to 127.0.0.1 while our test certificates use 'localhost'
10995# as the server name in the certificate. This will make the
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]10996# certificate validation fail, but passing --insecure makes
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]10997# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]10998requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
10999requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]11000requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]11001requires_not_i686
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11002requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11003run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Valerio Setti3b2c0282023-03-08 10:22:29 +0100[diff] [blame]11004 "$P_SRV dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11005 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
11006 key_file=$DATA_FILES_PATH/server7.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11007 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]11008 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11009 0 \
11010 -s "fragmenting handshake message"
11011
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11012requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11013requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11014requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11015run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
11016 "$O_SRV -dtls1_2 -verify 10" \
11017 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11018 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
11019 key_file=$DATA_FILES_PATH/server8.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11020 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11021 0 \
11022 -c "fragmenting handshake message" \
11023 -C "error"
11024
11025requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11026requires_config_enabled MBEDTLS_RSA_C
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11027requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11028run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
11029 "$P_SRV dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11030 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
11031 key_file=$DATA_FILES_PATH/server7.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11032 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]11033 "$O_CLI -dtls1_2" \
11034 0 \
11035 -s "fragmenting handshake message"
11036
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11037# interop tests for DTLS fragmentating with unreliable connection
11038#
11039# again we just want to test that the we fragment in a way that
11040# pleases other implementations, so we don't need the peer to fragment
11041requires_gnutls_next
11042requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11043requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]11044client_needs_more_time 4
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11045requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11046run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
11047 -p "$P_PXY drop=8 delay=8 duplicate=8" \
11048 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11049 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11050 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
11051 key_file=$DATA_FILES_PATH/server8.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11052 hs_timeout=250-60000 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11053 0 \
11054 -c "fragmenting handshake message" \
11055 -C "error"
11056
11057requires_gnutls_next
11058requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11059requires_config_enabled MBEDTLS_RSA_C
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11060client_needs_more_time 4
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11061requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11062run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
11063 -p "$P_PXY drop=8 delay=8 duplicate=8" \
11064 "$P_SRV dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11065 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
11066 key_file=$DATA_FILES_PATH/server7.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11067 hs_timeout=250-60000 mtu=512 force_version=dtls12" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]11068 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11069 0 \
11070 -s "fragmenting handshake message"
11071
Zhangsen Wang91385122022-07-12 01:48:17 +0000[diff] [blame]11072## The test below requires 1.1.1a or higher version of openssl, otherwise
11073## it might trigger a bug due to openssl server (https://github.com/openssl/openssl/issues/6902)
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]11074requires_openssl_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11075requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11076requires_config_enabled MBEDTLS_RSA_C
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11077client_needs_more_time 4
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11078requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11079run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
11080 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]11081 "$O_NEXT_SRV -dtls1_2 -verify 10" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11082 "$P_CLI dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11083 crt_file=$DATA_FILES_PATH/server8_int-ca2.crt \
11084 key_file=$DATA_FILES_PATH/server8.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11085 hs_timeout=250-60000 mtu=512 force_version=dtls12" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]11086 0 \
11087 -c "fragmenting handshake message" \
11088 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11089
Zhangsen Wangd5e8a482022-07-29 07:53:36 +0000[diff] [blame]11090## the test below will time out with certain seed.
Zhangsen Wangbaeffbb2022-07-29 06:34:47 +0000[diff] [blame]11091## The cause is an openssl bug (https://github.com/openssl/openssl/issues/18887)
11092skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11093requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
11094requires_config_enabled MBEDTLS_RSA_C
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]11095client_needs_more_time 4
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]11096requires_max_content_len 2048
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]11097run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
11098 -p "$P_PXY drop=8 delay=8 duplicate=8" \
11099 "$P_SRV dtls=1 debug_level=2 \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]11100 crt_file=$DATA_FILES_PATH/server7_int-ca.crt \
11101 key_file=$DATA_FILES_PATH/server7.key \
Xiaofei Bai8b5c3822021-12-02 08:43:35 +0000[diff] [blame]11102 hs_timeout=250-60000 mtu=512 force_version=dtls12" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]11103 "$O_CLI -dtls1_2" \
11104 0 \
11105 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]11106
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11107# Tests for DTLS-SRTP (RFC 5764)
11108requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11109requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11110run_test "DTLS-SRTP all profiles supported" \
11111 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11112 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11113 0 \
11114 -s "found use_srtp extension" \
11115 -s "found srtp profile" \
11116 -s "selected srtp profile" \
11117 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11118 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11119 -c "client hello, adding use_srtp extension" \
11120 -c "found use_srtp extension" \
11121 -c "found srtp profile" \
11122 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11123 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11124 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11125 -C "error"
11126
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11127
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11128requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11129requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11130run_test "DTLS-SRTP server supports all profiles. Client supports one profile." \
11131 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11132 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=5 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11133 0 \
11134 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11135 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
11136 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11137 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11138 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11139 -c "client hello, adding use_srtp extension" \
11140 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11141 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11142 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11143 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11144 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11145 -C "error"
11146
11147requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11148requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11149run_test "DTLS-SRTP server supports one profile. Client supports all profiles." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11150 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11151 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11152 0 \
11153 -s "found use_srtp extension" \
11154 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11155 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11156 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11157 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11158 -c "client hello, adding use_srtp extension" \
11159 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11160 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11161 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11162 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11163 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11164 -C "error"
11165
11166requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11167requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11168run_test "DTLS-SRTP server and Client support only one matching profile." \
11169 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11170 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11171 0 \
11172 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11173 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
11174 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11175 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11176 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11177 -c "client hello, adding use_srtp extension" \
11178 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11179 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11180 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11181 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11182 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11183 -C "error"
11184
11185requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11186requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11187run_test "DTLS-SRTP server and Client support only one different profile." \
11188 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11189 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11190 0 \
11191 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11192 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11193 -S "selected srtp profile" \
11194 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11195 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11196 -c "client hello, adding use_srtp extension" \
11197 -C "found use_srtp extension" \
11198 -C "found srtp profile" \
11199 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11200 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11201 -C "error"
11202
11203requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11204requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11205run_test "DTLS-SRTP server doesn't support use_srtp extension." \
11206 "$P_SRV dtls=1 debug_level=3" \
11207 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11208 0 \
11209 -s "found use_srtp extension" \
11210 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11211 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11212 -c "client hello, adding use_srtp extension" \
11213 -C "found use_srtp extension" \
11214 -C "found srtp profile" \
11215 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11216 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11217 -C "error"
11218
11219requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11220requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11221run_test "DTLS-SRTP all profiles supported. mki used" \
11222 "$P_SRV dtls=1 use_srtp=1 support_mki=1 debug_level=3" \
11223 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
11224 0 \
11225 -s "found use_srtp extension" \
11226 -s "found srtp profile" \
11227 -s "selected srtp profile" \
11228 -s "server hello, adding use_srtp extension" \
11229 -s "dumping 'using mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11230 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11231 -c "client hello, adding use_srtp extension" \
11232 -c "found use_srtp extension" \
11233 -c "found srtp profile" \
11234 -c "selected srtp profile" \
11235 -c "dumping 'sending mki' (8 bytes)" \
11236 -c "dumping 'received mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11237 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11238 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]11239 -g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11240 -C "error"
11241
11242requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11243requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11244run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
11245 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11246 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
11247 0 \
11248 -s "found use_srtp extension" \
11249 -s "found srtp profile" \
11250 -s "selected srtp profile" \
11251 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11252 -s "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]11253 -s "DTLS-SRTP no mki value negotiated"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11254 -S "dumping 'using mki' (8 bytes)" \
11255 -c "client hello, adding use_srtp extension" \
11256 -c "found use_srtp extension" \
11257 -c "found srtp profile" \
11258 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11259 -c "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]11260 -c "DTLS-SRTP no mki value negotiated"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]11261 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]11262 -c "dumping 'sending mki' (8 bytes)" \
11263 -C "dumping 'received mki' (8 bytes)" \
11264 -C "error"
11265
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11266requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11267requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11268run_test "DTLS-SRTP all profiles supported. openssl client." \
11269 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11270 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11271 0 \
11272 -s "found use_srtp extension" \
11273 -s "found srtp profile" \
11274 -s "selected srtp profile" \
11275 -s "server hello, adding use_srtp extension" \
11276 -s "DTLS-SRTP key material is"\
11277 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
11278 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80"
11279
11280requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11281requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11282run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \
11283 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11284 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11285 0 \
11286 -s "found use_srtp extension" \
11287 -s "found srtp profile" \
11288 -s "selected srtp profile" \
11289 -s "server hello, adding use_srtp extension" \
11290 -s "DTLS-SRTP key material is"\
11291 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
11292 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
11293
11294requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11295requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11296run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \
11297 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11298 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11299 0 \
11300 -s "found use_srtp extension" \
11301 -s "found srtp profile" \
11302 -s "selected srtp profile" \
11303 -s "server hello, adding use_srtp extension" \
11304 -s "DTLS-SRTP key material is"\
11305 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
11306 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
11307
11308requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11309requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11310run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \
11311 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11312 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11313 0 \
11314 -s "found use_srtp extension" \
11315 -s "found srtp profile" \
11316 -s "selected srtp profile" \
11317 -s "server hello, adding use_srtp extension" \
11318 -s "DTLS-SRTP key material is"\
11319 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
11320 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
11321
11322requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11323requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11324run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \
11325 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11326 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11327 0 \
11328 -s "found use_srtp extension" \
11329 -s "found srtp profile" \
11330 -s "selected srtp profile" \
11331 -s "server hello, adding use_srtp extension" \
11332 -s "DTLS-SRTP key material is"\
11333 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
11334 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
11335
11336requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11337requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11338run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \
11339 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
11340 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11341 0 \
11342 -s "found use_srtp extension" \
11343 -s "found srtp profile" \
11344 -S "selected srtp profile" \
11345 -S "server hello, adding use_srtp extension" \
11346 -S "DTLS-SRTP key material is"\
11347 -C "SRTP Extension negotiated, profile"
11348
11349requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11350requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11351run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \
11352 "$P_SRV dtls=1 debug_level=3" \
11353 "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11354 0 \
11355 -s "found use_srtp extension" \
11356 -S "server hello, adding use_srtp extension" \
11357 -S "DTLS-SRTP key material is"\
11358 -C "SRTP Extension negotiated, profile"
11359
11360requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11361requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11362run_test "DTLS-SRTP all profiles supported. openssl server" \
11363 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11364 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11365 0 \
11366 -c "client hello, adding use_srtp extension" \
11367 -c "found use_srtp extension" \
11368 -c "found srtp profile" \
11369 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
11370 -c "DTLS-SRTP key material is"\
11371 -C "error"
11372
11373requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11374requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11375run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \
11376 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11377 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11378 0 \
11379 -c "client hello, adding use_srtp extension" \
11380 -c "found use_srtp extension" \
11381 -c "found srtp profile" \
11382 -c "selected srtp profile" \
11383 -c "DTLS-SRTP key material is"\
11384 -C "error"
11385
11386requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11387requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11388run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \
11389 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11390 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11391 0 \
11392 -c "client hello, adding use_srtp extension" \
11393 -c "found use_srtp extension" \
11394 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
11395 -c "selected srtp profile" \
11396 -c "DTLS-SRTP key material is"\
11397 -C "error"
11398
11399requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11400requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11401run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \
11402 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11403 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11404 0 \
11405 -c "client hello, adding use_srtp extension" \
11406 -c "found use_srtp extension" \
11407 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
11408 -c "selected srtp profile" \
11409 -c "DTLS-SRTP key material is"\
11410 -C "error"
11411
11412requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11413requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11414run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \
11415 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11416 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11417 0 \
11418 -c "client hello, adding use_srtp extension" \
11419 -c "found use_srtp extension" \
11420 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
11421 -c "selected srtp profile" \
11422 -c "DTLS-SRTP key material is"\
11423 -C "error"
11424
11425requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11426requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11427run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \
11428 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11429 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
11430 0 \
11431 -c "client hello, adding use_srtp extension" \
11432 -C "found use_srtp extension" \
11433 -C "found srtp profile" \
11434 -C "selected srtp profile" \
11435 -C "DTLS-SRTP key material is"\
11436 -C "error"
11437
11438requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11439requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11440run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \
11441 "$O_SRV -dtls" \
11442 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11443 0 \
11444 -c "client hello, adding use_srtp extension" \
11445 -C "found use_srtp extension" \
11446 -C "found srtp profile" \
11447 -C "selected srtp profile" \
11448 -C "DTLS-SRTP key material is"\
11449 -C "error"
11450
11451requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11452requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
TRodziewicz4ca18aa2021-05-20 14:46:20 +0200[diff] [blame]11453run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \
11454 "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
11455 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
11456 0 \
11457 -c "client hello, adding use_srtp extension" \
11458 -c "found use_srtp extension" \
11459 -c "found srtp profile" \
11460 -c "selected srtp profile" \
11461 -c "DTLS-SRTP key material is"\
11462 -c "DTLS-SRTP no mki value negotiated"\
11463 -c "dumping 'sending mki' (8 bytes)" \
11464 -C "dumping 'received mki' (8 bytes)" \
11465 -C "error"
11466
11467requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11468requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11469requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11470run_test "DTLS-SRTP all profiles supported. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11471 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11472 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11473 0 \
11474 -s "found use_srtp extension" \
11475 -s "found srtp profile" \
11476 -s "selected srtp profile" \
11477 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11478 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11479 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_80"
11480
11481requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11482requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11483requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11484run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11485 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11486 "$G_CLI -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11487 0 \
11488 -s "found use_srtp extension" \
11489 -s "found srtp profile" \
11490 -s "selected srtp profile" \
11491 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11492 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11493 -c "SRTP profile: SRTP_NULL_HMAC_SHA1_80"
11494
11495requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11496requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11497requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11498run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11499 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
11500 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11501 0 \
11502 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11503 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
11504 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11505 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11506 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11507 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
11508
11509requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11510requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11511requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11512run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls client." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11513 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11514 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11515 0 \
11516 -s "found use_srtp extension" \
11517 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11518 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11519 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11520 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11521 -c "SRTP profile: SRTP_NULL_SHA1_32"
11522
11523requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11524requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11525requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11526run_test "DTLS-SRTP server and Client support only one matching profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11527 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11528 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11529 0 \
11530 -s "found use_srtp extension" \
11531 -s "found srtp profile" \
11532 -s "selected srtp profile" \
11533 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11534 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11535 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
11536
11537requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11538requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11539requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11540run_test "DTLS-SRTP server and Client support only one different profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11541 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
11542 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11543 0 \
11544 -s "found use_srtp extension" \
11545 -s "found srtp profile" \
11546 -S "selected srtp profile" \
11547 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11548 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11549 -C "SRTP profile:"
11550
11551requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11552requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11553requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11554run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls client" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11555 "$P_SRV dtls=1 debug_level=3" \
11556 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11557 0 \
11558 -s "found use_srtp extension" \
11559 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11560 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11561 -C "SRTP profile:"
11562
11563requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11564requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11565requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11566run_test "DTLS-SRTP all profiles supported. gnutls server" \
11567 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
11568 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11569 0 \
11570 -c "client hello, adding use_srtp extension" \
11571 -c "found use_srtp extension" \
11572 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11573 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11574 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11575 -C "error"
11576
11577requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11578requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11579requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11580run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls server." \
11581 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
11582 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11583 0 \
11584 -c "client hello, adding use_srtp extension" \
11585 -c "found use_srtp extension" \
11586 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11587 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11588 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11589 -C "error"
11590
11591requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11592requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11593requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11594run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls server." \
11595 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
11596 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11597 0 \
11598 -c "client hello, adding use_srtp extension" \
11599 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11600 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11601 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11602 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11603 -C "error"
11604
11605requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11606requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11607requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11608run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls server." \
11609 "$G_SRV -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11610 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11611 0 \
11612 -c "client hello, adding use_srtp extension" \
11613 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11614 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11615 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11616 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11617 -C "error"
11618
11619requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11620requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11621requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11622run_test "DTLS-SRTP server and Client support only one matching profile. gnutls server." \
11623 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
11624 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
11625 0 \
11626 -c "client hello, adding use_srtp extension" \
11627 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11628 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11629 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11630 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11631 -C "error"
11632
11633requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11634requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11635requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11636run_test "DTLS-SRTP server and Client support only one different profile. gnutls server." \
11637 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]11638 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11639 0 \
11640 -c "client hello, adding use_srtp extension" \
11641 -C "found use_srtp extension" \
11642 -C "found srtp profile" \
11643 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11644 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11645 -C "error"
11646
11647requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11648requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11649requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11650run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \
11651 "$G_SRV -u" \
11652 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
11653 0 \
11654 -c "client hello, adding use_srtp extension" \
11655 -C "found use_srtp extension" \
11656 -C "found srtp profile" \
11657 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11658 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11659 -C "error"
11660
11661requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]11662requires_gnutls
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11663requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11664run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \
11665 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
11666 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
11667 0 \
11668 -c "client hello, adding use_srtp extension" \
11669 -c "found use_srtp extension" \
11670 -c "found srtp profile" \
11671 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]11672 -c "DTLS-SRTP key material is"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]11673 -c "DTLS-SRTP mki value:"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]11674 -c "dumping 'sending mki' (8 bytes)" \
11675 -c "dumping 'received mki' (8 bytes)" \
11676 -C "error"
11677
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]11678# Tests for specific things with "unreliable" UDP connection
11679
11680not_with_valgrind # spurious resend due to timeout
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11681requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]11682run_test "DTLS proxy: reference" \
11683 -p "$P_PXY" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]11684 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
11685 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]11686 0 \
11687 -C "replayed record" \
11688 -S "replayed record" \
Hanno Beckerb2a86c32019-07-19 15:43:09 +0100[diff] [blame]11689 -C "Buffer record from epoch" \
11690 -S "Buffer record from epoch" \
11691 -C "ssl_buffer_message" \
11692 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]11693 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]11694 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]11695 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]11696 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]11697 -c "HTTP/1.0 200 OK"
11698
11699not_with_valgrind # spurious resend due to timeout
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11700requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]11701run_test "DTLS proxy: duplicate every packet" \
11702 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]11703 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
11704 "$P_CLI dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]11705 0 \
11706 -c "replayed record" \
11707 -s "replayed record" \
11708 -c "record from another epoch" \
11709 -s "record from another epoch" \
11710 -S "resend" \
11711 -s "Extra-header:" \
11712 -c "HTTP/1.0 200 OK"
11713
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11714requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]11715run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
11716 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11717 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
11718 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]11719 0 \
11720 -c "replayed record" \
11721 -S "replayed record" \
11722 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11723 -s "record from another epoch" \
11724 -c "resend" \
11725 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]11726 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11727 -c "HTTP/1.0 200 OK"
11728
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11729requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]11730run_test "DTLS proxy: multiple records in same datagram" \
11731 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11732 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
11733 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]11734 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11735 -c "next record in same datagram" \
11736 -s "next record in same datagram"
11737
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11738requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11739run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
11740 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11741 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
11742 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]11743 0 \
11744 -c "next record in same datagram" \
11745 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11746
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11747requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]11748run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
11749 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11750 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
11751 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11752 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]11753 -c "discarding invalid record (mac)" \
11754 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11755 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11756 -c "HTTP/1.0 200 OK" \
11757 -S "too many records with bad MAC" \
11758 -S "Verification of the message MAC failed"
11759
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11760requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11761run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
11762 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11763 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
11764 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11765 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]11766 -C "discarding invalid record (mac)" \
11767 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11768 -S "Extra-header:" \
11769 -C "HTTP/1.0 200 OK" \
11770 -s "too many records with bad MAC" \
11771 -s "Verification of the message MAC failed"
11772
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11773requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11774run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
11775 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11776 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
11777 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11778 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]11779 -c "discarding invalid record (mac)" \
11780 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11781 -s "Extra-header:" \
11782 -c "HTTP/1.0 200 OK" \
11783 -S "too many records with bad MAC" \
11784 -S "Verification of the message MAC failed"
11785
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11786requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11787run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
11788 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]11789 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
11790 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11791 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]11792 -c "discarding invalid record (mac)" \
11793 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]11794 -s "Extra-header:" \
11795 -c "HTTP/1.0 200 OK" \
11796 -s "too many records with bad MAC" \
11797 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11798
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11799requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11800run_test "DTLS proxy: delay ChangeCipherSpec" \
11801 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]11802 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
11803 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11804 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]11805 -c "record from another epoch" \
11806 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11807 -s "Extra-header:" \
11808 -c "HTTP/1.0 200 OK"
11809
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]11810# Tests for reordering support with DTLS
11811
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11812requires_certificate_authentication
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11813requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11814run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
11815 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11816 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11817 hs_timeout=2500-60000" \
11818 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11819 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]11820 0 \
11821 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11822 -c "Next handshake message has been buffered - load"\
11823 -S "Buffering HS message" \
11824 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11825 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11826 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11827 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11828 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]11829
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11830requires_certificate_authentication
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11831requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]11832run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
11833 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11834 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11835 hs_timeout=2500-60000" \
11836 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11837 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]11838 0 \
11839 -c "Buffering HS message" \
11840 -c "found fragmented DTLS handshake message"\
11841 -c "Next handshake message 1 not or only partially bufffered" \
11842 -c "Next handshake message has been buffered - load"\
11843 -S "Buffering HS message" \
11844 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11845 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]11846 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11847 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]11848 -S "Remember CCS message"
11849
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11850# The client buffers the ServerKeyExchange before receiving the fragmented
11851# Certificate message; at the time of writing, together these are aroudn 1200b
11852# in size, so that the bound below ensures that the certificate can be reassembled
11853# while keeping the ServerKeyExchange.
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11854requires_certificate_authentication
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11855requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11856requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11857run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]11858 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11859 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11860 hs_timeout=2500-60000" \
11861 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11862 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]11863 0 \
11864 -c "Buffering HS message" \
11865 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11866 -C "attempt to make space by freeing buffered messages" \
11867 -S "Buffering HS message" \
11868 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11869 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11870 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11871 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11872 -S "Remember CCS message"
11873
11874# The size constraints ensure that the delayed certificate message can't
11875# be reassembled while keeping the ServerKeyExchange message, but it can
11876# when dropping it first.
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11877requires_certificate_authentication
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11878requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
11879requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11880requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11881run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
11882 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11883 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11884 hs_timeout=2500-60000" \
11885 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11886 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11887 0 \
11888 -c "Buffering HS message" \
11889 -c "attempt to make space by freeing buffered future messages" \
11890 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]11891 -S "Buffering HS message" \
11892 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11893 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]11894 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11895 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]11896 -S "Remember CCS message"
11897
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11898requires_certificate_authentication
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11899requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11900run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
11901 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11902 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
11903 hs_timeout=2500-60000" \
11904 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11905 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11906 0 \
11907 -C "Buffering HS message" \
11908 -C "Next handshake message has been buffered - load"\
11909 -s "Buffering HS message" \
11910 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11911 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11912 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11913 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11914 -S "Remember CCS message"
11915
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11916requires_certificate_authentication
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11917requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]11918requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11919run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
11920 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11921 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11922 hs_timeout=2500-60000" \
11923 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11924 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11925 0 \
11926 -C "Buffering HS message" \
11927 -C "Next handshake message has been buffered - load"\
11928 -S "Buffering HS message" \
11929 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11930 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11931 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11932 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11933 -S "Remember CCS message"
11934
Gilles Peskine6f160ca2022-03-14 18:21:24 +0100[diff] [blame]11935requires_certificate_authentication
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11936requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11937run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
11938 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11939 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11940 hs_timeout=2500-60000" \
11941 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11942 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11943 0 \
11944 -C "Buffering HS message" \
11945 -C "Next handshake message has been buffered - load"\
11946 -S "Buffering HS message" \
11947 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11948 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11949 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]11950 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11951 -s "Remember CCS message"
11952
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]11953requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11954run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11955 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11956 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
11957 hs_timeout=2500-60000" \
11958 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
11959 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]11960 0 \
11961 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]11962 -s "Found buffered record from current epoch - load" \
11963 -c "Buffer record from epoch 1" \
11964 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]11965
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11966# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
11967# from the server are delayed, so that the encrypted Finished message
11968# is received and buffered. When the fragmented NewSessionTicket comes
11969# in afterwards, the encrypted Finished message must be freed in order
11970# to make space for the NewSessionTicket to be reassembled.
11971# This works only in very particular circumstances:
11972# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
11973# of the NewSessionTicket, but small enough to also allow buffering of
11974# the encrypted Finished message.
11975# - The MTU setting on the server must be so small that the NewSessionTicket
11976# needs to be fragmented.
11977# - All messages sent by the server must be small enough to be either sent
11978# without fragmentation or be reassembled within the bounds of
11979# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
11980# handshake, omitting CRTs.
Manuel Pégourié-Gonnardeef4c752019-05-28 10:21:30 +0200[diff] [blame]11981requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
11982requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11983run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
11984 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]11985 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
11986 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]11987 0 \
11988 -s "Buffer record from epoch 1" \
11989 -s "Found buffered record from current epoch - load" \
11990 -c "Buffer record from epoch 1" \
11991 -C "Found buffered record from current epoch - load" \
11992 -c "Enough space available after freeing future epoch record"
11993
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]11994# Tests for "randomly unreliable connection": try a variety of flows and peers
11995
11996client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]11997run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
11998 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]11999 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12000 psk=73776f726466697368" \
12001 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12002 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12003 0 \
12004 -s "Extra-header:" \
12005 -c "HTTP/1.0 200 OK"
12006
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12007client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12008run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
12009 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12010 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
12011 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12012 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
12013 0 \
12014 -s "Extra-header:" \
12015 -c "HTTP/1.0 200 OK"
12016
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12017client_needs_more_time 2
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12018requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12019run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
12020 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12021 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
12022 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12023 0 \
12024 -s "Extra-header:" \
12025 -c "HTTP/1.0 200 OK"
12026
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12027client_needs_more_time 2
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12028requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12029run_test "DTLS proxy: 3d, FS, client auth" \
12030 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12031 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
12032 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12033 0 \
12034 -s "Extra-header:" \
12035 -c "HTTP/1.0 200 OK"
12036
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12037client_needs_more_time 2
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12038requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]12039requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12040run_test "DTLS proxy: 3d, FS, ticket" \
12041 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12042 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
12043 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12044 0 \
12045 -s "Extra-header:" \
12046 -c "HTTP/1.0 200 OK"
12047
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12048client_needs_more_time 2
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12049requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]12050requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]12051run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
12052 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12053 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
12054 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]12055 0 \
12056 -s "Extra-header:" \
12057 -c "HTTP/1.0 200 OK"
12058
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12059client_needs_more_time 2
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12060requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Norbert Fabritiusc93fc862023-04-12 09:50:30 +0200[diff] [blame]12061requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12062run_test "DTLS proxy: 3d, max handshake, nbio" \
12063 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12064 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]12065 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12066 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12067 0 \
12068 -s "Extra-header:" \
12069 -c "HTTP/1.0 200 OK"
12070
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12071client_needs_more_time 4
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]12072requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]12073run_test "DTLS proxy: 3d, min handshake, resumption" \
12074 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12075 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12076 psk=73776f726466697368 debug_level=3" \
12077 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]12078 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]12079 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12080 0 \
12081 -s "a session has been resumed" \
12082 -c "a session has been resumed" \
12083 -s "Extra-header:" \
12084 -c "HTTP/1.0 200 OK"
12085
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12086client_needs_more_time 4
Gilles Peskine2fe796f2022-02-25 19:51:52 +0100[diff] [blame]12087requires_config_enabled MBEDTLS_SSL_CACHE_C
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]12088run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
12089 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12090 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12091 psk=73776f726466697368 debug_level=3 nbio=2" \
12092 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]12093 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]12094 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
12095 0 \
12096 -s "a session has been resumed" \
12097 -c "a session has been resumed" \
12098 -s "Extra-header:" \
12099 -c "HTTP/1.0 200 OK"
12100
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12101client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]12102requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12103run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]12104 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12105 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12106 psk=73776f726466697368 renegotiation=1 debug_level=2" \
12107 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]12108 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]12109 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12110 0 \
12111 -c "=> renegotiate" \
12112 -s "=> renegotiate" \
12113 -s "Extra-header:" \
12114 -c "HTTP/1.0 200 OK"
12115
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12116client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]12117requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12118run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
12119 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12120 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12121 psk=73776f726466697368 renegotiation=1 debug_level=2" \
12122 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]12123 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12124 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12125 0 \
12126 -c "=> renegotiate" \
12127 -s "=> renegotiate" \
12128 -s "Extra-header:" \
12129 -c "HTTP/1.0 200 OK"
12130
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12131client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]12132requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12133run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]12134 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12135 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12136 psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12137 debug_level=2" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12138 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]12139 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12140 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12141 0 \
12142 -c "=> renegotiate" \
12143 -s "=> renegotiate" \
12144 -s "Extra-header:" \
12145 -c "HTTP/1.0 200 OK"
12146
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12147client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]12148requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12149run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]12150 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12151 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12152 psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12153 debug_level=2 nbio=2" \
Gilles Peskine02cd7162024-04-29 16:09:52 +0200[diff] [blame]12154 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]12155 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]12156 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
12157 0 \
12158 -c "=> renegotiate" \
12159 -s "=> renegotiate" \
12160 -s "Extra-header:" \
12161 -c "HTTP/1.0 200 OK"
12162
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]12163## The three tests below require 1.1.1a or higher version of openssl, otherwise
12164## it might trigger a bug due to openssl (https://github.com/openssl/openssl/issues/6902)
12165## Besides, openssl should use dtls1_2 or dtls, otherwise it will cause "SSL alert number 70" error
12166requires_openssl_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12167client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12168not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12169requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12170run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]12171 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
Valerio Setti2f8eb622023-03-16 13:04:44 +0100[diff] [blame]12172 "$O_NEXT_SRV -dtls1_2 -mtu 2048" \
12173 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]12174 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]12175 -c "HTTP/1.0 200 OK"
12176
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]12177requires_openssl_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12178client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12179not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12180requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12181run_test "DTLS proxy: 3d, openssl server, fragmentation" \
12182 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]12183 "$O_NEXT_SRV -dtls1_2 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12184 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12185 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12186 -c "HTTP/1.0 200 OK"
12187
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]12188requires_openssl_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12189client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12190not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12191requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12192run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
12193 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
Zhangsen Wang87a9c862022-06-28 06:10:35 +0000[diff] [blame]12194 "$O_NEXT_SRV -dtls1_2 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12195 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12196 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12197 -c "HTTP/1.0 200 OK"
12198
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]12199requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12200client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12201not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12202requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12203run_test "DTLS proxy: 3d, gnutls server" \
12204 -p "$P_PXY drop=5 delay=5 duplicate=5" \
12205 "$G_SRV -u --mtu 2048 -a" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12206 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12207 0 \
12208 -s "Extra-header:" \
12209 -c "Extra-header:"
12210
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]12211requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12212client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12213not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12214requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12215run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
12216 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]12217 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12218 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]12219 0 \
12220 -s "Extra-header:" \
12221 -c "Extra-header:"
12222
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]12223requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]12224client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]12225not_with_valgrind # risk of non-mbedtls peer timing out
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12226requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12227run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
12228 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]12229 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]12230 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]12231 0 \
12232 -s "Extra-header:" \
12233 -c "Extra-header:"
12234
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]12235requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]12236run_test "export keys functionality" \
12237 "$P_SRV eap_tls=1 debug_level=3" \
Ronald Cronf95d1692023-03-14 17:19:42 +0100[diff] [blame]12238 "$P_CLI force_version=tls12 eap_tls=1 debug_level=3" \
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]12239 0 \
Ron Eldor65d8c262019-06-04 13:05:36 +0300[diff] [blame]12240 -c "EAP-TLS key material is:"\
12241 -s "EAP-TLS key material is:"\
12242 -c "EAP-TLS IV is:" \
12243 -s "EAP-TLS IV is:"
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]12244
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]12245# openssl feature tests: check if tls1.3 exists.
12246requires_openssl_tls1_3
Jerry Yuc502dff2021-12-03 10:04:08 +0800[diff] [blame]12247run_test "TLS 1.3: Test openssl tls1_3 feature" \
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]12248 "$O_NEXT_SRV -tls1_3 -msg" \
12249 "$O_NEXT_CLI -tls1_3 -msg" \
12250 0 \
12251 -c "TLS 1.3" \
12252 -s "TLS 1.3"
12253
Jerry Yu75261df2021-09-02 17:40:08 +0800[diff] [blame]12254# gnutls feature tests: check if TLS 1.3 is supported as well as the NO_TICKETS and DISABLE_TLS13_COMPAT_MODE options.
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]12255requires_gnutls_tls1_3
Jerry Yub12d81d2021-08-17 10:56:08 +0800[diff] [blame]12256requires_gnutls_next_no_ticket
12257requires_gnutls_next_disable_tls13_compat
Jerry Yuc502dff2021-12-03 10:04:08 +0800[diff] [blame]12258run_test "TLS 1.3: Test gnutls tls1_3 feature" \
Jerry Yu937ac672021-10-28 17:39:28 +0800[diff] [blame]12259 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert " \
Jerry Yub12d81d2021-08-17 10:56:08 +0800[diff] [blame]12260 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Jerry Yu04029792021-08-10 16:45:37 +0800[diff] [blame]12261 0 \
12262 -s "Version: TLS1.3" \
12263 -c "Version: TLS1.3"
12264
Jerry Yuc46e9b42021-08-06 11:22:24 +0800[diff] [blame]12265# TLS1.3 test cases
Ronald Cronb18c67a2023-02-16 16:57:16 +0100[diff] [blame]12266requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
12267requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12268requires_ciphersuite_enabled TLS1-3-CHACHA20-POLY1305-SHA256
Valerio Setticf29c5d2023-09-01 09:03:41 +0200[diff] [blame]12269requires_any_configs_enabled "PSA_WANT_ECC_MONTGOMERY_255"
12270requires_any_configs_enabled "PSA_WANT_ECC_SECP_R1_256"
Ronald Cronb18c67a2023-02-16 16:57:16 +0100[diff] [blame]12271run_test "TLS 1.3: Default" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12272 "$P_SRV allow_sha1=0 debug_level=3 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key force_version=tls13" \
Ronald Cronb18c67a2023-02-16 16:57:16 +0100[diff] [blame]12273 "$P_CLI allow_sha1=0" \
12274 0 \
12275 -s "Protocol is TLSv1.3" \
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12276 -s "Ciphersuite is TLS1-3-CHACHA20-POLY1305-SHA256" \
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]12277 -s "ECDH/FFDH group: " \
Ronald Cronb18c67a2023-02-16 16:57:16 +0100[diff] [blame]12278 -s "selected signature algorithm ecdsa_secp256r1_sha256"
12279
Ronald Cron587cfe62024-02-08 08:56:09 +0100[diff] [blame]12280requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
12281requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
12282requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
12283requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
12284run_test "Establish TLS 1.2 then TLS 1.3 session" \
12285 "$P_SRV" \
12286 "( $P_CLI force_version=tls12; \
12287 $P_CLI force_version=tls13 )" \
12288 0 \
12289 -s "Protocol is TLSv1.2" \
12290 -s "Protocol is TLSv1.3" \
12291
Ronald Cron90abb222024-02-08 09:02:49 +0100[diff] [blame]12292requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
12293requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
12294requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
12295requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
12296run_test "Establish TLS 1.3 then TLS 1.2 session" \
12297 "$P_SRV" \
12298 "( $P_CLI force_version=tls13; \
12299 $P_CLI force_version=tls12 )" \
12300 0 \
12301 -s "Protocol is TLSv1.3" \
12302 -s "Protocol is TLSv1.2" \
12303
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12304requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]12305requires_config_enabled MBEDTLS_DEBUG_C
12306requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12307requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12308 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuc502dff2021-12-03 10:04:08 +0800[diff] [blame]12309run_test "TLS 1.3: minimal feature sets - openssl" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]12310 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12311 "$P_CLI debug_level=3" \
Jerry Yue1b1e2d2021-10-29 17:46:32 +0800[diff] [blame]12312 0 \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12313 -c "client state: MBEDTLS_SSL_HELLO_REQUEST" \
12314 -c "client state: MBEDTLS_SSL_SERVER_HELLO" \
12315 -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
12316 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
12317 -c "client state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
12318 -c "client state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
12319 -c "client state: MBEDTLS_SSL_SERVER_FINISHED" \
12320 -c "client state: MBEDTLS_SSL_CLIENT_FINISHED" \
12321 -c "client state: MBEDTLS_SSL_FLUSH_BUFFERS" \
12322 -c "client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]12323 -c "<= ssl_tls13_process_server_hello" \
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12324 -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]12325 -c "DHE group name: " \
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]12326 -c "=> ssl_tls13_process_server_hello" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12327 -c "<= parse encrypted extensions" \
Jerry Yu834886d2021-10-30 13:26:15 +0800[diff] [blame]12328 -c "Certificate verification flags clear" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12329 -c "=> parse certificate verify" \
12330 -c "<= parse certificate verify" \
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]12331 -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
Jerry Yu6d38c192021-11-15 14:01:04 +0800[diff] [blame]12332 -c "<= parse finished message" \
Gilles Peskinec63a1e02022-01-13 01:10:24 +0100[diff] [blame]12333 -c "Protocol is TLSv1.3" \
Jerry Yu6d38c192021-11-15 14:01:04 +0800[diff] [blame]12334 -c "HTTP/1.0 200 ok"
Jerry Yued2ef2d2021-08-19 18:11:43 +0800[diff] [blame]12335
Jerry Yu76e31ec2021-09-22 21:16:27 +0800[diff] [blame]12336requires_gnutls_tls1_3
Jerry Yu937ac672021-10-28 17:39:28 +0800[diff] [blame]12337requires_gnutls_next_no_ticket
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]12338requires_config_enabled MBEDTLS_DEBUG_C
12339requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12340requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12341 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuc502dff2021-12-03 10:04:08 +0800[diff] [blame]12342run_test "TLS 1.3: minimal feature sets - gnutls" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]12343 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12344 "$P_CLI debug_level=3" \
Jerry Yue1b1e2d2021-10-29 17:46:32 +0800[diff] [blame]12345 0 \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12346 -s "SERVER HELLO was queued" \
12347 -c "client state: MBEDTLS_SSL_HELLO_REQUEST" \
12348 -c "client state: MBEDTLS_SSL_SERVER_HELLO" \
12349 -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
12350 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
12351 -c "client state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
12352 -c "client state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
12353 -c "client state: MBEDTLS_SSL_SERVER_FINISHED" \
12354 -c "client state: MBEDTLS_SSL_CLIENT_FINISHED" \
12355 -c "client state: MBEDTLS_SSL_FLUSH_BUFFERS" \
12356 -c "client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]12357 -c "<= ssl_tls13_process_server_hello" \
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12358 -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]12359 -c "DHE group name: " \
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]12360 -c "=> ssl_tls13_process_server_hello" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12361 -c "<= parse encrypted extensions" \
Jerry Yu834886d2021-10-30 13:26:15 +0800[diff] [blame]12362 -c "Certificate verification flags clear" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12363 -c "=> parse certificate verify" \
12364 -c "<= parse certificate verify" \
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]12365 -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
Jerry Yu6d38c192021-11-15 14:01:04 +0800[diff] [blame]12366 -c "<= parse finished message" \
Gilles Peskine860429f2022-02-12 00:44:48 +0100[diff] [blame]12367 -c "Protocol is TLSv1.3" \
Jerry Yu6d38c192021-11-15 14:01:04 +0800[diff] [blame]12368 -c "HTTP/1.0 200 OK"
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]12369
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12370requires_openssl_tls1_3_with_compatible_ephemeral
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12371requires_config_enabled MBEDTLS_DEBUG_C
12372requires_config_enabled MBEDTLS_SSL_CLI_C
12373requires_config_enabled MBEDTLS_SSL_ALPN
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12374requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12375 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12376run_test "TLS 1.3: alpn - openssl" \
12377 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -alpn h2" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12378 "$P_CLI debug_level=3 alpn=h2" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12379 0 \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12380 -c "client state: MBEDTLS_SSL_HELLO_REQUEST" \
12381 -c "client state: MBEDTLS_SSL_SERVER_HELLO" \
12382 -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
12383 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
12384 -c "client state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
12385 -c "client state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
12386 -c "client state: MBEDTLS_SSL_SERVER_FINISHED" \
12387 -c "client state: MBEDTLS_SSL_CLIENT_FINISHED" \
12388 -c "client state: MBEDTLS_SSL_FLUSH_BUFFERS" \
12389 -c "client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12390 -c "<= ssl_tls13_process_server_hello" \
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12391 -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]12392 -c "DHE group name: " \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12393 -c "=> ssl_tls13_process_server_hello" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12394 -c "<= parse encrypted extensions" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12395 -c "Certificate verification flags clear" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12396 -c "=> parse certificate verify" \
12397 -c "<= parse certificate verify" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12398 -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
12399 -c "<= parse finished message" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12400 -c "Protocol is TLSv1.3" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12401 -c "HTTP/1.0 200 ok" \
12402 -c "Application Layer Protocol is h2"
12403
12404requires_gnutls_tls1_3
12405requires_gnutls_next_no_ticket
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12406requires_config_enabled MBEDTLS_DEBUG_C
12407requires_config_enabled MBEDTLS_SSL_CLI_C
12408requires_config_enabled MBEDTLS_SSL_ALPN
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12409requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12410 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12411run_test "TLS 1.3: alpn - gnutls" \
12412 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert --alpn=h2" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12413 "$P_CLI debug_level=3 alpn=h2" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12414 0 \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12415 -s "SERVER HELLO was queued" \
12416 -c "client state: MBEDTLS_SSL_HELLO_REQUEST" \
12417 -c "client state: MBEDTLS_SSL_SERVER_HELLO" \
12418 -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
12419 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
12420 -c "client state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
12421 -c "client state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
12422 -c "client state: MBEDTLS_SSL_SERVER_FINISHED" \
12423 -c "client state: MBEDTLS_SSL_CLIENT_FINISHED" \
12424 -c "client state: MBEDTLS_SSL_FLUSH_BUFFERS" \
12425 -c "client state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12426 -c "<= ssl_tls13_process_server_hello" \
Ronald Cron4bb67732023-02-16 15:51:18 +0100[diff] [blame]12427 -c "server hello, chosen ciphersuite: ( 1303 ) - TLS1-3-CHACHA20-POLY1305-SHA256" \
Przemek Stekiel1f5c2ba2023-06-15 17:04:44 +0200[diff] [blame]12428 -c "DHE group name: " \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12429 -c "=> ssl_tls13_process_server_hello" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12430 -c "<= parse encrypted extensions" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12431 -c "Certificate verification flags clear" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]12432 -c "=> parse certificate verify" \
12433 -c "<= parse certificate verify" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12434 -c "mbedtls_ssl_tls13_process_certificate_verify() returned 0" \
12435 -c "<= parse finished message" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12436 -c "Protocol is TLSv1.3" \
lhuang0486cacac2022-01-21 07:34:27 -0800[diff] [blame]12437 -c "HTTP/1.0 200 OK" \
12438 -c "Application Layer Protocol is h2"
12439
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12440requires_openssl_tls1_3_with_compatible_ephemeral
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]12441requires_config_enabled MBEDTLS_DEBUG_C
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]12442requires_config_enabled MBEDTLS_SSL_SRV_C
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]12443requires_config_enabled MBEDTLS_SSL_ALPN
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12444requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]12445run_test "TLS 1.3: server alpn - openssl" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12446 "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]12447 "$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \
12448 0 \
XiaokangQianc7403452022-06-23 03:24:12 +0000[diff] [blame]12449 -s "found alpn extension" \
12450 -s "server side, adding alpn extension" \
12451 -s "Protocol is TLSv1.3" \
12452 -s "HTTP/1.0 200 OK" \
12453 -s "Application Layer Protocol is h2"
12454
12455requires_gnutls_tls1_3
XiaokangQianc7403452022-06-23 03:24:12 +0000[diff] [blame]12456requires_config_enabled MBEDTLS_DEBUG_C
XiaokangQian95d5f542022-06-24 02:29:26 +0000[diff] [blame]12457requires_config_enabled MBEDTLS_SSL_SRV_C
XiaokangQianc7403452022-06-23 03:24:12 +0000[diff] [blame]12458requires_config_enabled MBEDTLS_SSL_ALPN
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12459requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQianc7403452022-06-23 03:24:12 +0000[diff] [blame]12460run_test "TLS 1.3: server alpn - gnutls" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12461 "$P_SRV debug_level=3 tickets=0 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key alpn=h2" \
XiaokangQianc7403452022-06-23 03:24:12 +0000[diff] [blame]12462 "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \
12463 0 \
XiaokangQianacb39922022-06-17 10:18:48 +0000[diff] [blame]12464 -s "found alpn extension" \
12465 -s "server side, adding alpn extension" \
12466 -s "Protocol is TLSv1.3" \
12467 -s "HTTP/1.0 200 OK" \
12468 -s "Application Layer Protocol is h2"
12469
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12470requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaa6214a2022-01-30 19:53:28 +0800[diff] [blame]12471requires_config_enabled MBEDTLS_DEBUG_C
12472requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12473requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12474 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12475run_test "TLS 1.3: Client authentication, no client certificate - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12476 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -verify 10" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12477 "$P_CLI debug_level=4 crt_file=none key_file=none" \
Jerry Yuaa6214a2022-01-30 19:53:28 +0800[diff] [blame]12478 0 \
Jerry Yuaa6214a2022-01-30 19:53:28 +0800[diff] [blame]12479 -c "got a certificate request" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12480 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12481 -s "TLS 1.3" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12482 -c "HTTP/1.0 200 ok" \
12483 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12484
12485requires_gnutls_tls1_3
12486requires_gnutls_next_no_ticket
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12487requires_config_enabled MBEDTLS_DEBUG_C
12488requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12489requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12490 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12491run_test "TLS 1.3: Client authentication, no client certificate - gnutls" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12492 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --verify-client-cert" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]12493 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12494 0 \
12495 -c "got a certificate request" \
12496 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE"\
12497 -s "Version: TLS1.3" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12498 -c "HTTP/1.0 200 OK" \
12499 -c "Protocol is TLSv1.3"
12500
Jerry Yuaa6214a2022-01-30 19:53:28 +0800[diff] [blame]12501
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12502requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12503requires_config_enabled MBEDTLS_DEBUG_C
12504requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12505requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12506run_test "TLS 1.3: Client authentication, no server middlebox compat - openssl" \
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12507 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12508 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key" \
Jerry Yuc19884f2022-01-29 10:44:44 +0800[diff] [blame]12509 0 \
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12510 -c "got a certificate request" \
Jerry Yu200b47b2022-01-28 14:26:30 +0800[diff] [blame]12511 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12512 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12513 -c "Protocol is TLSv1.3"
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12514
12515requires_gnutls_tls1_3
12516requires_gnutls_next_no_ticket
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12517requires_config_enabled MBEDTLS_DEBUG_C
12518requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12519requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12520run_test "TLS 1.3: Client authentication, no server middlebox compat - gnutls" \
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12521 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12522 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \
12523 key_file=$DATA_FILES_PATH/cli2.key" \
Jerry Yuc19884f2022-01-29 10:44:44 +0800[diff] [blame]12524 0 \
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12525 -c "got a certificate request" \
Jerry Yu200b47b2022-01-28 14:26:30 +0800[diff] [blame]12526 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12527 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12528 -c "Protocol is TLSv1.3"
Jerry Yu200b47b2022-01-28 14:26:30 +0800[diff] [blame]12529
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12530requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu200b47b2022-01-28 14:26:30 +0800[diff] [blame]12531requires_config_enabled MBEDTLS_DEBUG_C
12532requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12533requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12534 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12535run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12536 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12537 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
12538 key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12539 0 \
12540 -c "got a certificate request" \
12541 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12542 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12543 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12544
12545requires_gnutls_tls1_3
12546requires_gnutls_next_no_ticket
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12547requires_config_enabled MBEDTLS_DEBUG_C
12548requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12549requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12550 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12551run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - gnutls" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12552 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12553 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
12554 key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12555 0 \
12556 -c "got a certificate request" \
12557 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12558 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12559 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12560
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12561requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12562requires_config_enabled MBEDTLS_DEBUG_C
12563requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12564requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12565 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12566run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12567 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12568 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
12569 key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12570 0 \
12571 -c "got a certificate request" \
12572 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12573 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12574 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12575
12576requires_gnutls_tls1_3
12577requires_gnutls_next_no_ticket
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12578requires_config_enabled MBEDTLS_DEBUG_C
12579requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12580requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12581 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12582run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - gnutls" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12583 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12584 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
12585 key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12586 0 \
12587 -c "got a certificate request" \
12588 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12589 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12590 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12591
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12592requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12593requires_config_enabled MBEDTLS_DEBUG_C
12594requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12595requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12596 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12597run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12598 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12599 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12600 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12601 0 \
12602 -c "got a certificate request" \
12603 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12604 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12605 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12606
12607requires_gnutls_tls1_3
12608requires_gnutls_next_no_ticket
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12609requires_config_enabled MBEDTLS_DEBUG_C
12610requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12611requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12612 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12613run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12614 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12615 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12616 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key" \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12617 0 \
12618 -c "got a certificate request" \
12619 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12620 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12621 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12622
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12623requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12624requires_config_enabled MBEDTLS_DEBUG_C
12625requires_config_enabled MBEDTLS_SSL_CLI_C
12626requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12627requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12628 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12629run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12630 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12631 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12632 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
Jerry Yu919130c2022-02-23 10:40:19 +0800[diff] [blame]12633 0 \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12634 -c "got a certificate request" \
12635 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12636 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Jerry Yu919130c2022-02-23 10:40:19 +0800[diff] [blame]12637 -c "Protocol is TLSv1.3"
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12638
12639requires_gnutls_tls1_3
12640requires_gnutls_next_no_ticket
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12641requires_config_enabled MBEDTLS_DEBUG_C
12642requires_config_enabled MBEDTLS_SSL_CLI_C
12643requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12644requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12645 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12646run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha256 - gnutls" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12647 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12648 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12649 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256" \
Jerry Yu919130c2022-02-23 10:40:19 +0800[diff] [blame]12650 0 \
Jerry Yu6c3d8212022-02-18 15:23:23 +0800[diff] [blame]12651 -c "got a certificate request" \
12652 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
Jerry Yu562a0fd2022-02-18 15:35:11 +0800[diff] [blame]12653 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Jerry Yu919130c2022-02-23 10:40:19 +0800[diff] [blame]12654 -c "Protocol is TLSv1.3"
Jerry Yu960bc282022-01-26 11:12:34 +0800[diff] [blame]12655
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12656requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12657requires_config_enabled MBEDTLS_DEBUG_C
12658requires_config_enabled MBEDTLS_SSL_CLI_C
12659requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12660requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12661 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12662run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - openssl" \
12663 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12664 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12665 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12666 0 \
12667 -c "got a certificate request" \
12668 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12669 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12670 -c "Protocol is TLSv1.3"
12671
12672requires_gnutls_tls1_3
12673requires_gnutls_next_no_ticket
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12674requires_config_enabled MBEDTLS_DEBUG_C
12675requires_config_enabled MBEDTLS_SSL_CLI_C
12676requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12677requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12678 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12679run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha384 - gnutls" \
12680 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12681 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12682 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384" \
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12683 0 \
12684 -c "got a certificate request" \
12685 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12686 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12687 -c "Protocol is TLSv1.3"
12688
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12689requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12690requires_config_enabled MBEDTLS_DEBUG_C
12691requires_config_enabled MBEDTLS_SSL_CLI_C
12692requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12693requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12694 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12695run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - openssl" \
12696 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12697 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12698 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12699 0 \
12700 -c "got a certificate request" \
12701 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12702 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12703 -c "Protocol is TLSv1.3"
12704
12705requires_gnutls_tls1_3
12706requires_gnutls_next_no_ticket
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12707requires_config_enabled MBEDTLS_DEBUG_C
12708requires_config_enabled MBEDTLS_SSL_CLI_C
12709requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12710requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12711 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12712run_test "TLS 1.3: Client authentication, rsa_pss_rsae_sha512 - gnutls" \
12713 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12714 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12715 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512" \
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12716 0 \
12717 -c "got a certificate request" \
12718 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12719 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12720 -c "Protocol is TLSv1.3"
12721
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12722requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu3a58b462022-02-22 16:42:29 +0800[diff] [blame]12723requires_config_enabled MBEDTLS_DEBUG_C
12724requires_config_enabled MBEDTLS_SSL_CLI_C
12725requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12726requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12727 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuccb005e2022-02-22 17:38:34 +0800[diff] [blame]12728run_test "TLS 1.3: Client authentication, client alg not in server list - openssl" \
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12729 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12730 -sigalgs ecdsa_secp256r1_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12731 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12732 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12733 1 \
12734 -c "got a certificate request" \
12735 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12736 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Xiaokang Qianea3d9332022-12-07 06:19:49 +0000[diff] [blame]12737 -c "no suitable signature algorithm"
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12738
12739requires_gnutls_tls1_3
12740requires_gnutls_next_no_ticket
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12741requires_config_enabled MBEDTLS_DEBUG_C
12742requires_config_enabled MBEDTLS_SSL_CLI_C
12743requires_config_enabled MBEDTLS_RSA_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12744requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12745 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu819f2972022-02-22 10:14:24 +0800[diff] [blame]12746run_test "TLS 1.3: Client authentication, client alg not in server list - gnutls" \
12747 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12748 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12749 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512" \
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12750 1 \
12751 -c "got a certificate request" \
12752 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12753 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Xiaokang Qianea3d9332022-12-07 06:19:49 +0000[diff] [blame]12754 -c "no suitable signature algorithm"
Jerry Yu2124d052022-02-18 21:07:18 +0800[diff] [blame]12755
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12756# Test using an opaque private key for client authentication
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12757requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12758requires_config_enabled MBEDTLS_DEBUG_C
12759requires_config_enabled MBEDTLS_SSL_CLI_C
12760requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12761requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12762run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \
12763 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12764 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cli2.crt key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12765 0 \
12766 -c "got a certificate request" \
12767 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12768 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12769 -c "Protocol is TLSv1.3"
12770
12771requires_gnutls_tls1_3
12772requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12773requires_config_enabled MBEDTLS_DEBUG_C
12774requires_config_enabled MBEDTLS_SSL_CLI_C
12775requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]12776requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12777run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \
12778 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12779 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/cli2.crt \
12780 key_file=$DATA_FILES_PATH/cli2.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12781 0 \
12782 -c "got a certificate request" \
12783 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12784 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12785 -c "Protocol is TLSv1.3"
12786
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12787requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12788requires_config_enabled MBEDTLS_DEBUG_C
12789requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12790requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12791requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12792 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12793run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \
12794 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12795 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
12796 key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12797 0 \
12798 -c "got a certificate request" \
12799 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12800 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12801 -c "Protocol is TLSv1.3"
12802
12803requires_gnutls_tls1_3
12804requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12805requires_config_enabled MBEDTLS_DEBUG_C
12806requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12807requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12808requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12809 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12810run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \
12811 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12812 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp256r1.crt \
12813 key_file=$DATA_FILES_PATH/ecdsa_secp256r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12814 0 \
12815 -c "got a certificate request" \
12816 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12817 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12818 -c "Protocol is TLSv1.3"
12819
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12820requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12821requires_config_enabled MBEDTLS_DEBUG_C
12822requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12823requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12824requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12825 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12826run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \
12827 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12828 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
12829 key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12830 0 \
12831 -c "got a certificate request" \
12832 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12833 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12834 -c "Protocol is TLSv1.3"
12835
12836requires_gnutls_tls1_3
12837requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12838requires_config_enabled MBEDTLS_DEBUG_C
12839requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12840requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12841requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12842 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12843run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \
12844 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12845 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp384r1.crt \
12846 key_file=$DATA_FILES_PATH/ecdsa_secp384r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12847 0 \
12848 -c "got a certificate request" \
12849 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12850 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12851 -c "Protocol is TLSv1.3"
12852
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12853requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12854requires_config_enabled MBEDTLS_DEBUG_C
12855requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12856requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12857requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12858 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12859run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \
12860 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12861 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12862 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12863 0 \
12864 -c "got a certificate request" \
12865 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12866 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12867 -c "Protocol is TLSv1.3"
12868
12869requires_gnutls_tls1_3
12870requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12871requires_config_enabled MBEDTLS_DEBUG_C
12872requires_config_enabled MBEDTLS_SSL_CLI_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12873requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12874requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12875 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12876run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \
12877 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12878 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
12879 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12880 0 \
12881 -c "got a certificate request" \
12882 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12883 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12884 -c "Protocol is TLSv1.3"
12885
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12886requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12887requires_config_enabled MBEDTLS_DEBUG_C
12888requires_config_enabled MBEDTLS_SSL_CLI_C
12889requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12890requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12891requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12892 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12893run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - openssl" \
12894 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12895 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12896 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12897 0 \
12898 -c "got a certificate request" \
12899 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12900 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12901 -c "Protocol is TLSv1.3"
12902
12903requires_gnutls_tls1_3
12904requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12905requires_config_enabled MBEDTLS_DEBUG_C
12906requires_config_enabled MBEDTLS_SSL_CLI_C
12907requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12908requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12909requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12910 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12911run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha256 - gnutls" \
12912 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12913 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12914 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha256 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12915 0 \
12916 -c "got a certificate request" \
12917 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12918 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12919 -c "Protocol is TLSv1.3"
12920
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12921requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12922requires_config_enabled MBEDTLS_DEBUG_C
12923requires_config_enabled MBEDTLS_SSL_CLI_C
12924requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12925requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12926requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12927 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12928run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - openssl" \
12929 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12930 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12931 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12932 0 \
12933 -c "got a certificate request" \
12934 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12935 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12936 -c "Protocol is TLSv1.3"
12937
12938requires_gnutls_tls1_3
12939requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12940requires_config_enabled MBEDTLS_DEBUG_C
12941requires_config_enabled MBEDTLS_SSL_CLI_C
12942requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12943requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12944requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12945 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12946run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha384 - gnutls" \
12947 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12948 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12949 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha384 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12950 0 \
12951 -c "got a certificate request" \
12952 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12953 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12954 -c "Protocol is TLSv1.3"
12955
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12956requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12957requires_config_enabled MBEDTLS_DEBUG_C
12958requires_config_enabled MBEDTLS_SSL_CLI_C
12959requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12960requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12961requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12962 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12963run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - openssl" \
12964 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12965 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/cert_sha256.crt \
12966 key_file=$DATA_FILES_PATH/server1.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12967 0 \
12968 -c "got a certificate request" \
12969 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12970 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12971 -c "Protocol is TLSv1.3"
12972
12973requires_gnutls_tls1_3
12974requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12975requires_config_enabled MBEDTLS_DEBUG_C
12976requires_config_enabled MBEDTLS_SSL_CLI_C
12977requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12978requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12979requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12980 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12981run_test "TLS 1.3: Client authentication - opaque key, rsa_pss_rsae_sha512 - gnutls" \
12982 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]12983 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
12984 key_file=$DATA_FILES_PATH/server2.key sig_algs=ecdsa_secp256r1_sha256,rsa_pss_rsae_sha512 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12985 0 \
12986 -c "got a certificate request" \
12987 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
12988 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
12989 -c "Protocol is TLSv1.3"
12990
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]12991requires_openssl_tls1_3_with_compatible_ephemeral
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12992requires_config_enabled MBEDTLS_DEBUG_C
12993requires_config_enabled MBEDTLS_SSL_CLI_C
12994requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12995requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]12996requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
12997 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]12998run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - openssl" \
12999 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10
13000 -sigalgs ecdsa_secp256r1_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13001 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
13002 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13003 1 \
13004 -c "got a certificate request" \
13005 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
13006 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Xiaokang Qianea3d9332022-12-07 06:19:49 +0000[diff] [blame]13007 -c "no suitable signature algorithm"
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13008
13009requires_gnutls_tls1_3
13010requires_gnutls_next_no_ticket
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13011requires_config_enabled MBEDTLS_DEBUG_C
13012requires_config_enabled MBEDTLS_SSL_CLI_C
13013requires_config_enabled MBEDTLS_RSA_C
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13014requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13015requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13016 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13017run_test "TLS 1.3: Client authentication - opaque key, client alg not in server list - gnutls" \
13018 "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:%NO_TICKETS" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13019 "$P_CLI debug_level=3 crt_file=$DATA_FILES_PATH/ecdsa_secp521r1.crt \
13020 key_file=$DATA_FILES_PATH/ecdsa_secp521r1.key sig_algs=ecdsa_secp256r1_sha256,ecdsa_secp521r1_sha512 key_opaque=1" \
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13021 1 \
13022 -c "got a certificate request" \
13023 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE" \
13024 -c "client state: MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY" \
Xiaokang Qianea3d9332022-12-07 06:19:49 +0000[diff] [blame]13025 -c "no suitable signature algorithm"
Neil Armstrong7f6f6722022-04-15 10:09:11 +0200[diff] [blame]13026
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13027requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]13028requires_config_enabled MBEDTLS_DEBUG_C
13029requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13030requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13031 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crondf5f8682022-04-05 16:01:03 +0200[diff] [blame]13032run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13033 "$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13034 "$P_CLI debug_level=4" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13035 0 \
13036 -c "received HelloRetryRequest message" \
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]13037 -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]13038 -c "client state: MBEDTLS_SSL_CLIENT_HELLO" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13039 -c "Protocol is TLSv1.3" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13040 -c "HTTP/1.0 200 ok"
13041
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13042requires_openssl_tls1_3_with_compatible_ephemeral
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13043requires_config_enabled MBEDTLS_DEBUG_C
13044requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13045requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13046 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crondf5f8682022-04-05 16:01:03 +0200[diff] [blame]13047run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13048 "$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13049 "$P_CLI debug_level=4" \
XiaokangQian6db08dd2022-01-18 06:36:23 +0000[diff] [blame]13050 0 \
Jerry Yu8c5559d2021-11-22 21:15:41 +0800[diff] [blame]13051 -c "received HelloRetryRequest message" \
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]13052 -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]13053 -c "client state: MBEDTLS_SSL_CLIENT_HELLO" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13054 -c "Protocol is TLSv1.3" \
XiaokangQian6db08dd2022-01-18 06:36:23 +0000[diff] [blame]13055 -c "HTTP/1.0 200 ok"
Jerry Yu8c5559d2021-11-22 21:15:41 +0800[diff] [blame]13056
13057requires_gnutls_tls1_3
13058requires_gnutls_next_no_ticket
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]13059requires_config_enabled MBEDTLS_DEBUG_C
13060requires_config_enabled MBEDTLS_SSL_CLI_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13061requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13062requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13063 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crondf5f8682022-04-05 16:01:03 +0200[diff] [blame]13064run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13065 "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13066 "$P_CLI debug_level=4" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13067 0 \
13068 -c "received HelloRetryRequest message" \
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]13069 -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]13070 -c "client state: MBEDTLS_SSL_CLIENT_HELLO" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13071 -c "Protocol is TLSv1.3" \
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13072 -c "HTTP/1.0 200 OK"
13073
13074requires_gnutls_tls1_3
13075requires_gnutls_next_no_ticket
XiaokangQian7bae3b62022-01-26 06:31:39 +0000[diff] [blame]13076requires_config_enabled MBEDTLS_DEBUG_C
13077requires_config_enabled MBEDTLS_SSL_CLI_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13078requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13079requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13080 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crondf5f8682022-04-05 16:01:03 +0200[diff] [blame]13081run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]13082 "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13083 "$P_CLI debug_level=4" \
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]13084 0 \
Jerry Yu8c5559d2021-11-22 21:15:41 +0800[diff] [blame]13085 -c "received HelloRetryRequest message" \
XiaokangQiana9090612022-01-27 03:48:27 +0000[diff] [blame]13086 -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
Ronald Cron27c85e72022-03-08 11:37:55 +0100[diff] [blame]13087 -c "client state: MBEDTLS_SSL_CLIENT_HELLO" \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13088 -c "Protocol is TLSv1.3" \
XiaokangQian355e09a2022-01-20 11:14:50 +0000[diff] [blame]13089 -c "HTTP/1.0 200 OK"
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13090
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13091requires_openssl_tls1_3_with_compatible_ephemeral
XiaokangQian5e4528c2022-02-17 07:51:12 +0000[diff] [blame]13092requires_config_enabled MBEDTLS_DEBUG_C
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]13093requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13094requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]13095run_test "TLS 1.3: Server side check - openssl" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13096 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Jerry Yu66220492022-04-23 13:53:36 +0800[diff] [blame]13097 "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
Jerry Yu4d8567f2022-04-17 10:57:57 +0800[diff] [blame]13098 0 \
Jerry Yuabf20c72022-04-14 18:36:14 +0800[diff] [blame]13099 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13100 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13101 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
Jerry Yucef55db2022-04-23 11:02:05 +0800[diff] [blame]13102 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yuc8bdbf72022-04-23 12:37:35 +0800[diff] [blame]13103 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
13104 -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
Jerry Yu66220492022-04-23 13:53:36 +0800[diff] [blame]13105 -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
Jerry Yu155493d2022-04-25 13:30:18 +0800[diff] [blame]13106 -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP"
XiaokangQian5e4528c2022-02-17 07:51:12 +0000[diff] [blame]13107
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13108requires_openssl_tls1_3_with_compatible_ephemeral
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13109requires_config_enabled MBEDTLS_DEBUG_C
13110requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13111requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]13112run_test "TLS 1.3: Server side check - openssl with client authentication" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13113 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
13114 "$O_NEXT_CLI -msg -debug -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3 -no_middlebox" \
XiaokangQian9a4e1dd2022-05-26 00:58:11 +0000[diff] [blame]13115 0 \
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13116 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13117 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13118 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13119 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
13120 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yuc4505662022-05-10 20:39:21 +0800[diff] [blame]13121 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
13122 -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]13123 -s "=> write certificate request" \
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13124 -s "=> parse client hello" \
13125 -s "<= parse client hello"
13126
XiaokangQian5e4528c2022-02-17 07:51:12 +0000[diff] [blame]13127requires_gnutls_tls1_3
13128requires_gnutls_next_no_ticket
XiaokangQian5e4528c2022-02-17 07:51:12 +0000[diff] [blame]13129requires_config_enabled MBEDTLS_DEBUG_C
XiaokangQiane8ff3502022-04-22 02:34:40 +0000[diff] [blame]13130requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13131requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQian318dc762022-04-20 09:43:51 +0000[diff] [blame]13132run_test "TLS 1.3: Server side check - gnutls" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13133 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
XiaokangQian3f84d5d2022-04-19 06:36:17 +0000[diff] [blame]13134 "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Jerry Yu66220492022-04-23 13:53:36 +0800[diff] [blame]13135 0 \
Jerry Yuabf20c72022-04-14 18:36:14 +0800[diff] [blame]13136 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13137 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13138 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
Jerry Yucef55db2022-04-23 11:02:05 +0800[diff] [blame]13139 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yuc8bdbf72022-04-23 12:37:35 +0800[diff] [blame]13140 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
13141 -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
Jerry Yu66220492022-04-23 13:53:36 +0800[diff] [blame]13142 -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
13143 -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
13144 -c "HTTP/1.0 200 OK"
XiaokangQian5e4528c2022-02-17 07:51:12 +0000[diff] [blame]13145
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13146requires_gnutls_tls1_3
13147requires_gnutls_next_no_ticket
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13148requires_config_enabled MBEDTLS_DEBUG_C
13149requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13150requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]13151run_test "TLS 1.3: Server side check - gnutls with client authentication" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13152 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
13153 "$G_NEXT_CLI localhost -d 4 --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]13154 0 \
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13155 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13156 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13157 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13158 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
13159 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yuc4505662022-05-10 20:39:21 +0800[diff] [blame]13160 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
13161 -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]13162 -s "=> write certificate request" \
XiaokangQian2f150e12022-04-29 02:01:19 +0000[diff] [blame]13163 -s "=> parse client hello" \
13164 -s "<= parse client hello"
13165
Jerry Yu8b9fd372022-04-14 20:55:12 +0800[diff] [blame]13166requires_config_enabled MBEDTLS_DEBUG_C
13167requires_config_enabled MBEDTLS_SSL_SRV_C
Jerry Yu955ddd72022-04-22 22:27:33 +0800[diff] [blame]13168requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13169requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yu8b9fd372022-04-14 20:55:12 +0800[diff] [blame]13170run_test "TLS 1.3: Server side check - mbedtls" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13171 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Ronald Cron65f90292023-03-13 17:38:12 +0100[diff] [blame]13172 "$P_CLI debug_level=4" \
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]13173 0 \
Jerry Yu8b9fd372022-04-14 20:55:12 +0800[diff] [blame]13174 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13175 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13176 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
Jerry Yua7abc5e2022-05-11 13:32:03 +0800[diff] [blame]13177 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
Jerry Yucef55db2022-04-23 11:02:05 +0800[diff] [blame]13178 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yua7abc5e2022-05-11 13:32:03 +0800[diff] [blame]13179 -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
13180 -s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
13181 -s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
13182 -s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
13183 -c "HTTP/1.0 200 OK"
Jerry Yu8b9fd372022-04-14 20:55:12 +0800[diff] [blame]13184
XiaokangQian45c22202022-05-06 06:54:09 +0000[diff] [blame]13185requires_config_enabled MBEDTLS_DEBUG_C
13186requires_config_enabled MBEDTLS_SSL_SRV_C
13187requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13188requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQiana987e1d2022-05-07 01:25:58 +0000[diff] [blame]13189run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13190 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
13191 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
XiaokangQianc3017f62022-05-13 05:55:41 +0000[diff] [blame]13192 0 \
XiaokangQian45c22202022-05-06 06:54:09 +0000[diff] [blame]13193 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13194 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13195 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13196 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
Jerry Yua7abc5e2022-05-11 13:32:03 +0800[diff] [blame]13197 -s "=> write certificate request" \
XiaokangQian45c22202022-05-06 06:54:09 +0000[diff] [blame]13198 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
XiaokangQian45c22202022-05-06 06:54:09 +0000[diff] [blame]13199 -s "=> parse client hello" \
13200 -s "<= parse client hello"
13201
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13202requires_config_enabled MBEDTLS_DEBUG_C
13203requires_config_enabled MBEDTLS_SSL_SRV_C
13204requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13205requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13206run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13207 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Ronald Cron65f90292023-03-13 17:38:12 +0100[diff] [blame]13208 "$P_CLI debug_level=4 crt_file=none key_file=none" \
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13209 1 \
13210 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13211 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13212 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13213 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
13214 -s "=> write certificate request" \
13215 -s "SSL - No client certification received from the client, but required by the authentication mode" \
13216 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
13217 -s "=> parse client hello" \
13218 -s "<= parse client hello"
13219
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13220requires_config_enabled MBEDTLS_DEBUG_C
13221requires_config_enabled MBEDTLS_SSL_SRV_C
13222requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13223requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13224run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13225 "$P_SRV debug_level=4 auth_mode=optional crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Ronald Cron65f90292023-03-13 17:38:12 +0100[diff] [blame]13226 "$P_CLI debug_level=4 crt_file=none key_file=none" \
XiaokangQianaca90482022-05-19 07:19:31 +0000[diff] [blame]13227 0 \
13228 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13229 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13230 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13231 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
13232 -s "=> write certificate request" \
13233 -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
13234 -s "=> parse client hello" \
13235 -s "<= parse client hello"
Jerry Yuede50ea2022-05-05 11:21:20 +0800[diff] [blame]13236
13237requires_config_enabled MBEDTLS_DEBUG_C
13238requires_config_enabled MBEDTLS_SSL_CLI_C
13239requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13240requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13241requires_config_enabled PSA_WANT_ALG_ECDH
Jerry Yuede50ea2022-05-05 11:21:20 +0800[diff] [blame]13242run_test "TLS 1.3: server: HRR check - mbedtls" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13243 "$P_SRV debug_level=4 groups=secp384r1" \
13244 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Jerry Yu36becb12022-05-12 16:57:20 +0800[diff] [blame]13245 0 \
Jerry Yuede50ea2022-05-05 11:21:20 +0800[diff] [blame]13246 -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
13247 -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
13248 -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13249 -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
13250 -c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
13251 -s "selected_group: secp384r1" \
Jerry Yuede50ea2022-05-05 11:21:20 +0800[diff] [blame]13252 -s "=> write hello retry request" \
13253 -s "<= write hello retry request"
13254
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]13255requires_config_enabled MBEDTLS_DEBUG_C
13256requires_config_enabled MBEDTLS_SSL_SRV_C
13257requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13258requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]13259run_test "TLS 1.3: Server side check, no server certificate available" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13260 "$P_SRV debug_level=4 crt_file=none key_file=none" \
Ronald Cron65f90292023-03-13 17:38:12 +0100[diff] [blame]13261 "$P_CLI debug_level=4" \
Jerry Yub89125b2022-05-13 15:45:49 +0800[diff] [blame]13262 1 \
13263 -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
13264 -s "No certificate available."
13265
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13266requires_openssl_tls1_3_with_compatible_ephemeral
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13267requires_config_enabled MBEDTLS_DEBUG_C
13268requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13269requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13270 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQian2ccd97b2022-05-31 08:30:17 +0000[diff] [blame]13271run_test "TLS 1.3: Server side check - openssl with sni" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13272 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
13273 sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
13274 "$O_NEXT_CLI -msg -debug -servername localhost -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -tls1_3" \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13275 0 \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13276 -s "parse ServerName extension" \
XiaokangQian129aeb92022-06-02 09:29:18 +0000[diff] [blame]13277 -s "HTTP/1.0 200 OK"
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13278
XiaokangQianac41edf2022-05-31 13:22:13 +0000[diff] [blame]13279requires_gnutls_tls1_3
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13280requires_config_enabled MBEDTLS_DEBUG_C
13281requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13282requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13283 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQian2ccd97b2022-05-31 08:30:17 +0000[diff] [blame]13284run_test "TLS 1.3: Server side check - gnutls with sni" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13285 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
13286 sni=localhost,$DATA_FILES_PATH/server5.crt,$DATA_FILES_PATH/server5.key,$DATA_FILES_PATH/test-ca_cat12.crt,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
13287 "$G_NEXT_CLI localhost -d 4 --sni-hostname=localhost --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS -V" \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13288 0 \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13289 -s "parse ServerName extension" \
XiaokangQian129aeb92022-06-02 09:29:18 +0000[diff] [blame]13290 -s "HTTP/1.0 200 OK"
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13291
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]13292requires_config_enabled MBEDTLS_DEBUG_C
13293requires_config_enabled MBEDTLS_SSL_SRV_C
13294requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13295requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13296 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
XiaokangQian2ccd97b2022-05-31 08:30:17 +0000[diff] [blame]13297run_test "TLS 1.3: Server side check - mbedtls with sni" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13298 "$P_SRV debug_level=4 auth_mode=required crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0 \
13299 sni=localhost,$DATA_FILES_PATH/server2.crt,$DATA_FILES_PATH/server2.key,-,-,-,polarssl.example,$DATA_FILES_PATH/server1-nospace.crt,$DATA_FILES_PATH/server1.key,-,-,-" \
13300 "$P_CLI debug_level=4 server_name=localhost crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key" \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13301 0 \
XiaokangQianf2a94202022-05-20 06:44:24 +0000[diff] [blame]13302 -s "parse ServerName extension" \
XiaokangQian129aeb92022-06-02 09:29:18 +0000[diff] [blame]13303 -s "HTTP/1.0 200 OK"
XiaokangQian40a35232022-05-07 09:02:40 +0000[diff] [blame]13304
Gilles Peskine2baaf602022-01-07 15:46:12 +0100[diff] [blame]13305for i in opt-testcases/*.sh
Jerry Yucdcb6832021-11-29 16:50:13 +0800[diff] [blame]13306do
Gilles Peskine5eb2b022022-01-07 15:47:02 +0100[diff] [blame]13307 TEST_SUITE_NAME=${i##*/}
13308 TEST_SUITE_NAME=${TEST_SUITE_NAME%.*}
13309 . "$i"
Jerry Yucdcb6832021-11-29 16:50:13 +0800[diff] [blame]13310done
Gilles Peskine5eb2b022022-01-07 15:47:02 +0100[diff] [blame]13311unset TEST_SUITE_NAME
Jerry Yu305bfc32021-11-24 16:04:47 +0800[diff] [blame]13312
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13313# Test 1.3 compatibility mode
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13314requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13315requires_config_enabled MBEDTLS_DEBUG_C
13316requires_config_enabled MBEDTLS_SSL_SRV_C
13317requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13318requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13319run_test "TLS 1.3 m->m both peers do not support middlebox compatibility" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13320 "$P_SRV debug_level=4 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13321 "$P_CLI debug_level=4" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13322 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13323 -s "Protocol is TLSv1.3" \
13324 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13325 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13326 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13327
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13328requires_config_enabled MBEDTLS_DEBUG_C
13329requires_config_enabled MBEDTLS_SSL_SRV_C
13330requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13331requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13332 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13333run_test "TLS 1.3 m->m both with middlebox compat support" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13334 "$P_SRV debug_level=4 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13335 "$P_CLI debug_level=4" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13336 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13337 -s "Protocol is TLSv1.3" \
13338 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13339 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13340 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13341
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13342requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13343requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]13344requires_config_enabled MBEDTLS_DEBUG_C
13345requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13346requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13347run_test "TLS 1.3 m->O both peers do not support middlebox compatibility" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13348 "$O_NEXT_SRV -msg -tls1_3 -no_middlebox -num_tickets 0 -no_resume_ephemeral -no_cache" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13349 "$P_CLI debug_level=4" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13350 0 \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13351 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13352 -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
13353 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13354
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13355requires_openssl_tls1_3_with_compatible_ephemeral
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13356requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
Ronald Cron7c0185f2021-11-30 09:16:24 +0100[diff] [blame]13357requires_config_enabled MBEDTLS_DEBUG_C
13358requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13359requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13360run_test "TLS 1.3 m->O server with middlebox compat support, not client" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13361 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13362 "$P_CLI debug_level=4" \
Ronald Cronfdb0e3f2021-12-09 10:39:19 +0100[diff] [blame]13363 1 \
13364 -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
13365
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13366requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13367requires_config_enabled MBEDTLS_DEBUG_C
13368requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13369requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13370 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13371run_test "TLS 1.3 m->O both with middlebox compat support" \
13372 "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13373 "$P_CLI debug_level=4" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13374 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13375 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13376 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13377
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13378requires_gnutls_tls1_3
13379requires_gnutls_next_no_ticket
13380requires_gnutls_next_disable_tls13_compat
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13381requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13382requires_config_enabled MBEDTLS_DEBUG_C
13383requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13384requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13385run_test "TLS 1.3 m->G both peers do not support middlebox compatibility" \
13386 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13387 "$P_CLI debug_level=4" \
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13388 0 \
Ronald Crona1b8f6e2022-03-18 14:04:12 +0100[diff] [blame]13389 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13390 -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
13391 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13392
13393requires_gnutls_tls1_3
13394requires_gnutls_next_no_ticket
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13395requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13396requires_config_enabled MBEDTLS_DEBUG_C
13397requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13398requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13399run_test "TLS 1.3 m->G server with middlebox compat support, not client" \
13400 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13401 "$P_CLI debug_level=4" \
Ronald Crona55c5a12021-11-30 09:32:47 +0100[diff] [blame]13402 1 \
13403 -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
13404
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13405requires_gnutls_tls1_3
13406requires_gnutls_next_no_ticket
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13407requires_config_enabled MBEDTLS_DEBUG_C
13408requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13409requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13410 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13411run_test "TLS 1.3 m->G both with middlebox compat support" \
13412 "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13413 "$P_CLI debug_level=4" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13414 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13415 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13416 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13417
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13418requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13419requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13420requires_config_enabled MBEDTLS_DEBUG_C
13421requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13422requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13423run_test "TLS 1.3 O->m both peers do not support middlebox compatibility" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13424 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13425 "$O_NEXT_CLI -msg -debug -no_middlebox" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13426 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13427 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13428 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13429 -C "14 03 03 00 01"
13430
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13431requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13432requires_config_enabled MBEDTLS_DEBUG_C
13433requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13434requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13435 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13436run_test "TLS 1.3 O->m server with middlebox compat support, not client" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13437 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13438 "$O_NEXT_CLI -msg -debug -no_middlebox" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13439 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13440 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13441 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO"
13442
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13443requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13444requires_config_enabled MBEDTLS_DEBUG_C
13445requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13446requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13447 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13448run_test "TLS 1.3 O->m both with middlebox compat support" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13449 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13450 "$O_NEXT_CLI -msg -debug" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13451 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13452 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13453 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13454 -c "14 03 03 00 01"
13455
13456requires_gnutls_tls1_3
13457requires_gnutls_next_no_ticket
13458requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13459requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13460requires_config_enabled MBEDTLS_DEBUG_C
13461requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13462requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13463run_test "TLS 1.3 G->m both peers do not support middlebox compatibility" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13464 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13465 "$G_NEXT_CLI localhost --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13466 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13467 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13468 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13469 -C "SSL 3.3 ChangeCipherSpec packet received"
13470
13471requires_gnutls_tls1_3
13472requires_gnutls_next_no_ticket
13473requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13474requires_config_enabled MBEDTLS_DEBUG_C
13475requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13476requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13477 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13478run_test "TLS 1.3 G->m server with middlebox compat support, not client" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13479 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13480 "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13481 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13482 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13483 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13484 -c "SSL 3.3 ChangeCipherSpec packet received" \
13485 -c "discarding change cipher spec in TLS1.3"
13486
13487requires_gnutls_tls1_3
13488requires_gnutls_next_no_ticket
13489requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13490requires_config_enabled MBEDTLS_DEBUG_C
13491requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13492requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13493 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13494run_test "TLS 1.3 G->m both with middlebox compat support" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13495 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13496 "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13497 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13498 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13499 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO" \
13500 -c "SSL 3.3 ChangeCipherSpec packet received"
13501
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13502requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13503requires_config_enabled MBEDTLS_DEBUG_C
13504requires_config_enabled MBEDTLS_SSL_SRV_C
13505requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13506requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13507run_test "TLS 1.3 m->m HRR both peers do not support middlebox compatibility" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13508 "$P_SRV debug_level=4 groups=secp384r1 tickets=0" \
13509 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13510 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13511 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13512 -c "Protocol is TLSv1.3" \
13513 -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13514 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13515 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13516
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13517requires_config_enabled MBEDTLS_DEBUG_C
13518requires_config_enabled MBEDTLS_SSL_SRV_C
13519requires_config_enabled MBEDTLS_SSL_CLI_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13520requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13521requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13522 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13523run_test "TLS 1.3 m->m HRR both with middlebox compat support" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13524 "$P_SRV debug_level=4 groups=secp384r1 tickets=0" \
13525 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13526 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13527 -s "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13528 -c "Protocol is TLSv1.3" \
13529 -s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13530 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13531 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13532
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13533requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13534requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13535requires_config_enabled MBEDTLS_DEBUG_C
13536requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13537requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13538run_test "TLS 1.3 m->O HRR both peers do not support middlebox compatibility" \
13539 "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -no_middlebox -num_tickets 0 -no_cache" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13540 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13541 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13542 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13543 -c "received HelloRetryRequest message" \
13544 -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
13545 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13546
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13547requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13548requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13549requires_config_enabled MBEDTLS_DEBUG_C
13550requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13551requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13552run_test "TLS 1.3 m->O HRR server with middlebox compat support, not client" \
13553 "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_cache" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13554 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13555 1 \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13556 -c "received HelloRetryRequest message" \
13557 -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
13558
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13559requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13560requires_config_enabled MBEDTLS_DEBUG_C
13561requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13562requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13563 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13564run_test "TLS 1.3 m->O HRR both with middlebox compat support" \
13565 "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_resume_ephemeral -no_cache" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13566 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13567 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13568 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13569 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13570
13571requires_gnutls_tls1_3
13572requires_gnutls_next_no_ticket
13573requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13574requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13575requires_config_enabled MBEDTLS_DEBUG_C
13576requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13577requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13578run_test "TLS 1.3 m->G HRR both peers do not support middlebox compatibility" \
13579 "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE --disable-client-cert" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13580 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13581 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13582 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13583 -c "received HelloRetryRequest message" \
13584 -C "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" \
13585 -C "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13586
13587requires_gnutls_tls1_3
13588requires_gnutls_next_no_ticket
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13589requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13590requires_config_enabled MBEDTLS_DEBUG_C
13591requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13592requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13593run_test "TLS 1.3 m->G HRR server with middlebox compat support, not client" \
13594 "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13595 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13596 1 \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13597 -c "received HelloRetryRequest message" \
13598 -c "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode"
13599
13600requires_gnutls_tls1_3
13601requires_gnutls_next_no_ticket
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13602requires_config_enabled MBEDTLS_DEBUG_C
13603requires_config_enabled MBEDTLS_SSL_CLI_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13604requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13605requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13606 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13607run_test "TLS 1.3 m->G HRR both with middlebox compat support" \
13608 "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \
Przemek Stekiel45255e42023-06-29 13:56:36 +0200[diff] [blame]13609 "$P_CLI debug_level=4 groups=secp256r1,secp384r1" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13610 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13611 -c "Protocol is TLSv1.3" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13612 -c "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode"
13613
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13614requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13615requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13616requires_config_enabled MBEDTLS_DEBUG_C
13617requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13618requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13619run_test "TLS 1.3 O->m HRR both peers do not support middlebox compatibility" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13620 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13621 "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13622 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13623 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13624 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13625 -C "14 03 03 00 01"
13626
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13627requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13628requires_config_enabled MBEDTLS_DEBUG_C
13629requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13630requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13631 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13632run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13633 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13634 "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13635 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13636 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13637 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13638
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13639requires_openssl_tls1_3_with_compatible_ephemeral
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13640requires_config_enabled MBEDTLS_DEBUG_C
13641requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13642requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13643 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13644run_test "TLS 1.3 O->m HRR both with middlebox compat support" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13645 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13646 "$O_NEXT_CLI -msg -debug -groups P-256:P-384" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13647 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13648 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13649 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13650 -c "14 03 03 00 01"
13651
13652requires_gnutls_tls1_3
13653requires_gnutls_next_no_ticket
13654requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13655requires_config_disabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13656requires_config_enabled MBEDTLS_DEBUG_C
13657requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron928cbd32022-10-04 16:14:26 +0200[diff] [blame]13658requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13659run_test "TLS 1.3 G->m HRR both peers do not support middlebox compatibility" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13660 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13661 "$G_NEXT_CLI localhost --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13662 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13663 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13664 -S "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13665 -C "SSL 3.3 ChangeCipherSpec packet received"
13666
13667requires_gnutls_tls1_3
13668requires_gnutls_next_no_ticket
13669requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13670requires_config_enabled MBEDTLS_DEBUG_C
13671requires_config_enabled MBEDTLS_SSL_SRV_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13672requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13673requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13674 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13675run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13676 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13677 "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13678 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13679 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13680 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13681 -c "SSL 3.3 ChangeCipherSpec packet received" \
13682 -c "discarding change cipher spec in TLS1.3"
13683
13684requires_gnutls_tls1_3
13685requires_gnutls_next_no_ticket
13686requires_gnutls_next_disable_tls13_compat
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13687requires_config_enabled MBEDTLS_DEBUG_C
13688requires_config_enabled MBEDTLS_SSL_SRV_C
Przemek Stekielc31a7982023-06-27 10:53:33 +0200[diff] [blame]13689requires_config_enabled PSA_WANT_ALG_ECDH
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13690requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13691 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13692run_test "TLS 1.3 G->m HRR both with middlebox compat support" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13693 "$P_SRV debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key groups=secp384r1 tickets=0" \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13694 "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13695 0 \
Gabor Mezei9e4b7bd2022-06-28 16:22:14 +0200[diff] [blame]13696 -s "Protocol is TLSv1.3" \
Gabor Mezeif7044ea2022-06-28 16:01:49 +0200[diff] [blame]13697 -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \
Gabor Mezei7e2dbaf2022-05-24 16:05:29 +0200[diff] [blame]13698 -c "SSL 3.3 ChangeCipherSpec packet received"
13699
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13700requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13701requires_config_enabled MBEDTLS_DEBUG_C
13702requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13703requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13704 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13705run_test "TLS 1.3: Check signature algorithm order, m->O" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13706 "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13707 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
13708 -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13709 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13710 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13711 0 \
13712 -c "Protocol is TLSv1.3" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13713 -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13714 -c "HTTP/1.0 200 [Oo][Kk]"
13715
13716requires_gnutls_tls1_3
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13717requires_config_enabled MBEDTLS_DEBUG_C
13718requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13719requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13720 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13721run_test "TLS 1.3: Check signature algorithm order, m->G" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13722 "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13723 -d 4
13724 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13725 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13726 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13727 0 \
13728 -c "Protocol is TLSv1.3" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13729 -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13730 -c "HTTP/1.0 200 [Oo][Kk]"
13731
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13732requires_config_enabled MBEDTLS_DEBUG_C
13733requires_config_enabled MBEDTLS_SSL_SRV_C
13734requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13735requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13736 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13737run_test "TLS 1.3: Check signature algorithm order, m->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13738 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13739 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13740 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13741 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13742 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13743 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13744 0 \
13745 -c "Protocol is TLSv1.3" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13746 -c "CertificateVerify signature with rsa_pss_rsae_sha512" \
13747 -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13748 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \
13749 -c "HTTP/1.0 200 [Oo][Kk]"
13750
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13751requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13752requires_config_enabled MBEDTLS_DEBUG_C
13753requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13754requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13755 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13756run_test "TLS 1.3: Check signature algorithm order, O->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13757 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13758 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13759 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13760 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13761 "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
13762 -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13763 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \
13764 0 \
13765 -c "TLSv1.3" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13766 -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13767 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
13768
13769requires_gnutls_tls1_3
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13770requires_config_enabled MBEDTLS_DEBUG_C
13771requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13772requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13773 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13774run_test "TLS 1.3: Check signature algorithm order, G->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13775 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13776 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13777 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13778 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13779 "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
13780 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13781 --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \
13782 0 \
13783 -c "Negotiated version: 3.4" \
13784 -c "HTTP/1.0 200 [Oo][Kk]" \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13785 -s "CertificateVerify signature with rsa_pss_rsae_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13786 -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512"
13787
13788requires_gnutls_tls1_3
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13789requires_config_enabled MBEDTLS_DEBUG_C
13790requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13791requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13792 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13793run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13794 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13795 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13796 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13797 sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13798 "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
13799 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13800 --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \
13801 1 \
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]13802 -S "ssl_tls13_pick_key_cert:check signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13803
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13804requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13805requires_config_enabled MBEDTLS_DEBUG_C
13806requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13807requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13808 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13809run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13810 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13811 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13812 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13813 sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13814 "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
13815 -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13816 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \
13817 1 \
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]13818 -S "ssl_tls13_pick_key_cert:check signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13819
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13820requires_config_enabled MBEDTLS_DEBUG_C
13821requires_config_enabled MBEDTLS_SSL_SRV_C
13822requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13823requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13824 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13825run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13826 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13827 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13828 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13829 sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13830 "$P_CLI allow_sha1=0 debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13831 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13832 1 \
Ronald Cron67ea2542022-09-15 17:34:42 +0200[diff] [blame]13833 -S "ssl_tls13_pick_key_cert:check signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13834
13835requires_gnutls_tls1_3
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13836requires_config_enabled MBEDTLS_DEBUG_C
13837requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13838requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13839 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13840run_test "TLS 1.3: Check server no suitable certificate, G->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13841 "$P_SRV debug_level=4
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13842 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13843 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13844 "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13845 --priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \
13846 1 \
13847 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
13848
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13849requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13850requires_config_enabled MBEDTLS_DEBUG_C
13851requires_config_enabled MBEDTLS_SSL_SRV_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13852requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13853 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13854run_test "TLS 1.3: Check server no suitable certificate, O->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13855 "$P_SRV debug_level=4
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13856 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13857 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13858 "$O_NEXT_CLI_NO_CERT -msg -CAfile $DATA_FILES_PATH/test-ca_cat12.crt \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13859 -sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \
13860 1 \
13861 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
13862
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13863requires_config_enabled MBEDTLS_DEBUG_C
13864requires_config_enabled MBEDTLS_SSL_SRV_C
13865requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13866requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13867 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13868run_test "TLS 1.3: Check server no suitable certificate, m->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13869 "$P_SRV debug_level=4
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13870 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13871 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \
13872 "$P_CLI allow_sha1=0 debug_level=4 \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13873 sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13874 1 \
13875 -s "ssl_tls13_pick_key_cert:no suitable certificate found"
13876
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13877requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13878requires_config_enabled MBEDTLS_DEBUG_C
13879requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13880requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13881 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13882run_test "TLS 1.3: Check client no signature algorithm, m->O" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13883 "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13884 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache
13885 -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13886 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13887 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13888 1 \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13889 -c "no suitable signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13890
13891requires_gnutls_tls1_3
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13892requires_config_enabled MBEDTLS_DEBUG_C
13893requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13894requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13895 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13896run_test "TLS 1.3: Check client no signature algorithm, m->G" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13897 "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13898 -d 4
13899 --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13900 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13901 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13902 1 \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13903 -c "no suitable signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13904
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13905requires_config_enabled MBEDTLS_DEBUG_C
13906requires_config_enabled MBEDTLS_SSL_SRV_C
13907requires_config_enabled MBEDTLS_SSL_CLI_C
Ronald Cron70ed4172022-10-20 15:48:19 +0200[diff] [blame]13908requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
13909 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13910run_test "TLS 1.3: Check client no signature algorithm, m->m" \
Ronald Cron50ae84e2023-03-14 08:59:56 +0100[diff] [blame]13911 "$P_SRV debug_level=4 auth_mode=required
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13912 crt_file2=$DATA_FILES_PATH/server2-sha256.crt key_file2=$DATA_FILES_PATH/server2.key
13913 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13914 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13915 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key \
Jerry Yu7ac0d492022-07-01 19:29:30 +0800[diff] [blame]13916 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13917 1 \
Ronald Cron067a1e72022-09-16 13:44:49 +0200[diff] [blame]13918 -c "no suitable signature algorithm"
Jerry Yuaae28f12022-06-29 16:21:32 +0800[diff] [blame]13919
Przemek Stekiel8bfe8972023-06-26 12:59:45 +0200[diff] [blame]13920requires_openssl_tls1_3_with_compatible_ephemeral
Jerry Yu6455b682022-06-27 14:18:29 +0800[diff] [blame]13921requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
13922requires_config_enabled MBEDTLS_DEBUG_C
13923requires_config_enabled MBEDTLS_SSL_CLI_C
Jerry Yueec4f032022-07-23 11:31:51 +0800[diff] [blame]13924run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->O" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13925 "$O_NEXT_SRV_NO_CERT -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key
Jerry Yu6455b682022-06-27 14:18:29 +0800[diff] [blame]13926 -msg -tls1_2
13927 -Verify 10 " \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13928 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
Jerry Yu6455b682022-06-27 14:18:29 +0800[diff] [blame]13929 sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
13930 min_version=tls12 max_version=tls13 " \
13931 0 \
13932 -c "Protocol is TLSv1.2" \
13933 -c "HTTP/1.0 200 [Oo][Kk]"
13934
13935
13936requires_gnutls_tls1_3
13937requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
13938requires_config_enabled MBEDTLS_DEBUG_C
13939requires_config_enabled MBEDTLS_SSL_CLI_C
Jerry Yueec4f032022-07-23 11:31:51 +0800[diff] [blame]13940run_test "TLS 1.2: Check rsa_pss_rsae compatibility issue, m->G" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13941 "$G_NEXT_SRV_NO_CERT --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key
Jerry Yu6455b682022-06-27 14:18:29 +0800[diff] [blame]13942 -d 4
13943 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13944 "$P_CLI debug_level=4 crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key
Jerry Yu6455b682022-06-27 14:18:29 +0800[diff] [blame]13945 sig_algs=rsa_pss_rsae_sha512,rsa_pkcs1_sha512
13946 min_version=tls12 max_version=tls13 " \
13947 0 \
13948 -c "Protocol is TLSv1.2" \
13949 -c "HTTP/1.0 200 [Oo][Kk]"
13950
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]13951requires_config_enabled MBEDTLS_SSL_SRV_C
13952requires_config_enabled MBEDTLS_DEBUG_C
13953requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
13954requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13955requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
13956requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]13957requires_config_enabled PSA_WANT_DH_RFC7919_3072
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]13958requires_gnutls_tls1_3
13959requires_gnutls_next_no_ticket
13960requires_gnutls_next_disable_tls13_compat
13961run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13962 "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
13963 "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]13964 0 \
13965 -s "Protocol is TLSv1.3" \
13966 -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
13967 -s "received signature algorithm: 0x804" \
13968 -s "got named group: ffdhe3072(0101)" \
13969 -s "Certificate verification was skipped" \
13970 -C "received HelloRetryRequest message"
13971
13972
13973requires_gnutls_tls1_3
13974requires_gnutls_next_no_ticket
13975requires_gnutls_next_disable_tls13_compat
13976requires_config_enabled MBEDTLS_SSL_CLI_C
13977requires_config_enabled MBEDTLS_DEBUG_C
13978requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
13979requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13980requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
13981requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]13982requires_config_enabled PSA_WANT_DH_RFC7919_3072
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]13983run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe3072,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]13984 "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE3072:+VERS-TLS1.3:%NO_TICKETS" \
13985 "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe3072" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]13986 0 \
13987 -c "HTTP/1.0 200 OK" \
13988 -c "Protocol is TLSv1.3" \
13989 -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
13990 -c "Certificate Verify: Signature algorithm ( 0804 )" \
13991 -c "NamedGroup: ffdhe3072 ( 101 )" \
13992 -c "Verifying peer X.509 certificate... ok" \
13993 -C "received HelloRetryRequest message"
13994
13995requires_config_enabled MBEDTLS_SSL_SRV_C
13996requires_config_enabled MBEDTLS_DEBUG_C
13997requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
13998requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
13999requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14000requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14001requires_config_enabled PSA_WANT_DH_RFC7919_4096
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14002requires_gnutls_tls1_3
14003requires_gnutls_next_no_ticket
14004requires_gnutls_next_disable_tls13_compat
14005run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14006 "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
14007 "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14008 0 \
14009 -s "Protocol is TLSv1.3" \
14010 -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
14011 -s "received signature algorithm: 0x804" \
14012 -s "got named group: ffdhe4096(0102)" \
14013 -s "Certificate verification was skipped" \
14014 -C "received HelloRetryRequest message"
14015
14016
14017requires_gnutls_tls1_3
14018requires_gnutls_next_no_ticket
14019requires_gnutls_next_disable_tls13_compat
14020requires_config_enabled MBEDTLS_SSL_CLI_C
14021requires_config_enabled MBEDTLS_DEBUG_C
14022requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14023requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
14024requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14025requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14026requires_config_enabled PSA_WANT_DH_RFC7919_4096
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14027run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe4096,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14028 "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE4096:+VERS-TLS1.3:%NO_TICKETS" \
14029 "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe4096" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14030 0 \
14031 -c "HTTP/1.0 200 OK" \
14032 -c "Protocol is TLSv1.3" \
14033 -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
14034 -c "Certificate Verify: Signature algorithm ( 0804 )" \
14035 -c "NamedGroup: ffdhe4096 ( 102 )" \
14036 -c "Verifying peer X.509 certificate... ok" \
14037 -C "received HelloRetryRequest message"
14038
14039requires_config_enabled MBEDTLS_SSL_SRV_C
14040requires_config_enabled MBEDTLS_DEBUG_C
14041requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14042requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
14043requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14044requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14045requires_config_enabled PSA_WANT_DH_RFC7919_6144
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14046requires_gnutls_tls1_3
14047requires_gnutls_next_no_ticket
14048requires_gnutls_next_disable_tls13_compat
14049run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14050 "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
14051 "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14052 0 \
14053 -s "Protocol is TLSv1.3" \
14054 -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
14055 -s "received signature algorithm: 0x804" \
14056 -s "got named group: ffdhe6144(0103)" \
14057 -s "Certificate verification was skipped" \
14058 -C "received HelloRetryRequest message"
14059
14060requires_gnutls_tls1_3
14061requires_gnutls_next_no_ticket
14062requires_gnutls_next_disable_tls13_compat
14063requires_config_enabled MBEDTLS_SSL_CLI_C
14064requires_config_enabled MBEDTLS_DEBUG_C
14065requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14066requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
14067requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14068requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14069requires_config_enabled PSA_WANT_DH_RFC7919_6144
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14070run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe6144,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14071 "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE6144:+VERS-TLS1.3:%NO_TICKETS" \
14072 "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe6144" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14073 0 \
14074 -c "HTTP/1.0 200 OK" \
14075 -c "Protocol is TLSv1.3" \
14076 -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
14077 -c "Certificate Verify: Signature algorithm ( 0804 )" \
14078 -c "NamedGroup: ffdhe6144 ( 103 )" \
14079 -c "Verifying peer X.509 certificate... ok" \
14080 -C "received HelloRetryRequest message"
14081
14082requires_config_enabled MBEDTLS_SSL_SRV_C
14083requires_config_enabled MBEDTLS_DEBUG_C
14084requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14085requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
14086requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14087requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14088requires_config_enabled PSA_WANT_DH_RFC7919_8192
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14089requires_gnutls_tls1_3
14090requires_gnutls_next_no_ticket
14091requires_gnutls_next_disable_tls13_compat
14092client_needs_more_time 4
14093run_test "TLS 1.3 G->m: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14094 "$P_SRV crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192 tls13_kex_modes=ephemeral cookies=0 tickets=0" \
14095 "$G_NEXT_CLI_NO_CERT --debug=4 --single-key-share --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14096 0 \
14097 -s "Protocol is TLSv1.3" \
14098 -s "server hello, chosen ciphersuite: TLS1-3-AES-128-GCM-SHA256 ( id=4865 )" \
14099 -s "received signature algorithm: 0x804" \
14100 -s "got named group: ffdhe8192(0104)" \
14101 -s "Certificate verification was skipped" \
14102 -C "received HelloRetryRequest message"
14103
14104requires_gnutls_tls1_3
14105requires_gnutls_next_no_ticket
14106requires_gnutls_next_disable_tls13_compat
14107requires_config_enabled MBEDTLS_SSL_CLI_C
14108requires_config_enabled MBEDTLS_DEBUG_C
14109requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14110requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
14111requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
14112requires_config_enabled PSA_WANT_ALG_FFDH
Valerio Setti05754d82024-01-18 09:47:00 +0100[diff] [blame]14113requires_config_enabled PSA_WANT_DH_RFC7919_8192
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14114client_needs_more_time 4
14115run_test "TLS 1.3 m->G: AES_128_GCM_SHA256,ffdhe8192,rsa_pss_rsae_sha256" \
David Horstmann5ab92be2024-07-01 17:01:28 +0100[diff] [blame]14116 "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+SIGN-RSA-PSS-RSAE-SHA256:+GROUP-FFDHE8192:+VERS-TLS1.3:%NO_TICKETS" \
14117 "$P_CLI ca_file=$DATA_FILES_PATH/test-ca_cat12.crt debug_level=4 force_ciphersuite=TLS1-3-AES-128-GCM-SHA256 sig_algs=rsa_pss_rsae_sha256 groups=ffdhe8192" \
Przemek Stekiel3484db42023-06-28 13:31:38 +0200[diff] [blame]14118 0 \
14119 -c "HTTP/1.0 200 OK" \
14120 -c "Protocol is TLSv1.3" \
14121 -c "server hello, chosen ciphersuite: ( 1301 ) - TLS1-3-AES-128-GCM-SHA256" \
14122 -c "Certificate Verify: Signature algorithm ( 0804 )" \
14123 -c "NamedGroup: ffdhe8192 ( 104 )" \
14124 -c "Verifying peer X.509 certificate... ok" \
14125 -C "received HelloRetryRequest message"
14126
Ronald Cron8a74f072023-06-14 17:59:29 +0200[diff] [blame]14127requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
14128requires_config_enabled MBEDTLS_SSL_SRV_C
14129requires_config_enabled MBEDTLS_SSL_CLI_C
14130requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
14131requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
14132run_test "TLS 1.3: no HRR in case of PSK key exchange mode" \
Gilles Peskineabb1c222024-05-13 21:06:26 +0200[diff] [blame]14133 "$P_SRV nbio=2 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=psk groups=none" \
14134 "$P_CLI nbio=2 debug_level=3 psk=73776f726466697368 psk_identity=0a0b0c tls13_kex_modes=all" \
Ronald Cron8a74f072023-06-14 17:59:29 +0200[diff] [blame]14135 0 \
14136 -C "received HelloRetryRequest message" \
14137 -c "Selected key exchange mode: psk$" \
14138 -c "HTTP/1.0 200 OK"
14139
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]14140# Test heap memory usage after handshake
Jerry Yuab082902021-12-23 18:02:22 +0800[diff] [blame]14141requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]14142requires_config_enabled MBEDTLS_MEMORY_DEBUG
14143requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
14144requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobc87b1d2021-07-08 15:56:33 +0100[diff] [blame]14145requires_max_content_len 16384
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]14146run_tests_memory_after_hanshake
14147
Tomás González24552ff2023-08-17 15:10:03 +0100[diff] [blame]14148if [ "$LIST_TESTS" -eq 0 ]; then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]14149
Tomás González24552ff2023-08-17 15:10:03 +0100[diff] [blame]14150 # Final report
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]14151
Tomás González24552ff2023-08-17 15:10:03 +0100[diff] [blame]14152 echo "------------------------------------------------------------------------"
14153
14154 if [ $FAILS = 0 ]; then
14155 printf "PASSED"
14156 else
14157 printf "FAILED"
14158 fi
14159 PASSES=$(( $TESTS - $FAILS ))
14160 echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
14161
Gilles Peskinec75048c2024-05-17 11:55:15 +0200[diff] [blame]14162 if [ $((TESTS - SKIPS)) -lt $MIN_TESTS ]; then
14163 cat <<EOF
14164Error: Expected to run at least $MIN_TESTS, but only ran $((TESTS - SKIPS)).
14165Maybe a bad filter ('$FILTER') or a bad configuration?
14166EOF
14167 if [ $FAILS -eq 0 ]; then
14168 FAILS=1
14169 fi
14170 fi
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]14171fi
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]14172
Tom Cosgrovefc0e79e2023-01-13 12:13:41 +0000[diff] [blame]14173if [ $FAILS -gt 255 ]; then
14174 # Clamp at 255 as caller gets exit code & 0xFF
14175 # (so 256 would be 0, or success, etc)
14176 FAILS=255
14177fi
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]14178exit $FAILS