TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9107b5fdd3d436ef3e6537c35bbb2d200445cb7b / . / tests / ssl-opt.sh
blob: 98d55f51ceff01d4c287f5ee80ddc6105ffcdb73 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]289# wait for server to start: two versions depending on lsof availability
290wait_server_start() {
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]291 if which lsof >/dev/null 2>&1; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]292 START_TIME=$( date +%s )
293 DONE=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]294
295 # make a tight loop, server usually takes less than 1 sec to start
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]296 if [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]297 while [ $DONE -eq 0 ]; do
298 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
299 then
300 DONE=1
301 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
302 echo "SERVERSTART TIMEOUT"
303 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
304 DONE=1
305 fi
306 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]307 else
Manuel Pégourié-Gonnard74681fa2015-08-04 20:34:39 +0200[diff] [blame]308 while [ $DONE -eq 0 ]; do
309 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
310 then
311 DONE=1
312 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
313 echo "SERVERSTART TIMEOUT"
314 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
315 DONE=1
316 fi
317 done
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]318 fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]319 else
320 sleep "$START_DELAY"
321 fi
322}
323
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]324# wait for client to terminate and set CLI_EXIT
325# must be called right after starting the client
326wait_client_done() {
327 CLI_PID=$!
328
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]329 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
330 CLI_DELAY_FACTOR=1
331
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]332 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]333 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]334
335 wait $CLI_PID
336 CLI_EXIT=$?
337
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]338 kill $DOG_PID >/dev/null 2>&1
339 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]340
341 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]342
343 sleep $SRV_DELAY_SECONDS
344 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]345}
346
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]347# check if the given command uses dtls and sets global variable DTLS
348detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]349 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]350 DTLS=1
351 else
352 DTLS=0
353 fi
354}
355
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]356# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]357# Options: -s pattern pattern that must be present in server output
358# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]359# -u pattern lines after pattern must be unique in client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]360# -S pattern pattern that must be absent in server output
361# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]362# -U pattern lines after pattern must be unique in server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]363run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]364 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]365 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]366
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]367 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
368 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]369 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]370 return
371 fi
372
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]373 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]374
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]375 # Do we only run numbered tests?
376 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
377 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
378 else
379 SKIP_NEXT="YES"
380 fi
381
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]382 # should we skip?
383 if [ "X$SKIP_NEXT" = "XYES" ]; then
384 SKIP_NEXT="NO"
385 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]386 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]387 return
388 fi
389
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]390 # does this test use a proxy?
391 if [ "X$1" = "X-p" ]; then
392 PXY_CMD="$2"
393 shift 2
394 else
395 PXY_CMD=""
396 fi
397
398 # get commands and client output
399 SRV_CMD="$1"
400 CLI_CMD="$2"
401 CLI_EXPECT="$3"
402 shift 3
403
404 # fix client port
405 if [ -n "$PXY_CMD" ]; then
406 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
407 else
408 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
409 fi
410
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]411 # update DTLS variable
412 detect_dtls "$SRV_CMD"
413
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]414 # prepend valgrind to our commands if active
415 if [ "$MEMCHECK" -gt 0 ]; then
416 if is_polar "$SRV_CMD"; then
417 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
418 fi
419 if is_polar "$CLI_CMD"; then
420 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
421 fi
422 fi
423
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]424 TIMES_LEFT=2
425 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]426 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]427
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]428 # run the commands
429 if [ -n "$PXY_CMD" ]; then
430 echo "$PXY_CMD" > $PXY_OUT
431 $PXY_CMD >> $PXY_OUT 2>&1 &
432 PXY_PID=$!
433 # assume proxy starts faster than server
434 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]435
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]436 check_osrv_dtls
437 echo "$SRV_CMD" > $SRV_OUT
438 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
439 SRV_PID=$!
440 wait_server_start
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]441
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]442 echo "$CLI_CMD" > $CLI_OUT
443 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
444 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]445
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]446 # terminate the server (and the proxy)
447 kill $SRV_PID
448 wait $SRV_PID
449 if [ -n "$PXY_CMD" ]; then
450 kill $PXY_PID >/dev/null 2>&1
451 wait $PXY_PID
452 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]453
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]454 # retry only on timeouts
455 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
456 printf "RETRY "
457 else
458 TIMES_LEFT=0
459 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]460 done
461
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]462 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]463 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]464 # expected client exit to incorrectly succeed in case of catastrophic
465 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]466 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]467 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]468 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]469 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]470 return
471 fi
472 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]473 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]474 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]475 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]476 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]477 return
478 fi
479 fi
480
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]481 # check server exit code
482 if [ $? != 0 ]; then
483 fail "server fail"
484 return
485 fi
486
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]487 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]488 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
489 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]490 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]491 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]492 return
493 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]494
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]495 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]496 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]497 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]498 while [ $# -gt 0 ]
499 do
500 case $1 in
501 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]502 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]503 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]504 return
505 fi
506 ;;
507
508 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]509 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]510 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]511 return
512 fi
513 ;;
514
515 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]516 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]517 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]518 return
519 fi
520 ;;
521
522 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]523 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]524 fail "pattern '$2' MUST NOT be present in the Client output"
525 return
526 fi
527 ;;
528
529 # The filtering in the following two options (-u and -U) do the following
530 # - ignore valgrind output
531 # - filter out everything but lines right after the pattern occurances
532 # - keep one of each non-unique line
533 # - count how many lines remain
534 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
535 # if there were no duplicates.
536 "-U")
537 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
538 fail "lines following pattern '$2' must be unique in Server output"
539 return
540 fi
541 ;;
542
543 "-u")
544 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
545 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]546 return
547 fi
548 ;;
549
550 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]551 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]552 exit 1
553 esac
554 shift 2
555 done
556
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]557 # check valgrind's results
558 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]559 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]560 fail "Server has memory errors"
561 return
562 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]563 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]564 fail "Client has memory errors"
565 return
566 fi
567 fi
568
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]569 # if we're here, everything is ok
570 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]571 if [ "$PRESERVE_LOGS" -gt 0 ]; then
572 mv $SRV_OUT o-srv-${TESTS}.log
573 mv $CLI_OUT o-cli-${TESTS}.log
574 fi
575
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]576 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]577}
578
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]579cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]580 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]581 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
582 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
583 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
584 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]585 exit 1
586}
587
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]588#
589# MAIN
590#
591
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]592if cd $( dirname $0 ); then :; else
593 echo "cd $( dirname $0 ) failed" >&2
594 exit 1
595fi
596
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]597get_options "$@"
598
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]599# sanity checks, avoid an avalanche of errors
600if [ ! -x "$P_SRV" ]; then
601 echo "Command '$P_SRV' is not an executable file"
602 exit 1
603fi
604if [ ! -x "$P_CLI" ]; then
605 echo "Command '$P_CLI' is not an executable file"
606 exit 1
607fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]608if [ ! -x "$P_PXY" ]; then
609 echo "Command '$P_PXY' is not an executable file"
610 exit 1
611fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]612if [ "$MEMCHECK" -gt 0 ]; then
613 if which valgrind >/dev/null 2>&1; then :; else
614 echo "Memcheck not possible. Valgrind not found"
615 exit 1
616 fi
617fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]618if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
619 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]620 exit 1
621fi
622
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]623# used by watchdog
624MAIN_PID="$$"
625
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]626# be more patient with valgrind
627if [ "$MEMCHECK" -gt 0 ]; then
628 START_DELAY=3
629 DOG_DELAY=30
630else
631 START_DELAY=1
632 DOG_DELAY=10
633fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]634CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]635SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]636
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]637# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]638# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]639P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
640P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]641P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]642O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]643O_CLI="$O_CLI -connect localhost:+SRV_PORT"
644G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]645G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]646
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]647# Allow SHA-1, because many of our test certificates use it
648P_SRV="$P_SRV allow_sha1=1"
649P_CLI="$P_CLI allow_sha1=1"
650
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]651# Also pick a unique name for intermediate files
652SRV_OUT="srv_out.$$"
653CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]654PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]655SESSION="session.$$"
656
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]657SKIP_NEXT="NO"
658
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]659trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]660
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]661# Basic test
662
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]663# Checks that:
664# - things work with all ciphersuites active (used with config-full in all.sh)
665# - the expected (highest security) parameters are selected
666# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]667run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]668 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]669 "$P_CLI" \
670 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]671 -s "Protocol is TLSv1.2" \
672 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
673 -s "client hello v3, signature_algorithm ext: 6" \
674 -s "ECDHE curve: secp521r1" \
675 -S "error" \
676 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]677
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]678run_test "Default, DTLS" \
679 "$P_SRV dtls=1" \
680 "$P_CLI dtls=1" \
681 0 \
682 -s "Protocol is DTLSv1.2" \
683 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
684
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]685# Test for uniqueness of IVs in AEAD ciphersuites
686run_test "Unique IV in GCM" \
687 "$P_SRV exchanges=20 debug_level=4" \
688 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
689 0 \
690 -u "IV used" \
691 -U "IV used"
692
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]693# Tests for rc4 option
694
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]695requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]696run_test "RC4: server disabled, client enabled" \
697 "$P_SRV" \
698 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
699 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]700 -s "SSL - The server has no ciphersuites in common"
701
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]702requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]703run_test "RC4: server half, client enabled" \
704 "$P_SRV arc4=1" \
705 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
706 1 \
707 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]708
709run_test "RC4: server enabled, client disabled" \
710 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
711 "$P_CLI" \
712 1 \
713 -s "SSL - The server has no ciphersuites in common"
714
715run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]716 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]717 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
718 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]719 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]720 -S "SSL - The server has no ciphersuites in common"
721
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]722# Tests for SHA-1 support
723
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]724requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]725run_test "SHA-1 forbidden by default in server certificate" \
726 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
727 "$P_CLI debug_level=2 allow_sha1=0" \
728 1 \
729 -c "The certificate is signed with an unacceptable hash"
730
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]731requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
732run_test "SHA-1 forbidden by default in server certificate" \
733 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
734 "$P_CLI debug_level=2 allow_sha1=0" \
735 0
736
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]737run_test "SHA-1 explicitly allowed in server certificate" \
738 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
739 "$P_CLI allow_sha1=1" \
740 0
741
742run_test "SHA-256 allowed by default in server certificate" \
743 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
744 "$P_CLI allow_sha1=0" \
745 0
746
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]747requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]748run_test "SHA-1 forbidden by default in client certificate" \
749 "$P_SRV auth_mode=required allow_sha1=0" \
750 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
751 1 \
752 -s "The certificate is signed with an unacceptable hash"
753
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]754requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
755run_test "SHA-1 forbidden by default in client certificate" \
756 "$P_SRV auth_mode=required allow_sha1=0" \
757 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
758 0
759
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]760run_test "SHA-1 explicitly allowed in client certificate" \
761 "$P_SRV auth_mode=required allow_sha1=1" \
762 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
763 0
764
765run_test "SHA-256 allowed by default in client certificate" \
766 "$P_SRV auth_mode=required allow_sha1=0" \
767 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
768 0
769
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]770# Tests for Truncated HMAC extension
771
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]772run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]773 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]774 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]775 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]776 -s "dumping 'computed mac' (20 bytes)" \
777 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]778
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]779run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]780 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]781 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
782 trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]783 0 \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]784 -s "dumping 'computed mac' (20 bytes)" \
785 -S "dumping 'computed mac' (10 bytes)"
786
787run_test "Truncated HMAC: client enabled, server default" \
788 "$P_SRV debug_level=4" \
789 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
790 trunc_hmac=1" \
791 0 \
Manuel Pégourié-Gonnard662c6e82015-05-06 17:39:23 +0100[diff] [blame]792 -s "dumping 'computed mac' (20 bytes)" \
793 -S "dumping 'computed mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]794
795run_test "Truncated HMAC: client enabled, server disabled" \
796 "$P_SRV debug_level=4 trunc_hmac=0" \
797 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
798 trunc_hmac=1" \
799 0 \
800 -s "dumping 'computed mac' (20 bytes)" \
801 -S "dumping 'computed mac' (10 bytes)"
802
803run_test "Truncated HMAC: client enabled, server enabled" \
804 "$P_SRV debug_level=4 trunc_hmac=1" \
805 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
806 trunc_hmac=1" \
807 0 \
808 -S "dumping 'computed mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]809 -s "dumping 'computed mac' (10 bytes)"
810
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]811# Tests for Encrypt-then-MAC extension
812
813run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]814 "$P_SRV debug_level=3 \
815 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]816 "$P_CLI debug_level=3" \
817 0 \
818 -c "client hello, adding encrypt_then_mac extension" \
819 -s "found encrypt then mac extension" \
820 -s "server hello, adding encrypt then mac extension" \
821 -c "found encrypt_then_mac extension" \
822 -c "using encrypt then mac" \
823 -s "using encrypt then mac"
824
825run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]826 "$P_SRV debug_level=3 etm=0 \
827 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]828 "$P_CLI debug_level=3 etm=1" \
829 0 \
830 -c "client hello, adding encrypt_then_mac extension" \
831 -s "found encrypt then mac extension" \
832 -S "server hello, adding encrypt then mac extension" \
833 -C "found encrypt_then_mac extension" \
834 -C "using encrypt then mac" \
835 -S "using encrypt then mac"
836
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]837run_test "Encrypt then MAC: client enabled, aead cipher" \
838 "$P_SRV debug_level=3 etm=1 \
839 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
840 "$P_CLI debug_level=3 etm=1" \
841 0 \
842 -c "client hello, adding encrypt_then_mac extension" \
843 -s "found encrypt then mac extension" \
844 -S "server hello, adding encrypt then mac extension" \
845 -C "found encrypt_then_mac extension" \
846 -C "using encrypt then mac" \
847 -S "using encrypt then mac"
848
849run_test "Encrypt then MAC: client enabled, stream cipher" \
850 "$P_SRV debug_level=3 etm=1 \
851 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]852 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]853 0 \
854 -c "client hello, adding encrypt_then_mac extension" \
855 -s "found encrypt then mac extension" \
856 -S "server hello, adding encrypt then mac extension" \
857 -C "found encrypt_then_mac extension" \
858 -C "using encrypt then mac" \
859 -S "using encrypt then mac"
860
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]861run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]862 "$P_SRV debug_level=3 etm=1 \
863 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]864 "$P_CLI debug_level=3 etm=0" \
865 0 \
866 -C "client hello, adding encrypt_then_mac extension" \
867 -S "found encrypt then mac extension" \
868 -S "server hello, adding encrypt then mac extension" \
869 -C "found encrypt_then_mac extension" \
870 -C "using encrypt then mac" \
871 -S "using encrypt then mac"
872
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]873requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]874run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]875 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]876 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]877 "$P_CLI debug_level=3 force_version=ssl3" \
878 0 \
879 -C "client hello, adding encrypt_then_mac extension" \
880 -S "found encrypt then mac extension" \
881 -S "server hello, adding encrypt then mac extension" \
882 -C "found encrypt_then_mac extension" \
883 -C "using encrypt then mac" \
884 -S "using encrypt then mac"
885
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]886requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]887run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]888 "$P_SRV debug_level=3 force_version=ssl3 \
889 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]890 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]891 0 \
892 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]893 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]894 -S "server hello, adding encrypt then mac extension" \
895 -C "found encrypt_then_mac extension" \
896 -C "using encrypt then mac" \
897 -S "using encrypt then mac"
898
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]899# Tests for Extended Master Secret extension
900
901run_test "Extended Master Secret: default" \
902 "$P_SRV debug_level=3" \
903 "$P_CLI debug_level=3" \
904 0 \
905 -c "client hello, adding extended_master_secret extension" \
906 -s "found extended master secret extension" \
907 -s "server hello, adding extended master secret extension" \
908 -c "found extended_master_secret extension" \
909 -c "using extended master secret" \
910 -s "using extended master secret"
911
912run_test "Extended Master Secret: client enabled, server disabled" \
913 "$P_SRV debug_level=3 extended_ms=0" \
914 "$P_CLI debug_level=3 extended_ms=1" \
915 0 \
916 -c "client hello, adding extended_master_secret extension" \
917 -s "found extended master secret extension" \
918 -S "server hello, adding extended master secret extension" \
919 -C "found extended_master_secret extension" \
920 -C "using extended master secret" \
921 -S "using extended master secret"
922
923run_test "Extended Master Secret: client disabled, server enabled" \
924 "$P_SRV debug_level=3 extended_ms=1" \
925 "$P_CLI debug_level=3 extended_ms=0" \
926 0 \
927 -C "client hello, adding extended_master_secret extension" \
928 -S "found extended master secret extension" \
929 -S "server hello, adding extended master secret extension" \
930 -C "found extended_master_secret extension" \
931 -C "using extended master secret" \
932 -S "using extended master secret"
933
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]934requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]935run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]936 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]937 "$P_CLI debug_level=3 force_version=ssl3" \
938 0 \
939 -C "client hello, adding extended_master_secret extension" \
940 -S "found extended master secret extension" \
941 -S "server hello, adding extended master secret extension" \
942 -C "found extended_master_secret extension" \
943 -C "using extended master secret" \
944 -S "using extended master secret"
945
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]946requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]947run_test "Extended Master Secret: client enabled, server SSLv3" \
948 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]949 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]950 0 \
951 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]952 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]953 -S "server hello, adding extended master secret extension" \
954 -C "found extended_master_secret extension" \
955 -C "using extended master secret" \
956 -S "using extended master secret"
957
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]958# Tests for FALLBACK_SCSV
959
960run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]961 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]962 "$P_CLI debug_level=3 force_version=tls1_1" \
963 0 \
964 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]965 -S "received FALLBACK_SCSV" \
966 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]967 -C "is a fatal alert message (msg 86)"
968
969run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]970 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]971 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
972 0 \
973 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]974 -S "received FALLBACK_SCSV" \
975 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]976 -C "is a fatal alert message (msg 86)"
977
978run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]979 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]980 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]981 1 \
982 -c "adding FALLBACK_SCSV" \
983 -s "received FALLBACK_SCSV" \
984 -s "inapropriate fallback" \
985 -c "is a fatal alert message (msg 86)"
986
987run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]988 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]989 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]990 0 \
991 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]992 -s "received FALLBACK_SCSV" \
993 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]994 -C "is a fatal alert message (msg 86)"
995
996requires_openssl_with_fallback_scsv
997run_test "Fallback SCSV: default, openssl server" \
998 "$O_SRV" \
999 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1000 0 \
1001 -C "adding FALLBACK_SCSV" \
1002 -C "is a fatal alert message (msg 86)"
1003
1004requires_openssl_with_fallback_scsv
1005run_test "Fallback SCSV: enabled, openssl server" \
1006 "$O_SRV" \
1007 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1008 1 \
1009 -c "adding FALLBACK_SCSV" \
1010 -c "is a fatal alert message (msg 86)"
1011
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1012requires_openssl_with_fallback_scsv
1013run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1014 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1015 "$O_CLI -tls1_1" \
1016 0 \
1017 -S "received FALLBACK_SCSV" \
1018 -S "inapropriate fallback"
1019
1020requires_openssl_with_fallback_scsv
1021run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1022 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1023 "$O_CLI -tls1_1 -fallback_scsv" \
1024 1 \
1025 -s "received FALLBACK_SCSV" \
1026 -s "inapropriate fallback"
1027
1028requires_openssl_with_fallback_scsv
1029run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1030 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1031 "$O_CLI -fallback_scsv" \
1032 0 \
1033 -s "received FALLBACK_SCSV" \
1034 -S "inapropriate fallback"
1035
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1036## ClientHello generated with
1037## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1038## then manually twiddling the ciphersuite list.
1039## The ClientHello content is spelled out below as a hex string as
1040## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1041## The expected response is an inappropriate_fallback alert.
1042requires_openssl_with_fallback_scsv
1043run_test "Fallback SCSV: beginning of list" \
1044 "$P_SRV debug_level=2" \
1045 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1046 0 \
1047 -s "received FALLBACK_SCSV" \
1048 -s "inapropriate fallback"
1049
1050requires_openssl_with_fallback_scsv
1051run_test "Fallback SCSV: end of list" \
1052 "$P_SRV debug_level=2" \
1053 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1054 0 \
1055 -s "received FALLBACK_SCSV" \
1056 -s "inapropriate fallback"
1057
1058## Here the expected response is a valid ServerHello prefix, up to the random.
1059requires_openssl_with_fallback_scsv
1060run_test "Fallback SCSV: not in list" \
1061 "$P_SRV debug_level=2" \
1062 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1063 0 \
1064 -S "received FALLBACK_SCSV" \
1065 -S "inapropriate fallback"
1066
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1067# Tests for CBC 1/n-1 record splitting
1068
1069run_test "CBC Record splitting: TLS 1.2, no splitting" \
1070 "$P_SRV" \
1071 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1072 request_size=123 force_version=tls1_2" \
1073 0 \
1074 -s "Read from client: 123 bytes read" \
1075 -S "Read from client: 1 bytes read" \
1076 -S "122 bytes read"
1077
1078run_test "CBC Record splitting: TLS 1.1, no splitting" \
1079 "$P_SRV" \
1080 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1081 request_size=123 force_version=tls1_1" \
1082 0 \
1083 -s "Read from client: 123 bytes read" \
1084 -S "Read from client: 1 bytes read" \
1085 -S "122 bytes read"
1086
1087run_test "CBC Record splitting: TLS 1.0, splitting" \
1088 "$P_SRV" \
1089 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1090 request_size=123 force_version=tls1" \
1091 0 \
1092 -S "Read from client: 123 bytes read" \
1093 -s "Read from client: 1 bytes read" \
1094 -s "122 bytes read"
1095
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1096requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1097run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1098 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1099 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1100 request_size=123 force_version=ssl3" \
1101 0 \
1102 -S "Read from client: 123 bytes read" \
1103 -s "Read from client: 1 bytes read" \
1104 -s "122 bytes read"
1105
1106run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1107 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1108 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1109 request_size=123 force_version=tls1" \
1110 0 \
1111 -s "Read from client: 123 bytes read" \
1112 -S "Read from client: 1 bytes read" \
1113 -S "122 bytes read"
1114
1115run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1116 "$P_SRV" \
1117 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1118 request_size=123 force_version=tls1 recsplit=0" \
1119 0 \
1120 -s "Read from client: 123 bytes read" \
1121 -S "Read from client: 1 bytes read" \
1122 -S "122 bytes read"
1123
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1124run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1125 "$P_SRV nbio=2" \
1126 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1127 request_size=123 force_version=tls1" \
1128 0 \
1129 -S "Read from client: 123 bytes read" \
1130 -s "Read from client: 1 bytes read" \
1131 -s "122 bytes read"
1132
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1133# Tests for Session Tickets
1134
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1135run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1136 "$P_SRV debug_level=3 tickets=1" \
1137 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1138 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1139 -c "client hello, adding session ticket extension" \
1140 -s "found session ticket extension" \
1141 -s "server hello, adding session ticket extension" \
1142 -c "found session_ticket extension" \
1143 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1144 -S "session successfully restored from cache" \
1145 -s "session successfully restored from ticket" \
1146 -s "a session has been resumed" \
1147 -c "a session has been resumed"
1148
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1149run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1150 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1151 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1152 0 \
1153 -c "client hello, adding session ticket extension" \
1154 -s "found session ticket extension" \
1155 -s "server hello, adding session ticket extension" \
1156 -c "found session_ticket extension" \
1157 -c "parse new session ticket" \
1158 -S "session successfully restored from cache" \
1159 -s "session successfully restored from ticket" \
1160 -s "a session has been resumed" \
1161 -c "a session has been resumed"
1162
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1163run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1164 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1165 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1166 0 \
1167 -c "client hello, adding session ticket extension" \
1168 -s "found session ticket extension" \
1169 -s "server hello, adding session ticket extension" \
1170 -c "found session_ticket extension" \
1171 -c "parse new session ticket" \
1172 -S "session successfully restored from cache" \
1173 -S "session successfully restored from ticket" \
1174 -S "a session has been resumed" \
1175 -C "a session has been resumed"
1176
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1177run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1178 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1179 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1180 0 \
1181 -c "client hello, adding session ticket extension" \
1182 -c "found session_ticket extension" \
1183 -c "parse new session ticket" \
1184 -c "a session has been resumed"
1185
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1186run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1187 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1188 "( $O_CLI -sess_out $SESSION; \
1189 $O_CLI -sess_in $SESSION; \
1190 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1191 0 \
1192 -s "found session ticket extension" \
1193 -s "server hello, adding session ticket extension" \
1194 -S "session successfully restored from cache" \
1195 -s "session successfully restored from ticket" \
1196 -s "a session has been resumed"
1197
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1198# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1199
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1200run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1201 "$P_SRV debug_level=3 tickets=0" \
1202 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1203 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1204 -c "client hello, adding session ticket extension" \
1205 -s "found session ticket extension" \
1206 -S "server hello, adding session ticket extension" \
1207 -C "found session_ticket extension" \
1208 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1209 -s "session successfully restored from cache" \
1210 -S "session successfully restored from ticket" \
1211 -s "a session has been resumed" \
1212 -c "a session has been resumed"
1213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1214run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1215 "$P_SRV debug_level=3 tickets=1" \
1216 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1217 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1218 -C "client hello, adding session ticket extension" \
1219 -S "found session ticket extension" \
1220 -S "server hello, adding session ticket extension" \
1221 -C "found session_ticket extension" \
1222 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1223 -s "session successfully restored from cache" \
1224 -S "session successfully restored from ticket" \
1225 -s "a session has been resumed" \
1226 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1227
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1228run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1229 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1230 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1231 0 \
1232 -S "session successfully restored from cache" \
1233 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1234 -S "a session has been resumed" \
1235 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1236
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1237run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1238 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1239 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1240 0 \
1241 -s "session successfully restored from cache" \
1242 -S "session successfully restored from ticket" \
1243 -s "a session has been resumed" \
1244 -c "a session has been resumed"
1245
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1246run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1247 "$P_SRV debug_level=3 tickets=0" \
1248 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1249 0 \
1250 -s "session successfully restored from cache" \
1251 -S "session successfully restored from ticket" \
1252 -s "a session has been resumed" \
1253 -c "a session has been resumed"
1254
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1255run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1256 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1257 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1258 0 \
1259 -S "session successfully restored from cache" \
1260 -S "session successfully restored from ticket" \
1261 -S "a session has been resumed" \
1262 -C "a session has been resumed"
1263
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1264run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1265 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1266 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1267 0 \
1268 -s "session successfully restored from cache" \
1269 -S "session successfully restored from ticket" \
1270 -s "a session has been resumed" \
1271 -c "a session has been resumed"
1272
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1273run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1274 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1275 "( $O_CLI -sess_out $SESSION; \
1276 $O_CLI -sess_in $SESSION; \
1277 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1278 0 \
1279 -s "found session ticket extension" \
1280 -S "server hello, adding session ticket extension" \
1281 -s "session successfully restored from cache" \
1282 -S "session successfully restored from ticket" \
1283 -s "a session has been resumed"
1284
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1285run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1286 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1287 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1288 0 \
1289 -C "found session_ticket extension" \
1290 -C "parse new session ticket" \
1291 -c "a session has been resumed"
1292
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1293# Tests for Max Fragment Length extension
1294
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1295run_test "Max fragment length: not used, reference" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1296 "$P_SRV debug_level=3" \
1297 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1298 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1299 -c "Maximum fragment length is 16384" \
1300 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1301 -C "client hello, adding max_fragment_length extension" \
1302 -S "found max fragment length extension" \
1303 -S "server hello, max_fragment_length extension" \
1304 -C "found max_fragment_length extension"
1305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1306run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1307 "$P_SRV debug_level=3" \
1308 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1309 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1310 -c "Maximum fragment length is 4096" \
1311 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1312 -c "client hello, adding max_fragment_length extension" \
1313 -s "found max fragment length extension" \
1314 -s "server hello, max_fragment_length extension" \
1315 -c "found max_fragment_length extension"
1316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1317run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1318 "$P_SRV debug_level=3 max_frag_len=4096" \
1319 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1320 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1321 -c "Maximum fragment length is 16384" \
1322 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1323 -C "client hello, adding max_fragment_length extension" \
1324 -S "found max fragment length extension" \
1325 -S "server hello, max_fragment_length extension" \
1326 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1327
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1328requires_gnutls
1329run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1330 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1331 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1332 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1333 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1334 -c "client hello, adding max_fragment_length extension" \
1335 -c "found max_fragment_length extension"
1336
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1337run_test "Max fragment length: client, message just fits" \
1338 "$P_SRV debug_level=3" \
1339 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1340 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1341 -c "Maximum fragment length is 2048" \
1342 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1343 -c "client hello, adding max_fragment_length extension" \
1344 -s "found max fragment length extension" \
1345 -s "server hello, max_fragment_length extension" \
1346 -c "found max_fragment_length extension" \
1347 -c "2048 bytes written in 1 fragments" \
1348 -s "2048 bytes read"
1349
1350run_test "Max fragment length: client, larger message" \
1351 "$P_SRV debug_level=3" \
1352 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1353 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1354 -c "Maximum fragment length is 2048" \
1355 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1356 -c "client hello, adding max_fragment_length extension" \
1357 -s "found max fragment length extension" \
1358 -s "server hello, max_fragment_length extension" \
1359 -c "found max_fragment_length extension" \
1360 -c "2345 bytes written in 2 fragments" \
1361 -s "2048 bytes read" \
1362 -s "297 bytes read"
1363
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1364run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1365 "$P_SRV debug_level=3 dtls=1" \
1366 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1367 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1368 -c "Maximum fragment length is 2048" \
1369 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1370 -c "client hello, adding max_fragment_length extension" \
1371 -s "found max fragment length extension" \
1372 -s "server hello, max_fragment_length extension" \
1373 -c "found max_fragment_length extension" \
1374 -c "fragment larger than.*maximum"
1375
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1376# Tests for renegotiation
1377
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1378run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1379 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1380 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1381 0 \
1382 -C "client hello, adding renegotiation extension" \
1383 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1384 -S "found renegotiation extension" \
1385 -s "server hello, secure renegotiation extension" \
1386 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1387 -C "=> renegotiate" \
1388 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1389 -S "write hello request"
1390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1391run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1392 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1393 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1394 0 \
1395 -c "client hello, adding renegotiation extension" \
1396 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1397 -s "found renegotiation extension" \
1398 -s "server hello, secure renegotiation extension" \
1399 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1400 -c "=> renegotiate" \
1401 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1402 -S "write hello request"
1403
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1404run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1405 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1406 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1407 0 \
1408 -c "client hello, adding renegotiation extension" \
1409 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1410 -s "found renegotiation extension" \
1411 -s "server hello, secure renegotiation extension" \
1412 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1413 -c "=> renegotiate" \
1414 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1415 -s "write hello request"
1416
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1417run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1418 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1419 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1420 0 \
1421 -c "client hello, adding renegotiation extension" \
1422 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1423 -s "found renegotiation extension" \
1424 -s "server hello, secure renegotiation extension" \
1425 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1426 -c "=> renegotiate" \
1427 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1428 -s "write hello request"
1429
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1430run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1431 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1432 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1433 1 \
1434 -c "client hello, adding renegotiation extension" \
1435 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1436 -S "found renegotiation extension" \
1437 -s "server hello, secure renegotiation extension" \
1438 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1439 -c "=> renegotiate" \
1440 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1441 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1442 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1443 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1444
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1445run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1446 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1447 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1448 0 \
1449 -C "client hello, adding renegotiation extension" \
1450 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1451 -S "found renegotiation extension" \
1452 -s "server hello, secure renegotiation extension" \
1453 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1454 -C "=> renegotiate" \
1455 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1456 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1457 -S "SSL - An unexpected message was received from our peer" \
1458 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1459
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1460run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1461 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1462 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1463 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1464 0 \
1465 -C "client hello, adding renegotiation extension" \
1466 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1467 -S "found renegotiation extension" \
1468 -s "server hello, secure renegotiation extension" \
1469 -c "found renegotiation extension" \
1470 -C "=> renegotiate" \
1471 -S "=> renegotiate" \
1472 -s "write hello request" \
1473 -S "SSL - An unexpected message was received from our peer" \
1474 -S "failed"
1475
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1476# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1477run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1478 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1479 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1480 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1481 0 \
1482 -C "client hello, adding renegotiation extension" \
1483 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1484 -S "found renegotiation extension" \
1485 -s "server hello, secure renegotiation extension" \
1486 -c "found renegotiation extension" \
1487 -C "=> renegotiate" \
1488 -S "=> renegotiate" \
1489 -s "write hello request" \
1490 -S "SSL - An unexpected message was received from our peer" \
1491 -S "failed"
1492
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1493run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1494 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1495 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1496 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1497 0 \
1498 -C "client hello, adding renegotiation extension" \
1499 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1500 -S "found renegotiation extension" \
1501 -s "server hello, secure renegotiation extension" \
1502 -c "found renegotiation extension" \
1503 -C "=> renegotiate" \
1504 -S "=> renegotiate" \
1505 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1506 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1508run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1509 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1510 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1511 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1512 0 \
1513 -c "client hello, adding renegotiation extension" \
1514 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1515 -s "found renegotiation extension" \
1516 -s "server hello, secure renegotiation extension" \
1517 -c "found renegotiation extension" \
1518 -c "=> renegotiate" \
1519 -s "=> renegotiate" \
1520 -s "write hello request" \
1521 -S "SSL - An unexpected message was received from our peer" \
1522 -S "failed"
1523
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1524run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1525 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1526 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1527 0 \
1528 -C "client hello, adding renegotiation extension" \
1529 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1530 -S "found renegotiation extension" \
1531 -s "server hello, secure renegotiation extension" \
1532 -c "found renegotiation extension" \
1533 -S "record counter limit reached: renegotiate" \
1534 -C "=> renegotiate" \
1535 -S "=> renegotiate" \
1536 -S "write hello request" \
1537 -S "SSL - An unexpected message was received from our peer" \
1538 -S "failed"
1539
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1540# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1541run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1542 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1543 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1544 0 \
1545 -c "client hello, adding renegotiation extension" \
1546 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1547 -s "found renegotiation extension" \
1548 -s "server hello, secure renegotiation extension" \
1549 -c "found renegotiation extension" \
1550 -s "record counter limit reached: renegotiate" \
1551 -c "=> renegotiate" \
1552 -s "=> renegotiate" \
1553 -s "write hello request" \
1554 -S "SSL - An unexpected message was received from our peer" \
1555 -S "failed"
1556
1557run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1558 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1559 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1560 0 \
1561 -c "client hello, adding renegotiation extension" \
1562 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1563 -s "found renegotiation extension" \
1564 -s "server hello, secure renegotiation extension" \
1565 -c "found renegotiation extension" \
1566 -s "record counter limit reached: renegotiate" \
1567 -c "=> renegotiate" \
1568 -s "=> renegotiate" \
1569 -s "write hello request" \
1570 -S "SSL - An unexpected message was received from our peer" \
1571 -S "failed"
1572
1573run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1574 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1575 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1576 0 \
1577 -C "client hello, adding renegotiation extension" \
1578 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1579 -S "found renegotiation extension" \
1580 -s "server hello, secure renegotiation extension" \
1581 -c "found renegotiation extension" \
1582 -S "record counter limit reached: renegotiate" \
1583 -C "=> renegotiate" \
1584 -S "=> renegotiate" \
1585 -S "write hello request" \
1586 -S "SSL - An unexpected message was received from our peer" \
1587 -S "failed"
1588
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1589run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1590 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1591 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1592 0 \
1593 -c "client hello, adding renegotiation extension" \
1594 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1595 -s "found renegotiation extension" \
1596 -s "server hello, secure renegotiation extension" \
1597 -c "found renegotiation extension" \
1598 -c "=> renegotiate" \
1599 -s "=> renegotiate" \
1600 -S "write hello request"
1601
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1602run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1603 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1604 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]1605 0 \
1606 -c "client hello, adding renegotiation extension" \
1607 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1608 -s "found renegotiation extension" \
1609 -s "server hello, secure renegotiation extension" \
1610 -c "found renegotiation extension" \
1611 -c "=> renegotiate" \
1612 -s "=> renegotiate" \
1613 -s "write hello request"
1614
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1615run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]1616 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1617 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1618 0 \
1619 -c "client hello, adding renegotiation extension" \
1620 -c "found renegotiation extension" \
1621 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1622 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1623 -C "error" \
1624 -c "HTTP/1.0 200 [Oo][Kk]"
1625
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1626requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1627run_test "Renegotiation: gnutls server strict, client-initiated" \
1628 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1629 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1630 0 \
1631 -c "client hello, adding renegotiation extension" \
1632 -c "found renegotiation extension" \
1633 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1634 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]1635 -C "error" \
1636 -c "HTTP/1.0 200 [Oo][Kk]"
1637
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1638requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1639run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1640 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1641 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1642 1 \
1643 -c "client hello, adding renegotiation extension" \
1644 -C "found renegotiation extension" \
1645 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1647 -c "error" \
1648 -C "HTTP/1.0 200 [Oo][Kk]"
1649
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1650requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1651run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1652 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1653 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1654 allow_legacy=0" \
1655 1 \
1656 -c "client hello, adding renegotiation extension" \
1657 -C "found renegotiation extension" \
1658 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1659 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1660 -c "error" \
1661 -C "HTTP/1.0 200 [Oo][Kk]"
1662
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1663requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1664run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
1665 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1666 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1667 allow_legacy=1" \
1668 0 \
1669 -c "client hello, adding renegotiation extension" \
1670 -C "found renegotiation extension" \
1671 -c "=> renegotiate" \
1672 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1673 -C "error" \
1674 -c "HTTP/1.0 200 [Oo][Kk]"
1675
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]1676run_test "Renegotiation: DTLS, client-initiated" \
1677 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1678 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1679 0 \
1680 -c "client hello, adding renegotiation extension" \
1681 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1682 -s "found renegotiation extension" \
1683 -s "server hello, secure renegotiation extension" \
1684 -c "found renegotiation extension" \
1685 -c "=> renegotiate" \
1686 -s "=> renegotiate" \
1687 -S "write hello request"
1688
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1689run_test "Renegotiation: DTLS, server-initiated" \
1690 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]1691 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1692 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]1693 0 \
1694 -c "client hello, adding renegotiation extension" \
1695 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1696 -s "found renegotiation extension" \
1697 -s "server hello, secure renegotiation extension" \
1698 -c "found renegotiation extension" \
1699 -c "=> renegotiate" \
1700 -s "=> renegotiate" \
1701 -s "write hello request"
1702
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]1703run_test "Renegotiation: DTLS, renego_period overflow" \
1704 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
1705 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
1706 0 \
1707 -c "client hello, adding renegotiation extension" \
1708 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1709 -s "found renegotiation extension" \
1710 -s "server hello, secure renegotiation extension" \
1711 -s "record counter limit reached: renegotiate" \
1712 -c "=> renegotiate" \
1713 -s "=> renegotiate" \
1714 -s "write hello request" \
1715
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]1716requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1717run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1718 "$G_SRV -u --mtu 4096" \
1719 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1720 0 \
1721 -c "client hello, adding renegotiation extension" \
1722 -c "found renegotiation extension" \
1723 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]1725 -C "error" \
1726 -s "Extra-header:"
1727
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1728# Test for the "secure renegotation" extension only (no actual renegotiation)
1729
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1730requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1731run_test "Renego ext: gnutls server strict, client default" \
1732 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
1733 "$P_CLI debug_level=3" \
1734 0 \
1735 -c "found renegotiation extension" \
1736 -C "error" \
1737 -c "HTTP/1.0 200 [Oo][Kk]"
1738
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1739requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1740run_test "Renego ext: gnutls server unsafe, client default" \
1741 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1742 "$P_CLI debug_level=3" \
1743 0 \
1744 -C "found renegotiation extension" \
1745 -C "error" \
1746 -c "HTTP/1.0 200 [Oo][Kk]"
1747
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1748requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1749run_test "Renego ext: gnutls server unsafe, client break legacy" \
1750 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1751 "$P_CLI debug_level=3 allow_legacy=-1" \
1752 1 \
1753 -C "found renegotiation extension" \
1754 -c "error" \
1755 -C "HTTP/1.0 200 [Oo][Kk]"
1756
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1757requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1758run_test "Renego ext: gnutls client strict, server default" \
1759 "$P_SRV debug_level=3" \
1760 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
1761 0 \
1762 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1763 -s "server hello, secure renegotiation extension"
1764
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1765requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1766run_test "Renego ext: gnutls client unsafe, server default" \
1767 "$P_SRV debug_level=3" \
1768 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1769 0 \
1770 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1771 -S "server hello, secure renegotiation extension"
1772
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]1773requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]1774run_test "Renego ext: gnutls client unsafe, server break legacy" \
1775 "$P_SRV debug_level=3 allow_legacy=-1" \
1776 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1777 1 \
1778 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
1779 -S "server hello, secure renegotiation extension"
1780
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]1781# Tests for silently dropping trailing extra bytes in .der certificates
1782
1783requires_gnutls
1784run_test "DER format: no trailing bytes" \
1785 "$P_SRV crt_file=data_files/server5-der0.crt \
1786 key_file=data_files/server5.key" \
1787 "$G_CLI " \
1788 0 \
1789 -c "Handshake was completed" \
1790
1791requires_gnutls
1792run_test "DER format: with a trailing zero byte" \
1793 "$P_SRV crt_file=data_files/server5-der1a.crt \
1794 key_file=data_files/server5.key" \
1795 "$G_CLI " \
1796 0 \
1797 -c "Handshake was completed" \
1798
1799requires_gnutls
1800run_test "DER format: with a trailing random byte" \
1801 "$P_SRV crt_file=data_files/server5-der1b.crt \
1802 key_file=data_files/server5.key" \
1803 "$G_CLI " \
1804 0 \
1805 -c "Handshake was completed" \
1806
1807requires_gnutls
1808run_test "DER format: with 2 trailing random bytes" \
1809 "$P_SRV crt_file=data_files/server5-der2.crt \
1810 key_file=data_files/server5.key" \
1811 "$G_CLI " \
1812 0 \
1813 -c "Handshake was completed" \
1814
1815requires_gnutls
1816run_test "DER format: with 4 trailing random bytes" \
1817 "$P_SRV crt_file=data_files/server5-der4.crt \
1818 key_file=data_files/server5.key" \
1819 "$G_CLI " \
1820 0 \
1821 -c "Handshake was completed" \
1822
1823requires_gnutls
1824run_test "DER format: with 8 trailing random bytes" \
1825 "$P_SRV crt_file=data_files/server5-der8.crt \
1826 key_file=data_files/server5.key" \
1827 "$G_CLI " \
1828 0 \
1829 -c "Handshake was completed" \
1830
1831requires_gnutls
1832run_test "DER format: with 9 trailing random bytes" \
1833 "$P_SRV crt_file=data_files/server5-der9.crt \
1834 key_file=data_files/server5.key" \
1835 "$G_CLI " \
1836 0 \
1837 -c "Handshake was completed" \
1838
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1839# Tests for auth_mode
1840
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1841run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1842 "$P_SRV crt_file=data_files/server5-badsign.crt \
1843 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1844 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1845 1 \
1846 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1847 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1849 -c "X509 - Certificate verification failed"
1850
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1851run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1852 "$P_SRV crt_file=data_files/server5-badsign.crt \
1853 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1854 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1855 0 \
1856 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1857 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1859 -C "X509 - Certificate verification failed"
1860
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]1861run_test "Authentication: server goodcert, client optional, no trusted CA" \
1862 "$P_SRV" \
1863 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1864 0 \
1865 -c "x509_verify_cert() returned" \
1866 -c "! The certificate is not correctly signed by the trusted CA" \
1867 -c "! Certificate verification flags"\
1868 -C "! mbedtls_ssl_handshake returned" \
1869 -C "X509 - Certificate verification failed" \
1870 -C "SSL - No CA Chain is set, but required to operate"
1871
1872run_test "Authentication: server goodcert, client required, no trusted CA" \
1873 "$P_SRV" \
1874 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1875 1 \
1876 -c "x509_verify_cert() returned" \
1877 -c "! The certificate is not correctly signed by the trusted CA" \
1878 -c "! Certificate verification flags"\
1879 -c "! mbedtls_ssl_handshake returned" \
1880 -c "SSL - No CA Chain is set, but required to operate"
1881
1882# The purpose of the next two tests is to test the client's behaviour when receiving a server
1883# certificate with an unsupported elliptic curve. This should usually not happen because
1884# the client informs the server about the supported curves - it does, though, in the
1885# corner case of a static ECDH suite, because the server doesn't check the curve on that
1886# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
1887# different means to have the server ignoring the client's supported curve list.
1888
1889requires_config_enabled MBEDTLS_ECP_C
1890run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
1891 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1892 crt_file=data_files/server5.ku-ka.crt" \
1893 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
1894 1 \
1895 -c "bad certificate (EC key curve)"\
1896 -c "! Certificate verification flags"\
1897 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
1898
1899requires_config_enabled MBEDTLS_ECP_C
1900run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
1901 "$P_SRV debug_level=1 key_file=data_files/server5.key \
1902 crt_file=data_files/server5.ku-ka.crt" \
1903 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
1904 1 \
1905 -c "bad certificate (EC key curve)"\
1906 -c "! Certificate verification flags"\
1907 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1908
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1909run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1910 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1911 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1912 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1913 0 \
1914 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]1915 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1916 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1917 -C "X509 - Certificate verification failed"
1918
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]1919run_test "Authentication: client SHA256, server required" \
1920 "$P_SRV auth_mode=required" \
1921 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1922 key_file=data_files/server6.key \
1923 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1924 0 \
1925 -c "Supported Signature Algorithm found: 4," \
1926 -c "Supported Signature Algorithm found: 5,"
1927
1928run_test "Authentication: client SHA384, server required" \
1929 "$P_SRV auth_mode=required" \
1930 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1931 key_file=data_files/server6.key \
1932 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
1933 0 \
1934 -c "Supported Signature Algorithm found: 4," \
1935 -c "Supported Signature Algorithm found: 5,"
1936
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]1937requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
1938run_test "Authentication: client has no cert, server required (SSLv3)" \
1939 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
1940 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
1941 key_file=data_files/server5.key" \
1942 1 \
1943 -S "skip write certificate request" \
1944 -C "skip parse certificate request" \
1945 -c "got a certificate request" \
1946 -c "got no certificate to send" \
1947 -S "x509_verify_cert() returned" \
1948 -s "client has no certificate" \
1949 -s "! mbedtls_ssl_handshake returned" \
1950 -c "! mbedtls_ssl_handshake returned" \
1951 -s "No client certification received from the client, but required by the authentication mode"
1952
1953run_test "Authentication: client has no cert, server required (TLS)" \
1954 "$P_SRV debug_level=3 auth_mode=required" \
1955 "$P_CLI debug_level=3 crt_file=none \
1956 key_file=data_files/server5.key" \
1957 1 \
1958 -S "skip write certificate request" \
1959 -C "skip parse certificate request" \
1960 -c "got a certificate request" \
1961 -c "= write certificate$" \
1962 -C "skip write certificate$" \
1963 -S "x509_verify_cert() returned" \
1964 -s "client has no certificate" \
1965 -s "! mbedtls_ssl_handshake returned" \
1966 -c "! mbedtls_ssl_handshake returned" \
1967 -s "No client certification received from the client, but required by the authentication mode"
1968
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1969run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1970 "$P_SRV debug_level=3 auth_mode=required" \
1971 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1972 key_file=data_files/server5.key" \
1973 1 \
1974 -S "skip write certificate request" \
1975 -C "skip parse certificate request" \
1976 -c "got a certificate request" \
1977 -C "skip write certificate" \
1978 -C "skip write certificate verify" \
1979 -S "skip parse certificate verify" \
1980 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]1981 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1982 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1983 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1984 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1985 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]1986# We don't check that the client receives the alert because it might
1987# detect that its write end of the connection is closed and abort
1988# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1989
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]1990run_test "Authentication: client cert not trusted, server required" \
1991 "$P_SRV debug_level=3 auth_mode=required" \
1992 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
1993 key_file=data_files/server5.key" \
1994 1 \
1995 -S "skip write certificate request" \
1996 -C "skip parse certificate request" \
1997 -c "got a certificate request" \
1998 -C "skip write certificate" \
1999 -C "skip write certificate verify" \
2000 -S "skip parse certificate verify" \
2001 -s "x509_verify_cert() returned" \
2002 -s "! The certificate is not correctly signed by the trusted CA" \
2003 -s "! mbedtls_ssl_handshake returned" \
2004 -c "! mbedtls_ssl_handshake returned" \
2005 -s "X509 - Certificate verification failed"
2006
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2007run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2008 "$P_SRV debug_level=3 auth_mode=optional" \
2009 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2010 key_file=data_files/server5.key" \
2011 0 \
2012 -S "skip write certificate request" \
2013 -C "skip parse certificate request" \
2014 -c "got a certificate request" \
2015 -C "skip write certificate" \
2016 -C "skip write certificate verify" \
2017 -S "skip parse certificate verify" \
2018 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2019 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020 -S "! mbedtls_ssl_handshake returned" \
2021 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2022 -S "X509 - Certificate verification failed"
2023
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2024run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2025 "$P_SRV debug_level=3 auth_mode=none" \
2026 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2027 key_file=data_files/server5.key" \
2028 0 \
2029 -s "skip write certificate request" \
2030 -C "skip parse certificate request" \
2031 -c "got no certificate request" \
2032 -c "skip write certificate" \
2033 -c "skip write certificate verify" \
2034 -s "skip parse certificate verify" \
2035 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2036 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 -S "! mbedtls_ssl_handshake returned" \
2038 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2039 -S "X509 - Certificate verification failed"
2040
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2041run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2042 "$P_SRV debug_level=3 auth_mode=optional" \
2043 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2044 0 \
2045 -S "skip write certificate request" \
2046 -C "skip parse certificate request" \
2047 -c "got a certificate request" \
2048 -C "skip write certificate$" \
2049 -C "got no certificate to send" \
2050 -S "SSLv3 client has no certificate" \
2051 -c "skip write certificate verify" \
2052 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2053 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2054 -S "! mbedtls_ssl_handshake returned" \
2055 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2056 -S "X509 - Certificate verification failed"
2057
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2058run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2059 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2060 "$O_CLI" \
2061 0 \
2062 -S "skip write certificate request" \
2063 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2064 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2065 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2066 -S "X509 - Certificate verification failed"
2067
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2068run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2069 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2070 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2071 0 \
2072 -C "skip parse certificate request" \
2073 -c "got a certificate request" \
2074 -C "skip write certificate$" \
2075 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2076 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2077
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2078run_test "Authentication: client no cert, openssl server required" \
2079 "$O_SRV -Verify 10" \
2080 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2081 1 \
2082 -C "skip parse certificate request" \
2083 -c "got a certificate request" \
2084 -C "skip write certificate$" \
2085 -c "skip write certificate verify" \
2086 -c "! mbedtls_ssl_handshake returned"
2087
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2088requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2089run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2090 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2091 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2092 0 \
2093 -S "skip write certificate request" \
2094 -C "skip parse certificate request" \
2095 -c "got a certificate request" \
2096 -C "skip write certificate$" \
2097 -c "skip write certificate verify" \
2098 -c "got no certificate to send" \
2099 -s "SSLv3 client has no certificate" \
2100 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2101 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102 -S "! mbedtls_ssl_handshake returned" \
2103 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2104 -S "X509 - Certificate verification failed"
2105
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame^]2106# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2107# default value (8)
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2108run_test "Authentication: server max_int chain, client default" \
2109 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2110 key_file=data_files/dir-maxpath/09.key" \
2111 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2112 0 \
2113 -C "X509 - A fatal error occured"
2114
2115run_test "Authentication: server max_int+1 chain, client default" \
2116 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2117 key_file=data_files/dir-maxpath/10.key" \
2118 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2119 1 \
2120 -c "X509 - A fatal error occured"
2121
2122run_test "Authentication: server max_int+1 chain, client optional" \
2123 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2124 key_file=data_files/dir-maxpath/10.key" \
2125 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2126 auth_mode=optional" \
2127 1 \
2128 -c "X509 - A fatal error occured"
2129
2130run_test "Authentication: server max_int+1 chain, client none" \
2131 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2132 key_file=data_files/dir-maxpath/10.key" \
2133 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2134 auth_mode=none" \
2135 0 \
2136 -C "X509 - A fatal error occured"
2137
2138run_test "Authentication: client max_int+1 chain, server default" \
2139 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2140 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2141 key_file=data_files/dir-maxpath/10.key" \
2142 0 \
2143 -S "X509 - A fatal error occured"
2144
2145run_test "Authentication: client max_int+1 chain, server optional" \
2146 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2147 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2148 key_file=data_files/dir-maxpath/10.key" \
2149 1 \
2150 -s "X509 - A fatal error occured"
2151
2152run_test "Authentication: client max_int+1 chain, server required" \
2153 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2154 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2155 key_file=data_files/dir-maxpath/10.key" \
2156 1 \
2157 -s "X509 - A fatal error occured"
2158
2159run_test "Authentication: client max_int chain, server required" \
2160 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2161 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2162 key_file=data_files/dir-maxpath/09.key" \
2163 0 \
2164 -S "X509 - A fatal error occured"
2165
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2166# Tests for CA list in CertificateRequest messages
2167
2168run_test "Authentication: send CA list in CertificateRequest (default)" \
2169 "$P_SRV debug_level=3 auth_mode=required" \
2170 "$P_CLI crt_file=data_files/server6.crt \
2171 key_file=data_files/server6.key" \
2172 0 \
2173 -s "requested DN"
2174
2175run_test "Authentication: do not send CA list in CertificateRequest" \
2176 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2177 "$P_CLI crt_file=data_files/server6.crt \
2178 key_file=data_files/server6.key" \
2179 0 \
2180 -S "requested DN"
2181
2182run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2183 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2184 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2185 key_file=data_files/server5.key" \
2186 1 \
2187 -S "requested DN" \
2188 -s "x509_verify_cert() returned" \
2189 -s "! The certificate is not correctly signed by the trusted CA" \
2190 -s "! mbedtls_ssl_handshake returned" \
2191 -c "! mbedtls_ssl_handshake returned" \
2192 -s "X509 - Certificate verification failed"
2193
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2194# Tests for certificate selection based on SHA verson
2195
2196run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2197 "$P_SRV crt_file=data_files/server5.crt \
2198 key_file=data_files/server5.key \
2199 crt_file2=data_files/server5-sha1.crt \
2200 key_file2=data_files/server5.key" \
2201 "$P_CLI force_version=tls1_2" \
2202 0 \
2203 -c "signed using.*ECDSA with SHA256" \
2204 -C "signed using.*ECDSA with SHA1"
2205
2206run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2207 "$P_SRV crt_file=data_files/server5.crt \
2208 key_file=data_files/server5.key \
2209 crt_file2=data_files/server5-sha1.crt \
2210 key_file2=data_files/server5.key" \
2211 "$P_CLI force_version=tls1_1" \
2212 0 \
2213 -C "signed using.*ECDSA with SHA256" \
2214 -c "signed using.*ECDSA with SHA1"
2215
2216run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2217 "$P_SRV crt_file=data_files/server5.crt \
2218 key_file=data_files/server5.key \
2219 crt_file2=data_files/server5-sha1.crt \
2220 key_file2=data_files/server5.key" \
2221 "$P_CLI force_version=tls1" \
2222 0 \
2223 -C "signed using.*ECDSA with SHA256" \
2224 -c "signed using.*ECDSA with SHA1"
2225
2226run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2227 "$P_SRV crt_file=data_files/server5.crt \
2228 key_file=data_files/server5.key \
2229 crt_file2=data_files/server6.crt \
2230 key_file2=data_files/server6.key" \
2231 "$P_CLI force_version=tls1_1" \
2232 0 \
2233 -c "serial number.*09" \
2234 -c "signed using.*ECDSA with SHA256" \
2235 -C "signed using.*ECDSA with SHA1"
2236
2237run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2238 "$P_SRV crt_file=data_files/server6.crt \
2239 key_file=data_files/server6.key \
2240 crt_file2=data_files/server5.crt \
2241 key_file2=data_files/server5.key" \
2242 "$P_CLI force_version=tls1_1" \
2243 0 \
2244 -c "serial number.*0A" \
2245 -c "signed using.*ECDSA with SHA256" \
2246 -C "signed using.*ECDSA with SHA1"
2247
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2248# tests for SNI
2249
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2250run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2251 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2252 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2253 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2254 0 \
2255 -S "parse ServerName extension" \
2256 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2257 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2258
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2259run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2260 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2261 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2262 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2263 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2264 0 \
2265 -s "parse ServerName extension" \
2266 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2267 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2268
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2269run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2270 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2271 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2272 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2273 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2274 0 \
2275 -s "parse ServerName extension" \
2276 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2277 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2278
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2279run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2280 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2281 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2282 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2283 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2284 1 \
2285 -s "parse ServerName extension" \
2286 -s "ssl_sni_wrapper() returned" \
2287 -s "mbedtls_ssl_handshake returned" \
2288 -c "mbedtls_ssl_handshake returned" \
2289 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2290
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2291run_test "SNI: client auth no override: optional" \
2292 "$P_SRV debug_level=3 auth_mode=optional \
2293 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2294 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2295 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2296 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2297 -S "skip write certificate request" \
2298 -C "skip parse certificate request" \
2299 -c "got a certificate request" \
2300 -C "skip write certificate" \
2301 -C "skip write certificate verify" \
2302 -S "skip parse certificate verify"
2303
2304run_test "SNI: client auth override: none -> optional" \
2305 "$P_SRV debug_level=3 auth_mode=none \
2306 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2307 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2308 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2309 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2310 -S "skip write certificate request" \
2311 -C "skip parse certificate request" \
2312 -c "got a certificate request" \
2313 -C "skip write certificate" \
2314 -C "skip write certificate verify" \
2315 -S "skip parse certificate verify"
2316
2317run_test "SNI: client auth override: optional -> none" \
2318 "$P_SRV debug_level=3 auth_mode=optional \
2319 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2320 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2321 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2322 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2323 -s "skip write certificate request" \
2324 -C "skip parse certificate request" \
2325 -c "got no certificate request" \
2326 -c "skip write certificate" \
2327 -c "skip write certificate verify" \
2328 -s "skip parse certificate verify"
2329
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2330run_test "SNI: CA no override" \
2331 "$P_SRV debug_level=3 auth_mode=optional \
2332 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2333 ca_file=data_files/test-ca.crt \
2334 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2335 "$P_CLI debug_level=3 server_name=localhost \
2336 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2337 1 \
2338 -S "skip write certificate request" \
2339 -C "skip parse certificate request" \
2340 -c "got a certificate request" \
2341 -C "skip write certificate" \
2342 -C "skip write certificate verify" \
2343 -S "skip parse certificate verify" \
2344 -s "x509_verify_cert() returned" \
2345 -s "! The certificate is not correctly signed by the trusted CA" \
2346 -S "The certificate has been revoked (is on a CRL)"
2347
2348run_test "SNI: CA override" \
2349 "$P_SRV debug_level=3 auth_mode=optional \
2350 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2351 ca_file=data_files/test-ca.crt \
2352 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2353 "$P_CLI debug_level=3 server_name=localhost \
2354 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2355 0 \
2356 -S "skip write certificate request" \
2357 -C "skip parse certificate request" \
2358 -c "got a certificate request" \
2359 -C "skip write certificate" \
2360 -C "skip write certificate verify" \
2361 -S "skip parse certificate verify" \
2362 -S "x509_verify_cert() returned" \
2363 -S "! The certificate is not correctly signed by the trusted CA" \
2364 -S "The certificate has been revoked (is on a CRL)"
2365
2366run_test "SNI: CA override with CRL" \
2367 "$P_SRV debug_level=3 auth_mode=optional \
2368 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2369 ca_file=data_files/test-ca.crt \
2370 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2371 "$P_CLI debug_level=3 server_name=localhost \
2372 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2373 1 \
2374 -S "skip write certificate request" \
2375 -C "skip parse certificate request" \
2376 -c "got a certificate request" \
2377 -C "skip write certificate" \
2378 -C "skip write certificate verify" \
2379 -S "skip parse certificate verify" \
2380 -s "x509_verify_cert() returned" \
2381 -S "! The certificate is not correctly signed by the trusted CA" \
2382 -s "The certificate has been revoked (is on a CRL)"
2383
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2384# Tests for non-blocking I/O: exercise a variety of handshake flows
2385
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2386run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2387 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2388 "$P_CLI nbio=2 tickets=0" \
2389 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2390 -S "mbedtls_ssl_handshake returned" \
2391 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2392 -c "Read from server: .* bytes read"
2393
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2394run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2395 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2396 "$P_CLI nbio=2 tickets=0" \
2397 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2398 -S "mbedtls_ssl_handshake returned" \
2399 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2400 -c "Read from server: .* bytes read"
2401
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2402run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2403 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2404 "$P_CLI nbio=2 tickets=1" \
2405 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2406 -S "mbedtls_ssl_handshake returned" \
2407 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2408 -c "Read from server: .* bytes read"
2409
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2410run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2411 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2412 "$P_CLI nbio=2 tickets=1" \
2413 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2414 -S "mbedtls_ssl_handshake returned" \
2415 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2416 -c "Read from server: .* bytes read"
2417
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2418run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2419 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
2420 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2421 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2422 -S "mbedtls_ssl_handshake returned" \
2423 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2424 -c "Read from server: .* bytes read"
2425
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2426run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2427 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2428 "$P_CLI nbio=2 tickets=1 reconnect=1" \
2429 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2430 -S "mbedtls_ssl_handshake returned" \
2431 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2432 -c "Read from server: .* bytes read"
2433
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2434run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2435 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2436 "$P_CLI nbio=2 tickets=0 reconnect=1" \
2437 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2438 -S "mbedtls_ssl_handshake returned" \
2439 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2440 -c "Read from server: .* bytes read"
2441
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2442# Tests for version negotiation
2443
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2444run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2445 "$P_SRV" \
2446 "$P_CLI" \
2447 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2448 -S "mbedtls_ssl_handshake returned" \
2449 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2450 -s "Protocol is TLSv1.2" \
2451 -c "Protocol is TLSv1.2"
2452
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2453run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2454 "$P_SRV" \
2455 "$P_CLI max_version=tls1_1" \
2456 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2457 -S "mbedtls_ssl_handshake returned" \
2458 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2459 -s "Protocol is TLSv1.1" \
2460 -c "Protocol is TLSv1.1"
2461
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2462run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2463 "$P_SRV max_version=tls1_1" \
2464 "$P_CLI" \
2465 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2466 -S "mbedtls_ssl_handshake returned" \
2467 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2468 -s "Protocol is TLSv1.1" \
2469 -c "Protocol is TLSv1.1"
2470
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2471run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2472 "$P_SRV max_version=tls1_1" \
2473 "$P_CLI max_version=tls1_1" \
2474 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2475 -S "mbedtls_ssl_handshake returned" \
2476 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2477 -s "Protocol is TLSv1.1" \
2478 -c "Protocol is TLSv1.1"
2479
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2480run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2481 "$P_SRV min_version=tls1_1" \
2482 "$P_CLI max_version=tls1_1" \
2483 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2484 -S "mbedtls_ssl_handshake returned" \
2485 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2486 -s "Protocol is TLSv1.1" \
2487 -c "Protocol is TLSv1.1"
2488
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2489run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2490 "$P_SRV max_version=tls1_1" \
2491 "$P_CLI min_version=tls1_1" \
2492 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2493 -S "mbedtls_ssl_handshake returned" \
2494 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2495 -s "Protocol is TLSv1.1" \
2496 -c "Protocol is TLSv1.1"
2497
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2498run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2499 "$P_SRV max_version=tls1_1" \
2500 "$P_CLI min_version=tls1_2" \
2501 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2502 -s "mbedtls_ssl_handshake returned" \
2503 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2504 -c "SSL - Handshake protocol not within min/max boundaries"
2505
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2506run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2507 "$P_SRV min_version=tls1_2" \
2508 "$P_CLI max_version=tls1_1" \
2509 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2510 -s "mbedtls_ssl_handshake returned" \
2511 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]2512 -s "SSL - Handshake protocol not within min/max boundaries"
2513
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2514# Tests for ALPN extension
2515
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2516run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2517 "$P_SRV debug_level=3" \
2518 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2519 0 \
2520 -C "client hello, adding alpn extension" \
2521 -S "found alpn extension" \
2522 -C "got an alert message, type: \\[2:120]" \
2523 -S "server hello, adding alpn extension" \
2524 -C "found alpn extension " \
2525 -C "Application Layer Protocol is" \
2526 -S "Application Layer Protocol is"
2527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2528run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2529 "$P_SRV debug_level=3" \
2530 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2531 0 \
2532 -c "client hello, adding alpn extension" \
2533 -s "found alpn extension" \
2534 -C "got an alert message, type: \\[2:120]" \
2535 -S "server hello, adding alpn extension" \
2536 -C "found alpn extension " \
2537 -c "Application Layer Protocol is (none)" \
2538 -S "Application Layer Protocol is"
2539
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2540run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2541 "$P_SRV debug_level=3 alpn=abc,1234" \
2542 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2543 0 \
2544 -C "client hello, adding alpn extension" \
2545 -S "found alpn extension" \
2546 -C "got an alert message, type: \\[2:120]" \
2547 -S "server hello, adding alpn extension" \
2548 -C "found alpn extension " \
2549 -C "Application Layer Protocol is" \
2550 -s "Application Layer Protocol is (none)"
2551
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2552run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2553 "$P_SRV debug_level=3 alpn=abc,1234" \
2554 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2555 0 \
2556 -c "client hello, adding alpn extension" \
2557 -s "found alpn extension" \
2558 -C "got an alert message, type: \\[2:120]" \
2559 -s "server hello, adding alpn extension" \
2560 -c "found alpn extension" \
2561 -c "Application Layer Protocol is abc" \
2562 -s "Application Layer Protocol is abc"
2563
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2564run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2565 "$P_SRV debug_level=3 alpn=abc,1234" \
2566 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2567 0 \
2568 -c "client hello, adding alpn extension" \
2569 -s "found alpn extension" \
2570 -C "got an alert message, type: \\[2:120]" \
2571 -s "server hello, adding alpn extension" \
2572 -c "found alpn extension" \
2573 -c "Application Layer Protocol is abc" \
2574 -s "Application Layer Protocol is abc"
2575
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2576run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2577 "$P_SRV debug_level=3 alpn=abc,1234" \
2578 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2579 0 \
2580 -c "client hello, adding alpn extension" \
2581 -s "found alpn extension" \
2582 -C "got an alert message, type: \\[2:120]" \
2583 -s "server hello, adding alpn extension" \
2584 -c "found alpn extension" \
2585 -c "Application Layer Protocol is 1234" \
2586 -s "Application Layer Protocol is 1234"
2587
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2588run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2589 "$P_SRV debug_level=3 alpn=abc,123" \
2590 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]2591 1 \
2592 -c "client hello, adding alpn extension" \
2593 -s "found alpn extension" \
2594 -c "got an alert message, type: \\[2:120]" \
2595 -S "server hello, adding alpn extension" \
2596 -C "found alpn extension" \
2597 -C "Application Layer Protocol is 1234" \
2598 -S "Application Layer Protocol is 1234"
2599
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]2600
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2601# Tests for keyUsage in leaf certificates, part 1:
2602# server-side certificate/suite selection
2603
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2604run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2605 "$P_SRV key_file=data_files/server2.key \
2606 crt_file=data_files/server2.ku-ds.crt" \
2607 "$P_CLI" \
2608 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]2609 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2610
2611
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2612run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2613 "$P_SRV key_file=data_files/server2.key \
2614 crt_file=data_files/server2.ku-ke.crt" \
2615 "$P_CLI" \
2616 0 \
2617 -c "Ciphersuite is TLS-RSA-WITH-"
2618
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2619run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2620 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2621 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2622 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2623 1 \
2624 -C "Ciphersuite is "
2625
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2626run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2627 "$P_SRV key_file=data_files/server5.key \
2628 crt_file=data_files/server5.ku-ds.crt" \
2629 "$P_CLI" \
2630 0 \
2631 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
2632
2633
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2634run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2635 "$P_SRV key_file=data_files/server5.key \
2636 crt_file=data_files/server5.ku-ka.crt" \
2637 "$P_CLI" \
2638 0 \
2639 -c "Ciphersuite is TLS-ECDH-"
2640
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2641run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2642 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2643 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]2644 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2645 1 \
2646 -C "Ciphersuite is "
2647
2648# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2649# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2650
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2651run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2652 "$O_SRV -key data_files/server2.key \
2653 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2654 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2655 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2656 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2657 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2658 -C "Processing of the Certificate handshake message failed" \
2659 -c "Ciphersuite is TLS-"
2660
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2661run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2662 "$O_SRV -key data_files/server2.key \
2663 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2664 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2665 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2666 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2667 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2668 -C "Processing of the Certificate handshake message failed" \
2669 -c "Ciphersuite is TLS-"
2670
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2671run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2672 "$O_SRV -key data_files/server2.key \
2673 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2674 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2675 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2676 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2677 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2678 -C "Processing of the Certificate handshake message failed" \
2679 -c "Ciphersuite is TLS-"
2680
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2681run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2682 "$O_SRV -key data_files/server2.key \
2683 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2684 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2685 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2686 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2687 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2688 -c "Processing of the Certificate handshake message failed" \
2689 -C "Ciphersuite is TLS-"
2690
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2691run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
2692 "$O_SRV -key data_files/server2.key \
2693 -cert data_files/server2.ku-ke.crt" \
2694 "$P_CLI debug_level=1 auth_mode=optional \
2695 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2696 0 \
2697 -c "bad certificate (usage extensions)" \
2698 -C "Processing of the Certificate handshake message failed" \
2699 -c "Ciphersuite is TLS-" \
2700 -c "! Usage does not match the keyUsage extension"
2701
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2702run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2703 "$O_SRV -key data_files/server2.key \
2704 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2705 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2706 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
2707 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2708 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2709 -C "Processing of the Certificate handshake message failed" \
2710 -c "Ciphersuite is TLS-"
2711
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2712run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2713 "$O_SRV -key data_files/server2.key \
2714 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2715 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2716 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2717 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2718 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]2719 -c "Processing of the Certificate handshake message failed" \
2720 -C "Ciphersuite is TLS-"
2721
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]2722run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
2723 "$O_SRV -key data_files/server2.key \
2724 -cert data_files/server2.ku-ds.crt" \
2725 "$P_CLI debug_level=1 auth_mode=optional \
2726 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
2727 0 \
2728 -c "bad certificate (usage extensions)" \
2729 -C "Processing of the Certificate handshake message failed" \
2730 -c "Ciphersuite is TLS-" \
2731 -c "! Usage does not match the keyUsage extension"
2732
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2733# Tests for keyUsage in leaf certificates, part 3:
2734# server-side checking of client cert
2735
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2736run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2737 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2738 "$O_CLI -key data_files/server2.key \
2739 -cert data_files/server2.ku-ds.crt" \
2740 0 \
2741 -S "bad certificate (usage extensions)" \
2742 -S "Processing of the Certificate handshake message failed"
2743
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2744run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2745 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2746 "$O_CLI -key data_files/server2.key \
2747 -cert data_files/server2.ku-ke.crt" \
2748 0 \
2749 -s "bad certificate (usage extensions)" \
2750 -S "Processing of the Certificate handshake message failed"
2751
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2752run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2753 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2754 "$O_CLI -key data_files/server2.key \
2755 -cert data_files/server2.ku-ke.crt" \
2756 1 \
2757 -s "bad certificate (usage extensions)" \
2758 -s "Processing of the Certificate handshake message failed"
2759
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2760run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2761 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2762 "$O_CLI -key data_files/server5.key \
2763 -cert data_files/server5.ku-ds.crt" \
2764 0 \
2765 -S "bad certificate (usage extensions)" \
2766 -S "Processing of the Certificate handshake message failed"
2767
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2768run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2769 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]2770 "$O_CLI -key data_files/server5.key \
2771 -cert data_files/server5.ku-ka.crt" \
2772 0 \
2773 -s "bad certificate (usage extensions)" \
2774 -S "Processing of the Certificate handshake message failed"
2775
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2776# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
2777
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2778run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2779 "$P_SRV key_file=data_files/server5.key \
2780 crt_file=data_files/server5.eku-srv.crt" \
2781 "$P_CLI" \
2782 0
2783
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2784run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2785 "$P_SRV key_file=data_files/server5.key \
2786 crt_file=data_files/server5.eku-srv.crt" \
2787 "$P_CLI" \
2788 0
2789
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2790run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2791 "$P_SRV key_file=data_files/server5.key \
2792 crt_file=data_files/server5.eku-cs_any.crt" \
2793 "$P_CLI" \
2794 0
2795
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2796run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2797 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2798 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]2799 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2800 1
2801
2802# Tests for extendedKeyUsage, part 2: client-side checking of server cert
2803
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2804run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2805 "$O_SRV -key data_files/server5.key \
2806 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2807 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2808 0 \
2809 -C "bad certificate (usage extensions)" \
2810 -C "Processing of the Certificate handshake message failed" \
2811 -c "Ciphersuite is TLS-"
2812
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2813run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2814 "$O_SRV -key data_files/server5.key \
2815 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2816 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2817 0 \
2818 -C "bad certificate (usage extensions)" \
2819 -C "Processing of the Certificate handshake message failed" \
2820 -c "Ciphersuite is TLS-"
2821
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2822run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2823 "$O_SRV -key data_files/server5.key \
2824 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2825 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2826 0 \
2827 -C "bad certificate (usage extensions)" \
2828 -C "Processing of the Certificate handshake message failed" \
2829 -c "Ciphersuite is TLS-"
2830
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2831run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2832 "$O_SRV -key data_files/server5.key \
2833 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2834 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2835 1 \
2836 -c "bad certificate (usage extensions)" \
2837 -c "Processing of the Certificate handshake message failed" \
2838 -C "Ciphersuite is TLS-"
2839
2840# Tests for extendedKeyUsage, part 3: server-side checking of client cert
2841
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2842run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2843 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2844 "$O_CLI -key data_files/server5.key \
2845 -cert data_files/server5.eku-cli.crt" \
2846 0 \
2847 -S "bad certificate (usage extensions)" \
2848 -S "Processing of the Certificate handshake message failed"
2849
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2850run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2851 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2852 "$O_CLI -key data_files/server5.key \
2853 -cert data_files/server5.eku-srv_cli.crt" \
2854 0 \
2855 -S "bad certificate (usage extensions)" \
2856 -S "Processing of the Certificate handshake message failed"
2857
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2858run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2859 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2860 "$O_CLI -key data_files/server5.key \
2861 -cert data_files/server5.eku-cs_any.crt" \
2862 0 \
2863 -S "bad certificate (usage extensions)" \
2864 -S "Processing of the Certificate handshake message failed"
2865
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2866run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2867 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2868 "$O_CLI -key data_files/server5.key \
2869 -cert data_files/server5.eku-cs.crt" \
2870 0 \
2871 -s "bad certificate (usage extensions)" \
2872 -S "Processing of the Certificate handshake message failed"
2873
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2874run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2875 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]2876 "$O_CLI -key data_files/server5.key \
2877 -cert data_files/server5.eku-cs.crt" \
2878 1 \
2879 -s "bad certificate (usage extensions)" \
2880 -s "Processing of the Certificate handshake message failed"
2881
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2882# Tests for DHM parameters loading
2883
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2884run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2885 "$P_SRV" \
2886 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2887 debug_level=3" \
2888 0 \
2889 -c "value of 'DHM: P ' (2048 bits)" \
2890 -c "value of 'DHM: G ' (2048 bits)"
2891
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2892run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]2893 "$P_SRV dhm_file=data_files/dhparams.pem" \
2894 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2895 debug_level=3" \
2896 0 \
2897 -c "value of 'DHM: P ' (1024 bits)" \
2898 -c "value of 'DHM: G ' (2 bits)"
2899
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]2900# Tests for DHM client-side size checking
2901
2902run_test "DHM size: server default, client default, OK" \
2903 "$P_SRV" \
2904 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2905 debug_level=1" \
2906 0 \
2907 -C "DHM prime too short:"
2908
2909run_test "DHM size: server default, client 2048, OK" \
2910 "$P_SRV" \
2911 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2912 debug_level=1 dhmlen=2048" \
2913 0 \
2914 -C "DHM prime too short:"
2915
2916run_test "DHM size: server 1024, client default, OK" \
2917 "$P_SRV dhm_file=data_files/dhparams.pem" \
2918 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2919 debug_level=1" \
2920 0 \
2921 -C "DHM prime too short:"
2922
2923run_test "DHM size: server 1000, client default, rejected" \
2924 "$P_SRV dhm_file=data_files/dh.1000.pem" \
2925 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2926 debug_level=1" \
2927 1 \
2928 -c "DHM prime too short:"
2929
2930run_test "DHM size: server default, client 2049, rejected" \
2931 "$P_SRV" \
2932 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
2933 debug_level=1 dhmlen=2049" \
2934 1 \
2935 -c "DHM prime too short:"
2936
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2937# Tests for PSK callback
2938
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2939run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2940 "$P_SRV psk=abc123 psk_identity=foo" \
2941 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2942 psk_identity=foo psk=abc123" \
2943 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2944 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2945 -S "SSL - Unknown identity received" \
2946 -S "SSL - Verification of the message MAC failed"
2947
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2948run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]2949 "$P_SRV" \
2950 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2951 psk_identity=foo psk=abc123" \
2952 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2953 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2954 -S "SSL - Unknown identity received" \
2955 -S "SSL - Verification of the message MAC failed"
2956
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2957run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2958 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
2959 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2960 psk_identity=foo psk=abc123" \
2961 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2962 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2963 -s "SSL - Unknown identity received" \
2964 -S "SSL - Verification of the message MAC failed"
2965
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2966run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2967 "$P_SRV psk_list=abc,dead,def,beef" \
2968 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2969 psk_identity=abc psk=dead" \
2970 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2971 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2972 -S "SSL - Unknown identity received" \
2973 -S "SSL - Verification of the message MAC failed"
2974
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2975run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2976 "$P_SRV psk_list=abc,dead,def,beef" \
2977 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2978 psk_identity=def psk=beef" \
2979 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2980 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2981 -S "SSL - Unknown identity received" \
2982 -S "SSL - Verification of the message MAC failed"
2983
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2984run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2985 "$P_SRV psk_list=abc,dead,def,beef" \
2986 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2987 psk_identity=ghi psk=beef" \
2988 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2989 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2990 -s "SSL - Unknown identity received" \
2991 -S "SSL - Verification of the message MAC failed"
2992
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2993run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2994 "$P_SRV psk_list=abc,dead,def,beef" \
2995 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
2996 psk_identity=abc psk=beef" \
2997 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]2998 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]2999 -S "SSL - Unknown identity received" \
3000 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3001
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3002# Tests for EC J-PAKE
3003
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3004requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3005run_test "ECJPAKE: client not configured" \
3006 "$P_SRV debug_level=3" \
3007 "$P_CLI debug_level=3" \
3008 0 \
3009 -C "add ciphersuite: c0ff" \
3010 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3011 -S "found ecjpake kkpp extension" \
3012 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3013 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3014 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3015 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3016 -S "None of the common ciphersuites is usable"
3017
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3018requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3019run_test "ECJPAKE: server not configured" \
3020 "$P_SRV debug_level=3" \
3021 "$P_CLI debug_level=3 ecjpake_pw=bla \
3022 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3023 1 \
3024 -c "add ciphersuite: c0ff" \
3025 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3026 -s "found ecjpake kkpp extension" \
3027 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3028 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3029 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3030 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3031 -s "None of the common ciphersuites is usable"
3032
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3033requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3034run_test "ECJPAKE: working, TLS" \
3035 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3036 "$P_CLI debug_level=3 ecjpake_pw=bla \
3037 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3038 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3039 -c "add ciphersuite: c0ff" \
3040 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3041 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3042 -s "found ecjpake kkpp extension" \
3043 -S "skip ecjpake kkpp extension" \
3044 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3045 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3046 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3047 -S "None of the common ciphersuites is usable" \
3048 -S "SSL - Verification of the message MAC failed"
3049
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3050server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3051requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3052run_test "ECJPAKE: password mismatch, TLS" \
3053 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3054 "$P_CLI debug_level=3 ecjpake_pw=bad \
3055 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3056 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3057 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3058 -s "SSL - Verification of the message MAC failed"
3059
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3060requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3061run_test "ECJPAKE: working, DTLS" \
3062 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3063 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3064 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3065 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3066 -c "re-using cached ecjpake parameters" \
3067 -S "SSL - Verification of the message MAC failed"
3068
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3069requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3070run_test "ECJPAKE: working, DTLS, no cookie" \
3071 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3072 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3073 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3074 0 \
3075 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3076 -S "SSL - Verification of the message MAC failed"
3077
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3078server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3079requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3080run_test "ECJPAKE: password mismatch, DTLS" \
3081 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3082 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3083 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3084 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3085 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3086 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3087
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3088# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3089requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3090run_test "ECJPAKE: working, DTLS, nolog" \
3091 "$P_SRV dtls=1 ecjpake_pw=bla" \
3092 "$P_CLI dtls=1 ecjpake_pw=bla \
3093 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3094 0
3095
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3096# Tests for ciphersuites per version
3097
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3098requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3099run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3100 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3101 "$P_CLI force_version=ssl3" \
3102 0 \
3103 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3104
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3105run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3106 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3107 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3108 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3109 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3110
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3111run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3112 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3113 "$P_CLI force_version=tls1_1" \
3114 0 \
3115 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3116
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3117run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3118 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3119 "$P_CLI force_version=tls1_2" \
3120 0 \
3121 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3122
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3123# Test for ClientHello without extensions
3124
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3125requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3126run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3127 "$P_SRV debug_level=3" \
3128 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3129 0 \
3130 -s "dumping 'client hello extensions' (0 bytes)"
3131
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3132requires_gnutls
3133run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3134 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3135 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3136 0 \
3137 -s "dumping 'client hello extensions' (0 bytes)"
3138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3139# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3141run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3142 "$P_SRV" \
3143 "$P_CLI request_size=100" \
3144 0 \
3145 -s "Read from client: 100 bytes read$"
3146
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3147run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3148 "$P_SRV" \
3149 "$P_CLI request_size=500" \
3150 0 \
3151 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3152
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3153# Tests for small packets
3154
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3155requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3156run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3157 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3158 "$P_CLI request_size=1 force_version=ssl3 \
3159 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3160 0 \
3161 -s "Read from client: 1 bytes read"
3162
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3163requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3164run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3165 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3166 "$P_CLI request_size=1 force_version=ssl3 \
3167 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3168 0 \
3169 -s "Read from client: 1 bytes read"
3170
3171run_test "Small packet TLS 1.0 BlockCipher" \
3172 "$P_SRV" \
3173 "$P_CLI request_size=1 force_version=tls1 \
3174 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3175 0 \
3176 -s "Read from client: 1 bytes read"
3177
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3178run_test "Small packet TLS 1.0 BlockCipher without EtM" \
3179 "$P_SRV" \
3180 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3181 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3182 0 \
3183 -s "Read from client: 1 bytes read"
3184
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3185run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
3186 "$P_SRV" \
3187 "$P_CLI request_size=1 force_version=tls1 \
3188 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3189 trunc_hmac=1" \
3190 0 \
3191 -s "Read from client: 1 bytes read"
3192
3193run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3194 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3195 "$P_CLI request_size=1 force_version=tls1 \
3196 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3197 trunc_hmac=1" \
3198 0 \
3199 -s "Read from client: 1 bytes read"
3200
3201run_test "Small packet TLS 1.1 BlockCipher" \
3202 "$P_SRV" \
3203 "$P_CLI request_size=1 force_version=tls1_1 \
3204 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3205 0 \
3206 -s "Read from client: 1 bytes read"
3207
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3208run_test "Small packet TLS 1.1 BlockCipher without EtM" \
3209 "$P_SRV" \
3210 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
3211 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3212 0 \
3213 -s "Read from client: 1 bytes read"
3214
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3215run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3216 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3217 "$P_CLI request_size=1 force_version=tls1_1 \
3218 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3219 0 \
3220 -s "Read from client: 1 bytes read"
3221
3222run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
3223 "$P_SRV" \
3224 "$P_CLI request_size=1 force_version=tls1_1 \
3225 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3226 trunc_hmac=1" \
3227 0 \
3228 -s "Read from client: 1 bytes read"
3229
3230run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3231 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3232 "$P_CLI request_size=1 force_version=tls1_1 \
3233 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3234 trunc_hmac=1" \
3235 0 \
3236 -s "Read from client: 1 bytes read"
3237
3238run_test "Small packet TLS 1.2 BlockCipher" \
3239 "$P_SRV" \
3240 "$P_CLI request_size=1 force_version=tls1_2 \
3241 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3242 0 \
3243 -s "Read from client: 1 bytes read"
3244
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3245run_test "Small packet TLS 1.2 BlockCipher without EtM" \
3246 "$P_SRV" \
3247 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
3248 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3249 0 \
3250 -s "Read from client: 1 bytes read"
3251
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3252run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3253 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3254 "$P_CLI request_size=1 force_version=tls1_2 \
3255 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3256 0 \
3257 -s "Read from client: 1 bytes read"
3258
3259run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
3260 "$P_SRV" \
3261 "$P_CLI request_size=1 force_version=tls1_2 \
3262 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3263 trunc_hmac=1" \
3264 0 \
3265 -s "Read from client: 1 bytes read"
3266
3267run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3268 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3269 "$P_CLI request_size=1 force_version=tls1_2 \
3270 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3271 0 \
3272 -s "Read from client: 1 bytes read"
3273
3274run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3275 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3276 "$P_CLI request_size=1 force_version=tls1_2 \
3277 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3278 trunc_hmac=1" \
3279 0 \
3280 -s "Read from client: 1 bytes read"
3281
3282run_test "Small packet TLS 1.2 AEAD" \
3283 "$P_SRV" \
3284 "$P_CLI request_size=1 force_version=tls1_2 \
3285 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3286 0 \
3287 -s "Read from client: 1 bytes read"
3288
3289run_test "Small packet TLS 1.2 AEAD shorter tag" \
3290 "$P_SRV" \
3291 "$P_CLI request_size=1 force_version=tls1_2 \
3292 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3293 0 \
3294 -s "Read from client: 1 bytes read"
3295
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]3296# A test for extensions in SSLv3
3297
3298requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3299run_test "SSLv3 with extensions, server side" \
3300 "$P_SRV min_version=ssl3 debug_level=3" \
3301 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
3302 0 \
3303 -S "dumping 'client hello extensions'" \
3304 -S "server hello, total extension length:"
3305
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3306# Test for large packets
3307
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3308requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3309run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3310 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3311 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3312 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3313 0 \
3314 -s "Read from client: 16384 bytes read"
3315
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3316requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3317run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3318 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3319 "$P_CLI request_size=16384 force_version=ssl3 \
3320 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3321 0 \
3322 -s "Read from client: 16384 bytes read"
3323
3324run_test "Large packet TLS 1.0 BlockCipher" \
3325 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3326 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3327 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3328 0 \
3329 -s "Read from client: 16384 bytes read"
3330
3331run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
3332 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3333 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3334 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3335 trunc_hmac=1" \
3336 0 \
3337 -s "Read from client: 16384 bytes read"
3338
3339run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3340 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3341 "$P_CLI request_size=16384 force_version=tls1 \
3342 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3343 trunc_hmac=1" \
3344 0 \
3345 -s "Read from client: 16384 bytes read"
3346
3347run_test "Large packet TLS 1.1 BlockCipher" \
3348 "$P_SRV" \
3349 "$P_CLI request_size=16384 force_version=tls1_1 \
3350 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3351 0 \
3352 -s "Read from client: 16384 bytes read"
3353
3354run_test "Large packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3355 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3356 "$P_CLI request_size=16384 force_version=tls1_1 \
3357 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3358 0 \
3359 -s "Read from client: 16384 bytes read"
3360
3361run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
3362 "$P_SRV" \
3363 "$P_CLI request_size=16384 force_version=tls1_1 \
3364 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3365 trunc_hmac=1" \
3366 0 \
3367 -s "Read from client: 16384 bytes read"
3368
3369run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3370 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3371 "$P_CLI request_size=16384 force_version=tls1_1 \
3372 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3373 trunc_hmac=1" \
3374 0 \
3375 -s "Read from client: 16384 bytes read"
3376
3377run_test "Large packet TLS 1.2 BlockCipher" \
3378 "$P_SRV" \
3379 "$P_CLI request_size=16384 force_version=tls1_2 \
3380 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3381 0 \
3382 -s "Read from client: 16384 bytes read"
3383
3384run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
3385 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3386 "$P_CLI request_size=16384 force_version=tls1_2 \
3387 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3388 0 \
3389 -s "Read from client: 16384 bytes read"
3390
3391run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
3392 "$P_SRV" \
3393 "$P_CLI request_size=16384 force_version=tls1_2 \
3394 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
3395 trunc_hmac=1" \
3396 0 \
3397 -s "Read from client: 16384 bytes read"
3398
3399run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3400 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3401 "$P_CLI request_size=16384 force_version=tls1_2 \
3402 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3403 0 \
3404 -s "Read from client: 16384 bytes read"
3405
3406run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3407 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]3408 "$P_CLI request_size=16384 force_version=tls1_2 \
3409 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3410 trunc_hmac=1" \
3411 0 \
3412 -s "Read from client: 16384 bytes read"
3413
3414run_test "Large packet TLS 1.2 AEAD" \
3415 "$P_SRV" \
3416 "$P_CLI request_size=16384 force_version=tls1_2 \
3417 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3418 0 \
3419 -s "Read from client: 16384 bytes read"
3420
3421run_test "Large packet TLS 1.2 AEAD shorter tag" \
3422 "$P_SRV" \
3423 "$P_CLI request_size=16384 force_version=tls1_2 \
3424 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3425 0 \
3426 -s "Read from client: 16384 bytes read"
3427
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3428# Tests for DTLS HelloVerifyRequest
3429
3430run_test "DTLS cookie: enabled" \
3431 "$P_SRV dtls=1 debug_level=2" \
3432 "$P_CLI dtls=1 debug_level=2" \
3433 0 \
3434 -s "cookie verification failed" \
3435 -s "cookie verification passed" \
3436 -S "cookie verification skipped" \
3437 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3438 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3439 -S "SSL - The requested feature is not available"
3440
3441run_test "DTLS cookie: disabled" \
3442 "$P_SRV dtls=1 debug_level=2 cookies=0" \
3443 "$P_CLI dtls=1 debug_level=2" \
3444 0 \
3445 -S "cookie verification failed" \
3446 -S "cookie verification passed" \
3447 -s "cookie verification skipped" \
3448 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3449 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3450 -S "SSL - The requested feature is not available"
3451
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3452run_test "DTLS cookie: default (failing)" \
3453 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
3454 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
3455 1 \
3456 -s "cookie verification failed" \
3457 -S "cookie verification passed" \
3458 -S "cookie verification skipped" \
3459 -C "received hello verify request" \
3460 -S "hello verification requested" \
3461 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3462
3463requires_ipv6
3464run_test "DTLS cookie: enabled, IPv6" \
3465 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
3466 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
3467 0 \
3468 -s "cookie verification failed" \
3469 -s "cookie verification passed" \
3470 -S "cookie verification skipped" \
3471 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3472 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3473 -S "SSL - The requested feature is not available"
3474
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3475run_test "DTLS cookie: enabled, nbio" \
3476 "$P_SRV dtls=1 nbio=2 debug_level=2" \
3477 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3478 0 \
3479 -s "cookie verification failed" \
3480 -s "cookie verification passed" \
3481 -S "cookie verification skipped" \
3482 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]3483 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]3484 -S "SSL - The requested feature is not available"
3485
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3486# Tests for client reconnecting from the same port with DTLS
3487
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3488not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3489run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3490 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3491 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3492 0 \
3493 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3494 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3495 -S "Client initiated reconnection from same port"
3496
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3497not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3498run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3499 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
3500 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3501 0 \
3502 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3503 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3504 -s "Client initiated reconnection from same port"
3505
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3506not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
3507run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3508 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
3509 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3510 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3511 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]3512 -s "Client initiated reconnection from same port"
3513
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]3514only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
3515run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
3516 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
3517 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
3518 0 \
3519 -S "The operation timed out" \
3520 -s "Client initiated reconnection from same port"
3521
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3522run_test "DTLS client reconnect from same port: no cookies" \
3523 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]3524 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
3525 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]3526 -s "The operation timed out" \
3527 -S "Client initiated reconnection from same port"
3528
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3529# Tests for various cases of client authentication with DTLS
3530# (focused on handshake flows and message parsing)
3531
3532run_test "DTLS client auth: required" \
3533 "$P_SRV dtls=1 auth_mode=required" \
3534 "$P_CLI dtls=1" \
3535 0 \
3536 -s "Verifying peer X.509 certificate... ok"
3537
3538run_test "DTLS client auth: optional, client has no cert" \
3539 "$P_SRV dtls=1 auth_mode=optional" \
3540 "$P_CLI dtls=1 crt_file=none key_file=none" \
3541 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3542 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3543
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3544run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3545 "$P_SRV dtls=1 auth_mode=none" \
3546 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
3547 0 \
3548 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3549 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]3550
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]3551run_test "DTLS wrong PSK: badmac alert" \
3552 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3553 "$P_CLI dtls=1 psk=abc124" \
3554 1 \
3555 -s "SSL - Verification of the message MAC failed" \
3556 -c "SSL - A fatal alert message was received from our peer"
3557
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]3558# Tests for receiving fragmented handshake messages with DTLS
3559
3560requires_gnutls
3561run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3562 "$G_SRV -u --mtu 2048 -a" \
3563 "$P_CLI dtls=1 debug_level=2" \
3564 0 \
3565 -C "found fragmented DTLS handshake message" \
3566 -C "error"
3567
3568requires_gnutls
3569run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3570 "$G_SRV -u --mtu 512" \
3571 "$P_CLI dtls=1 debug_level=2" \
3572 0 \
3573 -c "found fragmented DTLS handshake message" \
3574 -C "error"
3575
3576requires_gnutls
3577run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3578 "$G_SRV -u --mtu 128" \
3579 "$P_CLI dtls=1 debug_level=2" \
3580 0 \
3581 -c "found fragmented DTLS handshake message" \
3582 -C "error"
3583
3584requires_gnutls
3585run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3586 "$G_SRV -u --mtu 128" \
3587 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3588 0 \
3589 -c "found fragmented DTLS handshake message" \
3590 -C "error"
3591
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3592requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3593run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3594 "$G_SRV -u --mtu 256" \
3595 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3596 0 \
3597 -c "found fragmented DTLS handshake message" \
3598 -c "client hello, adding renegotiation extension" \
3599 -c "found renegotiation extension" \
3600 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3601 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3602 -C "error" \
3603 -s "Extra-header:"
3604
3605requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3606run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3607 "$G_SRV -u --mtu 256" \
3608 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3609 0 \
3610 -c "found fragmented DTLS handshake message" \
3611 -c "client hello, adding renegotiation extension" \
3612 -c "found renegotiation extension" \
3613 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3614 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]3615 -C "error" \
3616 -s "Extra-header:"
3617
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3618run_test "DTLS reassembly: no fragmentation (openssl server)" \
3619 "$O_SRV -dtls1 -mtu 2048" \
3620 "$P_CLI dtls=1 debug_level=2" \
3621 0 \
3622 -C "found fragmented DTLS handshake message" \
3623 -C "error"
3624
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3625run_test "DTLS reassembly: some fragmentation (openssl server)" \
3626 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3627 "$P_CLI dtls=1 debug_level=2" \
3628 0 \
3629 -c "found fragmented DTLS handshake message" \
3630 -C "error"
3631
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3632run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]3633 "$O_SRV -dtls1 -mtu 256" \
3634 "$P_CLI dtls=1 debug_level=2" \
3635 0 \
3636 -c "found fragmented DTLS handshake message" \
3637 -C "error"
3638
3639run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3640 "$O_SRV -dtls1 -mtu 256" \
3641 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3642 0 \
3643 -c "found fragmented DTLS handshake message" \
3644 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3645
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3646# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3647
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3648not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3649run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]3650 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3651 "$P_SRV dtls=1 debug_level=2" \
3652 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3653 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3654 -C "replayed record" \
3655 -S "replayed record" \
3656 -C "record from another epoch" \
3657 -S "record from another epoch" \
3658 -C "discarding invalid record" \
3659 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3660 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3661 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3662 -c "HTTP/1.0 200 OK"
3663
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3664not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3665run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3666 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3667 "$P_SRV dtls=1 debug_level=2" \
3668 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]3669 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]3670 -c "replayed record" \
3671 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3672 -c "discarding invalid record" \
3673 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3674 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3675 -s "Extra-header:" \
3676 -c "HTTP/1.0 200 OK"
3677
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3678run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3679 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3680 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3681 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3682 0 \
3683 -c "replayed record" \
3684 -S "replayed record" \
3685 -c "discarding invalid record" \
3686 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]3687 -c "resend" \
3688 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]3689 -s "Extra-header:" \
3690 -c "HTTP/1.0 200 OK"
3691
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3692run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]3693 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3694 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3695 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3696 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3697 -c "discarding invalid record (mac)" \
3698 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3699 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3700 -c "HTTP/1.0 200 OK" \
3701 -S "too many records with bad MAC" \
3702 -S "Verification of the message MAC failed"
3703
3704run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3705 -p "$P_PXY bad_ad=1" \
3706 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3707 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3708 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3709 -C "discarding invalid record (mac)" \
3710 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3711 -S "Extra-header:" \
3712 -C "HTTP/1.0 200 OK" \
3713 -s "too many records with bad MAC" \
3714 -s "Verification of the message MAC failed"
3715
3716run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3717 -p "$P_PXY bad_ad=1" \
3718 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3719 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3720 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3721 -c "discarding invalid record (mac)" \
3722 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3723 -s "Extra-header:" \
3724 -c "HTTP/1.0 200 OK" \
3725 -S "too many records with bad MAC" \
3726 -S "Verification of the message MAC failed"
3727
3728run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3729 -p "$P_PXY bad_ad=1" \
3730 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3731 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3732 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]3733 -c "discarding invalid record (mac)" \
3734 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]3735 -s "Extra-header:" \
3736 -c "HTTP/1.0 200 OK" \
3737 -s "too many records with bad MAC" \
3738 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3739
3740run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3741 -p "$P_PXY delay_ccs=1" \
3742 "$P_SRV dtls=1 debug_level=1" \
3743 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3744 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3745 -c "record from another epoch" \
3746 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3747 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]3748 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3749 -s "Extra-header:" \
3750 -c "HTTP/1.0 200 OK"
3751
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]3752# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3753
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3754client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3755run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3756 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3757 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3758 psk=abc123" \
3759 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3760 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3761 0 \
3762 -s "Extra-header:" \
3763 -c "HTTP/1.0 200 OK"
3764
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3765client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3766run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3767 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3768 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3769 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3770 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3771 0 \
3772 -s "Extra-header:" \
3773 -c "HTTP/1.0 200 OK"
3774
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3775client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3776run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3777 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3778 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3779 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3780 0 \
3781 -s "Extra-header:" \
3782 -c "HTTP/1.0 200 OK"
3783
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3784client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3785run_test "DTLS proxy: 3d, FS, client auth" \
3786 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3787 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3788 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3789 0 \
3790 -s "Extra-header:" \
3791 -c "HTTP/1.0 200 OK"
3792
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3793client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3794run_test "DTLS proxy: 3d, FS, ticket" \
3795 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3796 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3797 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3798 0 \
3799 -s "Extra-header:" \
3800 -c "HTTP/1.0 200 OK"
3801
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3802client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]3803run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3804 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3805 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3806 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]3807 0 \
3808 -s "Extra-header:" \
3809 -c "HTTP/1.0 200 OK"
3810
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3811client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3812run_test "DTLS proxy: 3d, max handshake, nbio" \
3813 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3814 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3815 auth_mode=required" \
3816 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3817 0 \
3818 -s "Extra-header:" \
3819 -c "HTTP/1.0 200 OK"
3820
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3821client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]3822run_test "DTLS proxy: 3d, min handshake, resumption" \
3823 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3824 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3825 psk=abc123 debug_level=3" \
3826 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3827 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3828 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3829 0 \
3830 -s "a session has been resumed" \
3831 -c "a session has been resumed" \
3832 -s "Extra-header:" \
3833 -c "HTTP/1.0 200 OK"
3834
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3835client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]3836run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3837 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3838 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3839 psk=abc123 debug_level=3 nbio=2" \
3840 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3841 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3842 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3843 0 \
3844 -s "a session has been resumed" \
3845 -c "a session has been resumed" \
3846 -s "Extra-header:" \
3847 -c "HTTP/1.0 200 OK"
3848
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3849client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3850run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3851 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3852 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3853 psk=abc123 renegotiation=1 debug_level=2" \
3854 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3855 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]3856 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3857 0 \
3858 -c "=> renegotiate" \
3859 -s "=> renegotiate" \
3860 -s "Extra-header:" \
3861 -c "HTTP/1.0 200 OK"
3862
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3863client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3864run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
3865 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]3866 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3867 psk=abc123 renegotiation=1 debug_level=2" \
3868 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3869 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3870 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3871 0 \
3872 -c "=> renegotiate" \
3873 -s "=> renegotiate" \
3874 -s "Extra-header:" \
3875 -c "HTTP/1.0 200 OK"
3876
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3877client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3878run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3879 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3880 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3881 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3882 debug_level=2" \
3883 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3884 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3885 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3886 0 \
3887 -c "=> renegotiate" \
3888 -s "=> renegotiate" \
3889 -s "Extra-header:" \
3890 -c "HTTP/1.0 200 OK"
3891
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3892client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3893run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3894 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3895 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3896 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3897 debug_level=2 nbio=2" \
3898 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]3899 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]3900 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3901 0 \
3902 -c "=> renegotiate" \
3903 -s "=> renegotiate" \
3904 -s "Extra-header:" \
3905 -c "HTTP/1.0 200 OK"
3906
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3907client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3908not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3909run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3910 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3911 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3912 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3913 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]3914 -c "HTTP/1.0 200 OK"
3915
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3916client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3917not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3918run_test "DTLS proxy: 3d, openssl server, fragmentation" \
3919 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3920 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3921 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3922 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3923 -c "HTTP/1.0 200 OK"
3924
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3925client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3926not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3927run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
3928 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
3929 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]3930 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3931 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3932 -c "HTTP/1.0 200 OK"
3933
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3934requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3935client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3936not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3937run_test "DTLS proxy: 3d, gnutls server" \
3938 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3939 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3940 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3941 0 \
3942 -s "Extra-header:" \
3943 -c "Extra-header:"
3944
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3945requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3946client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3947not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3948run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
3949 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3950 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3951 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]3952 0 \
3953 -s "Extra-header:" \
3954 -c "Extra-header:"
3955
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3956requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3957client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]3958not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3959run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
3960 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3961 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]3962 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]3963 0 \
3964 -s "Extra-header:" \
3965 -c "Extra-header:"
3966
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3967# Final report
3968
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3969echo "------------------------------------------------------------------------"
3970
3971if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3972 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3973else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]3974 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3975fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]3976PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]3977echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3978
3979exit $FAILS