#!/bin/sh

# ssl-opt.sh
#
# This file is part of mbed TLS (https://tls.mbed.org)
#
# Copyright (c) 2016, ARM Limited, All Rights Reserved
#
# Purpose
#
# Executes tests to prove various TLS/SSL options and extensions.
#
# The goal is not to cover every ciphersuite/version, but instead to cover
# specific options (max fragment length, truncated hmac, etc) or procedures
# (session resumption from cache or ticket, renego, etc).
#
# The tests assume a build with default options, with exceptions expressed
# with a dependency. The tests focus on functionality and do not consider
# performance.
#

# Treat any expansion of an unset variable as an error.
set -u

# Default tool locations; each can be overridden from the environment.
# NOTE(review): these values are spliced into the command strings below,
# which run_test later executes (the client command through eval), so the
# environment of this script has to be trusted.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command lines for the third-party peers used in interoperability tests.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Run counters.
TESTS=0
FAILS=0
SKIPS=0

# Build configuration consulted by the requires_config_* helpers.
CONFIG_H='../include/mbedtls/config.h'

# Command-line option state (see get_options).
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'

SHOW_TEST_NUMBER=0
RUN_TEST_NUMBER=''

PRESERVE_LOGS=0

# Pick a "unique" server port in the range 10000-19999, and a proxy
# port which is this plus 10000. Each port number may be independently
# overridden by a command line option.
SRV_PORT=$(($$ % 10000 + 10000))
PXY_PORT=$((SRV_PORT + 10000))
59
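# Print the command-line help on stdout.
# Globals: FILTER, EXCLUDE (read; shown as the current defaults)
print_usage() {
    echo "Usage: $0 [options]"
    printf " -h|--help\tPrint this help.\n"
    printf " -m|--memcheck\tCheck memory leaks and errors.\n"
    # FILTER and EXCLUDE are regular expressions and may contain '%' or
    # backslashes, so they are passed as arguments rather than being made
    # part of the printf format string.
    printf " -f|--filter\tOnly matching tests are executed (BRE; default: '%s')\n" "$FILTER"
    printf " -e|--exclude\tMatching tests are excluded (BRE; default: '%s')\n" "$EXCLUDE"
    printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
    printf " -s|--show-numbers\tShow test numbers in front of test names\n"
    printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
    printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
    printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
    printf " --seed\tInteger seed value to use for this test run\n"
}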
73
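# Parse the command line into the option globals.
# Arguments: the script's own arguments ("$@")
# Globals written: FILTER, EXCLUDE, MEMCHECK, RUN_TEST_NUMBER,
#                  SHOW_TEST_NUMBER, PRESERVE_LOGS, SRV_PORT, PXY_PORT, SEED
# Exits 0 after printing help, 1 on an unknown option or a missing value.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value must be followed by one. Without this
        # check, "shift; VAR=$1" expands an unset $1, which is an error
        # under "set -u" and gives no hint about which option was wrong.
        case "$1" in
            -f|--filter|-e|--exclude|-n|--number|--port|--proxy-port|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument"
                    print_usage
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                shift; FILTER=$1
                ;;
            -e|--exclude)
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -n|--number)
                shift; RUN_TEST_NUMBER=$1
                ;;
            -s|--show-numbers)
                SHOW_TEST_NUMBER=1
                ;;
            -p|--preserve-logs)
                PRESERVE_LOGS=1
                ;;
            --port)
                shift; SRV_PORT=$1
                ;;
            --proxy-port)
                shift; PXY_PORT=$1
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}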
117
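# Skip the next test unless the given symbol is #defined in config.h.
# Arguments: $1 - configuration symbol name
# Globals:   CONFIG_H (read), SKIP_NEXT (set to "YES" when not defined)
requires_config_enabled() {
    # The symbol must be followed by whitespace or the end of the line;
    # a bare prefix match would also accept any longer symbol that merely
    # starts with $1 and let a test run against the wrong configuration.
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then :; else
        SKIP_NEXT="YES"
    fi
}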
124
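# Skip the next test if the given symbol is #defined in config.h.
# Arguments: $1 - configuration symbol name
# Globals:   CONFIG_H (read), SKIP_NEXT (set to "YES" when defined)
requires_config_disabled() {
    # Match the whole symbol: whitespace or end of line must follow it, so
    # a longer symbol sharing the same prefix does not cause a skip.
    if grep -E "^#define $1([[:space:]]|\$)" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}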
131
# Skip the next test if the OpenSSL client has no fallback_scsv option.
# The probe (grepping the s_client help text) runs once; its result is
# cached in OPENSSL_HAS_FBSCSV.
# Globals: OPENSSL_CMD (read), OPENSSL_HAS_FBSCSV (cache), SKIP_NEXT (written)
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        # OPENSSL_CMD is expanded unquoted, exactly as the rest of the
        # script runs it.
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null; then
            OPENSSL_HAS_FBSCSV="YES"
        else
            OPENSSL_HAS_FBSCSV="NO"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
146
# Skip the next test unless both GnuTLS tools can be found with "which".
# The lookup runs once; its result is cached in GNUTLS_AVAILABLE.
# Globals: GNUTLS_CLI, GNUTLS_SERV (read), GNUTLS_AVAILABLE (cache),
#          SKIP_NEXT (written)
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
            GNUTLS_AVAILABLE="YES"
        else
            GNUTLS_AVAILABLE="NO"
        fi
    fi

    case "$GNUTLS_AVAILABLE" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
160
# Skip the next test if IPv6 isn't available on this host.
# The probe starts the test server on ::1 for one second and looks for a
# bind failure in its output; the result is cached in HAS_IPV6.
# Globals: P_SRV, SRV_OUT (read), SRV_PID, HAS_IPV6, SKIP_NEXT (written)
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        # P_SRV is a command line (program plus arguments), hence unquoted.
        $P_SRV server_addr='::1' > "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        sleep 1
        kill "$SRV_PID" >/dev/null 2>&1
        if grep "NET - Binding of the socket failed" "$SRV_OUT" >/dev/null; then
            HAS_IPV6="NO"
        else
            HAS_IPV6="YES"
        fi
        rm -r "$SRV_OUT"
    fi

    case "$HAS_IPV6" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
180
# Skip the next test when the run uses valgrind (MEMCHECK greater than 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written)
not_with_valgrind() {
    [ "$MEMCHECK" -gt 0 ] || return 0
    SKIP_NEXT="YES"
}
187
# Skip the next test when the run does NOT use valgrind (MEMCHECK is 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written)
only_with_valgrind() {
    [ "$MEMCHECK" -eq 0 ] || return 0
    SKIP_NEXT="YES"
}
194
# Multiply the client timeout delay by the given factor for the next test.
# Arguments: $1 - factor, stored in CLI_DELAY_FACTOR
#            (wait_client_done resets it to 1 after use)
client_needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}
199
# Wait for the given number of seconds after the client has finished in
# the next test.
# Arguments: $1 - seconds, stored in SRV_DELAY_SECONDS
#            (wait_client_done resets it to 0 after use)
server_needs_more_time() {
    SRV_DELAY_SECONDS="$1"
}
204
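# print_name <name>
# Count the test and print its name padded with dots to a fixed column.
# Globals: TESTS (incremented), SHOW_TEST_NUMBER (read), LINE, LEN, i (written)
print_name() {
    TESTS=$(( TESTS + 1 ))
    LINE=""

    if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
        LINE="$TESTS "
    fi

    LINE="$LINE$1"
    # The name is data, not a format string: a '%' or a backslash in a test
    # name has to be printed as is.
    printf '%s ' "$LINE"
    # wc -c also counts the trailing newline, which accounts for the space
    # printed after the name.
    LEN=$(( 72 - $( printf '%s\n' "$LINE" | wc -c ) ))
    # Plain counted loop: no dependency on seq (not a POSIX utility), and
    # nothing is printed when the name is already wider than the column.
    i=0
    while [ "$i" -lt "$LEN" ]; do
        printf '.'
        i=$(( i + 1 ))
    done
    printf ' '
}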
221
# fail <message>
# Report a failed test, keep its logs as o-{srv,cli,pxy}-<test number>.log
# and count the failure. When USER or LOGNAME is "buildbot" the saved logs
# are also dumped to stdout.
# Globals: SRV_OUT, CLI_OUT, PXY_OUT, PXY_CMD, TESTS (read), FAILS (incremented)
fail() {
    echo "FAIL"
    echo " ! $1"

    mv "$SRV_OUT" "o-srv-${TESTS}.log"
    mv "$CLI_OUT" "o-cli-${TESTS}.log"
    if [ -n "$PXY_CMD" ]; then
        mv "$PXY_OUT" "o-pxy-${TESTS}.log"
    fi
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    if [ "${USER:-}" = buildbot ] || [ "${LOGNAME:-}" = buildbot ]; then
        echo " ! server output:"
        cat "o-srv-${TESTS}.log"
        echo " ! ========================================================"
        echo " ! client output:"
        cat "o-cli-${TESTS}.log"
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat "o-pxy-${TESTS}.log"
        fi
        echo ""
    fi

    FAILS=$(( FAILS + 1 ))
}
250
# is_polar <cmd_line>
# Succeeds when the command line mentions ssl_server2 or ssl_client2,
# i.e. one of the library's own test programs.
is_polar() {
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}
255
# openssl s_server doesn't have -www with DTLS: for such a server command
# drop -www from SRV_CMD and set NEEDS_INPUT so that provide_input feeds it.
# Globals: SRV_CMD (read, possibly rewritten), NEEDS_INPUT (written)
check_osrv_dtls() {
    NEEDS_INPUT=0
    if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
        NEEDS_INPUT=1
        # The unquoted echo also collapses runs of whitespace in the command.
        SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
    fi
}
265
# Provide input to commands that need it: when NEEDS_INPUT is non-zero,
# write an HTTP status line once per second until the process is killed;
# otherwise return at once without writing anything.
provide_input() {
    [ "$NEEDS_INPUT" -eq 0 ] && return

    while :; do
        echo "HTTP/1.0 200 OK"
        sleep 1
    done
}
277
# has_mem_err <log_file_name>
# Returns 0 (true) unless the log contains BOTH valgrind success lines:
# "no leaks are possible" and "0 errors from 0 contexts". A log that is
# missing either line counts as having memory errors.
has_mem_err() {
    if grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null &&
       grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null
    then
        return 1 # false: does not have errors
    fi
    return 0 # true: has errors
}
288
# Wait for the server to start: two versions depending on lsof availability.
# With lsof, poll until SRV_PORT shows up (UDP for DTLS, a TCP LISTEN
# socket otherwise) or more than DOG_DELAY seconds have passed, in which
# case "SERVERSTART TIMEOUT" is printed and appended to SRV_OUT.
# Without lsof, just sleep START_DELAY seconds.
# Globals: DTLS, SRV_PORT, DOG_DELAY, START_DELAY, SRV_OUT (read),
#          START_TIME, DONE (written)
wait_server_start() {
    if which lsof >/dev/null 2>&1; then
        START_TIME=$( date +%s )
        DONE=0

        # Tight loops (no sleep between polls): the server usually takes
        # less than 1 sec to start.
        if [ "$DTLS" -eq 1 ]; then
            until lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null; do
                if [ $(( $( date +%s ) - START_TIME )) -gt "$DOG_DELAY" ]; then
                    echo "SERVERSTART TIMEOUT"
                    echo "SERVERSTART TIMEOUT" >> "$SRV_OUT"
                    break
                fi
            done
        else
            until lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null; do
                if [ $(( $( date +%s ) - START_TIME )) -gt "$DOG_DELAY" ]; then
                    echo "SERVERSTART TIMEOUT"
                    echo "SERVERSTART TIMEOUT" >> "$SRV_OUT"
                    break
                fi
            done
        fi
        DONE=1
    else
        sleep "$START_DELAY"
    fi
}
323
# Wait for the client to terminate and set CLI_EXIT.
# Must be called right after starting the client in the background: the
# first statement reads $! to learn the client's PID.
# A watchdog subshell kills the client after DOG_DELAY * CLI_DELAY_FACTOR
# seconds and marks the log with "===CLIENT_TIMEOUT===".
# Globals: DOG_DELAY, CLI_OUT (read); CLI_PID, CLI_DELAY, DOG_PID, CLI_EXIT
#          (written); CLI_DELAY_FACTOR and SRV_DELAY_SECONDS (read, then
#          reset to 1 and 0 for the following test)
wait_client_done() {
    CLI_PID=$!

    CLI_DELAY=$(( DOG_DELAY * CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    (
        sleep "$CLI_DELAY"
        echo "===CLIENT_TIMEOUT===" >> "$CLI_OUT"
        kill "$CLI_PID"
    ) &
    DOG_PID=$!

    wait "$CLI_PID"
    CLI_EXIT=$?

    # The client is done: stop the watchdog and reap it.
    kill "$DOG_PID" >/dev/null 2>&1
    wait "$DOG_PID"

    echo "EXIT: $CLI_EXIT" >> "$CLI_OUT"

    sleep "$SRV_DELAY_SECONDS"
    SRV_DELAY_SECONDS=0
}
346
# Check whether the given command line uses DTLS and set the global DTLS
# to 1 or 0. "Uses DTLS" means that it contains "dtls=1", "-dtls1" or "-u"
# anywhere in the string.
detect_dtls() {
    case "$1" in
        *dtls=1*|*-dtls1*|*-u*) DTLS=1 ;;
        *) DTLS=0 ;;
    esac
}
355
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#
# Review notes:
# - cli_cmd is executed through eval, and srv_cmd / proxy_cmd are word-split
#   and run as commands. All of them embed values taken from the environment
#   (P_SRV, P_CLI, OPENSSL_CMD, ...) and from the command line (ports), so
#   the script must only be run with a trusted environment and arguments.
# - The "check server exit code" step reads $? right after the handshake
#   checks, so it sees the status of that if-statement rather than the
#   status collected by "wait $SRV_PID"; as written it cannot fail.
run_test() {
    NAME="$1"
    shift 1

    # honour the --filter / --exclude selection; unselected tests are not
    # counted and not printed
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # Do we only run numbered tests?
    if [ -z "$RUN_TEST_NUMBER" ]; then :
    elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
    else
        SKIP_NEXT="YES"
    fi

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # fix client port: the client talks to the proxy when there is one
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed "s/+SRV_PORT/$PXY_PORT/g" )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed "s/+SRV_PORT/$SRV_PORT/g" )
    fi

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # at most two attempts; the second one only after a client timeout
    TIMES_LEFT=2
    while [ "$TIMES_LEFT" -gt 0 ]; do
        TIMES_LEFT=$(( TIMES_LEFT - 1 ))

        # run the commands
        if [ -n "$PXY_CMD" ]; then
            echo "$PXY_CMD" > "$PXY_OUT"
            # command string: left unquoted so that it splits into words
            $PXY_CMD >> "$PXY_OUT" 2>&1 &
            PXY_PID=$!
            # assume proxy starts faster than server
        fi

        check_osrv_dtls
        echo "$SRV_CMD" > "$SRV_OUT"
        # command string: left unquoted so that it splits into words
        provide_input | $SRV_CMD >> "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        wait_server_start

        echo "$CLI_CMD" > "$CLI_OUT"
        # NOTE(review): eval on a string built from environment-provided
        # values; needed for the "echo ... | client" pipelines in O_CLI/G_CLI.
        eval "$CLI_CMD" >> "$CLI_OUT" 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        kill "$SRV_PID"
        wait "$SRV_PID"
        if [ -n "$PXY_CMD" ]; then
            kill "$PXY_PID" >/dev/null 2>&1
            wait "$PXY_PID"
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' "$CLI_OUT" >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$SRV_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$CLI_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the if-statement just above,
    # not the server's exit status (see the header comment).
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code: only zero versus non-zero is compared
    if { [ "$CLI_EXPECT" = 0 ] && [ "$CLI_EXIT" != 0 ]; } ||
       { [ "$CLI_EXPECT" != 0 ] && [ "$CLI_EXIT" = 0 ]; }
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # lines with 'Serious error when reading debug info', are valgrind issues as well
    while [ $# -gt 0 ]; do
        case "$1" in
            -s)
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            -c)
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            -S)
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            -C)
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

            # The filtering in the following two options (-u and -U) does
            # the following:
            #   - ignore valgrind output
            #   - filter out everything but lines right after the pattern
            #     occurrences
            #   - keep one of each non-unique line
            #   - count how many lines remain
            # A line with '--' will remain in the result from previous
            # outputs, so the number of lines in the result will be 1 if
            # there were no duplicates.
            -U)
                if [ $(grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            -u)
                if [ $(grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
                ;;
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err "$SRV_OUT"; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err "$CLI_OUT"; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    if [ "$PRESERVE_LOGS" -gt 0 ]; then
        mv "$SRV_OUT" "o-srv-${TESTS}.log"
        mv "$CLI_OUT" "o-cli-${TESTS}.log"
    fi

    rm -f "$SRV_OUT" "$CLI_OUT" "$PXY_OUT"
}
578
# Signal handler (installed for INT, TERM and HUP): remove the intermediate
# files, kill whatever server, proxy, client or watchdog process has been
# recorded, and exit with status 1.
cleanup() {
    rm -f "$CLI_OUT" "$SRV_OUT" "$PXY_OUT" "$SESSION"
    # A PID variable may never have been set; ${VAR:-} keeps "set -u" quiet.
    for pid in "${SRV_PID:-}" "${PXY_PID:-}" "${CLI_PID:-}" "${DOG_PID:-}"; do
        if [ -n "$pid" ]; then
            kill "$pid" >/dev/null 2>&1
        fi
    done
    exit 1
}
587
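#
# MAIN
#

# Run from the directory that holds this script: every path used below
# (programs, data_files, config.h) is relative to it. The path is quoted
# so that a checkout directory containing spaces still works.
if cd "$( dirname "$0" )"; then :; else
    echo "cd $( dirname "$0" ) failed" >&2
    exit 1
fi

get_options "$@"

# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
if [ "$MEMCHECK" -gt 0 ]; then
    if which valgrind >/dev/null 2>&1; then :; else
        echo "Memcheck not possible. Valgrind not found"
        exit 1
    fi
fi
if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi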
622
# used by watchdog
MAIN_PID="$$"

# Start-up delay and watchdog timeout in seconds; be more patient with
# valgrind.
START_DELAY=1
DOG_DELAY=10
if [ "$MEMCHECK" -gt 0 ]; then
    START_DELAY=3
    DOG_DELAY=30
fi
CLI_DELAY_FACTOR=1
SRV_DELAY_SECONDS=0

# fix commands to use this port, force IPv4 while at it
# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"

# Allow SHA-1, because many of our test certificates use it.
# This is a default for the test programs only; individual tests append
# allow_sha1=0 to exercise the library's own default.
P_SRV="$P_SRV allow_sha1=1"
P_CLI="$P_CLI allow_sha1=1"

# Also pick a unique name for intermediate files.
# NOTE(review): the names are relative and derived from the PID, so the
# files are created in the current directory under guessable names.
SRV_OUT="srv_out.$$"
CLI_OUT="cli_out.$$"
PXY_OUT="pxy_out.$$"
SESSION="session.$$"

SKIP_NEXT="NO"

# remove intermediate files and kill child processes when interrupted
trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100660
# Basic test

# Checks that:
# - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected
#   ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
run_test "Default" \
    "$P_SRV debug_level=3" \
    "$P_CLI" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error"

# Same defaults over DTLS: the protocol version and ciphersuite are checked.
run_test "Default, DTLS" \
    "$P_SRV dtls=1" \
    "$P_CLI dtls=1" \
    0 \
    -s "Protocol is DTLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"

# Test for uniqueness of IVs in AEAD ciphersuites: over 20 exchanges, the
# line that follows each "IV used" debug message must never repeat, neither
# in the client log (-u) nor in the server log (-U).
run_test "Unique IV in GCM" \
    "$P_SRV exchanges=20 debug_level=4" \
    "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    0 \
    -u "IV used" \
    -U "IV used"
692
# Tests for rc4 option
#
# The handshake is expected to fail with "no ciphersuites in common" unless
# RC4 is forced on both sides; the first two tests only run when
# MBEDTLS_REMOVE_ARC4_CIPHERSUITES is defined in config.h.

requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server disabled, client enabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server half, client enabled" \
    "$P_SRV arc4=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

run_test "RC4: server enabled, client disabled" \
    "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

run_test "RC4: both enabled" \
    "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - The server has no ciphersuites in common"
721
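# Tests for SHA-1 support
#
# Policy under test: whether a peer certificate signed with SHA-1 passes
# verification. Each "by default" case exists twice, once per setting of
# MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, with opposite expected
# results. The two variants carry distinct names ("forbidden" / "allowed") so
# that a report line identifies which build policy was exercised; previously
# both were labelled "forbidden", including the one that expects success.
#
# In the variants that expect success, allow_sha1=0 is still passed on the
# verifying side, so that option evidently does not override a build whose
# default accepts SHA-1.
# NOTE(review): server2.crt and cli-rsa-sha1.crt are presumed SHA-1 signed;
# the data files are not visible here.

# --- Server certificate, verified by the client ---

requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    1 \
    -c "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    0

run_test "SHA-1 explicitly allowed in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI allow_sha1=1" \
    0

run_test "SHA-256 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
    "$P_CLI allow_sha1=0" \
    0

# --- Client certificate, verified by the server (auth_mode=required) ---

requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    1 \
    -s "The certificate is signed with an unacceptable hash"

requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-1 explicitly allowed in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=1" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-256 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
    0
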
# Tests for Truncated HMAC extension
#
# All cases force an HMAC-SHA1 CBC suite and inspect the server's debug dump
# of the computed MAC: 20 bytes is the full tag, 10 bytes the truncated one.
# The expectations pin that truncation is used only when client and server
# both set trunc_hmac=1; any other combination must keep the full 20-byte
# tag, so a one-sided request cannot weaken record integrity.

run_test "Truncated HMAC: client default, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client disabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=0" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client enabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

run_test "Truncated HMAC: client enabled, server disabled" \
    "$P_SRV debug_level=4 trunc_hmac=0" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -s "dumping 'computed mac' (20 bytes)" \
    -S "dumping 'computed mac' (10 bytes)"

# The only combination in which the 10-byte tag is expected.
run_test "Truncated HMAC: client enabled, server enabled" \
    "$P_SRV debug_level=4 trunc_hmac=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  trunc_hmac=1" \
    0 \
    -S "dumping 'computed mac' (20 bytes)" \
    -s "dumping 'computed mac' (10 bytes)"

# Tests for Encrypt-then-MAC extension
#
# Encrypt-then-MAC (RFC 7366) replaces MAC-then-encrypt for CBC suites. The
# cases below pin three properties:
#   - it is used only when both peers offer/accept it;
#   - it is not selected for AEAD (GCM) or stream (RC4) suites, where the
#     server sees the extension but must not echo it;
#   - it is not negotiated when either side is pinned to SSLv3.
# Lower-case -c/-s patterns are expected in the client/server output,
# upper-case -C/-S patterns must be absent (per run_test, defined outside
# this excerpt).

run_test "Encrypt then MAC: default" \
    "$P_SRV debug_level=3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -s "server hello, adding encrypt then mac extension" \
    -c "found encrypt_then_mac extension" \
    -c "using encrypt then mac" \
    -s "using encrypt then mac"

run_test "Encrypt then MAC: client enabled, server disabled" \
    "$P_SRV debug_level=3 etm=0  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

run_test "Encrypt then MAC: client enabled, aead cipher" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

run_test "Encrypt then MAC: client enabled, stream cipher" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

run_test "Encrypt then MAC: client disabled, server enabled" \
    "$P_SRV debug_level=3 etm=1  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=0" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Client pinned to SSLv3: it must not send the extension at all.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Server pinned to SSLv3: the client offers the extension, the server is
# expected not to report finding it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3  force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Tests for Extended Master Secret extension
#
# Extended Master Secret (RFC 7627) binds the master secret to the handshake
# transcript. The cases pin that it is on by default, that it is used only
# when both peers agree, and that it is not negotiated when either side is
# pinned to SSLv3.

run_test "Extended Master Secret: default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -s "server hello, adding extended master secret extension" \
    -c "found extended_master_secret extension" \
    -c "using extended master secret" \
    -s "using extended master secret"

run_test "Extended Master Secret: client enabled, server disabled" \
    "$P_SRV debug_level=3 extended_ms=0" \
    "$P_CLI debug_level=3 extended_ms=1" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

run_test "Extended Master Secret: client disabled, server enabled" \
    "$P_SRV debug_level=3 extended_ms=1" \
    "$P_CLI debug_level=3 extended_ms=0" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# Tests for FALLBACK_SCSV
#
# TLS_FALLBACK_SCSV (RFC 7507) is the downgrade-protection signal: a client
# retrying at a lower version adds it, and a server that supports a higher
# version must answer with the fatal inappropriate_fallback alert (86).
# Expected outcomes below:
#   - SCSV absent            -> handshake succeeds, no alert;
#   - SCSV at a lowered version (tls1_1) -> handshake fails with alert 86;
#   - SCSV at the maximum version -> received, but not treated as a fallback.
# NOTE(review): "inapropriate fallback" is matched against program output, so
# the spelling presumably mirrors the logged message; do not correct it here
# without changing the emitting code as well.

run_test "Fallback SCSV: default" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: explicitly disabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: enabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback" \
    -c "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: enabled, max version" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 fallback=1" \
    0 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# Interoperability with OpenSSL as the server.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: default, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -C "is a fatal alert message (msg 86)"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -c "is a fatal alert message (msg 86)"

# Interoperability with OpenSSL as the client.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: disabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1 -fallback_scsv" \
    1 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, max version, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -fallback_scsv" \
    0 \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

## ClientHello generated with
## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## then manually twiddling the ciphersuite list.
## The ClientHello content is spelled out below as a hex string as
## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
## The expected response is an inappropriate_fallback alert.
##
## These cases check that the server finds the SCSV (codepoint 5600) wherever
## it sits in the ciphersuite list, and does not mistake the byte-swapped
## value 0056 for it. The second quoted argument is the expected reply:
## 15 03 02 00 02 02 56 is an alert record carrying a fatal alert 0x56 (86).
## NOTE(review): the exit code is 0 even though an alert is expected, which
## suggests $TCP_CLIENT succeeds when the reply matches; it is defined outside
## this excerpt, so confirm there. These cases do not invoke $O_SRV or $O_CLI,
## so the requires_openssl_with_fallback_scsv gate may be stricter than needed.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: beginning of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: end of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

## Here the expected response is a valid ServerHello prefix, up to the random.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: not in list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

# Tests for CBC 1/n-1 record splitting
#
# 1/n-1 splitting is the countermeasure for the predictable-IV weakness of CBC
# in SSLv3 and TLS 1.0: the first byte of application data goes in its own
# record. With request_size=123 the server therefore reads 1 + 122 bytes when
# splitting is active and a single 123-byte record otherwise.
# Expected: splitting only for CBC suites at SSLv3 / TLS 1.0, never at
# TLS 1.1+, never for RC4, and not when the client sets recsplit=0.

run_test "CBC Record splitting: TLS 1.2, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1_2" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.1, no splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1_1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

run_test "CBC Record splitting: TLS 1.0, splitting" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=ssl3" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# Stream cipher at TLS 1.0: no CBC chaining, so no split is expected.
run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA  request_size=123 force_version=tls1" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# Explicit opt-out on the client removes the countermeasure.
run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1 recsplit=0" \
    0 \
    -s "Read from client: 123 bytes read" \
    -S "Read from client: 1 bytes read" \
    -S "122 bytes read"

# Same as the TLS 1.0 case, with nbio=2 on both sides.
run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
    "$P_SRV nbio=2" \
    "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA  request_size=123 force_version=tls1" \
    0 \
    -S "Read from client: 123 bytes read" \
    -s "Read from client: 1 bytes read" \
    -s "122 bytes read"

# Tests for Session Tickets
#
# Each case connects, reconnects (reconnect=1 or a second openssl run) and
# checks which resumption path the server reports. With tickets enabled on
# both sides the session must come back "from ticket" and never "from cache".
# The timeout case sets ticket_timeout=1 with reco_delay=2 and expects no
# resumption at all, i.e. an expired ticket is not honoured.

run_test "Session resume using tickets: basic" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using tickets: cache disabled" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using tickets: timeout" \
    "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using tickets: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -c "found session_ticket extension" \
    -c "parse new session ticket" \
    -c "a session has been resumed"

# The client side is a subshell: save the session, reuse it, delete the file.
# NOTE(review): $SESSION is set outside this excerpt and is expanded unquoted
# inside the command string, so its value must not contain whitespace or glob
# characters.
run_test "Session resume using tickets: openssl client" \
    "$P_SRV debug_level=3 tickets=1" \
    "( $O_CLI -sess_out $SESSION;  $O_CLI -sess_in $SESSION;  rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -s "server hello, adding session ticket extension" \
    -S "session successfully restored from cache" \
    -s "session successfully restored from ticket" \
    -s "a session has been resumed"

# Tests for Session Resume based on session-ID and cache
#
# Tickets are disabled on at least one side in every case, so resumption has
# to come from the server's session cache. The cases cover: tickets enabled
# on one side only, cache size limits (cache_max), and cache expiry
# (cache_timeout against the client's reco_delay). An entry older than
# cache_timeout must not be resumed; cache_timeout=0 is expected to resume
# even after the delay.

run_test "Session resume using cache: tickets enabled on client" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=1 reconnect=1" \
    0 \
    -c "client hello, adding session ticket extension" \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache: tickets enabled on server" \
    "$P_SRV debug_level=3 tickets=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "client hello, adding session ticket extension" \
    -S "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# cache_max=0: nothing may be resumed.
run_test "Session resume using cache: cache_max=0" \
    "$P_SRV debug_level=3 tickets=0 cache_max=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: cache_max=1" \
    "$P_SRV debug_level=3 tickets=0 cache_max=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

run_test "Session resume using cache: timeout > delay" \
    "$P_SRV debug_level=3 tickets=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# Entry expires (cache_timeout=1) before the client reconnects (reco_delay=2).
run_test "Session resume using cache: timeout < delay" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -S "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -S "a session has been resumed" \
    -C "a session has been resumed"

run_test "Session resume using cache: no timeout" \
    "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
    0 \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed" \
    -c "a session has been resumed"

# NOTE(review): $SESSION is set outside this excerpt and is expanded unquoted
# inside the command string, so its value must not contain whitespace or glob
# characters.
run_test "Session resume using cache: openssl client" \
    "$P_SRV debug_level=3 tickets=0" \
    "( $O_CLI -sess_out $SESSION;  $O_CLI -sess_in $SESSION;  rm -f $SESSION )" \
    0 \
    -s "found session ticket extension" \
    -S "server hello, adding session ticket extension" \
    -s "session successfully restored from cache" \
    -S "session successfully restored from ticket" \
    -s "a session has been resumed"

run_test "Session resume using cache: openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 tickets=0 reconnect=1" \
    0 \
    -C "found session_ticket extension" \
    -C "parse new session ticket" \
    -c "a session has been resumed"

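# Tests for Max Fragment Length extension

# The expectations in this group hard-code 16384 as the maximum content
# length. Read the configured value and stop the whole script (exit 1) when it
# is set to something else, rather than report misleading failures.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# An empty result (option not set, or config.pl produced no output) skips the
# check.
# NOTE(review): -ne is an integer comparison. If the configured value is not a
# plain integer, the test itself errors out and the guard is skipped, so a
# mismatching configuration would go unnoticed in that case.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments, never spliced into the format
    # string, so a '%' or backslash in a path cannot be interpreted as a
    # directive.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi
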
Hanno Becker4aed27e2017-09-18 15:00:34 +01001310requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001311run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001312 "$P_SRV debug_level=3" \
1313 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001314 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001315 -c "Maximum fragment length is 16384" \
1316 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001317 -C "client hello, adding max_fragment_length extension" \
1318 -S "found max fragment length extension" \
1319 -S "server hello, max_fragment_length extension" \
1320 -C "found max_fragment_length extension"
1321
Hanno Becker4aed27e2017-09-18 15:00:34 +01001322requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001323run_test "Max fragment length: enabled, default, larger message" \
1324 "$P_SRV debug_level=3" \
1325 "$P_CLI debug_level=3 request_size=20000" \
1326 0 \
1327 -c "Maximum fragment length is 16384" \
1328 -s "Maximum fragment length is 16384" \
1329 -C "client hello, adding max_fragment_length extension" \
1330 -S "found max fragment length extension" \
1331 -S "server hello, max_fragment_length extension" \
1332 -C "found max_fragment_length extension" \
1333 -c "20000 bytes written in 2 fragments" \
1334 -s "16384 bytes read" \
1335 -s "3616 bytes read"
1337requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1338run_test "Max fragment length, DTLS: enabled, default, larger message" \
1339 "$P_SRV debug_level=3 dtls=1" \
1340 "$P_CLI debug_level=3 dtls=1 request_size=20000" \
1341 1 \
1342 -c "Maximum fragment length is 16384" \
1343 -s "Maximum fragment length is 16384" \
1344 -C "client hello, adding max_fragment_length extension" \
1345 -S "found max fragment length extension" \
1346 -S "server hello, max_fragment_length extension" \
1347 -C "found max_fragment_length extension" \
1348 -c "fragment larger than.*maximum "
1349
1350requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1351run_test "Max fragment length: disabled, larger message" \
1352 "$P_SRV debug_level=3" \
1353 "$P_CLI debug_level=3 request_size=20000" \
1354 0 \
1355 -C "Maximum fragment length is 16384" \
1356 -S "Maximum fragment length is 16384" \
1357 -c "20000 bytes written in 2 fragments" \
1358 -s "16384 bytes read" \
1359 -s "3616 bytes read"
1360
1361requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1362run_test "Max fragment length DTLS: disabled, larger message" \
1363 "$P_SRV debug_level=3 dtls=1" \
1364 "$P_CLI debug_level=3 dtls=1 request_size=20000" \
1365 1 \
1366 -C "Maximum fragment length is 16384" \
1367 -S "Maximum fragment length is 16384" \
1368 -c "fragment larger than.*maximum "
1370requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001371run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001372 "$P_SRV debug_level=3" \
1373 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001374 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001375 -c "Maximum fragment length is 4096" \
1376 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001377 -c "client hello, adding max_fragment_length extension" \
1378 -s "found max fragment length extension" \
1379 -s "server hello, max_fragment_length extension" \
1380 -c "found max_fragment_length extension"
1381
Hanno Becker4aed27e2017-09-18 15:00:34 +01001382requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001383run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001384 "$P_SRV debug_level=3 max_frag_len=4096" \
1385 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001386 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001387 -c "Maximum fragment length is 16384" \
1388 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001389 -C "client hello, adding max_fragment_length extension" \
1390 -S "found max fragment length extension" \
1391 -S "server hello, max_fragment_length extension" \
1392 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001393
Hanno Becker4aed27e2017-09-18 15:00:34 +01001394requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001395requires_gnutls
1396run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001397 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001398 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001399 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001400 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001401 -c "client hello, adding max_fragment_length extension" \
1402 -c "found max_fragment_length extension"
Hanno Becker4aed27e2017-09-18 15:00:34 +01001404requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001405run_test "Max fragment length: client, message just fits" \
1406 "$P_SRV debug_level=3" \
1407 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1408 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001409 -c "Maximum fragment length is 2048" \
1410 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001411 -c "client hello, adding max_fragment_length extension" \
1412 -s "found max fragment length extension" \
1413 -s "server hello, max_fragment_length extension" \
1414 -c "found max_fragment_length extension" \
1415 -c "2048 bytes written in 1 fragments" \
1416 -s "2048 bytes read"
1417
Hanno Becker4aed27e2017-09-18 15:00:34 +01001418requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001419run_test "Max fragment length: client, larger message" \
1420 "$P_SRV debug_level=3" \
1421 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1422 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001423 -c "Maximum fragment length is 2048" \
1424 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001425 -c "client hello, adding max_fragment_length extension" \
1426 -s "found max fragment length extension" \
1427 -s "server hello, max_fragment_length extension" \
1428 -c "found max_fragment_length extension" \
1429 -c "2345 bytes written in 2 fragments" \
1430 -s "2048 bytes read" \
1431 -s "297 bytes read"
1432
Hanno Becker4aed27e2017-09-18 15:00:34 +01001433requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001434run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001435 "$P_SRV debug_level=3 dtls=1" \
1436 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1437 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001438 -c "Maximum fragment length is 2048" \
1439 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001440 -c "client hello, adding max_fragment_length extension" \
1441 -s "found max fragment length extension" \
1442 -s "server hello, max_fragment_length extension" \
1443 -c "found max_fragment_length extension" \
1444 -c "fragment larger than.*maximum"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001446# Tests for renegotiation
1447
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001448run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001449 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001450 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001451 0 \
1452 -C "client hello, adding renegotiation extension" \
1453 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1454 -S "found renegotiation extension" \
1455 -s "server hello, secure renegotiation extension" \
1456 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001457 -C "=> renegotiate" \
1458 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001459 -S "write hello request"
1460
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001461run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001462 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001463 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001464 0 \
1465 -c "client hello, adding renegotiation extension" \
1466 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1467 -s "found renegotiation extension" \
1468 -s "server hello, secure renegotiation extension" \
1469 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001470 -c "=> renegotiate" \
1471 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001472 -S "write hello request"
1473
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001474run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001475 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001476 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001477 0 \
1478 -c "client hello, adding renegotiation extension" \
1479 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1480 -s "found renegotiation extension" \
1481 -s "server hello, secure renegotiation extension" \
1482 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001483 -c "=> renegotiate" \
1484 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001485 -s "write hello request"
1486
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001487run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001488 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001489 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001490 0 \
1491 -c "client hello, adding renegotiation extension" \
1492 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1493 -s "found renegotiation extension" \
1494 -s "server hello, secure renegotiation extension" \
1495 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001496 -c "=> renegotiate" \
1497 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001498 -s "write hello request"
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001500run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001501 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001502 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001503 1 \
1504 -c "client hello, adding renegotiation extension" \
1505 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1506 -S "found renegotiation extension" \
1507 -s "server hello, secure renegotiation extension" \
1508 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001509 -c "=> renegotiate" \
1510 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001511 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +02001512 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001513 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001514
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001515run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001516 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001517 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001518 0 \
1519 -C "client hello, adding renegotiation extension" \
1520 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1521 -S "found renegotiation extension" \
1522 -s "server hello, secure renegotiation extension" \
1523 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +01001524 -C "=> renegotiate" \
1525 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001526 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +02001527 -S "SSL - An unexpected message was received from our peer" \
1528 -S "failed"
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001530run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001531 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001532 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001533 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001534 0 \
1535 -C "client hello, adding renegotiation extension" \
1536 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1537 -S "found renegotiation extension" \
1538 -s "server hello, secure renegotiation extension" \
1539 -c "found renegotiation extension" \
1540 -C "=> renegotiate" \
1541 -S "=> renegotiate" \
1542 -s "write hello request" \
1543 -S "SSL - An unexpected message was received from our peer" \
1544 -S "failed"
1545
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02001546# delay 2 for 1 alert record + 1 application data record
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001547run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001548 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001549 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001550 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001551 0 \
1552 -C "client hello, adding renegotiation extension" \
1553 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1554 -S "found renegotiation extension" \
1555 -s "server hello, secure renegotiation extension" \
1556 -c "found renegotiation extension" \
1557 -C "=> renegotiate" \
1558 -S "=> renegotiate" \
1559 -s "write hello request" \
1560 -S "SSL - An unexpected message was received from our peer" \
1561 -S "failed"
1562
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001563run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001564 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001565 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001566 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001567 0 \
1568 -C "client hello, adding renegotiation extension" \
1569 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1570 -S "found renegotiation extension" \
1571 -s "server hello, secure renegotiation extension" \
1572 -c "found renegotiation extension" \
1573 -C "=> renegotiate" \
1574 -S "=> renegotiate" \
1575 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +02001576 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001577
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001578run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001579 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001580 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001581 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +02001582 0 \
1583 -c "client hello, adding renegotiation extension" \
1584 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1585 -s "found renegotiation extension" \
1586 -s "server hello, secure renegotiation extension" \
1587 -c "found renegotiation extension" \
1588 -c "=> renegotiate" \
1589 -s "=> renegotiate" \
1590 -s "write hello request" \
1591 -S "SSL - An unexpected message was received from our peer" \
1592 -S "failed"
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001594run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001595 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001596 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1597 0 \
1598 -C "client hello, adding renegotiation extension" \
1599 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1600 -S "found renegotiation extension" \
1601 -s "server hello, secure renegotiation extension" \
1602 -c "found renegotiation extension" \
1603 -S "record counter limit reached: renegotiate" \
1604 -C "=> renegotiate" \
1605 -S "=> renegotiate" \
1606 -S "write hello request" \
1607 -S "SSL - An unexpected message was received from our peer" \
1608 -S "failed"
1609
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001610# one extra exchange to be able to complete renego
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001611run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001612 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001613 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001614 0 \
1615 -c "client hello, adding renegotiation extension" \
1616 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1617 -s "found renegotiation extension" \
1618 -s "server hello, secure renegotiation extension" \
1619 -c "found renegotiation extension" \
1620 -s "record counter limit reached: renegotiate" \
1621 -c "=> renegotiate" \
1622 -s "=> renegotiate" \
1623 -s "write hello request" \
1624 -S "SSL - An unexpected message was received from our peer" \
1625 -S "failed"
1626
1627run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001628 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +01001629 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001630 0 \
1631 -c "client hello, adding renegotiation extension" \
1632 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1633 -s "found renegotiation extension" \
1634 -s "server hello, secure renegotiation extension" \
1635 -c "found renegotiation extension" \
1636 -s "record counter limit reached: renegotiate" \
1637 -c "=> renegotiate" \
1638 -s "=> renegotiate" \
1639 -s "write hello request" \
1640 -S "SSL - An unexpected message was received from our peer" \
1641 -S "failed"
1642
1643run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001644 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +01001645 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
1646 0 \
1647 -C "client hello, adding renegotiation extension" \
1648 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1649 -S "found renegotiation extension" \
1650 -s "server hello, secure renegotiation extension" \
1651 -c "found renegotiation extension" \
1652 -S "record counter limit reached: renegotiate" \
1653 -C "=> renegotiate" \
1654 -S "=> renegotiate" \
1655 -S "write hello request" \
1656 -S "SSL - An unexpected message was received from our peer" \
1657 -S "failed"
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001659run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001660 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001661 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02001662 0 \
1663 -c "client hello, adding renegotiation extension" \
1664 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1665 -s "found renegotiation extension" \
1666 -s "server hello, secure renegotiation extension" \
1667 -c "found renegotiation extension" \
1668 -c "=> renegotiate" \
1669 -s "=> renegotiate" \
1670 -S "write hello request"
1671
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001672run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +01001673 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001674 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +02001675 0 \
1676 -c "client hello, adding renegotiation extension" \
1677 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1678 -s "found renegotiation extension" \
1679 -s "server hello, secure renegotiation extension" \
1680 -c "found renegotiation extension" \
1681 -c "=> renegotiate" \
1682 -s "=> renegotiate" \
1683 -s "write hello request"
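# Interoperability: client-initiated renegotiation against an OpenSSL server.
# Success is judged from the client log only: the extension is negotiated,
# the renegotiation starts, no handshake failure or "error" is logged, and
# the HTTP response still arrives.
#
# The forbidden handshake-failure pattern uses the exact
# "mbedtls_ssl_handshake() returned" text that the failing gnutls-unsafe
# tests in this file require with -c. A misspelt pattern can never match,
# which would leave this negative check unable to fail.
run_test    "Renegotiation: openssl server, client-initiated" \
            "$O_SRV -www" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# Same check against a GnuTLS server that insists on secure renegotiation
# (%SAFE_RENEGOTIATION priority string).
requires_gnutls
run_test    "Renegotiation: gnutls server strict, client-initiated" \
            "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -c "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"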
Paul Bakker539d9722015-02-08 16:18:35 +01001708requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001709run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
1710 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1711 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1712 1 \
1713 -c "client hello, adding renegotiation extension" \
1714 -C "found renegotiation extension" \
1715 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001716 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001717 -c "error" \
1718 -C "HTTP/1.0 200 [Oo][Kk]"
1719
Paul Bakker539d9722015-02-08 16:18:35 +01001720requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001721run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
1722 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1723 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
1724 allow_legacy=0" \
1725 1 \
1726 -c "client hello, adding renegotiation extension" \
1727 -C "found renegotiation extension" \
1728 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001729 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +01001730 -c "error" \
1731 -C "HTTP/1.0 200 [Oo][Kk]"
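# GnuTLS server without secure renegotiation, client opted in to legacy
# renegotiation (allow_legacy=1): the renegotiation is expected to succeed
# even though the extension is never found.
#
# The forbidden handshake-failure pattern uses the exact
# "mbedtls_ssl_handshake() returned" text that the failing gnutls-unsafe
# tests in this file require with -c. A misspelt pattern can never match,
# which would leave this negative check unable to fail.
requires_gnutls
run_test    "Renegotiation: gnutls server unsafe, client-inititated legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
             allow_legacy=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -C "found renegotiation extension" \
            -c "=> renegotiate" \
            -C "mbedtls_ssl_handshake() returned" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"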
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +02001746run_test "Renegotiation: DTLS, client-initiated" \
1747 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
1748 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
1749 0 \
1750 -c "client hello, adding renegotiation extension" \
1751 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1752 -s "found renegotiation extension" \
1753 -s "server hello, secure renegotiation extension" \
1754 -c "found renegotiation extension" \
1755 -c "=> renegotiate" \
1756 -s "=> renegotiate" \
1757 -S "write hello request"
1758
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02001759run_test "Renegotiation: DTLS, server-initiated" \
1760 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +02001761 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
1762 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +02001763 0 \
1764 -c "client hello, adding renegotiation extension" \
1765 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1766 -s "found renegotiation extension" \
1767 -s "server hello, secure renegotiation extension" \
1768 -c "found renegotiation extension" \
1769 -c "=> renegotiate" \
1770 -s "=> renegotiate" \
1771 -s "write hello request"
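# Regression test for renego_period handling over DTLS. The period is
# 18446462598732840962 = 0xFFFF000000000002, i.e. all ones in the top 16 bits
# and 2 in the low 48 bits. NOTE(review): presumably chosen so that the
# comparison with the DTLS record counter has to treat the high bits
# correctly; confirm against the library code. The server is expected to
# report "record counter limit reached" and renegotiate.
#
# The last option carries no trailing backslash: a dangling continuation
# would turn the next non-blank line into an extra argument of this call if
# the separating blank line were ever removed.
run_test    "Renegotiation: DTLS, renego_period overflow" \
            "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
            "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -s "record counter limit reached: renegotiate" \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "write hello request"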
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00001786requires_gnutls
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02001787run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
1788 "$G_SRV -u --mtu 4096" \
1789 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
1790 0 \
1791 -c "client hello, adding renegotiation extension" \
1792 -c "found renegotiation extension" \
1793 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001794 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +02001795 -C "error" \
1796 -s "Extra-header:"
# Test for the "secure renegotiation" extension only (no actual renegotiation)

# GnuTLS server requiring secure renegotiation: the client must find the
# extension and complete the request.
requires_gnutls
run_test    "Renego ext: gnutls server strict, client default" \
            "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -c "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# Server does not offer the extension: with its default policy the client
# still completes the initial handshake, but must not report the extension.
requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client default" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3" \
            0 \
            -C "found renegotiation extension" \
            -C "error" \
            -c "HTTP/1.0 200 [Oo][Kk]"

# allow_legacy=-1 on the client: a server without the extension must be
# refused already at the initial handshake (expected exit code 1).
requires_gnutls
run_test    "Renego ext: gnutls server unsafe, client break legacy" \
            "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            "$P_CLI debug_level=3 allow_legacy=-1" \
            1 \
            -C "found renegotiation extension" \
            -c "error" \
            -C "HTTP/1.0 200 [Oo][Kk]"

# Roles swapped: GnuTLS client against the Mbed TLS server. The client may
# signal support either through the SCSV or through the extension, so the
# server-side pattern accepts both (\| is grep alternation).
requires_gnutls
run_test    "Renego ext: gnutls client strict, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
            0 \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -s "server hello, secure renegotiation extension"

# Client does not signal support: the server must see neither form and must
# not answer with the extension. The handshake is still accepted by default.
requires_gnutls
run_test    "Renego ext: gnutls client unsafe, server default" \
            "$P_SRV debug_level=3" \
            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            0 \
            -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -S "server hello, secure renegotiation extension"

# allow_legacy=-1 on the server: a client without secure-renegotiation
# signalling is expected to fail (expected exit code 1).
requires_gnutls
run_test    "Renego ext: gnutls client unsafe, server break legacy" \
            "$P_SRV debug_level=3 allow_legacy=-1" \
            "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
            1 \
            -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
            -S "server hello, secure renegotiation extension"
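# Tests for silently dropping trailing extra bytes in .der certificates
#
# Each test loads a different server certificate file and expects the GnuTLS
# client to complete the handshake. The expected outcome is therefore that
# trailing bytes after the DER structure are tolerated by the server's
# certificate loading, not rejected.
#
# None of the calls ends in a trailing backslash: a dangling continuation
# would turn the next non-blank line into an extra argument of the call if
# the separating blank line were ever removed.

requires_gnutls
run_test    "DER format: no trailing bytes" \
            "$P_SRV crt_file=data_files/server5-der0.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with a trailing zero byte" \
            "$P_SRV crt_file=data_files/server5-der1a.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with a trailing random byte" \
            "$P_SRV crt_file=data_files/server5-der1b.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 2 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der2.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 4 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der4.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 8 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der8.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"

requires_gnutls
run_test    "DER format: with 9 trailing random bytes" \
            "$P_SRV crt_file=data_files/server5-der9.crt \
             key_file=data_files/server5.key" \
            "$G_CLI " \
            0 \
            -c "Handshake was completed"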
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001909# Tests for auth_mode
1910
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001911run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001912 "$P_SRV crt_file=data_files/server5-badsign.crt \
1913 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001914 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001915 1 \
1916 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001917 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001918 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001919 -c "X509 - Certificate verification failed"
1920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001921run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001922 "$P_SRV crt_file=data_files/server5-badsign.crt \
1923 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001924 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001925 0 \
1926 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001927 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001928 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001929 -C "X509 - Certificate verification failed"
1930
Hanno Beckere6706e62017-05-15 16:05:15 +01001931run_test "Authentication: server goodcert, client optional, no trusted CA" \
1932 "$P_SRV" \
1933 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
1934 0 \
1935 -c "x509_verify_cert() returned" \
1936 -c "! The certificate is not correctly signed by the trusted CA" \
1937 -c "! Certificate verification flags"\
1938 -C "! mbedtls_ssl_handshake returned" \
1939 -C "X509 - Certificate verification failed" \
1940 -C "SSL - No CA Chain is set, but required to operate"
1941
1942run_test "Authentication: server goodcert, client required, no trusted CA" \
1943 "$P_SRV" \
1944 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
1945 1 \
1946 -c "x509_verify_cert() returned" \
1947 -c "! The certificate is not correctly signed by the trusted CA" \
1948 -c "! Certificate verification flags"\
1949 -c "! mbedtls_ssl_handshake returned" \
1950 -c "SSL - No CA Chain is set, but required to operate"
1951
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
# corner case of a static ECDH suite, because the server doesn't check the curve on that
# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
# different means to have the server ignoring the client's supported curve list.
#
# Both auth modes are expected to end in a failed handshake (client exit 1):
# the client is restricted to curves=secp521r1 while the server presents
# server5.ku-ka.crt. The two cases differ only in which check rejects the
# curve: required mode must stop at certificate verification and never reach
# the ECDH-parameter check (-C), optional mode must reach it (-c).

requires_config_enabled MBEDTLS_ECP_C
run_test    "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
            "$P_SRV debug_level=1 key_file=data_files/server5.key \
             crt_file=data_files/server5.ku-ka.crt" \
            "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
            1 \
            -c "bad certificate (EC key curve)"\
            -c "! Certificate verification flags"\
            -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage

requires_config_enabled MBEDTLS_ECP_C
run_test    "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
            "$P_SRV debug_level=1 key_file=data_files/server5.key \
             crt_file=data_files/server5.ku-ka.crt" \
            "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
            1 \
            -c "bad certificate (EC key curve)"\
            -c "! Certificate verification flags"\
            -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
1978
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001979run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +01001980 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001981 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001982 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001983 0 \
1984 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01001985 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02001986 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01001987 -C "X509 - Certificate verification failed"
1988
Simon Butcher99000142016-10-13 17:21:01 +01001989run_test "Authentication: client SHA256, server required" \
1990 "$P_SRV auth_mode=required" \
1991 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
1992 key_file=data_files/server6.key \
1993 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1994 0 \
1995 -c "Supported Signature Algorithm found: 4," \
1996 -c "Supported Signature Algorithm found: 5,"
1997
1998run_test "Authentication: client SHA384, server required" \
1999 "$P_SRV auth_mode=required" \
2000 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2001 key_file=data_files/server6.key \
2002 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2003 0 \
2004 -c "Supported Signature Algorithm found: 4," \
2005 -c "Supported Signature Algorithm found: 5,"
2006
Gilles Peskinefd8332e2017-05-03 16:25:07 +02002007requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2008run_test "Authentication: client has no cert, server required (SSLv3)" \
2009 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2010 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2011 key_file=data_files/server5.key" \
2012 1 \
2013 -S "skip write certificate request" \
2014 -C "skip parse certificate request" \
2015 -c "got a certificate request" \
2016 -c "got no certificate to send" \
2017 -S "x509_verify_cert() returned" \
2018 -s "client has no certificate" \
2019 -s "! mbedtls_ssl_handshake returned" \
2020 -c "! mbedtls_ssl_handshake returned" \
2021 -s "No client certification received from the client, but required by the authentication mode"
2022
2023run_test "Authentication: client has no cert, server required (TLS)" \
2024 "$P_SRV debug_level=3 auth_mode=required" \
2025 "$P_CLI debug_level=3 crt_file=none \
2026 key_file=data_files/server5.key" \
2027 1 \
2028 -S "skip write certificate request" \
2029 -C "skip parse certificate request" \
2030 -c "got a certificate request" \
2031 -c "= write certificate$" \
2032 -C "skip write certificate$" \
2033 -S "x509_verify_cert() returned" \
2034 -s "client has no certificate" \
2035 -s "! mbedtls_ssl_handshake returned" \
2036 -c "! mbedtls_ssl_handshake returned" \
2037 -s "No client certification received from the client, but required by the authentication mode"
2038
# Server-side verification of the client certificate with auth_mode=required.
# Both a badly signed certificate (server5-badsign.crt) and a self-signed one
# (server5-selfsigned.crt) must be rejected: the server logs the verification
# failure and both sides report a failed handshake (client exit 1).
# In the first case the server must also send "alert level=2 message=48",
# i.e. a fatal unknown_ca alert in TLS alert numbering.
run_test    "Authentication: client badcert, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -s "send alert level=2 message=48" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.

run_test    "Authentication: client cert not trusted, server required" \
            "$P_SRV debug_level=3 auth_mode=required" \
            "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! The certificate is not correctly signed by the trusted CA" \
            -s "! mbedtls_ssl_handshake returned" \
            -c "! mbedtls_ssl_handshake returned" \
            -s "X509 - Certificate verification failed"
2076
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002077run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002078 "$P_SRV debug_level=3 auth_mode=optional" \
2079 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002080 key_file=data_files/server5.key" \
2081 0 \
2082 -S "skip write certificate request" \
2083 -C "skip parse certificate request" \
2084 -c "got a certificate request" \
2085 -C "skip write certificate" \
2086 -C "skip write certificate verify" \
2087 -S "skip parse certificate verify" \
2088 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002089 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002090 -S "! mbedtls_ssl_handshake returned" \
2091 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002092 -S "X509 - Certificate verification failed"
2093
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002094run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002095 "$P_SRV debug_level=3 auth_mode=none" \
2096 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002097 key_file=data_files/server5.key" \
2098 0 \
2099 -s "skip write certificate request" \
2100 -C "skip parse certificate request" \
2101 -c "got no certificate request" \
2102 -c "skip write certificate" \
2103 -c "skip write certificate verify" \
2104 -s "skip parse certificate verify" \
2105 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002106 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002107 -S "! mbedtls_ssl_handshake returned" \
2108 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +01002109 -S "X509 - Certificate verification failed"
2110
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002111run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002112 "$P_SRV debug_level=3 auth_mode=optional" \
2113 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002114 0 \
2115 -S "skip write certificate request" \
2116 -C "skip parse certificate request" \
2117 -c "got a certificate request" \
2118 -C "skip write certificate$" \
2119 -C "got no certificate to send" \
2120 -S "SSLv3 client has no certificate" \
2121 -c "skip write certificate verify" \
2122 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002123 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002124 -S "! mbedtls_ssl_handshake returned" \
2125 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002126 -S "X509 - Certificate verification failed"
2127
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002128run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002129 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002130 "$O_CLI" \
2131 0 \
2132 -S "skip write certificate request" \
2133 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002134 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002135 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002136 -S "X509 - Certificate verification failed"
2137
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002138run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002139 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002140 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002141 0 \
2142 -C "skip parse certificate request" \
2143 -c "got a certificate request" \
2144 -C "skip write certificate$" \
2145 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002146 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002147
Gilles Peskinefd8332e2017-05-03 16:25:07 +02002148run_test "Authentication: client no cert, openssl server required" \
2149 "$O_SRV -Verify 10" \
2150 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2151 1 \
2152 -C "skip parse certificate request" \
2153 -c "got a certificate request" \
2154 -C "skip write certificate$" \
2155 -c "skip write certificate verify" \
2156 -c "! mbedtls_ssl_handshake returned"
2157
Janos Follathe2681a42016-03-07 15:57:05 +00002158requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002159run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02002160 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +01002161 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002162 0 \
2163 -S "skip write certificate request" \
2164 -C "skip parse certificate request" \
2165 -c "got a certificate request" \
2166 -C "skip write certificate$" \
2167 -c "skip write certificate verify" \
2168 -c "got no certificate to send" \
2169 -s "SSLv3 client has no certificate" \
2170 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +01002171 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02002172 -S "! mbedtls_ssl_handshake returned" \
2173 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +01002174 -S "X509 - Certificate verification failed"
2175
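# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
# default value (8)
#
# Guard: read the configured MBEDTLS_X509_MAX_INTERMEDIATE_CA through
# ../scripts/config.pl and abort the whole script (exit 1) when it is set to
# something other than the value the chain-length tests were written for.
# An empty result (option not set, or config.pl unavailable) is accepted.
# NOTE(review): a non-numeric result makes the -ne comparison fail with a
# diagnostic and the guard is then skipped; CONFIG_H is expected to be set
# earlier in the script (not visible here), otherwise "set -u" aborts on it.

MAX_IM_CA='8'
MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)

if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
    # Variables are passed as printf arguments, never spliced into the format,
    # so a '%' or backslash in a path cannot alter the message.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_IM_CA}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi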
2193
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002194run_test "Authentication: server max_int chain, client default" \
2195 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2196 key_file=data_files/dir-maxpath/09.key" \
2197 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2198 0 \
2199 -C "X509 - A fatal error occured"
2200
2201run_test "Authentication: server max_int+1 chain, client default" \
2202 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2203 key_file=data_files/dir-maxpath/10.key" \
2204 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2205 1 \
2206 -c "X509 - A fatal error occured"
2207
2208run_test "Authentication: server max_int+1 chain, client optional" \
2209 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2210 key_file=data_files/dir-maxpath/10.key" \
2211 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2212 auth_mode=optional" \
2213 1 \
2214 -c "X509 - A fatal error occured"
2215
2216run_test "Authentication: server max_int+1 chain, client none" \
2217 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2218 key_file=data_files/dir-maxpath/10.key" \
2219 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2220 auth_mode=none" \
2221 0 \
2222 -C "X509 - A fatal error occured"
2223
2224run_test "Authentication: client max_int+1 chain, server default" \
2225 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2226 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2227 key_file=data_files/dir-maxpath/10.key" \
2228 0 \
2229 -S "X509 - A fatal error occured"
2230
2231run_test "Authentication: client max_int+1 chain, server optional" \
2232 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2233 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2234 key_file=data_files/dir-maxpath/10.key" \
2235 1 \
2236 -s "X509 - A fatal error occured"
2237
2238run_test "Authentication: client max_int+1 chain, server required" \
2239 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2240 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2241 key_file=data_files/dir-maxpath/10.key" \
2242 1 \
2243 -s "X509 - A fatal error occured"
2244
2245run_test "Authentication: client max_int chain, server required" \
2246 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2247 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2248 key_file=data_files/dir-maxpath/09.key" \
2249 0 \
2250 -S "X509 - A fatal error occured"
2251
Janos Follath89baba22017-04-10 14:34:35 +01002252# Tests for CA list in CertificateRequest messages
2253
2254run_test "Authentication: send CA list in CertificateRequest (default)" \
2255 "$P_SRV debug_level=3 auth_mode=required" \
2256 "$P_CLI crt_file=data_files/server6.crt \
2257 key_file=data_files/server6.key" \
2258 0 \
2259 -s "requested DN"
2260
2261run_test "Authentication: do not send CA list in CertificateRequest" \
2262 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2263 "$P_CLI crt_file=data_files/server6.crt \
2264 key_file=data_files/server6.key" \
2265 0 \
2266 -S "requested DN"
2267
2268run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2269 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2270 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2271 key_file=data_files/server5.key" \
2272 1 \
2273 -S "requested DN" \
2274 -s "x509_verify_cert() returned" \
2275 -s "! The certificate is not correctly signed by the trusted CA" \
2276 -s "! mbedtls_ssl_handshake returned" \
2277 -c "! mbedtls_ssl_handshake returned" \
2278 -s "X509 - Certificate verification failed"
2279
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +01002280# Tests for certificate selection based on SHA verson
2281
2282run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2283 "$P_SRV crt_file=data_files/server5.crt \
2284 key_file=data_files/server5.key \
2285 crt_file2=data_files/server5-sha1.crt \
2286 key_file2=data_files/server5.key" \
2287 "$P_CLI force_version=tls1_2" \
2288 0 \
2289 -c "signed using.*ECDSA with SHA256" \
2290 -C "signed using.*ECDSA with SHA1"
2291
2292run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2293 "$P_SRV crt_file=data_files/server5.crt \
2294 key_file=data_files/server5.key \
2295 crt_file2=data_files/server5-sha1.crt \
2296 key_file2=data_files/server5.key" \
2297 "$P_CLI force_version=tls1_1" \
2298 0 \
2299 -C "signed using.*ECDSA with SHA256" \
2300 -c "signed using.*ECDSA with SHA1"
2301
2302run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2303 "$P_SRV crt_file=data_files/server5.crt \
2304 key_file=data_files/server5.key \
2305 crt_file2=data_files/server5-sha1.crt \
2306 key_file2=data_files/server5.key" \
2307 "$P_CLI force_version=tls1" \
2308 0 \
2309 -C "signed using.*ECDSA with SHA256" \
2310 -c "signed using.*ECDSA with SHA1"
2311
2312run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2313 "$P_SRV crt_file=data_files/server5.crt \
2314 key_file=data_files/server5.key \
2315 crt_file2=data_files/server6.crt \
2316 key_file2=data_files/server6.key" \
2317 "$P_CLI force_version=tls1_1" \
2318 0 \
2319 -c "serial number.*09" \
2320 -c "signed using.*ECDSA with SHA256" \
2321 -C "signed using.*ECDSA with SHA1"
2322
2323run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2324 "$P_SRV crt_file=data_files/server6.crt \
2325 key_file=data_files/server6.key \
2326 crt_file2=data_files/server5.crt \
2327 key_file2=data_files/server5.key" \
2328 "$P_CLI force_version=tls1_1" \
2329 0 \
2330 -c "serial number.*0A" \
2331 -c "signed using.*ECDSA with SHA256" \
2332 -C "signed using.*ECDSA with SHA1"
2333
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002334# tests for SNI
2335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002336run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002337 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002338 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002339 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002340 0 \
2341 -S "parse ServerName extension" \
2342 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2343 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002345run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002346 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002347 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002348 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002349 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002350 0 \
2351 -s "parse ServerName extension" \
2352 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2353 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002355run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002356 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002357 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002358 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002359 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002360 0 \
2361 -s "parse ServerName extension" \
2362 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2363 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002364
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02002365run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002366 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002367 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +02002368 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02002369 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002370 1 \
2371 -s "parse ServerName extension" \
2372 -s "ssl_sni_wrapper() returned" \
2373 -s "mbedtls_ssl_handshake returned" \
2374 -c "mbedtls_ssl_handshake returned" \
2375 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002376
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002377run_test "SNI: client auth no override: optional" \
2378 "$P_SRV debug_level=3 auth_mode=optional \
2379 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2380 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2381 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002382 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002383 -S "skip write certificate request" \
2384 -C "skip parse certificate request" \
2385 -c "got a certificate request" \
2386 -C "skip write certificate" \
2387 -C "skip write certificate verify" \
2388 -S "skip parse certificate verify"
2389
2390run_test "SNI: client auth override: none -> optional" \
2391 "$P_SRV debug_level=3 auth_mode=none \
2392 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2393 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2394 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002395 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002396 -S "skip write certificate request" \
2397 -C "skip parse certificate request" \
2398 -c "got a certificate request" \
2399 -C "skip write certificate" \
2400 -C "skip write certificate verify" \
2401 -S "skip parse certificate verify"
2402
2403run_test "SNI: client auth override: optional -> none" \
2404 "$P_SRV debug_level=3 auth_mode=optional \
2405 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2406 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2407 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002408 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +02002409 -s "skip write certificate request" \
2410 -C "skip parse certificate request" \
2411 -c "got no certificate request" \
2412 -c "skip write certificate" \
2413 -c "skip write certificate verify" \
2414 -s "skip parse certificate verify"
2415
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +02002416run_test "SNI: CA no override" \
2417 "$P_SRV debug_level=3 auth_mode=optional \
2418 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2419 ca_file=data_files/test-ca.crt \
2420 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2421 "$P_CLI debug_level=3 server_name=localhost \
2422 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2423 1 \
2424 -S "skip write certificate request" \
2425 -C "skip parse certificate request" \
2426 -c "got a certificate request" \
2427 -C "skip write certificate" \
2428 -C "skip write certificate verify" \
2429 -S "skip parse certificate verify" \
2430 -s "x509_verify_cert() returned" \
2431 -s "! The certificate is not correctly signed by the trusted CA" \
2432 -S "The certificate has been revoked (is on a CRL)"
2433
2434run_test "SNI: CA override" \
2435 "$P_SRV debug_level=3 auth_mode=optional \
2436 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2437 ca_file=data_files/test-ca.crt \
2438 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2439 "$P_CLI debug_level=3 server_name=localhost \
2440 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2441 0 \
2442 -S "skip write certificate request" \
2443 -C "skip parse certificate request" \
2444 -c "got a certificate request" \
2445 -C "skip write certificate" \
2446 -C "skip write certificate verify" \
2447 -S "skip parse certificate verify" \
2448 -S "x509_verify_cert() returned" \
2449 -S "! The certificate is not correctly signed by the trusted CA" \
2450 -S "The certificate has been revoked (is on a CRL)"
2451
2452run_test "SNI: CA override with CRL" \
2453 "$P_SRV debug_level=3 auth_mode=optional \
2454 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2455 ca_file=data_files/test-ca.crt \
2456 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2457 "$P_CLI debug_level=3 server_name=localhost \
2458 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2459 1 \
2460 -S "skip write certificate request" \
2461 -C "skip parse certificate request" \
2462 -c "got a certificate request" \
2463 -C "skip write certificate" \
2464 -C "skip write certificate verify" \
2465 -S "skip parse certificate verify" \
2466 -s "x509_verify_cert() returned" \
2467 -S "! The certificate is not correctly signed by the trusted CA" \
2468 -s "The certificate has been revoked (is on a CRL)"
2469
# Tests for non-blocking I/O: exercise a variety of handshake flows
#
# Both peers run with nbio=2 (meaning defined by ssl_server2/ssl_client2, not
# shown here). The flows differ only in session tickets (tickets=0/1), client
# authentication (auth_mode=none/required) and whether the client reconnects
# to resume (reconnect=1).
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# Every case expects exit 0, no "mbedtls_ssl_handshake returned" line on
# either side, and application data read back by the client.

run_test "Non-blocking I/O: basic handshake" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: client auth" \
    "$P_SRV nbio=2 tickets=0 auth_mode=required" \
    "$P_CLI nbio=2 tickets=0" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + client auth + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=required" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: ticket + resume" \
    "$P_SRV nbio=2 tickets=1 auth_mode=none" \
    "$P_CLI nbio=2 tickets=1 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"

run_test "Non-blocking I/O: session-id resume" \
    "$P_SRV nbio=2 tickets=0 auth_mode=none" \
    "$P_CLI nbio=2 tickets=0 reconnect=1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -c "Read from server: .* bytes read"
2527
# Tests for version negotiation
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# The success cases check that both peers report the same negotiated version:
# 1.2 when neither side is capped, 1.1 when max_version=tls1_1 is set on
# either side. The two failure cases are the security-relevant ones: a peer
# whose min_version is above what the other side offers must abort rather
# than fall back, and the side holding the floor is the one expected to log
# "Handshake protocol not within min/max boundaries".
# TLS 1.0/1.1 were later deprecated (RFC 8996); what is pinned here is the
# enforcement of the configured floor, not an endorsement of 1.1.

run_test "Version check: all -> 1.2" \
    "$P_SRV" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.2" \
    -c "Protocol is TLSv1.2"

run_test "Version check: cli max 1.1 -> 1.1" \
    "$P_SRV" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli+srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
    "$P_SRV min_version=tls1_1" \
    "$P_CLI max_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_1" \
    0 \
    -S "mbedtls_ssl_handshake returned" \
    -C "mbedtls_ssl_handshake returned" \
    -s "Protocol is TLSv1.1" \
    -c "Protocol is TLSv1.1"

# Client floor (1.2) above server ceiling (1.1): the client must refuse.
run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
    "$P_SRV max_version=tls1_1" \
    "$P_CLI min_version=tls1_2" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - Handshake protocol not within min/max boundaries"

# Server floor (1.2) above client ceiling (1.1): the server must refuse.
run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
    "$P_SRV min_version=tls1_2" \
    "$P_CLI max_version=tls1_1" \
    1 \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -s "SSL - Handshake protocol not within min/max boundaries"
2599
# Tests for ALPN extension
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# The alert pattern "\\[2:120]" matches a literal "[2:120]" in the client log:
# level 2 (fatal), description 120 (no_application_protocol, RFC 7301).
# Coverage:
#   - one-sided offers: no protocol is selected, the handshake still succeeds
#   - both sides offer: the selected protocol follows the server's list order
#     (cli 1234,abc vs srv abc,1234 yields abc)
#   - no overlap: the handshake must fail with the fatal alert instead of
#     continuing without an agreed protocol
# NOTE(review): several patterns read "found alpn extension " with a trailing
# space while others omit it; the space is part of the pattern, presumably to
# tell two log messages apart -- keep it as is.

run_test "ALPN: none" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -C "Application Layer Protocol is" \
    -S "Application Layer Protocol is"

run_test "ALPN: client only" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -c "Application Layer Protocol is (none)" \
    -S "Application Layer Protocol is"

run_test "ALPN: server only" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3" \
    0 \
    -C "client hello, adding alpn extension" \
    -S "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension " \
    -C "Application Layer Protocol is" \
    -s "Application Layer Protocol is (none)"

run_test "ALPN: both, common cli1-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=abc,1234" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

run_test "ALPN: both, common cli2-srv1" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abc" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is abc" \
    -s "Application Layer Protocol is abc"

run_test "ALPN: both, common cli1-srv2" \
    "$P_SRV debug_level=3 alpn=abc,1234" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    0 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -C "got an alert message, type: \\[2:120]" \
    -s "server hello, adding alpn extension" \
    -c "found alpn extension" \
    -c "Application Layer Protocol is 1234" \
    -s "Application Layer Protocol is 1234"

run_test "ALPN: both, no common" \
    "$P_SRV debug_level=3 alpn=abc,123" \
    "$P_CLI debug_level=3 alpn=1234,abcde" \
    1 \
    -c "client hello, adding alpn extension" \
    -s "found alpn extension" \
    -c "got an alert message, type: \\[2:120]" \
    -S "server hello, adding alpn extension" \
    -C "found alpn extension" \
    -C "Application Layer Protocol is 1234" \
    -S "Application Layer Protocol is 1234"
2685
# Tests for keyUsage in leaf certificates, part 1:
# server-side certificate/suite selection
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# The server is given a certificate restricted to one keyUsage bit and must
# only negotiate a key exchange that bit permits:
#   RSA   digitalSignature -> (EC)DHE-RSA (the key signs the exchange)
#   RSA   keyEncipherment  -> plain RSA key transport
#   RSA   keyAgreement     -> nothing usable, handshake fails
#   ECDSA digitalSignature -> ECDHE-ECDSA
#   ECDSA keyAgreement     -> static ECDH
#   ECDSA keyEncipherment  -> nothing usable, handshake fails
# The failure cases assert that the client never logs a "Ciphersuite is" line.

run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"

run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ke.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-"

run_test "keyUsage srv: RSA, keyAgreement -> fail" \
    "$P_SRV key_file=data_files/server2.key \
     crt_file=data_files/server2.ku-ka.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "

run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ds.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"

run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI" \
    0 \
    -c "Ciphersuite is TLS-ECDH-"

run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ke.crt" \
    "$P_CLI" \
    1 \
    -C "Ciphersuite is "
2733
# Tests for keyUsage in leaf certificates, part 2:
# client-side checking of server cert
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# An OpenSSL server ($O_SRV) presents a certificate with restricted keyUsage
# and the mbed TLS client forces one ciphersuite; the client must reject the
# certificate when its keyUsage does not cover the forced key exchange.
# $O_SRV already carries -cert/-key for server5 (top of the file); the
# options appended here are presumably the ones openssl ends up using --
# confirm if a case behaves unexpectedly.
#
# "soft" cases run the client with auth_mode=optional: the mismatch is still
# logged ("bad certificate (usage extensions)", "! Usage does not match the
# keyUsage extension") but the handshake completes with exit 0. In that mode
# the mismatch is reported rather than enforced, so a caller relying on
# optional verification has to act on the reported result itself.

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds_ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

# keyEncipherment alone does not allow signing a DHE exchange: hard failure.
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"

run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

# digitalSignature alone does not allow RSA key transport: hard failure.
run_test "keyUsage cli: DigitalSignature, RSA: fail" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"

run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
    "$O_SRV -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    "$P_CLI debug_level=1 auth_mode=optional \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -c "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-" \
    -c "! Usage does not match the keyUsage extension"
2818
# Tests for keyUsage in leaf certificates, part 3:
# server-side checking of client cert
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# An OpenSSL client ($O_CLI) authenticates with a certificate restricted to
# one keyUsage bit. Signing the handshake needs digitalSignature, so
# keyEncipherment-only (RSA) and keyAgreement-only (ECDSA) client certificates
# must be flagged by the server.
# auth_mode=optional ("soft"): the server logs the usage error but lets the
# handshake finish (exit 0). auth_mode=required ("hard"): the handshake is
# aborted (exit 1). Only the RSA case has a hard variant in this group.

run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server2.key \
     -cert data_files/server2.ku-ke.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.ku-ds.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.ku-ka.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"
2861
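# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# The server is started with an ECDSA key and a certificate whose
# extendedKeyUsage varies; the default client then attempts a handshake.
# No log patterns are checked in this group, only the expected client exit
# status (0 = handshake succeeds, 1 = it must fail).

run_test "extKeyUsage srv: serverAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-srv.crt" \
    "$P_CLI" \
    0

# Uses the serverAuth+clientAuth certificate (eku-srv_cli), the same file the
# "extKeyUsage cli" and "extKeyUsage cli-auth" groups use for this case.
# With eku-srv.crt here the case only repeated the previous one and the
# two-purpose certificate was never exercised on the server side.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-srv_cli.crt" \
    "$P_CLI" \
    0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-cs_any.crt" \
    "$P_CLI" \
    0

# NOTE(review): the title says codeSign but the certificate is eku-cli.crt,
# the one the "cli-auth: clientAuth" case uses. Either way it lacks
# serverAuth, so the expected failure holds; data_files/server5.eku-cs.crt
# (used by the later groups) would match the title -- confirm which was meant.
run_test "extKeyUsage srv: codeSign -> fail" \
    "$P_SRV key_file=data_files/server5.key \
     crt_file=data_files/server5.eku-cli.crt" \
    "$P_CLI" \
    1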
2887
# Tests for extendedKeyUsage, part 2: client-side checking of server cert
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# An OpenSSL server presents certificates with different extendedKeyUsage
# sets. The mbed TLS client must accept any set that includes serverAuth or
# anyExtendedKeyUsage and reject a codeSigning-only certificate before a
# ciphersuite is ever reported.

run_test "extKeyUsage cli: serverAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-srv.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-srv_cli.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-cs_any.crt" \
    "$P_CLI debug_level=1" \
    0 \
    -C "bad certificate (usage extensions)" \
    -C "Processing of the Certificate handshake message failed" \
    -c "Ciphersuite is TLS-"

run_test "extKeyUsage cli: codeSign -> fail" \
    "$O_SRV -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    "$P_CLI debug_level=1" \
    1 \
    -c "bad certificate (usage extensions)" \
    -c "Processing of the Certificate handshake message failed" \
    -C "Ciphersuite is TLS-"
2925
# Tests for extendedKeyUsage, part 3: server-side checking of client cert
#
# (-s/-c: pattern required in server/client log; -S/-C: pattern forbidden.)
# An OpenSSL client authenticates with certificates carrying different
# extendedKeyUsage sets. Sets that include clientAuth or anyExtendedKeyUsage
# pass silently; a codeSigning-only certificate must be flagged.
# With auth_mode=optional ("soft") the server logs the usage error and the
# handshake still completes; with auth_mode=required ("hard") it is aborted.

run_test "extKeyUsage cli-auth: clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-srv_cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs_any.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server5.key \
     -cert data_files/server5.eku-cs.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"
2967
# Tests for DHM parameters loading
#
# (-c: pattern required in the client log.)
# The client forces a DHE-RSA suite and, at debug_level=3, logs the sizes of
# the Diffie-Hellman prime P and generator G it received. The first case pins
# the server's built-in parameters (P and G both reported as 2048 bits); the
# second checks that dhm_file= really replaces them (1024-bit P, 2-bit G from
# data_files/dhparams.pem).

run_test "DHM parameters: reference" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (2048 bits)" \
    -c "value of 'DHM: G ' (2048 bits)"

run_test "DHM parameters: other parameters" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (1024 bits)" \
    -c "value of 'DHM: G ' (2 bits)"
2985
# Tests for DHM client-side size checking
#
# (-c: pattern required in the client log; -C: pattern forbidden.)
# The client must refuse a server DH prime shorter than its configured
# minimum and log "DHM prime too short:". What the cases establish:
#   - the client's default minimum accepts a 1024-bit prime and rejects a
#     1000-bit one
#   - dhmlen= sets the minimum: 2048 accepts the server's default prime,
#     2049 rejects it
# 1024-bit groups leave little margin against precomputation (Logjam), so a
# deployment that controls its peers should set a higher minimum than the
# default these cases pin.

run_test "DHM size: server default, client default, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server default, client 2048, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2048" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server 1024, client default, OK" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    0 \
    -C "DHM prime too short:"

run_test "DHM size: server 1000, client default, rejected" \
    "$P_SRV dhm_file=data_files/dh.1000.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1" \
    1 \
    -c "DHM prime too short:"

run_test "DHM size: server default, client 2049, rejected" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
     debug_level=1 dhmlen=2049" \
    1 \
    -c "DHM prime too short:"
3022
# Tests for PSK callback
#
# (-s: pattern required in the server log; -S: pattern forbidden.)
# The client always forces a PSK suite. The three server-side messages checked
# separate the failure modes: no usable ciphersuite (server has no PSK at
# all), unknown identity (lookup failed), MAC failure (identity found but the
# key differs).
# psk_list looks like alternating identity,key pairs (abc->dead, def->beef),
# judging by the two matching cases below -- the parser is in ssl_server2.
# The PSK values are fixed test fixtures passed on the command line; real
# keys do not belong in argv, where other local users can read them.

run_test "PSK callback: psk, no callback" \
    "$P_SRV psk=abc123 psk_identity=foo" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: no psk, no callback" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -s "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# With psk_list set, the static psk/psk_identity pair is not honoured: the
# client using foo/abc123 must be rejected as an unknown identity.
run_test "PSK callback: callback overrides other settings" \
    "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=foo psk=abc123" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: first id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=abc psk=dead" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

run_test "PSK callback: second id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
     psk_identity=def psk=beef" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"
3069
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003070run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003071 "$P_SRV psk_list=abc,dead,def,beef" \
3072 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3073 psk_identity=ghi psk=beef" \
3074 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003075 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003076 -s "SSL - Unknown identity received" \
3077 -S "SSL - Verification of the message MAC failed"
3078
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003079run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003080 "$P_SRV psk_list=abc,dead,def,beef" \
3081 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3082 psk_identity=abc psk=beef" \
3083 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +01003084 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +02003085 -S "SSL - Unknown identity received" \
3086 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003087
# Tests for EC J-PAKE
#
# Every case is gated on MBEDTLS_KEY_EXCHANGE_ECJPAKE. Lower-case -c/-s are
# used for messages expected in the client/server log, upper-case -C/-S for
# messages that must be absent. "c0ff" in the client log is presumably the hex
# id of TLS-ECJPAKE-WITH-AES-128-CCM-8, the only suite forced in this group.

# No password on either side: the handshake succeeds with some other suite and
# neither peer shows any trace of the ECJPAKE suite or its kkpp extension.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: client not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "add ciphersuite: c0ff" \
    -C "adding ecjpake_kkpp extension" \
    -S "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable"

# Client insists on ECJPAKE, server has no password: the server sees the
# extension, skips it, reports the mismatch and finds no common suite.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: server not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -s "found ecjpake kkpp extension" \
    -s "skip ecjpake kkpp extension" \
    -s "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -s "None of the common ciphersuites is usable"

# Matching passwords over TLS: the extension is exchanged in both directions
# and the client does not reuse cached parameters.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -C "re-using cached ecjpake parameters" \
    -s "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -s "server hello, ecjpake kkpp extension" \
    -c "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable" \
    -S "SSL - Verification of the message MAC failed"

# Different passwords over TLS: the only failure checked is the server's MAC
# verification error, i.e. the mismatch is detected when the derived keys
# are first used. server_needs_more_time is defined elsewhere in this file;
# presumably it lengthens the wait for the server -- confirm.
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -C "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# Matching passwords over DTLS: here the client is expected to reuse its
# cached parameters (presumably for the second ClientHello that follows the
# server's cookie request; compare the cookies=0 case below).
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

# Same as above with cookies=0 on the server: no reuse of cached parameters.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, no cookie" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -C "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

# Different passwords over DTLS: cached parameters are reused and the server
# reports the MAC verification failure.
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# for tests with configs/config-thread.h
# No debug_level and no log patterns: only the client's exit status is checked.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, nolog" \
    "$P_SRV dtls=1 ecjpake_pw=bla" \
    "$P_CLI dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0
# Tests for ciphersuites per version
#
# The server is given the same four-entry version_suites list in every case
# and the client forces one protocol version. Judging by the expected
# "Ciphersuite is ..." lines, the entries apply in order to SSL3, TLS 1.0,
# TLS 1.1 and TLS 1.2. The check is made on the client log (-c).

# SSL3 is only exercised when the build enables it; the server must also
# lower its minimum version.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Per-version suites: SSL3" \
    "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=ssl3" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"

# Second entry is selected for TLS 1.0 (arc4=1 is passed on both sides here).
run_test "Per-version suites: TLS 1.0" \
    "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1 arc4=1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"

# Third entry is selected for TLS 1.1.
run_test "Per-version suites: TLS 1.1" \
    "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"

# Fourth entry (the only AEAD suite in the list) is selected for TLS 1.2.
run_test "Per-version suites: TLS 1.2" \
    "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
# Test for ClientHello without extensions
#
# A GnuTLS client ($G_CLI, defined elsewhere in this file) is told through its
# priority string to send no extensions. The server must log an empty
# extensions dump and the handshake must still succeed.

requires_gnutls
run_test "ClientHello without extensions, SHA-1 allowed" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -s "dumping 'client hello extensions' (0 bytes)"

# Same ClientHello against a server started with allow_sha1=0 and the
# server2 key/certificate pair; success is still expected.
# NOTE(review): with no signature_algorithms extension the peer's hash
# preference is implicit (RFC 5246 falls back to SHA-1), so this case
# presumably pins that allow_sha1=0 does not break such clients -- confirm
# which hash the server actually signs with.
requires_gnutls
run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
    "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
    "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
#
# Both checks are made on the server's "Read from client" line. The patterns
# are regular expressions (note the "$" anchor), presumably matched with grep.

# 100-byte request: the line must end right after "bytes read", i.e. the
# server reports nothing left over.
run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
    "$P_SRV" \
    "$P_CLI request_size=100" \
    0 \
    -s "Read from client: 100 bytes read$"

# 500-byte request: the line must carry a parenthesised "a + b" suffix,
# i.e. the server reports data beyond its first read.
run_test "mbedtls_ssl_get_bytes_avail: extra data" \
    "$P_SRV" \
    "$P_CLI request_size=500" \
    0 \
    -s "Read from client: 500 bytes read (.*+.*)"
# Tests for small packets
#
# Every case sends a 1-byte request (request_size=1) and requires the server
# to log that exactly that read happened. The matrix runs over protocol
# version and record protection: CBC block cipher (with and without
# encrypt-then-MAC), RC4 stream cipher, truncated HMAC, a SHA-384 MAC and
# CCM with full and 8-byte tags.
#
# NOTE(review): there is no plain "TLS 1.0 StreamCipher" case, unlike TLS 1.1
# and TLS 1.2 -- confirm whether the gap is intentional.
# NOTE(review): the truncated-MAC cases set trunc_hmac=1 on the client only
# and check nothing but the byte count, so they do not prove that truncated
# HMAC was negotiated -- consider asserting it in the logs.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=1 force_version=ssl3 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# RC4 cases pass arc4=1 to the server in addition to forcing the suite.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=ssl3 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# --- TLS 1.0 ---

run_test "Small packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# etm=0 on the client turns encrypt-then-MAC off for this connection.
run_test "Small packet TLS 1.0 BlockCipher without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 etm=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

# --- TLS 1.1 ---

run_test "Small packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.1 BlockCipher without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

# --- TLS 1.2 ---

run_test "Small packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.2 BlockCipher without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# "Larger MAC" is exercised through a SHA-384 suite.
run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

# AEAD coverage uses AES-256-CCM, then its 8-byte-tag variant.
run_test "Small packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -s "Read from client: 1 bytes read"
# A test for extensions in SSLv3
#
# The client is forced to SSLv3 while being asked for session tickets, a
# maximum fragment length and ALPN. The handshake must succeed and the server
# log must show neither a ClientHello extensions dump nor a ServerHello
# extension length, i.e. no extensions are exchanged in either direction.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "SSLv3 with extensions, server side" \
    "$P_SRV min_version=ssl3 debug_level=3" \
    "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
    0 \
    -S "dumping 'client hello extensions'" \
    -S "server hello, total extension length:"
# Test for large packets
#
# Every case sends a 16384-byte request (the largest TLS record payload) and
# checks both ends: the client must report a single fragment written and the
# server must report the full read.
#
# recsplit=0 appears only on the SSLv3 and TLS 1.0 CBC cases. Presumably it
# disables the client's CBC record splitting, which would otherwise break the
# write into more than one fragment -- confirm against ssl_client2.
#
# NOTE(review): as in the small-packet group, there is no plain
# "TLS 1.0 StreamCipher" case, and the truncated-MAC cases do not assert that
# truncated HMAC was actually negotiated.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=ssl3 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

# --- TLS 1.0 ---

run_test "Large packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

# --- TLS 1.1 ---

run_test "Large packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

# --- TLS 1.2 ---

run_test "Large packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"
# Tests for DTLS HelloVerifyRequest
#
# HelloVerifyRequest is DTLS's stateless cookie round trip: the server makes
# the client echo a cookie before committing handshake state, which ties the
# ClientHello to a reachable source address. The cases below pin the server's
# cookie log lines (-s expected / -S absent) and whether the client saw the
# request (-c expected / -C absent).

# Cookies on (server default for this program): one failed verification for
# the first, cookie-less ClientHello, then a pass for the retried one.
run_test "DTLS cookie: enabled" \
    "$P_SRV dtls=1 debug_level=2" \
    "$P_CLI dtls=1 debug_level=2" \
    0 \
    -s "cookie verification failed" \
    -s "cookie verification passed" \
    -S "cookie verification skipped" \
    -c "received hello verify request" \
    -s "hello verification requested" \
    -S "SSL - The requested feature is not available"

# cookies=0: verification is skipped and no HelloVerifyRequest is sent. This
# removes the return-routability check, so it belongs in test setups only.
run_test "DTLS cookie: disabled" \
    "$P_SRV dtls=1 debug_level=2 cookies=0" \
    "$P_CLI dtls=1 debug_level=2" \
    0 \
    -S "cookie verification failed" \
    -S "cookie verification passed" \
    -s "cookie verification skipped" \
    -C "received hello verify request" \
    -S "hello verification requested" \
    -s "SSL - The requested feature is not available"
# Tests for client reconnecting from the same port with DTLS
#
# With reconnect_hard=1 the client starts a fresh handshake from the port it
# was already using. The server is expected to notice this and log
# "Client initiated reconnection from same port". The last case shows that
# this only happens when cookies are enabled: with cookies=0 the server never
# logs the reconnection and its read times out instead. That matches the DTLS
# rule that a new ClientHello on a live association must pass a cookie check
# before the old state is dropped, so a spoofed datagram cannot reset it.

# Baseline without reconnect: no retransmission, no timeout, no reconnection.
not_with_valgrind # spurious resend
run_test "DTLS client reconnect from same port: reference" \
    "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
    "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
    0 \
    -C "resend" \
    -S "The operation timed out" \
    -S "Client initiated reconnection from same port"

# Hard reconnect: detected by the server, still without resend or timeout.
not_with_valgrind # spurious resend
run_test "DTLS client reconnect from same port: reconnect" \
    "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
    "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
    0 \
    -C "resend" \
    -S "The operation timed out" \
    -s "Client initiated reconnection from same port"

# Same with non-blocking I/O on the server (nbio=2); resends are not checked.
not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
    "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
    "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
    0 \
    -S "The operation timed out" \
    -s "Client initiated reconnection from same port"

# Valgrind-only twin of the previous case with longer read and handshake
# timeouts on both sides.
only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
    "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
    "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
    0 \
    -S "The operation timed out" \
    -s "Client initiated reconnection from same port"

# Cookies off: the reconnection is not recognised and the server's read times
# out. The client is still expected to exit 0 (its handshake timeout range is
# widened to 500-8000 here).
run_test "DTLS client reconnect from same port: no cookies" \
    "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
    "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
    0 \
    -s "The operation timed out" \
    -S "Client initiated reconnection from same port"
3630
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# Only auth_mode=required yields a handshake that proves the client's
# identity. In the optional and none cases below the handshake still succeeds
# (expected exit code 0) although no client certificate was verified, so a
# completed handshake must not be read as "client authenticated" in those
# modes.

# Server demands a certificate; it must report a successful verification.
run_test    "DTLS client auth: required" \
            "$P_SRV dtls=1 auth_mode=required" \
            "$P_CLI dtls=1" \
            0 \
            -s "Verifying peer X.509 certificate... ok"

# Client presents no certificate; the server continues but must flag that the
# certificate was missing.
run_test    "DTLS client auth: optional, client has no cert" \
            "$P_SRV dtls=1 auth_mode=optional" \
            "$P_CLI dtls=1 crt_file=none key_file=none" \
            0 \
            -s "! Certificate was missing"

# Server does not ask for authentication: the client must skip writing its
# Certificate message and the server must log that verification was skipped.
run_test    "DTLS client auth: none, client has no cert" \
            "$P_SRV dtls=1 auth_mode=none" \
            "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
            0 \
            -c "skip write certificate$" \
            -s "! Certificate verification was skipped"

Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +02003653run_test "DTLS wrong PSK: badmac alert" \
3654 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
3655 "$P_CLI dtls=1 psk=abc124" \
3656 1 \
3657 -s "SSL - Verification of the message MAC failed" \
3658 -c "SSL - A fatal alert message was received from our peer"
3659
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02003660# Tests for receiving fragmented handshake messages with DTLS
3661
3662requires_gnutls
3663run_test "DTLS reassembly: no fragmentation (gnutls server)" \
3664 "$G_SRV -u --mtu 2048 -a" \
3665 "$P_CLI dtls=1 debug_level=2" \
3666 0 \
3667 -C "found fragmented DTLS handshake message" \
3668 -C "error"
3669
3670requires_gnutls
3671run_test "DTLS reassembly: some fragmentation (gnutls server)" \
3672 "$G_SRV -u --mtu 512" \
3673 "$P_CLI dtls=1 debug_level=2" \
3674 0 \
3675 -c "found fragmented DTLS handshake message" \
3676 -C "error"
3677
3678requires_gnutls
3679run_test "DTLS reassembly: more fragmentation (gnutls server)" \
3680 "$G_SRV -u --mtu 128" \
3681 "$P_CLI dtls=1 debug_level=2" \
3682 0 \
3683 -c "found fragmented DTLS handshake message" \
3684 -C "error"
3685
3686requires_gnutls
3687run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
3688 "$G_SRV -u --mtu 128" \
3689 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3690 0 \
3691 -c "found fragmented DTLS handshake message" \
3692 -C "error"
3693
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003694requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003695run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
3696 "$G_SRV -u --mtu 256" \
3697 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
3698 0 \
3699 -c "found fragmented DTLS handshake message" \
3700 -c "client hello, adding renegotiation extension" \
3701 -c "found renegotiation extension" \
3702 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003703 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003704 -C "error" \
3705 -s "Extra-header:"
3706
3707requires_gnutls
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003708run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
3709 "$G_SRV -u --mtu 256" \
3710 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
3711 0 \
3712 -c "found fragmented DTLS handshake message" \
3713 -c "client hello, adding renegotiation extension" \
3714 -c "found renegotiation extension" \
3715 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003716 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02003717 -C "error" \
3718 -s "Extra-header:"
3719
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02003720run_test "DTLS reassembly: no fragmentation (openssl server)" \
3721 "$O_SRV -dtls1 -mtu 2048" \
3722 "$P_CLI dtls=1 debug_level=2" \
3723 0 \
3724 -C "found fragmented DTLS handshake message" \
3725 -C "error"
3726
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003727run_test "DTLS reassembly: some fragmentation (openssl server)" \
3728 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02003729 "$P_CLI dtls=1 debug_level=2" \
3730 0 \
3731 -c "found fragmented DTLS handshake message" \
3732 -C "error"
3733
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003734run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02003735 "$O_SRV -dtls1 -mtu 256" \
3736 "$P_CLI dtls=1 debug_level=2" \
3737 0 \
3738 -c "found fragmented DTLS handshake message" \
3739 -C "error"
3740
3741run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
3742 "$O_SRV -dtls1 -mtu 256" \
3743 "$P_CLI dtls=1 nbio=2 debug_level=2" \
3744 0 \
3745 -c "found fragmented DTLS handshake message" \
3746 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02003747
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02003748# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02003749
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003750not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003751run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02003752 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003753 "$P_SRV dtls=1 debug_level=2" \
3754 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003755 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003756 -C "replayed record" \
3757 -S "replayed record" \
3758 -C "record from another epoch" \
3759 -S "record from another epoch" \
3760 -C "discarding invalid record" \
3761 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003762 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003763 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003764 -c "HTTP/1.0 200 OK"
3765
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003766not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003767run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003768 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003769 "$P_SRV dtls=1 debug_level=2" \
3770 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02003771 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02003772 -c "replayed record" \
3773 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003774 -c "discarding invalid record" \
3775 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003776 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003777 -s "Extra-header:" \
3778 -c "HTTP/1.0 200 OK"
3779
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003780run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
3781 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003782 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
3783 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003784 0 \
3785 -c "replayed record" \
3786 -S "replayed record" \
3787 -c "discarding invalid record" \
3788 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02003789 -c "resend" \
3790 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02003791 -s "Extra-header:" \
3792 -c "HTTP/1.0 200 OK"
3793
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003794run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02003795 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003796 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003797 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003798 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003799 -c "discarding invalid record (mac)" \
3800 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003801 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003802 -c "HTTP/1.0 200 OK" \
3803 -S "too many records with bad MAC" \
3804 -S "Verification of the message MAC failed"
3805
3806run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
3807 -p "$P_PXY bad_ad=1" \
3808 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
3809 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3810 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003811 -C "discarding invalid record (mac)" \
3812 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003813 -S "Extra-header:" \
3814 -C "HTTP/1.0 200 OK" \
3815 -s "too many records with bad MAC" \
3816 -s "Verification of the message MAC failed"
3817
3818run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
3819 -p "$P_PXY bad_ad=1" \
3820 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
3821 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
3822 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003823 -c "discarding invalid record (mac)" \
3824 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003825 -s "Extra-header:" \
3826 -c "HTTP/1.0 200 OK" \
3827 -S "too many records with bad MAC" \
3828 -S "Verification of the message MAC failed"
3829
3830run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
3831 -p "$P_PXY bad_ad=1" \
3832 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
3833 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
3834 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02003835 -c "discarding invalid record (mac)" \
3836 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02003837 -s "Extra-header:" \
3838 -c "HTTP/1.0 200 OK" \
3839 -s "too many records with bad MAC" \
3840 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003841
3842run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003843 -p "$P_PXY delay_ccs=1" \
3844 "$P_SRV dtls=1 debug_level=1" \
3845 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003846 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003847 -c "record from another epoch" \
3848 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003849 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02003850 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003851 -s "Extra-header:" \
3852 -c "HTTP/1.0 200 OK"
3853
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02003854# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003855
Janos Follath74537a62016-09-02 13:45:28 +01003856client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003857run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003858 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003859 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3860 psk=abc123" \
3861 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003862 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3863 0 \
3864 -s "Extra-header:" \
3865 -c "HTTP/1.0 200 OK"
3866
Janos Follath74537a62016-09-02 13:45:28 +01003867client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003868run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
3869 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003870 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3871 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003872 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3873 0 \
3874 -s "Extra-header:" \
3875 -c "HTTP/1.0 200 OK"
3876
Janos Follath74537a62016-09-02 13:45:28 +01003877client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003878run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
3879 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003880 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
3881 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003882 0 \
3883 -s "Extra-header:" \
3884 -c "HTTP/1.0 200 OK"
3885
Janos Follath74537a62016-09-02 13:45:28 +01003886client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003887run_test "DTLS proxy: 3d, FS, client auth" \
3888 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003889 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
3890 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003891 0 \
3892 -s "Extra-header:" \
3893 -c "HTTP/1.0 200 OK"
3894
Janos Follath74537a62016-09-02 13:45:28 +01003895client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003896run_test "DTLS proxy: 3d, FS, ticket" \
3897 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003898 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
3899 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003900 0 \
3901 -s "Extra-header:" \
3902 -c "HTTP/1.0 200 OK"
3903
Janos Follath74537a62016-09-02 13:45:28 +01003904client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02003905run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
3906 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003907 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
3908 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02003909 0 \
3910 -s "Extra-header:" \
3911 -c "HTTP/1.0 200 OK"
3912
Janos Follath74537a62016-09-02 13:45:28 +01003913client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003914run_test "DTLS proxy: 3d, max handshake, nbio" \
3915 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003916 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
3917 auth_mode=required" \
3918 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003919 0 \
3920 -s "Extra-header:" \
3921 -c "HTTP/1.0 200 OK"
3922
Janos Follath74537a62016-09-02 13:45:28 +01003923client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02003924run_test "DTLS proxy: 3d, min handshake, resumption" \
3925 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3926 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3927 psk=abc123 debug_level=3" \
3928 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3929 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3930 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3931 0 \
3932 -s "a session has been resumed" \
3933 -c "a session has been resumed" \
3934 -s "Extra-header:" \
3935 -c "HTTP/1.0 200 OK"
3936
Janos Follath74537a62016-09-02 13:45:28 +01003937client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02003938run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
3939 -p "$P_PXY drop=5 delay=5 duplicate=5" \
3940 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3941 psk=abc123 debug_level=3 nbio=2" \
3942 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3943 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
3944 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
3945 0 \
3946 -s "a session has been resumed" \
3947 -c "a session has been resumed" \
3948 -s "Extra-header:" \
3949 -c "HTTP/1.0 200 OK"
3950
Janos Follath74537a62016-09-02 13:45:28 +01003951client_needs_more_time 4
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02003952run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003953 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02003954 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
3955 psk=abc123 renegotiation=1 debug_level=2" \
3956 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
3957 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02003958 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3959 0 \
3960 -c "=> renegotiate" \
3961 -s "=> renegotiate" \
3962 -s "Extra-header:" \
3963 -c "HTTP/1.0 200 OK"
3964
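# Client-initiated renegotiation over the lossy proxy, with non-blocking I/O
# on both peers. The server permits renegotiation (renegotiation=1) and the
# client requests it (renegotiate=1); both must log that it started.
# nbio=2 is passed to server and client, as in the other ", nbio" proxy tests
# in this file: without it this case ran with exactly the same arguments as
# the blocking "client-initiated renego" test and the non-blocking
# renegotiation path under packet loss was never exercised.
client_needs_more_time 4
run_test    "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
            -p "$P_PXY drop=5 delay=5 duplicate=5" \
            "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
             psk=abc123 renegotiation=1 debug_level=2 nbio=2" \
            "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
             renegotiate=1 debug_level=2 nbio=2 \
             force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
            0 \
            -c "=> renegotiate" \
            -s "=> renegotiate" \
            -s "Extra-header:" \
            -c "HTTP/1.0 200 OK"
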
Janos Follath74537a62016-09-02 13:45:28 +01003979client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003980run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003981 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003982 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003983 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003984 debug_level=2" \
3985 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003986 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003987 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
3988 0 \
3989 -c "=> renegotiate" \
3990 -s "=> renegotiate" \
3991 -s "Extra-header:" \
3992 -c "HTTP/1.0 200 OK"
3993
Janos Follath74537a62016-09-02 13:45:28 +01003994client_needs_more_time 4
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003995run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003996 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003997 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02003998 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02003999 debug_level=2 nbio=2" \
4000 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02004001 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02004002 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4003 0 \
4004 -c "=> renegotiate" \
4005 -s "=> renegotiate" \
4006 -s "Extra-header:" \
4007 -c "HTTP/1.0 200 OK"
4008
Janos Follath74537a62016-09-02 13:45:28 +01004009client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004010not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004011run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02004012 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4013 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00004014 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02004015 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02004016 -c "HTTP/1.0 200 OK"
4017
Janos Follath74537a62016-09-02 13:45:28 +01004018client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004019not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004020run_test "DTLS proxy: 3d, openssl server, fragmentation" \
4021 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4022 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00004023 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004024 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004025 -c "HTTP/1.0 200 OK"
4026
Janos Follath74537a62016-09-02 13:45:28 +01004027client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004028not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02004029run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
4030 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4031 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +00004032 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02004033 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02004034 -c "HTTP/1.0 200 OK"
4035
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00004036requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01004037client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004038not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004039run_test "DTLS proxy: 3d, gnutls server" \
4040 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4041 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02004042 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004043 0 \
4044 -s "Extra-header:" \
4045 -c "Extra-header:"
4046
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00004047requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01004048client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004049not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004050run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4051 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4052 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02004053 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02004054 0 \
4055 -s "Extra-header:" \
4056 -c "Extra-header:"
4057
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00004058requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01004059client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02004060not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02004061run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4062 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4063 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +02004064 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02004065 0 \
4066 -s "Extra-header:" \
4067 -c "Extra-header:"
4068
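# Final report
#
# Prints a PASSED/FAILED banner with the pass, total and skipped counts, then
# exits with the number of failed tests as the process status. FAILS, TESTS
# and SKIPS are not assigned in this part of the script; they are presumably
# maintained by run_test.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# Only the low 8 bits of an exit status reach the caller, so a failure count
# that is a multiple of 256 would be seen by CI or make as 0, i.e. as a
# passing run of a TLS test suite. Clamp so any failure stays non-zero.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"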