TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ebcc9137ca8ce33e6868be9c72f5d9dc2afe97ac / . / tests / ssl-opt.sh
blob: e34f9b4765b3832f34719cf4590d94580ee581a0 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]24if cd $( dirname $0 ); then :; else
25 echo "cd $( dirname $0 ) failed" >&2
26 exit 1
27fi
28
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]29# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]30: ${P_SRV:=../programs/ssl/ssl_server2}
31: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]32: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]33: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]34: ${GNUTLS_CLI:=gnutls-cli}
35: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]36: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]37
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]38O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]39O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]40G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]41G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]42TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]43
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]44# alternative versions of OpenSSL and GnuTLS (no default path)
45
46if [ -n "${OPENSSL_LEGACY:-}" ]; then
47 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
48 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
49else
50 O_LEGACY_SRV=false
51 O_LEGACY_CLI=false
52fi
53
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]54if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]55 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
56else
57 G_NEXT_SRV=false
58fi
59
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]60if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]61 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
62else
63 G_NEXT_CLI=false
64fi
65
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]66TESTS=0
67FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]68SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]69
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]71
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]73FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]74EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]75
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]76SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]77RUN_TEST_NUMBER=''
78
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]79PRESERVE_LOGS=0
80
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]81# Pick a "unique" server port in the range 10000-19999, and a proxy
82# port which is this plus 10000. Each port number may be independently
83# overridden by a command line option.
84SRV_PORT=$(($$ % 10000 + 10000))
85PXY_PORT=$((SRV_PORT + 10000))
86
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]87print_usage() {
88 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]89 printf " -h|--help\tPrint this help.\n"
90 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]91 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
92 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]93 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]94 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]95 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]96 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
97 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]98 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]99}
100
101get_options() {
102 while [ $# -gt 0 ]; do
103 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]104 -f|--filter)
105 shift; FILTER=$1
106 ;;
107 -e|--exclude)
108 shift; EXCLUDE=$1
109 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 -m|--memcheck)
111 MEMCHECK=1
112 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]113 -n|--number)
114 shift; RUN_TEST_NUMBER=$1
115 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]116 -s|--show-numbers)
117 SHOW_TEST_NUMBER=1
118 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]119 -p|--preserve-logs)
120 PRESERVE_LOGS=1
121 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]122 --port)
123 shift; SRV_PORT=$1
124 ;;
125 --proxy-port)
126 shift; PXY_PORT=$1
127 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]128 --seed)
129 shift; SEED="$1"
130 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]131 -h|--help)
132 print_usage
133 exit 0
134 ;;
135 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]136 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]137 print_usage
138 exit 1
139 ;;
140 esac
141 shift
142 done
143}
144
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]145# Skip next test; use this macro to skip tests which are legitimate
146# in theory and expected to be re-introduced at some point, but
147# aren't expected to succeed at the moment due to problems outside
148# our control (such as bugs in other TLS implementations).
149skip_next_test() {
150 SKIP_NEXT="YES"
151}
152
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]153# skip next test if the flag is not enabled in config.h
154requires_config_enabled() {
155 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
156 SKIP_NEXT="YES"
157 fi
158}
159
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]160# skip next test if the flag is enabled in config.h
161requires_config_disabled() {
162 if grep "^#define $1" $CONFIG_H > /dev/null; then
163 SKIP_NEXT="YES"
164 fi
165}
166
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]167get_config_value_or_default() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]168 # This function uses the query_config command line option to query the
169 # required Mbed TLS compile time configuration from the ssl_server2
170 # program. The command will always return a success value if the
171 # configuration is defined and the value will be printed to stdout.
172 #
173 # Note that if the configuration is not defined or is defined to nothing,
174 # the output of this function will be an empty string.
175 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]176}
177
178requires_config_value_at_least() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]179 VAL="$( get_config_value_or_default "$1" )"
180 if [ -z "$VAL" ]; then
181 # Should never happen
182 echo "Mbed TLS configuration $1 is not defined"
183 exit 1
184 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]185 SKIP_NEXT="YES"
186 fi
187}
188
189requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]190 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]191 if [ -z "$VAL" ]; then
192 # Should never happen
193 echo "Mbed TLS configuration $1 is not defined"
194 exit 1
195 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]196 SKIP_NEXT="YES"
197 fi
198}
199
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]200requires_ciphersuite_enabled() {
Hanno Beckera0dc9cf2018-11-20 11:31:17 +0000[diff] [blame]201 if [ -z "$($P_CLI --help | grep $1)" ]; then
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]202 SKIP_NEXT="YES"
203 fi
204}
205
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]206# skip next test if OpenSSL doesn't support FALLBACK_SCSV
207requires_openssl_with_fallback_scsv() {
208 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
209 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
210 then
211 OPENSSL_HAS_FBSCSV="YES"
212 else
213 OPENSSL_HAS_FBSCSV="NO"
214 fi
215 fi
216 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
217 SKIP_NEXT="YES"
218 fi
219}
220
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]221# skip next test if GnuTLS isn't available
222requires_gnutls() {
223 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]224 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]225 GNUTLS_AVAILABLE="YES"
226 else
227 GNUTLS_AVAILABLE="NO"
228 fi
229 fi
230 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
231 SKIP_NEXT="YES"
232 fi
233}
234
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]235# skip next test if GnuTLS-next isn't available
236requires_gnutls_next() {
237 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
238 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
239 GNUTLS_NEXT_AVAILABLE="YES"
240 else
241 GNUTLS_NEXT_AVAILABLE="NO"
242 fi
243 fi
244 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
245 SKIP_NEXT="YES"
246 fi
247}
248
249# skip next test if OpenSSL-legacy isn't available
250requires_openssl_legacy() {
251 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
252 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
253 OPENSSL_LEGACY_AVAILABLE="YES"
254 else
255 OPENSSL_LEGACY_AVAILABLE="NO"
256 fi
257 fi
258 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
259 SKIP_NEXT="YES"
260 fi
261}
262
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]263# skip next test if IPv6 isn't available on this host
264requires_ipv6() {
265 if [ -z "${HAS_IPV6:-}" ]; then
266 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
267 SRV_PID=$!
268 sleep 1
269 kill $SRV_PID >/dev/null 2>&1
270 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
271 HAS_IPV6="NO"
272 else
273 HAS_IPV6="YES"
274 fi
275 rm -r $SRV_OUT
276 fi
277
278 if [ "$HAS_IPV6" = "NO" ]; then
279 SKIP_NEXT="YES"
280 fi
281}
282
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]283# skip next test if it's i686 or uname is not available
284requires_not_i686() {
285 if [ -z "${IS_I686:-}" ]; then
286 IS_I686="YES"
287 if which "uname" >/dev/null 2>&1; then
288 if [ -z "$(uname -a | grep i686)" ]; then
289 IS_I686="NO"
290 fi
291 fi
292 fi
293 if [ "$IS_I686" = "YES" ]; then
294 SKIP_NEXT="YES"
295 fi
296}
297
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]298# Calculate the input & output maximum content lengths set in the config
299MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
300MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
301MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
302
303if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
304 MAX_CONTENT_LEN="$MAX_IN_LEN"
305fi
306if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
307 MAX_CONTENT_LEN="$MAX_OUT_LEN"
308fi
309
310# skip the next test if the SSL output buffer is less than 16KB
311requires_full_size_output_buffer() {
312 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
313 SKIP_NEXT="YES"
314 fi
315}
316
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]317# skip the next test if valgrind is in use
318not_with_valgrind() {
319 if [ "$MEMCHECK" -gt 0 ]; then
320 SKIP_NEXT="YES"
321 fi
322}
323
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]324# skip the next test if valgrind is NOT in use
325only_with_valgrind() {
326 if [ "$MEMCHECK" -eq 0 ]; then
327 SKIP_NEXT="YES"
328 fi
329}
330
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]331# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]332client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]333 CLI_DELAY_FACTOR=$1
334}
335
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]336# wait for the given seconds after the client finished in the next test
337server_needs_more_time() {
338 SRV_DELAY_SECONDS=$1
339}
340
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]341# print_name <name>
342print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]343 TESTS=$(( $TESTS + 1 ))
344 LINE=""
345
346 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
347 LINE="$TESTS "
348 fi
349
350 LINE="$LINE$1"
351 printf "$LINE "
352 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]353 for i in `seq 1 $LEN`; do printf '.'; done
354 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]355
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]356}
357
358# fail <message>
359fail() {
360 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]361 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]362
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]363 mv $SRV_OUT o-srv-${TESTS}.log
364 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]365 if [ -n "$PXY_CMD" ]; then
366 mv $PXY_OUT o-pxy-${TESTS}.log
367 fi
368 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]369
Azim Khan19d13732018-03-29 11:04:20 +0100[diff] [blame]370 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]371 echo " ! server output:"
372 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]373 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]374 echo " ! client output:"
375 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]376 if [ -n "$PXY_CMD" ]; then
377 echo " ! ========================================================"
378 echo " ! proxy output:"
379 cat o-pxy-${TESTS}.log
380 fi
381 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]382 fi
383
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]384 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]385}
386
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]387# is_polar <cmd_line>
388is_polar() {
389 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
390}
391
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]392# openssl s_server doesn't have -www with DTLS
393check_osrv_dtls() {
394 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
395 NEEDS_INPUT=1
396 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
397 else
398 NEEDS_INPUT=0
399 fi
400}
401
402# provide input to commands that need it
403provide_input() {
404 if [ $NEEDS_INPUT -eq 0 ]; then
405 return
406 fi
407
408 while true; do
409 echo "HTTP/1.0 200 OK"
410 sleep 1
411 done
412}
413
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]414# has_mem_err <log_file_name>
415has_mem_err() {
416 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
417 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
418 then
419 return 1 # false: does not have errors
420 else
421 return 0 # true: has errors
422 fi
423}
424
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]425# Wait for process $2 to be listening on port $1
426if type lsof >/dev/null 2>/dev/null; then
427 wait_server_start() {
428 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]429 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]430 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]431 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]432 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]433 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]434 # Make a tight loop, server normally takes less than 1s to start.
435 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
436 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
437 echo "SERVERSTART TIMEOUT"
438 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
439 break
440 fi
441 # Linux and *BSD support decimal arguments to sleep. On other
442 # OSes this may be a tight loop.
443 sleep 0.1 2>/dev/null || true
444 done
445 }
446else
Gilles Peskinea9312652018-06-29 15:48:13 +0200[diff] [blame]447 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]448 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]449 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]450 }
451fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]452
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]453# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]454# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]455# acceptable bounds
456check_server_hello_time() {
457 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]458 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]459 # Get the Unix timestamp for now
460 CUR_TIME=$(date +'%s')
461 THRESHOLD_IN_SECS=300
462
463 # Check if the ServerHello time was printed
464 if [ -z "$SERVER_HELLO_TIME" ]; then
465 return 1
466 fi
467
468 # Check the time in ServerHello is within acceptable bounds
469 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
470 # The time in ServerHello is at least 5 minutes before now
471 return 1
472 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]473 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]474 return 1
475 else
476 return 0
477 fi
478}
479
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]480# wait for client to terminate and set CLI_EXIT
481# must be called right after starting the client
482wait_client_done() {
483 CLI_PID=$!
484
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]485 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
486 CLI_DELAY_FACTOR=1
487
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]488 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]489 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]490
491 wait $CLI_PID
492 CLI_EXIT=$?
493
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]494 kill $DOG_PID >/dev/null 2>&1
495 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]496
497 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]498
499 sleep $SRV_DELAY_SECONDS
500 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]501}
502
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]503# check if the given command uses dtls and sets global variable DTLS
504detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]505 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]506 DTLS=1
507 else
508 DTLS=0
509 fi
510}
511
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]512# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]513# Options: -s pattern pattern that must be present in server output
514# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]515# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]516# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]517# -S pattern pattern that must be absent in server output
518# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]519# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]520# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]521run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]522 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]523 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]524
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]525 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
526 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]527 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]528 return
529 fi
530
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]531 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]532
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]533 # Do we only run numbered tests?
534 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
535 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
536 else
537 SKIP_NEXT="YES"
538 fi
539
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]540 # does this test use a proxy?
541 if [ "X$1" = "X-p" ]; then
542 PXY_CMD="$2"
543 shift 2
544 else
545 PXY_CMD=""
546 fi
547
548 # get commands and client output
549 SRV_CMD="$1"
550 CLI_CMD="$2"
551 CLI_EXPECT="$3"
552 shift 3
553
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]554 # Check if server forces ciphersuite
555 FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
556 if [ ! -z "$FORCE_CIPHERSUITE" ]; then
557 requires_ciphersuite_enabled $FORCE_CIPHERSUITE
558 fi
559
560 # Check if client forces ciphersuite
561 FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
562 if [ ! -z "$FORCE_CIPHERSUITE" ]; then
563 requires_ciphersuite_enabled $FORCE_CIPHERSUITE
564 fi
565
566 # should we skip?
567 if [ "X$SKIP_NEXT" = "XYES" ]; then
568 SKIP_NEXT="NO"
569 echo "SKIP"
570 SKIPS=$(( $SKIPS + 1 ))
571 return
572 fi
573
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]574 # fix client port
575 if [ -n "$PXY_CMD" ]; then
576 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
577 else
578 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
579 fi
580
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]581 # update DTLS variable
582 detect_dtls "$SRV_CMD"
583
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]584 # prepend valgrind to our commands if active
585 if [ "$MEMCHECK" -gt 0 ]; then
586 if is_polar "$SRV_CMD"; then
587 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
588 fi
589 if is_polar "$CLI_CMD"; then
590 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
591 fi
592 fi
593
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]594 TIMES_LEFT=2
595 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]596 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]597
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]598 # run the commands
599 if [ -n "$PXY_CMD" ]; then
600 echo "$PXY_CMD" > $PXY_OUT
601 $PXY_CMD >> $PXY_OUT 2>&1 &
602 PXY_PID=$!
603 # assume proxy starts faster than server
604 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]605
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]606 check_osrv_dtls
607 echo "$SRV_CMD" > $SRV_OUT
608 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
609 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]610 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]611
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]612 echo "$CLI_CMD" > $CLI_OUT
613 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
614 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]615
Hanno Beckercadb5bb2017-05-26 13:56:10 +0100[diff] [blame]616 sleep 0.05
617
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]618 # terminate the server (and the proxy)
619 kill $SRV_PID
620 wait $SRV_PID
Hanno Beckerd82d8462017-05-29 21:37:46 +0100[diff] [blame]621
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]622 if [ -n "$PXY_CMD" ]; then
623 kill $PXY_PID >/dev/null 2>&1
624 wait $PXY_PID
625 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]626
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]627 # retry only on timeouts
628 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
629 printf "RETRY "
630 else
631 TIMES_LEFT=0
632 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]633 done
634
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]635 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]636 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]637 # expected client exit to incorrectly succeed in case of catastrophic
638 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]639 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]640 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]641 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]642 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]643 return
644 fi
645 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]646 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]647 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]648 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]649 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]650 return
651 fi
652 fi
653
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]654 # check server exit code
655 if [ $? != 0 ]; then
656 fail "server fail"
657 return
658 fi
659
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]660 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]661 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
662 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]663 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]664 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]665 return
666 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]667
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]668 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]669 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]670 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]671 while [ $# -gt 0 ]
672 do
673 case $1 in
674 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]675 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]676 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]677 return
678 fi
679 ;;
680
681 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]682 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]683 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]684 return
685 fi
686 ;;
687
688 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]689 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]690 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]691 return
692 fi
693 ;;
694
695 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]696 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]697 fail "pattern '$2' MUST NOT be present in the Client output"
698 return
699 fi
700 ;;
701
702 # The filtering in the following two options (-u and -U) do the following
703 # - ignore valgrind output
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]704 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]705 # - keep one of each non-unique line
706 # - count how many lines remain
707 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
708 # if there were no duplicates.
709 "-U")
710 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
711 fail "lines following pattern '$2' must be unique in Server output"
712 return
713 fi
714 ;;
715
716 "-u")
717 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
718 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]719 return
720 fi
721 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]722 "-F")
723 if ! $2 "$SRV_OUT"; then
724 fail "function call to '$2' failed on Server output"
725 return
726 fi
727 ;;
728 "-f")
729 if ! $2 "$CLI_OUT"; then
730 fail "function call to '$2' failed on Client output"
731 return
732 fi
733 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]734
735 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]736 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]737 exit 1
738 esac
739 shift 2
740 done
741
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]742 # check valgrind's results
743 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]744 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]745 fail "Server has memory errors"
746 return
747 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]748 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]749 fail "Client has memory errors"
750 return
751 fi
752 fi
753
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]754 # if we're here, everything is ok
755 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]756 if [ "$PRESERVE_LOGS" -gt 0 ]; then
757 mv $SRV_OUT o-srv-${TESTS}.log
758 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]759 if [ -n "$PXY_CMD" ]; then
760 mv $PXY_OUT o-pxy-${TESTS}.log
761 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]762 fi
763
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]764 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]765}
766
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]767run_test_psa() {
768 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Beckere9420c22018-11-20 11:37:34 +0000[diff] [blame]769 run_test "PSA-supported ciphersuite: $1" \
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]770 "$P_SRV debug_level=3 force_version=tls1_2" \
771 "$P_CLI debug_level=3 force_version=tls1_2 force_ciphersuite=$1" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]772 0 \
773 -c "Successfully setup PSA-based decryption cipher context" \
774 -c "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]775 -c "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]776 -c "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]777 -s "Successfully setup PSA-based decryption cipher context" \
778 -s "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]779 -s "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]780 -s "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]781 -C "Failed to setup PSA-based cipher context"\
782 -S "Failed to setup PSA-based cipher context"\
783 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]784 -c "Perform PSA-based ECDH computation."\
Andrzej Kureke85414e2019-01-15 05:23:59 -0500[diff] [blame]785 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]786 -S "error" \
787 -C "error"
788}
789
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]790run_test_psa_force_curve() {
791 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
792 run_test "PSA - ECDH with $1" \
793 "$P_SRV debug_level=4 force_version=tls1_2" \
794 "$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
795 0 \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]796 -c "Successfully setup PSA-based decryption cipher context" \
797 -c "Successfully setup PSA-based encryption cipher context" \
798 -c "PSA calc verify" \
799 -c "calc PSA finished" \
800 -s "Successfully setup PSA-based decryption cipher context" \
801 -s "Successfully setup PSA-based encryption cipher context" \
802 -s "PSA calc verify" \
803 -s "calc PSA finished" \
804 -C "Failed to setup PSA-based cipher context"\
805 -S "Failed to setup PSA-based cipher context"\
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]806 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]807 -c "Perform PSA-based ECDH computation."\
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]808 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]809 -S "error" \
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]810 -C "error"
811}
812
813cleanup() {
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]814 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
815 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
816 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]817 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
818 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
819 exit 1
820}
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]821
822#
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]823# MAIN
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]824#
825
826get_options "$@"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]827
828# sanity checks, avoid an avalanche of errors
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]829P_SRV_BIN="${P_SRV%%[ ]*}"
830P_CLI_BIN="${P_CLI%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]831P_PXY_BIN="${P_PXY%%[ ]*}"
832if [ ! -x "$P_SRV_BIN" ]; then
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]833 echo "Command '$P_SRV_BIN' is not an executable file"
834 exit 1
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]835fi
836if [ ! -x "$P_CLI_BIN" ]; then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]837 echo "Command '$P_CLI_BIN' is not an executable file"
838 exit 1
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]839fi
840if [ ! -x "$P_PXY_BIN" ]; then
841 echo "Command '$P_PXY_BIN' is not an executable file"
842 exit 1
843fi
844if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]845 if which valgrind >/dev/null 2>&1; then :; else
846 echo "Memcheck not possible. Valgrind not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]847 exit 1
848 fi
849fi
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]850if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
851 echo "Command '$OPENSSL_CMD' not found"
852 exit 1
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]853fi
854
855# used by watchdog
856MAIN_PID="$$"
857
858# We use somewhat arbitrary delays for tests:
859# - how long do we wait for the server to start (when lsof not available)?
860# - how long do we allow for the client to finish?
861# (not to check performance, just to avoid waiting indefinitely)
862# Things are slower with valgrind, so give extra time here.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]863#
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]864# Note: without lsof, there is a trade-off between the running time of this
865# script and the risk of spurious errors because we didn't wait long enough.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]866# The watchdog delay on the other hand doesn't affect normal running time of
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]867# the script, only the case where a client or server gets stuck.
868if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]869 START_DELAY=6
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]870 DOG_DELAY=60
871else
872 START_DELAY=2
873 DOG_DELAY=20
874fi
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]875
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]876# some particular tests need more time:
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]877# - for the client, we multiply the usual watchdog limit by a factor
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]878# - for the server, we sleep for a number of seconds after the client exits
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]879# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]880CLI_DELAY_FACTOR=1
881SRV_DELAY_SECONDS=0
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]882
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]883# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]884# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
885P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]886P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]887P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]888O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
889O_CLI="$O_CLI -connect localhost:+SRV_PORT"
890G_SRV="$G_SRV -p $SRV_PORT"
891G_CLI="$G_CLI -p +SRV_PORT"
892
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]893if [ -n "${OPENSSL_LEGACY:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]894 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
895 O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT"
896fi
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]897
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]898if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]899 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]900fi
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]901
902if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
903 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
904fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]905
906# Allow SHA-1, because many of our test certificates use it
907P_SRV="$P_SRV allow_sha1=1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]908P_CLI="$P_CLI allow_sha1=1"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]909
910# Also pick a unique name for intermediate files
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]911SRV_OUT="srv_out.$$"
912CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]913PXY_OUT="pxy_out.$$"
914SESSION="session.$$"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]915
916SKIP_NEXT="NO"
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]917
918trap cleanup INT TERM HUP
919
920# Basic test
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]921
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]922# Checks that:
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]923# - things work with all ciphersuites active (used with config-full in all.sh)
924# - the expected (highest security) parameters are selected
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]925# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]926run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]927 "$P_SRV debug_level=3" \
928 "$P_CLI" \
929 0 \
930 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]931 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]932 -s "client hello v3, signature_algorithm ext: 6" \
933 -s "ECDHE curve: secp521r1" \
934 -S "error" \
935 -C "error"
936
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]937run_test "Default, DTLS" \
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]938 "$P_SRV dtls=1" \
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]939 "$P_CLI dtls=1" \
940 0 \
941 -s "Protocol is DTLSv1.2" \
942 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
943
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]944requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
945run_test "CA callback on client" \
946 "$P_SRV debug_level=3" \
947 "$P_CLI ca_callback=1 debug_level=3 " \
948 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]949 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]950 -S "error" \
951 -C "error"
952
953requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
954requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
955requires_config_enabled MBEDTLS_ECDSA_C
956requires_config_enabled MBEDTLS_SHA256_C
957run_test "CA callback on server" \
958 "$P_SRV auth_mode=required" \
959 "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \
960 key_file=data_files/server5.key" \
961 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]962 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]963 -s "Verifying peer X.509 certificate... ok" \
964 -S "error" \
965 -C "error"
966
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]967# Test using an opaque private key for client authentication
968requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
969requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
970requires_config_enabled MBEDTLS_ECDSA_C
971requires_config_enabled MBEDTLS_SHA256_C
972run_test "Opaque key for client authentication" \
973 "$P_SRV auth_mode=required" \
974 "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
975 key_file=data_files/server5.key" \
976 0 \
977 -c "key type: Opaque" \
978 -s "Verifying peer X.509 certificate... ok" \
979 -S "error" \
980 -C "error"
981
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]982# Test ciphersuites which we expect to be fully supported by PSA Crypto
983# and check that we don't fall back to Mbed TLS' internal crypto primitives.
984run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
985run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
986run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
987run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
988run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
989run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
990run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
991run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
992run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
993
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]994requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
995run_test_psa_force_curve "secp521r1"
996requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED
997run_test_psa_force_curve "brainpoolP512r1"
998requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
999run_test_psa_force_curve "secp384r1"
1000requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED
1001run_test_psa_force_curve "brainpoolP384r1"
1002requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
1003run_test_psa_force_curve "secp256r1"
1004requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED
1005run_test_psa_force_curve "secp256k1"
1006requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED
1007run_test_psa_force_curve "brainpoolP256r1"
1008requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED
1009run_test_psa_force_curve "secp224r1"
1010requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED
1011run_test_psa_force_curve "secp224k1"
1012requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED
1013run_test_psa_force_curve "secp192r1"
1014requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED
1015run_test_psa_force_curve "secp192k1"
1016
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1017# Test current time in ServerHello
1018requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1019run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1020 "$P_SRV debug_level=3" \
1021 "$P_CLI debug_level=3" \
1022 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1023 -f "check_server_hello_time" \
1024 -F "check_server_hello_time"
1025
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1026# Test for uniqueness of IVs in AEAD ciphersuites
1027run_test "Unique IV in GCM" \
1028 "$P_SRV exchanges=20 debug_level=4" \
1029 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1030 0 \
1031 -u "IV used" \
1032 -U "IV used"
1033
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1034# Tests for certificate verification callback
1035run_test "Configuration-specific CRT verification callback" \
1036 "$P_SRV debug_level=3" \
1037 "$P_CLI context_crt_cb=0 debug_level=3" \
1038 0 \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1039 -S "error" \
1040 -c "Verify requested for " \
1041 -c "Use configuration-specific verification callback" \
1042 -C "Use context-specific verification callback" \
1043 -C "error"
1044
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1045run_test "Context-specific CRT verification callback" \
1046 "$P_SRV debug_level=3" \
1047 "$P_CLI context_crt_cb=1 debug_level=3" \
1048 0 \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1049 -S "error" \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1050 -c "Verify requested for " \
1051 -c "Use context-specific verification callback" \
1052 -C "Use configuration-specific verification callback" \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1053 -C "error"
1054
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1055# Tests for rc4 option
1056
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1057requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1058run_test "RC4: server disabled, client enabled" \
1059 "$P_SRV" \
1060 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1061 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1062 -s "SSL - The server has no ciphersuites in common"
1063
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1064requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1065run_test "RC4: server half, client enabled" \
1066 "$P_SRV arc4=1" \
1067 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1068 1 \
1069 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1070
1071run_test "RC4: server enabled, client disabled" \
1072 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1073 "$P_CLI" \
1074 1 \
1075 -s "SSL - The server has no ciphersuites in common"
1076
1077run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1078 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1079 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1080 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1081 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1082 -S "SSL - The server has no ciphersuites in common"
1083
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1084# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1085
1086requires_gnutls
1087requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1088run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1089 "$G_SRV"\
1090 "$P_CLI force_version=tls1_1" \
1091 0
1092
1093requires_gnutls
1094requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1095run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1096 "$G_SRV"\
1097 "$P_CLI force_version=tls1" \
1098 0
1099
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1100# Tests for SHA-1 support
1101
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1102requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1103run_test "SHA-1 forbidden by default in server certificate" \
1104 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1105 "$P_CLI debug_level=2 allow_sha1=0" \
1106 1 \
1107 -c "The certificate is signed with an unacceptable hash"
1108
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1109requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1110run_test "SHA-1 forbidden by default in server certificate" \
1111 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1112 "$P_CLI debug_level=2 allow_sha1=0" \
1113 0
1114
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1115run_test "SHA-1 explicitly allowed in server certificate" \
1116 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1117 "$P_CLI allow_sha1=1" \
1118 0
1119
1120run_test "SHA-256 allowed by default in server certificate" \
1121 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1122 "$P_CLI allow_sha1=0" \
1123 0
1124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1125requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1126run_test "SHA-1 forbidden by default in client certificate" \
1127 "$P_SRV auth_mode=required allow_sha1=0" \
1128 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1129 1 \
1130 -s "The certificate is signed with an unacceptable hash"
1131
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]1132requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
1133run_test "SHA-1 forbidden by default in client certificate" \
1134 "$P_SRV auth_mode=required allow_sha1=0" \
1135 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1136 0
1137
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1138run_test "SHA-1 explicitly allowed in client certificate" \
1139 "$P_SRV auth_mode=required allow_sha1=1" \
1140 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1141 0
1142
1143run_test "SHA-256 allowed by default in client certificate" \
1144 "$P_SRV auth_mode=required allow_sha1=0" \
1145 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1146 0
1147
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1148# Tests for datagram packing
1149run_test "DTLS: multiple records in same datagram, client and server" \
1150 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1151 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1152 0 \
1153 -c "next record in same datagram" \
1154 -s "next record in same datagram"
1155
1156run_test "DTLS: multiple records in same datagram, client only" \
1157 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1158 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1159 0 \
1160 -s "next record in same datagram" \
1161 -C "next record in same datagram"
1162
1163run_test "DTLS: multiple records in same datagram, server only" \
1164 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1165 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1166 0 \
1167 -S "next record in same datagram" \
1168 -c "next record in same datagram"
1169
1170run_test "DTLS: multiple records in same datagram, neither client nor server" \
1171 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1172 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1173 0 \
1174 -S "next record in same datagram" \
1175 -C "next record in same datagram"
1176
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1177# Tests for Truncated HMAC extension
1178
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1179run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1180 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1181 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1182 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1183 -s "dumping 'expected mac' (20 bytes)" \
1184 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1185
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1186requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1187run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1188 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1189 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1190 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1191 -s "dumping 'expected mac' (20 bytes)" \
1192 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1193
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1194requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1195run_test "Truncated HMAC: client enabled, server default" \
1196 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1197 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1198 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1199 -s "dumping 'expected mac' (20 bytes)" \
1200 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1201
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1202requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1203run_test "Truncated HMAC: client enabled, server disabled" \
1204 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1205 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1206 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1207 -s "dumping 'expected mac' (20 bytes)" \
1208 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1209
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1210requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1211run_test "Truncated HMAC: client disabled, server enabled" \
1212 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1213 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1214 0 \
1215 -s "dumping 'expected mac' (20 bytes)" \
1216 -S "dumping 'expected mac' (10 bytes)"
1217
1218requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1219run_test "Truncated HMAC: client enabled, server enabled" \
1220 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1221 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1222 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1223 -S "dumping 'expected mac' (20 bytes)" \
1224 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1225
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1226run_test "Truncated HMAC, DTLS: client default, server default" \
1227 "$P_SRV dtls=1 debug_level=4" \
1228 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1229 0 \
1230 -s "dumping 'expected mac' (20 bytes)" \
1231 -S "dumping 'expected mac' (10 bytes)"
1232
1233requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1234run_test "Truncated HMAC, DTLS: client disabled, server default" \
1235 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1236 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1237 0 \
1238 -s "dumping 'expected mac' (20 bytes)" \
1239 -S "dumping 'expected mac' (10 bytes)"
1240
1241requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1242run_test "Truncated HMAC, DTLS: client enabled, server default" \
1243 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1244 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1245 0 \
1246 -s "dumping 'expected mac' (20 bytes)" \
1247 -S "dumping 'expected mac' (10 bytes)"
1248
1249requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1250run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1251 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1252 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1253 0 \
1254 -s "dumping 'expected mac' (20 bytes)" \
1255 -S "dumping 'expected mac' (10 bytes)"
1256
1257requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1258run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1259 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1260 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1261 0 \
1262 -s "dumping 'expected mac' (20 bytes)" \
1263 -S "dumping 'expected mac' (10 bytes)"
1264
1265requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1266run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1267 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1268 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1269 0 \
1270 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1271 -s "dumping 'expected mac' (10 bytes)"
1272
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1273# Tests for DTLS Connection ID extension
1274
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1275# So far, the CID API isn't implemented, so we can't
1276# grep for output witnessing its use. This needs to be
1277# changed once the CID extension is implemented.
1278
1279requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1280run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1281 "$P_SRV debug_level=3 dtls=1 cid=0" \
1282 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1283 0 \
1284 -s "Disable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1285 -s "found CID extension" \
1286 -s "Client sent CID extension, but CID disabled" \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1287 -c "Enable use of CID extension." \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1288 -c "client hello, adding CID extension" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1289 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1290 -C "found CID extension" \
1291 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1292 -C "Copy CIDs into SSL transform" \
1293 -c "Use of Connection ID was rejected by the server"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1294
1295requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1296run_test "Connection ID: Cli disabled, Srv enabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1297 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1298 "$P_CLI debug_level=3 dtls=1 cid=0" \
1299 0 \
1300 -c "Disable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1301 -C "client hello, adding CID extension" \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1302 -S "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1303 -s "Enable use of CID extension." \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1304 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1305 -C "found CID extension" \
1306 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1307 -C "Copy CIDs into SSL transform" \
Hanno Beckerb3e9dd52019-05-08 13:19:53 +0100[diff] [blame]1308 -s "Use of Connection ID was not offered by client"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1309
1310requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1311run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1312 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1313 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1314 0 \
1315 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1316 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1317 -c "client hello, adding CID extension" \
1318 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1319 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1320 -s "server hello, adding CID extension" \
1321 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1322 -c "Use of CID extension negotiated" \
1323 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1324 -c "Copy CIDs into SSL transform" \
1325 -c "Peer CID (length 2 Bytes): de ad" \
1326 -s "Peer CID (length 2 Bytes): be ef" \
1327 -s "Use of Connection ID has been negotiated" \
1328 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1329
1330requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1331run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
1332 -p "$P_PXY drop=5 delay=5 duplicate=5" \
1333 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1334 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1335 0 \
1336 -c "Enable use of CID extension." \
1337 -s "Enable use of CID extension." \
1338 -c "client hello, adding CID extension" \
1339 -s "found CID extension" \
1340 -s "Use of CID extension negotiated" \
1341 -s "server hello, adding CID extension" \
1342 -c "found CID extension" \
1343 -c "Use of CID extension negotiated" \
1344 -s "Copy CIDs into SSL transform" \
1345 -c "Copy CIDs into SSL transform" \
1346 -c "Peer CID (length 2 Bytes): de ad" \
1347 -s "Peer CID (length 2 Bytes): be ef" \
1348 -s "Use of Connection ID has been negotiated" \
1349 -c "Use of Connection ID has been negotiated"
1350
1351requires_config_enabled MBEDTLS_SSL_CID
1352run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1353 -p "$P_PXY mtu=800" \
1354 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1355 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1356 0 \
1357 -c "Enable use of CID extension." \
1358 -s "Enable use of CID extension." \
1359 -c "client hello, adding CID extension" \
1360 -s "found CID extension" \
1361 -s "Use of CID extension negotiated" \
1362 -s "server hello, adding CID extension" \
1363 -c "found CID extension" \
1364 -c "Use of CID extension negotiated" \
1365 -s "Copy CIDs into SSL transform" \
1366 -c "Copy CIDs into SSL transform" \
1367 -c "Peer CID (length 2 Bytes): de ad" \
1368 -s "Peer CID (length 2 Bytes): be ef" \
1369 -s "Use of Connection ID has been negotiated" \
1370 -c "Use of Connection ID has been negotiated"
1371
1372requires_config_enabled MBEDTLS_SSL_CID
1373run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1374 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5" \
1375 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1376 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1377 0 \
1378 -c "Enable use of CID extension." \
1379 -s "Enable use of CID extension." \
1380 -c "client hello, adding CID extension" \
1381 -s "found CID extension" \
1382 -s "Use of CID extension negotiated" \
1383 -s "server hello, adding CID extension" \
1384 -c "found CID extension" \
1385 -c "Use of CID extension negotiated" \
1386 -s "Copy CIDs into SSL transform" \
1387 -c "Copy CIDs into SSL transform" \
1388 -c "Peer CID (length 2 Bytes): de ad" \
1389 -s "Peer CID (length 2 Bytes): be ef" \
1390 -s "Use of Connection ID has been negotiated" \
1391 -c "Use of Connection ID has been negotiated"
1392
1393requires_config_enabled MBEDTLS_SSL_CID
1394run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1395 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1396 "$P_CLI debug_level=3 dtls=1 cid=1" \
1397 0 \
1398 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1399 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1400 -c "client hello, adding CID extension" \
1401 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1402 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1403 -s "server hello, adding CID extension" \
1404 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1405 -c "Use of CID extension negotiated" \
1406 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1407 -c "Copy CIDs into SSL transform" \
1408 -c "Peer CID (length 4 Bytes): de ad be ef" \
1409 -s "Peer CID (length 0 Bytes):" \
1410 -s "Use of Connection ID has been negotiated" \
1411 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1412
1413requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1414run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1415 "$P_SRV debug_level=3 dtls=1 cid=1" \
1416 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1417 0 \
1418 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1419 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1420 -c "client hello, adding CID extension" \
1421 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1422 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1423 -s "server hello, adding CID extension" \
1424 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1425 -c "Use of CID extension negotiated" \
1426 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1427 -c "Copy CIDs into SSL transform" \
1428 -s "Peer CID (length 4 Bytes): de ad be ef" \
1429 -c "Peer CID (length 0 Bytes):" \
1430 -s "Use of Connection ID has been negotiated" \
1431 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1432
1433requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1434run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1435 "$P_SRV debug_level=3 dtls=1 cid=1" \
1436 "$P_CLI debug_level=3 dtls=1 cid=1" \
1437 0 \
1438 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1439 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1440 -c "client hello, adding CID extension" \
1441 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1442 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1443 -s "server hello, adding CID extension" \
1444 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1445 -c "Use of CID extension negotiated" \
1446 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1447 -c "Copy CIDs into SSL transform" \
1448 -S "Use of Connection ID has been negotiated" \
1449 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1450
1451requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1452run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1453 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1454 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1455 0 \
1456 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1457 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1458 -c "client hello, adding CID extension" \
1459 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1460 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1461 -s "server hello, adding CID extension" \
1462 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1463 -c "Use of CID extension negotiated" \
1464 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1465 -c "Copy CIDs into SSL transform" \
1466 -c "Peer CID (length 2 Bytes): de ad" \
1467 -s "Peer CID (length 2 Bytes): be ef" \
1468 -s "Use of Connection ID has been negotiated" \
1469 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1470
1471requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1472run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1473 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1474 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1475 0 \
1476 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1477 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1478 -c "client hello, adding CID extension" \
1479 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1480 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1481 -s "server hello, adding CID extension" \
1482 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1483 -c "Use of CID extension negotiated" \
1484 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1485 -c "Copy CIDs into SSL transform" \
1486 -c "Peer CID (length 4 Bytes): de ad be ef" \
1487 -s "Peer CID (length 0 Bytes):" \
1488 -s "Use of Connection ID has been negotiated" \
1489 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1490
1491requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1492run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1493 "$P_SRV debug_level=3 dtls=1 cid=1" \
1494 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1495 0 \
1496 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1497 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1498 -c "client hello, adding CID extension" \
1499 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1500 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1501 -s "server hello, adding CID extension" \
1502 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1503 -c "Use of CID extension negotiated" \
1504 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1505 -c "Copy CIDs into SSL transform" \
1506 -s "Peer CID (length 4 Bytes): de ad be ef" \
1507 -c "Peer CID (length 0 Bytes):" \
1508 -s "Use of Connection ID has been negotiated" \
1509 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1510
1511requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1512run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1513 "$P_SRV debug_level=3 dtls=1 cid=1" \
1514 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1515 0 \
1516 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1517 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1518 -c "client hello, adding CID extension" \
1519 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1520 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1521 -s "server hello, adding CID extension" \
1522 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1523 -c "Use of CID extension negotiated" \
1524 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1525 -c "Copy CIDs into SSL transform" \
1526 -S "Use of Connection ID has been negotiated" \
1527 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1528
1529requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1530run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1531 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1532 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1533 0 \
1534 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1535 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1536 -c "client hello, adding CID extension" \
1537 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1538 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1539 -s "server hello, adding CID extension" \
1540 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1541 -c "Use of CID extension negotiated" \
1542 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1543 -c "Copy CIDs into SSL transform" \
1544 -c "Peer CID (length 2 Bytes): de ad" \
1545 -s "Peer CID (length 2 Bytes): be ef" \
1546 -s "Use of Connection ID has been negotiated" \
1547 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1548
1549requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1550run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1551 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1552 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1553 0 \
1554 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1555 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1556 -c "client hello, adding CID extension" \
1557 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1558 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1559 -s "server hello, adding CID extension" \
1560 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1561 -c "Use of CID extension negotiated" \
1562 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1563 -c "Copy CIDs into SSL transform" \
1564 -c "Peer CID (length 4 Bytes): de ad be ef" \
1565 -s "Peer CID (length 0 Bytes):" \
1566 -s "Use of Connection ID has been negotiated" \
1567 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1568
1569requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1570run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1571 "$P_SRV debug_level=3 dtls=1 cid=1" \
1572 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1573 0 \
1574 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1575 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1576 -c "client hello, adding CID extension" \
1577 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1578 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1579 -s "server hello, adding CID extension" \
1580 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1581 -c "Use of CID extension negotiated" \
1582 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1583 -c "Copy CIDs into SSL transform" \
1584 -s "Peer CID (length 4 Bytes): de ad be ef" \
1585 -c "Peer CID (length 0 Bytes):" \
1586 -s "Use of Connection ID has been negotiated" \
1587 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1588
1589requires_config_enabled MBEDTLS_SSL_CID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1590run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1591 "$P_SRV debug_level=3 dtls=1 cid=1" \
1592 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
1593 0 \
1594 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1595 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1596 -c "client hello, adding CID extension" \
1597 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1598 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1599 -s "server hello, adding CID extension" \
1600 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1601 -c "Use of CID extension negotiated" \
1602 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1603 -c "Copy CIDs into SSL transform" \
1604 -S "Use of Connection ID has been negotiated" \
1605 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1606
Hanno Becker9bae30d2019-04-23 11:52:44 +0100[diff] [blame]1607requires_config_enabled MBEDTLS_SSL_CID
1608requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1609run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1610 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1611 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1612 0 \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1613 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1614 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1615 -s "(initial handshake) Use of Connection ID has been negotiated" \
1616 -c "(initial handshake) Use of Connection ID has been negotiated" \
1617 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1618 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1619 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1620 -c "(after renegotiation) Use of Connection ID has been negotiated"
1621
1622requires_config_enabled MBEDTLS_SSL_CID
1623requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1624run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1625 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
1626 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1627 0 \
1628 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1629 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1630 -s "(initial handshake) Use of Connection ID has been negotiated" \
1631 -c "(initial handshake) Use of Connection ID has been negotiated" \
1632 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1633 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1634 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1635 -c "(after renegotiation) Use of Connection ID has been negotiated"
1636
1637requires_config_enabled MBEDTLS_SSL_CID
1638requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]1639run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
1640 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
1641 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1642 0 \
1643 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1644 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1645 -s "(initial handshake) Use of Connection ID has been negotiated" \
1646 -c "(initial handshake) Use of Connection ID has been negotiated" \
1647 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1648 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1649 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1650 -c "(after renegotiation) Use of Connection ID has been negotiated"
1651
1652requires_config_enabled MBEDTLS_SSL_CID
1653requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1654run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
1655 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5" \
1656 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
1657 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
1658 0 \
1659 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1660 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1661 -s "(initial handshake) Use of Connection ID has been negotiated" \
1662 -c "(initial handshake) Use of Connection ID has been negotiated" \
1663 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1664 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1665 -s "(after renegotiation) Use of Connection ID has been negotiated" \
1666 -c "(after renegotiation) Use of Connection ID has been negotiated"
1667
1668requires_config_enabled MBEDTLS_SSL_CID
1669requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1670run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1671 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
1672 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1673 0 \
1674 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1675 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1676 -s "(initial handshake) Use of Connection ID has been negotiated" \
1677 -c "(initial handshake) Use of Connection ID has been negotiated" \
1678 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1679 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1680 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1681 -S "(after renegotiation) Use of Connection ID has been negotiated"
1682
1683requires_config_enabled MBEDTLS_SSL_CID
1684requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]1685run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
1686 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
1687 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1688 0 \
1689 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1690 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1691 -s "(initial handshake) Use of Connection ID has been negotiated" \
1692 -c "(initial handshake) Use of Connection ID has been negotiated" \
1693 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1694 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1695 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1696 -S "(after renegotiation) Use of Connection ID has been negotiated"
1697
1698requires_config_enabled MBEDTLS_SSL_CID
1699requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1700run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
1701 -p "$P_PXY drop=5 delay=5 duplicate=5" \
1702 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
1703 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1704 0 \
1705 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1706 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1707 -s "(initial handshake) Use of Connection ID has been negotiated" \
1708 -c "(initial handshake) Use of Connection ID has been negotiated" \
1709 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1710 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1711 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1712 -S "(after renegotiation) Use of Connection ID has been negotiated"
1713
1714requires_config_enabled MBEDTLS_SSL_CID
1715requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1716run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1717 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
1718 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
1719 0 \
1720 -S "(initial handshake) Use of Connection ID has been negotiated" \
1721 -C "(initial handshake) Use of Connection ID has been negotiated" \
1722 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1723 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1724 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1725 -s "(after renegotiation) Use of Connection ID has been negotiated"
1726
1727requires_config_enabled MBEDTLS_SSL_CID
1728requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]1729run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
1730 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
1731 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
1732 0 \
1733 -S "(initial handshake) Use of Connection ID has been negotiated" \
1734 -C "(initial handshake) Use of Connection ID has been negotiated" \
1735 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1736 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1737 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1738 -s "(after renegotiation) Use of Connection ID has been negotiated"
1739
1740requires_config_enabled MBEDTLS_SSL_CID
1741requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1742run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
1743 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5" \
1744 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
1745 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
1746 0 \
1747 -S "(initial handshake) Use of Connection ID has been negotiated" \
1748 -C "(initial handshake) Use of Connection ID has been negotiated" \
1749 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1750 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1751 -c "(after renegotiation) Use of Connection ID has been negotiated" \
1752 -s "(after renegotiation) Use of Connection ID has been negotiated"
1753
1754requires_config_enabled MBEDTLS_SSL_CID
1755requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1756run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1757 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1758 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1759 0 \
1760 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1761 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1762 -s "(initial handshake) Use of Connection ID has been negotiated" \
1763 -c "(initial handshake) Use of Connection ID has been negotiated" \
1764 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1765 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1766 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1767 -S "(after renegotiation) Use of Connection ID has been negotiated" \
1768 -s "(after renegotiation) Use of Connection ID was not offered by client"
1769
1770requires_config_enabled MBEDTLS_SSL_CID
1771requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1772run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
1773 -p "$P_PXY drop=5 delay=5 duplicate=5" \
1774 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
1775 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
1776 0 \
1777 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1778 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1779 -s "(initial handshake) Use of Connection ID has been negotiated" \
1780 -c "(initial handshake) Use of Connection ID has been negotiated" \
1781 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1782 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1783 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1784 -S "(after renegotiation) Use of Connection ID has been negotiated" \
1785 -s "(after renegotiation) Use of Connection ID was not offered by client"
1786
1787requires_config_enabled MBEDTLS_SSL_CID
1788requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1789run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
1790 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
1791 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1792 0 \
1793 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1794 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1795 -s "(initial handshake) Use of Connection ID has been negotiated" \
1796 -c "(initial handshake) Use of Connection ID has been negotiated" \
1797 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1798 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1799 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1800 -S "(after renegotiation) Use of Connection ID has been negotiated" \
1801 -c "(after renegotiation) Use of Connection ID was rejected by the server"
1802
1803requires_config_enabled MBEDTLS_SSL_CID
1804requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
1805run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
1806 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]1807 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
1808 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
1809 0 \
1810 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
1811 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
1812 -s "(initial handshake) Use of Connection ID has been negotiated" \
1813 -c "(initial handshake) Use of Connection ID has been negotiated" \
1814 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
1815 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
1816 -C "(after renegotiation) Use of Connection ID has been negotiated" \
1817 -S "(after renegotiation) Use of Connection ID has been negotiated" \
1818 -c "(after renegotiation) Use of Connection ID was rejected by the server"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1819
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1820# Tests for Encrypt-then-MAC extension
1821
1822run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1823 "$P_SRV debug_level=3 \
1824 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1825 "$P_CLI debug_level=3" \
1826 0 \
1827 -c "client hello, adding encrypt_then_mac extension" \
1828 -s "found encrypt then mac extension" \
1829 -s "server hello, adding encrypt then mac extension" \
1830 -c "found encrypt_then_mac extension" \
1831 -c "using encrypt then mac" \
1832 -s "using encrypt then mac"
1833
1834run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1835 "$P_SRV debug_level=3 etm=0 \
1836 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1837 "$P_CLI debug_level=3 etm=1" \
1838 0 \
1839 -c "client hello, adding encrypt_then_mac extension" \
1840 -s "found encrypt then mac extension" \
1841 -S "server hello, adding encrypt then mac extension" \
1842 -C "found encrypt_then_mac extension" \
1843 -C "using encrypt then mac" \
1844 -S "using encrypt then mac"
1845
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1846run_test "Encrypt then MAC: client enabled, aead cipher" \
1847 "$P_SRV debug_level=3 etm=1 \
1848 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
1849 "$P_CLI debug_level=3 etm=1" \
1850 0 \
1851 -c "client hello, adding encrypt_then_mac extension" \
1852 -s "found encrypt then mac extension" \
1853 -S "server hello, adding encrypt then mac extension" \
1854 -C "found encrypt_then_mac extension" \
1855 -C "using encrypt then mac" \
1856 -S "using encrypt then mac"
1857
1858run_test "Encrypt then MAC: client enabled, stream cipher" \
1859 "$P_SRV debug_level=3 etm=1 \
1860 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1861 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]1862 0 \
1863 -c "client hello, adding encrypt_then_mac extension" \
1864 -s "found encrypt then mac extension" \
1865 -S "server hello, adding encrypt then mac extension" \
1866 -C "found encrypt_then_mac extension" \
1867 -C "using encrypt then mac" \
1868 -S "using encrypt then mac"
1869
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1870run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1871 "$P_SRV debug_level=3 etm=1 \
1872 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1873 "$P_CLI debug_level=3 etm=0" \
1874 0 \
1875 -C "client hello, adding encrypt_then_mac extension" \
1876 -S "found encrypt then mac extension" \
1877 -S "server hello, adding encrypt then mac extension" \
1878 -C "found encrypt_then_mac extension" \
1879 -C "using encrypt then mac" \
1880 -S "using encrypt then mac"
1881
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1882requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1883run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1884 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1885 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1886 "$P_CLI debug_level=3 force_version=ssl3" \
1887 0 \
1888 -C "client hello, adding encrypt_then_mac extension" \
1889 -S "found encrypt then mac extension" \
1890 -S "server hello, adding encrypt then mac extension" \
1891 -C "found encrypt_then_mac extension" \
1892 -C "using encrypt then mac" \
1893 -S "using encrypt then mac"
1894
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1895requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1896run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1897 "$P_SRV debug_level=3 force_version=ssl3 \
1898 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1899 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1900 0 \
1901 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1902 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1903 -S "server hello, adding encrypt then mac extension" \
1904 -C "found encrypt_then_mac extension" \
1905 -C "using encrypt then mac" \
1906 -S "using encrypt then mac"
1907
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1908# Tests for Extended Master Secret extension
1909
1910run_test "Extended Master Secret: default" \
1911 "$P_SRV debug_level=3" \
1912 "$P_CLI debug_level=3" \
1913 0 \
1914 -c "client hello, adding extended_master_secret extension" \
1915 -s "found extended master secret extension" \
1916 -s "server hello, adding extended master secret extension" \
1917 -c "found extended_master_secret extension" \
1918 -c "using extended master secret" \
1919 -s "using extended master secret"
1920
1921run_test "Extended Master Secret: client enabled, server disabled" \
1922 "$P_SRV debug_level=3 extended_ms=0" \
1923 "$P_CLI debug_level=3 extended_ms=1" \
1924 0 \
1925 -c "client hello, adding extended_master_secret extension" \
1926 -s "found extended master secret extension" \
1927 -S "server hello, adding extended master secret extension" \
1928 -C "found extended_master_secret extension" \
1929 -C "using extended master secret" \
1930 -S "using extended master secret"
1931
1932run_test "Extended Master Secret: client disabled, server enabled" \
1933 "$P_SRV debug_level=3 extended_ms=1" \
1934 "$P_CLI debug_level=3 extended_ms=0" \
1935 0 \
1936 -C "client hello, adding extended_master_secret extension" \
1937 -S "found extended master secret extension" \
1938 -S "server hello, adding extended master secret extension" \
1939 -C "found extended_master_secret extension" \
1940 -C "using extended master secret" \
1941 -S "using extended master secret"
1942
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1943requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1944run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1945 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1946 "$P_CLI debug_level=3 force_version=ssl3" \
1947 0 \
1948 -C "client hello, adding extended_master_secret extension" \
1949 -S "found extended master secret extension" \
1950 -S "server hello, adding extended master secret extension" \
1951 -C "found extended_master_secret extension" \
1952 -C "using extended master secret" \
1953 -S "using extended master secret"
1954
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1955requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1956run_test "Extended Master Secret: client enabled, server SSLv3" \
1957 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1958 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1959 0 \
1960 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1961 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1962 -S "server hello, adding extended master secret extension" \
1963 -C "found extended_master_secret extension" \
1964 -C "using extended master secret" \
1965 -S "using extended master secret"
1966
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1967# Tests for FALLBACK_SCSV
1968
1969run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1970 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1971 "$P_CLI debug_level=3 force_version=tls1_1" \
1972 0 \
1973 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1974 -S "received FALLBACK_SCSV" \
1975 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1976 -C "is a fatal alert message (msg 86)"
1977
1978run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1979 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1980 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1981 0 \
1982 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1983 -S "received FALLBACK_SCSV" \
1984 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1985 -C "is a fatal alert message (msg 86)"
1986
1987run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1988 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1989 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1990 1 \
1991 -c "adding FALLBACK_SCSV" \
1992 -s "received FALLBACK_SCSV" \
1993 -s "inapropriate fallback" \
1994 -c "is a fatal alert message (msg 86)"
1995
1996run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1997 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1998 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1999 0 \
2000 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2001 -s "received FALLBACK_SCSV" \
2002 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2003 -C "is a fatal alert message (msg 86)"
2004
2005requires_openssl_with_fallback_scsv
2006run_test "Fallback SCSV: default, openssl server" \
2007 "$O_SRV" \
2008 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2009 0 \
2010 -C "adding FALLBACK_SCSV" \
2011 -C "is a fatal alert message (msg 86)"
2012
2013requires_openssl_with_fallback_scsv
2014run_test "Fallback SCSV: enabled, openssl server" \
2015 "$O_SRV" \
2016 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
2017 1 \
2018 -c "adding FALLBACK_SCSV" \
2019 -c "is a fatal alert message (msg 86)"
2020
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2021requires_openssl_with_fallback_scsv
2022run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2023 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2024 "$O_CLI -tls1_1" \
2025 0 \
2026 -S "received FALLBACK_SCSV" \
2027 -S "inapropriate fallback"
2028
2029requires_openssl_with_fallback_scsv
2030run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2031 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2032 "$O_CLI -tls1_1 -fallback_scsv" \
2033 1 \
2034 -s "received FALLBACK_SCSV" \
2035 -s "inapropriate fallback"
2036
2037requires_openssl_with_fallback_scsv
2038run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2039 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2040 "$O_CLI -fallback_scsv" \
2041 0 \
2042 -s "received FALLBACK_SCSV" \
2043 -S "inapropriate fallback"
2044
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2045# Test sending and receiving empty application data records
2046
2047run_test "Encrypt then MAC: empty application data record" \
2048 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2049 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2050 0 \
2051 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2052 -s "dumping 'input payload after decrypt' (0 bytes)" \
2053 -c "0 bytes written in 1 fragments"
2054
2055run_test "Default, no Encrypt then MAC: empty application data record" \
2056 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2057 "$P_CLI auth_mode=none etm=0 request_size=0" \
2058 0 \
2059 -s "dumping 'input payload after decrypt' (0 bytes)" \
2060 -c "0 bytes written in 1 fragments"
2061
2062run_test "Encrypt then MAC, DTLS: empty application data record" \
2063 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2064 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2065 0 \
2066 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2067 -s "dumping 'input payload after decrypt' (0 bytes)" \
2068 -c "0 bytes written in 1 fragments"
2069
2070run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
2071 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2072 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2073 0 \
2074 -s "dumping 'input payload after decrypt' (0 bytes)" \
2075 -c "0 bytes written in 1 fragments"
2076
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2077## ClientHello generated with
2078## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2079## then manually twiddling the ciphersuite list.
2080## The ClientHello content is spelled out below as a hex string as
2081## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2082## The expected response is an inappropriate_fallback alert.
2083requires_openssl_with_fallback_scsv
2084run_test "Fallback SCSV: beginning of list" \
2085 "$P_SRV debug_level=2" \
2086 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2087 0 \
2088 -s "received FALLBACK_SCSV" \
2089 -s "inapropriate fallback"
2090
2091requires_openssl_with_fallback_scsv
2092run_test "Fallback SCSV: end of list" \
2093 "$P_SRV debug_level=2" \
2094 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2095 0 \
2096 -s "received FALLBACK_SCSV" \
2097 -s "inapropriate fallback"
2098
2099## Here the expected response is a valid ServerHello prefix, up to the random.
2100requires_openssl_with_fallback_scsv
2101run_test "Fallback SCSV: not in list" \
2102 "$P_SRV debug_level=2" \
2103 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2104 0 \
2105 -S "received FALLBACK_SCSV" \
2106 -S "inapropriate fallback"
2107
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2108# Tests for CBC 1/n-1 record splitting
2109
2110run_test "CBC Record splitting: TLS 1.2, no splitting" \
2111 "$P_SRV" \
2112 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2113 request_size=123 force_version=tls1_2" \
2114 0 \
2115 -s "Read from client: 123 bytes read" \
2116 -S "Read from client: 1 bytes read" \
2117 -S "122 bytes read"
2118
2119run_test "CBC Record splitting: TLS 1.1, no splitting" \
2120 "$P_SRV" \
2121 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2122 request_size=123 force_version=tls1_1" \
2123 0 \
2124 -s "Read from client: 123 bytes read" \
2125 -S "Read from client: 1 bytes read" \
2126 -S "122 bytes read"
2127
2128run_test "CBC Record splitting: TLS 1.0, splitting" \
2129 "$P_SRV" \
2130 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2131 request_size=123 force_version=tls1" \
2132 0 \
2133 -S "Read from client: 123 bytes read" \
2134 -s "Read from client: 1 bytes read" \
2135 -s "122 bytes read"
2136
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2137requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2138run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2139 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2140 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2141 request_size=123 force_version=ssl3" \
2142 0 \
2143 -S "Read from client: 123 bytes read" \
2144 -s "Read from client: 1 bytes read" \
2145 -s "122 bytes read"
2146
2147run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2148 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2149 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2150 request_size=123 force_version=tls1" \
2151 0 \
2152 -s "Read from client: 123 bytes read" \
2153 -S "Read from client: 1 bytes read" \
2154 -S "122 bytes read"
2155
2156run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2157 "$P_SRV" \
2158 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2159 request_size=123 force_version=tls1 recsplit=0" \
2160 0 \
2161 -s "Read from client: 123 bytes read" \
2162 -S "Read from client: 1 bytes read" \
2163 -S "122 bytes read"
2164
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2165run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2166 "$P_SRV nbio=2" \
2167 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2168 request_size=123 force_version=tls1" \
2169 0 \
2170 -S "Read from client: 123 bytes read" \
2171 -s "Read from client: 1 bytes read" \
2172 -s "122 bytes read"
2173
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2174# Tests for Session Tickets
2175
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2176run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2177 "$P_SRV debug_level=3 tickets=1" \
2178 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2179 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2180 -c "client hello, adding session ticket extension" \
2181 -s "found session ticket extension" \
2182 -s "server hello, adding session ticket extension" \
2183 -c "found session_ticket extension" \
2184 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2185 -S "session successfully restored from cache" \
2186 -s "session successfully restored from ticket" \
2187 -s "a session has been resumed" \
2188 -c "a session has been resumed"
2189
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2190run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2191 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2192 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2193 0 \
2194 -c "client hello, adding session ticket extension" \
2195 -s "found session ticket extension" \
2196 -s "server hello, adding session ticket extension" \
2197 -c "found session_ticket extension" \
2198 -c "parse new session ticket" \
2199 -S "session successfully restored from cache" \
2200 -s "session successfully restored from ticket" \
2201 -s "a session has been resumed" \
2202 -c "a session has been resumed"
2203
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2204run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2205 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2206 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2207 0 \
2208 -c "client hello, adding session ticket extension" \
2209 -s "found session ticket extension" \
2210 -s "server hello, adding session ticket extension" \
2211 -c "found session_ticket extension" \
2212 -c "parse new session ticket" \
2213 -S "session successfully restored from cache" \
2214 -S "session successfully restored from ticket" \
2215 -S "a session has been resumed" \
2216 -C "a session has been resumed"
2217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2218run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2219 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2220 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2221 0 \
2222 -c "client hello, adding session ticket extension" \
2223 -c "found session_ticket extension" \
2224 -c "parse new session ticket" \
2225 -c "a session has been resumed"
2226
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2227run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2228 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2229 "( $O_CLI -sess_out $SESSION; \
2230 $O_CLI -sess_in $SESSION; \
2231 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2232 0 \
2233 -s "found session ticket extension" \
2234 -s "server hello, adding session ticket extension" \
2235 -S "session successfully restored from cache" \
2236 -s "session successfully restored from ticket" \
2237 -s "a session has been resumed"
2238
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2239# Tests for Session Tickets with DTLS
2240
2241run_test "Session resume using tickets, DTLS: basic" \
2242 "$P_SRV debug_level=3 dtls=1 tickets=1" \
2243 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2244 0 \
2245 -c "client hello, adding session ticket extension" \
2246 -s "found session ticket extension" \
2247 -s "server hello, adding session ticket extension" \
2248 -c "found session_ticket extension" \
2249 -c "parse new session ticket" \
2250 -S "session successfully restored from cache" \
2251 -s "session successfully restored from ticket" \
2252 -s "a session has been resumed" \
2253 -c "a session has been resumed"
2254
2255run_test "Session resume using tickets, DTLS: cache disabled" \
2256 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
2257 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
2258 0 \
2259 -c "client hello, adding session ticket extension" \
2260 -s "found session ticket extension" \
2261 -s "server hello, adding session ticket extension" \
2262 -c "found session_ticket extension" \
2263 -c "parse new session ticket" \
2264 -S "session successfully restored from cache" \
2265 -s "session successfully restored from ticket" \
2266 -s "a session has been resumed" \
2267 -c "a session has been resumed"
2268
2269run_test "Session resume using tickets, DTLS: timeout" \
2270 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
2271 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
2272 0 \
2273 -c "client hello, adding session ticket extension" \
2274 -s "found session ticket extension" \
2275 -s "server hello, adding session ticket extension" \
2276 -c "found session_ticket extension" \
2277 -c "parse new session ticket" \
2278 -S "session successfully restored from cache" \
2279 -S "session successfully restored from ticket" \
2280 -S "a session has been resumed" \
2281 -C "a session has been resumed"
2282
2283run_test "Session resume using tickets, DTLS: openssl server" \
2284 "$O_SRV -dtls1" \
2285 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2286 0 \
2287 -c "client hello, adding session ticket extension" \
2288 -c "found session_ticket extension" \
2289 -c "parse new session ticket" \
2290 -c "a session has been resumed"
2291
2292run_test "Session resume using tickets, DTLS: openssl client" \
2293 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2294 "( $O_CLI -dtls1 -sess_out $SESSION; \
2295 $O_CLI -dtls1 -sess_in $SESSION; \
2296 rm -f $SESSION )" \
2297 0 \
2298 -s "found session ticket extension" \
2299 -s "server hello, adding session ticket extension" \
2300 -S "session successfully restored from cache" \
2301 -s "session successfully restored from ticket" \
2302 -s "a session has been resumed"
2303
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2304# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2305
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2306run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2307 "$P_SRV debug_level=3 tickets=0" \
2308 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2309 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2310 -c "client hello, adding session ticket extension" \
2311 -s "found session ticket extension" \
2312 -S "server hello, adding session ticket extension" \
2313 -C "found session_ticket extension" \
2314 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2315 -s "session successfully restored from cache" \
2316 -S "session successfully restored from ticket" \
2317 -s "a session has been resumed" \
2318 -c "a session has been resumed"
2319
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2320run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2321 "$P_SRV debug_level=3 tickets=1" \
2322 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2323 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2324 -C "client hello, adding session ticket extension" \
2325 -S "found session ticket extension" \
2326 -S "server hello, adding session ticket extension" \
2327 -C "found session_ticket extension" \
2328 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2329 -s "session successfully restored from cache" \
2330 -S "session successfully restored from ticket" \
2331 -s "a session has been resumed" \
2332 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2333
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2334run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2335 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
2336 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2337 0 \
2338 -S "session successfully restored from cache" \
2339 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2340 -S "a session has been resumed" \
2341 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2342
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2343run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2344 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
2345 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2346 0 \
2347 -s "session successfully restored from cache" \
2348 -S "session successfully restored from ticket" \
2349 -s "a session has been resumed" \
2350 -c "a session has been resumed"
2351
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]2352run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2353 "$P_SRV debug_level=3 tickets=0" \
2354 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2355 0 \
2356 -s "session successfully restored from cache" \
2357 -S "session successfully restored from ticket" \
2358 -s "a session has been resumed" \
2359 -c "a session has been resumed"
2360
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2361run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2362 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
2363 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2364 0 \
2365 -S "session successfully restored from cache" \
2366 -S "session successfully restored from ticket" \
2367 -S "a session has been resumed" \
2368 -C "a session has been resumed"
2369
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2370run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2371 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
2372 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]2373 0 \
2374 -s "session successfully restored from cache" \
2375 -S "session successfully restored from ticket" \
2376 -s "a session has been resumed" \
2377 -c "a session has been resumed"
2378
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2379run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2380 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2381 "( $O_CLI -sess_out $SESSION; \
2382 $O_CLI -sess_in $SESSION; \
2383 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2384 0 \
2385 -s "found session ticket extension" \
2386 -S "server hello, adding session ticket extension" \
2387 -s "session successfully restored from cache" \
2388 -S "session successfully restored from ticket" \
2389 -s "a session has been resumed"
2390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2391run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2392 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2393 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]2394 0 \
2395 -C "found session_ticket extension" \
2396 -C "parse new session ticket" \
2397 -c "a session has been resumed"
2398
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2399# Tests for Session Resume based on session-ID and cache, DTLS
2400
2401run_test "Session resume using cache, DTLS: tickets enabled on client" \
2402 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2403 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2404 0 \
2405 -c "client hello, adding session ticket extension" \
2406 -s "found session ticket extension" \
2407 -S "server hello, adding session ticket extension" \
2408 -C "found session_ticket extension" \
2409 -C "parse new session ticket" \
2410 -s "session successfully restored from cache" \
2411 -S "session successfully restored from ticket" \
2412 -s "a session has been resumed" \
2413 -c "a session has been resumed"
2414
2415run_test "Session resume using cache, DTLS: tickets enabled on server" \
2416 "$P_SRV dtls=1 debug_level=3 tickets=1" \
2417 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2418 0 \
2419 -C "client hello, adding session ticket extension" \
2420 -S "found session ticket extension" \
2421 -S "server hello, adding session ticket extension" \
2422 -C "found session_ticket extension" \
2423 -C "parse new session ticket" \
2424 -s "session successfully restored from cache" \
2425 -S "session successfully restored from ticket" \
2426 -s "a session has been resumed" \
2427 -c "a session has been resumed"
2428
2429run_test "Session resume using cache, DTLS: cache_max=0" \
2430 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
2431 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2432 0 \
2433 -S "session successfully restored from cache" \
2434 -S "session successfully restored from ticket" \
2435 -S "a session has been resumed" \
2436 -C "a session has been resumed"
2437
2438run_test "Session resume using cache, DTLS: cache_max=1" \
2439 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
2440 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2441 0 \
2442 -s "session successfully restored from cache" \
2443 -S "session successfully restored from ticket" \
2444 -s "a session has been resumed" \
2445 -c "a session has been resumed"
2446
2447run_test "Session resume using cache, DTLS: timeout > delay" \
2448 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2449 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
2450 0 \
2451 -s "session successfully restored from cache" \
2452 -S "session successfully restored from ticket" \
2453 -s "a session has been resumed" \
2454 -c "a session has been resumed"
2455
2456run_test "Session resume using cache, DTLS: timeout < delay" \
2457 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
2458 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2459 0 \
2460 -S "session successfully restored from cache" \
2461 -S "session successfully restored from ticket" \
2462 -S "a session has been resumed" \
2463 -C "a session has been resumed"
2464
2465run_test "Session resume using cache, DTLS: no timeout" \
2466 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
2467 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
2468 0 \
2469 -s "session successfully restored from cache" \
2470 -S "session successfully restored from ticket" \
2471 -s "a session has been resumed" \
2472 -c "a session has been resumed"
2473
2474run_test "Session resume using cache, DTLS: openssl client" \
2475 "$P_SRV dtls=1 debug_level=3 tickets=0" \
2476 "( $O_CLI -dtls1 -sess_out $SESSION; \
2477 $O_CLI -dtls1 -sess_in $SESSION; \
2478 rm -f $SESSION )" \
2479 0 \
2480 -s "found session ticket extension" \
2481 -S "server hello, adding session ticket extension" \
2482 -s "session successfully restored from cache" \
2483 -S "session successfully restored from ticket" \
2484 -s "a session has been resumed"
2485
2486run_test "Session resume using cache, DTLS: openssl server" \
2487 "$O_SRV -dtls1" \
2488 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
2489 0 \
2490 -C "found session_ticket extension" \
2491 -C "parse new session ticket" \
2492 -c "a session has been resumed"
2493
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2494# Tests for Max Fragment Length extension
2495
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2496if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then
2497 printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n"
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]2498 exit 1
2499fi
2500
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2501if [ $MAX_CONTENT_LEN -ne 16384 ]; then
2502 printf "Using non-default maximum content length $MAX_CONTENT_LEN\n"
2503fi
2504
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2505requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2506run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2507 "$P_SRV debug_level=3" \
2508 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2509 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2510 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
2511 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2512 -C "client hello, adding max_fragment_length extension" \
2513 -S "found max fragment length extension" \
2514 -S "server hello, max_fragment_length extension" \
2515 -C "found max_fragment_length extension"
2516
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2517requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2518run_test "Max fragment length: enabled, default, larger message" \
2519 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2520 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2521 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2522 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
2523 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2524 -C "client hello, adding max_fragment_length extension" \
2525 -S "found max fragment length extension" \
2526 -S "server hello, max_fragment_length extension" \
2527 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2528 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
2529 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]2530 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2531
2532requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
2533run_test "Max fragment length, DTLS: enabled, default, larger message" \
2534 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2535 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2536 1 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2537 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
2538 -s "Maximum fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2539 -C "client hello, adding max_fragment_length extension" \
2540 -S "found max fragment length extension" \
2541 -S "server hello, max_fragment_length extension" \
2542 -C "found max_fragment_length extension" \
2543 -c "fragment larger than.*maximum "
2544
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2545# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
2546# (session fragment length will be 16384 regardless of mbedtls
2547# content length configuration.)
2548
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2549requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
2550run_test "Max fragment length: disabled, larger message" \
2551 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2552 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2553 0 \
2554 -C "Maximum fragment length is 16384" \
2555 -S "Maximum fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2556 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
2557 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]2558 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2559
2560requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
2561run_test "Max fragment length DTLS: disabled, larger message" \
2562 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2563 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]2564 1 \
2565 -C "Maximum fragment length is 16384" \
2566 -S "Maximum fragment length is 16384" \
2567 -c "fragment larger than.*maximum "
2568
2569requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2570run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2571 "$P_SRV debug_level=3" \
2572 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2573 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2574 -c "Maximum fragment length is 4096" \
2575 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2576 -c "client hello, adding max_fragment_length extension" \
2577 -s "found max fragment length extension" \
2578 -s "server hello, max_fragment_length extension" \
2579 -c "found max_fragment_length extension"
2580
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2581requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2582run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2583 "$P_SRV debug_level=3 max_frag_len=4096" \
2584 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2585 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]2586 -c "Maximum fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2587 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]2588 -C "client hello, adding max_fragment_length extension" \
2589 -S "found max fragment length extension" \
2590 -S "server hello, max_fragment_length extension" \
2591 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2592
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2593requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2594requires_gnutls
2595run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]2596 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2597 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]2598 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2599 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]2600 -c "client hello, adding max_fragment_length extension" \
2601 -c "found max_fragment_length extension"
2602
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2603requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2604run_test "Max fragment length: client, message just fits" \
2605 "$P_SRV debug_level=3" \
2606 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
2607 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2608 -c "Maximum fragment length is 2048" \
2609 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2610 -c "client hello, adding max_fragment_length extension" \
2611 -s "found max fragment length extension" \
2612 -s "server hello, max_fragment_length extension" \
2613 -c "found max_fragment_length extension" \
2614 -c "2048 bytes written in 1 fragments" \
2615 -s "2048 bytes read"
2616
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2617requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2618run_test "Max fragment length: client, larger message" \
2619 "$P_SRV debug_level=3" \
2620 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
2621 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2622 -c "Maximum fragment length is 2048" \
2623 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2624 -c "client hello, adding max_fragment_length extension" \
2625 -s "found max fragment length extension" \
2626 -s "server hello, max_fragment_length extension" \
2627 -c "found max_fragment_length extension" \
2628 -c "2345 bytes written in 2 fragments" \
2629 -s "2048 bytes read" \
2630 -s "297 bytes read"
2631
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]2632requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]2633run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2634 "$P_SRV debug_level=3 dtls=1" \
2635 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
2636 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]2637 -c "Maximum fragment length is 2048" \
2638 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]2639 -c "client hello, adding max_fragment_length extension" \
2640 -s "found max fragment length extension" \
2641 -s "server hello, max_fragment_length extension" \
2642 -c "found max_fragment_length extension" \
2643 -c "fragment larger than.*maximum"
2644
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2645# Tests for renegotiation
2646
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2647# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2648run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2649 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2650 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2651 0 \
2652 -C "client hello, adding renegotiation extension" \
2653 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2654 -S "found renegotiation extension" \
2655 -s "server hello, secure renegotiation extension" \
2656 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2657 -C "=> renegotiate" \
2658 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2659 -S "write hello request"
2660
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2661requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2662run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2663 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2664 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2665 0 \
2666 -c "client hello, adding renegotiation extension" \
2667 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2668 -s "found renegotiation extension" \
2669 -s "server hello, secure renegotiation extension" \
2670 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2671 -c "=> renegotiate" \
2672 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2673 -S "write hello request"
2674
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2675requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2676run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2677 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2678 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2679 0 \
2680 -c "client hello, adding renegotiation extension" \
2681 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2682 -s "found renegotiation extension" \
2683 -s "server hello, secure renegotiation extension" \
2684 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2685 -c "=> renegotiate" \
2686 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2687 -s "write hello request"
2688
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]2689# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
2690# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
2691# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2692requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]2693run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
2694 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
2695 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
2696 0 \
2697 -c "client hello, adding renegotiation extension" \
2698 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2699 -s "found renegotiation extension" \
2700 -s "server hello, secure renegotiation extension" \
2701 -c "found renegotiation extension" \
2702 -c "=> renegotiate" \
2703 -s "=> renegotiate" \
2704 -S "write hello request" \
2705 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
2706
2707# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
2708# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
2709# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2710requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]2711run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
2712 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
2713 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2714 0 \
2715 -c "client hello, adding renegotiation extension" \
2716 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2717 -s "found renegotiation extension" \
2718 -s "server hello, secure renegotiation extension" \
2719 -c "found renegotiation extension" \
2720 -c "=> renegotiate" \
2721 -s "=> renegotiate" \
2722 -s "write hello request" \
2723 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
2724
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2726run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2727 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2728 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2729 0 \
2730 -c "client hello, adding renegotiation extension" \
2731 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2732 -s "found renegotiation extension" \
2733 -s "server hello, secure renegotiation extension" \
2734 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2735 -c "=> renegotiate" \
2736 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2737 -s "write hello request"
2738
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2739requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2740run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2741 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2742 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2743 1 \
2744 -c "client hello, adding renegotiation extension" \
2745 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2746 -S "found renegotiation extension" \
2747 -s "server hello, secure renegotiation extension" \
2748 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2749 -c "=> renegotiate" \
2750 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2751 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]2752 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2753 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2754
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2755requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2756run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2757 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2758 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2759 0 \
2760 -C "client hello, adding renegotiation extension" \
2761 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2762 -S "found renegotiation extension" \
2763 -s "server hello, secure renegotiation extension" \
2764 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]2765 -C "=> renegotiate" \
2766 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2767 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]2768 -S "SSL - An unexpected message was received from our peer" \
2769 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]2770
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2771requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2772run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2773 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2774 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2775 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2776 0 \
2777 -C "client hello, adding renegotiation extension" \
2778 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2779 -S "found renegotiation extension" \
2780 -s "server hello, secure renegotiation extension" \
2781 -c "found renegotiation extension" \
2782 -C "=> renegotiate" \
2783 -S "=> renegotiate" \
2784 -s "write hello request" \
2785 -S "SSL - An unexpected message was received from our peer" \
2786 -S "failed"
2787
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]2788# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2789requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2790run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2791 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2792 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2793 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2794 0 \
2795 -C "client hello, adding renegotiation extension" \
2796 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2797 -S "found renegotiation extension" \
2798 -s "server hello, secure renegotiation extension" \
2799 -c "found renegotiation extension" \
2800 -C "=> renegotiate" \
2801 -S "=> renegotiate" \
2802 -s "write hello request" \
2803 -S "SSL - An unexpected message was received from our peer" \
2804 -S "failed"
2805
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2806requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2807run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2808 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2809 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2810 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2811 0 \
2812 -C "client hello, adding renegotiation extension" \
2813 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2814 -S "found renegotiation extension" \
2815 -s "server hello, secure renegotiation extension" \
2816 -c "found renegotiation extension" \
2817 -C "=> renegotiate" \
2818 -S "=> renegotiate" \
2819 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]2820 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2821
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2822requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2823run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2824 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2825 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2826 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]2827 0 \
2828 -c "client hello, adding renegotiation extension" \
2829 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2830 -s "found renegotiation extension" \
2831 -s "server hello, secure renegotiation extension" \
2832 -c "found renegotiation extension" \
2833 -c "=> renegotiate" \
2834 -s "=> renegotiate" \
2835 -s "write hello request" \
2836 -S "SSL - An unexpected message was received from our peer" \
2837 -S "failed"
2838
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2839requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2840run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2841 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2842 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
2843 0 \
2844 -C "client hello, adding renegotiation extension" \
2845 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2846 -S "found renegotiation extension" \
2847 -s "server hello, secure renegotiation extension" \
2848 -c "found renegotiation extension" \
2849 -S "record counter limit reached: renegotiate" \
2850 -C "=> renegotiate" \
2851 -S "=> renegotiate" \
2852 -S "write hello request" \
2853 -S "SSL - An unexpected message was received from our peer" \
2854 -S "failed"
2855
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2856# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2857requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2858run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2859 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2860 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2861 0 \
2862 -c "client hello, adding renegotiation extension" \
2863 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2864 -s "found renegotiation extension" \
2865 -s "server hello, secure renegotiation extension" \
2866 -c "found renegotiation extension" \
2867 -s "record counter limit reached: renegotiate" \
2868 -c "=> renegotiate" \
2869 -s "=> renegotiate" \
2870 -s "write hello request" \
2871 -S "SSL - An unexpected message was received from our peer" \
2872 -S "failed"
2873
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2874requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2875run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2876 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]2877 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2878 0 \
2879 -c "client hello, adding renegotiation extension" \
2880 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2881 -s "found renegotiation extension" \
2882 -s "server hello, secure renegotiation extension" \
2883 -c "found renegotiation extension" \
2884 -s "record counter limit reached: renegotiate" \
2885 -c "=> renegotiate" \
2886 -s "=> renegotiate" \
2887 -s "write hello request" \
2888 -S "SSL - An unexpected message was received from our peer" \
2889 -S "failed"
2890
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2891requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2892run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2893 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2894 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2895 0 \
2896 -C "client hello, adding renegotiation extension" \
2897 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2898 -S "found renegotiation extension" \
2899 -s "server hello, secure renegotiation extension" \
2900 -c "found renegotiation extension" \
2901 -S "record counter limit reached: renegotiate" \
2902 -C "=> renegotiate" \
2903 -S "=> renegotiate" \
2904 -S "write hello request" \
2905 -S "SSL - An unexpected message was received from our peer" \
2906 -S "failed"
2907
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2908requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2909run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2910 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2911 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2912 0 \
2913 -c "client hello, adding renegotiation extension" \
2914 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2915 -s "found renegotiation extension" \
2916 -s "server hello, secure renegotiation extension" \
2917 -c "found renegotiation extension" \
2918 -c "=> renegotiate" \
2919 -s "=> renegotiate" \
2920 -S "write hello request"
2921
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2922requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2923run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2924 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2925 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2926 0 \
2927 -c "client hello, adding renegotiation extension" \
2928 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2929 -s "found renegotiation extension" \
2930 -s "server hello, secure renegotiation extension" \
2931 -c "found renegotiation extension" \
2932 -c "=> renegotiate" \
2933 -s "=> renegotiate" \
2934 -s "write hello request"
2935
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2936requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2937run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]2938 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2939 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2940 0 \
2941 -c "client hello, adding renegotiation extension" \
2942 -c "found renegotiation extension" \
2943 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2944 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2945 -C "error" \
2946 -c "HTTP/1.0 200 [Oo][Kk]"
2947
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2948requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2949requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2950run_test "Renegotiation: gnutls server strict, client-initiated" \
2951 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2952 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2953 0 \
2954 -c "client hello, adding renegotiation extension" \
2955 -c "found renegotiation extension" \
2956 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2957 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2958 -C "error" \
2959 -c "HTTP/1.0 200 [Oo][Kk]"
2960
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2961requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2962requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2963run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2964 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2965 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2966 1 \
2967 -c "client hello, adding renegotiation extension" \
2968 -C "found renegotiation extension" \
2969 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2970 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2971 -c "error" \
2972 -C "HTTP/1.0 200 [Oo][Kk]"
2973
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2974requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2975requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2976run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2977 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2978 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2979 allow_legacy=0" \
2980 1 \
2981 -c "client hello, adding renegotiation extension" \
2982 -C "found renegotiation extension" \
2983 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2984 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2985 -c "error" \
2986 -C "HTTP/1.0 200 [Oo][Kk]"
2987
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2988requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2989requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2990run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
2991 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2992 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2993 allow_legacy=1" \
2994 0 \
2995 -c "client hello, adding renegotiation extension" \
2996 -C "found renegotiation extension" \
2997 -c "=> renegotiate" \
2998 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2999 -C "error" \
3000 -c "HTTP/1.0 200 [Oo][Kk]"
3001
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3002requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3003run_test "Renegotiation: DTLS, client-initiated" \
3004 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3005 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3006 0 \
3007 -c "client hello, adding renegotiation extension" \
3008 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3009 -s "found renegotiation extension" \
3010 -s "server hello, secure renegotiation extension" \
3011 -c "found renegotiation extension" \
3012 -c "=> renegotiate" \
3013 -s "=> renegotiate" \
3014 -S "write hello request"
3015
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3016requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3017run_test "Renegotiation: DTLS, server-initiated" \
3018 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3019 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3020 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3021 0 \
3022 -c "client hello, adding renegotiation extension" \
3023 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3024 -s "found renegotiation extension" \
3025 -s "server hello, secure renegotiation extension" \
3026 -c "found renegotiation extension" \
3027 -c "=> renegotiate" \
3028 -s "=> renegotiate" \
3029 -s "write hello request"
3030
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3031requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3032run_test "Renegotiation: DTLS, renego_period overflow" \
3033 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3034 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3035 0 \
3036 -c "client hello, adding renegotiation extension" \
3037 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3038 -s "found renegotiation extension" \
3039 -s "server hello, secure renegotiation extension" \
3040 -s "record counter limit reached: renegotiate" \
3041 -c "=> renegotiate" \
3042 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3043 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3044
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3045requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3046requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3047run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
3048 "$G_SRV -u --mtu 4096" \
3049 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
3050 0 \
3051 -c "client hello, adding renegotiation extension" \
3052 -c "found renegotiation extension" \
3053 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3054 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]3055 -C "error" \
3056 -s "Extra-header:"
3057
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3058# Test for the "secure renegotation" extension only (no actual renegotiation)
3059
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3060requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3061run_test "Renego ext: gnutls server strict, client default" \
3062 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
3063 "$P_CLI debug_level=3" \
3064 0 \
3065 -c "found renegotiation extension" \
3066 -C "error" \
3067 -c "HTTP/1.0 200 [Oo][Kk]"
3068
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3069requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3070run_test "Renego ext: gnutls server unsafe, client default" \
3071 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3072 "$P_CLI debug_level=3" \
3073 0 \
3074 -C "found renegotiation extension" \
3075 -C "error" \
3076 -c "HTTP/1.0 200 [Oo][Kk]"
3077
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3078requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3079run_test "Renego ext: gnutls server unsafe, client break legacy" \
3080 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3081 "$P_CLI debug_level=3 allow_legacy=-1" \
3082 1 \
3083 -C "found renegotiation extension" \
3084 -c "error" \
3085 -C "HTTP/1.0 200 [Oo][Kk]"
3086
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3087requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3088run_test "Renego ext: gnutls client strict, server default" \
3089 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3090 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3091 0 \
3092 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3093 -s "server hello, secure renegotiation extension"
3094
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3095requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3096run_test "Renego ext: gnutls client unsafe, server default" \
3097 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3098 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3099 0 \
3100 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3101 -S "server hello, secure renegotiation extension"
3102
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3103requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3104run_test "Renego ext: gnutls client unsafe, server break legacy" \
3105 "$P_SRV debug_level=3 allow_legacy=-1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3106 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3107 1 \
3108 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
3109 -S "server hello, secure renegotiation extension"
3110
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3111# Tests for silently dropping trailing extra bytes in .der certificates
3112
3113requires_gnutls
3114run_test "DER format: no trailing bytes" \
3115 "$P_SRV crt_file=data_files/server5-der0.crt \
3116 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3117 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3118 0 \
3119 -c "Handshake was completed" \
3120
3121requires_gnutls
3122run_test "DER format: with a trailing zero byte" \
3123 "$P_SRV crt_file=data_files/server5-der1a.crt \
3124 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3125 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3126 0 \
3127 -c "Handshake was completed" \
3128
3129requires_gnutls
3130run_test "DER format: with a trailing random byte" \
3131 "$P_SRV crt_file=data_files/server5-der1b.crt \
3132 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3133 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3134 0 \
3135 -c "Handshake was completed" \
3136
3137requires_gnutls
3138run_test "DER format: with 2 trailing random bytes" \
3139 "$P_SRV crt_file=data_files/server5-der2.crt \
3140 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3141 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3142 0 \
3143 -c "Handshake was completed" \
3144
3145requires_gnutls
3146run_test "DER format: with 4 trailing random bytes" \
3147 "$P_SRV crt_file=data_files/server5-der4.crt \
3148 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3149 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3150 0 \
3151 -c "Handshake was completed" \
3152
3153requires_gnutls
3154run_test "DER format: with 8 trailing random bytes" \
3155 "$P_SRV crt_file=data_files/server5-der8.crt \
3156 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3157 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3158 0 \
3159 -c "Handshake was completed" \
3160
3161requires_gnutls
3162run_test "DER format: with 9 trailing random bytes" \
3163 "$P_SRV crt_file=data_files/server5-der9.crt \
3164 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]3165 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]3166 0 \
3167 -c "Handshake was completed" \
3168
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]3169# Tests for auth_mode, there are duplicated tests using ca callback for authentication
3170# When updating these tests, modify the matching authentication tests accordingly
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3171
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3172run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3173 "$P_SRV crt_file=data_files/server5-badsign.crt \
3174 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3175 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3176 1 \
3177 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3178 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3179 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3180 -c "X509 - Certificate verification failed"
3181
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3182run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3183 "$P_SRV crt_file=data_files/server5-badsign.crt \
3184 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3185 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3186 0 \
3187 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3188 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3189 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3190 -C "X509 - Certificate verification failed"
3191
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]3192run_test "Authentication: server goodcert, client optional, no trusted CA" \
3193 "$P_SRV" \
3194 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
3195 0 \
3196 -c "x509_verify_cert() returned" \
3197 -c "! The certificate is not correctly signed by the trusted CA" \
3198 -c "! Certificate verification flags"\
3199 -C "! mbedtls_ssl_handshake returned" \
3200 -C "X509 - Certificate verification failed" \
3201 -C "SSL - No CA Chain is set, but required to operate"
3202
3203run_test "Authentication: server goodcert, client required, no trusted CA" \
3204 "$P_SRV" \
3205 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
3206 1 \
3207 -c "x509_verify_cert() returned" \
3208 -c "! The certificate is not correctly signed by the trusted CA" \
3209 -c "! Certificate verification flags"\
3210 -c "! mbedtls_ssl_handshake returned" \
3211 -c "SSL - No CA Chain is set, but required to operate"
3212
3213# The purpose of the next two tests is to test the client's behaviour when receiving a server
3214# certificate with an unsupported elliptic curve. This should usually not happen because
3215# the client informs the server about the supported curves - it does, though, in the
3216# corner case of a static ECDH suite, because the server doesn't check the curve on that
3217# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3218# different means to have the server ignoring the client's supported curve list.
3219
3220requires_config_enabled MBEDTLS_ECP_C
3221run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
3222 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3223 crt_file=data_files/server5.ku-ka.crt" \
3224 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
3225 1 \
3226 -c "bad certificate (EC key curve)"\
3227 -c "! Certificate verification flags"\
3228 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3229
3230requires_config_enabled MBEDTLS_ECP_C
3231run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
3232 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3233 crt_file=data_files/server5.ku-ka.crt" \
3234 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
3235 1 \
3236 -c "bad certificate (EC key curve)"\
3237 -c "! Certificate verification flags"\
3238 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3239
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3240run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]3241 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3242 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3243 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3244 0 \
3245 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3246 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3247 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3248 -C "X509 - Certificate verification failed"
3249
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]3250run_test "Authentication: client SHA256, server required" \
3251 "$P_SRV auth_mode=required" \
3252 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3253 key_file=data_files/server6.key \
3254 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3255 0 \
3256 -c "Supported Signature Algorithm found: 4," \
3257 -c "Supported Signature Algorithm found: 5,"
3258
3259run_test "Authentication: client SHA384, server required" \
3260 "$P_SRV auth_mode=required" \
3261 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3262 key_file=data_files/server6.key \
3263 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3264 0 \
3265 -c "Supported Signature Algorithm found: 4," \
3266 -c "Supported Signature Algorithm found: 5,"
3267
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3268requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
3269run_test "Authentication: client has no cert, server required (SSLv3)" \
3270 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
3271 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
3272 key_file=data_files/server5.key" \
3273 1 \
3274 -S "skip write certificate request" \
3275 -C "skip parse certificate request" \
3276 -c "got a certificate request" \
3277 -c "got no certificate to send" \
3278 -S "x509_verify_cert() returned" \
3279 -s "client has no certificate" \
3280 -s "! mbedtls_ssl_handshake returned" \
3281 -c "! mbedtls_ssl_handshake returned" \
3282 -s "No client certification received from the client, but required by the authentication mode"
3283
3284run_test "Authentication: client has no cert, server required (TLS)" \
3285 "$P_SRV debug_level=3 auth_mode=required" \
3286 "$P_CLI debug_level=3 crt_file=none \
3287 key_file=data_files/server5.key" \
3288 1 \
3289 -S "skip write certificate request" \
3290 -C "skip parse certificate request" \
3291 -c "got a certificate request" \
3292 -c "= write certificate$" \
3293 -C "skip write certificate$" \
3294 -S "x509_verify_cert() returned" \
3295 -s "client has no certificate" \
3296 -s "! mbedtls_ssl_handshake returned" \
3297 -c "! mbedtls_ssl_handshake returned" \
3298 -s "No client certification received from the client, but required by the authentication mode"
3299
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3300run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3301 "$P_SRV debug_level=3 auth_mode=required" \
3302 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3303 key_file=data_files/server5.key" \
3304 1 \
3305 -S "skip write certificate request" \
3306 -C "skip parse certificate request" \
3307 -c "got a certificate request" \
3308 -C "skip write certificate" \
3309 -C "skip write certificate verify" \
3310 -S "skip parse certificate verify" \
3311 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3312 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3313 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3314 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3315 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3316 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]3317# We don't check that the client receives the alert because it might
3318# detect that its write end of the connection is closed and abort
3319# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3320
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3321run_test "Authentication: client cert not trusted, server required" \
3322 "$P_SRV debug_level=3 auth_mode=required" \
3323 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3324 key_file=data_files/server5.key" \
3325 1 \
3326 -S "skip write certificate request" \
3327 -C "skip parse certificate request" \
3328 -c "got a certificate request" \
3329 -C "skip write certificate" \
3330 -C "skip write certificate verify" \
3331 -S "skip parse certificate verify" \
3332 -s "x509_verify_cert() returned" \
3333 -s "! The certificate is not correctly signed by the trusted CA" \
3334 -s "! mbedtls_ssl_handshake returned" \
3335 -c "! mbedtls_ssl_handshake returned" \
3336 -s "X509 - Certificate verification failed"
3337
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3338run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3339 "$P_SRV debug_level=3 auth_mode=optional" \
3340 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3341 key_file=data_files/server5.key" \
3342 0 \
3343 -S "skip write certificate request" \
3344 -C "skip parse certificate request" \
3345 -c "got a certificate request" \
3346 -C "skip write certificate" \
3347 -C "skip write certificate verify" \
3348 -S "skip parse certificate verify" \
3349 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3350 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3351 -S "! mbedtls_ssl_handshake returned" \
3352 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3353 -S "X509 - Certificate verification failed"
3354
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3355run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3356 "$P_SRV debug_level=3 auth_mode=none" \
3357 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3358 key_file=data_files/server5.key" \
3359 0 \
3360 -s "skip write certificate request" \
3361 -C "skip parse certificate request" \
3362 -c "got no certificate request" \
3363 -c "skip write certificate" \
3364 -c "skip write certificate verify" \
3365 -s "skip parse certificate verify" \
3366 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3367 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3368 -S "! mbedtls_ssl_handshake returned" \
3369 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3370 -S "X509 - Certificate verification failed"
3371
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3372run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3373 "$P_SRV debug_level=3 auth_mode=optional" \
3374 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3375 0 \
3376 -S "skip write certificate request" \
3377 -C "skip parse certificate request" \
3378 -c "got a certificate request" \
3379 -C "skip write certificate$" \
3380 -C "got no certificate to send" \
3381 -S "SSLv3 client has no certificate" \
3382 -c "skip write certificate verify" \
3383 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3384 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3385 -S "! mbedtls_ssl_handshake returned" \
3386 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3387 -S "X509 - Certificate verification failed"
3388
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3389run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3390 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3391 "$O_CLI" \
3392 0 \
3393 -S "skip write certificate request" \
3394 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3395 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3396 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3397 -S "X509 - Certificate verification failed"
3398
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3399run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3400 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3401 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3402 0 \
3403 -C "skip parse certificate request" \
3404 -c "got a certificate request" \
3405 -C "skip write certificate$" \
3406 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3407 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3408
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]3409run_test "Authentication: client no cert, openssl server required" \
3410 "$O_SRV -Verify 10" \
3411 "$P_CLI debug_level=3 crt_file=none key_file=none" \
3412 1 \
3413 -C "skip parse certificate request" \
3414 -c "got a certificate request" \
3415 -C "skip write certificate$" \
3416 -c "skip write certificate verify" \
3417 -c "! mbedtls_ssl_handshake returned"
3418
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3419requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3420run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3421 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3422 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3423 0 \
3424 -S "skip write certificate request" \
3425 -C "skip parse certificate request" \
3426 -c "got a certificate request" \
3427 -C "skip write certificate$" \
3428 -c "skip write certificate verify" \
3429 -c "got no certificate to send" \
3430 -s "SSLv3 client has no certificate" \
3431 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]3432 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3433 -S "! mbedtls_ssl_handshake returned" \
3434 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]3435 -S "X509 - Certificate verification failed"
3436
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]3437# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
3438# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3439
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3440MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3441MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3442
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3443if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3444 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3445 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3446 printf "test value of ${MAX_IM_CA}. \n"
3447 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]3448 printf "The tests assume this value and if it changes, the tests in this\n"
3449 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3450 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]3451
3452 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]3453fi
3454
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3455requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3456run_test "Authentication: server max_int chain, client default" \
3457 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3458 key_file=data_files/dir-maxpath/09.key" \
3459 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3460 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3461 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3462
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3463requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3464run_test "Authentication: server max_int+1 chain, client default" \
3465 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3466 key_file=data_files/dir-maxpath/10.key" \
3467 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3468 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3469 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3470
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3471requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3472run_test "Authentication: server max_int+1 chain, client optional" \
3473 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3474 key_file=data_files/dir-maxpath/10.key" \
3475 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3476 auth_mode=optional" \
3477 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3478 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3479
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3480requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3481run_test "Authentication: server max_int+1 chain, client none" \
3482 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3483 key_file=data_files/dir-maxpath/10.key" \
3484 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3485 auth_mode=none" \
3486 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3487 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3488
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3489requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3490run_test "Authentication: client max_int+1 chain, server default" \
3491 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
3492 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
3493 key_file=data_files/dir-maxpath/10.key" \
3494 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3495 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3496
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3497requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3498run_test "Authentication: client max_int+1 chain, server optional" \
3499 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
3500 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
3501 key_file=data_files/dir-maxpath/10.key" \
3502 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3503 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3504
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3505requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3506run_test "Authentication: client max_int+1 chain, server required" \
3507 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
3508 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
3509 key_file=data_files/dir-maxpath/10.key" \
3510 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3511 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3512
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3513requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3514run_test "Authentication: client max_int chain, server required" \
3515 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
3516 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
3517 key_file=data_files/dir-maxpath/09.key" \
3518 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]3519 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]3520
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]3521# Tests for CA list in CertificateRequest messages
3522
3523run_test "Authentication: send CA list in CertificateRequest (default)" \
3524 "$P_SRV debug_level=3 auth_mode=required" \
3525 "$P_CLI crt_file=data_files/server6.crt \
3526 key_file=data_files/server6.key" \
3527 0 \
3528 -s "requested DN"
3529
3530run_test "Authentication: do not send CA list in CertificateRequest" \
3531 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
3532 "$P_CLI crt_file=data_files/server6.crt \
3533 key_file=data_files/server6.key" \
3534 0 \
3535 -S "requested DN"
3536
3537run_test "Authentication: send CA list in CertificateRequest, client self signed" \
3538 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
3539 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3540 key_file=data_files/server5.key" \
3541 1 \
3542 -S "requested DN" \
3543 -s "x509_verify_cert() returned" \
3544 -s "! The certificate is not correctly signed by the trusted CA" \
3545 -s "! mbedtls_ssl_handshake returned" \
3546 -c "! mbedtls_ssl_handshake returned" \
3547 -s "X509 - Certificate verification failed"
3548
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]3549# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
3550# When updating these tests, modify the matching authentication tests accordingly
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3551
3552requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3553run_test "Authentication, CA callback: server badcert, client required" \
3554 "$P_SRV crt_file=data_files/server5-badsign.crt \
3555 key_file=data_files/server5.key" \
3556 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
3557 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3558 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3559 -c "x509_verify_cert() returned" \
3560 -c "! The certificate is not correctly signed by the trusted CA" \
3561 -c "! mbedtls_ssl_handshake returned" \
3562 -c "X509 - Certificate verification failed"
3563
3564requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3565run_test "Authentication, CA callback: server badcert, client optional" \
3566 "$P_SRV crt_file=data_files/server5-badsign.crt \
3567 key_file=data_files/server5.key" \
3568 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
3569 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3570 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3571 -c "x509_verify_cert() returned" \
3572 -c "! The certificate is not correctly signed by the trusted CA" \
3573 -C "! mbedtls_ssl_handshake returned" \
3574 -C "X509 - Certificate verification failed"
3575
3576# The purpose of the next two tests is to test the client's behaviour when receiving a server
3577# certificate with an unsupported elliptic curve. This should usually not happen because
3578# the client informs the server about the supported curves - it does, though, in the
3579# corner case of a static ECDH suite, because the server doesn't check the curve on that
3580# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
3581# different means to have the server ignoring the client's supported curve list.
3582
3583requires_config_enabled MBEDTLS_ECP_C
3584requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3585run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
3586 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3587 crt_file=data_files/server5.ku-ka.crt" \
3588 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required curves=secp521r1" \
3589 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3590 -c "use CA callback for X.509 CRT verification" \
3591 -c "bad certificate (EC key curve)" \
3592 -c "! Certificate verification flags" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3593 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
3594
3595requires_config_enabled MBEDTLS_ECP_C
3596requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3597run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
3598 "$P_SRV debug_level=1 key_file=data_files/server5.key \
3599 crt_file=data_files/server5.ku-ka.crt" \
3600 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional curves=secp521r1" \
3601 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3602 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3603 -c "bad certificate (EC key curve)"\
3604 -c "! Certificate verification flags"\
3605 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
3606
3607requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3608run_test "Authentication, CA callback: client SHA256, server required" \
3609 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
3610 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3611 key_file=data_files/server6.key \
3612 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
3613 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3614 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3615 -c "Supported Signature Algorithm found: 4," \
3616 -c "Supported Signature Algorithm found: 5,"
3617
3618requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3619run_test "Authentication, CA callback: client SHA384, server required" \
3620 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
3621 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
3622 key_file=data_files/server6.key \
3623 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
3624 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3625 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3626 -c "Supported Signature Algorithm found: 4," \
3627 -c "Supported Signature Algorithm found: 5,"
3628
3629requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3630run_test "Authentication, CA callback: client badcert, server required" \
3631 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
3632 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
3633 key_file=data_files/server5.key" \
3634 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3635 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3636 -S "skip write certificate request" \
3637 -C "skip parse certificate request" \
3638 -c "got a certificate request" \
3639 -C "skip write certificate" \
3640 -C "skip write certificate verify" \
3641 -S "skip parse certificate verify" \
3642 -s "x509_verify_cert() returned" \
3643 -s "! The certificate is not correctly signed by the trusted CA" \
3644 -s "! mbedtls_ssl_handshake returned" \
3645 -s "send alert level=2 message=48" \
3646 -c "! mbedtls_ssl_handshake returned" \
3647 -s "X509 - Certificate verification failed"
3648# We don't check that the client receives the alert because it might
3649# detect that its write end of the connection is closed and abort
3650# before reading the alert message.
3651
3652requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3653run_test "Authentication, CA callback: client cert not trusted, server required" \
3654 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
3655 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
3656 key_file=data_files/server5.key" \
3657 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3658 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3659 -S "skip write certificate request" \
3660 -C "skip parse certificate request" \
3661 -c "got a certificate request" \
3662 -C "skip write certificate" \
3663 -C "skip write certificate verify" \
3664 -S "skip parse certificate verify" \
3665 -s "x509_verify_cert() returned" \
3666 -s "! The certificate is not correctly signed by the trusted CA" \
3667 -s "! mbedtls_ssl_handshake returned" \
3668 -c "! mbedtls_ssl_handshake returned" \
3669 -s "X509 - Certificate verification failed"
3670
3671requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3672run_test "Authentication, CA callback: client badcert, server optional" \
3673 "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
3674 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
3675 key_file=data_files/server5.key" \
3676 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3677 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3678 -S "skip write certificate request" \
3679 -C "skip parse certificate request" \
3680 -c "got a certificate request" \
3681 -C "skip write certificate" \
3682 -C "skip write certificate verify" \
3683 -S "skip parse certificate verify" \
3684 -s "x509_verify_cert() returned" \
3685 -s "! The certificate is not correctly signed by the trusted CA" \
3686 -S "! mbedtls_ssl_handshake returned" \
3687 -C "! mbedtls_ssl_handshake returned" \
3688 -S "X509 - Certificate verification failed"
3689
3690requires_full_size_output_buffer
3691requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3692run_test "Authentication, CA callback: server max_int chain, client default" \
3693 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
3694 key_file=data_files/dir-maxpath/09.key" \
3695 "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
3696 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3697 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3698 -C "X509 - A fatal error occurred"
3699
3700requires_full_size_output_buffer
3701requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3702run_test "Authentication, CA callback: server max_int+1 chain, client default" \
3703 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3704 key_file=data_files/dir-maxpath/10.key" \
3705 "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
3706 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3707 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3708 -c "X509 - A fatal error occurred"
3709
3710requires_full_size_output_buffer
3711requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3712run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
3713 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
3714 key_file=data_files/dir-maxpath/10.key" \
3715 "$P_CLI ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
3716 debug_level=3 auth_mode=optional" \
3717 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3718 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3719 -c "X509 - A fatal error occurred"
3720
3721requires_full_size_output_buffer
3722requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3723run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
3724 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
3725 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
3726 key_file=data_files/dir-maxpath/10.key" \
3727 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3728 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3729 -s "X509 - A fatal error occurred"
3730
3731requires_full_size_output_buffer
3732requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3733run_test "Authentication, CA callback: client max_int+1 chain, server required" \
3734 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
3735 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
3736 key_file=data_files/dir-maxpath/10.key" \
3737 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3738 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3739 -s "X509 - A fatal error occurred"
3740
3741requires_full_size_output_buffer
3742requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
3743run_test "Authentication, CA callback: client max_int chain, server required" \
3744 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
3745 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
3746 key_file=data_files/dir-maxpath/09.key" \
3747 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]3748 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]3749 -S "X509 - A fatal error occurred"
3750
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]3751# Tests for certificate selection based on SHA verson
3752
3753run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
3754 "$P_SRV crt_file=data_files/server5.crt \
3755 key_file=data_files/server5.key \
3756 crt_file2=data_files/server5-sha1.crt \
3757 key_file2=data_files/server5.key" \
3758 "$P_CLI force_version=tls1_2" \
3759 0 \
3760 -c "signed using.*ECDSA with SHA256" \
3761 -C "signed using.*ECDSA with SHA1"
3762
3763run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
3764 "$P_SRV crt_file=data_files/server5.crt \
3765 key_file=data_files/server5.key \
3766 crt_file2=data_files/server5-sha1.crt \
3767 key_file2=data_files/server5.key" \
3768 "$P_CLI force_version=tls1_1" \
3769 0 \
3770 -C "signed using.*ECDSA with SHA256" \
3771 -c "signed using.*ECDSA with SHA1"
3772
3773run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
3774 "$P_SRV crt_file=data_files/server5.crt \
3775 key_file=data_files/server5.key \
3776 crt_file2=data_files/server5-sha1.crt \
3777 key_file2=data_files/server5.key" \
3778 "$P_CLI force_version=tls1" \
3779 0 \
3780 -C "signed using.*ECDSA with SHA256" \
3781 -c "signed using.*ECDSA with SHA1"
3782
3783run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
3784 "$P_SRV crt_file=data_files/server5.crt \
3785 key_file=data_files/server5.key \
3786 crt_file2=data_files/server6.crt \
3787 key_file2=data_files/server6.key" \
3788 "$P_CLI force_version=tls1_1" \
3789 0 \
3790 -c "serial number.*09" \
3791 -c "signed using.*ECDSA with SHA256" \
3792 -C "signed using.*ECDSA with SHA1"
3793
3794run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
3795 "$P_SRV crt_file=data_files/server6.crt \
3796 key_file=data_files/server6.key \
3797 crt_file2=data_files/server5.crt \
3798 key_file2=data_files/server5.key" \
3799 "$P_CLI force_version=tls1_1" \
3800 0 \
3801 -c "serial number.*0A" \
3802 -c "signed using.*ECDSA with SHA256" \
3803 -C "signed using.*ECDSA with SHA1"
3804
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3805# tests for SNI
3806
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3807run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3808 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3809 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3810 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3811 0 \
3812 -S "parse ServerName extension" \
3813 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
3814 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3815
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3816run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3817 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3818 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]3819 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3820 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3821 0 \
3822 -s "parse ServerName extension" \
3823 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3824 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3825
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3826run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3827 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3828 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]3829 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3830 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3831 0 \
3832 -s "parse ServerName extension" \
3833 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3834 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3835
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3836run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3837 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3838 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]3839 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]3840 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3841 1 \
3842 -s "parse ServerName extension" \
3843 -s "ssl_sni_wrapper() returned" \
3844 -s "mbedtls_ssl_handshake returned" \
3845 -c "mbedtls_ssl_handshake returned" \
3846 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]3847
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]3848run_test "SNI: client auth no override: optional" \
3849 "$P_SRV debug_level=3 auth_mode=optional \
3850 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3851 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
3852 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3853 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]3854 -S "skip write certificate request" \
3855 -C "skip parse certificate request" \
3856 -c "got a certificate request" \
3857 -C "skip write certificate" \
3858 -C "skip write certificate verify" \
3859 -S "skip parse certificate verify"
3860
3861run_test "SNI: client auth override: none -> optional" \
3862 "$P_SRV debug_level=3 auth_mode=none \
3863 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3864 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
3865 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3866 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]3867 -S "skip write certificate request" \
3868 -C "skip parse certificate request" \
3869 -c "got a certificate request" \
3870 -C "skip write certificate" \
3871 -C "skip write certificate verify" \
3872 -S "skip parse certificate verify"
3873
3874run_test "SNI: client auth override: optional -> none" \
3875 "$P_SRV debug_level=3 auth_mode=optional \
3876 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3877 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
3878 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3879 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]3880 -s "skip write certificate request" \
3881 -C "skip parse certificate request" \
3882 -c "got no certificate request" \
3883 -c "skip write certificate" \
3884 -c "skip write certificate verify" \
3885 -s "skip parse certificate verify"
3886
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]3887run_test "SNI: CA no override" \
3888 "$P_SRV debug_level=3 auth_mode=optional \
3889 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3890 ca_file=data_files/test-ca.crt \
3891 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
3892 "$P_CLI debug_level=3 server_name=localhost \
3893 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3894 1 \
3895 -S "skip write certificate request" \
3896 -C "skip parse certificate request" \
3897 -c "got a certificate request" \
3898 -C "skip write certificate" \
3899 -C "skip write certificate verify" \
3900 -S "skip parse certificate verify" \
3901 -s "x509_verify_cert() returned" \
3902 -s "! The certificate is not correctly signed by the trusted CA" \
3903 -S "The certificate has been revoked (is on a CRL)"
3904
3905run_test "SNI: CA override" \
3906 "$P_SRV debug_level=3 auth_mode=optional \
3907 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3908 ca_file=data_files/test-ca.crt \
3909 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3910 "$P_CLI debug_level=3 server_name=localhost \
3911 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3912 0 \
3913 -S "skip write certificate request" \
3914 -C "skip parse certificate request" \
3915 -c "got a certificate request" \
3916 -C "skip write certificate" \
3917 -C "skip write certificate verify" \
3918 -S "skip parse certificate verify" \
3919 -S "x509_verify_cert() returned" \
3920 -S "! The certificate is not correctly signed by the trusted CA" \
3921 -S "The certificate has been revoked (is on a CRL)"
3922
3923run_test "SNI: CA override with CRL" \
3924 "$P_SRV debug_level=3 auth_mode=optional \
3925 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3926 ca_file=data_files/test-ca.crt \
3927 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3928 "$P_CLI debug_level=3 server_name=localhost \
3929 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3930 1 \
3931 -S "skip write certificate request" \
3932 -C "skip parse certificate request" \
3933 -c "got a certificate request" \
3934 -C "skip write certificate" \
3935 -C "skip write certificate verify" \
3936 -S "skip parse certificate verify" \
3937 -s "x509_verify_cert() returned" \
3938 -S "! The certificate is not correctly signed by the trusted CA" \
3939 -s "The certificate has been revoked (is on a CRL)"
3940
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3941# Tests for SNI and DTLS
3942
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]3943run_test "SNI: DTLS, no SNI callback" \
3944 "$P_SRV debug_level=3 dtls=1 \
3945 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
3946 "$P_CLI server_name=localhost dtls=1" \
3947 0 \
3948 -S "parse ServerName extension" \
3949 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
3950 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
3951
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]3952run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]3953 "$P_SRV debug_level=3 dtls=1 \
3954 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3955 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3956 "$P_CLI server_name=localhost dtls=1" \
3957 0 \
3958 -s "parse ServerName extension" \
3959 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3960 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
3961
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]3962run_test "SNI: DTLS, matching cert 2" \
3963 "$P_SRV debug_level=3 dtls=1 \
3964 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3965 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3966 "$P_CLI server_name=polarssl.example dtls=1" \
3967 0 \
3968 -s "parse ServerName extension" \
3969 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
3970 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
3971
3972run_test "SNI: DTLS, no matching cert" \
3973 "$P_SRV debug_level=3 dtls=1 \
3974 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3975 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
3976 "$P_CLI server_name=nonesuch.example dtls=1" \
3977 1 \
3978 -s "parse ServerName extension" \
3979 -s "ssl_sni_wrapper() returned" \
3980 -s "mbedtls_ssl_handshake returned" \
3981 -c "mbedtls_ssl_handshake returned" \
3982 -c "SSL - A fatal alert message was received from our peer"
3983
3984run_test "SNI: DTLS, client auth no override: optional" \
3985 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3986 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3987 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
3988 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
3989 0 \
3990 -S "skip write certificate request" \
3991 -C "skip parse certificate request" \
3992 -c "got a certificate request" \
3993 -C "skip write certificate" \
3994 -C "skip write certificate verify" \
3995 -S "skip parse certificate verify"
3996
3997run_test "SNI: DTLS, client auth override: none -> optional" \
3998 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
3999 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4000 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4001 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4002 0 \
4003 -S "skip write certificate request" \
4004 -C "skip parse certificate request" \
4005 -c "got a certificate request" \
4006 -C "skip write certificate" \
4007 -C "skip write certificate verify" \
4008 -S "skip parse certificate verify"
4009
4010run_test "SNI: DTLS, client auth override: optional -> none" \
4011 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4012 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4013 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4014 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4015 0 \
4016 -s "skip write certificate request" \
4017 -C "skip parse certificate request" \
4018 -c "got no certificate request" \
4019 -c "skip write certificate" \
4020 -c "skip write certificate verify" \
4021 -s "skip parse certificate verify"
4022
4023run_test "SNI: DTLS, CA no override" \
4024 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4025 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4026 ca_file=data_files/test-ca.crt \
4027 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4028 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4029 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4030 1 \
4031 -S "skip write certificate request" \
4032 -C "skip parse certificate request" \
4033 -c "got a certificate request" \
4034 -C "skip write certificate" \
4035 -C "skip write certificate verify" \
4036 -S "skip parse certificate verify" \
4037 -s "x509_verify_cert() returned" \
4038 -s "! The certificate is not correctly signed by the trusted CA" \
4039 -S "The certificate has been revoked (is on a CRL)"
4040
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4041run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4042 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4043 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4044 ca_file=data_files/test-ca.crt \
4045 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4046 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4047 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4048 0 \
4049 -S "skip write certificate request" \
4050 -C "skip parse certificate request" \
4051 -c "got a certificate request" \
4052 -C "skip write certificate" \
4053 -C "skip write certificate verify" \
4054 -S "skip parse certificate verify" \
4055 -S "x509_verify_cert() returned" \
4056 -S "! The certificate is not correctly signed by the trusted CA" \
4057 -S "The certificate has been revoked (is on a CRL)"
4058
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4059run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4060 "$P_SRV debug_level=3 auth_mode=optional \
4061 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
4062 ca_file=data_files/test-ca.crt \
4063 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4064 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4065 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4066 1 \
4067 -S "skip write certificate request" \
4068 -C "skip parse certificate request" \
4069 -c "got a certificate request" \
4070 -C "skip write certificate" \
4071 -C "skip write certificate verify" \
4072 -S "skip parse certificate verify" \
4073 -s "x509_verify_cert() returned" \
4074 -S "! The certificate is not correctly signed by the trusted CA" \
4075 -s "The certificate has been revoked (is on a CRL)"
4076
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4077# Tests for non-blocking I/O: exercise a variety of handshake flows
4078
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4079run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4080 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4081 "$P_CLI nbio=2 tickets=0" \
4082 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4083 -S "mbedtls_ssl_handshake returned" \
4084 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4085 -c "Read from server: .* bytes read"
4086
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4087run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4088 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
4089 "$P_CLI nbio=2 tickets=0" \
4090 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4091 -S "mbedtls_ssl_handshake returned" \
4092 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4093 -c "Read from server: .* bytes read"
4094
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4095run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4096 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4097 "$P_CLI nbio=2 tickets=1" \
4098 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4099 -S "mbedtls_ssl_handshake returned" \
4100 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4101 -c "Read from server: .* bytes read"
4102
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4103run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4104 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4105 "$P_CLI nbio=2 tickets=1" \
4106 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4107 -S "mbedtls_ssl_handshake returned" \
4108 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4109 -c "Read from server: .* bytes read"
4110
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4111run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4112 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
4113 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4114 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4115 -S "mbedtls_ssl_handshake returned" \
4116 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4117 -c "Read from server: .* bytes read"
4118
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4119run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4120 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
4121 "$P_CLI nbio=2 tickets=1 reconnect=1" \
4122 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4123 -S "mbedtls_ssl_handshake returned" \
4124 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4125 -c "Read from server: .* bytes read"
4126
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4127run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4128 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
4129 "$P_CLI nbio=2 tickets=0 reconnect=1" \
4130 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4131 -S "mbedtls_ssl_handshake returned" \
4132 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]4133 -c "Read from server: .* bytes read"
4134
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]4135# Tests for event-driven I/O: exercise a variety of handshake flows
4136
4137run_test "Event-driven I/O: basic handshake" \
4138 "$P_SRV event=1 tickets=0 auth_mode=none" \
4139 "$P_CLI event=1 tickets=0" \
4140 0 \
4141 -S "mbedtls_ssl_handshake returned" \
4142 -C "mbedtls_ssl_handshake returned" \
4143 -c "Read from server: .* bytes read"
4144
4145run_test "Event-driven I/O: client auth" \
4146 "$P_SRV event=1 tickets=0 auth_mode=required" \
4147 "$P_CLI event=1 tickets=0" \
4148 0 \
4149 -S "mbedtls_ssl_handshake returned" \
4150 -C "mbedtls_ssl_handshake returned" \
4151 -c "Read from server: .* bytes read"
4152
4153run_test "Event-driven I/O: ticket" \
4154 "$P_SRV event=1 tickets=1 auth_mode=none" \
4155 "$P_CLI event=1 tickets=1" \
4156 0 \
4157 -S "mbedtls_ssl_handshake returned" \
4158 -C "mbedtls_ssl_handshake returned" \
4159 -c "Read from server: .* bytes read"
4160
4161run_test "Event-driven I/O: ticket + client auth" \
4162 "$P_SRV event=1 tickets=1 auth_mode=required" \
4163 "$P_CLI event=1 tickets=1" \
4164 0 \
4165 -S "mbedtls_ssl_handshake returned" \
4166 -C "mbedtls_ssl_handshake returned" \
4167 -c "Read from server: .* bytes read"
4168
4169run_test "Event-driven I/O: ticket + client auth + resume" \
4170 "$P_SRV event=1 tickets=1 auth_mode=required" \
4171 "$P_CLI event=1 tickets=1 reconnect=1" \
4172 0 \
4173 -S "mbedtls_ssl_handshake returned" \
4174 -C "mbedtls_ssl_handshake returned" \
4175 -c "Read from server: .* bytes read"
4176
4177run_test "Event-driven I/O: ticket + resume" \
4178 "$P_SRV event=1 tickets=1 auth_mode=none" \
4179 "$P_CLI event=1 tickets=1 reconnect=1" \
4180 0 \
4181 -S "mbedtls_ssl_handshake returned" \
4182 -C "mbedtls_ssl_handshake returned" \
4183 -c "Read from server: .* bytes read"
4184
4185run_test "Event-driven I/O: session-id resume" \
4186 "$P_SRV event=1 tickets=0 auth_mode=none" \
4187 "$P_CLI event=1 tickets=0 reconnect=1" \
4188 0 \
4189 -S "mbedtls_ssl_handshake returned" \
4190 -C "mbedtls_ssl_handshake returned" \
4191 -c "Read from server: .* bytes read"
4192
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]4193run_test "Event-driven I/O, DTLS: basic handshake" \
4194 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4195 "$P_CLI dtls=1 event=1 tickets=0" \
4196 0 \
4197 -c "Read from server: .* bytes read"
4198
4199run_test "Event-driven I/O, DTLS: client auth" \
4200 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4201 "$P_CLI dtls=1 event=1 tickets=0" \
4202 0 \
4203 -c "Read from server: .* bytes read"
4204
4205run_test "Event-driven I/O, DTLS: ticket" \
4206 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4207 "$P_CLI dtls=1 event=1 tickets=1" \
4208 0 \
4209 -c "Read from server: .* bytes read"
4210
4211run_test "Event-driven I/O, DTLS: ticket + client auth" \
4212 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4213 "$P_CLI dtls=1 event=1 tickets=1" \
4214 0 \
4215 -c "Read from server: .* bytes read"
4216
4217run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
4218 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
4219 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4220 0 \
4221 -c "Read from server: .* bytes read"
4222
4223run_test "Event-driven I/O, DTLS: ticket + resume" \
4224 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
4225 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
4226 0 \
4227 -c "Read from server: .* bytes read"
4228
4229run_test "Event-driven I/O, DTLS: session-id resume" \
4230 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
4231 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4232 0 \
4233 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4234
4235# This test demonstrates the need for the mbedtls_ssl_check_pending function.
4236# During session resumption, the client will send its ApplicationData record
4237# within the same datagram as the Finished messages. In this situation, the
4238# server MUST NOT idle on the underlying transport after handshake completion,
4239# because the ApplicationData request has already been queued internally.
4240run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]4241 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]4242 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
4243 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
4244 0 \
4245 -c "Read from server: .* bytes read"
4246
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4247# Tests for version negotiation
4248
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4249run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4250 "$P_SRV" \
4251 "$P_CLI" \
4252 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4253 -S "mbedtls_ssl_handshake returned" \
4254 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4255 -s "Protocol is TLSv1.2" \
4256 -c "Protocol is TLSv1.2"
4257
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4258run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4259 "$P_SRV" \
4260 "$P_CLI max_version=tls1_1" \
4261 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4262 -S "mbedtls_ssl_handshake returned" \
4263 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4264 -s "Protocol is TLSv1.1" \
4265 -c "Protocol is TLSv1.1"
4266
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4267run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4268 "$P_SRV max_version=tls1_1" \
4269 "$P_CLI" \
4270 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4271 -S "mbedtls_ssl_handshake returned" \
4272 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4273 -s "Protocol is TLSv1.1" \
4274 -c "Protocol is TLSv1.1"
4275
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4276run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4277 "$P_SRV max_version=tls1_1" \
4278 "$P_CLI max_version=tls1_1" \
4279 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4280 -S "mbedtls_ssl_handshake returned" \
4281 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4282 -s "Protocol is TLSv1.1" \
4283 -c "Protocol is TLSv1.1"
4284
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4285run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4286 "$P_SRV min_version=tls1_1" \
4287 "$P_CLI max_version=tls1_1" \
4288 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4289 -S "mbedtls_ssl_handshake returned" \
4290 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4291 -s "Protocol is TLSv1.1" \
4292 -c "Protocol is TLSv1.1"
4293
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4294run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4295 "$P_SRV max_version=tls1_1" \
4296 "$P_CLI min_version=tls1_1" \
4297 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4298 -S "mbedtls_ssl_handshake returned" \
4299 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4300 -s "Protocol is TLSv1.1" \
4301 -c "Protocol is TLSv1.1"
4302
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4303run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4304 "$P_SRV max_version=tls1_1" \
4305 "$P_CLI min_version=tls1_2" \
4306 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4307 -s "mbedtls_ssl_handshake returned" \
4308 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4309 -c "SSL - Handshake protocol not within min/max boundaries"
4310
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4311run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4312 "$P_SRV min_version=tls1_2" \
4313 "$P_CLI max_version=tls1_1" \
4314 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4315 -s "mbedtls_ssl_handshake returned" \
4316 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]4317 -s "SSL - Handshake protocol not within min/max boundaries"
4318
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4319# Tests for ALPN extension
4320
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4321run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4322 "$P_SRV debug_level=3" \
4323 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4324 0 \
4325 -C "client hello, adding alpn extension" \
4326 -S "found alpn extension" \
4327 -C "got an alert message, type: \\[2:120]" \
4328 -S "server hello, adding alpn extension" \
4329 -C "found alpn extension " \
4330 -C "Application Layer Protocol is" \
4331 -S "Application Layer Protocol is"
4332
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4333run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4334 "$P_SRV debug_level=3" \
4335 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4336 0 \
4337 -c "client hello, adding alpn extension" \
4338 -s "found alpn extension" \
4339 -C "got an alert message, type: \\[2:120]" \
4340 -S "server hello, adding alpn extension" \
4341 -C "found alpn extension " \
4342 -c "Application Layer Protocol is (none)" \
4343 -S "Application Layer Protocol is"
4344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4345run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4346 "$P_SRV debug_level=3 alpn=abc,1234" \
4347 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4348 0 \
4349 -C "client hello, adding alpn extension" \
4350 -S "found alpn extension" \
4351 -C "got an alert message, type: \\[2:120]" \
4352 -S "server hello, adding alpn extension" \
4353 -C "found alpn extension " \
4354 -C "Application Layer Protocol is" \
4355 -s "Application Layer Protocol is (none)"
4356
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4357run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4358 "$P_SRV debug_level=3 alpn=abc,1234" \
4359 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4360 0 \
4361 -c "client hello, adding alpn extension" \
4362 -s "found alpn extension" \
4363 -C "got an alert message, type: \\[2:120]" \
4364 -s "server hello, adding alpn extension" \
4365 -c "found alpn extension" \
4366 -c "Application Layer Protocol is abc" \
4367 -s "Application Layer Protocol is abc"
4368
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4369run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4370 "$P_SRV debug_level=3 alpn=abc,1234" \
4371 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4372 0 \
4373 -c "client hello, adding alpn extension" \
4374 -s "found alpn extension" \
4375 -C "got an alert message, type: \\[2:120]" \
4376 -s "server hello, adding alpn extension" \
4377 -c "found alpn extension" \
4378 -c "Application Layer Protocol is abc" \
4379 -s "Application Layer Protocol is abc"
4380
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4381run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4382 "$P_SRV debug_level=3 alpn=abc,1234" \
4383 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4384 0 \
4385 -c "client hello, adding alpn extension" \
4386 -s "found alpn extension" \
4387 -C "got an alert message, type: \\[2:120]" \
4388 -s "server hello, adding alpn extension" \
4389 -c "found alpn extension" \
4390 -c "Application Layer Protocol is 1234" \
4391 -s "Application Layer Protocol is 1234"
4392
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4393run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4394 "$P_SRV debug_level=3 alpn=abc,123" \
4395 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]4396 1 \
4397 -c "client hello, adding alpn extension" \
4398 -s "found alpn extension" \
4399 -c "got an alert message, type: \\[2:120]" \
4400 -S "server hello, adding alpn extension" \
4401 -C "found alpn extension" \
4402 -C "Application Layer Protocol is 1234" \
4403 -S "Application Layer Protocol is 1234"
4404
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]4405
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4406# Tests for keyUsage in leaf certificates, part 1:
4407# server-side certificate/suite selection
4408
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4409run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4410 "$P_SRV key_file=data_files/server2.key \
4411 crt_file=data_files/server2.ku-ds.crt" \
4412 "$P_CLI" \
4413 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]4414 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4415
4416
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4417run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4418 "$P_SRV key_file=data_files/server2.key \
4419 crt_file=data_files/server2.ku-ke.crt" \
4420 "$P_CLI" \
4421 0 \
4422 -c "Ciphersuite is TLS-RSA-WITH-"
4423
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4424run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4425 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4426 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4427 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4428 1 \
4429 -C "Ciphersuite is "
4430
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4431run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4432 "$P_SRV key_file=data_files/server5.key \
4433 crt_file=data_files/server5.ku-ds.crt" \
4434 "$P_CLI" \
4435 0 \
4436 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
4437
4438
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4439run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4440 "$P_SRV key_file=data_files/server5.key \
4441 crt_file=data_files/server5.ku-ka.crt" \
4442 "$P_CLI" \
4443 0 \
4444 -c "Ciphersuite is TLS-ECDH-"
4445
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4446run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4447 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4448 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]4449 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4450 1 \
4451 -C "Ciphersuite is "
4452
4453# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4454# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4455
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4456run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4457 "$O_SRV -key data_files/server2.key \
4458 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4459 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4460 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4461 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4462 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4463 -C "Processing of the Certificate handshake message failed" \
4464 -c "Ciphersuite is TLS-"
4465
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4466run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4467 "$O_SRV -key data_files/server2.key \
4468 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4469 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4470 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4471 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4472 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4473 -C "Processing of the Certificate handshake message failed" \
4474 -c "Ciphersuite is TLS-"
4475
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4476run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4477 "$O_SRV -key data_files/server2.key \
4478 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4479 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4480 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4481 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4482 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4483 -C "Processing of the Certificate handshake message failed" \
4484 -c "Ciphersuite is TLS-"
4485
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4486run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4487 "$O_SRV -key data_files/server2.key \
4488 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4489 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4490 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4491 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4492 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4493 -c "Processing of the Certificate handshake message failed" \
4494 -C "Ciphersuite is TLS-"
4495
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4496run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
4497 "$O_SRV -key data_files/server2.key \
4498 -cert data_files/server2.ku-ke.crt" \
4499 "$P_CLI debug_level=1 auth_mode=optional \
4500 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4501 0 \
4502 -c "bad certificate (usage extensions)" \
4503 -C "Processing of the Certificate handshake message failed" \
4504 -c "Ciphersuite is TLS-" \
4505 -c "! Usage does not match the keyUsage extension"
4506
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4507run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4508 "$O_SRV -key data_files/server2.key \
4509 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4510 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4511 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
4512 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4513 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4514 -C "Processing of the Certificate handshake message failed" \
4515 -c "Ciphersuite is TLS-"
4516
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4517run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4518 "$O_SRV -key data_files/server2.key \
4519 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4520 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4521 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4522 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4523 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]4524 -c "Processing of the Certificate handshake message failed" \
4525 -C "Ciphersuite is TLS-"
4526
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]4527run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
4528 "$O_SRV -key data_files/server2.key \
4529 -cert data_files/server2.ku-ds.crt" \
4530 "$P_CLI debug_level=1 auth_mode=optional \
4531 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4532 0 \
4533 -c "bad certificate (usage extensions)" \
4534 -C "Processing of the Certificate handshake message failed" \
4535 -c "Ciphersuite is TLS-" \
4536 -c "! Usage does not match the keyUsage extension"
4537
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4538# Tests for keyUsage in leaf certificates, part 3:
4539# server-side checking of client cert
4540
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4541run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4542 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4543 "$O_CLI -key data_files/server2.key \
4544 -cert data_files/server2.ku-ds.crt" \
4545 0 \
4546 -S "bad certificate (usage extensions)" \
4547 -S "Processing of the Certificate handshake message failed"
4548
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4549run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4550 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4551 "$O_CLI -key data_files/server2.key \
4552 -cert data_files/server2.ku-ke.crt" \
4553 0 \
4554 -s "bad certificate (usage extensions)" \
4555 -S "Processing of the Certificate handshake message failed"
4556
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4557run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4558 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4559 "$O_CLI -key data_files/server2.key \
4560 -cert data_files/server2.ku-ke.crt" \
4561 1 \
4562 -s "bad certificate (usage extensions)" \
4563 -s "Processing of the Certificate handshake message failed"
4564
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4565run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4566 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4567 "$O_CLI -key data_files/server5.key \
4568 -cert data_files/server5.ku-ds.crt" \
4569 0 \
4570 -S "bad certificate (usage extensions)" \
4571 -S "Processing of the Certificate handshake message failed"
4572
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4573run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4574 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]4575 "$O_CLI -key data_files/server5.key \
4576 -cert data_files/server5.ku-ka.crt" \
4577 0 \
4578 -s "bad certificate (usage extensions)" \
4579 -S "Processing of the Certificate handshake message failed"
4580
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4581# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
4582
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4583run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4584 "$P_SRV key_file=data_files/server5.key \
4585 crt_file=data_files/server5.eku-srv.crt" \
4586 "$P_CLI" \
4587 0
4588
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4589run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4590 "$P_SRV key_file=data_files/server5.key \
4591 crt_file=data_files/server5.eku-srv.crt" \
4592 "$P_CLI" \
4593 0
4594
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4595run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4596 "$P_SRV key_file=data_files/server5.key \
4597 crt_file=data_files/server5.eku-cs_any.crt" \
4598 "$P_CLI" \
4599 0
4600
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4601run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4602 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4603 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]4604 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4605 1
4606
4607# Tests for extendedKeyUsage, part 2: client-side checking of server cert
4608
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4609run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4610 "$O_SRV -key data_files/server5.key \
4611 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4612 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4613 0 \
4614 -C "bad certificate (usage extensions)" \
4615 -C "Processing of the Certificate handshake message failed" \
4616 -c "Ciphersuite is TLS-"
4617
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4618run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4619 "$O_SRV -key data_files/server5.key \
4620 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4621 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4622 0 \
4623 -C "bad certificate (usage extensions)" \
4624 -C "Processing of the Certificate handshake message failed" \
4625 -c "Ciphersuite is TLS-"
4626
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4627run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4628 "$O_SRV -key data_files/server5.key \
4629 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4630 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4631 0 \
4632 -C "bad certificate (usage extensions)" \
4633 -C "Processing of the Certificate handshake message failed" \
4634 -c "Ciphersuite is TLS-"
4635
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4636run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4637 "$O_SRV -key data_files/server5.key \
4638 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4639 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4640 1 \
4641 -c "bad certificate (usage extensions)" \
4642 -c "Processing of the Certificate handshake message failed" \
4643 -C "Ciphersuite is TLS-"
4644
4645# Tests for extendedKeyUsage, part 3: server-side checking of client cert
4646
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4647run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4648 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4649 "$O_CLI -key data_files/server5.key \
4650 -cert data_files/server5.eku-cli.crt" \
4651 0 \
4652 -S "bad certificate (usage extensions)" \
4653 -S "Processing of the Certificate handshake message failed"
4654
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4655run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4656 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4657 "$O_CLI -key data_files/server5.key \
4658 -cert data_files/server5.eku-srv_cli.crt" \
4659 0 \
4660 -S "bad certificate (usage extensions)" \
4661 -S "Processing of the Certificate handshake message failed"
4662
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4663run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4664 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4665 "$O_CLI -key data_files/server5.key \
4666 -cert data_files/server5.eku-cs_any.crt" \
4667 0 \
4668 -S "bad certificate (usage extensions)" \
4669 -S "Processing of the Certificate handshake message failed"
4670
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4671run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4672 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4673 "$O_CLI -key data_files/server5.key \
4674 -cert data_files/server5.eku-cs.crt" \
4675 0 \
4676 -s "bad certificate (usage extensions)" \
4677 -S "Processing of the Certificate handshake message failed"
4678
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4679run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4680 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]4681 "$O_CLI -key data_files/server5.key \
4682 -cert data_files/server5.eku-cs.crt" \
4683 1 \
4684 -s "bad certificate (usage extensions)" \
4685 -s "Processing of the Certificate handshake message failed"
4686
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]4687# Tests for DHM parameters loading
4688
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4689run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]4690 "$P_SRV" \
4691 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4692 debug_level=3" \
4693 0 \
4694 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]4695 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]4696
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4697run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]4698 "$P_SRV dhm_file=data_files/dhparams.pem" \
4699 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4700 debug_level=3" \
4701 0 \
4702 -c "value of 'DHM: P ' (1024 bits)" \
4703 -c "value of 'DHM: G ' (2 bits)"
4704
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]4705# Tests for DHM client-side size checking
4706
4707run_test "DHM size: server default, client default, OK" \
4708 "$P_SRV" \
4709 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4710 debug_level=1" \
4711 0 \
4712 -C "DHM prime too short:"
4713
4714run_test "DHM size: server default, client 2048, OK" \
4715 "$P_SRV" \
4716 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4717 debug_level=1 dhmlen=2048" \
4718 0 \
4719 -C "DHM prime too short:"
4720
4721run_test "DHM size: server 1024, client default, OK" \
4722 "$P_SRV dhm_file=data_files/dhparams.pem" \
4723 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4724 debug_level=1" \
4725 0 \
4726 -C "DHM prime too short:"
4727
4728run_test "DHM size: server 1000, client default, rejected" \
4729 "$P_SRV dhm_file=data_files/dh.1000.pem" \
4730 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4731 debug_level=1" \
4732 1 \
4733 -c "DHM prime too short:"
4734
4735run_test "DHM size: server default, client 2049, rejected" \
4736 "$P_SRV" \
4737 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
4738 debug_level=1 dhmlen=2049" \
4739 1 \
4740 -c "DHM prime too short:"
4741
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]4742# Tests for PSK callback
4743
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4744run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]4745 "$P_SRV psk=abc123 psk_identity=foo" \
4746 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4747 psk_identity=foo psk=abc123" \
4748 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]4749 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]4750 -S "SSL - Unknown identity received" \
4751 -S "SSL - Verification of the message MAC failed"
4752
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]4753requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4754run_test "PSK callback: opaque psk on client, no callback" \
4755 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
4756 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4757 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]4758 0 \
4759 -c "skip PMS generation for opaque PSK"\
4760 -S "skip PMS generation for opaque PSK"\
4761 -C "using extended master secret"\
4762 -S "using extended master secret"\
4763 -S "SSL - None of the common ciphersuites is usable" \
4764 -S "SSL - Unknown identity received" \
4765 -S "SSL - Verification of the message MAC failed"
4766
4767requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4768run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
4769 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
4770 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4771 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]4772 0 \
4773 -c "skip PMS generation for opaque PSK"\
4774 -S "skip PMS generation for opaque PSK"\
4775 -C "using extended master secret"\
4776 -S "using extended master secret"\
4777 -S "SSL - None of the common ciphersuites is usable" \
4778 -S "SSL - Unknown identity received" \
4779 -S "SSL - Verification of the message MAC failed"
4780
4781requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4782run_test "PSK callback: opaque psk on client, no callback, EMS" \
4783 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
4784 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4785 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]4786 0 \
4787 -c "skip PMS generation for opaque PSK"\
4788 -S "skip PMS generation for opaque PSK"\
4789 -c "using extended master secret"\
4790 -s "using extended master secret"\
4791 -S "SSL - None of the common ciphersuites is usable" \
4792 -S "SSL - Unknown identity received" \
4793 -S "SSL - Verification of the message MAC failed"
4794
4795requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4796run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
4797 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
4798 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4799 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]4800 0 \
4801 -c "skip PMS generation for opaque PSK"\
4802 -S "skip PMS generation for opaque PSK"\
4803 -c "using extended master secret"\
4804 -s "using extended master secret"\
4805 -S "SSL - None of the common ciphersuites is usable" \
4806 -S "SSL - Unknown identity received" \
4807 -S "SSL - Verification of the message MAC failed"
4808
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4809requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4810run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4811 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4812 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4813 psk_identity=foo psk=abc123" \
4814 0 \
4815 -C "skip PMS generation for opaque PSK"\
4816 -s "skip PMS generation for opaque PSK"\
4817 -C "using extended master secret"\
4818 -S "using extended master secret"\
4819 -S "SSL - None of the common ciphersuites is usable" \
4820 -S "SSL - Unknown identity received" \
4821 -S "SSL - Verification of the message MAC failed"
4822
4823requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4824run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4825 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4826 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
4827 psk_identity=foo psk=abc123" \
4828 0 \
4829 -C "skip PMS generation for opaque PSK"\
4830 -s "skip PMS generation for opaque PSK"\
4831 -C "using extended master secret"\
4832 -S "using extended master secret"\
4833 -S "SSL - None of the common ciphersuites is usable" \
4834 -S "SSL - Unknown identity received" \
4835 -S "SSL - Verification of the message MAC failed"
4836
4837requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4838run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4839 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4840 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
4841 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4842 psk_identity=foo psk=abc123 extended_ms=1" \
4843 0 \
4844 -c "using extended master secret"\
4845 -s "using extended master secret"\
4846 -C "skip PMS generation for opaque PSK"\
4847 -s "skip PMS generation for opaque PSK"\
4848 -S "SSL - None of the common ciphersuites is usable" \
4849 -S "SSL - Unknown identity received" \
4850 -S "SSL - Verification of the message MAC failed"
4851
4852requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4853run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4854 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4855 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
4856 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
4857 psk_identity=foo psk=abc123 extended_ms=1" \
4858 0 \
4859 -c "using extended master secret"\
4860 -s "using extended master secret"\
4861 -C "skip PMS generation for opaque PSK"\
4862 -s "skip PMS generation for opaque PSK"\
4863 -S "SSL - None of the common ciphersuites is usable" \
4864 -S "SSL - Unknown identity received" \
4865 -S "SSL - Verification of the message MAC failed"
4866
4867requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4868run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4869 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4870 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4871 psk_identity=def psk=beef" \
4872 0 \
4873 -C "skip PMS generation for opaque PSK"\
4874 -s "skip PMS generation for opaque PSK"\
4875 -C "using extended master secret"\
4876 -S "using extended master secret"\
4877 -S "SSL - None of the common ciphersuites is usable" \
4878 -S "SSL - Unknown identity received" \
4879 -S "SSL - Verification of the message MAC failed"
4880
4881requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4882run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4883 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4884 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
4885 psk_identity=def psk=beef" \
4886 0 \
4887 -C "skip PMS generation for opaque PSK"\
4888 -s "skip PMS generation for opaque PSK"\
4889 -C "using extended master secret"\
4890 -S "using extended master secret"\
4891 -S "SSL - None of the common ciphersuites is usable" \
4892 -S "SSL - Unknown identity received" \
4893 -S "SSL - Verification of the message MAC failed"
4894
4895requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4896run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4897 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4898 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
4899 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4900 psk_identity=abc psk=dead extended_ms=1" \
4901 0 \
4902 -c "using extended master secret"\
4903 -s "using extended master secret"\
4904 -C "skip PMS generation for opaque PSK"\
4905 -s "skip PMS generation for opaque PSK"\
4906 -S "SSL - None of the common ciphersuites is usable" \
4907 -S "SSL - Unknown identity received" \
4908 -S "SSL - Verification of the message MAC failed"
4909
4910requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4911run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4912 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4913 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
4914 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
4915 psk_identity=abc psk=dead extended_ms=1" \
4916 0 \
4917 -c "using extended master secret"\
4918 -s "using extended master secret"\
4919 -C "skip PMS generation for opaque PSK"\
4920 -s "skip PMS generation for opaque PSK"\
4921 -S "SSL - None of the common ciphersuites is usable" \
4922 -S "SSL - Unknown identity received" \
4923 -S "SSL - Verification of the message MAC failed"
4924
4925requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4926run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4927 "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4928 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4929 psk_identity=def psk=beef" \
4930 0 \
4931 -C "skip PMS generation for opaque PSK"\
4932 -s "skip PMS generation for opaque PSK"\
4933 -C "using extended master secret"\
4934 -S "using extended master secret"\
4935 -S "SSL - None of the common ciphersuites is usable" \
4936 -S "SSL - Unknown identity received" \
4937 -S "SSL - Verification of the message MAC failed"
4938
4939requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4940run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4941 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4942 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4943 psk_identity=def psk=beef" \
4944 0 \
4945 -C "skip PMS generation for opaque PSK"\
4946 -s "skip PMS generation for opaque PSK"\
4947 -C "using extended master secret"\
4948 -S "using extended master secret"\
4949 -S "SSL - None of the common ciphersuites is usable" \
4950 -S "SSL - Unknown identity received" \
4951 -S "SSL - Verification of the message MAC failed"
4952
4953requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4954run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4955 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4956 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4957 psk_identity=def psk=beef" \
4958 0 \
4959 -C "skip PMS generation for opaque PSK"\
4960 -C "using extended master secret"\
4961 -S "using extended master secret"\
4962 -S "SSL - None of the common ciphersuites is usable" \
4963 -S "SSL - Unknown identity received" \
4964 -S "SSL - Verification of the message MAC failed"
4965
4966requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4967run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4968 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4969 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4970 psk_identity=def psk=beef" \
4971 0 \
4972 -C "skip PMS generation for opaque PSK"\
4973 -C "using extended master secret"\
4974 -S "using extended master secret"\
4975 -S "SSL - None of the common ciphersuites is usable" \
4976 -S "SSL - Unknown identity received" \
4977 -S "SSL - Verification of the message MAC failed"
4978
4979requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
4980run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]4981 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]4982 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4983 psk_identity=def psk=beef" \
4984 1 \
4985 -s "SSL - Verification of the message MAC failed"
4986
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4987run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]4988 "$P_SRV" \
4989 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4990 psk_identity=foo psk=abc123" \
4991 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]4992 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]4993 -S "SSL - Unknown identity received" \
4994 -S "SSL - Verification of the message MAC failed"
4995
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4996run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]4997 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
4998 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
4999 psk_identity=foo psk=abc123" \
5000 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5001 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5002 -s "SSL - Unknown identity received" \
5003 -S "SSL - Verification of the message MAC failed"
5004
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5005run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5006 "$P_SRV psk_list=abc,dead,def,beef" \
5007 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5008 psk_identity=abc psk=dead" \
5009 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5010 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5011 -S "SSL - Unknown identity received" \
5012 -S "SSL - Verification of the message MAC failed"
5013
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5014run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5015 "$P_SRV psk_list=abc,dead,def,beef" \
5016 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5017 psk_identity=def psk=beef" \
5018 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5019 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5020 -S "SSL - Unknown identity received" \
5021 -S "SSL - Verification of the message MAC failed"
5022
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5023run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5024 "$P_SRV psk_list=abc,dead,def,beef" \
5025 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5026 psk_identity=ghi psk=beef" \
5027 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5028 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5029 -s "SSL - Unknown identity received" \
5030 -S "SSL - Verification of the message MAC failed"
5031
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5032run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5033 "$P_SRV psk_list=abc,dead,def,beef" \
5034 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5035 psk_identity=abc psk=beef" \
5036 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5037 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5038 -S "SSL - Unknown identity received" \
5039 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5040
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5041# Tests for EC J-PAKE
5042
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5043requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5044run_test "ECJPAKE: client not configured" \
5045 "$P_SRV debug_level=3" \
5046 "$P_CLI debug_level=3" \
5047 0 \
5048 -C "add ciphersuite: c0ff" \
5049 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5050 -S "found ecjpake kkpp extension" \
5051 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5052 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5053 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5054 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5055 -S "None of the common ciphersuites is usable"
5056
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5057requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5058run_test "ECJPAKE: server not configured" \
5059 "$P_SRV debug_level=3" \
5060 "$P_CLI debug_level=3 ecjpake_pw=bla \
5061 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5062 1 \
5063 -c "add ciphersuite: c0ff" \
5064 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5065 -s "found ecjpake kkpp extension" \
5066 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5067 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5068 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5069 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]5070 -s "None of the common ciphersuites is usable"
5071
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5072requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5073run_test "ECJPAKE: working, TLS" \
5074 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5075 "$P_CLI debug_level=3 ecjpake_pw=bla \
5076 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]5077 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5078 -c "add ciphersuite: c0ff" \
5079 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5080 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5081 -s "found ecjpake kkpp extension" \
5082 -S "skip ecjpake kkpp extension" \
5083 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]5084 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]5085 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5086 -S "None of the common ciphersuites is usable" \
5087 -S "SSL - Verification of the message MAC failed"
5088
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5089server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5090requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5091run_test "ECJPAKE: password mismatch, TLS" \
5092 "$P_SRV debug_level=3 ecjpake_pw=bla" \
5093 "$P_CLI debug_level=3 ecjpake_pw=bad \
5094 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5095 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5096 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5097 -s "SSL - Verification of the message MAC failed"
5098
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5099requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5100run_test "ECJPAKE: working, DTLS" \
5101 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5102 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5103 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5104 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5105 -c "re-using cached ecjpake parameters" \
5106 -S "SSL - Verification of the message MAC failed"
5107
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5108requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5109run_test "ECJPAKE: working, DTLS, no cookie" \
5110 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
5111 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
5112 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5113 0 \
5114 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5115 -S "SSL - Verification of the message MAC failed"
5116
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]5117server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5118requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5119run_test "ECJPAKE: password mismatch, DTLS" \
5120 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
5121 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
5122 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5123 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]5124 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]5125 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]5126
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5127# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]5128requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]5129run_test "ECJPAKE: working, DTLS, nolog" \
5130 "$P_SRV dtls=1 ecjpake_pw=bla" \
5131 "$P_CLI dtls=1 ecjpake_pw=bla \
5132 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
5133 0
5134
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5135# Tests for ciphersuites per version
5136
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5137requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5138requires_config_enabled MBEDTLS_CAMELLIA_C
5139requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5140run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5141 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5142 "$P_CLI force_version=ssl3" \
5143 0 \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5144 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5145
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5146requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
5147requires_config_enabled MBEDTLS_CAMELLIA_C
5148requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5149run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5150 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]5151 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5152 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5153 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5154
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5155requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
5156requires_config_enabled MBEDTLS_CAMELLIA_C
5157requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5158run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5159 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5160 "$P_CLI force_version=tls1_1" \
5161 0 \
5162 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
5163
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5164requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
5165requires_config_enabled MBEDTLS_CAMELLIA_C
5166requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5167run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]5168 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5169 "$P_CLI force_version=tls1_2" \
5170 0 \
5171 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
5172
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5173# Test for ClientHello without extensions
5174
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]5175requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5176run_test "ClientHello without extensions, SHA-1 allowed" \
Ron Eldor574ac572019-01-16 23:14:41 +0200[diff] [blame]5177 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5178 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]5179 0 \
5180 -s "dumping 'client hello extensions' (0 bytes)"
5181
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5182requires_gnutls
5183run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
5184 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]5185 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]5186 0 \
5187 -s "dumping 'client hello extensions' (0 bytes)"
5188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5189# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5190
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5191run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5192 "$P_SRV" \
5193 "$P_CLI request_size=100" \
5194 0 \
5195 -s "Read from client: 100 bytes read$"
5196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5197run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]5198 "$P_SRV" \
5199 "$P_CLI request_size=500" \
5200 0 \
5201 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]5202
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5203# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5204
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5205requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5206run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5207 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5208 "$P_CLI request_size=1 force_version=ssl3 \
5209 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5210 0 \
5211 -s "Read from client: 1 bytes read"
5212
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5213requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5214run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5215 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5216 "$P_CLI request_size=1 force_version=ssl3 \
5217 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5218 0 \
5219 -s "Read from client: 1 bytes read"
5220
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5221run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5222 "$P_SRV" \
5223 "$P_CLI request_size=1 force_version=tls1 \
5224 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5225 0 \
5226 -s "Read from client: 1 bytes read"
5227
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5228run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5229 "$P_SRV" \
5230 "$P_CLI request_size=1 force_version=tls1 etm=0 \
5231 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5232 0 \
5233 -s "Read from client: 1 bytes read"
5234
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5235requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5236run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5237 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5238 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5239 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5240 0 \
5241 -s "Read from client: 1 bytes read"
5242
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5243requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5244run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5245 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5246 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5247 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5248 0 \
5249 -s "Read from client: 1 bytes read"
5250
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5251run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5252 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5253 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5254 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5255 0 \
5256 -s "Read from client: 1 bytes read"
5257
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5258run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5259 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5260 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5261 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5262 0 \
5263 -s "Read from client: 1 bytes read"
5264
5265requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5266run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5267 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5268 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5269 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5270 0 \
5271 -s "Read from client: 1 bytes read"
5272
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5273requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5274run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5275 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5276 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5277 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5278 0 \
5279 -s "Read from client: 1 bytes read"
5280
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5281run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5282 "$P_SRV" \
5283 "$P_CLI request_size=1 force_version=tls1_1 \
5284 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5285 0 \
5286 -s "Read from client: 1 bytes read"
5287
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5288run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5289 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5290 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5291 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5292 0 \
5293 -s "Read from client: 1 bytes read"
5294
5295requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5296run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5297 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5298 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5299 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5300 0 \
5301 -s "Read from client: 1 bytes read"
5302
5303requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5304run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5305 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5306 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5307 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5308 0 \
5309 -s "Read from client: 1 bytes read"
5310
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5311run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5312 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5313 "$P_CLI request_size=1 force_version=tls1_1 \
5314 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5315 0 \
5316 -s "Read from client: 1 bytes read"
5317
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5318run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5319 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5320 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5321 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5322 0 \
5323 -s "Read from client: 1 bytes read"
5324
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5325requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5326run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5327 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5328 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5329 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5330 0 \
5331 -s "Read from client: 1 bytes read"
5332
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5333requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5334run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5335 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5336 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5337 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5338 0 \
5339 -s "Read from client: 1 bytes read"
5340
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5341run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5342 "$P_SRV" \
5343 "$P_CLI request_size=1 force_version=tls1_2 \
5344 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5345 0 \
5346 -s "Read from client: 1 bytes read"
5347
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5348run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5349 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5350 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5351 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]5352 0 \
5353 -s "Read from client: 1 bytes read"
5354
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5355run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5356 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5357 "$P_CLI request_size=1 force_version=tls1_2 \
5358 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5359 0 \
5360 -s "Read from client: 1 bytes read"
5361
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5362requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5363run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5364 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5365 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5366 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5367 0 \
5368 -s "Read from client: 1 bytes read"
5369
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5370requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5371run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5372 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5373 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5374 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5375 0 \
5376 -s "Read from client: 1 bytes read"
5377
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5378run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5379 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5380 "$P_CLI request_size=1 force_version=tls1_2 \
5381 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5382 0 \
5383 -s "Read from client: 1 bytes read"
5384
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5385run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5386 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5387 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5388 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5389 0 \
5390 -s "Read from client: 1 bytes read"
5391
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5392requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5393run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5394 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5395 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5396 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5397 0 \
5398 -s "Read from client: 1 bytes read"
5399
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5400requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5401run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5402 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]5403 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5404 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5405 0 \
5406 -s "Read from client: 1 bytes read"
5407
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5408run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5409 "$P_SRV" \
5410 "$P_CLI request_size=1 force_version=tls1_2 \
5411 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5412 0 \
5413 -s "Read from client: 1 bytes read"
5414
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5415run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]5416 "$P_SRV" \
5417 "$P_CLI request_size=1 force_version=tls1_2 \
5418 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5419 0 \
5420 -s "Read from client: 1 bytes read"
5421
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5422# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5423
5424requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5425run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5426 "$P_SRV dtls=1 force_version=dtls1" \
5427 "$P_CLI dtls=1 request_size=1 \
5428 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5429 0 \
5430 -s "Read from client: 1 bytes read"
5431
5432requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5433run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5434 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
5435 "$P_CLI dtls=1 request_size=1 \
5436 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5437 0 \
5438 -s "Read from client: 1 bytes read"
5439
5440requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5441requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5442run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5443 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
5444 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5445 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5446 0 \
5447 -s "Read from client: 1 bytes read"
5448
5449requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5450requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5451run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5452 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5453 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5454 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5455 0 \
5456 -s "Read from client: 1 bytes read"
5457
5458requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5459run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5460 "$P_SRV dtls=1 force_version=dtls1_2" \
5461 "$P_CLI dtls=1 request_size=1 \
5462 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5463 0 \
5464 -s "Read from client: 1 bytes read"
5465
5466requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5467run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5468 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5469 "$P_CLI dtls=1 request_size=1 \
5470 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5471 0 \
5472 -s "Read from client: 1 bytes read"
5473
5474requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5475requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5476run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5477 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5478 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5479 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5480 0 \
5481 -s "Read from client: 1 bytes read"
5482
5483requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5484requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5485run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5486 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5487 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5488 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]5489 0 \
5490 -s "Read from client: 1 bytes read"
5491
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]5492# Tests for small server packets
5493
5494requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5495run_test "Small server packet SSLv3 BlockCipher" \
5496 "$P_SRV response_size=1 min_version=ssl3" \
5497 "$P_CLI force_version=ssl3 \
5498 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5499 0 \
5500 -c "Read from server: 1 bytes read"
5501
5502requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5503run_test "Small server packet SSLv3 StreamCipher" \
5504 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5505 "$P_CLI force_version=ssl3 \
5506 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5507 0 \
5508 -c "Read from server: 1 bytes read"
5509
5510run_test "Small server packet TLS 1.0 BlockCipher" \
5511 "$P_SRV response_size=1" \
5512 "$P_CLI force_version=tls1 \
5513 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5514 0 \
5515 -c "Read from server: 1 bytes read"
5516
5517run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
5518 "$P_SRV response_size=1" \
5519 "$P_CLI force_version=tls1 etm=0 \
5520 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5521 0 \
5522 -c "Read from server: 1 bytes read"
5523
5524requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5525run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
5526 "$P_SRV response_size=1 trunc_hmac=1" \
5527 "$P_CLI force_version=tls1 \
5528 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5529 0 \
5530 -c "Read from server: 1 bytes read"
5531
5532requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5533run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
5534 "$P_SRV response_size=1 trunc_hmac=1" \
5535 "$P_CLI force_version=tls1 \
5536 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5537 0 \
5538 -c "Read from server: 1 bytes read"
5539
5540run_test "Small server packet TLS 1.0 StreamCipher" \
5541 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5542 "$P_CLI force_version=tls1 \
5543 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5544 0 \
5545 -c "Read from server: 1 bytes read"
5546
5547run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
5548 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5549 "$P_CLI force_version=tls1 \
5550 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5551 0 \
5552 -c "Read from server: 1 bytes read"
5553
5554requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5555run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
5556 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5557 "$P_CLI force_version=tls1 \
5558 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5559 0 \
5560 -c "Read from server: 1 bytes read"
5561
5562requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5563run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
5564 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5565 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
5566 trunc_hmac=1 etm=0" \
5567 0 \
5568 -c "Read from server: 1 bytes read"
5569
5570run_test "Small server packet TLS 1.1 BlockCipher" \
5571 "$P_SRV response_size=1" \
5572 "$P_CLI force_version=tls1_1 \
5573 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5574 0 \
5575 -c "Read from server: 1 bytes read"
5576
5577run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
5578 "$P_SRV response_size=1" \
5579 "$P_CLI force_version=tls1_1 \
5580 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5581 0 \
5582 -c "Read from server: 1 bytes read"
5583
5584requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5585run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
5586 "$P_SRV response_size=1 trunc_hmac=1" \
5587 "$P_CLI force_version=tls1_1 \
5588 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5589 0 \
5590 -c "Read from server: 1 bytes read"
5591
5592requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5593run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
5594 "$P_SRV response_size=1 trunc_hmac=1" \
5595 "$P_CLI force_version=tls1_1 \
5596 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5597 0 \
5598 -c "Read from server: 1 bytes read"
5599
5600run_test "Small server packet TLS 1.1 StreamCipher" \
5601 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5602 "$P_CLI force_version=tls1_1 \
5603 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5604 0 \
5605 -c "Read from server: 1 bytes read"
5606
5607run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
5608 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5609 "$P_CLI force_version=tls1_1 \
5610 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5611 0 \
5612 -c "Read from server: 1 bytes read"
5613
5614requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5615run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
5616 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5617 "$P_CLI force_version=tls1_1 \
5618 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5619 0 \
5620 -c "Read from server: 1 bytes read"
5621
5622requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5623run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
5624 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5625 "$P_CLI force_version=tls1_1 \
5626 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5627 0 \
5628 -c "Read from server: 1 bytes read"
5629
5630run_test "Small server packet TLS 1.2 BlockCipher" \
5631 "$P_SRV response_size=1" \
5632 "$P_CLI force_version=tls1_2 \
5633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5634 0 \
5635 -c "Read from server: 1 bytes read"
5636
5637run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
5638 "$P_SRV response_size=1" \
5639 "$P_CLI force_version=tls1_2 \
5640 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
5641 0 \
5642 -c "Read from server: 1 bytes read"
5643
5644run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
5645 "$P_SRV response_size=1" \
5646 "$P_CLI force_version=tls1_2 \
5647 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
5648 0 \
5649 -c "Read from server: 1 bytes read"
5650
5651requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5652run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
5653 "$P_SRV response_size=1 trunc_hmac=1" \
5654 "$P_CLI force_version=tls1_2 \
5655 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5656 0 \
5657 -c "Read from server: 1 bytes read"
5658
5659requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5660run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
5661 "$P_SRV response_size=1 trunc_hmac=1" \
5662 "$P_CLI force_version=tls1_2 \
5663 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
5664 0 \
5665 -c "Read from server: 1 bytes read"
5666
5667run_test "Small server packet TLS 1.2 StreamCipher" \
5668 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5669 "$P_CLI force_version=tls1_2 \
5670 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5671 0 \
5672 -c "Read from server: 1 bytes read"
5673
5674run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
5675 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5676 "$P_CLI force_version=tls1_2 \
5677 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5678 0 \
5679 -c "Read from server: 1 bytes read"
5680
5681requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5682run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
5683 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5684 "$P_CLI force_version=tls1_2 \
5685 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5686 0 \
5687 -c "Read from server: 1 bytes read"
5688
5689requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5690run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
5691 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
5692 "$P_CLI force_version=tls1_2 \
5693 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
5694 0 \
5695 -c "Read from server: 1 bytes read"
5696
5697run_test "Small server packet TLS 1.2 AEAD" \
5698 "$P_SRV response_size=1" \
5699 "$P_CLI force_version=tls1_2 \
5700 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
5701 0 \
5702 -c "Read from server: 1 bytes read"
5703
5704run_test "Small server packet TLS 1.2 AEAD shorter tag" \
5705 "$P_SRV response_size=1" \
5706 "$P_CLI force_version=tls1_2 \
5707 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
5708 0 \
5709 -c "Read from server: 1 bytes read"
5710
5711# Tests for small server packets in DTLS
5712
5713requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5714run_test "Small server packet DTLS 1.0" \
5715 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
5716 "$P_CLI dtls=1 \
5717 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5718 0 \
5719 -c "Read from server: 1 bytes read"
5720
5721requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5722run_test "Small server packet DTLS 1.0, without EtM" \
5723 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
5724 "$P_CLI dtls=1 \
5725 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5726 0 \
5727 -c "Read from server: 1 bytes read"
5728
5729requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5730requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5731run_test "Small server packet DTLS 1.0, truncated hmac" \
5732 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
5733 "$P_CLI dtls=1 trunc_hmac=1 \
5734 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5735 0 \
5736 -c "Read from server: 1 bytes read"
5737
5738requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5739requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5740run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
5741 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
5742 "$P_CLI dtls=1 \
5743 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5744 0 \
5745 -c "Read from server: 1 bytes read"
5746
5747requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5748run_test "Small server packet DTLS 1.2" \
5749 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
5750 "$P_CLI dtls=1 \
5751 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5752 0 \
5753 -c "Read from server: 1 bytes read"
5754
5755requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5756run_test "Small server packet DTLS 1.2, without EtM" \
5757 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
5758 "$P_CLI dtls=1 \
5759 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5760 0 \
5761 -c "Read from server: 1 bytes read"
5762
5763requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5764requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5765run_test "Small server packet DTLS 1.2, truncated hmac" \
5766 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
5767 "$P_CLI dtls=1 \
5768 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
5769 0 \
5770 -c "Read from server: 1 bytes read"
5771
5772requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
5773requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
5774run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
5775 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
5776 "$P_CLI dtls=1 \
5777 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
5778 0 \
5779 -c "Read from server: 1 bytes read"
5780
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]5781# A test for extensions in SSLv3
5782
5783requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
5784run_test "SSLv3 with extensions, server side" \
5785 "$P_SRV min_version=ssl3 debug_level=3" \
5786 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
5787 0 \
5788 -S "dumping 'client hello extensions'" \
5789 -S "server hello, total extension length:"
5790
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5791# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5792
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5793# How many fragments do we expect to write $1 bytes?
5794fragments_for_write() {
5795 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
5796}
5797
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5798requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5799run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]5800 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5801 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5802 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5803 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5804 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5805 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5806
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]5807requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5808run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5809 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5810 "$P_CLI request_size=16384 force_version=ssl3 \
5811 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5812 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5813 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5814 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5815
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5816run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5817 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5818 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5819 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5820 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5821 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5822 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5823
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5824run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5825 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5826 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
5827 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5828 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5829 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5830
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5831requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5832run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5833 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5834 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5835 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5836 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5837 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5838 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5839
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5840requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5841run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5842 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5843 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5844 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5845 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5846 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5847
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5848run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5849 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5850 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5851 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5852 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5853 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5854
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5855run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5856 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5857 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5858 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5859 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5860 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5861
5862requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5863run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5864 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5865 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5866 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5867 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5868 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5869
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5870requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5871run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5872 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5873 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5874 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5875 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5876 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5877 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5878
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5879run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5880 "$P_SRV" \
5881 "$P_CLI request_size=16384 force_version=tls1_1 \
5882 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5883 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5884 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5885 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5886
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5887run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5888 "$P_SRV" \
5889 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
5890 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5891 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5892 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5893
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5894requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5895run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5896 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5897 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5898 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5899 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5900 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5901
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5902requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5903run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5904 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5905 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5906 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5907 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5908 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5909
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5910run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5911 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5912 "$P_CLI request_size=16384 force_version=tls1_1 \
5913 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5914 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5915 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5916 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5917
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5918run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5919 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5920 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5921 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5922 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5923 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5924 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5925
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5926requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5927run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5928 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5929 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5930 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5931 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5932 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5933
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5934requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5935run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5936 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5937 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5938 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5939 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5940 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5941 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5942
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5943run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5944 "$P_SRV" \
5945 "$P_CLI request_size=16384 force_version=tls1_2 \
5946 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5947 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5948 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5949 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5950
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5951run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5952 "$P_SRV" \
5953 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
5954 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
5955 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5956 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5957
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5958run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5959 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]5960 "$P_CLI request_size=16384 force_version=tls1_2 \
5961 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5962 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5963 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5964 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5965
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5966requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5967run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5968 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5969 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5970 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5971 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5972 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5973
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5974requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5975run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5976 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5977 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]5978 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5979 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5980 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5981 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5982
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5983run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5984 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5985 "$P_CLI request_size=16384 force_version=tls1_2 \
5986 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
5987 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5988 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
5989 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5990
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5991run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]5992 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]5993 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5994 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
5995 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]5996 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]5997
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]5998requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]5999run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6000 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6001 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6002 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6003 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6004 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6005
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6006requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6007run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6008 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6009 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6010 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6011 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6012 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6013 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6014
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6015run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6016 "$P_SRV" \
6017 "$P_CLI request_size=16384 force_version=tls1_2 \
6018 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6019 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6020 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6021 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6022
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6023run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6024 "$P_SRV" \
6025 "$P_CLI request_size=16384 force_version=tls1_2 \
6026 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6027 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6028 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6029 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6030
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6031# Test for large server packets
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6032requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6033run_test "Large server packet SSLv3 StreamCipher" \
6034 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6035 "$P_CLI force_version=ssl3 \
6036 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6037 0 \
6038 -c "Read from server: 16384 bytes read"
6039
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]6040# Checking next 4 tests logs for 1n-1 split against BEAST too
6041requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6042run_test "Large server packet SSLv3 BlockCipher" \
6043 "$P_SRV response_size=16384 min_version=ssl3" \
6044 "$P_CLI force_version=ssl3 recsplit=0 \
6045 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6046 0 \
6047 -c "Read from server: 1 bytes read"\
6048 -c "16383 bytes read"\
6049 -C "Read from server: 16384 bytes read"
6050
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6051run_test "Large server packet TLS 1.0 BlockCipher" \
6052 "$P_SRV response_size=16384" \
6053 "$P_CLI force_version=tls1 recsplit=0 \
6054 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6055 0 \
6056 -c "Read from server: 1 bytes read"\
6057 -c "16383 bytes read"\
6058 -C "Read from server: 16384 bytes read"
6059
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6060run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
6061 "$P_SRV response_size=16384" \
6062 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
6063 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6064 0 \
6065 -c "Read from server: 1 bytes read"\
6066 -c "16383 bytes read"\
6067 -C "Read from server: 16384 bytes read"
6068
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6069requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6070run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
6071 "$P_SRV response_size=16384" \
6072 "$P_CLI force_version=tls1 recsplit=0 \
6073 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6074 trunc_hmac=1" \
6075 0 \
6076 -c "Read from server: 1 bytes read"\
6077 -c "16383 bytes read"\
6078 -C "Read from server: 16384 bytes read"
6079
6080requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6081run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
6082 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6083 "$P_CLI force_version=tls1 \
6084 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6085 trunc_hmac=1" \
6086 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6087 -s "16384 bytes written in 1 fragments" \
6088 -c "Read from server: 16384 bytes read"
6089
6090run_test "Large server packet TLS 1.0 StreamCipher" \
6091 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6092 "$P_CLI force_version=tls1 \
6093 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6094 0 \
6095 -s "16384 bytes written in 1 fragments" \
6096 -c "Read from server: 16384 bytes read"
6097
6098run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
6099 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6100 "$P_CLI force_version=tls1 \
6101 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6102 0 \
6103 -s "16384 bytes written in 1 fragments" \
6104 -c "Read from server: 16384 bytes read"
6105
6106requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6107run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
6108 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6109 "$P_CLI force_version=tls1 \
6110 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6111 0 \
6112 -s "16384 bytes written in 1 fragments" \
6113 -c "Read from server: 16384 bytes read"
6114
6115requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6116run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6117 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6118 "$P_CLI force_version=tls1 \
6119 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6120 0 \
6121 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6122 -c "Read from server: 16384 bytes read"
6123
6124run_test "Large server packet TLS 1.1 BlockCipher" \
6125 "$P_SRV response_size=16384" \
6126 "$P_CLI force_version=tls1_1 \
6127 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6128 0 \
6129 -c "Read from server: 16384 bytes read"
6130
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6131run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
6132 "$P_SRV response_size=16384" \
6133 "$P_CLI force_version=tls1_1 etm=0 \
6134 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6135 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6136 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6137 -c "Read from server: 16384 bytes read"
6138
6139requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6140run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
6141 "$P_SRV response_size=16384" \
6142 "$P_CLI force_version=tls1_1 \
6143 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6144 trunc_hmac=1" \
6145 0 \
6146 -c "Read from server: 16384 bytes read"
6147
6148requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6149run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6150 "$P_SRV response_size=16384 trunc_hmac=1" \
6151 "$P_CLI force_version=tls1_1 \
6152 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6153 0 \
6154 -s "16384 bytes written in 1 fragments" \
6155 -c "Read from server: 16384 bytes read"
6156
6157run_test "Large server packet TLS 1.1 StreamCipher" \
6158 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6159 "$P_CLI force_version=tls1_1 \
6160 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6161 0 \
6162 -c "Read from server: 16384 bytes read"
6163
6164run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
6165 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6166 "$P_CLI force_version=tls1_1 \
6167 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6168 0 \
6169 -s "16384 bytes written in 1 fragments" \
6170 -c "Read from server: 16384 bytes read"
6171
6172requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6173run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
6174 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6175 "$P_CLI force_version=tls1_1 \
6176 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6177 trunc_hmac=1" \
6178 0 \
6179 -c "Read from server: 16384 bytes read"
6180
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6181run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6182 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6183 "$P_CLI force_version=tls1_1 \
6184 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6185 0 \
6186 -s "16384 bytes written in 1 fragments" \
6187 -c "Read from server: 16384 bytes read"
6188
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6189run_test "Large server packet TLS 1.2 BlockCipher" \
6190 "$P_SRV response_size=16384" \
6191 "$P_CLI force_version=tls1_2 \
6192 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6193 0 \
6194 -c "Read from server: 16384 bytes read"
6195
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6196run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
6197 "$P_SRV response_size=16384" \
6198 "$P_CLI force_version=tls1_2 etm=0 \
6199 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6200 0 \
6201 -s "16384 bytes written in 1 fragments" \
6202 -c "Read from server: 16384 bytes read"
6203
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6204run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
6205 "$P_SRV response_size=16384" \
6206 "$P_CLI force_version=tls1_2 \
6207 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6208 0 \
6209 -c "Read from server: 16384 bytes read"
6210
6211requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6212run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
6213 "$P_SRV response_size=16384" \
6214 "$P_CLI force_version=tls1_2 \
6215 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
6216 trunc_hmac=1" \
6217 0 \
6218 -c "Read from server: 16384 bytes read"
6219
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6220run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6221 "$P_SRV response_size=16384 trunc_hmac=1" \
6222 "$P_CLI force_version=tls1_2 \
6223 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6224 0 \
6225 -s "16384 bytes written in 1 fragments" \
6226 -c "Read from server: 16384 bytes read"
6227
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6228run_test "Large server packet TLS 1.2 StreamCipher" \
6229 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6230 "$P_CLI force_version=tls1_2 \
6231 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6232 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6233 -s "16384 bytes written in 1 fragments" \
6234 -c "Read from server: 16384 bytes read"
6235
6236run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
6237 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6238 "$P_CLI force_version=tls1_2 \
6239 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6240 0 \
6241 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6242 -c "Read from server: 16384 bytes read"
6243
6244requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6245run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
6246 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6247 "$P_CLI force_version=tls1_2 \
6248 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6249 trunc_hmac=1" \
6250 0 \
6251 -c "Read from server: 16384 bytes read"
6252
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6253requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6254run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6255 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6256 "$P_CLI force_version=tls1_2 \
6257 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6258 0 \
6259 -s "16384 bytes written in 1 fragments" \
6260 -c "Read from server: 16384 bytes read"
6261
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6262run_test "Large server packet TLS 1.2 AEAD" \
6263 "$P_SRV response_size=16384" \
6264 "$P_CLI force_version=tls1_2 \
6265 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6266 0 \
6267 -c "Read from server: 16384 bytes read"
6268
6269run_test "Large server packet TLS 1.2 AEAD shorter tag" \
6270 "$P_SRV response_size=16384" \
6271 "$P_CLI force_version=tls1_2 \
6272 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6273 0 \
6274 -c "Read from server: 16384 bytes read"
6275
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6276# Tests for restartable ECC
6277
6278requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6279run_test "EC restart: TLS, default" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6280 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6281 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6282 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6283 debug_level=1" \
6284 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6285 -C "x509_verify_cert.*4b00" \
6286 -C "mbedtls_pk_verify.*4b00" \
6287 -C "mbedtls_ecdh_make_public.*4b00" \
6288 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6289
6290requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6291run_test "EC restart: TLS, max_ops=0" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6292 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6293 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6294 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6295 debug_level=1 ec_max_ops=0" \
6296 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6297 -C "x509_verify_cert.*4b00" \
6298 -C "mbedtls_pk_verify.*4b00" \
6299 -C "mbedtls_ecdh_make_public.*4b00" \
6300 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6301
6302requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6303run_test "EC restart: TLS, max_ops=65535" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6304 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6305 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6306 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6307 debug_level=1 ec_max_ops=65535" \
6308 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6309 -C "x509_verify_cert.*4b00" \
6310 -C "mbedtls_pk_verify.*4b00" \
6311 -C "mbedtls_ecdh_make_public.*4b00" \
6312 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6313
6314requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6315run_test "EC restart: TLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6316 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6317 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6318 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6319 debug_level=1 ec_max_ops=1000" \
6320 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6321 -c "x509_verify_cert.*4b00" \
6322 -c "mbedtls_pk_verify.*4b00" \
6323 -c "mbedtls_ecdh_make_public.*4b00" \
6324 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6325
6326requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6327run_test "EC restart: TLS, max_ops=1000, badsign" \
6328 "$P_SRV auth_mode=required \
6329 crt_file=data_files/server5-badsign.crt \
6330 key_file=data_files/server5.key" \
6331 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6332 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6333 debug_level=1 ec_max_ops=1000" \
6334 1 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6335 -c "x509_verify_cert.*4b00" \
6336 -C "mbedtls_pk_verify.*4b00" \
6337 -C "mbedtls_ecdh_make_public.*4b00" \
6338 -C "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6339 -c "! The certificate is not correctly signed by the trusted CA" \
6340 -c "! mbedtls_ssl_handshake returned" \
6341 -c "X509 - Certificate verification failed"
6342
6343requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6344run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
6345 "$P_SRV auth_mode=required \
6346 crt_file=data_files/server5-badsign.crt \
6347 key_file=data_files/server5.key" \
6348 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6349 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6350 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
6351 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6352 -c "x509_verify_cert.*4b00" \
6353 -c "mbedtls_pk_verify.*4b00" \
6354 -c "mbedtls_ecdh_make_public.*4b00" \
6355 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6356 -c "! The certificate is not correctly signed by the trusted CA" \
6357 -C "! mbedtls_ssl_handshake returned" \
6358 -C "X509 - Certificate verification failed"
6359
6360requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6361run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
6362 "$P_SRV auth_mode=required \
6363 crt_file=data_files/server5-badsign.crt \
6364 key_file=data_files/server5.key" \
6365 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6366 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6367 debug_level=1 ec_max_ops=1000 auth_mode=none" \
6368 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6369 -C "x509_verify_cert.*4b00" \
6370 -c "mbedtls_pk_verify.*4b00" \
6371 -c "mbedtls_ecdh_make_public.*4b00" \
6372 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]6373 -C "! The certificate is not correctly signed by the trusted CA" \
6374 -C "! mbedtls_ssl_handshake returned" \
6375 -C "X509 - Certificate verification failed"
6376
6377requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6378run_test "EC restart: DTLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6379 "$P_SRV auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6380 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]6381 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6382 dtls=1 debug_level=1 ec_max_ops=1000" \
6383 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6384 -c "x509_verify_cert.*4b00" \
6385 -c "mbedtls_pk_verify.*4b00" \
6386 -c "mbedtls_ecdh_make_public.*4b00" \
6387 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]6388
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6389requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6390run_test "EC restart: TLS, max_ops=1000 no client auth" \
6391 "$P_SRV" \
6392 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
6393 debug_level=1 ec_max_ops=1000" \
6394 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6395 -c "x509_verify_cert.*4b00" \
6396 -c "mbedtls_pk_verify.*4b00" \
6397 -c "mbedtls_ecdh_make_public.*4b00" \
6398 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6399
6400requires_config_enabled MBEDTLS_ECP_RESTARTABLE
6401run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
6402 "$P_SRV psk=abc123" \
6403 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
6404 psk=abc123 debug_level=1 ec_max_ops=1000" \
6405 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]6406 -C "x509_verify_cert.*4b00" \
6407 -C "mbedtls_pk_verify.*4b00" \
6408 -C "mbedtls_ecdh_make_public.*4b00" \
6409 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]6410
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6411# Tests of asynchronous private key support in SSL
6412
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6413requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6414run_test "SSL async private: sign, delay=0" \
6415 "$P_SRV \
6416 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6417 "$P_CLI" \
6418 0 \
6419 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6420 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6421
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6422requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6423run_test "SSL async private: sign, delay=1" \
6424 "$P_SRV \
6425 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6426 "$P_CLI" \
6427 0 \
6428 -s "Async sign callback: using key slot " \
6429 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6430 -s "Async resume (slot [0-9]): sign done, status=0"
6431
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]6432requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6433run_test "SSL async private: sign, delay=2" \
6434 "$P_SRV \
6435 async_operations=s async_private_delay1=2 async_private_delay2=2" \
6436 "$P_CLI" \
6437 0 \
6438 -s "Async sign callback: using key slot " \
6439 -U "Async sign callback: using key slot " \
6440 -s "Async resume (slot [0-9]): call 1 more times." \
6441 -s "Async resume (slot [0-9]): call 0 more times." \
6442 -s "Async resume (slot [0-9]): sign done, status=0"
6443
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]6444# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
6445# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
6446requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6447requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6448run_test "SSL async private: sign, RSA, TLS 1.1" \
6449 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
6450 async_operations=s async_private_delay1=0 async_private_delay2=0" \
6451 "$P_CLI force_version=tls1_1" \
6452 0 \
6453 -s "Async sign callback: using key slot " \
6454 -s "Async resume (slot [0-9]): sign done, status=0"
6455
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6456requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]6457run_test "SSL async private: sign, SNI" \
6458 "$P_SRV debug_level=3 \
6459 async_operations=s async_private_delay1=0 async_private_delay2=0 \
6460 crt_file=data_files/server5.crt key_file=data_files/server5.key \
6461 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
6462 "$P_CLI server_name=polarssl.example" \
6463 0 \
6464 -s "Async sign callback: using key slot " \
6465 -s "Async resume (slot [0-9]): sign done, status=0" \
6466 -s "parse ServerName extension" \
6467 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
6468 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
6469
6470requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6471run_test "SSL async private: decrypt, delay=0" \
6472 "$P_SRV \
6473 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6474 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6475 0 \
6476 -s "Async decrypt callback: using key slot " \
6477 -s "Async resume (slot [0-9]): decrypt done, status=0"
6478
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6479requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6480run_test "SSL async private: decrypt, delay=1" \
6481 "$P_SRV \
6482 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6483 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6484 0 \
6485 -s "Async decrypt callback: using key slot " \
6486 -s "Async resume (slot [0-9]): call 0 more times." \
6487 -s "Async resume (slot [0-9]): decrypt done, status=0"
6488
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6489requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6490run_test "SSL async private: decrypt RSA-PSK, delay=0" \
6491 "$P_SRV psk=abc123 \
6492 async_operations=d async_private_delay1=0 async_private_delay2=0" \
6493 "$P_CLI psk=abc123 \
6494 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6495 0 \
6496 -s "Async decrypt callback: using key slot " \
6497 -s "Async resume (slot [0-9]): decrypt done, status=0"
6498
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6499requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6500run_test "SSL async private: decrypt RSA-PSK, delay=1" \
6501 "$P_SRV psk=abc123 \
6502 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6503 "$P_CLI psk=abc123 \
6504 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
6505 0 \
6506 -s "Async decrypt callback: using key slot " \
6507 -s "Async resume (slot [0-9]): call 0 more times." \
6508 -s "Async resume (slot [0-9]): decrypt done, status=0"
6509
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6510requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6511run_test "SSL async private: sign callback not present" \
6512 "$P_SRV \
6513 async_operations=d async_private_delay1=1 async_private_delay2=1" \
6514 "$P_CLI; [ \$? -eq 1 ] &&
6515 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6516 0 \
6517 -S "Async sign callback" \
6518 -s "! mbedtls_ssl_handshake returned" \
6519 -s "The own private key or pre-shared key is not set, but needed" \
6520 -s "Async resume (slot [0-9]): decrypt done, status=0" \
6521 -s "Successful connection"
6522
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6523requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6524run_test "SSL async private: decrypt callback not present" \
6525 "$P_SRV debug_level=1 \
6526 async_operations=s async_private_delay1=1 async_private_delay2=1" \
6527 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
6528 [ \$? -eq 1 ] && $P_CLI" \
6529 0 \
6530 -S "Async decrypt callback" \
6531 -s "! mbedtls_ssl_handshake returned" \
6532 -s "got no RSA private key" \
6533 -s "Async resume (slot [0-9]): sign done, status=0" \
6534 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6535
6536# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6537requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6538run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6539 "$P_SRV \
6540 async_operations=s async_private_delay1=1 \
6541 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6542 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6543 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6544 0 \
6545 -s "Async sign callback: using key slot 0," \
6546 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6547 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6548
6549# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6550requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6551run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6552 "$P_SRV \
6553 async_operations=s async_private_delay2=1 \
6554 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6555 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6556 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6557 0 \
6558 -s "Async sign callback: using key slot 0," \
6559 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6560 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6561
6562# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6563requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]6564run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6565 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]6566 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6567 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6568 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6569 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6570 0 \
6571 -s "Async sign callback: using key slot 1," \
6572 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6573 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6574
6575# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6576requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6577run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6578 "$P_SRV \
6579 async_operations=s async_private_delay1=1 \
6580 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6581 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6582 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6583 0 \
6584 -s "Async sign callback: no key matches this certificate."
6585
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6586requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6587run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6588 "$P_SRV \
6589 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6590 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6591 "$P_CLI" \
6592 1 \
6593 -s "Async sign callback: injected error" \
6594 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6595 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6596 -s "! mbedtls_ssl_handshake returned"
6597
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6598requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6599run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6600 "$P_SRV \
6601 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6602 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6603 "$P_CLI" \
6604 1 \
6605 -s "Async sign callback: using key slot " \
6606 -S "Async resume" \
6607 -s "Async cancel"
6608
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6609requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6610run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6611 "$P_SRV \
6612 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6613 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6614 "$P_CLI" \
6615 1 \
6616 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6617 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]6618 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6619 -s "! mbedtls_ssl_handshake returned"
6620
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6621requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6622run_test "SSL async private: decrypt, error in start" \
6623 "$P_SRV \
6624 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6625 async_private_error=1" \
6626 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6627 1 \
6628 -s "Async decrypt callback: injected error" \
6629 -S "Async resume" \
6630 -S "Async cancel" \
6631 -s "! mbedtls_ssl_handshake returned"
6632
6633requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6634run_test "SSL async private: decrypt, cancel after start" \
6635 "$P_SRV \
6636 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6637 async_private_error=2" \
6638 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6639 1 \
6640 -s "Async decrypt callback: using key slot " \
6641 -S "Async resume" \
6642 -s "Async cancel"
6643
6644requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
6645run_test "SSL async private: decrypt, error in resume" \
6646 "$P_SRV \
6647 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6648 async_private_error=3" \
6649 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6650 1 \
6651 -s "Async decrypt callback: using key slot " \
6652 -s "Async resume callback: decrypt done but injected error" \
6653 -S "Async cancel" \
6654 -s "! mbedtls_ssl_handshake returned"
6655
6656requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6657run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6658 "$P_SRV \
6659 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6660 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6661 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6662 0 \
6663 -s "Async cancel" \
6664 -s "! mbedtls_ssl_handshake returned" \
6665 -s "Async resume" \
6666 -s "Successful connection"
6667
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6668requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6669run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6670 "$P_SRV \
6671 async_operations=s async_private_delay1=1 async_private_delay2=1 \
6672 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6673 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
6674 0 \
6675 -s "! mbedtls_ssl_handshake returned" \
6676 -s "Async resume" \
6677 -s "Successful connection"
6678
6679# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6680requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6681run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6682 "$P_SRV \
6683 async_operations=s async_private_delay1=1 async_private_error=-2 \
6684 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6685 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6686 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6687 [ \$? -eq 1 ] &&
6688 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6689 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]6690 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6691 -S "Async resume" \
6692 -s "Async cancel" \
6693 -s "! mbedtls_ssl_handshake returned" \
6694 -s "Async sign callback: no key matches this certificate." \
6695 -s "Successful connection"
6696
6697# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6698requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]6699run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6700 "$P_SRV \
6701 async_operations=s async_private_delay1=1 async_private_error=-3 \
6702 key_file=data_files/server5.key crt_file=data_files/server5.crt \
6703 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]6704 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
6705 [ \$? -eq 1 ] &&
6706 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
6707 0 \
6708 -s "Async resume" \
6709 -s "! mbedtls_ssl_handshake returned" \
6710 -s "Async sign callback: no key matches this certificate." \
6711 -s "Successful connection"
6712
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6713requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6714requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6715run_test "SSL async private: renegotiation: client-initiated; sign" \
6716 "$P_SRV \
6717 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6718 exchanges=2 renegotiation=1" \
6719 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
6720 0 \
6721 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6722 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6723
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6724requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6726run_test "SSL async private: renegotiation: server-initiated; sign" \
6727 "$P_SRV \
6728 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6729 exchanges=2 renegotiation=1 renegotiate=1" \
6730 "$P_CLI exchanges=2 renegotiation=1" \
6731 0 \
6732 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6733 -s "Async resume (slot [0-9]): sign done, status=0"
6734
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6735requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6736requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6737run_test "SSL async private: renegotiation: client-initiated; decrypt" \
6738 "$P_SRV \
6739 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6740 exchanges=2 renegotiation=1" \
6741 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
6742 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6743 0 \
6744 -s "Async decrypt callback: using key slot " \
6745 -s "Async resume (slot [0-9]): decrypt done, status=0"
6746
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]6747requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]6748requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
6749run_test "SSL async private: renegotiation: server-initiated; decrypt" \
6750 "$P_SRV \
6751 async_operations=d async_private_delay1=1 async_private_delay2=1 \
6752 exchanges=2 renegotiation=1 renegotiate=1" \
6753 "$P_CLI exchanges=2 renegotiation=1 \
6754 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
6755 0 \
6756 -s "Async decrypt callback: using key slot " \
6757 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]6758
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6759# Tests for ECC extensions (rfc 4492)
6760
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6761requires_config_enabled MBEDTLS_AES_C
6762requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6763requires_config_enabled MBEDTLS_SHA256_C
6764requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6765run_test "Force a non ECC ciphersuite in the client side" \
6766 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6767 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6768 0 \
6769 -C "client hello, adding supported_elliptic_curves extension" \
6770 -C "client hello, adding supported_point_formats extension" \
6771 -S "found supported elliptic curves extension" \
6772 -S "found supported point formats extension"
6773
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6774requires_config_enabled MBEDTLS_AES_C
6775requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6776requires_config_enabled MBEDTLS_SHA256_C
6777requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6778run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6779 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6780 "$P_CLI debug_level=3" \
6781 0 \
6782 -C "found supported_point_formats extension" \
6783 -S "server hello, supported_point_formats extension"
6784
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6785requires_config_enabled MBEDTLS_AES_C
6786requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6787requires_config_enabled MBEDTLS_SHA256_C
6788requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6789run_test "Force an ECC ciphersuite in the client side" \
6790 "$P_SRV debug_level=3" \
6791 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6792 0 \
6793 -c "client hello, adding supported_elliptic_curves extension" \
6794 -c "client hello, adding supported_point_formats extension" \
6795 -s "found supported elliptic curves extension" \
6796 -s "found supported point formats extension"
6797
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]6798requires_config_enabled MBEDTLS_AES_C
6799requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
6800requires_config_enabled MBEDTLS_SHA256_C
6801requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]6802run_test "Force an ECC ciphersuite in the server side" \
6803 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
6804 "$P_CLI debug_level=3" \
6805 0 \
6806 -c "found supported_point_formats extension" \
6807 -s "server hello, supported_point_formats extension"
6808
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6809# Tests for DTLS HelloVerifyRequest
6810
6811run_test "DTLS cookie: enabled" \
6812 "$P_SRV dtls=1 debug_level=2" \
6813 "$P_CLI dtls=1 debug_level=2" \
6814 0 \
6815 -s "cookie verification failed" \
6816 -s "cookie verification passed" \
6817 -S "cookie verification skipped" \
6818 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6819 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6820 -S "SSL - The requested feature is not available"
6821
6822run_test "DTLS cookie: disabled" \
6823 "$P_SRV dtls=1 debug_level=2 cookies=0" \
6824 "$P_CLI dtls=1 debug_level=2" \
6825 0 \
6826 -S "cookie verification failed" \
6827 -S "cookie verification passed" \
6828 -s "cookie verification skipped" \
6829 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6830 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6831 -S "SSL - The requested feature is not available"
6832
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6833run_test "DTLS cookie: default (failing)" \
6834 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
6835 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
6836 1 \
6837 -s "cookie verification failed" \
6838 -S "cookie verification passed" \
6839 -S "cookie verification skipped" \
6840 -C "received hello verify request" \
6841 -S "hello verification requested" \
6842 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6843
6844requires_ipv6
6845run_test "DTLS cookie: enabled, IPv6" \
6846 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
6847 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
6848 0 \
6849 -s "cookie verification failed" \
6850 -s "cookie verification passed" \
6851 -S "cookie verification skipped" \
6852 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6853 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]6854 -S "SSL - The requested feature is not available"
6855
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6856run_test "DTLS cookie: enabled, nbio" \
6857 "$P_SRV dtls=1 nbio=2 debug_level=2" \
6858 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6859 0 \
6860 -s "cookie verification failed" \
6861 -s "cookie verification passed" \
6862 -S "cookie verification skipped" \
6863 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]6864 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]6865 -S "SSL - The requested feature is not available"
6866
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6867# Tests for client reconnecting from the same port with DTLS
6868
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6869not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6870run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6871 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
6872 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6873 0 \
6874 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6875 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6876 -S "Client initiated reconnection from same port"
6877
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6878not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6879run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6880 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
6881 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6882 0 \
6883 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6884 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6885 -s "Client initiated reconnection from same port"
6886
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]6887not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
6888run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6889 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
6890 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6891 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6892 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]6893 -s "Client initiated reconnection from same port"
6894
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]6895only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
6896run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
6897 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
6898 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
6899 0 \
6900 -S "The operation timed out" \
6901 -s "Client initiated reconnection from same port"
6902
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6903run_test "DTLS client reconnect from same port: no cookies" \
6904 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]6905 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
6906 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]6907 -s "The operation timed out" \
6908 -S "Client initiated reconnection from same port"
6909
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]6910# Tests for various cases of client authentication with DTLS
6911# (focused on handshake flows and message parsing)
6912
6913run_test "DTLS client auth: required" \
6914 "$P_SRV dtls=1 auth_mode=required" \
6915 "$P_CLI dtls=1" \
6916 0 \
6917 -s "Verifying peer X.509 certificate... ok"
6918
6919run_test "DTLS client auth: optional, client has no cert" \
6920 "$P_SRV dtls=1 auth_mode=optional" \
6921 "$P_CLI dtls=1 crt_file=none key_file=none" \
6922 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6923 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]6924
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6925run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]6926 "$P_SRV dtls=1 auth_mode=none" \
6927 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
6928 0 \
6929 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]6930 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]6931
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]6932run_test "DTLS wrong PSK: badmac alert" \
6933 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
6934 "$P_CLI dtls=1 psk=abc124" \
6935 1 \
6936 -s "SSL - Verification of the message MAC failed" \
6937 -c "SSL - A fatal alert message was received from our peer"
6938
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]6939# Tests for receiving fragmented handshake messages with DTLS
6940
6941requires_gnutls
6942run_test "DTLS reassembly: no fragmentation (gnutls server)" \
6943 "$G_SRV -u --mtu 2048 -a" \
6944 "$P_CLI dtls=1 debug_level=2" \
6945 0 \
6946 -C "found fragmented DTLS handshake message" \
6947 -C "error"
6948
6949requires_gnutls
6950run_test "DTLS reassembly: some fragmentation (gnutls server)" \
6951 "$G_SRV -u --mtu 512" \
6952 "$P_CLI dtls=1 debug_level=2" \
6953 0 \
6954 -c "found fragmented DTLS handshake message" \
6955 -C "error"
6956
6957requires_gnutls
6958run_test "DTLS reassembly: more fragmentation (gnutls server)" \
6959 "$G_SRV -u --mtu 128" \
6960 "$P_CLI dtls=1 debug_level=2" \
6961 0 \
6962 -c "found fragmented DTLS handshake message" \
6963 -C "error"
6964
6965requires_gnutls
6966run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
6967 "$G_SRV -u --mtu 128" \
6968 "$P_CLI dtls=1 nbio=2 debug_level=2" \
6969 0 \
6970 -c "found fragmented DTLS handshake message" \
6971 -C "error"
6972
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]6973requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]6974requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]6975run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
6976 "$G_SRV -u --mtu 256" \
6977 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
6978 0 \
6979 -c "found fragmented DTLS handshake message" \
6980 -c "client hello, adding renegotiation extension" \
6981 -c "found renegotiation extension" \
6982 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6983 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]6984 -C "error" \
6985 -s "Extra-header:"
6986
6987requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]6988requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]6989run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
6990 "$G_SRV -u --mtu 256" \
6991 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
6992 0 \
6993 -c "found fragmented DTLS handshake message" \
6994 -c "client hello, adding renegotiation extension" \
6995 -c "found renegotiation extension" \
6996 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6997 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]6998 -C "error" \
6999 -s "Extra-header:"
7000
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7001run_test "DTLS reassembly: no fragmentation (openssl server)" \
7002 "$O_SRV -dtls1 -mtu 2048" \
7003 "$P_CLI dtls=1 debug_level=2" \
7004 0 \
7005 -C "found fragmented DTLS handshake message" \
7006 -C "error"
7007
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7008run_test "DTLS reassembly: some fragmentation (openssl server)" \
7009 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7010 "$P_CLI dtls=1 debug_level=2" \
7011 0 \
7012 -c "found fragmented DTLS handshake message" \
7013 -C "error"
7014
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7015run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]7016 "$O_SRV -dtls1 -mtu 256" \
7017 "$P_CLI dtls=1 debug_level=2" \
7018 0 \
7019 -c "found fragmented DTLS handshake message" \
7020 -C "error"
7021
7022run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
7023 "$O_SRV -dtls1 -mtu 256" \
7024 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7025 0 \
7026 -c "found fragmented DTLS handshake message" \
7027 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7028
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7029# Tests for sending fragmented handshake messages with DTLS
7030#
7031# Use client auth when we need the client to send large messages,
7032# and use large cert chains on both sides too (the long chains we have all use
7033# both RSA and ECDSA, but ideally we should have long chains with either).
7034# Sizes reached (UDP payload):
7035# - 2037B for server certificate
7036# - 1542B for client certificate
7037# - 1013B for newsessionticket
7038# - all others below 512B
7039# All those tests assume MAX_CONTENT_LEN is at least 2048
7040
7041requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7042requires_config_enabled MBEDTLS_RSA_C
7043requires_config_enabled MBEDTLS_ECDSA_C
7044requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7045run_test "DTLS fragmenting: none (for reference)" \
7046 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7047 crt_file=data_files/server7_int-ca.crt \
7048 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7049 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7050 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7051 "$P_CLI dtls=1 debug_level=2 \
7052 crt_file=data_files/server8_int-ca2.crt \
7053 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7054 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7055 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7056 0 \
7057 -S "found fragmented DTLS handshake message" \
7058 -C "found fragmented DTLS handshake message" \
7059 -C "error"
7060
7061requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7062requires_config_enabled MBEDTLS_RSA_C
7063requires_config_enabled MBEDTLS_ECDSA_C
7064requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7065run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7066 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7067 crt_file=data_files/server7_int-ca.crt \
7068 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7069 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7070 max_frag_len=1024" \
7071 "$P_CLI dtls=1 debug_level=2 \
7072 crt_file=data_files/server8_int-ca2.crt \
7073 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7074 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7075 max_frag_len=2048" \
7076 0 \
7077 -S "found fragmented DTLS handshake message" \
7078 -c "found fragmented DTLS handshake message" \
7079 -C "error"
7080
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7081# With the MFL extension, the server has no way of forcing
7082# the client to not exceed a certain MTU; hence, the following
7083# test can't be replicated with an MTU proxy such as the one
7084# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7085requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7086requires_config_enabled MBEDTLS_RSA_C
7087requires_config_enabled MBEDTLS_ECDSA_C
7088requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7089run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7090 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7091 crt_file=data_files/server7_int-ca.crt \
7092 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7093 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7094 max_frag_len=512" \
7095 "$P_CLI dtls=1 debug_level=2 \
7096 crt_file=data_files/server8_int-ca2.crt \
7097 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7098 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]7099 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7100 0 \
7101 -S "found fragmented DTLS handshake message" \
7102 -c "found fragmented DTLS handshake message" \
7103 -C "error"
7104
7105requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7106requires_config_enabled MBEDTLS_RSA_C
7107requires_config_enabled MBEDTLS_ECDSA_C
7108requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7109run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7110 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7111 crt_file=data_files/server7_int-ca.crt \
7112 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7113 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7114 max_frag_len=2048" \
7115 "$P_CLI dtls=1 debug_level=2 \
7116 crt_file=data_files/server8_int-ca2.crt \
7117 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7118 hs_timeout=2500-60000 \
7119 max_frag_len=1024" \
7120 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7121 -S "found fragmented DTLS handshake message" \
7122 -c "found fragmented DTLS handshake message" \
7123 -C "error"
7124
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7125# While not required by the standard defining the MFL extension
7126# (according to which it only applies to records, not to datagrams),
7127# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7128# as otherwise there wouldn't be any means to communicate MTU restrictions
7129# to the peer.
7130# The next test checks that no datagrams significantly larger than the
7131# negotiated MFL are sent.
7132requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7133requires_config_enabled MBEDTLS_RSA_C
7134requires_config_enabled MBEDTLS_ECDSA_C
7135requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7136run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7137 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7138 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
7139 crt_file=data_files/server7_int-ca.crt \
7140 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7141 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7142 max_frag_len=2048" \
7143 "$P_CLI dtls=1 debug_level=2 \
7144 crt_file=data_files/server8_int-ca2.crt \
7145 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7146 hs_timeout=2500-60000 \
7147 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7148 0 \
7149 -S "found fragmented DTLS handshake message" \
7150 -c "found fragmented DTLS handshake message" \
7151 -C "error"
7152
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7153requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7154requires_config_enabled MBEDTLS_RSA_C
7155requires_config_enabled MBEDTLS_ECDSA_C
7156requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7157run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7158 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7159 crt_file=data_files/server7_int-ca.crt \
7160 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7161 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7162 max_frag_len=2048" \
7163 "$P_CLI dtls=1 debug_level=2 \
7164 crt_file=data_files/server8_int-ca2.crt \
7165 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7166 hs_timeout=2500-60000 \
7167 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]7168 0 \
7169 -s "found fragmented DTLS handshake message" \
7170 -c "found fragmented DTLS handshake message" \
7171 -C "error"
7172
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7173# While not required by the standard defining the MFL extension
7174# (according to which it only applies to records, not to datagrams),
7175# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
7176# as otherwise there wouldn't be any means to communicate MTU restrictions
7177# to the peer.
7178# The next test checks that no datagrams significantly larger than the
7179# negotiated MFL are sent.
7180requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7181requires_config_enabled MBEDTLS_RSA_C
7182requires_config_enabled MBEDTLS_ECDSA_C
7183requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
7184run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]7185 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7186 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7187 crt_file=data_files/server7_int-ca.crt \
7188 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7189 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7190 max_frag_len=2048" \
7191 "$P_CLI dtls=1 debug_level=2 \
7192 crt_file=data_files/server8_int-ca2.crt \
7193 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7194 hs_timeout=2500-60000 \
7195 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]7196 0 \
7197 -s "found fragmented DTLS handshake message" \
7198 -c "found fragmented DTLS handshake message" \
7199 -C "error"
7200
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7201requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7202requires_config_enabled MBEDTLS_RSA_C
7203requires_config_enabled MBEDTLS_ECDSA_C
7204run_test "DTLS fragmenting: none (for reference) (MTU)" \
7205 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7206 crt_file=data_files/server7_int-ca.crt \
7207 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7208 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7209 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7210 "$P_CLI dtls=1 debug_level=2 \
7211 crt_file=data_files/server8_int-ca2.crt \
7212 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7213 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7214 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7215 0 \
7216 -S "found fragmented DTLS handshake message" \
7217 -C "found fragmented DTLS handshake message" \
7218 -C "error"
7219
7220requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7221requires_config_enabled MBEDTLS_RSA_C
7222requires_config_enabled MBEDTLS_ECDSA_C
7223run_test "DTLS fragmenting: client (MTU)" \
7224 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7225 crt_file=data_files/server7_int-ca.crt \
7226 key_file=data_files/server7.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7227 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]7228 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7229 "$P_CLI dtls=1 debug_level=2 \
7230 crt_file=data_files/server8_int-ca2.crt \
7231 key_file=data_files/server8.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]7232 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7233 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7234 0 \
7235 -s "found fragmented DTLS handshake message" \
7236 -C "found fragmented DTLS handshake message" \
7237 -C "error"
7238
7239requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7240requires_config_enabled MBEDTLS_RSA_C
7241requires_config_enabled MBEDTLS_ECDSA_C
7242run_test "DTLS fragmenting: server (MTU)" \
7243 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7244 crt_file=data_files/server7_int-ca.crt \
7245 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7246 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7247 mtu=512" \
7248 "$P_CLI dtls=1 debug_level=2 \
7249 crt_file=data_files/server8_int-ca2.crt \
7250 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7251 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7252 mtu=2048" \
7253 0 \
7254 -S "found fragmented DTLS handshake message" \
7255 -c "found fragmented DTLS handshake message" \
7256 -C "error"
7257
7258requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7259requires_config_enabled MBEDTLS_RSA_C
7260requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7261run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7262 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7263 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7264 crt_file=data_files/server7_int-ca.crt \
7265 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7266 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]7267 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7268 "$P_CLI dtls=1 debug_level=2 \
7269 crt_file=data_files/server8_int-ca2.crt \
7270 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7271 hs_timeout=2500-60000 \
7272 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]7273 0 \
7274 -s "found fragmented DTLS handshake message" \
7275 -c "found fragmented DTLS handshake message" \
7276 -C "error"
7277
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7278# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7279requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7280requires_config_enabled MBEDTLS_RSA_C
7281requires_config_enabled MBEDTLS_ECDSA_C
7282requires_config_enabled MBEDTLS_SHA256_C
7283requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7284requires_config_enabled MBEDTLS_AES_C
7285requires_config_enabled MBEDTLS_GCM_C
7286run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]7287 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7288 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7289 crt_file=data_files/server7_int-ca.crt \
7290 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7291 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]7292 mtu=512" \
7293 "$P_CLI dtls=1 debug_level=2 \
7294 crt_file=data_files/server8_int-ca2.crt \
7295 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7296 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7297 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7298 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]7299 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]7300 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]7301 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]7302 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]7303
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7304# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7305# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7306# The ratio of max/min timeout should ideally equal 4 to accept two
7307# retransmissions, but in some cases (like both the server and client using
7308# fragmentation and auto-reduction) an extra retransmission might occur,
7309# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]7310not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7311requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7312requires_config_enabled MBEDTLS_RSA_C
7313requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7314requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7315requires_config_enabled MBEDTLS_AES_C
7316requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7317run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7318 -p "$P_PXY mtu=508" \
7319 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7320 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7321 key_file=data_files/server7.key \
7322 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7323 "$P_CLI dtls=1 debug_level=2 \
7324 crt_file=data_files/server8_int-ca2.crt \
7325 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7326 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7327 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]7328 0 \
7329 -s "found fragmented DTLS handshake message" \
7330 -c "found fragmented DTLS handshake message" \
7331 -C "error"
7332
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7333# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7334only_with_valgrind
7335requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7336requires_config_enabled MBEDTLS_RSA_C
7337requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7338requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7339requires_config_enabled MBEDTLS_AES_C
7340requires_config_enabled MBEDTLS_GCM_C
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7341run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
7342 -p "$P_PXY mtu=508" \
7343 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7344 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7345 key_file=data_files/server7.key \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7346 hs_timeout=250-10000" \
7347 "$P_CLI dtls=1 debug_level=2 \
7348 crt_file=data_files/server8_int-ca2.crt \
7349 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7350 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]7351 hs_timeout=250-10000" \
7352 0 \
7353 -s "found fragmented DTLS handshake message" \
7354 -c "found fragmented DTLS handshake message" \
7355 -C "error"
7356
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7357# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]7358# OTOH the client might resend if the server is to slow to reset after sending
7359# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7360not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7361requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7362requires_config_enabled MBEDTLS_RSA_C
7363requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7364run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7365 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7366 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7367 crt_file=data_files/server7_int-ca.crt \
7368 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7369 hs_timeout=10000-60000 \
7370 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7371 "$P_CLI dtls=1 debug_level=2 \
7372 crt_file=data_files/server8_int-ca2.crt \
7373 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7374 hs_timeout=10000-60000 \
7375 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7376 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7377 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7378 -s "found fragmented DTLS handshake message" \
7379 -c "found fragmented DTLS handshake message" \
7380 -C "error"
7381
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7382# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7383# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
7384# OTOH the client might resend if the server is to slow to reset after sending
7385# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7386not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7387requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7388requires_config_enabled MBEDTLS_RSA_C
7389requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7390requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7391requires_config_enabled MBEDTLS_AES_C
7392requires_config_enabled MBEDTLS_GCM_C
7393run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7394 -p "$P_PXY mtu=512" \
7395 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7396 crt_file=data_files/server7_int-ca.crt \
7397 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7398 hs_timeout=10000-60000 \
7399 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7400 "$P_CLI dtls=1 debug_level=2 \
7401 crt_file=data_files/server8_int-ca2.crt \
7402 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7403 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7404 hs_timeout=10000-60000 \
7405 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7406 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7407 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7408 -s "found fragmented DTLS handshake message" \
7409 -c "found fragmented DTLS handshake message" \
7410 -C "error"
7411
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7412not_with_valgrind # spurious autoreduction due to timeout
7413requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7414requires_config_enabled MBEDTLS_RSA_C
7415requires_config_enabled MBEDTLS_ECDSA_C
7416run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7417 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7418 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7419 crt_file=data_files/server7_int-ca.crt \
7420 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7421 hs_timeout=10000-60000 \
7422 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7423 "$P_CLI dtls=1 debug_level=2 \
7424 crt_file=data_files/server8_int-ca2.crt \
7425 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7426 hs_timeout=10000-60000 \
7427 mtu=1024 nbio=2" \
7428 0 \
7429 -S "autoreduction" \
7430 -s "found fragmented DTLS handshake message" \
7431 -c "found fragmented DTLS handshake message" \
7432 -C "error"
7433
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7434# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7435not_with_valgrind # spurious autoreduction due to timeout
7436requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7437requires_config_enabled MBEDTLS_RSA_C
7438requires_config_enabled MBEDTLS_ECDSA_C
7439requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7440requires_config_enabled MBEDTLS_AES_C
7441requires_config_enabled MBEDTLS_GCM_C
7442run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
7443 -p "$P_PXY mtu=512" \
7444 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7445 crt_file=data_files/server7_int-ca.crt \
7446 key_file=data_files/server7.key \
7447 hs_timeout=10000-60000 \
7448 mtu=512 nbio=2" \
7449 "$P_CLI dtls=1 debug_level=2 \
7450 crt_file=data_files/server8_int-ca2.crt \
7451 key_file=data_files/server8.key \
7452 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7453 hs_timeout=10000-60000 \
7454 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7455 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7456 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7457 -s "found fragmented DTLS handshake message" \
7458 -c "found fragmented DTLS handshake message" \
7459 -C "error"
7460
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7461# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]7462# This ensures things still work after session_reset().
7463# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7464# Since we don't support reading fragmented ClientHello yet,
7465# up the MTU to 1450 (larger than ClientHello with session ticket,
7466# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7467# An autoreduction on the client-side might happen if the server is
7468# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7469# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7470# resumed listening, which would result in a spurious autoreduction.
7471not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7472requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7473requires_config_enabled MBEDTLS_RSA_C
7474requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7475requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7476requires_config_enabled MBEDTLS_AES_C
7477requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7478run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
7479 -p "$P_PXY mtu=1450" \
7480 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7481 crt_file=data_files/server7_int-ca.crt \
7482 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7483 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7484 mtu=1450" \
7485 "$P_CLI dtls=1 debug_level=2 \
7486 crt_file=data_files/server8_int-ca2.crt \
7487 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7488 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7489 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]7490 mtu=1450 reconnect=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7491 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7492 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]7493 -s "found fragmented DTLS handshake message" \
7494 -c "found fragmented DTLS handshake message" \
7495 -C "error"
7496
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7497# An autoreduction on the client-side might happen if the server is
7498# slow to reset, therefore omitting '-C "autoreduction"' below.
7499not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7500requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7501requires_config_enabled MBEDTLS_RSA_C
7502requires_config_enabled MBEDTLS_ECDSA_C
7503requires_config_enabled MBEDTLS_SHA256_C
7504requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7505requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7506requires_config_enabled MBEDTLS_CHACHAPOLY_C
7507run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
7508 -p "$P_PXY mtu=512" \
7509 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7510 crt_file=data_files/server7_int-ca.crt \
7511 key_file=data_files/server7.key \
7512 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7513 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7514 mtu=512" \
7515 "$P_CLI dtls=1 debug_level=2 \
7516 crt_file=data_files/server8_int-ca2.crt \
7517 key_file=data_files/server8.key \
7518 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7519 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7520 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7521 mtu=512" \
7522 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7523 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7524 -s "found fragmented DTLS handshake message" \
7525 -c "found fragmented DTLS handshake message" \
7526 -C "error"
7527
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7528# An autoreduction on the client-side might happen if the server is
7529# slow to reset, therefore omitting '-C "autoreduction"' below.
7530not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7531requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7532requires_config_enabled MBEDTLS_RSA_C
7533requires_config_enabled MBEDTLS_ECDSA_C
7534requires_config_enabled MBEDTLS_SHA256_C
7535requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7536requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7537requires_config_enabled MBEDTLS_AES_C
7538requires_config_enabled MBEDTLS_GCM_C
7539run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
7540 -p "$P_PXY mtu=512" \
7541 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7542 crt_file=data_files/server7_int-ca.crt \
7543 key_file=data_files/server7.key \
7544 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7545 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7546 mtu=512" \
7547 "$P_CLI dtls=1 debug_level=2 \
7548 crt_file=data_files/server8_int-ca2.crt \
7549 key_file=data_files/server8.key \
7550 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7551 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7552 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7553 mtu=512" \
7554 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7555 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7556 -s "found fragmented DTLS handshake message" \
7557 -c "found fragmented DTLS handshake message" \
7558 -C "error"
7559
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7560# An autoreduction on the client-side might happen if the server is
7561# slow to reset, therefore omitting '-C "autoreduction"' below.
7562not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7563requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7564requires_config_enabled MBEDTLS_RSA_C
7565requires_config_enabled MBEDTLS_ECDSA_C
7566requires_config_enabled MBEDTLS_SHA256_C
7567requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7568requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7569requires_config_enabled MBEDTLS_AES_C
7570requires_config_enabled MBEDTLS_CCM_C
7571run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7572 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7573 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7574 crt_file=data_files/server7_int-ca.crt \
7575 key_file=data_files/server7.key \
7576 exchanges=2 renegotiation=1 \
7577 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7578 hs_timeout=10000-60000 \
7579 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7580 "$P_CLI dtls=1 debug_level=2 \
7581 crt_file=data_files/server8_int-ca2.crt \
7582 key_file=data_files/server8.key \
7583 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7584 hs_timeout=10000-60000 \
7585 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7586 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7587 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7588 -s "found fragmented DTLS handshake message" \
7589 -c "found fragmented DTLS handshake message" \
7590 -C "error"
7591
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7592# An autoreduction on the client-side might happen if the server is
7593# slow to reset, therefore omitting '-C "autoreduction"' below.
7594not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7595requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7596requires_config_enabled MBEDTLS_RSA_C
7597requires_config_enabled MBEDTLS_ECDSA_C
7598requires_config_enabled MBEDTLS_SHA256_C
7599requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7600requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7601requires_config_enabled MBEDTLS_AES_C
7602requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7603requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
7604run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7605 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7606 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7607 crt_file=data_files/server7_int-ca.crt \
7608 key_file=data_files/server7.key \
7609 exchanges=2 renegotiation=1 \
7610 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7611 hs_timeout=10000-60000 \
7612 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7613 "$P_CLI dtls=1 debug_level=2 \
7614 crt_file=data_files/server8_int-ca2.crt \
7615 key_file=data_files/server8.key \
7616 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7617 hs_timeout=10000-60000 \
7618 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7619 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7620 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7621 -s "found fragmented DTLS handshake message" \
7622 -c "found fragmented DTLS handshake message" \
7623 -C "error"
7624
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7625# An autoreduction on the client-side might happen if the server is
7626# slow to reset, therefore omitting '-C "autoreduction"' below.
7627not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7628requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7629requires_config_enabled MBEDTLS_RSA_C
7630requires_config_enabled MBEDTLS_ECDSA_C
7631requires_config_enabled MBEDTLS_SHA256_C
7632requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7633requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
7634requires_config_enabled MBEDTLS_AES_C
7635requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7636run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7637 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7638 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7639 crt_file=data_files/server7_int-ca.crt \
7640 key_file=data_files/server7.key \
7641 exchanges=2 renegotiation=1 \
7642 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7643 hs_timeout=10000-60000 \
7644 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7645 "$P_CLI dtls=1 debug_level=2 \
7646 crt_file=data_files/server8_int-ca2.crt \
7647 key_file=data_files/server8.key \
7648 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]7649 hs_timeout=10000-60000 \
7650 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7651 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]7652 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]7653 -s "found fragmented DTLS handshake message" \
7654 -c "found fragmented DTLS handshake message" \
7655 -C "error"
7656
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7657# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7658requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7659requires_config_enabled MBEDTLS_RSA_C
7660requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7661requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7662requires_config_enabled MBEDTLS_AES_C
7663requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7664client_needs_more_time 2
7665run_test "DTLS fragmenting: proxy MTU + 3d" \
7666 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7667 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7668 crt_file=data_files/server7_int-ca.crt \
7669 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7670 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7671 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7672 crt_file=data_files/server8_int-ca2.crt \
7673 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7674 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7675 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]7676 0 \
7677 -s "found fragmented DTLS handshake message" \
7678 -c "found fragmented DTLS handshake message" \
7679 -C "error"
7680
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]7681# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7682requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7683requires_config_enabled MBEDTLS_RSA_C
7684requires_config_enabled MBEDTLS_ECDSA_C
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7685requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
7686requires_config_enabled MBEDTLS_AES_C
7687requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7688client_needs_more_time 2
7689run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
7690 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
7691 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
7692 crt_file=data_files/server7_int-ca.crt \
7693 key_file=data_files/server7.key \
7694 hs_timeout=250-10000 mtu=512 nbio=2" \
7695 "$P_CLI dtls=1 debug_level=2 \
7696 crt_file=data_files/server8_int-ca2.crt \
7697 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]7698 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]7699 hs_timeout=250-10000 mtu=512 nbio=2" \
7700 0 \
7701 -s "found fragmented DTLS handshake message" \
7702 -c "found fragmented DTLS handshake message" \
7703 -C "error"
7704
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7705# interop tests for DTLS fragmentating with reliable connection
7706#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7707# here and below we just want to test that the we fragment in a way that
7708# pleases other implementations, so we don't need the peer to fragment
7709requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7710requires_config_enabled MBEDTLS_RSA_C
7711requires_config_enabled MBEDTLS_ECDSA_C
7712requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7713requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7714run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
7715 "$G_SRV -u" \
7716 "$P_CLI dtls=1 debug_level=2 \
7717 crt_file=data_files/server8_int-ca2.crt \
7718 key_file=data_files/server8.key \
7719 mtu=512 force_version=dtls1_2" \
7720 0 \
7721 -c "fragmenting handshake message" \
7722 -C "error"
7723
7724requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7725requires_config_enabled MBEDTLS_RSA_C
7726requires_config_enabled MBEDTLS_ECDSA_C
7727requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7728requires_gnutls
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7729run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
7730 "$G_SRV -u" \
7731 "$P_CLI dtls=1 debug_level=2 \
7732 crt_file=data_files/server8_int-ca2.crt \
7733 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7734 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7735 0 \
7736 -c "fragmenting handshake message" \
7737 -C "error"
7738
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7739# We use --insecure for the GnuTLS client because it expects
7740# the hostname / IP it connects to to be the name used in the
7741# certificate obtained from the server. Here, however, it
7742# connects to 127.0.0.1 while our test certificates use 'localhost'
7743# as the server name in the certificate. This will make the
7744# certifiate validation fail, but passing --insecure makes
7745# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7746requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7747requires_config_enabled MBEDTLS_RSA_C
7748requires_config_enabled MBEDTLS_ECDSA_C
7749requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7750requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7751requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7752run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7753 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7754 crt_file=data_files/server7_int-ca.crt \
7755 key_file=data_files/server7.key \
7756 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7757 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7758 0 \
7759 -s "fragmenting handshake message"
7760
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]7761# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7762requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7763requires_config_enabled MBEDTLS_RSA_C
7764requires_config_enabled MBEDTLS_ECDSA_C
7765requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]7766requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]7767requires_not_i686
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7768run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7769 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7770 crt_file=data_files/server7_int-ca.crt \
7771 key_file=data_files/server7.key \
7772 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]7773 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]7774 0 \
7775 -s "fragmenting handshake message"
7776
7777requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7778requires_config_enabled MBEDTLS_RSA_C
7779requires_config_enabled MBEDTLS_ECDSA_C
7780requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7781run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
7782 "$O_SRV -dtls1_2 -verify 10" \
7783 "$P_CLI dtls=1 debug_level=2 \
7784 crt_file=data_files/server8_int-ca2.crt \
7785 key_file=data_files/server8.key \
7786 mtu=512 force_version=dtls1_2" \
7787 0 \
7788 -c "fragmenting handshake message" \
7789 -C "error"
7790
7791requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7792requires_config_enabled MBEDTLS_RSA_C
7793requires_config_enabled MBEDTLS_ECDSA_C
7794requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7795run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
7796 "$O_SRV -dtls1 -verify 10" \
7797 "$P_CLI dtls=1 debug_level=2 \
7798 crt_file=data_files/server8_int-ca2.crt \
7799 key_file=data_files/server8.key \
7800 mtu=512 force_version=dtls1" \
7801 0 \
7802 -c "fragmenting handshake message" \
7803 -C "error"
7804
7805requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7806requires_config_enabled MBEDTLS_RSA_C
7807requires_config_enabled MBEDTLS_ECDSA_C
7808requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7809run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
7810 "$P_SRV dtls=1 debug_level=2 \
7811 crt_file=data_files/server7_int-ca.crt \
7812 key_file=data_files/server7.key \
7813 mtu=512 force_version=dtls1_2" \
7814 "$O_CLI -dtls1_2" \
7815 0 \
7816 -s "fragmenting handshake message"
7817
7818requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7819requires_config_enabled MBEDTLS_RSA_C
7820requires_config_enabled MBEDTLS_ECDSA_C
7821requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7822run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
7823 "$P_SRV dtls=1 debug_level=2 \
7824 crt_file=data_files/server7_int-ca.crt \
7825 key_file=data_files/server7.key \
7826 mtu=512 force_version=dtls1" \
7827 "$O_CLI -dtls1" \
7828 0 \
7829 -s "fragmenting handshake message"
7830
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7831# interop tests for DTLS fragmentating with unreliable connection
7832#
7833# again we just want to test that the we fragment in a way that
7834# pleases other implementations, so we don't need the peer to fragment
7835requires_gnutls_next
7836requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7837requires_config_enabled MBEDTLS_RSA_C
7838requires_config_enabled MBEDTLS_ECDSA_C
7839requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7840client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7841run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
7842 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7843 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7844 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7845 crt_file=data_files/server8_int-ca2.crt \
7846 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7847 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7848 0 \
7849 -c "fragmenting handshake message" \
7850 -C "error"
7851
7852requires_gnutls_next
7853requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7854requires_config_enabled MBEDTLS_RSA_C
7855requires_config_enabled MBEDTLS_ECDSA_C
7856requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7857client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7858run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
7859 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7860 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7861 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7862 crt_file=data_files/server8_int-ca2.crt \
7863 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7864 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7865 0 \
7866 -c "fragmenting handshake message" \
7867 -C "error"
7868
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]7869requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]7870requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7871requires_config_enabled MBEDTLS_RSA_C
7872requires_config_enabled MBEDTLS_ECDSA_C
7873requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7874client_needs_more_time 4
7875run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
7876 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7877 "$P_SRV dtls=1 debug_level=2 \
7878 crt_file=data_files/server7_int-ca.crt \
7879 key_file=data_files/server7.key \
7880 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]7881 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]7882 0 \
7883 -s "fragmenting handshake message"
7884
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]7885requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]7886requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7887requires_config_enabled MBEDTLS_RSA_C
7888requires_config_enabled MBEDTLS_ECDSA_C
7889requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7890client_needs_more_time 4
7891run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
7892 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7893 "$P_SRV dtls=1 debug_level=2 \
7894 crt_file=data_files/server7_int-ca.crt \
7895 key_file=data_files/server7.key \
7896 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]7897 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]7898 0 \
7899 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7900
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7901## Interop test with OpenSSL might trigger a bug in recent versions (including
7902## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7903## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7904## They should be re-enabled once a fixed version of OpenSSL is available
7905## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]7906skip_next_test
7907requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7908requires_config_enabled MBEDTLS_RSA_C
7909requires_config_enabled MBEDTLS_ECDSA_C
7910requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7911client_needs_more_time 4
7912run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
7913 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7914 "$O_SRV -dtls1_2 -verify 10" \
7915 "$P_CLI dtls=1 debug_level=2 \
7916 crt_file=data_files/server8_int-ca2.crt \
7917 key_file=data_files/server8.key \
7918 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
7919 0 \
7920 -c "fragmenting handshake message" \
7921 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7922
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7923skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7924requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7925requires_config_enabled MBEDTLS_RSA_C
7926requires_config_enabled MBEDTLS_ECDSA_C
7927requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7928client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7929run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
7930 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7931 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7932 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7933 crt_file=data_files/server8_int-ca2.crt \
7934 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7935 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7936 0 \
7937 -c "fragmenting handshake message" \
7938 -C "error"
7939
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7940skip_next_test
7941requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7942requires_config_enabled MBEDTLS_RSA_C
7943requires_config_enabled MBEDTLS_ECDSA_C
7944requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
7945client_needs_more_time 4
7946run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
7947 -p "$P_PXY drop=8 delay=8 duplicate=8" \
7948 "$P_SRV dtls=1 debug_level=2 \
7949 crt_file=data_files/server7_int-ca.crt \
7950 key_file=data_files/server7.key \
7951 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
7952 "$O_CLI -dtls1_2" \
7953 0 \
7954 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7955
7956# -nbio is added to prevent s_client from blocking in case of duplicated
7957# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7958skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7959requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
7960requires_config_enabled MBEDTLS_RSA_C
7961requires_config_enabled MBEDTLS_ECDSA_C
7962requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7963client_needs_more_time 4
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7964run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
7965 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7966 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7967 crt_file=data_files/server7_int-ca.crt \
7968 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]7969 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]7970 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]7971 0 \
7972 -s "fragmenting handshake message"
7973
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7974# Tests for specific things with "unreliable" UDP connection
7975
7976not_with_valgrind # spurious resend due to timeout
7977run_test "DTLS proxy: reference" \
7978 -p "$P_PXY" \
7979 "$P_SRV dtls=1 debug_level=2" \
7980 "$P_CLI dtls=1 debug_level=2" \
7981 0 \
7982 -C "replayed record" \
7983 -S "replayed record" \
7984 -C "record from another epoch" \
7985 -S "record from another epoch" \
7986 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]7987 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]7988 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]7989 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]7990 -c "HTTP/1.0 200 OK"
7991
7992not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]7993run_test "DTLS proxy: duplicate every packet" \
7994 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]7995 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
7996 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]7997 0 \
7998 -c "replayed record" \
7999 -s "replayed record" \
8000 -c "record from another epoch" \
8001 -s "record from another epoch" \
8002 -S "resend" \
8003 -s "Extra-header:" \
8004 -c "HTTP/1.0 200 OK"
8005
8006run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
8007 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8008 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
8009 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8010 0 \
8011 -c "replayed record" \
8012 -S "replayed record" \
8013 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8014 -s "record from another epoch" \
8015 -c "resend" \
8016 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8017 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8018 -c "HTTP/1.0 200 OK"
8019
8020run_test "DTLS proxy: multiple records in same datagram" \
8021 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8022 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8023 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8024 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8025 -c "next record in same datagram" \
8026 -s "next record in same datagram"
8027
8028run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
8029 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8030 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
8031 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8032 0 \
8033 -c "next record in same datagram" \
8034 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8035
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8036run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
8037 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8038 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
8039 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8040 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8041 -c "discarding invalid record (mac)" \
8042 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8043 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8044 -c "HTTP/1.0 200 OK" \
8045 -S "too many records with bad MAC" \
8046 -S "Verification of the message MAC failed"
8047
8048run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
8049 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8050 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
8051 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8052 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8053 -C "discarding invalid record (mac)" \
8054 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8055 -S "Extra-header:" \
8056 -C "HTTP/1.0 200 OK" \
8057 -s "too many records with bad MAC" \
8058 -s "Verification of the message MAC failed"
8059
8060run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
8061 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8062 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
8063 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8064 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8065 -c "discarding invalid record (mac)" \
8066 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8067 -s "Extra-header:" \
8068 -c "HTTP/1.0 200 OK" \
8069 -S "too many records with bad MAC" \
8070 -S "Verification of the message MAC failed"
8071
8072run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
8073 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8074 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
8075 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8076 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8077 -c "discarding invalid record (mac)" \
8078 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8079 -s "Extra-header:" \
8080 -c "HTTP/1.0 200 OK" \
8081 -s "too many records with bad MAC" \
8082 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8083
8084run_test "DTLS proxy: delay ChangeCipherSpec" \
8085 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]8086 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
8087 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8088 0 \
8089 -c "record from another epoch" \
8090 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8091 -s "Extra-header:" \
8092 -c "HTTP/1.0 200 OK"
8093
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8094# Tests for reordering support with DTLS
8095
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8096run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
8097 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8098 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8099 hs_timeout=2500-60000" \
8100 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8101 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8102 0 \
8103 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8104 -c "Next handshake message has been buffered - load"\
8105 -S "Buffering HS message" \
8106 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8107 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8108 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8109 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8110 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]8111
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8112run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
8113 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8114 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8115 hs_timeout=2500-60000" \
8116 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8117 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8118 0 \
8119 -c "Buffering HS message" \
8120 -c "found fragmented DTLS handshake message"\
8121 -c "Next handshake message 1 not or only partially bufffered" \
8122 -c "Next handshake message has been buffered - load"\
8123 -S "Buffering HS message" \
8124 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8125 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]8126 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8127 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]8128 -S "Remember CCS message"
8129
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8130# The client buffers the ServerKeyExchange before receiving the fragmented
8131# Certificate message; at the time of writing, together these are aroudn 1200b
8132# in size, so that the bound below ensures that the certificate can be reassembled
8133# while keeping the ServerKeyExchange.
8134requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
8135run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8136 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8137 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8138 hs_timeout=2500-60000" \
8139 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8140 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8141 0 \
8142 -c "Buffering HS message" \
8143 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8144 -C "attempt to make space by freeing buffered messages" \
8145 -S "Buffering HS message" \
8146 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8147 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8148 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8149 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8150 -S "Remember CCS message"
8151
8152# The size constraints ensure that the delayed certificate message can't
8153# be reassembled while keeping the ServerKeyExchange message, but it can
8154# when dropping it first.
8155requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
8156requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
8157run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
8158 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8159 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8160 hs_timeout=2500-60000" \
8161 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8162 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8163 0 \
8164 -c "Buffering HS message" \
8165 -c "attempt to make space by freeing buffered future messages" \
8166 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8167 -S "Buffering HS message" \
8168 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8169 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8170 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8171 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]8172 -S "Remember CCS message"
8173
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8174run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
8175 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8176 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
8177 hs_timeout=2500-60000" \
8178 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8179 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8180 0 \
8181 -C "Buffering HS message" \
8182 -C "Next handshake message has been buffered - load"\
8183 -s "Buffering HS message" \
8184 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8185 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8186 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8187 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8188 -S "Remember CCS message"
8189
8190run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
8191 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8192 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8193 hs_timeout=2500-60000" \
8194 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8195 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8196 0 \
8197 -C "Buffering HS message" \
8198 -C "Next handshake message has been buffered - load"\
8199 -S "Buffering HS message" \
8200 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8201 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8202 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8203 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8204 -S "Remember CCS message"
8205
8206run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
8207 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8208 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8209 hs_timeout=2500-60000" \
8210 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8211 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8212 0 \
8213 -C "Buffering HS message" \
8214 -C "Next handshake message has been buffered - load"\
8215 -S "Buffering HS message" \
8216 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8217 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8218 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]8219 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8220 -s "Remember CCS message"
8221
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8222run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8223 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8224 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
8225 hs_timeout=2500-60000" \
8226 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
8227 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]8228 0 \
8229 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]8230 -s "Found buffered record from current epoch - load" \
8231 -c "Buffer record from epoch 1" \
8232 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8233
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]8234# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
8235# from the server are delayed, so that the encrypted Finished message
8236# is received and buffered. When the fragmented NewSessionTicket comes
8237# in afterwards, the encrypted Finished message must be freed in order
8238# to make space for the NewSessionTicket to be reassembled.
8239# This works only in very particular circumstances:
8240# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
8241# of the NewSessionTicket, but small enough to also allow buffering of
8242# the encrypted Finished message.
8243# - The MTU setting on the server must be so small that the NewSessionTicket
8244# needs to be fragmented.
8245# - All messages sent by the server must be small enough to be either sent
8246# without fragmentation or be reassembled within the bounds of
8247# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
8248# handshake, omitting CRTs.
8249requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 240
8250requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 280
8251run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
8252 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
8253 "$P_SRV mtu=190 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
8254 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
8255 0 \
8256 -s "Buffer record from epoch 1" \
8257 -s "Found buffered record from current epoch - load" \
8258 -c "Buffer record from epoch 1" \
8259 -C "Found buffered record from current epoch - load" \
8260 -c "Enough space available after freeing future epoch record"
8261
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]8262# Tests for "randomly unreliable connection": try a variety of flows and peers
8263
8264client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8265run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
8266 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8267 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8268 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8269 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8270 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8271 0 \
8272 -s "Extra-header:" \
8273 -c "HTTP/1.0 200 OK"
8274
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8275client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8276run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
8277 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8278 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8279 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8280 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
8281 0 \
8282 -s "Extra-header:" \
8283 -c "HTTP/1.0 200 OK"
8284
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8285client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8286run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
8287 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8288 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
8289 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8290 0 \
8291 -s "Extra-header:" \
8292 -c "HTTP/1.0 200 OK"
8293
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8294client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8295run_test "DTLS proxy: 3d, FS, client auth" \
8296 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8297 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
8298 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8299 0 \
8300 -s "Extra-header:" \
8301 -c "HTTP/1.0 200 OK"
8302
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8303client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8304run_test "DTLS proxy: 3d, FS, ticket" \
8305 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8306 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
8307 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8308 0 \
8309 -s "Extra-header:" \
8310 -c "HTTP/1.0 200 OK"
8311
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8312client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]8313run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
8314 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8315 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
8316 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8317 0 \
8318 -s "Extra-header:" \
8319 -c "HTTP/1.0 200 OK"
8320
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8321client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8322run_test "DTLS proxy: 3d, max handshake, nbio" \
8323 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8324 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8325 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8326 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8327 0 \
8328 -s "Extra-header:" \
8329 -c "HTTP/1.0 200 OK"
8330
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8331client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8332run_test "DTLS proxy: 3d, min handshake, resumption" \
8333 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8334 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8335 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8336 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]8337 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8338 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8339 0 \
8340 -s "a session has been resumed" \
8341 -c "a session has been resumed" \
8342 -s "Extra-header:" \
8343 -c "HTTP/1.0 200 OK"
8344
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8345client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8346run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
8347 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8348 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8349 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8350 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]8351 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
8352 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
8353 0 \
8354 -s "a session has been resumed" \
8355 -c "a session has been resumed" \
8356 -s "Extra-header:" \
8357 -c "HTTP/1.0 200 OK"
8358
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8359client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8360requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8361run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8362 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8363 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8364 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8365 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8366 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]8367 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8368 0 \
8369 -c "=> renegotiate" \
8370 -s "=> renegotiate" \
8371 -s "Extra-header:" \
8372 -c "HTTP/1.0 200 OK"
8373
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8374client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8375requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8376run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
8377 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8378 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8379 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8380 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]8381 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8382 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8383 0 \
8384 -c "=> renegotiate" \
8385 -s "=> renegotiate" \
8386 -s "Extra-header:" \
8387 -c "HTTP/1.0 200 OK"
8388
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8389client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8390requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8391run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8392 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8393 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8394 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8395 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8396 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8397 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8398 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8399 0 \
8400 -c "=> renegotiate" \
8401 -s "=> renegotiate" \
8402 -s "Extra-header:" \
8403 -c "HTTP/1.0 200 OK"
8404
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8405client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]8406requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8407run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8408 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8409 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8410 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8411 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8412 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]8413 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]8414 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
8415 0 \
8416 -c "=> renegotiate" \
8417 -s "=> renegotiate" \
8418 -s "Extra-header:" \
8419 -c "HTTP/1.0 200 OK"
8420
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8421## Interop tests with OpenSSL might trigger a bug in recent versions (including
8422## all versions installed on the CI machines), reported here:
8423## Bug report: https://github.com/openssl/openssl/issues/6902
8424## They should be re-enabled once a fixed version of OpenSSL is available
8425## (this should happen in some 1.1.1_ release according to the ticket).
8426skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8427client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8428not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8429run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8430 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8431 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8432 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8433 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]8434 -c "HTTP/1.0 200 OK"
8435
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8436skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8437client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8438not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8439run_test "DTLS proxy: 3d, openssl server, fragmentation" \
8440 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8441 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8442 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8443 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8444 -c "HTTP/1.0 200 OK"
8445
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]8446skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8447client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8448not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8449run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
8450 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
8451 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8452 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8453 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8454 -c "HTTP/1.0 200 OK"
8455
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]8456requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8457client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8458not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8459run_test "DTLS proxy: 3d, gnutls server" \
8460 -p "$P_PXY drop=5 delay=5 duplicate=5" \
8461 "$G_SRV -u --mtu 2048 -a" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8462 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8463 0 \
8464 -s "Extra-header:" \
8465 -c "Extra-header:"
8466
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8467requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8468client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8469not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8470run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
8471 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8472 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8473 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]8474 0 \
8475 -s "Extra-header:" \
8476 -c "Extra-header:"
8477
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8478requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]8479client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]8480not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8481run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
8482 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8483 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8484 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]8485 0 \
8486 -s "Extra-header:" \
8487 -c "Extra-header:"
8488
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]8489requires_config_enabled MBEDTLS_SSL_EXPORT_KEYS
8490run_test "export keys functionality" \
8491 "$P_SRV eap_tls=1 debug_level=3" \
8492 "$P_CLI eap_tls=1 debug_level=3" \
8493 0 \
8494 -s "exported maclen is " \
8495 -s "exported keylen is " \
8496 -s "exported ivlen is " \
8497 -c "exported maclen is " \
8498 -c "exported keylen is " \
8499 -c "exported ivlen is "
8500
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]8501# Final report
8502
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8503echo "------------------------------------------------------------------------"
8504
8505if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8506 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8507else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]8508 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8509fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]8510PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]8511echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]8512
8513exit $FAILS