TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b5546362369ff323513de466b53b2cb956f786a3 / . / tests / ssl-opt.sh
blob: 6694f7368f078d4b5cd1c8051894cacca8833be5 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]5# This file is part of mbed TLS (https://tls.mbed.org)
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]6#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]7# Copyright (c) 2016, ARM Limited, All Rights Reserved
8#
9# Purpose
10#
11# Executes tests to prove various TLS/SSL options and extensions.
12#
13# The goal is not to cover every ciphersuite/version, but instead to cover
14# specific options (max fragment length, truncated hmac, etc) or procedures
15# (session resumption from cache or ticket, renego, etc).
16#
17# The tests assume a build with default options, with exceptions expressed
18# with a dependency. The tests focus on functionality and do not consider
19# performance.
20#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]21
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]22set -u
23
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]24# default values, can be overriden by the environment
25: ${P_SRV:=../programs/ssl/ssl_server2}
26: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]27: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]28: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]29: ${GNUTLS_CLI:=gnutls-cli}
30: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]31: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]33O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]34O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]35G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]36G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]37TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]38
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]39TESTS=0
40FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]41SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]44
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]45MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]47EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]49SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]50RUN_TEST_NUMBER=''
51
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]52PRESERVE_LOGS=0
53
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]54# Pick a "unique" server port in the range 10000-19999, and a proxy
55# port which is this plus 10000. Each port number may be independently
56# overridden by a command line option.
57SRV_PORT=$(($$ % 10000 + 10000))
58PXY_PORT=$((SRV_PORT + 10000))
59
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]60print_usage() {
61 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]62 printf " -h|--help\tPrint this help.\n"
63 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]64 printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
65 printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]66 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]67 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]68 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]69 printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
70 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]71 printf " --seed\tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]72}
73
74get_options() {
75 while [ $# -gt 0 ]; do
76 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]77 -f|--filter)
78 shift; FILTER=$1
79 ;;
80 -e|--exclude)
81 shift; EXCLUDE=$1
82 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]83 -m|--memcheck)
84 MEMCHECK=1
85 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]86 -n|--number)
87 shift; RUN_TEST_NUMBER=$1
88 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]89 -s|--show-numbers)
90 SHOW_TEST_NUMBER=1
91 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]92 -p|--preserve-logs)
93 PRESERVE_LOGS=1
94 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]95 --port)
96 shift; SRV_PORT=$1
97 ;;
98 --proxy-port)
99 shift; PXY_PORT=$1
100 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]101 --seed)
102 shift; SEED="$1"
103 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104 -h|--help)
105 print_usage
106 exit 0
107 ;;
108 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]109 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]110 print_usage
111 exit 1
112 ;;
113 esac
114 shift
115 done
116}
117
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]118# skip next test if the flag is not enabled in config.h
119requires_config_enabled() {
120 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
121 SKIP_NEXT="YES"
122 fi
123}
124
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]125# skip next test if the flag is enabled in config.h
126requires_config_disabled() {
127 if grep "^#define $1" $CONFIG_H > /dev/null; then
128 SKIP_NEXT="YES"
129 fi
130}
131
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]132# skip next test if OpenSSL doesn't support FALLBACK_SCSV
133requires_openssl_with_fallback_scsv() {
134 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
135 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
136 then
137 OPENSSL_HAS_FBSCSV="YES"
138 else
139 OPENSSL_HAS_FBSCSV="NO"
140 fi
141 fi
142 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
143 SKIP_NEXT="YES"
144 fi
145}
146
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]147# skip next test if GnuTLS isn't available
148requires_gnutls() {
149 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]150 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]151 GNUTLS_AVAILABLE="YES"
152 else
153 GNUTLS_AVAILABLE="NO"
154 fi
155 fi
156 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
157 SKIP_NEXT="YES"
158 fi
159}
160
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]161# skip next test if IPv6 isn't available on this host
162requires_ipv6() {
163 if [ -z "${HAS_IPV6:-}" ]; then
164 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
165 SRV_PID=$!
166 sleep 1
167 kill $SRV_PID >/dev/null 2>&1
168 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
169 HAS_IPV6="NO"
170 else
171 HAS_IPV6="YES"
172 fi
173 rm -r $SRV_OUT
174 fi
175
176 if [ "$HAS_IPV6" = "NO" ]; then
177 SKIP_NEXT="YES"
178 fi
179}
180
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]181# skip the next test if valgrind is in use
182not_with_valgrind() {
183 if [ "$MEMCHECK" -gt 0 ]; then
184 SKIP_NEXT="YES"
185 fi
186}
187
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]188# skip the next test if valgrind is NOT in use
189only_with_valgrind() {
190 if [ "$MEMCHECK" -eq 0 ]; then
191 SKIP_NEXT="YES"
192 fi
193}
194
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]195# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]196client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]197 CLI_DELAY_FACTOR=$1
198}
199
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]200# wait for the given seconds after the client finished in the next test
201server_needs_more_time() {
202 SRV_DELAY_SECONDS=$1
203}
204
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]205# print_name <name>
206print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]207 TESTS=$(( $TESTS + 1 ))
208 LINE=""
209
210 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
211 LINE="$TESTS "
212 fi
213
214 LINE="$LINE$1"
215 printf "$LINE "
216 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]217 for i in `seq 1 $LEN`; do printf '.'; done
218 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]219
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]220}
221
222# fail <message>
223fail() {
224 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]225 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]227 mv $SRV_OUT o-srv-${TESTS}.log
228 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]229 if [ -n "$PXY_CMD" ]; then
230 mv $PXY_OUT o-pxy-${TESTS}.log
231 fi
232 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]233
Azim Khan03da1212018-03-29 11:04:20 +0100[diff] [blame]234 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]235 echo " ! server output:"
236 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]237 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]238 echo " ! client output:"
239 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]240 if [ -n "$PXY_CMD" ]; then
241 echo " ! ========================================================"
242 echo " ! proxy output:"
243 cat o-pxy-${TESTS}.log
244 fi
245 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]246 fi
247
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]248 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]249}
250
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]251# is_polar <cmd_line>
252is_polar() {
253 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
254}
255
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]256# openssl s_server doesn't have -www with DTLS
257check_osrv_dtls() {
258 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
259 NEEDS_INPUT=1
260 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
261 else
262 NEEDS_INPUT=0
263 fi
264}
265
266# provide input to commands that need it
267provide_input() {
268 if [ $NEEDS_INPUT -eq 0 ]; then
269 return
270 fi
271
272 while true; do
273 echo "HTTP/1.0 200 OK"
274 sleep 1
275 done
276}
277
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]278# has_mem_err <log_file_name>
279has_mem_err() {
280 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
281 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
282 then
283 return 1 # false: does not have errors
284 else
285 return 0 # true: has errors
286 fi
287}
288
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]289# Wait for process $2 to be listening on port $1
290if type lsof >/dev/null 2>/dev/null; then
291 wait_server_start() {
292 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]293 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]294 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]295 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]296 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]297 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]298 # Make a tight loop, server normally takes less than 1s to start.
299 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
300 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
301 echo "SERVERSTART TIMEOUT"
302 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
303 break
304 fi
305 # Linux and *BSD support decimal arguments to sleep. On other
306 # OSes this may be a tight loop.
307 sleep 0.1 2>/dev/null || true
308 done
309 }
310else
Gilles Peskine7163a6a2018-06-29 15:48:13 +0200[diff] [blame]311 echo "Warning: lsof not available, wait_server_start = sleep"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]312 wait_server_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]313 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]314 }
315fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]316
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]317# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]318# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]319# acceptable bounds
320check_server_hello_time() {
321 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]322 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]323 # Get the Unix timestamp for now
324 CUR_TIME=$(date +'%s')
325 THRESHOLD_IN_SECS=300
326
327 # Check if the ServerHello time was printed
328 if [ -z "$SERVER_HELLO_TIME" ]; then
329 return 1
330 fi
331
332 # Check the time in ServerHello is within acceptable bounds
333 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
334 # The time in ServerHello is at least 5 minutes before now
335 return 1
336 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]337 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]338 return 1
339 else
340 return 0
341 fi
342}
343
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]344# wait for client to terminate and set CLI_EXIT
345# must be called right after starting the client
346wait_client_done() {
347 CLI_PID=$!
348
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]349 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
350 CLI_DELAY_FACTOR=1
351
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]352 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]353 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]354
355 wait $CLI_PID
356 CLI_EXIT=$?
357
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]358 kill $DOG_PID >/dev/null 2>&1
359 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]360
361 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]362
363 sleep $SRV_DELAY_SECONDS
364 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]365}
366
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]367# check if the given command uses dtls and sets global variable DTLS
368detect_dtls() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]369 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]370 DTLS=1
371 else
372 DTLS=0
373 fi
374}
375
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]376# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]377# Options: -s pattern pattern that must be present in server output
378# -c pattern pattern that must be present in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]379# -u pattern lines after pattern must be unique in client output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]380# -f call shell function on client output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]381# -S pattern pattern that must be absent in server output
382# -C pattern pattern that must be absent in client output
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]383# -U pattern lines after pattern must be unique in server output
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]384# -F call shell function on server output
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]385run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]386 NAME="$1"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]387 shift 1
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]388
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]389 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
390 else
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]391 SKIP_NEXT="NO"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]392 return
393 fi
394
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]395 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]396
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]397 # Do we only run numbered tests?
398 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
399 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
400 else
401 SKIP_NEXT="YES"
402 fi
403
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]404 # should we skip?
405 if [ "X$SKIP_NEXT" = "XYES" ]; then
406 SKIP_NEXT="NO"
407 echo "SKIP"
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]408 SKIPS=$(( $SKIPS + 1 ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]409 return
410 fi
411
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]412 # does this test use a proxy?
413 if [ "X$1" = "X-p" ]; then
414 PXY_CMD="$2"
415 shift 2
416 else
417 PXY_CMD=""
418 fi
419
420 # get commands and client output
421 SRV_CMD="$1"
422 CLI_CMD="$2"
423 CLI_EXPECT="$3"
424 shift 3
425
426 # fix client port
427 if [ -n "$PXY_CMD" ]; then
428 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
429 else
430 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
431 fi
432
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]433 # update DTLS variable
434 detect_dtls "$SRV_CMD"
435
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]436 # prepend valgrind to our commands if active
437 if [ "$MEMCHECK" -gt 0 ]; then
438 if is_polar "$SRV_CMD"; then
439 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
440 fi
441 if is_polar "$CLI_CMD"; then
442 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
443 fi
444 fi
445
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]446 TIMES_LEFT=2
447 while [ $TIMES_LEFT -gt 0 ]; do
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]448 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]449
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]450 # run the commands
451 if [ -n "$PXY_CMD" ]; then
452 echo "$PXY_CMD" > $PXY_OUT
453 $PXY_CMD >> $PXY_OUT 2>&1 &
454 PXY_PID=$!
455 # assume proxy starts faster than server
456 fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]457
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]458 check_osrv_dtls
459 echo "$SRV_CMD" > $SRV_OUT
460 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
461 SRV_PID=$!
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]462 wait_server_start "$SRV_PORT" "$SRV_PID"
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]463
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]464 echo "$CLI_CMD" > $CLI_OUT
465 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
466 wait_client_done
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]467
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]468 # terminate the server (and the proxy)
469 kill $SRV_PID
470 wait $SRV_PID
471 if [ -n "$PXY_CMD" ]; then
472 kill $PXY_PID >/dev/null 2>&1
473 wait $PXY_PID
474 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]475
Manuel Pégourié-Gonnardab5f7b42015-08-04 21:01:37 +0200[diff] [blame]476 # retry only on timeouts
477 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
478 printf "RETRY "
479 else
480 TIMES_LEFT=0
481 fi
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]482 done
483
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]484 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]485 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]486 # expected client exit to incorrectly succeed in case of catastrophic
487 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]488 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]489 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]490 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]491 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]492 return
493 fi
494 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]495 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]496 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]497 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]498 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]499 return
500 fi
501 fi
502
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]503 # check server exit code
504 if [ $? != 0 ]; then
505 fail "server fail"
506 return
507 fi
508
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]509 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]510 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
511 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]512 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]513 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]514 return
515 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]516
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]517 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]518 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]519 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]520 while [ $# -gt 0 ]
521 do
522 case $1 in
523 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]524 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]525 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]526 return
527 fi
528 ;;
529
530 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]531 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]532 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]533 return
534 fi
535 ;;
536
537 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]538 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]539 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]540 return
541 fi
542 ;;
543
544 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]545 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]546 fail "pattern '$2' MUST NOT be present in the Client output"
547 return
548 fi
549 ;;
550
551 # The filtering in the following two options (-u and -U) do the following
552 # - ignore valgrind output
553 # - filter out everything but lines right after the pattern occurances
554 # - keep one of each non-unique line
555 # - count how many lines remain
556 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
557 # if there were no duplicates.
558 "-U")
559 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
560 fail "lines following pattern '$2' must be unique in Server output"
561 return
562 fi
563 ;;
564
565 "-u")
566 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
567 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]568 return
569 fi
570 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]571 "-F")
572 if ! $2 "$SRV_OUT"; then
573 fail "function call to '$2' failed on Server output"
574 return
575 fi
576 ;;
577 "-f")
578 if ! $2 "$CLI_OUT"; then
579 fail "function call to '$2' failed on Client output"
580 return
581 fi
582 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]583
584 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]585 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]586 exit 1
587 esac
588 shift 2
589 done
590
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]591 # check valgrind's results
592 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]593 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]594 fail "Server has memory errors"
595 return
596 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]597 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]598 fail "Client has memory errors"
599 return
600 fi
601 fi
602
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]603 # if we're here, everything is ok
604 echo "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]605 if [ "$PRESERVE_LOGS" -gt 0 ]; then
606 mv $SRV_OUT o-srv-${TESTS}.log
607 mv $CLI_OUT o-cli-${TESTS}.log
608 fi
609
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]610 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]611}
612
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]613cleanup() {
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]614 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]615 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
616 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
617 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
618 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]619 exit 1
620}
621
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]622#
623# MAIN
624#
625
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000[diff] [blame]626if cd $( dirname $0 ); then :; else
627 echo "cd $( dirname $0 ) failed" >&2
628 exit 1
629fi
630
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]631get_options "$@"
632
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]633# sanity checks, avoid an avalanche of errors
634if [ ! -x "$P_SRV" ]; then
635 echo "Command '$P_SRV' is not an executable file"
636 exit 1
637fi
638if [ ! -x "$P_CLI" ]; then
639 echo "Command '$P_CLI' is not an executable file"
640 exit 1
641fi
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]642if [ ! -x "$P_PXY" ]; then
643 echo "Command '$P_PXY' is not an executable file"
644 exit 1
645fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]646if [ "$MEMCHECK" -gt 0 ]; then
647 if which valgrind >/dev/null 2>&1; then :; else
648 echo "Memcheck not possible. Valgrind not found"
649 exit 1
650 fi
651fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]652if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
653 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]654 exit 1
655fi
656
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]657# used by watchdog
658MAIN_PID="$$"
659
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]660# We use somewhat arbitrary delays for tests:
661# - how long do we wait for the server to start (when lsof not available)?
662# - how long do we allow for the client to finish?
663# (not to check performance, just to avoid waiting indefinitely)
664# Things are slower with valgrind, so give extra time here.
665#
666# Note: without lsof, there is a trade-off between the running time of this
667# script and the risk of spurious errors because we didn't wait long enough.
668# The watchdog delay on the other hand doesn't affect normal running time of
669# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]670if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]671 START_DELAY=6
672 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]673else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]674 START_DELAY=2
675 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]676fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]677
678# some particular tests need more time:
679# - for the client, we multiply the usual watchdog limit by a factor
680# - for the server, we sleep for a number of seconds after the client exits
681# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]682CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]683SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]684
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]685# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]686# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]687P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
688P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]689P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Manuel Pégourié-Gonnard61957672015-06-18 17:54:58 +0200[diff] [blame]690O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]691O_CLI="$O_CLI -connect localhost:+SRV_PORT"
692G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]693G_CLI="$G_CLI -p +SRV_PORT localhost"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]694
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]695# Allow SHA-1, because many of our test certificates use it
696P_SRV="$P_SRV allow_sha1=1"
697P_CLI="$P_CLI allow_sha1=1"
698
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]699# Also pick a unique name for intermediate files
700SRV_OUT="srv_out.$$"
701CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]702PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]703SESSION="session.$$"
704
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]705SKIP_NEXT="NO"
706
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]707trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]708
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]709# Basic test
710
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]711# Checks that:
712# - things work with all ciphersuites active (used with config-full in all.sh)
713# - the expected (highest security) parameters are selected
714# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]715run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]716 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]717 "$P_CLI" \
718 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]719 -s "Protocol is TLSv1.2" \
720 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
721 -s "client hello v3, signature_algorithm ext: 6" \
722 -s "ECDHE curve: secp521r1" \
723 -S "error" \
724 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]725
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]726run_test "Default, DTLS" \
727 "$P_SRV dtls=1" \
728 "$P_CLI dtls=1" \
729 0 \
730 -s "Protocol is DTLSv1.2" \
731 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
732
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]733# Test current time in ServerHello
734requires_config_enabled MBEDTLS_HAVE_TIME
735run_test "Default, ServerHello contains gmt_unix_time" \
736 "$P_SRV debug_level=3" \
737 "$P_CLI debug_level=3" \
738 0 \
739 -s "Protocol is TLSv1.2" \
740 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
741 -s "client hello v3, signature_algorithm ext: 6" \
742 -s "ECDHE curve: secp521r1" \
743 -S "error" \
744 -C "error" \
745 -f "check_server_hello_time" \
746 -F "check_server_hello_time"
747
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]748# Test for uniqueness of IVs in AEAD ciphersuites
749run_test "Unique IV in GCM" \
750 "$P_SRV exchanges=20 debug_level=4" \
751 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
752 0 \
753 -u "IV used" \
754 -U "IV used"
755
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]756# Tests for rc4 option
757
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]758requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]759run_test "RC4: server disabled, client enabled" \
760 "$P_SRV" \
761 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
762 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]763 -s "SSL - The server has no ciphersuites in common"
764
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]765requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]766run_test "RC4: server half, client enabled" \
767 "$P_SRV arc4=1" \
768 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
769 1 \
770 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]771
772run_test "RC4: server enabled, client disabled" \
773 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
774 "$P_CLI" \
775 1 \
776 -s "SSL - The server has no ciphersuites in common"
777
778run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]779 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]780 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
781 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]782 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]783 -S "SSL - The server has no ciphersuites in common"
784
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]785# Tests for SHA-1 support
786
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]787requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]788run_test "SHA-1 forbidden by default in server certificate" \
789 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
790 "$P_CLI debug_level=2 allow_sha1=0" \
791 1 \
792 -c "The certificate is signed with an unacceptable hash"
793
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]794requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
795run_test "SHA-1 forbidden by default in server certificate" \
796 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
797 "$P_CLI debug_level=2 allow_sha1=0" \
798 0
799
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]800run_test "SHA-1 explicitly allowed in server certificate" \
801 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
802 "$P_CLI allow_sha1=1" \
803 0
804
805run_test "SHA-256 allowed by default in server certificate" \
806 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
807 "$P_CLI allow_sha1=0" \
808 0
809
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]810requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]811run_test "SHA-1 forbidden by default in client certificate" \
812 "$P_SRV auth_mode=required allow_sha1=0" \
813 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
814 1 \
815 -s "The certificate is signed with an unacceptable hash"
816
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]817requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
818run_test "SHA-1 forbidden by default in client certificate" \
819 "$P_SRV auth_mode=required allow_sha1=0" \
820 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
821 0
822
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]823run_test "SHA-1 explicitly allowed in client certificate" \
824 "$P_SRV auth_mode=required allow_sha1=1" \
825 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
826 0
827
828run_test "SHA-256 allowed by default in client certificate" \
829 "$P_SRV auth_mode=required allow_sha1=0" \
830 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
831 0
832
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]833# Tests for Truncated HMAC extension
834
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]835run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]836 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]837 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]838 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]839 -s "dumping 'expected mac' (20 bytes)" \
840 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]841
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]842requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]843run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]844 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]845 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]846 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]847 -s "dumping 'expected mac' (20 bytes)" \
848 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]849
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]850requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]851run_test "Truncated HMAC: client enabled, server default" \
852 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]853 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]854 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]855 -s "dumping 'expected mac' (20 bytes)" \
856 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]857
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]858requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]859run_test "Truncated HMAC: client enabled, server disabled" \
860 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]861 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]862 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]863 -s "dumping 'expected mac' (20 bytes)" \
864 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]865
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]866requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]867run_test "Truncated HMAC: client disabled, server enabled" \
868 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]869 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]870 0 \
871 -s "dumping 'expected mac' (20 bytes)" \
872 -S "dumping 'expected mac' (10 bytes)"
873
874requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]875run_test "Truncated HMAC: client enabled, server enabled" \
876 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]877 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]878 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]879 -S "dumping 'expected mac' (20 bytes)" \
880 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]881
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]882run_test "Truncated HMAC, DTLS: client default, server default" \
883 "$P_SRV dtls=1 debug_level=4" \
884 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
885 0 \
886 -s "dumping 'expected mac' (20 bytes)" \
887 -S "dumping 'expected mac' (10 bytes)"
888
889requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
890run_test "Truncated HMAC, DTLS: client disabled, server default" \
891 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]892 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]893 0 \
894 -s "dumping 'expected mac' (20 bytes)" \
895 -S "dumping 'expected mac' (10 bytes)"
896
897requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
898run_test "Truncated HMAC, DTLS: client enabled, server default" \
899 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]900 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]901 0 \
902 -s "dumping 'expected mac' (20 bytes)" \
903 -S "dumping 'expected mac' (10 bytes)"
904
905requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
906run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
907 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]908 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]909 0 \
910 -s "dumping 'expected mac' (20 bytes)" \
911 -S "dumping 'expected mac' (10 bytes)"
912
913requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
914run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
915 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]916 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]917 0 \
918 -s "dumping 'expected mac' (20 bytes)" \
919 -S "dumping 'expected mac' (10 bytes)"
920
921requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
922run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
923 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]924 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]925 0 \
926 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]927 -s "dumping 'expected mac' (10 bytes)"
928
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]929# Tests for Encrypt-then-MAC extension
930
931run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]932 "$P_SRV debug_level=3 \
933 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]934 "$P_CLI debug_level=3" \
935 0 \
936 -c "client hello, adding encrypt_then_mac extension" \
937 -s "found encrypt then mac extension" \
938 -s "server hello, adding encrypt then mac extension" \
939 -c "found encrypt_then_mac extension" \
940 -c "using encrypt then mac" \
941 -s "using encrypt then mac"
942
943run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]944 "$P_SRV debug_level=3 etm=0 \
945 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]946 "$P_CLI debug_level=3 etm=1" \
947 0 \
948 -c "client hello, adding encrypt_then_mac extension" \
949 -s "found encrypt then mac extension" \
950 -S "server hello, adding encrypt then mac extension" \
951 -C "found encrypt_then_mac extension" \
952 -C "using encrypt then mac" \
953 -S "using encrypt then mac"
954
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]955run_test "Encrypt then MAC: client enabled, aead cipher" \
956 "$P_SRV debug_level=3 etm=1 \
957 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
958 "$P_CLI debug_level=3 etm=1" \
959 0 \
960 -c "client hello, adding encrypt_then_mac extension" \
961 -s "found encrypt then mac extension" \
962 -S "server hello, adding encrypt then mac extension" \
963 -C "found encrypt_then_mac extension" \
964 -C "using encrypt then mac" \
965 -S "using encrypt then mac"
966
967run_test "Encrypt then MAC: client enabled, stream cipher" \
968 "$P_SRV debug_level=3 etm=1 \
969 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]970 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]971 0 \
972 -c "client hello, adding encrypt_then_mac extension" \
973 -s "found encrypt then mac extension" \
974 -S "server hello, adding encrypt then mac extension" \
975 -C "found encrypt_then_mac extension" \
976 -C "using encrypt then mac" \
977 -S "using encrypt then mac"
978
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]979run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]980 "$P_SRV debug_level=3 etm=1 \
981 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]982 "$P_CLI debug_level=3 etm=0" \
983 0 \
984 -C "client hello, adding encrypt_then_mac extension" \
985 -S "found encrypt then mac extension" \
986 -S "server hello, adding encrypt then mac extension" \
987 -C "found encrypt_then_mac extension" \
988 -C "using encrypt then mac" \
989 -S "using encrypt then mac"
990
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]991requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]992run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]993 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]994 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]995 "$P_CLI debug_level=3 force_version=ssl3" \
996 0 \
997 -C "client hello, adding encrypt_then_mac extension" \
998 -S "found encrypt then mac extension" \
999 -S "server hello, adding encrypt then mac extension" \
1000 -C "found encrypt_then_mac extension" \
1001 -C "using encrypt then mac" \
1002 -S "using encrypt then mac"
1003
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1004requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1005run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]1006 "$P_SRV debug_level=3 force_version=ssl3 \
1007 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1008 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1009 0 \
1010 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1011 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]1012 -S "server hello, adding encrypt then mac extension" \
1013 -C "found encrypt_then_mac extension" \
1014 -C "using encrypt then mac" \
1015 -S "using encrypt then mac"
1016
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]1017# Tests for Extended Master Secret extension
1018
1019run_test "Extended Master Secret: default" \
1020 "$P_SRV debug_level=3" \
1021 "$P_CLI debug_level=3" \
1022 0 \
1023 -c "client hello, adding extended_master_secret extension" \
1024 -s "found extended master secret extension" \
1025 -s "server hello, adding extended master secret extension" \
1026 -c "found extended_master_secret extension" \
1027 -c "using extended master secret" \
1028 -s "using extended master secret"
1029
1030run_test "Extended Master Secret: client enabled, server disabled" \
1031 "$P_SRV debug_level=3 extended_ms=0" \
1032 "$P_CLI debug_level=3 extended_ms=1" \
1033 0 \
1034 -c "client hello, adding extended_master_secret extension" \
1035 -s "found extended master secret extension" \
1036 -S "server hello, adding extended master secret extension" \
1037 -C "found extended_master_secret extension" \
1038 -C "using extended master secret" \
1039 -S "using extended master secret"
1040
1041run_test "Extended Master Secret: client disabled, server enabled" \
1042 "$P_SRV debug_level=3 extended_ms=1" \
1043 "$P_CLI debug_level=3 extended_ms=0" \
1044 0 \
1045 -C "client hello, adding extended_master_secret extension" \
1046 -S "found extended master secret extension" \
1047 -S "server hello, adding extended master secret extension" \
1048 -C "found extended_master_secret extension" \
1049 -C "using extended master secret" \
1050 -S "using extended master secret"
1051
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1052requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1053run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1054 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1055 "$P_CLI debug_level=3 force_version=ssl3" \
1056 0 \
1057 -C "client hello, adding extended_master_secret extension" \
1058 -S "found extended master secret extension" \
1059 -S "server hello, adding extended master secret extension" \
1060 -C "found extended_master_secret extension" \
1061 -C "using extended master secret" \
1062 -S "using extended master secret"
1063
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1064requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1065run_test "Extended Master Secret: client enabled, server SSLv3" \
1066 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1067 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1068 0 \
1069 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]1070 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]1071 -S "server hello, adding extended master secret extension" \
1072 -C "found extended_master_secret extension" \
1073 -C "using extended master secret" \
1074 -S "using extended master secret"
1075
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1076# Tests for FALLBACK_SCSV
1077
1078run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1079 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1080 "$P_CLI debug_level=3 force_version=tls1_1" \
1081 0 \
1082 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1083 -S "received FALLBACK_SCSV" \
1084 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1085 -C "is a fatal alert message (msg 86)"
1086
1087run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1088 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1089 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1090 0 \
1091 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1092 -S "received FALLBACK_SCSV" \
1093 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1094 -C "is a fatal alert message (msg 86)"
1095
1096run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1097 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1098 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1099 1 \
1100 -c "adding FALLBACK_SCSV" \
1101 -s "received FALLBACK_SCSV" \
1102 -s "inapropriate fallback" \
1103 -c "is a fatal alert message (msg 86)"
1104
1105run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1106 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1107 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1108 0 \
1109 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1110 -s "received FALLBACK_SCSV" \
1111 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]1112 -C "is a fatal alert message (msg 86)"
1113
1114requires_openssl_with_fallback_scsv
1115run_test "Fallback SCSV: default, openssl server" \
1116 "$O_SRV" \
1117 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
1118 0 \
1119 -C "adding FALLBACK_SCSV" \
1120 -C "is a fatal alert message (msg 86)"
1121
1122requires_openssl_with_fallback_scsv
1123run_test "Fallback SCSV: enabled, openssl server" \
1124 "$O_SRV" \
1125 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
1126 1 \
1127 -c "adding FALLBACK_SCSV" \
1128 -c "is a fatal alert message (msg 86)"
1129
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1130requires_openssl_with_fallback_scsv
1131run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1132 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1133 "$O_CLI -tls1_1" \
1134 0 \
1135 -S "received FALLBACK_SCSV" \
1136 -S "inapropriate fallback"
1137
1138requires_openssl_with_fallback_scsv
1139run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1140 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1141 "$O_CLI -tls1_1 -fallback_scsv" \
1142 1 \
1143 -s "received FALLBACK_SCSV" \
1144 -s "inapropriate fallback"
1145
1146requires_openssl_with_fallback_scsv
1147run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]1148 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]1149 "$O_CLI -fallback_scsv" \
1150 0 \
1151 -s "received FALLBACK_SCSV" \
1152 -S "inapropriate fallback"
1153
Andres Amaya Garcia14783c42018-07-10 20:08:04 +0100[diff] [blame]1154# Test sending and receiving empty application data records
1155
1156run_test "Encrypt then MAC: empty application data record" \
1157 "$P_SRV auth_mode=none debug_level=4 etm=1" \
1158 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
1159 0 \
1160 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1161 -s "dumping 'input payload after decrypt' (0 bytes)" \
1162 -c "0 bytes written in 1 fragments"
1163
1164run_test "Default, no Encrypt then MAC: empty application data record" \
1165 "$P_SRV auth_mode=none debug_level=4 etm=0" \
1166 "$P_CLI auth_mode=none etm=0 request_size=0" \
1167 0 \
1168 -s "dumping 'input payload after decrypt' (0 bytes)" \
1169 -c "0 bytes written in 1 fragments"
1170
1171run_test "Encrypt then MAC, DTLS: empty application data record" \
1172 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
1173 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
1174 0 \
1175 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
1176 -s "dumping 'input payload after decrypt' (0 bytes)" \
1177 -c "0 bytes written in 1 fragments"
1178
1179run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
1180 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
1181 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
1182 0 \
1183 -s "dumping 'input payload after decrypt' (0 bytes)" \
1184 -c "0 bytes written in 1 fragments"
1185
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]1186## ClientHello generated with
1187## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
1188## then manually twiddling the ciphersuite list.
1189## The ClientHello content is spelled out below as a hex string as
1190## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
1191## The expected response is an inappropriate_fallback alert.
1192requires_openssl_with_fallback_scsv
1193run_test "Fallback SCSV: beginning of list" \
1194 "$P_SRV debug_level=2" \
1195 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
1196 0 \
1197 -s "received FALLBACK_SCSV" \
1198 -s "inapropriate fallback"
1199
1200requires_openssl_with_fallback_scsv
1201run_test "Fallback SCSV: end of list" \
1202 "$P_SRV debug_level=2" \
1203 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
1204 0 \
1205 -s "received FALLBACK_SCSV" \
1206 -s "inapropriate fallback"
1207
1208## Here the expected response is a valid ServerHello prefix, up to the random.
1209requires_openssl_with_fallback_scsv
1210run_test "Fallback SCSV: not in list" \
1211 "$P_SRV debug_level=2" \
1212 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
1213 0 \
1214 -S "received FALLBACK_SCSV" \
1215 -S "inapropriate fallback"
1216
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1217# Tests for CBC 1/n-1 record splitting
1218
1219run_test "CBC Record splitting: TLS 1.2, no splitting" \
1220 "$P_SRV" \
1221 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1222 request_size=123 force_version=tls1_2" \
1223 0 \
1224 -s "Read from client: 123 bytes read" \
1225 -S "Read from client: 1 bytes read" \
1226 -S "122 bytes read"
1227
1228run_test "CBC Record splitting: TLS 1.1, no splitting" \
1229 "$P_SRV" \
1230 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1231 request_size=123 force_version=tls1_1" \
1232 0 \
1233 -s "Read from client: 123 bytes read" \
1234 -S "Read from client: 1 bytes read" \
1235 -S "122 bytes read"
1236
1237run_test "CBC Record splitting: TLS 1.0, splitting" \
1238 "$P_SRV" \
1239 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1240 request_size=123 force_version=tls1" \
1241 0 \
1242 -S "Read from client: 123 bytes read" \
1243 -s "Read from client: 1 bytes read" \
1244 -s "122 bytes read"
1245
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]1246requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1247run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1248 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1249 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1250 request_size=123 force_version=ssl3" \
1251 0 \
1252 -S "Read from client: 123 bytes read" \
1253 -s "Read from client: 1 bytes read" \
1254 -s "122 bytes read"
1255
1256run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1257 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]1258 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1259 request_size=123 force_version=tls1" \
1260 0 \
1261 -s "Read from client: 123 bytes read" \
1262 -S "Read from client: 1 bytes read" \
1263 -S "122 bytes read"
1264
1265run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1266 "$P_SRV" \
1267 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1268 request_size=123 force_version=tls1 recsplit=0" \
1269 0 \
1270 -s "Read from client: 123 bytes read" \
1271 -S "Read from client: 1 bytes read" \
1272 -S "122 bytes read"
1273
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]1274run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1275 "$P_SRV nbio=2" \
1276 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1277 request_size=123 force_version=tls1" \
1278 0 \
1279 -S "Read from client: 123 bytes read" \
1280 -s "Read from client: 1 bytes read" \
1281 -s "122 bytes read"
1282
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1283# Tests for Session Tickets
1284
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1285run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1286 "$P_SRV debug_level=3 tickets=1" \
1287 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1288 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1289 -c "client hello, adding session ticket extension" \
1290 -s "found session ticket extension" \
1291 -s "server hello, adding session ticket extension" \
1292 -c "found session_ticket extension" \
1293 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1294 -S "session successfully restored from cache" \
1295 -s "session successfully restored from ticket" \
1296 -s "a session has been resumed" \
1297 -c "a session has been resumed"
1298
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1299run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1300 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1301 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1302 0 \
1303 -c "client hello, adding session ticket extension" \
1304 -s "found session ticket extension" \
1305 -s "server hello, adding session ticket extension" \
1306 -c "found session_ticket extension" \
1307 -c "parse new session ticket" \
1308 -S "session successfully restored from cache" \
1309 -s "session successfully restored from ticket" \
1310 -s "a session has been resumed" \
1311 -c "a session has been resumed"
1312
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1313run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1314 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1315 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]1316 0 \
1317 -c "client hello, adding session ticket extension" \
1318 -s "found session ticket extension" \
1319 -s "server hello, adding session ticket extension" \
1320 -c "found session_ticket extension" \
1321 -c "parse new session ticket" \
1322 -S "session successfully restored from cache" \
1323 -S "session successfully restored from ticket" \
1324 -S "a session has been resumed" \
1325 -C "a session has been resumed"
1326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1327run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1328 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1329 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1330 0 \
1331 -c "client hello, adding session ticket extension" \
1332 -c "found session_ticket extension" \
1333 -c "parse new session ticket" \
1334 -c "a session has been resumed"
1335
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1336run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1337 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1338 "( $O_CLI -sess_out $SESSION; \
1339 $O_CLI -sess_in $SESSION; \
1340 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]1341 0 \
1342 -s "found session ticket extension" \
1343 -s "server hello, adding session ticket extension" \
1344 -S "session successfully restored from cache" \
1345 -s "session successfully restored from ticket" \
1346 -s "a session has been resumed"
1347
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame^]1348# Tests for Session Tickets with DTLS
1349
1350run_test "Session resume using tickets, DTLS: basic" \
1351 "$P_SRV debug_level=3 dtls=1 tickets=1" \
1352 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1353 0 \
1354 -c "client hello, adding session ticket extension" \
1355 -s "found session ticket extension" \
1356 -s "server hello, adding session ticket extension" \
1357 -c "found session_ticket extension" \
1358 -c "parse new session ticket" \
1359 -S "session successfully restored from cache" \
1360 -s "session successfully restored from ticket" \
1361 -s "a session has been resumed" \
1362 -c "a session has been resumed"
1363
1364run_test "Session resume using tickets, DTLS: cache disabled" \
1365 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
1366 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
1367 0 \
1368 -c "client hello, adding session ticket extension" \
1369 -s "found session ticket extension" \
1370 -s "server hello, adding session ticket extension" \
1371 -c "found session_ticket extension" \
1372 -c "parse new session ticket" \
1373 -S "session successfully restored from cache" \
1374 -s "session successfully restored from ticket" \
1375 -s "a session has been resumed" \
1376 -c "a session has been resumed"
1377
1378run_test "Session resume using tickets, DTLS: timeout" \
1379 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
1380 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
1381 0 \
1382 -c "client hello, adding session ticket extension" \
1383 -s "found session ticket extension" \
1384 -s "server hello, adding session ticket extension" \
1385 -c "found session_ticket extension" \
1386 -c "parse new session ticket" \
1387 -S "session successfully restored from cache" \
1388 -S "session successfully restored from ticket" \
1389 -S "a session has been resumed" \
1390 -C "a session has been resumed"
1391
1392run_test "Session resume using tickets, DTLS: openssl server" \
1393 "$O_SRV -dtls1" \
1394 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1395 0 \
1396 -c "client hello, adding session ticket extension" \
1397 -c "found session_ticket extension" \
1398 -c "parse new session ticket" \
1399 -c "a session has been resumed"
1400
1401run_test "Session resume using tickets, DTLS: openssl client" \
1402 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1403 "( $O_CLI -dtls1 -sess_out $SESSION; \
1404 $O_CLI -dtls1 -sess_in $SESSION; \
1405 rm -f $SESSION )" \
1406 0 \
1407 -s "found session ticket extension" \
1408 -s "server hello, adding session ticket extension" \
1409 -S "session successfully restored from cache" \
1410 -s "session successfully restored from ticket" \
1411 -s "a session has been resumed"
1412
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1413# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1414
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1415run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1416 "$P_SRV debug_level=3 tickets=0" \
1417 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1418 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1419 -c "client hello, adding session ticket extension" \
1420 -s "found session ticket extension" \
1421 -S "server hello, adding session ticket extension" \
1422 -C "found session_ticket extension" \
1423 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1424 -s "session successfully restored from cache" \
1425 -S "session successfully restored from ticket" \
1426 -s "a session has been resumed" \
1427 -c "a session has been resumed"
1428
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1429run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1430 "$P_SRV debug_level=3 tickets=1" \
1431 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1432 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1433 -C "client hello, adding session ticket extension" \
1434 -S "found session ticket extension" \
1435 -S "server hello, adding session ticket extension" \
1436 -C "found session_ticket extension" \
1437 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1438 -s "session successfully restored from cache" \
1439 -S "session successfully restored from ticket" \
1440 -s "a session has been resumed" \
1441 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1442
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1443run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1444 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1445 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1446 0 \
1447 -S "session successfully restored from cache" \
1448 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1449 -S "a session has been resumed" \
1450 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1451
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1452run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1453 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1454 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1455 0 \
1456 -s "session successfully restored from cache" \
1457 -S "session successfully restored from ticket" \
1458 -s "a session has been resumed" \
1459 -c "a session has been resumed"
1460
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]1461run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1462 "$P_SRV debug_level=3 tickets=0" \
1463 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1464 0 \
1465 -s "session successfully restored from cache" \
1466 -S "session successfully restored from ticket" \
1467 -s "a session has been resumed" \
1468 -c "a session has been resumed"
1469
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1470run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1471 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1472 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]1473 0 \
1474 -S "session successfully restored from cache" \
1475 -S "session successfully restored from ticket" \
1476 -S "a session has been resumed" \
1477 -C "a session has been resumed"
1478
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1479run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1480 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1481 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]1482 0 \
1483 -s "session successfully restored from cache" \
1484 -S "session successfully restored from ticket" \
1485 -s "a session has been resumed" \
1486 -c "a session has been resumed"
1487
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1488run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1489 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1490 "( $O_CLI -sess_out $SESSION; \
1491 $O_CLI -sess_in $SESSION; \
1492 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1493 0 \
1494 -s "found session ticket extension" \
1495 -S "server hello, adding session ticket extension" \
1496 -s "session successfully restored from cache" \
1497 -S "session successfully restored from ticket" \
1498 -s "a session has been resumed"
1499
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1500run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1501 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1502 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]1503 0 \
1504 -C "found session_ticket extension" \
1505 -C "parse new session ticket" \
1506 -c "a session has been resumed"
1507
Hanno Beckerb5546362018-08-21 13:55:22 +0100[diff] [blame^]1508# Tests for Session Resume based on session-ID and cache, DTLS
1509
1510run_test "Session resume using cache, DTLS: tickets enabled on client" \
1511 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1512 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1513 0 \
1514 -c "client hello, adding session ticket extension" \
1515 -s "found session ticket extension" \
1516 -S "server hello, adding session ticket extension" \
1517 -C "found session_ticket extension" \
1518 -C "parse new session ticket" \
1519 -s "session successfully restored from cache" \
1520 -S "session successfully restored from ticket" \
1521 -s "a session has been resumed" \
1522 -c "a session has been resumed"
1523
1524run_test "Session resume using cache, DTLS: tickets enabled on server" \
1525 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1526 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1527 0 \
1528 -C "client hello, adding session ticket extension" \
1529 -S "found session ticket extension" \
1530 -S "server hello, adding session ticket extension" \
1531 -C "found session_ticket extension" \
1532 -C "parse new session ticket" \
1533 -s "session successfully restored from cache" \
1534 -S "session successfully restored from ticket" \
1535 -s "a session has been resumed" \
1536 -c "a session has been resumed"
1537
1538run_test "Session resume using cache, DTLS: cache_max=0" \
1539 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
1540 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1541 0 \
1542 -S "session successfully restored from cache" \
1543 -S "session successfully restored from ticket" \
1544 -S "a session has been resumed" \
1545 -C "a session has been resumed"
1546
1547run_test "Session resume using cache, DTLS: cache_max=1" \
1548 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
1549 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1550 0 \
1551 -s "session successfully restored from cache" \
1552 -S "session successfully restored from ticket" \
1553 -s "a session has been resumed" \
1554 -c "a session has been resumed"
1555
1556run_test "Session resume using cache, DTLS: timeout > delay" \
1557 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1558 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
1559 0 \
1560 -s "session successfully restored from cache" \
1561 -S "session successfully restored from ticket" \
1562 -s "a session has been resumed" \
1563 -c "a session has been resumed"
1564
1565run_test "Session resume using cache, DTLS: timeout < delay" \
1566 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
1567 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1568 0 \
1569 -S "session successfully restored from cache" \
1570 -S "session successfully restored from ticket" \
1571 -S "a session has been resumed" \
1572 -C "a session has been resumed"
1573
1574run_test "Session resume using cache, DTLS: no timeout" \
1575 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
1576 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
1577 0 \
1578 -s "session successfully restored from cache" \
1579 -S "session successfully restored from ticket" \
1580 -s "a session has been resumed" \
1581 -c "a session has been resumed"
1582
1583run_test "Session resume using cache, DTLS: openssl client" \
1584 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1585 "( $O_CLI -dtls1 -sess_out $SESSION; \
1586 $O_CLI -dtls1 -sess_in $SESSION; \
1587 rm -f $SESSION )" \
1588 0 \
1589 -s "found session ticket extension" \
1590 -S "server hello, adding session ticket extension" \
1591 -s "session successfully restored from cache" \
1592 -S "session successfully restored from ticket" \
1593 -s "a session has been resumed"
1594
1595run_test "Session resume using cache, DTLS: openssl server" \
1596 "$O_SRV -dtls1" \
1597 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1598 0 \
1599 -C "found session_ticket extension" \
1600 -C "parse new session ticket" \
1601 -c "a session has been resumed"
1602
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1603# Tests for Max Fragment Length extension
1604
Hanno Becker6428f8d2017-09-22 16:58:50 +0100[diff] [blame]1605MAX_CONTENT_LEN_EXPECT='16384'
1606MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)
1607
1608if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
1609 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
1610 printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n"
1611 printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n"
1612 printf "\n"
1613 printf "The tests assume this value and if it changes, the tests in this\n"
1614 printf "script should also be adjusted.\n"
1615 printf "\n"
1616
1617 exit 1
1618fi
1619
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1620requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1621run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1622 "$P_SRV debug_level=3" \
1623 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1624 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1625 -c "Maximum fragment length is 16384" \
1626 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1627 -C "client hello, adding max_fragment_length extension" \
1628 -S "found max fragment length extension" \
1629 -S "server hello, max_fragment_length extension" \
1630 -C "found max_fragment_length extension"
1631
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1632requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1633run_test "Max fragment length: enabled, default, larger message" \
1634 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1635 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1636 0 \
1637 -c "Maximum fragment length is 16384" \
1638 -s "Maximum fragment length is 16384" \
1639 -C "client hello, adding max_fragment_length extension" \
1640 -S "found max fragment length extension" \
1641 -S "server hello, max_fragment_length extension" \
1642 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1643 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1644 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1645 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1646
1647requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1648run_test "Max fragment length, DTLS: enabled, default, larger message" \
1649 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1650 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1651 1 \
1652 -c "Maximum fragment length is 16384" \
1653 -s "Maximum fragment length is 16384" \
1654 -C "client hello, adding max_fragment_length extension" \
1655 -S "found max fragment length extension" \
1656 -S "server hello, max_fragment_length extension" \
1657 -C "found max_fragment_length extension" \
1658 -c "fragment larger than.*maximum "
1659
1660requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1661run_test "Max fragment length: disabled, larger message" \
1662 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1663 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1664 0 \
1665 -C "Maximum fragment length is 16384" \
1666 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1667 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1668 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1669 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1670
1671requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1672run_test "Max fragment length DTLS: disabled, larger message" \
1673 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]1674 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]1675 1 \
1676 -C "Maximum fragment length is 16384" \
1677 -S "Maximum fragment length is 16384" \
1678 -c "fragment larger than.*maximum "
1679
1680requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1681run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1682 "$P_SRV debug_level=3" \
1683 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1684 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1685 -c "Maximum fragment length is 4096" \
1686 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1687 -c "client hello, adding max_fragment_length extension" \
1688 -s "found max fragment length extension" \
1689 -s "server hello, max_fragment_length extension" \
1690 -c "found max_fragment_length extension"
1691
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1692requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1693run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1694 "$P_SRV debug_level=3 max_frag_len=4096" \
1695 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1696 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1697 -c "Maximum fragment length is 16384" \
1698 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]1699 -C "client hello, adding max_fragment_length extension" \
1700 -S "found max fragment length extension" \
1701 -S "server hello, max_fragment_length extension" \
1702 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1703
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1704requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1705requires_gnutls
1706run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1707 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1708 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1709 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1710 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]1711 -c "client hello, adding max_fragment_length extension" \
1712 -c "found max_fragment_length extension"
1713
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1714requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1715run_test "Max fragment length: client, message just fits" \
1716 "$P_SRV debug_level=3" \
1717 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1718 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1719 -c "Maximum fragment length is 2048" \
1720 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1721 -c "client hello, adding max_fragment_length extension" \
1722 -s "found max fragment length extension" \
1723 -s "server hello, max_fragment_length extension" \
1724 -c "found max_fragment_length extension" \
1725 -c "2048 bytes written in 1 fragments" \
1726 -s "2048 bytes read"
1727
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1728requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1729run_test "Max fragment length: client, larger message" \
1730 "$P_SRV debug_level=3" \
1731 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1732 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1733 -c "Maximum fragment length is 2048" \
1734 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1735 -c "client hello, adding max_fragment_length extension" \
1736 -s "found max fragment length extension" \
1737 -s "server hello, max_fragment_length extension" \
1738 -c "found max_fragment_length extension" \
1739 -c "2345 bytes written in 2 fragments" \
1740 -s "2048 bytes read" \
1741 -s "297 bytes read"
1742
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]1743requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]1744run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1745 "$P_SRV debug_level=3 dtls=1" \
1746 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1747 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +0200[diff] [blame]1748 -c "Maximum fragment length is 2048" \
1749 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]1750 -c "client hello, adding max_fragment_length extension" \
1751 -s "found max fragment length extension" \
1752 -s "server hello, max_fragment_length extension" \
1753 -c "found max_fragment_length extension" \
1754 -c "fragment larger than.*maximum"
1755
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1756# Tests for renegotiation
1757
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1758# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1759run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1760 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1761 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1762 0 \
1763 -C "client hello, adding renegotiation extension" \
1764 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1765 -S "found renegotiation extension" \
1766 -s "server hello, secure renegotiation extension" \
1767 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1768 -C "=> renegotiate" \
1769 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1770 -S "write hello request"
1771
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1772requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1773run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1774 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1775 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1776 0 \
1777 -c "client hello, adding renegotiation extension" \
1778 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1779 -s "found renegotiation extension" \
1780 -s "server hello, secure renegotiation extension" \
1781 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1782 -c "=> renegotiate" \
1783 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1784 -S "write hello request"
1785
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1786requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1787run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1788 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1789 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1790 0 \
1791 -c "client hello, adding renegotiation extension" \
1792 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1793 -s "found renegotiation extension" \
1794 -s "server hello, secure renegotiation extension" \
1795 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1796 -c "=> renegotiate" \
1797 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1798 -s "write hello request"
1799
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1800# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1801# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1802# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1803requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1804run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
1805 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
1806 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
1807 0 \
1808 -c "client hello, adding renegotiation extension" \
1809 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1810 -s "found renegotiation extension" \
1811 -s "server hello, secure renegotiation extension" \
1812 -c "found renegotiation extension" \
1813 -c "=> renegotiate" \
1814 -s "=> renegotiate" \
1815 -S "write hello request" \
1816 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1817
1818# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
1819# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
1820# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1821requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]1822run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
1823 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
1824 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1825 0 \
1826 -c "client hello, adding renegotiation extension" \
1827 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1828 -s "found renegotiation extension" \
1829 -s "server hello, secure renegotiation extension" \
1830 -c "found renegotiation extension" \
1831 -c "=> renegotiate" \
1832 -s "=> renegotiate" \
1833 -s "write hello request" \
1834 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
1835
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1836requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1837run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1838 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1839 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1840 0 \
1841 -c "client hello, adding renegotiation extension" \
1842 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1843 -s "found renegotiation extension" \
1844 -s "server hello, secure renegotiation extension" \
1845 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1846 -c "=> renegotiate" \
1847 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1848 -s "write hello request"
1849
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1850requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1851run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1852 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1853 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1854 1 \
1855 -c "client hello, adding renegotiation extension" \
1856 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1857 -S "found renegotiation extension" \
1858 -s "server hello, secure renegotiation extension" \
1859 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1860 -c "=> renegotiate" \
1861 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1862 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]1863 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1864 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1865
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1866requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1867run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1868 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1869 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1870 0 \
1871 -C "client hello, adding renegotiation extension" \
1872 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1873 -S "found renegotiation extension" \
1874 -s "server hello, secure renegotiation extension" \
1875 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]1876 -C "=> renegotiate" \
1877 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1878 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]1879 -S "SSL - An unexpected message was received from our peer" \
1880 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1881
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1882requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1883run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1884 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1885 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1886 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1887 0 \
1888 -C "client hello, adding renegotiation extension" \
1889 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1890 -S "found renegotiation extension" \
1891 -s "server hello, secure renegotiation extension" \
1892 -c "found renegotiation extension" \
1893 -C "=> renegotiate" \
1894 -S "=> renegotiate" \
1895 -s "write hello request" \
1896 -S "SSL - An unexpected message was received from our peer" \
1897 -S "failed"
1898
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1899# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1900requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1901run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1902 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1903 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1904 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1905 0 \
1906 -C "client hello, adding renegotiation extension" \
1907 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1908 -S "found renegotiation extension" \
1909 -s "server hello, secure renegotiation extension" \
1910 -c "found renegotiation extension" \
1911 -C "=> renegotiate" \
1912 -S "=> renegotiate" \
1913 -s "write hello request" \
1914 -S "SSL - An unexpected message was received from our peer" \
1915 -S "failed"
1916
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1917requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1918run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1919 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1920 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1921 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1922 0 \
1923 -C "client hello, adding renegotiation extension" \
1924 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1925 -S "found renegotiation extension" \
1926 -s "server hello, secure renegotiation extension" \
1927 -c "found renegotiation extension" \
1928 -C "=> renegotiate" \
1929 -S "=> renegotiate" \
1930 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]1931 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1932
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1933requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]1934run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1935 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1936 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1937 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]1938 0 \
1939 -c "client hello, adding renegotiation extension" \
1940 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1941 -s "found renegotiation extension" \
1942 -s "server hello, secure renegotiation extension" \
1943 -c "found renegotiation extension" \
1944 -c "=> renegotiate" \
1945 -s "=> renegotiate" \
1946 -s "write hello request" \
1947 -S "SSL - An unexpected message was received from our peer" \
1948 -S "failed"
1949
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1950requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1951run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1952 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1953 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
1954 0 \
1955 -C "client hello, adding renegotiation extension" \
1956 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1957 -S "found renegotiation extension" \
1958 -s "server hello, secure renegotiation extension" \
1959 -c "found renegotiation extension" \
1960 -S "record counter limit reached: renegotiate" \
1961 -C "=> renegotiate" \
1962 -S "=> renegotiate" \
1963 -S "write hello request" \
1964 -S "SSL - An unexpected message was received from our peer" \
1965 -S "failed"
1966
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1967# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1968requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1969run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1970 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1971 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1972 0 \
1973 -c "client hello, adding renegotiation extension" \
1974 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1975 -s "found renegotiation extension" \
1976 -s "server hello, secure renegotiation extension" \
1977 -c "found renegotiation extension" \
1978 -s "record counter limit reached: renegotiate" \
1979 -c "=> renegotiate" \
1980 -s "=> renegotiate" \
1981 -s "write hello request" \
1982 -S "SSL - An unexpected message was received from our peer" \
1983 -S "failed"
1984
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]1985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1986run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]1987 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]1988 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]1989 0 \
1990 -c "client hello, adding renegotiation extension" \
1991 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
1992 -s "found renegotiation extension" \
1993 -s "server hello, secure renegotiation extension" \
1994 -c "found renegotiation extension" \
1995 -s "record counter limit reached: renegotiate" \
1996 -c "=> renegotiate" \
1997 -s "=> renegotiate" \
1998 -s "write hello request" \
1999 -S "SSL - An unexpected message was received from our peer" \
2000 -S "failed"
2001
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2002requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2003run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2004 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]2005 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
2006 0 \
2007 -C "client hello, adding renegotiation extension" \
2008 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2009 -S "found renegotiation extension" \
2010 -s "server hello, secure renegotiation extension" \
2011 -c "found renegotiation extension" \
2012 -S "record counter limit reached: renegotiate" \
2013 -C "=> renegotiate" \
2014 -S "=> renegotiate" \
2015 -S "write hello request" \
2016 -S "SSL - An unexpected message was received from our peer" \
2017 -S "failed"
2018
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2019requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2020run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2021 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2022 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2023 0 \
2024 -c "client hello, adding renegotiation extension" \
2025 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2026 -s "found renegotiation extension" \
2027 -s "server hello, secure renegotiation extension" \
2028 -c "found renegotiation extension" \
2029 -c "=> renegotiate" \
2030 -s "=> renegotiate" \
2031 -S "write hello request"
2032
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2033requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2034run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]2035 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2036 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]2037 0 \
2038 -c "client hello, adding renegotiation extension" \
2039 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2040 -s "found renegotiation extension" \
2041 -s "server hello, secure renegotiation extension" \
2042 -c "found renegotiation extension" \
2043 -c "=> renegotiate" \
2044 -s "=> renegotiate" \
2045 -s "write hello request"
2046
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2047requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2048run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]2049 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2050 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2051 0 \
2052 -c "client hello, adding renegotiation extension" \
2053 -c "found renegotiation extension" \
2054 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2055 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2056 -C "error" \
2057 -c "HTTP/1.0 200 [Oo][Kk]"
2058
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2059requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2060requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2061run_test "Renegotiation: gnutls server strict, client-initiated" \
2062 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2063 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2064 0 \
2065 -c "client hello, adding renegotiation extension" \
2066 -c "found renegotiation extension" \
2067 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2068 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]2069 -C "error" \
2070 -c "HTTP/1.0 200 [Oo][Kk]"
2071
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2072requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2073requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2074run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
2075 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2076 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
2077 1 \
2078 -c "client hello, adding renegotiation extension" \
2079 -C "found renegotiation extension" \
2080 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2081 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2082 -c "error" \
2083 -C "HTTP/1.0 200 [Oo][Kk]"
2084
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2085requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2086requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2087run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
2088 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2089 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2090 allow_legacy=0" \
2091 1 \
2092 -c "client hello, adding renegotiation extension" \
2093 -C "found renegotiation extension" \
2094 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2095 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2096 -c "error" \
2097 -C "HTTP/1.0 200 [Oo][Kk]"
2098
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2099requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2100requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2101run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
2102 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2103 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
2104 allow_legacy=1" \
2105 0 \
2106 -c "client hello, adding renegotiation extension" \
2107 -C "found renegotiation extension" \
2108 -c "=> renegotiate" \
2109 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2110 -C "error" \
2111 -c "HTTP/1.0 200 [Oo][Kk]"
2112
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2113requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]2114run_test "Renegotiation: DTLS, client-initiated" \
2115 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
2116 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
2117 0 \
2118 -c "client hello, adding renegotiation extension" \
2119 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2120 -s "found renegotiation extension" \
2121 -s "server hello, secure renegotiation extension" \
2122 -c "found renegotiation extension" \
2123 -c "=> renegotiate" \
2124 -s "=> renegotiate" \
2125 -S "write hello request"
2126
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2127requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2128run_test "Renegotiation: DTLS, server-initiated" \
2129 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]2130 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
2131 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]2132 0 \
2133 -c "client hello, adding renegotiation extension" \
2134 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2135 -s "found renegotiation extension" \
2136 -s "server hello, secure renegotiation extension" \
2137 -c "found renegotiation extension" \
2138 -c "=> renegotiate" \
2139 -s "=> renegotiate" \
2140 -s "write hello request"
2141
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2142requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2143run_test "Renegotiation: DTLS, renego_period overflow" \
2144 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
2145 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
2146 0 \
2147 -c "client hello, adding renegotiation extension" \
2148 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
2149 -s "found renegotiation extension" \
2150 -s "server hello, secure renegotiation extension" \
2151 -s "record counter limit reached: renegotiate" \
2152 -c "=> renegotiate" \
2153 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2154 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]2155
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]2156requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]2157requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2158run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
2159 "$G_SRV -u --mtu 4096" \
2160 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
2161 0 \
2162 -c "client hello, adding renegotiation extension" \
2163 -c "found renegotiation extension" \
2164 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2165 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]2166 -C "error" \
2167 -s "Extra-header:"
2168
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2169# Test for the "secure renegotation" extension only (no actual renegotiation)
2170
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2171requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2172run_test "Renego ext: gnutls server strict, client default" \
2173 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
2174 "$P_CLI debug_level=3" \
2175 0 \
2176 -c "found renegotiation extension" \
2177 -C "error" \
2178 -c "HTTP/1.0 200 [Oo][Kk]"
2179
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2180requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2181run_test "Renego ext: gnutls server unsafe, client default" \
2182 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2183 "$P_CLI debug_level=3" \
2184 0 \
2185 -C "found renegotiation extension" \
2186 -C "error" \
2187 -c "HTTP/1.0 200 [Oo][Kk]"
2188
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2189requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2190run_test "Renego ext: gnutls server unsafe, client break legacy" \
2191 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2192 "$P_CLI debug_level=3 allow_legacy=-1" \
2193 1 \
2194 -C "found renegotiation extension" \
2195 -c "error" \
2196 -C "HTTP/1.0 200 [Oo][Kk]"
2197
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2198requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2199run_test "Renego ext: gnutls client strict, server default" \
2200 "$P_SRV debug_level=3" \
2201 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
2202 0 \
2203 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2204 -s "server hello, secure renegotiation extension"
2205
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2206requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2207run_test "Renego ext: gnutls client unsafe, server default" \
2208 "$P_SRV debug_level=3" \
2209 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2210 0 \
2211 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2212 -S "server hello, secure renegotiation extension"
2213
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]2214requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]2215run_test "Renego ext: gnutls client unsafe, server break legacy" \
2216 "$P_SRV debug_level=3 allow_legacy=-1" \
2217 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
2218 1 \
2219 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
2220 -S "server hello, secure renegotiation extension"
2221
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]2222# Tests for silently dropping trailing extra bytes in .der certificates
2223
2224requires_gnutls
2225run_test "DER format: no trailing bytes" \
2226 "$P_SRV crt_file=data_files/server5-der0.crt \
2227 key_file=data_files/server5.key" \
2228 "$G_CLI " \
2229 0 \
2230 -c "Handshake was completed" \
2231
2232requires_gnutls
2233run_test "DER format: with a trailing zero byte" \
2234 "$P_SRV crt_file=data_files/server5-der1a.crt \
2235 key_file=data_files/server5.key" \
2236 "$G_CLI " \
2237 0 \
2238 -c "Handshake was completed" \
2239
2240requires_gnutls
2241run_test "DER format: with a trailing random byte" \
2242 "$P_SRV crt_file=data_files/server5-der1b.crt \
2243 key_file=data_files/server5.key" \
2244 "$G_CLI " \
2245 0 \
2246 -c "Handshake was completed" \
2247
2248requires_gnutls
2249run_test "DER format: with 2 trailing random bytes" \
2250 "$P_SRV crt_file=data_files/server5-der2.crt \
2251 key_file=data_files/server5.key" \
2252 "$G_CLI " \
2253 0 \
2254 -c "Handshake was completed" \
2255
2256requires_gnutls
2257run_test "DER format: with 4 trailing random bytes" \
2258 "$P_SRV crt_file=data_files/server5-der4.crt \
2259 key_file=data_files/server5.key" \
2260 "$G_CLI " \
2261 0 \
2262 -c "Handshake was completed" \
2263
2264requires_gnutls
2265run_test "DER format: with 8 trailing random bytes" \
2266 "$P_SRV crt_file=data_files/server5-der8.crt \
2267 key_file=data_files/server5.key" \
2268 "$G_CLI " \
2269 0 \
2270 -c "Handshake was completed" \
2271
2272requires_gnutls
2273run_test "DER format: with 9 trailing random bytes" \
2274 "$P_SRV crt_file=data_files/server5-der9.crt \
2275 key_file=data_files/server5.key" \
2276 "$G_CLI " \
2277 0 \
2278 -c "Handshake was completed" \
2279
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2280# Tests for auth_mode
2281
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2282run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2283 "$P_SRV crt_file=data_files/server5-badsign.crt \
2284 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2285 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2286 1 \
2287 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2288 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2289 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2290 -c "X509 - Certificate verification failed"
2291
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2292run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2293 "$P_SRV crt_file=data_files/server5-badsign.crt \
2294 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2295 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2296 0 \
2297 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2298 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2299 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2300 -C "X509 - Certificate verification failed"
2301
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]2302run_test "Authentication: server goodcert, client optional, no trusted CA" \
2303 "$P_SRV" \
2304 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
2305 0 \
2306 -c "x509_verify_cert() returned" \
2307 -c "! The certificate is not correctly signed by the trusted CA" \
2308 -c "! Certificate verification flags"\
2309 -C "! mbedtls_ssl_handshake returned" \
2310 -C "X509 - Certificate verification failed" \
2311 -C "SSL - No CA Chain is set, but required to operate"
2312
2313run_test "Authentication: server goodcert, client required, no trusted CA" \
2314 "$P_SRV" \
2315 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
2316 1 \
2317 -c "x509_verify_cert() returned" \
2318 -c "! The certificate is not correctly signed by the trusted CA" \
2319 -c "! Certificate verification flags"\
2320 -c "! mbedtls_ssl_handshake returned" \
2321 -c "SSL - No CA Chain is set, but required to operate"
2322
2323# The purpose of the next two tests is to test the client's behaviour when receiving a server
2324# certificate with an unsupported elliptic curve. This should usually not happen because
2325# the client informs the server about the supported curves - it does, though, in the
2326# corner case of a static ECDH suite, because the server doesn't check the curve on that
2327# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
2328# different means to have the server ignoring the client's supported curve list.
2329
2330requires_config_enabled MBEDTLS_ECP_C
2331run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
2332 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2333 crt_file=data_files/server5.ku-ka.crt" \
2334 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
2335 1 \
2336 -c "bad certificate (EC key curve)"\
2337 -c "! Certificate verification flags"\
2338 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
2339
2340requires_config_enabled MBEDTLS_ECP_C
2341run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
2342 "$P_SRV debug_level=1 key_file=data_files/server5.key \
2343 crt_file=data_files/server5.ku-ka.crt" \
2344 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
2345 1 \
2346 -c "bad certificate (EC key curve)"\
2347 -c "! Certificate verification flags"\
2348 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
2349
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2350run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]2351 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2352 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2353 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2354 0 \
2355 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2356 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2358 -C "X509 - Certificate verification failed"
2359
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]2360run_test "Authentication: client SHA256, server required" \
2361 "$P_SRV auth_mode=required" \
2362 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2363 key_file=data_files/server6.key \
2364 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
2365 0 \
2366 -c "Supported Signature Algorithm found: 4," \
2367 -c "Supported Signature Algorithm found: 5,"
2368
2369run_test "Authentication: client SHA384, server required" \
2370 "$P_SRV auth_mode=required" \
2371 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
2372 key_file=data_files/server6.key \
2373 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
2374 0 \
2375 -c "Supported Signature Algorithm found: 4," \
2376 -c "Supported Signature Algorithm found: 5,"
2377
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2378requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
2379run_test "Authentication: client has no cert, server required (SSLv3)" \
2380 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
2381 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
2382 key_file=data_files/server5.key" \
2383 1 \
2384 -S "skip write certificate request" \
2385 -C "skip parse certificate request" \
2386 -c "got a certificate request" \
2387 -c "got no certificate to send" \
2388 -S "x509_verify_cert() returned" \
2389 -s "client has no certificate" \
2390 -s "! mbedtls_ssl_handshake returned" \
2391 -c "! mbedtls_ssl_handshake returned" \
2392 -s "No client certification received from the client, but required by the authentication mode"
2393
2394run_test "Authentication: client has no cert, server required (TLS)" \
2395 "$P_SRV debug_level=3 auth_mode=required" \
2396 "$P_CLI debug_level=3 crt_file=none \
2397 key_file=data_files/server5.key" \
2398 1 \
2399 -S "skip write certificate request" \
2400 -C "skip parse certificate request" \
2401 -c "got a certificate request" \
2402 -c "= write certificate$" \
2403 -C "skip write certificate$" \
2404 -S "x509_verify_cert() returned" \
2405 -s "client has no certificate" \
2406 -s "! mbedtls_ssl_handshake returned" \
2407 -c "! mbedtls_ssl_handshake returned" \
2408 -s "No client certification received from the client, but required by the authentication mode"
2409
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2410run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2411 "$P_SRV debug_level=3 auth_mode=required" \
2412 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2413 key_file=data_files/server5.key" \
2414 1 \
2415 -S "skip write certificate request" \
2416 -C "skip parse certificate request" \
2417 -c "got a certificate request" \
2418 -C "skip write certificate" \
2419 -C "skip write certificate verify" \
2420 -S "skip parse certificate verify" \
2421 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2422 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2423 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2424 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2425 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2426 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]2427# We don't check that the client receives the alert because it might
2428# detect that its write end of the connection is closed and abort
2429# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2430
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2431run_test "Authentication: client cert not trusted, server required" \
2432 "$P_SRV debug_level=3 auth_mode=required" \
2433 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2434 key_file=data_files/server5.key" \
2435 1 \
2436 -S "skip write certificate request" \
2437 -C "skip parse certificate request" \
2438 -c "got a certificate request" \
2439 -C "skip write certificate" \
2440 -C "skip write certificate verify" \
2441 -S "skip parse certificate verify" \
2442 -s "x509_verify_cert() returned" \
2443 -s "! The certificate is not correctly signed by the trusted CA" \
2444 -s "! mbedtls_ssl_handshake returned" \
2445 -c "! mbedtls_ssl_handshake returned" \
2446 -s "X509 - Certificate verification failed"
2447
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2448run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2449 "$P_SRV debug_level=3 auth_mode=optional" \
2450 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2451 key_file=data_files/server5.key" \
2452 0 \
2453 -S "skip write certificate request" \
2454 -C "skip parse certificate request" \
2455 -c "got a certificate request" \
2456 -C "skip write certificate" \
2457 -C "skip write certificate verify" \
2458 -S "skip parse certificate verify" \
2459 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2460 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2461 -S "! mbedtls_ssl_handshake returned" \
2462 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2463 -S "X509 - Certificate verification failed"
2464
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2465run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2466 "$P_SRV debug_level=3 auth_mode=none" \
2467 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2468 key_file=data_files/server5.key" \
2469 0 \
2470 -s "skip write certificate request" \
2471 -C "skip parse certificate request" \
2472 -c "got no certificate request" \
2473 -c "skip write certificate" \
2474 -c "skip write certificate verify" \
2475 -s "skip parse certificate verify" \
2476 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2477 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2478 -S "! mbedtls_ssl_handshake returned" \
2479 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]2480 -S "X509 - Certificate verification failed"
2481
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2482run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2483 "$P_SRV debug_level=3 auth_mode=optional" \
2484 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2485 0 \
2486 -S "skip write certificate request" \
2487 -C "skip parse certificate request" \
2488 -c "got a certificate request" \
2489 -C "skip write certificate$" \
2490 -C "got no certificate to send" \
2491 -S "SSLv3 client has no certificate" \
2492 -c "skip write certificate verify" \
2493 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2494 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2495 -S "! mbedtls_ssl_handshake returned" \
2496 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2497 -S "X509 - Certificate verification failed"
2498
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2499run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2500 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2501 "$O_CLI" \
2502 0 \
2503 -S "skip write certificate request" \
2504 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2505 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2506 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2507 -S "X509 - Certificate verification failed"
2508
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2509run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2510 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2511 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2512 0 \
2513 -C "skip parse certificate request" \
2514 -c "got a certificate request" \
2515 -C "skip write certificate$" \
2516 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2517 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2518
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]2519run_test "Authentication: client no cert, openssl server required" \
2520 "$O_SRV -Verify 10" \
2521 "$P_CLI debug_level=3 crt_file=none key_file=none" \
2522 1 \
2523 -C "skip parse certificate request" \
2524 -c "got a certificate request" \
2525 -C "skip write certificate$" \
2526 -c "skip write certificate verify" \
2527 -c "! mbedtls_ssl_handshake returned"
2528
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2529requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2530run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2531 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]2532 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2533 0 \
2534 -S "skip write certificate request" \
2535 -C "skip parse certificate request" \
2536 -c "got a certificate request" \
2537 -C "skip write certificate$" \
2538 -c "skip write certificate verify" \
2539 -c "got no certificate to send" \
2540 -s "SSLv3 client has no certificate" \
2541 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]2542 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2543 -S "! mbedtls_ssl_handshake returned" \
2544 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]2545 -S "X509 - Certificate verification failed"
2546
Manuel Pégourié-Gonnard9107b5f2017-07-06 12:16:25 +0200[diff] [blame]2547# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
2548# default value (8)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2549
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2550MAX_IM_CA='8'
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2551MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2552
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2553if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2554 printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2555 printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2556 printf "test value of ${MAX_IM_CA}. \n"
2557 printf "\n"
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]2558 printf "The tests assume this value and if it changes, the tests in this\n"
2559 printf "script should also be adjusted.\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2560 printf "\n"
Simon Butcher06b78632017-07-28 01:00:17 +0100[diff] [blame]2561
2562 exit 1
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]2563fi
2564
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]2565run_test "Authentication: server max_int chain, client default" \
2566 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
2567 key_file=data_files/dir-maxpath/09.key" \
2568 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
2569 0 \
2570 -C "X509 - A fatal error occured"
2571
2572run_test "Authentication: server max_int+1 chain, client default" \
2573 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2574 key_file=data_files/dir-maxpath/10.key" \
2575 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
2576 1 \
2577 -c "X509 - A fatal error occured"
2578
2579run_test "Authentication: server max_int+1 chain, client optional" \
2580 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2581 key_file=data_files/dir-maxpath/10.key" \
2582 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2583 auth_mode=optional" \
2584 1 \
2585 -c "X509 - A fatal error occured"
2586
2587run_test "Authentication: server max_int+1 chain, client none" \
2588 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
2589 key_file=data_files/dir-maxpath/10.key" \
2590 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
2591 auth_mode=none" \
2592 0 \
2593 -C "X509 - A fatal error occured"
2594
2595run_test "Authentication: client max_int+1 chain, server default" \
2596 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
2597 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2598 key_file=data_files/dir-maxpath/10.key" \
2599 0 \
2600 -S "X509 - A fatal error occured"
2601
2602run_test "Authentication: client max_int+1 chain, server optional" \
2603 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
2604 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2605 key_file=data_files/dir-maxpath/10.key" \
2606 1 \
2607 -s "X509 - A fatal error occured"
2608
2609run_test "Authentication: client max_int+1 chain, server required" \
2610 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2611 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
2612 key_file=data_files/dir-maxpath/10.key" \
2613 1 \
2614 -s "X509 - A fatal error occured"
2615
2616run_test "Authentication: client max_int chain, server required" \
2617 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
2618 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
2619 key_file=data_files/dir-maxpath/09.key" \
2620 0 \
2621 -S "X509 - A fatal error occured"
2622
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]2623# Tests for CA list in CertificateRequest messages
2624
2625run_test "Authentication: send CA list in CertificateRequest (default)" \
2626 "$P_SRV debug_level=3 auth_mode=required" \
2627 "$P_CLI crt_file=data_files/server6.crt \
2628 key_file=data_files/server6.key" \
2629 0 \
2630 -s "requested DN"
2631
2632run_test "Authentication: do not send CA list in CertificateRequest" \
2633 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2634 "$P_CLI crt_file=data_files/server6.crt \
2635 key_file=data_files/server6.key" \
2636 0 \
2637 -S "requested DN"
2638
2639run_test "Authentication: send CA list in CertificateRequest, client self signed" \
2640 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
2641 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
2642 key_file=data_files/server5.key" \
2643 1 \
2644 -S "requested DN" \
2645 -s "x509_verify_cert() returned" \
2646 -s "! The certificate is not correctly signed by the trusted CA" \
2647 -s "! mbedtls_ssl_handshake returned" \
2648 -c "! mbedtls_ssl_handshake returned" \
2649 -s "X509 - Certificate verification failed"
2650
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]2651# Tests for certificate selection based on SHA verson
2652
2653run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
2654 "$P_SRV crt_file=data_files/server5.crt \
2655 key_file=data_files/server5.key \
2656 crt_file2=data_files/server5-sha1.crt \
2657 key_file2=data_files/server5.key" \
2658 "$P_CLI force_version=tls1_2" \
2659 0 \
2660 -c "signed using.*ECDSA with SHA256" \
2661 -C "signed using.*ECDSA with SHA1"
2662
2663run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
2664 "$P_SRV crt_file=data_files/server5.crt \
2665 key_file=data_files/server5.key \
2666 crt_file2=data_files/server5-sha1.crt \
2667 key_file2=data_files/server5.key" \
2668 "$P_CLI force_version=tls1_1" \
2669 0 \
2670 -C "signed using.*ECDSA with SHA256" \
2671 -c "signed using.*ECDSA with SHA1"
2672
2673run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
2674 "$P_SRV crt_file=data_files/server5.crt \
2675 key_file=data_files/server5.key \
2676 crt_file2=data_files/server5-sha1.crt \
2677 key_file2=data_files/server5.key" \
2678 "$P_CLI force_version=tls1" \
2679 0 \
2680 -C "signed using.*ECDSA with SHA256" \
2681 -c "signed using.*ECDSA with SHA1"
2682
2683run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
2684 "$P_SRV crt_file=data_files/server5.crt \
2685 key_file=data_files/server5.key \
2686 crt_file2=data_files/server6.crt \
2687 key_file2=data_files/server6.key" \
2688 "$P_CLI force_version=tls1_1" \
2689 0 \
2690 -c "serial number.*09" \
2691 -c "signed using.*ECDSA with SHA256" \
2692 -C "signed using.*ECDSA with SHA1"
2693
2694run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
2695 "$P_SRV crt_file=data_files/server6.crt \
2696 key_file=data_files/server6.key \
2697 crt_file2=data_files/server5.crt \
2698 key_file2=data_files/server5.key" \
2699 "$P_CLI force_version=tls1_1" \
2700 0 \
2701 -c "serial number.*0A" \
2702 -c "signed using.*ECDSA with SHA256" \
2703 -C "signed using.*ECDSA with SHA1"
2704
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2705# tests for SNI
2706
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2707run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2708 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2709 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2710 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2711 0 \
2712 -S "parse ServerName extension" \
2713 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2714 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2715
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2716run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2717 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2718 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2719 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2720 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2721 0 \
2722 -s "parse ServerName extension" \
2723 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2724 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2725
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2726run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2727 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2728 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2729 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2730 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2731 0 \
2732 -s "parse ServerName extension" \
2733 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2734 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2735
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2736run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2737 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2738 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]2739 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]2740 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2741 1 \
2742 -s "parse ServerName extension" \
2743 -s "ssl_sni_wrapper() returned" \
2744 -s "mbedtls_ssl_handshake returned" \
2745 -c "mbedtls_ssl_handshake returned" \
2746 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]2747
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2748run_test "SNI: client auth no override: optional" \
2749 "$P_SRV debug_level=3 auth_mode=optional \
2750 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2751 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2752 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2753 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2754 -S "skip write certificate request" \
2755 -C "skip parse certificate request" \
2756 -c "got a certificate request" \
2757 -C "skip write certificate" \
2758 -C "skip write certificate verify" \
2759 -S "skip parse certificate verify"
2760
2761run_test "SNI: client auth override: none -> optional" \
2762 "$P_SRV debug_level=3 auth_mode=none \
2763 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2764 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2765 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2766 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2767 -S "skip write certificate request" \
2768 -C "skip parse certificate request" \
2769 -c "got a certificate request" \
2770 -C "skip write certificate" \
2771 -C "skip write certificate verify" \
2772 -S "skip parse certificate verify"
2773
2774run_test "SNI: client auth override: optional -> none" \
2775 "$P_SRV debug_level=3 auth_mode=optional \
2776 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2777 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2778 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2779 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]2780 -s "skip write certificate request" \
2781 -C "skip parse certificate request" \
2782 -c "got no certificate request" \
2783 -c "skip write certificate" \
2784 -c "skip write certificate verify" \
2785 -s "skip parse certificate verify"
2786
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]2787run_test "SNI: CA no override" \
2788 "$P_SRV debug_level=3 auth_mode=optional \
2789 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2790 ca_file=data_files/test-ca.crt \
2791 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2792 "$P_CLI debug_level=3 server_name=localhost \
2793 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2794 1 \
2795 -S "skip write certificate request" \
2796 -C "skip parse certificate request" \
2797 -c "got a certificate request" \
2798 -C "skip write certificate" \
2799 -C "skip write certificate verify" \
2800 -S "skip parse certificate verify" \
2801 -s "x509_verify_cert() returned" \
2802 -s "! The certificate is not correctly signed by the trusted CA" \
2803 -S "The certificate has been revoked (is on a CRL)"
2804
2805run_test "SNI: CA override" \
2806 "$P_SRV debug_level=3 auth_mode=optional \
2807 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2808 ca_file=data_files/test-ca.crt \
2809 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2810 "$P_CLI debug_level=3 server_name=localhost \
2811 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2812 0 \
2813 -S "skip write certificate request" \
2814 -C "skip parse certificate request" \
2815 -c "got a certificate request" \
2816 -C "skip write certificate" \
2817 -C "skip write certificate verify" \
2818 -S "skip parse certificate verify" \
2819 -S "x509_verify_cert() returned" \
2820 -S "! The certificate is not correctly signed by the trusted CA" \
2821 -S "The certificate has been revoked (is on a CRL)"
2822
2823run_test "SNI: CA override with CRL" \
2824 "$P_SRV debug_level=3 auth_mode=optional \
2825 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2826 ca_file=data_files/test-ca.crt \
2827 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2828 "$P_CLI debug_level=3 server_name=localhost \
2829 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2830 1 \
2831 -S "skip write certificate request" \
2832 -C "skip parse certificate request" \
2833 -c "got a certificate request" \
2834 -C "skip write certificate" \
2835 -C "skip write certificate verify" \
2836 -S "skip parse certificate verify" \
2837 -s "x509_verify_cert() returned" \
2838 -S "! The certificate is not correctly signed by the trusted CA" \
2839 -s "The certificate has been revoked (is on a CRL)"
2840
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2841# Tests for SNI and DTLS
2842
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +0100[diff] [blame]2843run_test "SNI: DTLS, no SNI callback" \
2844 "$P_SRV debug_level=3 dtls=1 \
2845 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
2846 "$P_CLI server_name=localhost dtls=1" \
2847 0 \
2848 -S "parse ServerName extension" \
2849 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
2850 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2851
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]2852run_test "SNI: DTLS, matching cert 1" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2853 "$P_SRV debug_level=3 dtls=1 \
2854 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2855 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2856 "$P_CLI server_name=localhost dtls=1" \
2857 0 \
2858 -s "parse ServerName extension" \
2859 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2860 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
2861
Andres Amaya Garciaf9519bf2018-05-01 20:27:37 +0100[diff] [blame]2862run_test "SNI: DTLS, matching cert 2" \
2863 "$P_SRV debug_level=3 dtls=1 \
2864 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2865 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2866 "$P_CLI server_name=polarssl.example dtls=1" \
2867 0 \
2868 -s "parse ServerName extension" \
2869 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
2870 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
2871
2872run_test "SNI: DTLS, no matching cert" \
2873 "$P_SRV debug_level=3 dtls=1 \
2874 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2875 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
2876 "$P_CLI server_name=nonesuch.example dtls=1" \
2877 1 \
2878 -s "parse ServerName extension" \
2879 -s "ssl_sni_wrapper() returned" \
2880 -s "mbedtls_ssl_handshake returned" \
2881 -c "mbedtls_ssl_handshake returned" \
2882 -c "SSL - A fatal alert message was received from our peer"
2883
2884run_test "SNI: DTLS, client auth no override: optional" \
2885 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2886 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2887 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
2888 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2889 0 \
2890 -S "skip write certificate request" \
2891 -C "skip parse certificate request" \
2892 -c "got a certificate request" \
2893 -C "skip write certificate" \
2894 -C "skip write certificate verify" \
2895 -S "skip parse certificate verify"
2896
2897run_test "SNI: DTLS, client auth override: none -> optional" \
2898 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
2899 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2900 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
2901 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2902 0 \
2903 -S "skip write certificate request" \
2904 -C "skip parse certificate request" \
2905 -c "got a certificate request" \
2906 -C "skip write certificate" \
2907 -C "skip write certificate verify" \
2908 -S "skip parse certificate verify"
2909
2910run_test "SNI: DTLS, client auth override: optional -> none" \
2911 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2912 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2913 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
2914 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
2915 0 \
2916 -s "skip write certificate request" \
2917 -C "skip parse certificate request" \
2918 -c "got no certificate request" \
2919 -c "skip write certificate" \
2920 -c "skip write certificate verify" \
2921 -s "skip parse certificate verify"
2922
2923run_test "SNI: DTLS, CA no override" \
2924 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2925 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2926 ca_file=data_files/test-ca.crt \
2927 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
2928 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2929 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2930 1 \
2931 -S "skip write certificate request" \
2932 -C "skip parse certificate request" \
2933 -c "got a certificate request" \
2934 -C "skip write certificate" \
2935 -C "skip write certificate verify" \
2936 -S "skip parse certificate verify" \
2937 -s "x509_verify_cert() returned" \
2938 -s "! The certificate is not correctly signed by the trusted CA" \
2939 -S "The certificate has been revoked (is on a CRL)"
2940
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]2941run_test "SNI: DTLS, CA override" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2942 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
2943 crt_file=data_files/server5.crt key_file=data_files/server5.key \
2944 ca_file=data_files/test-ca.crt \
2945 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
2946 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2947 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2948 0 \
2949 -S "skip write certificate request" \
2950 -C "skip parse certificate request" \
2951 -c "got a certificate request" \
2952 -C "skip write certificate" \
2953 -C "skip write certificate verify" \
2954 -S "skip parse certificate verify" \
2955 -S "x509_verify_cert() returned" \
2956 -S "! The certificate is not correctly signed by the trusted CA" \
2957 -S "The certificate has been revoked (is on a CRL)"
2958
Andres Amaya Garcia914eea42018-05-01 20:26:47 +0100[diff] [blame]2959run_test "SNI: DTLS, CA override with CRL" \
Andres AGe8b07742016-12-07 10:01:30 +0000[diff] [blame]2960 "$P_SRV debug_level=3 auth_mode=optional \
2961 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
2962 ca_file=data_files/test-ca.crt \
2963 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
2964 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
2965 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
2966 1 \
2967 -S "skip write certificate request" \
2968 -C "skip parse certificate request" \
2969 -c "got a certificate request" \
2970 -C "skip write certificate" \
2971 -C "skip write certificate verify" \
2972 -S "skip parse certificate verify" \
2973 -s "x509_verify_cert() returned" \
2974 -S "! The certificate is not correctly signed by the trusted CA" \
2975 -s "The certificate has been revoked (is on a CRL)"
2976
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2977# Tests for non-blocking I/O: exercise a variety of handshake flows
2978
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2979run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2980 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
2981 "$P_CLI nbio=2 tickets=0" \
2982 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2983 -S "mbedtls_ssl_handshake returned" \
2984 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2985 -c "Read from server: .* bytes read"
2986
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2987run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2988 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
2989 "$P_CLI nbio=2 tickets=0" \
2990 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2991 -S "mbedtls_ssl_handshake returned" \
2992 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2993 -c "Read from server: .* bytes read"
2994
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2995run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]2996 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
2997 "$P_CLI nbio=2 tickets=1" \
2998 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2999 -S "mbedtls_ssl_handshake returned" \
3000 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3001 -c "Read from server: .* bytes read"
3002
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3003run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3004 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3005 "$P_CLI nbio=2 tickets=1" \
3006 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3007 -S "mbedtls_ssl_handshake returned" \
3008 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3009 -c "Read from server: .* bytes read"
3010
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3011run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3012 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3013 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3014 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3015 -S "mbedtls_ssl_handshake returned" \
3016 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3017 -c "Read from server: .* bytes read"
3018
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3019run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3020 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3021 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3022 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3023 -S "mbedtls_ssl_handshake returned" \
3024 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3025 -c "Read from server: .* bytes read"
3026
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3027run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3028 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3029 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3030 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3031 -S "mbedtls_ssl_handshake returned" \
3032 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]3033 -c "Read from server: .* bytes read"
3034
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3035# Tests for version negotiation
3036
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3037run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3038 "$P_SRV" \
3039 "$P_CLI" \
3040 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3041 -S "mbedtls_ssl_handshake returned" \
3042 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3043 -s "Protocol is TLSv1.2" \
3044 -c "Protocol is TLSv1.2"
3045
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3046run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3047 "$P_SRV" \
3048 "$P_CLI max_version=tls1_1" \
3049 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3050 -S "mbedtls_ssl_handshake returned" \
3051 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3052 -s "Protocol is TLSv1.1" \
3053 -c "Protocol is TLSv1.1"
3054
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3055run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3056 "$P_SRV max_version=tls1_1" \
3057 "$P_CLI" \
3058 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3059 -S "mbedtls_ssl_handshake returned" \
3060 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3061 -s "Protocol is TLSv1.1" \
3062 -c "Protocol is TLSv1.1"
3063
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3064run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3065 "$P_SRV max_version=tls1_1" \
3066 "$P_CLI max_version=tls1_1" \
3067 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3068 -S "mbedtls_ssl_handshake returned" \
3069 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3070 -s "Protocol is TLSv1.1" \
3071 -c "Protocol is TLSv1.1"
3072
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3073run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3074 "$P_SRV min_version=tls1_1" \
3075 "$P_CLI max_version=tls1_1" \
3076 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3077 -S "mbedtls_ssl_handshake returned" \
3078 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3079 -s "Protocol is TLSv1.1" \
3080 -c "Protocol is TLSv1.1"
3081
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3082run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3083 "$P_SRV max_version=tls1_1" \
3084 "$P_CLI min_version=tls1_1" \
3085 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3086 -S "mbedtls_ssl_handshake returned" \
3087 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3088 -s "Protocol is TLSv1.1" \
3089 -c "Protocol is TLSv1.1"
3090
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3091run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3092 "$P_SRV max_version=tls1_1" \
3093 "$P_CLI min_version=tls1_2" \
3094 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3095 -s "mbedtls_ssl_handshake returned" \
3096 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3097 -c "SSL - Handshake protocol not within min/max boundaries"
3098
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3099run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3100 "$P_SRV min_version=tls1_2" \
3101 "$P_CLI max_version=tls1_1" \
3102 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3103 -s "mbedtls_ssl_handshake returned" \
3104 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]3105 -s "SSL - Handshake protocol not within min/max boundaries"
3106
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3107# Tests for ALPN extension
3108
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3109run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3110 "$P_SRV debug_level=3" \
3111 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3112 0 \
3113 -C "client hello, adding alpn extension" \
3114 -S "found alpn extension" \
3115 -C "got an alert message, type: \\[2:120]" \
3116 -S "server hello, adding alpn extension" \
3117 -C "found alpn extension " \
3118 -C "Application Layer Protocol is" \
3119 -S "Application Layer Protocol is"
3120
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3121run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3122 "$P_SRV debug_level=3" \
3123 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3124 0 \
3125 -c "client hello, adding alpn extension" \
3126 -s "found alpn extension" \
3127 -C "got an alert message, type: \\[2:120]" \
3128 -S "server hello, adding alpn extension" \
3129 -C "found alpn extension " \
3130 -c "Application Layer Protocol is (none)" \
3131 -S "Application Layer Protocol is"
3132
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3133run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3134 "$P_SRV debug_level=3 alpn=abc,1234" \
3135 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3136 0 \
3137 -C "client hello, adding alpn extension" \
3138 -S "found alpn extension" \
3139 -C "got an alert message, type: \\[2:120]" \
3140 -S "server hello, adding alpn extension" \
3141 -C "found alpn extension " \
3142 -C "Application Layer Protocol is" \
3143 -s "Application Layer Protocol is (none)"
3144
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3145run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3146 "$P_SRV debug_level=3 alpn=abc,1234" \
3147 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3148 0 \
3149 -c "client hello, adding alpn extension" \
3150 -s "found alpn extension" \
3151 -C "got an alert message, type: \\[2:120]" \
3152 -s "server hello, adding alpn extension" \
3153 -c "found alpn extension" \
3154 -c "Application Layer Protocol is abc" \
3155 -s "Application Layer Protocol is abc"
3156
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3157run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3158 "$P_SRV debug_level=3 alpn=abc,1234" \
3159 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3160 0 \
3161 -c "client hello, adding alpn extension" \
3162 -s "found alpn extension" \
3163 -C "got an alert message, type: \\[2:120]" \
3164 -s "server hello, adding alpn extension" \
3165 -c "found alpn extension" \
3166 -c "Application Layer Protocol is abc" \
3167 -s "Application Layer Protocol is abc"
3168
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3169run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3170 "$P_SRV debug_level=3 alpn=abc,1234" \
3171 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3172 0 \
3173 -c "client hello, adding alpn extension" \
3174 -s "found alpn extension" \
3175 -C "got an alert message, type: \\[2:120]" \
3176 -s "server hello, adding alpn extension" \
3177 -c "found alpn extension" \
3178 -c "Application Layer Protocol is 1234" \
3179 -s "Application Layer Protocol is 1234"
3180
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3181run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3182 "$P_SRV debug_level=3 alpn=abc,123" \
3183 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]3184 1 \
3185 -c "client hello, adding alpn extension" \
3186 -s "found alpn extension" \
3187 -c "got an alert message, type: \\[2:120]" \
3188 -S "server hello, adding alpn extension" \
3189 -C "found alpn extension" \
3190 -C "Application Layer Protocol is 1234" \
3191 -S "Application Layer Protocol is 1234"
3192
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]3193
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3194# Tests for keyUsage in leaf certificates, part 1:
3195# server-side certificate/suite selection
3196
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3197run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3198 "$P_SRV key_file=data_files/server2.key \
3199 crt_file=data_files/server2.ku-ds.crt" \
3200 "$P_CLI" \
3201 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]3202 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3203
3204
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3205run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3206 "$P_SRV key_file=data_files/server2.key \
3207 crt_file=data_files/server2.ku-ke.crt" \
3208 "$P_CLI" \
3209 0 \
3210 -c "Ciphersuite is TLS-RSA-WITH-"
3211
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3212run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3213 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3214 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3215 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3216 1 \
3217 -C "Ciphersuite is "
3218
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3219run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3220 "$P_SRV key_file=data_files/server5.key \
3221 crt_file=data_files/server5.ku-ds.crt" \
3222 "$P_CLI" \
3223 0 \
3224 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3225
3226
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3227run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3228 "$P_SRV key_file=data_files/server5.key \
3229 crt_file=data_files/server5.ku-ka.crt" \
3230 "$P_CLI" \
3231 0 \
3232 -c "Ciphersuite is TLS-ECDH-"
3233
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3234run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3235 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3236 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]3237 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3238 1 \
3239 -C "Ciphersuite is "
3240
3241# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3242# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3243
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3244run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3245 "$O_SRV -key data_files/server2.key \
3246 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3247 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3248 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3249 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3250 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3251 -C "Processing of the Certificate handshake message failed" \
3252 -c "Ciphersuite is TLS-"
3253
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3254run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3255 "$O_SRV -key data_files/server2.key \
3256 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3257 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3258 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3259 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3260 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3261 -C "Processing of the Certificate handshake message failed" \
3262 -c "Ciphersuite is TLS-"
3263
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3264run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3265 "$O_SRV -key data_files/server2.key \
3266 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3267 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3268 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3269 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3270 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3271 -C "Processing of the Certificate handshake message failed" \
3272 -c "Ciphersuite is TLS-"
3273
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3274run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3275 "$O_SRV -key data_files/server2.key \
3276 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3277 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3278 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3279 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3280 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3281 -c "Processing of the Certificate handshake message failed" \
3282 -C "Ciphersuite is TLS-"
3283
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3284run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3285 "$O_SRV -key data_files/server2.key \
3286 -cert data_files/server2.ku-ke.crt" \
3287 "$P_CLI debug_level=1 auth_mode=optional \
3288 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3289 0 \
3290 -c "bad certificate (usage extensions)" \
3291 -C "Processing of the Certificate handshake message failed" \
3292 -c "Ciphersuite is TLS-" \
3293 -c "! Usage does not match the keyUsage extension"
3294
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3295run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3296 "$O_SRV -key data_files/server2.key \
3297 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3298 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3299 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3300 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3301 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3302 -C "Processing of the Certificate handshake message failed" \
3303 -c "Ciphersuite is TLS-"
3304
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3305run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3306 "$O_SRV -key data_files/server2.key \
3307 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3308 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3309 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3310 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3311 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]3312 -c "Processing of the Certificate handshake message failed" \
3313 -C "Ciphersuite is TLS-"
3314
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]3315run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3316 "$O_SRV -key data_files/server2.key \
3317 -cert data_files/server2.ku-ds.crt" \
3318 "$P_CLI debug_level=1 auth_mode=optional \
3319 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3320 0 \
3321 -c "bad certificate (usage extensions)" \
3322 -C "Processing of the Certificate handshake message failed" \
3323 -c "Ciphersuite is TLS-" \
3324 -c "! Usage does not match the keyUsage extension"
3325
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3326# Tests for keyUsage in leaf certificates, part 3:
3327# server-side checking of client cert
3328
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3329run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3330 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3331 "$O_CLI -key data_files/server2.key \
3332 -cert data_files/server2.ku-ds.crt" \
3333 0 \
3334 -S "bad certificate (usage extensions)" \
3335 -S "Processing of the Certificate handshake message failed"
3336
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3337run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3338 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3339 "$O_CLI -key data_files/server2.key \
3340 -cert data_files/server2.ku-ke.crt" \
3341 0 \
3342 -s "bad certificate (usage extensions)" \
3343 -S "Processing of the Certificate handshake message failed"
3344
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3345run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3346 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3347 "$O_CLI -key data_files/server2.key \
3348 -cert data_files/server2.ku-ke.crt" \
3349 1 \
3350 -s "bad certificate (usage extensions)" \
3351 -s "Processing of the Certificate handshake message failed"
3352
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3353run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3354 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3355 "$O_CLI -key data_files/server5.key \
3356 -cert data_files/server5.ku-ds.crt" \
3357 0 \
3358 -S "bad certificate (usage extensions)" \
3359 -S "Processing of the Certificate handshake message failed"
3360
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3361run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3362 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]3363 "$O_CLI -key data_files/server5.key \
3364 -cert data_files/server5.ku-ka.crt" \
3365 0 \
3366 -s "bad certificate (usage extensions)" \
3367 -S "Processing of the Certificate handshake message failed"
3368
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3369# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
3370
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3371run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3372 "$P_SRV key_file=data_files/server5.key \
3373 crt_file=data_files/server5.eku-srv.crt" \
3374 "$P_CLI" \
3375 0
3376
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3377run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3378 "$P_SRV key_file=data_files/server5.key \
3379 crt_file=data_files/server5.eku-srv.crt" \
3380 "$P_CLI" \
3381 0
3382
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3383run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3384 "$P_SRV key_file=data_files/server5.key \
3385 crt_file=data_files/server5.eku-cs_any.crt" \
3386 "$P_CLI" \
3387 0
3388
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3389run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3390 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3391 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]3392 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3393 1
3394
3395# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3396
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3397run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3398 "$O_SRV -key data_files/server5.key \
3399 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3400 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3401 0 \
3402 -C "bad certificate (usage extensions)" \
3403 -C "Processing of the Certificate handshake message failed" \
3404 -c "Ciphersuite is TLS-"
3405
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3406run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3407 "$O_SRV -key data_files/server5.key \
3408 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3409 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3410 0 \
3411 -C "bad certificate (usage extensions)" \
3412 -C "Processing of the Certificate handshake message failed" \
3413 -c "Ciphersuite is TLS-"
3414
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3415run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3416 "$O_SRV -key data_files/server5.key \
3417 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3418 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3419 0 \
3420 -C "bad certificate (usage extensions)" \
3421 -C "Processing of the Certificate handshake message failed" \
3422 -c "Ciphersuite is TLS-"
3423
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3424run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3425 "$O_SRV -key data_files/server5.key \
3426 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3427 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3428 1 \
3429 -c "bad certificate (usage extensions)" \
3430 -c "Processing of the Certificate handshake message failed" \
3431 -C "Ciphersuite is TLS-"
3432
3433# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3434
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3435run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3436 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3437 "$O_CLI -key data_files/server5.key \
3438 -cert data_files/server5.eku-cli.crt" \
3439 0 \
3440 -S "bad certificate (usage extensions)" \
3441 -S "Processing of the Certificate handshake message failed"
3442
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3443run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3444 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3445 "$O_CLI -key data_files/server5.key \
3446 -cert data_files/server5.eku-srv_cli.crt" \
3447 0 \
3448 -S "bad certificate (usage extensions)" \
3449 -S "Processing of the Certificate handshake message failed"
3450
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3451run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3452 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3453 "$O_CLI -key data_files/server5.key \
3454 -cert data_files/server5.eku-cs_any.crt" \
3455 0 \
3456 -S "bad certificate (usage extensions)" \
3457 -S "Processing of the Certificate handshake message failed"
3458
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3459run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3460 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3461 "$O_CLI -key data_files/server5.key \
3462 -cert data_files/server5.eku-cs.crt" \
3463 0 \
3464 -s "bad certificate (usage extensions)" \
3465 -S "Processing of the Certificate handshake message failed"
3466
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3467run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3468 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]3469 "$O_CLI -key data_files/server5.key \
3470 -cert data_files/server5.eku-cs.crt" \
3471 1 \
3472 -s "bad certificate (usage extensions)" \
3473 -s "Processing of the Certificate handshake message failed"
3474
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3475# Tests for DHM parameters loading
3476
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3477run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3478 "$P_SRV" \
3479 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3480 debug_level=3" \
3481 0 \
3482 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]3483 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3484
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3485run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3486 "$P_SRV dhm_file=data_files/dhparams.pem" \
3487 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3488 debug_level=3" \
3489 0 \
3490 -c "value of 'DHM: P ' (1024 bits)" \
3491 -c "value of 'DHM: G ' (2 bits)"
3492
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]3493# Tests for DHM client-side size checking
3494
3495run_test "DHM size: server default, client default, OK" \
3496 "$P_SRV" \
3497 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3498 debug_level=1" \
3499 0 \
3500 -C "DHM prime too short:"
3501
3502run_test "DHM size: server default, client 2048, OK" \
3503 "$P_SRV" \
3504 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3505 debug_level=1 dhmlen=2048" \
3506 0 \
3507 -C "DHM prime too short:"
3508
3509run_test "DHM size: server 1024, client default, OK" \
3510 "$P_SRV dhm_file=data_files/dhparams.pem" \
3511 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3512 debug_level=1" \
3513 0 \
3514 -C "DHM prime too short:"
3515
3516run_test "DHM size: server 1000, client default, rejected" \
3517 "$P_SRV dhm_file=data_files/dh.1000.pem" \
3518 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3519 debug_level=1" \
3520 1 \
3521 -c "DHM prime too short:"
3522
3523run_test "DHM size: server default, client 2049, rejected" \
3524 "$P_SRV" \
3525 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
3526 debug_level=1 dhmlen=2049" \
3527 1 \
3528 -c "DHM prime too short:"
3529
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3530# Tests for PSK callback
3531
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3532run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3533 "$P_SRV psk=abc123 psk_identity=foo" \
3534 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3535 psk_identity=foo psk=abc123" \
3536 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3537 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3538 -S "SSL - Unknown identity received" \
3539 -S "SSL - Verification of the message MAC failed"
3540
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3541run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]3542 "$P_SRV" \
3543 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3544 psk_identity=foo psk=abc123" \
3545 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3546 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3547 -S "SSL - Unknown identity received" \
3548 -S "SSL - Verification of the message MAC failed"
3549
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3550run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3551 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
3552 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3553 psk_identity=foo psk=abc123" \
3554 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3555 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3556 -s "SSL - Unknown identity received" \
3557 -S "SSL - Verification of the message MAC failed"
3558
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3559run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3560 "$P_SRV psk_list=abc,dead,def,beef" \
3561 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3562 psk_identity=abc psk=dead" \
3563 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3564 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3565 -S "SSL - Unknown identity received" \
3566 -S "SSL - Verification of the message MAC failed"
3567
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3568run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3569 "$P_SRV psk_list=abc,dead,def,beef" \
3570 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3571 psk_identity=def psk=beef" \
3572 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3573 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3574 -S "SSL - Unknown identity received" \
3575 -S "SSL - Verification of the message MAC failed"
3576
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3577run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3578 "$P_SRV psk_list=abc,dead,def,beef" \
3579 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3580 psk_identity=ghi psk=beef" \
3581 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3582 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3583 -s "SSL - Unknown identity received" \
3584 -S "SSL - Verification of the message MAC failed"
3585
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3586run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3587 "$P_SRV psk_list=abc,dead,def,beef" \
3588 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
3589 psk_identity=abc psk=beef" \
3590 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]3591 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]3592 -S "SSL - Unknown identity received" \
3593 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]3594
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3595# Tests for EC J-PAKE
3596
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3597requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3598run_test "ECJPAKE: client not configured" \
3599 "$P_SRV debug_level=3" \
3600 "$P_CLI debug_level=3" \
3601 0 \
3602 -C "add ciphersuite: c0ff" \
3603 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3604 -S "found ecjpake kkpp extension" \
3605 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3606 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3607 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3608 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3609 -S "None of the common ciphersuites is usable"
3610
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3611requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3612run_test "ECJPAKE: server not configured" \
3613 "$P_SRV debug_level=3" \
3614 "$P_CLI debug_level=3 ecjpake_pw=bla \
3615 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3616 1 \
3617 -c "add ciphersuite: c0ff" \
3618 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3619 -s "found ecjpake kkpp extension" \
3620 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3621 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3622 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3623 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]3624 -s "None of the common ciphersuites is usable"
3625
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3626requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3627run_test "ECJPAKE: working, TLS" \
3628 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3629 "$P_CLI debug_level=3 ecjpake_pw=bla \
3630 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]3631 0 \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3632 -c "add ciphersuite: c0ff" \
3633 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3634 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3635 -s "found ecjpake kkpp extension" \
3636 -S "skip ecjpake kkpp extension" \
3637 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]3638 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]3639 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3640 -S "None of the common ciphersuites is usable" \
3641 -S "SSL - Verification of the message MAC failed"
3642
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3643server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3644requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3645run_test "ECJPAKE: password mismatch, TLS" \
3646 "$P_SRV debug_level=3 ecjpake_pw=bla" \
3647 "$P_CLI debug_level=3 ecjpake_pw=bad \
3648 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3649 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3650 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3651 -s "SSL - Verification of the message MAC failed"
3652
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3653requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3654run_test "ECJPAKE: working, DTLS" \
3655 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3656 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3657 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3658 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3659 -c "re-using cached ecjpake parameters" \
3660 -S "SSL - Verification of the message MAC failed"
3661
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3662requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3663run_test "ECJPAKE: working, DTLS, no cookie" \
3664 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
3665 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
3666 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3667 0 \
3668 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3669 -S "SSL - Verification of the message MAC failed"
3670
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]3671server_needs_more_time 1
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3672requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3673run_test "ECJPAKE: password mismatch, DTLS" \
3674 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
3675 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
3676 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3677 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]3678 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]3679 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]3680
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3681# for tests with configs/config-thread.h
Manuel Pégourié-Gonnard12ca6f52015-10-20 15:24:51 +0200[diff] [blame]3682requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]3683run_test "ECJPAKE: working, DTLS, nolog" \
3684 "$P_SRV dtls=1 ecjpake_pw=bla" \
3685 "$P_CLI dtls=1 ecjpake_pw=bla \
3686 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
3687 0
3688
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3689# Tests for ciphersuites per version
3690
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3691requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3692run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3693 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3694 "$P_CLI force_version=ssl3" \
3695 0 \
3696 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
3697
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3698run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3699 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]3700 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3701 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3702 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3703
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3704run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3705 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3706 "$P_CLI force_version=tls1_1" \
3707 0 \
3708 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
3709
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3710run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3711 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3712 "$P_CLI force_version=tls1_2" \
3713 0 \
3714 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3715
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3716# Test for ClientHello without extensions
3717
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]3718requires_gnutls
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3719run_test "ClientHello without extensions, SHA-1 allowed" \
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]3720 "$P_SRV debug_level=3" \
3721 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3722 0 \
3723 -s "dumping 'client hello extensions' (0 bytes)"
3724
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]3725requires_gnutls
3726run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
3727 "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
3728 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
3729 0 \
3730 -s "dumping 'client hello extensions' (0 bytes)"
3731
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3732# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3734run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3735 "$P_SRV" \
3736 "$P_CLI request_size=100" \
3737 0 \
3738 -s "Read from client: 100 bytes read$"
3739
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3740run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]3741 "$P_SRV" \
3742 "$P_CLI request_size=500" \
3743 0 \
3744 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]3745
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3746# Tests for small packets
3747
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3748requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3749run_test "Small packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]3750 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3751 "$P_CLI request_size=1 force_version=ssl3 \
3752 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3753 0 \
3754 -s "Read from client: 1 bytes read"
3755
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]3756requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3757run_test "Small packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3758 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3759 "$P_CLI request_size=1 force_version=ssl3 \
3760 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3761 0 \
3762 -s "Read from client: 1 bytes read"
3763
3764run_test "Small packet TLS 1.0 BlockCipher" \
3765 "$P_SRV" \
3766 "$P_CLI request_size=1 force_version=tls1 \
3767 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3768 0 \
3769 -s "Read from client: 1 bytes read"
3770
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3771run_test "Small packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3772 "$P_SRV" \
3773 "$P_CLI request_size=1 force_version=tls1 etm=0 \
3774 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3775 0 \
3776 -s "Read from client: 1 bytes read"
3777
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3778requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3779run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3780 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3781 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3782 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3783 0 \
3784 -s "Read from client: 1 bytes read"
3785
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3786requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3787run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3788 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3789 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3790 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3791 0 \
3792 -s "Read from client: 1 bytes read"
3793
3794run_test "Small packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3795 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3796 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3797 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3798 0 \
3799 -s "Read from client: 1 bytes read"
3800
3801run_test "Small packet TLS 1.0 StreamCipher, without EtM" \
3802 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3803 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3804 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3805 0 \
3806 -s "Read from client: 1 bytes read"
3807
3808requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3809run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3810 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3811 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3812 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3813 0 \
3814 -s "Read from client: 1 bytes read"
3815
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3816requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3817run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3818 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
3819 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
3820 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3821 0 \
3822 -s "Read from client: 1 bytes read"
3823
3824run_test "Small packet TLS 1.1 BlockCipher" \
3825 "$P_SRV" \
3826 "$P_CLI request_size=1 force_version=tls1_1 \
3827 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3828 0 \
3829 -s "Read from client: 1 bytes read"
3830
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3831run_test "Small packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3832 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3833 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3834 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3835 0 \
3836 -s "Read from client: 1 bytes read"
3837
3838requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3839run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3840 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3841 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3842 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3843 0 \
3844 -s "Read from client: 1 bytes read"
3845
3846requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3847run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3848 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3849 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3850 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3851 0 \
3852 -s "Read from client: 1 bytes read"
3853
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3854run_test "Small packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3855 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3856 "$P_CLI request_size=1 force_version=tls1_1 \
3857 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3858 0 \
3859 -s "Read from client: 1 bytes read"
3860
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3861run_test "Small packet TLS 1.1 StreamCipher, without EtM" \
3862 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3863 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3864 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3865 0 \
3866 -s "Read from client: 1 bytes read"
3867
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3868requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3869run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3870 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3871 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3872 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3873 0 \
3874 -s "Read from client: 1 bytes read"
3875
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3876requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3877run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3878 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3879 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3880 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3881 0 \
3882 -s "Read from client: 1 bytes read"
3883
3884run_test "Small packet TLS 1.2 BlockCipher" \
3885 "$P_SRV" \
3886 "$P_CLI request_size=1 force_version=tls1_2 \
3887 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3888 0 \
3889 -s "Read from client: 1 bytes read"
3890
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3891run_test "Small packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3892 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3893 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3894 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]3895 0 \
3896 -s "Read from client: 1 bytes read"
3897
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3898run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
3899 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]3900 "$P_CLI request_size=1 force_version=tls1_2 \
3901 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3902 0 \
3903 -s "Read from client: 1 bytes read"
3904
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3905requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3906run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3907 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3908 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3909 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3910 0 \
3911 -s "Read from client: 1 bytes read"
3912
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3913requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3914run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3915 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3916 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3917 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3918 0 \
3919 -s "Read from client: 1 bytes read"
3920
3921run_test "Small packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3922 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3923 "$P_CLI request_size=1 force_version=tls1_2 \
3924 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
3925 0 \
3926 -s "Read from client: 1 bytes read"
3927
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3928run_test "Small packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]3929 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3930 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3931 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3932 0 \
3933 -s "Read from client: 1 bytes read"
3934
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]3935requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3936run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3937 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3938 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3939 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3940 0 \
3941 -s "Read from client: 1 bytes read"
3942
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3943requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3944run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3945 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]3946 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3947 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]3948 0 \
3949 -s "Read from client: 1 bytes read"
3950
3951run_test "Small packet TLS 1.2 AEAD" \
3952 "$P_SRV" \
3953 "$P_CLI request_size=1 force_version=tls1_2 \
3954 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
3955 0 \
3956 -s "Read from client: 1 bytes read"
3957
3958run_test "Small packet TLS 1.2 AEAD shorter tag" \
3959 "$P_SRV" \
3960 "$P_CLI request_size=1 force_version=tls1_2 \
3961 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
3962 0 \
3963 -s "Read from client: 1 bytes read"
3964
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3965# Tests for small packets in DTLS
3966
3967requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3968run_test "Small packet DTLS 1.0" \
3969 "$P_SRV dtls=1 force_version=dtls1" \
3970 "$P_CLI dtls=1 request_size=1 \
3971 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3972 0 \
3973 -s "Read from client: 1 bytes read"
3974
3975requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3976run_test "Small packet DTLS 1.0, without EtM" \
3977 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
3978 "$P_CLI dtls=1 request_size=1 \
3979 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3980 0 \
3981 -s "Read from client: 1 bytes read"
3982
3983requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3984requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3985run_test "Small packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3986 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
3987 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3988 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
3989 0 \
3990 -s "Read from client: 1 bytes read"
3991
3992requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
3993requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
3994run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3995 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3996 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]3997 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]3998 0 \
3999 -s "Read from client: 1 bytes read"
4000
4001requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4002run_test "Small packet DTLS 1.2" \
4003 "$P_SRV dtls=1 force_version=dtls1_2" \
4004 "$P_CLI dtls=1 request_size=1 \
4005 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4006 0 \
4007 -s "Read from client: 1 bytes read"
4008
4009requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4010run_test "Small packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4011 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4012 "$P_CLI dtls=1 request_size=1 \
4013 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4014 0 \
4015 -s "Read from client: 1 bytes read"
4016
4017requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4018requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4019run_test "Small packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4020 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4021 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4022 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4023 0 \
4024 -s "Read from client: 1 bytes read"
4025
4026requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4027requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4028run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4029 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4030 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4031 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]4032 0 \
4033 -s "Read from client: 1 bytes read"
4034
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]4035# A test for extensions in SSLv3
4036
4037requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4038run_test "SSLv3 with extensions, server side" \
4039 "$P_SRV min_version=ssl3 debug_level=3" \
4040 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
4041 0 \
4042 -S "dumping 'client hello extensions'" \
4043 -S "server hello, total extension length:"
4044
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4045# Test for large packets
4046
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4047requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4048run_test "Large packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4049 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4050 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4051 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4052 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4053 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4054 -s "Read from client: 16384 bytes read"
4055
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4056requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4057run_test "Large packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4058 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4059 "$P_CLI request_size=16384 force_version=ssl3 \
4060 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4061 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4062 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4063 -s "Read from client: 16384 bytes read"
4064
4065run_test "Large packet TLS 1.0 BlockCipher" \
4066 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4067 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4068 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4069 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4070 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4071 -s "Read from client: 16384 bytes read"
4072
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4073run_test "Large packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4074 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4075 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
4076 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4077 0 \
4078 -s "Read from client: 16384 bytes read"
4079
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4080requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4081run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4082 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4083 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4084 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4085 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4086 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4087 -s "Read from client: 16384 bytes read"
4088
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4089requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4090run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4091 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4092 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4093 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4094 0 \
4095 -s "Read from client: 16384 bytes read"
4096
4097run_test "Large packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4098 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4099 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4100 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4101 0 \
4102 -s "Read from client: 16384 bytes read"
4103
4104run_test "Large packet TLS 1.0 StreamCipher, without EtM" \
4105 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4106 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4107 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4108 0 \
4109 -s "Read from client: 16384 bytes read"
4110
4111requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4112run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4113 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4114 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4115 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4116 0 \
4117 -s "Read from client: 16384 bytes read"
4118
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4119requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4120run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4121 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4122 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4123 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4124 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4125 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4126 -s "Read from client: 16384 bytes read"
4127
4128run_test "Large packet TLS 1.1 BlockCipher" \
4129 "$P_SRV" \
4130 "$P_CLI request_size=16384 force_version=tls1_1 \
4131 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4132 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4133 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4134 -s "Read from client: 16384 bytes read"
4135
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4136run_test "Large packet TLS 1.1 BlockCipher, without EtM" \
4137 "$P_SRV" \
4138 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4139 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4140 0 \
4141 -s "Read from client: 16384 bytes read"
4142
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4143requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4144run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4145 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4146 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4147 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4148 0 \
4149 -s "Read from client: 16384 bytes read"
4150
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4151requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4152run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4153 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4154 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4155 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4156 0 \
4157 -s "Read from client: 16384 bytes read"
4158
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4159run_test "Large packet TLS 1.1 StreamCipher" \
4160 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4161 "$P_CLI request_size=16384 force_version=tls1_1 \
4162 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4163 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4164 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4165 -s "Read from client: 16384 bytes read"
4166
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4167run_test "Large packet TLS 1.1 StreamCipher, without EtM" \
4168 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4169 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4170 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4171 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4172 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4173 -s "Read from client: 16384 bytes read"
4174
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4175requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4176run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4177 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4178 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4179 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4180 0 \
4181 -s "Read from client: 16384 bytes read"
4182
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4183requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4184run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4185 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4186 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4187 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4188 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4189 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4190 -s "Read from client: 16384 bytes read"
4191
4192run_test "Large packet TLS 1.2 BlockCipher" \
4193 "$P_SRV" \
4194 "$P_CLI request_size=16384 force_version=tls1_2 \
4195 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4196 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4197 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4198 -s "Read from client: 16384 bytes read"
4199
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4200run_test "Large packet TLS 1.2 BlockCipher, without EtM" \
4201 "$P_SRV" \
4202 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4203 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4204 0 \
4205 -s "Read from client: 16384 bytes read"
4206
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4207run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
4208 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]4209 "$P_CLI request_size=16384 force_version=tls1_2 \
4210 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4211 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4212 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4213 -s "Read from client: 16384 bytes read"
4214
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4215requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4216run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4217 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4218 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4219 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4220 0 \
4221 -s "Read from client: 16384 bytes read"
4222
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4223requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4224run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4225 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4226 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4227 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4228 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4229 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4230 -s "Read from client: 16384 bytes read"
4231
4232run_test "Large packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4233 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4234 "$P_CLI request_size=16384 force_version=tls1_2 \
4235 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4236 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4237 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4238 -s "Read from client: 16384 bytes read"
4239
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4240run_test "Large packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]4241 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4242 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4243 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4244 0 \
4245 -s "Read from client: 16384 bytes read"
4246
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]4247requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4248run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4249 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4250 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4251 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4252 0 \
4253 -s "Read from client: 16384 bytes read"
4254
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4255requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4256run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4257 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]4258 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]4259 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4260 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4261 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4262 -s "Read from client: 16384 bytes read"
4263
4264run_test "Large packet TLS 1.2 AEAD" \
4265 "$P_SRV" \
4266 "$P_CLI request_size=16384 force_version=tls1_2 \
4267 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4268 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4269 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4270 -s "Read from client: 16384 bytes read"
4271
4272run_test "Large packet TLS 1.2 AEAD shorter tag" \
4273 "$P_SRV" \
4274 "$P_CLI request_size=16384 force_version=tls1_2 \
4275 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4276 0 \
Hanno Becker09930d12017-09-18 15:04:19 +0100[diff] [blame]4277 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]4278 -s "Read from client: 16384 bytes read"
4279
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4280# Tests for ECC extensions (rfc 4492)
4281
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4282requires_config_enabled MBEDTLS_AES_C
4283requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4284requires_config_enabled MBEDTLS_SHA256_C
4285requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4286run_test "Force a non ECC ciphersuite in the client side" \
4287 "$P_SRV debug_level=3" \
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4288 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4289 0 \
4290 -C "client hello, adding supported_elliptic_curves extension" \
4291 -C "client hello, adding supported_point_formats extension" \
4292 -S "found supported elliptic curves extension" \
4293 -S "found supported point formats extension"
4294
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4295requires_config_enabled MBEDTLS_AES_C
4296requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4297requires_config_enabled MBEDTLS_SHA256_C
4298requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4299run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4300 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4301 "$P_CLI debug_level=3" \
4302 0 \
4303 -C "found supported_point_formats extension" \
4304 -S "server hello, supported_point_formats extension"
4305
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4306requires_config_enabled MBEDTLS_AES_C
4307requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4308requires_config_enabled MBEDTLS_SHA256_C
4309requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4310run_test "Force an ECC ciphersuite in the client side" \
4311 "$P_SRV debug_level=3" \
4312 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4313 0 \
4314 -c "client hello, adding supported_elliptic_curves extension" \
4315 -c "client hello, adding supported_point_formats extension" \
4316 -s "found supported elliptic curves extension" \
4317 -s "found supported point formats extension"
4318
Ron Eldor94226d82018-06-28 16:17:00 +0300[diff] [blame]4319requires_config_enabled MBEDTLS_AES_C
4320requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
4321requires_config_enabled MBEDTLS_SHA256_C
4322requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldorc7f15232018-06-28 13:22:05 +0300[diff] [blame]4323run_test "Force an ECC ciphersuite in the server side" \
4324 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
4325 "$P_CLI debug_level=3" \
4326 0 \
4327 -c "found supported_point_formats extension" \
4328 -s "server hello, supported_point_formats extension"
4329
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4330# Tests for DTLS HelloVerifyRequest
4331
4332run_test "DTLS cookie: enabled" \
4333 "$P_SRV dtls=1 debug_level=2" \
4334 "$P_CLI dtls=1 debug_level=2" \
4335 0 \
4336 -s "cookie verification failed" \
4337 -s "cookie verification passed" \
4338 -S "cookie verification skipped" \
4339 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4340 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4341 -S "SSL - The requested feature is not available"
4342
4343run_test "DTLS cookie: disabled" \
4344 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4345 "$P_CLI dtls=1 debug_level=2" \
4346 0 \
4347 -S "cookie verification failed" \
4348 -S "cookie verification passed" \
4349 -s "cookie verification skipped" \
4350 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4351 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4352 -S "SSL - The requested feature is not available"
4353
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4354run_test "DTLS cookie: default (failing)" \
4355 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4356 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4357 1 \
4358 -s "cookie verification failed" \
4359 -S "cookie verification passed" \
4360 -S "cookie verification skipped" \
4361 -C "received hello verify request" \
4362 -S "hello verification requested" \
4363 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4364
4365requires_ipv6
4366run_test "DTLS cookie: enabled, IPv6" \
4367 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4368 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
4369 0 \
4370 -s "cookie verification failed" \
4371 -s "cookie verification passed" \
4372 -S "cookie verification skipped" \
4373 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4374 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4375 -S "SSL - The requested feature is not available"
4376
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4377run_test "DTLS cookie: enabled, nbio" \
4378 "$P_SRV dtls=1 nbio=2 debug_level=2" \
4379 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4380 0 \
4381 -s "cookie verification failed" \
4382 -s "cookie verification passed" \
4383 -S "cookie verification skipped" \
4384 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]4385 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]4386 -S "SSL - The requested feature is not available"
4387
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4388# Tests for client reconnecting from the same port with DTLS
4389
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4390not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4391run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4392 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4393 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4394 0 \
4395 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4396 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4397 -S "Client initiated reconnection from same port"
4398
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4399not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4400run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4401 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
4402 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4403 0 \
4404 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4405 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4406 -s "Client initiated reconnection from same port"
4407
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4408not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
4409run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4410 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
4411 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4412 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4413 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]4414 -s "Client initiated reconnection from same port"
4415
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]4416only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
4417run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
4418 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
4419 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
4420 0 \
4421 -S "The operation timed out" \
4422 -s "Client initiated reconnection from same port"
4423
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4424run_test "DTLS client reconnect from same port: no cookies" \
4425 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]4426 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
4427 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]4428 -s "The operation timed out" \
4429 -S "Client initiated reconnection from same port"
4430
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4431# Tests for various cases of client authentication with DTLS
4432# (focused on handshake flows and message parsing)
4433
4434run_test "DTLS client auth: required" \
4435 "$P_SRV dtls=1 auth_mode=required" \
4436 "$P_CLI dtls=1" \
4437 0 \
4438 -s "Verifying peer X.509 certificate... ok"
4439
4440run_test "DTLS client auth: optional, client has no cert" \
4441 "$P_SRV dtls=1 auth_mode=optional" \
4442 "$P_CLI dtls=1 crt_file=none key_file=none" \
4443 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4444 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4445
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4446run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4447 "$P_SRV dtls=1 auth_mode=none" \
4448 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
4449 0 \
4450 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4451 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]4452
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]4453run_test "DTLS wrong PSK: badmac alert" \
4454 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
4455 "$P_CLI dtls=1 psk=abc124" \
4456 1 \
4457 -s "SSL - Verification of the message MAC failed" \
4458 -c "SSL - A fatal alert message was received from our peer"
4459
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]4460# Tests for receiving fragmented handshake messages with DTLS
4461
4462requires_gnutls
4463run_test "DTLS reassembly: no fragmentation (gnutls server)" \
4464 "$G_SRV -u --mtu 2048 -a" \
4465 "$P_CLI dtls=1 debug_level=2" \
4466 0 \
4467 -C "found fragmented DTLS handshake message" \
4468 -C "error"
4469
4470requires_gnutls
4471run_test "DTLS reassembly: some fragmentation (gnutls server)" \
4472 "$G_SRV -u --mtu 512" \
4473 "$P_CLI dtls=1 debug_level=2" \
4474 0 \
4475 -c "found fragmented DTLS handshake message" \
4476 -C "error"
4477
4478requires_gnutls
4479run_test "DTLS reassembly: more fragmentation (gnutls server)" \
4480 "$G_SRV -u --mtu 128" \
4481 "$P_CLI dtls=1 debug_level=2" \
4482 0 \
4483 -c "found fragmented DTLS handshake message" \
4484 -C "error"
4485
4486requires_gnutls
4487run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
4488 "$G_SRV -u --mtu 128" \
4489 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4490 0 \
4491 -c "found fragmented DTLS handshake message" \
4492 -C "error"
4493
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4494requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4495requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4496run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
4497 "$G_SRV -u --mtu 256" \
4498 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
4499 0 \
4500 -c "found fragmented DTLS handshake message" \
4501 -c "client hello, adding renegotiation extension" \
4502 -c "found renegotiation extension" \
4503 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4504 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4505 -C "error" \
4506 -s "Extra-header:"
4507
4508requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4509requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4510run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
4511 "$G_SRV -u --mtu 256" \
4512 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
4513 0 \
4514 -c "found fragmented DTLS handshake message" \
4515 -c "client hello, adding renegotiation extension" \
4516 -c "found renegotiation extension" \
4517 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4518 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]4519 -C "error" \
4520 -s "Extra-header:"
4521
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4522run_test "DTLS reassembly: no fragmentation (openssl server)" \
4523 "$O_SRV -dtls1 -mtu 2048" \
4524 "$P_CLI dtls=1 debug_level=2" \
4525 0 \
4526 -C "found fragmented DTLS handshake message" \
4527 -C "error"
4528
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4529run_test "DTLS reassembly: some fragmentation (openssl server)" \
4530 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4531 "$P_CLI dtls=1 debug_level=2" \
4532 0 \
4533 -c "found fragmented DTLS handshake message" \
4534 -C "error"
4535
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4536run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]4537 "$O_SRV -dtls1 -mtu 256" \
4538 "$P_CLI dtls=1 debug_level=2" \
4539 0 \
4540 -c "found fragmented DTLS handshake message" \
4541 -C "error"
4542
4543run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
4544 "$O_SRV -dtls1 -mtu 256" \
4545 "$P_CLI dtls=1 nbio=2 debug_level=2" \
4546 0 \
4547 -c "found fragmented DTLS handshake message" \
4548 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]4549
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4550# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4551
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4552not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4553run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]4554 -p "$P_PXY" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4555 "$P_SRV dtls=1 debug_level=2" \
4556 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4557 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4558 -C "replayed record" \
4559 -S "replayed record" \
4560 -C "record from another epoch" \
4561 -S "record from another epoch" \
4562 -C "discarding invalid record" \
4563 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4564 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4565 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4566 -c "HTTP/1.0 200 OK"
4567
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4568not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4569run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4570 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4571 "$P_SRV dtls=1 debug_level=2" \
4572 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]4573 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +0200[diff] [blame]4574 -c "replayed record" \
4575 -s "replayed record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4576 -c "discarding invalid record" \
4577 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4578 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4579 -s "Extra-header:" \
4580 -c "HTTP/1.0 200 OK"
4581
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4582run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
4583 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4584 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
4585 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4586 0 \
4587 -c "replayed record" \
4588 -S "replayed record" \
4589 -c "discarding invalid record" \
4590 -s "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]4591 -c "resend" \
4592 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +0200[diff] [blame]4593 -s "Extra-header:" \
4594 -c "HTTP/1.0 200 OK"
4595
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4596run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]4597 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4598 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4599 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4600 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4601 -c "discarding invalid record (mac)" \
4602 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4603 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4604 -c "HTTP/1.0 200 OK" \
4605 -S "too many records with bad MAC" \
4606 -S "Verification of the message MAC failed"
4607
4608run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
4609 -p "$P_PXY bad_ad=1" \
4610 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
4611 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4612 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4613 -C "discarding invalid record (mac)" \
4614 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4615 -S "Extra-header:" \
4616 -C "HTTP/1.0 200 OK" \
4617 -s "too many records with bad MAC" \
4618 -s "Verification of the message MAC failed"
4619
4620run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
4621 -p "$P_PXY bad_ad=1" \
4622 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
4623 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
4624 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4625 -c "discarding invalid record (mac)" \
4626 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4627 -s "Extra-header:" \
4628 -c "HTTP/1.0 200 OK" \
4629 -S "too many records with bad MAC" \
4630 -S "Verification of the message MAC failed"
4631
4632run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
4633 -p "$P_PXY bad_ad=1" \
4634 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
4635 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
4636 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]4637 -c "discarding invalid record (mac)" \
4638 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]4639 -s "Extra-header:" \
4640 -c "HTTP/1.0 200 OK" \
4641 -s "too many records with bad MAC" \
4642 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4643
4644run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4645 -p "$P_PXY delay_ccs=1" \
4646 "$P_SRV dtls=1 debug_level=1" \
4647 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4648 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4649 -c "record from another epoch" \
4650 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4651 -c "discarding invalid record" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]4652 -s "discarding invalid record" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4653 -s "Extra-header:" \
4654 -c "HTTP/1.0 200 OK"
4655
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +0200[diff] [blame]4656# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4657
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4658client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4659run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4660 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4661 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4662 psk=abc123" \
4663 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4664 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4665 0 \
4666 -s "Extra-header:" \
4667 -c "HTTP/1.0 200 OK"
4668
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4669client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4670run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
4671 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4672 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4673 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4674 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
4675 0 \
4676 -s "Extra-header:" \
4677 -c "HTTP/1.0 200 OK"
4678
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4679client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4680run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
4681 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4682 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
4683 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4684 0 \
4685 -s "Extra-header:" \
4686 -c "HTTP/1.0 200 OK"
4687
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4688client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4689run_test "DTLS proxy: 3d, FS, client auth" \
4690 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4691 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
4692 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4693 0 \
4694 -s "Extra-header:" \
4695 -c "HTTP/1.0 200 OK"
4696
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4697client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4698run_test "DTLS proxy: 3d, FS, ticket" \
4699 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4700 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
4701 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4702 0 \
4703 -s "Extra-header:" \
4704 -c "HTTP/1.0 200 OK"
4705
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4706client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]4707run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
4708 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4709 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
4710 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]4711 0 \
4712 -s "Extra-header:" \
4713 -c "HTTP/1.0 200 OK"
4714
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4715client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4716run_test "DTLS proxy: 3d, max handshake, nbio" \
4717 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4718 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
4719 auth_mode=required" \
4720 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4721 0 \
4722 -s "Extra-header:" \
4723 -c "HTTP/1.0 200 OK"
4724
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4725client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]4726run_test "DTLS proxy: 3d, min handshake, resumption" \
4727 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4728 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4729 psk=abc123 debug_level=3" \
4730 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4731 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4732 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4733 0 \
4734 -s "a session has been resumed" \
4735 -c "a session has been resumed" \
4736 -s "Extra-header:" \
4737 -c "HTTP/1.0 200 OK"
4738
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4739client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]4740run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
4741 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4742 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4743 psk=abc123 debug_level=3 nbio=2" \
4744 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4745 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
4746 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
4747 0 \
4748 -s "a session has been resumed" \
4749 -c "a session has been resumed" \
4750 -s "Extra-header:" \
4751 -c "HTTP/1.0 200 OK"
4752
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4753client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4754requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4755run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4756 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4757 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4758 psk=abc123 renegotiation=1 debug_level=2" \
4759 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4760 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]4761 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4762 0 \
4763 -c "=> renegotiate" \
4764 -s "=> renegotiate" \
4765 -s "Extra-header:" \
4766 -c "HTTP/1.0 200 OK"
4767
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4768client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4769requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4770run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
4771 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]4772 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
4773 psk=abc123 renegotiation=1 debug_level=2" \
4774 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
4775 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4776 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4777 0 \
4778 -c "=> renegotiate" \
4779 -s "=> renegotiate" \
4780 -s "Extra-header:" \
4781 -c "HTTP/1.0 200 OK"
4782
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4783client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4784requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4785run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4786 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4787 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4788 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4789 debug_level=2" \
4790 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4791 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4792 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4793 0 \
4794 -c "=> renegotiate" \
4795 -s "=> renegotiate" \
4796 -s "Extra-header:" \
4797 -c "HTTP/1.0 200 OK"
4798
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4799client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4800requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4801run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4802 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4803 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4804 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4805 debug_level=2 nbio=2" \
4806 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]4807 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]4808 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
4809 0 \
4810 -c "=> renegotiate" \
4811 -s "=> renegotiate" \
4812 -s "Extra-header:" \
4813 -c "HTTP/1.0 200 OK"
4814
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4815client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4816not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4817run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4818 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4819 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4820 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4821 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]4822 -c "HTTP/1.0 200 OK"
4823
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4824client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4825not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4826run_test "DTLS proxy: 3d, openssl server, fragmentation" \
4827 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4828 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4829 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4830 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4831 -c "HTTP/1.0 200 OK"
4832
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4833client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4834not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4835run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
4836 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
4837 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard8fe411e2015-03-09 16:09:53 +0000[diff] [blame]4838 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4839 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4840 -c "HTTP/1.0 200 OK"
4841
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4842requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4843client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4844not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4845run_test "DTLS proxy: 3d, gnutls server" \
4846 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4847 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4848 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4849 0 \
4850 -s "Extra-header:" \
4851 -c "Extra-header:"
4852
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4853requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4854client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4855not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4856run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
4857 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4858 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4859 "$P_CLI dtls=1 hs_timeout=250-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]4860 0 \
4861 -s "Extra-header:" \
4862 -c "Extra-header:"
4863
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]4864requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]4865client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]4866not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4867run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
4868 -p "$P_PXY drop=5 delay=5 duplicate=5" \
4869 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardf1384472014-10-14 22:57:46 +0200[diff] [blame]4870 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]4871 0 \
4872 -s "Extra-header:" \
4873 -c "Extra-header:"
4874
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4875# Final report
4876
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4877echo "------------------------------------------------------------------------"
4878
4879if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4880 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4881else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]4882 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4883fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]4884PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]4885echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]4886
4887exit $FAILS