TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7680698d0266e2e6761b4ea2359edf18e0a6c8c6 / . / tests / ssl-opt.sh
blob: 51047129f37bfae17f70a04dc1503b16f4d04884 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
9# Assumes all options are compiled in.
10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]13# test if it is defined from the environment before assining default
14# if yes, assume it means it's a build with all the options we need (SSLv2)
15if [ -n "${OPENSSL_CMD:-}" ]; then
16 OPENSSL_OK=1
17else
18 OPENSSL_OK=0
19fi
20
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]21# default values, can be overriden by the environment
22: ${P_SRV:=../programs/ssl/ssl_server2}
23: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]24: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]25
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]26O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
27O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]28
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]29TESTS=0
30FAILS=0
31
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]32CONFIG_H='../include/polarssl/config.h'
33
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]35FILTER='.*'
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]36if [ "$OPENSSL_OK" -gt 0 ]; then
37 EXCLUDE='^$'
38else
39 EXCLUDE='SSLv2'
40fi
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]41
42print_usage() {
43 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]44 echo -e " -h|--help\tPrint this help."
45 echo -e " -m|--memcheck\tCheck memory leaks and errors."
46 echo -e " -f|--filter\tOnly matching tests are executed (default: '$FILTER')"
47 echo -e " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]48}
49
50get_options() {
51 while [ $# -gt 0 ]; do
52 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]53 -f|--filter)
54 shift; FILTER=$1
55 ;;
56 -e|--exclude)
57 shift; EXCLUDE=$1
58 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]59 -m|--memcheck)
60 MEMCHECK=1
61 ;;
62 -h|--help)
63 print_usage
64 exit 0
65 ;;
66 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]67 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]68 print_usage
69 exit 1
70 ;;
71 esac
72 shift
73 done
74}
75
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]76# print_name <name>
77print_name() {
78 echo -n "$1 "
79 LEN=`echo "$1" | wc -c`
80 LEN=`echo 72 - $LEN | bc`
81 for i in `seq 1 $LEN`; do echo -n '.'; done
82 echo -n ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]83
84 TESTS=`echo $TESTS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]85}
86
87# fail <message>
88fail() {
89 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]90 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]91
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]92 cp $SRV_OUT o-srv-${TESTS}.log
93 cp $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]94 echo " ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]95
96 FAILS=`echo $FAILS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]97}
98
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]99# is_polar <cmd_line>
100is_polar() {
101 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
102}
103
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]104# has_mem_err <log_file_name>
105has_mem_err() {
106 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
107 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
108 then
109 return 1 # false: does not have errors
110 else
111 return 0 # true: has errors
112 fi
113}
114
Manuel Pégourié-Gonnarddb2a6c12014-05-29 12:15:40 +0200[diff] [blame]115# wait for server to be ready
116wait_srv_ready() {
117 if is_polar "$SRV_CMD"; then
118 READY_MSG="Waiting for a remote connection"
119 else
120 READY_MSG="ACCEPT"
121 fi
122
123 # If the server isn't ready after 10 secs, something probably went wrong
124 ( sleep 10; echo "SERVERSTART TIMEOUT"; kill $MAIN_PID ) &
125 WATCHDOG_PID=$!
126
127 while ! grep "$READY_MSG" $SRV_OUT >/dev/null; do
128 # don't use sleep, since the whole goal is to avoid wasting time,
129 # and 1 second is usually way more than the server needs to start
130 true
131 done
132
133 kill $WATCHDOG_PID
134 wait $WATCHDOG_PID
135}
136
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]137# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]138# Options: -s pattern pattern that must be present in server output
139# -c pattern pattern that must be present in client output
140# -S pattern pattern that must be absent in server output
141# -C pattern pattern that must be absent in client output
142run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]143 NAME="$1"
144 SRV_CMD="$2"
145 CLI_CMD="$3"
146 CLI_EXPECT="$4"
147 shift 4
148
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]149 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
150 else
151 return
152 fi
153
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]154 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]155
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]156 # prepend valgrind to our commands if active
157 if [ "$MEMCHECK" -gt 0 ]; then
158 if is_polar "$SRV_CMD"; then
159 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
160 fi
161 if is_polar "$CLI_CMD"; then
162 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
163 fi
164 fi
165
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]166 # run the commands
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]167 echo "$SRV_CMD" > $SRV_OUT
168 $SRV_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]169 SRV_PID=$!
Manuel Pégourié-Gonnarddb2a6c12014-05-29 12:15:40 +0200[diff] [blame]170 wait_srv_ready
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]171 echo "$CLI_CMD" > $CLI_OUT
172 eval "$CLI_CMD" >> $CLI_OUT 2>&1
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]173 CLI_EXIT=$?
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]174 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]175
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]176 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]177 # start watchdog in case SERVERQUIT fails
178 ( sleep 10; echo "SERVERQUIT TIMEOUT"; kill $MAIN_PID ) &
179 WATCHDOG_PID=$!
180
181 # psk is useful when server only has bad certs
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]182 $P_CLI request_page=SERVERQUIT tickets=0 auth_mode=none psk=abc123 \
Manuel Pégourié-Gonnard84fd6872014-03-13 18:35:10 +0100[diff] [blame]183 crt_file=data_files/cli2.crt key_file=data_files/cli2.key \
184 >/dev/null
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]185
186 wait $SRV_PID
187 kill $WATCHDOG_PID
188 wait $WATCHDOG_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]189 else
190 kill $SRV_PID
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]191 wait $SRV_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]192 fi
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]193
194 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]195 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]196 # expected client exit to incorrectly succeed in case of catastrophic
197 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]198 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]199 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]200 else
201 fail "server failed to start"
202 return
203 fi
204 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]205 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]206 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]207 else
208 fail "client failed to start"
209 return
210 fi
211 fi
212
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]213 # check server exit code
214 if [ $? != 0 ]; then
215 fail "server fail"
216 return
217 fi
218
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]219 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]220 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
221 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]222 then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]223 fail "bad client exit code"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]224 return
225 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]226
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]227 # check other assertions
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]228 while [ $# -gt 0 ]
229 do
230 case $1 in
231 "-s")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]232 if grep "$2" $SRV_OUT >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]233 fail "-s $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]234 return
235 fi
236 ;;
237
238 "-c")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]239 if grep "$2" $CLI_OUT >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]240 fail "-c $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]241 return
242 fi
243 ;;
244
245 "-S")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]246 if grep "$2" $SRV_OUT >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]247 fail "-S $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]248 return
249 fi
250 ;;
251
252 "-C")
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]253 if grep "$2" $CLI_OUT >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]254 fail "-C $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]255 return
256 fi
257 ;;
258
259 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]260 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]261 exit 1
262 esac
263 shift 2
264 done
265
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]266 # check valgrind's results
267 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]268 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]269 fail "Server has memory errors"
270 return
271 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]272 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]273 fail "Client has memory errors"
274 return
275 fi
276 fi
277
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]278 # if we're here, everything is ok
279 echo "PASS"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]280 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]281}
282
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]283cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]284 rm -f $CLI_OUT $SRV_OUT $SESSION
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]285 kill $SRV_PID
286 exit 1
287}
288
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]289#
290# MAIN
291#
292
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]293get_options "$@"
294
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]295# sanity checks, avoid an avalanche of errors
296if [ ! -x "$P_SRV" ]; then
297 echo "Command '$P_SRV' is not an executable file"
298 exit 1
299fi
300if [ ! -x "$P_CLI" ]; then
301 echo "Command '$P_CLI' is not an executable file"
302 exit 1
303fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]304if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
305 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]306 exit 1
307fi
308
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]309# used by watchdog
310MAIN_PID="$$"
311
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]312# Pick a "unique" port in the range 10000-19999.
313PORT="0000$$"
314PORT="1$(echo $PORT | tail -c 4)"
315
316# fix commands to use this port
317P_SRV="$P_SRV server_port=$PORT"
318P_CLI="$P_CLI server_port=$PORT"
319O_SRV="$O_SRV -accept $PORT"
320O_CLI="$O_CLI -connect localhost:$PORT"
321
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]322# Also pick a unique name for intermediate files
323SRV_OUT="srv_out.$$"
324CLI_OUT="cli_out.$$"
325SESSION="session.$$"
326
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]327trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]328
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]329# Test for SSLv2 ClientHello
330
331run_test "SSLv2 ClientHello #0 (reference)" \
332 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]333 "$O_CLI -no_ssl2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]334 0 \
335 -S "parse client hello v2" \
336 -S "ssl_handshake returned"
337
338# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
339run_test "SSLv2 ClientHello #1 (actual test)" \
340 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]341 "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]342 0 \
343 -s "parse client hello v2" \
344 -S "ssl_handshake returned"
345
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]346# Tests for Truncated HMAC extension
347
348run_test "Truncated HMAC #0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]349 "$P_SRV debug_level=5" \
350 "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]351 0 \
352 -s "dumping 'computed mac' (20 bytes)"
353
354run_test "Truncated HMAC #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]355 "$P_SRV debug_level=5" \
356 "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]357 0 \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]358 -s "dumping 'computed mac' (10 bytes)"
359
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]360# Tests for Session Tickets
361
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]362run_test "Session resume using tickets #1 (basic)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]363 "$P_SRV debug_level=4 tickets=1" \
364 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]365 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]366 -c "client hello, adding session ticket extension" \
367 -s "found session ticket extension" \
368 -s "server hello, adding session ticket extension" \
369 -c "found session_ticket extension" \
370 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]371 -S "session successfully restored from cache" \
372 -s "session successfully restored from ticket" \
373 -s "a session has been resumed" \
374 -c "a session has been resumed"
375
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]376run_test "Session resume using tickets #2 (cache disabled)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]377 "$P_SRV debug_level=4 tickets=1 cache_max=0" \
378 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]379 0 \
380 -c "client hello, adding session ticket extension" \
381 -s "found session ticket extension" \
382 -s "server hello, adding session ticket extension" \
383 -c "found session_ticket extension" \
384 -c "parse new session ticket" \
385 -S "session successfully restored from cache" \
386 -s "session successfully restored from ticket" \
387 -s "a session has been resumed" \
388 -c "a session has been resumed"
389
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]390run_test "Session resume using tickets #3 (timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]391 "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \
392 "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]393 0 \
394 -c "client hello, adding session ticket extension" \
395 -s "found session ticket extension" \
396 -s "server hello, adding session ticket extension" \
397 -c "found session_ticket extension" \
398 -c "parse new session ticket" \
399 -S "session successfully restored from cache" \
400 -S "session successfully restored from ticket" \
401 -S "a session has been resumed" \
402 -C "a session has been resumed"
403
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]404run_test "Session resume using tickets #4 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]405 "$O_SRV" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]406 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
407 0 \
408 -c "client hello, adding session ticket extension" \
409 -c "found session_ticket extension" \
410 -c "parse new session ticket" \
411 -c "a session has been resumed"
412
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]413run_test "Session resume using tickets #5 (openssl client)" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]414 "$P_SRV debug_level=4 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]415 "( $O_CLI -sess_out $SESSION; \
416 $O_CLI -sess_in $SESSION; \
417 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]418 0 \
419 -s "found session ticket extension" \
420 -s "server hello, adding session ticket extension" \
421 -S "session successfully restored from cache" \
422 -s "session successfully restored from ticket" \
423 -s "a session has been resumed"
424
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]425# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]426
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]427run_test "Session resume using cache #1 (tickets enabled on client)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]428 "$P_SRV debug_level=4 tickets=0" \
429 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]430 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]431 -c "client hello, adding session ticket extension" \
432 -s "found session ticket extension" \
433 -S "server hello, adding session ticket extension" \
434 -C "found session_ticket extension" \
435 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]436 -s "session successfully restored from cache" \
437 -S "session successfully restored from ticket" \
438 -s "a session has been resumed" \
439 -c "a session has been resumed"
440
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]441run_test "Session resume using cache #2 (tickets enabled on server)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]442 "$P_SRV debug_level=4 tickets=1" \
443 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]444 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]445 -C "client hello, adding session ticket extension" \
446 -S "found session ticket extension" \
447 -S "server hello, adding session ticket extension" \
448 -C "found session_ticket extension" \
449 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]450 -s "session successfully restored from cache" \
451 -S "session successfully restored from ticket" \
452 -s "a session has been resumed" \
453 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]454
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]455run_test "Session resume using cache #3 (cache_max=0)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]456 "$P_SRV debug_level=4 tickets=0 cache_max=0" \
457 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]458 0 \
459 -S "session successfully restored from cache" \
460 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]461 -S "a session has been resumed" \
462 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]463
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]464run_test "Session resume using cache #4 (cache_max=1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]465 "$P_SRV debug_level=4 tickets=0 cache_max=1" \
466 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]467 0 \
468 -s "session successfully restored from cache" \
469 -S "session successfully restored from ticket" \
470 -s "a session has been resumed" \
471 -c "a session has been resumed"
472
473run_test "Session resume using cache #5 (timemout > delay)" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]474 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]475 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]476 0 \
477 -s "session successfully restored from cache" \
478 -S "session successfully restored from ticket" \
479 -s "a session has been resumed" \
480 -c "a session has been resumed"
481
482run_test "Session resume using cache #6 (timeout < delay)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]483 "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
484 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]485 0 \
486 -S "session successfully restored from cache" \
487 -S "session successfully restored from ticket" \
488 -S "a session has been resumed" \
489 -C "a session has been resumed"
490
491run_test "Session resume using cache #7 (no timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]492 "$P_SRV debug_level=4 tickets=0 cache_timeout=0" \
493 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]494 0 \
495 -s "session successfully restored from cache" \
496 -S "session successfully restored from ticket" \
497 -s "a session has been resumed" \
498 -c "a session has been resumed"
499
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]500run_test "Session resume using cache #8 (openssl client)" \
501 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]502 "( $O_CLI -sess_out $SESSION; \
503 $O_CLI -sess_in $SESSION; \
504 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]505 0 \
506 -s "found session ticket extension" \
507 -S "server hello, adding session ticket extension" \
508 -s "session successfully restored from cache" \
509 -S "session successfully restored from ticket" \
510 -s "a session has been resumed"
511
512run_test "Session resume using cache #9 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]513 "$O_SRV" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]514 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
515 0 \
516 -C "found session_ticket extension" \
517 -C "parse new session ticket" \
518 -c "a session has been resumed"
519
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]520# Tests for Max Fragment Length extension
521
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]522run_test "Max fragment length #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]523 "$P_SRV debug_level=4" \
524 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]525 0 \
526 -C "client hello, adding max_fragment_length extension" \
527 -S "found max fragment length extension" \
528 -S "server hello, max_fragment_length extension" \
529 -C "found max_fragment_length extension"
530
531run_test "Max fragment length #2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]532 "$P_SRV debug_level=4" \
533 "$P_CLI debug_level=4 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]534 0 \
535 -c "client hello, adding max_fragment_length extension" \
536 -s "found max fragment length extension" \
537 -s "server hello, max_fragment_length extension" \
538 -c "found max_fragment_length extension"
539
540run_test "Max fragment length #3" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]541 "$P_SRV debug_level=4 max_frag_len=4096" \
542 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]543 0 \
544 -C "client hello, adding max_fragment_length extension" \
545 -S "found max fragment length extension" \
546 -S "server hello, max_fragment_length extension" \
547 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]548
549# Tests for renegotiation
550
551run_test "Renegotiation #0 (none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]552 "$P_SRV debug_level=4" \
553 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]554 0 \
555 -C "client hello, adding renegotiation extension" \
556 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
557 -S "found renegotiation extension" \
558 -s "server hello, secure renegotiation extension" \
559 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]560 -C "=> renegotiate" \
561 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]562 -S "write hello request"
563
564run_test "Renegotiation #1 (enabled, client-initiated)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]565 "$P_SRV debug_level=4 renegotiation=1" \
566 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]567 0 \
568 -c "client hello, adding renegotiation extension" \
569 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
570 -s "found renegotiation extension" \
571 -s "server hello, secure renegotiation extension" \
572 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]573 -c "=> renegotiate" \
574 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]575 -S "write hello request"
576
577run_test "Renegotiation #2 (enabled, server-initiated)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]578 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
579 "$P_CLI debug_level=4 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]580 0 \
581 -c "client hello, adding renegotiation extension" \
582 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
583 -s "found renegotiation extension" \
584 -s "server hello, secure renegotiation extension" \
585 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]586 -c "=> renegotiate" \
587 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]588 -s "write hello request"
589
590run_test "Renegotiation #3 (enabled, double)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]591 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
592 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]593 0 \
594 -c "client hello, adding renegotiation extension" \
595 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
596 -s "found renegotiation extension" \
597 -s "server hello, secure renegotiation extension" \
598 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]599 -c "=> renegotiate" \
600 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]601 -s "write hello request"
602
603run_test "Renegotiation #4 (client-initiated, server-rejected)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]604 "$P_SRV debug_level=4 renegotiation=0" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]605 "$P_CLI debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]606 1 \
607 -c "client hello, adding renegotiation extension" \
608 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
609 -S "found renegotiation extension" \
610 -s "server hello, secure renegotiation extension" \
611 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]612 -c "=> renegotiate" \
613 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]614 -S "write hello request"
615
616run_test "Renegotiation #5 (server-initiated, client-rejected)" \
Manuel Pégourié-Gonnard00d538f2014-03-31 10:44:40 +0200[diff] [blame]617 "$P_SRV debug_level=4 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]618 "$P_CLI debug_level=4 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]619 0 \
620 -C "client hello, adding renegotiation extension" \
621 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
622 -S "found renegotiation extension" \
623 -s "server hello, secure renegotiation extension" \
624 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]625 -C "=> renegotiate" \
626 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]627 -s "write hello request" \
628 -s "SSL - An unexpected message was received from our peer" \
629 -s "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]630
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]631# Tests for auth_mode
632
633run_test "Authentication #1 (server badcert, client required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]634 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]635 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]636 "$P_CLI debug_level=2 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]637 1 \
638 -c "x509_verify_cert() returned" \
639 -c "! self-signed or not signed by a trusted CA" \
640 -c "! ssl_handshake returned" \
641 -c "X509 - Certificate verification failed"
642
643run_test "Authentication #2 (server badcert, client optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]644 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]645 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]646 "$P_CLI debug_level=2 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]647 0 \
648 -c "x509_verify_cert() returned" \
649 -c "! self-signed or not signed by a trusted CA" \
650 -C "! ssl_handshake returned" \
651 -C "X509 - Certificate verification failed"
652
653run_test "Authentication #3 (server badcert, client none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]654 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]655 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]656 "$P_CLI debug_level=2 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]657 0 \
658 -C "x509_verify_cert() returned" \
659 -C "! self-signed or not signed by a trusted CA" \
660 -C "! ssl_handshake returned" \
661 -C "X509 - Certificate verification failed"
662
663run_test "Authentication #4 (client badcert, server required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]664 "$P_SRV debug_level=4 auth_mode=required" \
665 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]666 key_file=data_files/server5.key" \
667 1 \
668 -S "skip write certificate request" \
669 -C "skip parse certificate request" \
670 -c "got a certificate request" \
671 -C "skip write certificate" \
672 -C "skip write certificate verify" \
673 -S "skip parse certificate verify" \
674 -s "x509_verify_cert() returned" \
675 -S "! self-signed or not signed by a trusted CA" \
676 -s "! ssl_handshake returned" \
677 -c "! ssl_handshake returned" \
678 -s "X509 - Certificate verification failed"
679
680run_test "Authentication #5 (client badcert, server optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]681 "$P_SRV debug_level=4 auth_mode=optional" \
682 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]683 key_file=data_files/server5.key" \
684 0 \
685 -S "skip write certificate request" \
686 -C "skip parse certificate request" \
687 -c "got a certificate request" \
688 -C "skip write certificate" \
689 -C "skip write certificate verify" \
690 -S "skip parse certificate verify" \
691 -s "x509_verify_cert() returned" \
692 -s "! self-signed or not signed by a trusted CA" \
693 -S "! ssl_handshake returned" \
694 -C "! ssl_handshake returned" \
695 -S "X509 - Certificate verification failed"
696
697run_test "Authentication #6 (client badcert, server none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]698 "$P_SRV debug_level=4 auth_mode=none" \
699 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]700 key_file=data_files/server5.key" \
701 0 \
702 -s "skip write certificate request" \
703 -C "skip parse certificate request" \
704 -c "got no certificate request" \
705 -c "skip write certificate" \
706 -c "skip write certificate verify" \
707 -s "skip parse certificate verify" \
708 -S "x509_verify_cert() returned" \
709 -S "! self-signed or not signed by a trusted CA" \
710 -S "! ssl_handshake returned" \
711 -C "! ssl_handshake returned" \
712 -S "X509 - Certificate verification failed"
713
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]714run_test "Authentication #7 (client no cert, server optional)" \
715 "$P_SRV debug_level=4 auth_mode=optional" \
716 "$P_CLI debug_level=4 crt_file=none key_file=none" \
717 0 \
718 -S "skip write certificate request" \
719 -C "skip parse certificate request" \
720 -c "got a certificate request" \
721 -C "skip write certificate$" \
722 -C "got no certificate to send" \
723 -S "SSLv3 client has no certificate" \
724 -c "skip write certificate verify" \
725 -s "skip parse certificate verify" \
726 -s "! no client certificate sent" \
727 -S "! ssl_handshake returned" \
728 -C "! ssl_handshake returned" \
729 -S "X509 - Certificate verification failed"
730
731run_test "Authentication #8 (openssl client no cert, server optional)" \
732 "$P_SRV debug_level=4 auth_mode=optional" \
733 "$O_CLI" \
734 0 \
735 -S "skip write certificate request" \
736 -s "skip parse certificate verify" \
737 -s "! no client certificate sent" \
738 -S "! ssl_handshake returned" \
739 -S "X509 - Certificate verification failed"
740
741run_test "Authentication #9 (client no cert, openssl server optional)" \
742 "$O_SRV -verify 10" \
743 "$P_CLI debug_level=4 crt_file=none key_file=none" \
744 0 \
745 -C "skip parse certificate request" \
746 -c "got a certificate request" \
747 -C "skip write certificate$" \
748 -c "skip write certificate verify" \
749 -C "! ssl_handshake returned"
750
751run_test "Authentication #10 (client no cert, ssl3)" \
752 "$P_SRV debug_level=4 auth_mode=optional force_version=ssl3" \
753 "$P_CLI debug_level=4 crt_file=none key_file=none" \
754 0 \
755 -S "skip write certificate request" \
756 -C "skip parse certificate request" \
757 -c "got a certificate request" \
758 -C "skip write certificate$" \
759 -c "skip write certificate verify" \
760 -c "got no certificate to send" \
761 -s "SSLv3 client has no certificate" \
762 -s "skip parse certificate verify" \
763 -s "! no client certificate sent" \
764 -S "! ssl_handshake returned" \
765 -C "! ssl_handshake returned" \
766 -S "X509 - Certificate verification failed"
767
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]768# tests for SNI
769
770run_test "SNI #0 (no SNI callback)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]771 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]772 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]773 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]774 server_name=localhost" \
775 0 \
776 -S "parse ServerName extension" \
777 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
778 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
779
780run_test "SNI #1 (matching cert 1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]781 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]782 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]783 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]784 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]785 server_name=localhost" \
786 0 \
787 -s "parse ServerName extension" \
788 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
789 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
790
791run_test "SNI #2 (matching cert 2)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]792 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]793 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]794 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]795 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]796 server_name=polarssl.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]797 0 \
798 -s "parse ServerName extension" \
799 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]800 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]801
802run_test "SNI #3 (no matching cert)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]803 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]804 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]805 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]806 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]807 server_name=nonesuch.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]808 1 \
809 -s "parse ServerName extension" \
810 -s "ssl_sni_wrapper() returned" \
811 -s "ssl_handshake returned" \
812 -c "ssl_handshake returned" \
813 -c "SSL - A fatal alert message was received from our peer"
814
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]815# Tests for non-blocking I/O: exercise a variety of handshake flows
816
817run_test "Non-blocking I/O #1 (basic handshake)" \
818 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
819 "$P_CLI nbio=2 tickets=0" \
820 0 \
821 -S "ssl_handshake returned" \
822 -C "ssl_handshake returned" \
823 -c "Read from server: .* bytes read"
824
825run_test "Non-blocking I/O #2 (client auth)" \
826 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
827 "$P_CLI nbio=2 tickets=0" \
828 0 \
829 -S "ssl_handshake returned" \
830 -C "ssl_handshake returned" \
831 -c "Read from server: .* bytes read"
832
833run_test "Non-blocking I/O #3 (ticket)" \
834 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
835 "$P_CLI nbio=2 tickets=1" \
836 0 \
837 -S "ssl_handshake returned" \
838 -C "ssl_handshake returned" \
839 -c "Read from server: .* bytes read"
840
841run_test "Non-blocking I/O #4 (ticket + client auth)" \
842 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
843 "$P_CLI nbio=2 tickets=1" \
844 0 \
845 -S "ssl_handshake returned" \
846 -C "ssl_handshake returned" \
847 -c "Read from server: .* bytes read"
848
849run_test "Non-blocking I/O #5 (ticket + client auth + resume)" \
850 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
851 "$P_CLI nbio=2 tickets=1 reconnect=1" \
852 0 \
853 -S "ssl_handshake returned" \
854 -C "ssl_handshake returned" \
855 -c "Read from server: .* bytes read"
856
857run_test "Non-blocking I/O #6 (ticket + resume)" \
858 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
859 "$P_CLI nbio=2 tickets=1 reconnect=1" \
860 0 \
861 -S "ssl_handshake returned" \
862 -C "ssl_handshake returned" \
863 -c "Read from server: .* bytes read"
864
865run_test "Non-blocking I/O #7 (session-id resume)" \
866 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
867 "$P_CLI nbio=2 tickets=0 reconnect=1" \
868 0 \
869 -S "ssl_handshake returned" \
870 -C "ssl_handshake returned" \
871 -c "Read from server: .* bytes read"
872
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]873# Tests for version negotiation
874
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]875run_test "Version check #1 (all -> 1.2)" \
876 "$P_SRV" \
877 "$P_CLI" \
878 0 \
879 -S "ssl_handshake returned" \
880 -C "ssl_handshake returned" \
881 -s "Protocol is TLSv1.2" \
882 -c "Protocol is TLSv1.2"
883
884run_test "Version check #2 (cli max 1.1 -> 1.1)" \
885 "$P_SRV" \
886 "$P_CLI max_version=tls1_1" \
887 0 \
888 -S "ssl_handshake returned" \
889 -C "ssl_handshake returned" \
890 -s "Protocol is TLSv1.1" \
891 -c "Protocol is TLSv1.1"
892
893run_test "Version check #3 (srv max 1.1 -> 1.1)" \
894 "$P_SRV max_version=tls1_1" \
895 "$P_CLI" \
896 0 \
897 -S "ssl_handshake returned" \
898 -C "ssl_handshake returned" \
899 -s "Protocol is TLSv1.1" \
900 -c "Protocol is TLSv1.1"
901
902run_test "Version check #4 (cli+srv max 1.1 -> 1.1)" \
903 "$P_SRV max_version=tls1_1" \
904 "$P_CLI max_version=tls1_1" \
905 0 \
906 -S "ssl_handshake returned" \
907 -C "ssl_handshake returned" \
908 -s "Protocol is TLSv1.1" \
909 -c "Protocol is TLSv1.1"
910
911run_test "Version check #5 (cli max 1.1, srv min 1.1 -> 1.1)" \
912 "$P_SRV min_version=tls1_1" \
913 "$P_CLI max_version=tls1_1" \
914 0 \
915 -S "ssl_handshake returned" \
916 -C "ssl_handshake returned" \
917 -s "Protocol is TLSv1.1" \
918 -c "Protocol is TLSv1.1"
919
920run_test "Version check #6 (cli min 1.1, srv max 1.1 -> 1.1)" \
921 "$P_SRV max_version=tls1_1" \
922 "$P_CLI min_version=tls1_1" \
923 0 \
924 -S "ssl_handshake returned" \
925 -C "ssl_handshake returned" \
926 -s "Protocol is TLSv1.1" \
927 -c "Protocol is TLSv1.1"
928
929run_test "Version check #7 (cli min 1.2, srv max 1.1 -> fail)" \
930 "$P_SRV max_version=tls1_1" \
931 "$P_CLI min_version=tls1_2" \
932 1 \
933 -s "ssl_handshake returned" \
934 -c "ssl_handshake returned" \
935 -c "SSL - Handshake protocol not within min/max boundaries"
936
937run_test "Version check #8 (srv min 1.2, cli max 1.1 -> fail)" \
938 "$P_SRV min_version=tls1_2" \
939 "$P_CLI max_version=tls1_1" \
940 1 \
941 -s "ssl_handshake returned" \
942 -c "ssl_handshake returned" \
943 -s "SSL - Handshake protocol not within min/max boundaries"
944
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]945# Tests for ALPN extension
946
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]947if grep '^#define POLARSSL_SSL_ALPN' $CONFIG_H >/dev/null; then
948
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]949run_test "ALPN #0 (none)" \
950 "$P_SRV debug_level=4" \
951 "$P_CLI debug_level=4" \
952 0 \
953 -C "client hello, adding alpn extension" \
954 -S "found alpn extension" \
955 -C "got an alert message, type: \\[2:120]" \
956 -S "server hello, adding alpn extension" \
957 -C "found alpn extension " \
958 -C "Application Layer Protocol is" \
959 -S "Application Layer Protocol is"
960
961run_test "ALPN #1 (client only)" \
962 "$P_SRV debug_level=4" \
963 "$P_CLI debug_level=4 alpn=abc,1234" \
964 0 \
965 -c "client hello, adding alpn extension" \
966 -s "found alpn extension" \
967 -C "got an alert message, type: \\[2:120]" \
968 -S "server hello, adding alpn extension" \
969 -C "found alpn extension " \
970 -c "Application Layer Protocol is (none)" \
971 -S "Application Layer Protocol is"
972
973run_test "ALPN #2 (server only)" \
974 "$P_SRV debug_level=4 alpn=abc,1234" \
975 "$P_CLI debug_level=4" \
976 0 \
977 -C "client hello, adding alpn extension" \
978 -S "found alpn extension" \
979 -C "got an alert message, type: \\[2:120]" \
980 -S "server hello, adding alpn extension" \
981 -C "found alpn extension " \
982 -C "Application Layer Protocol is" \
983 -s "Application Layer Protocol is (none)"
984
985run_test "ALPN #3 (both, common cli1-srv1)" \
986 "$P_SRV debug_level=4 alpn=abc,1234" \
987 "$P_CLI debug_level=4 alpn=abc,1234" \
988 0 \
989 -c "client hello, adding alpn extension" \
990 -s "found alpn extension" \
991 -C "got an alert message, type: \\[2:120]" \
992 -s "server hello, adding alpn extension" \
993 -c "found alpn extension" \
994 -c "Application Layer Protocol is abc" \
995 -s "Application Layer Protocol is abc"
996
997run_test "ALPN #4 (both, common cli2-srv1)" \
998 "$P_SRV debug_level=4 alpn=abc,1234" \
999 "$P_CLI debug_level=4 alpn=1234,abc" \
1000 0 \
1001 -c "client hello, adding alpn extension" \
1002 -s "found alpn extension" \
1003 -C "got an alert message, type: \\[2:120]" \
1004 -s "server hello, adding alpn extension" \
1005 -c "found alpn extension" \
1006 -c "Application Layer Protocol is abc" \
1007 -s "Application Layer Protocol is abc"
1008
1009run_test "ALPN #5 (both, common cli1-srv2)" \
1010 "$P_SRV debug_level=4 alpn=abc,1234" \
1011 "$P_CLI debug_level=4 alpn=1234,abcde" \
1012 0 \
1013 -c "client hello, adding alpn extension" \
1014 -s "found alpn extension" \
1015 -C "got an alert message, type: \\[2:120]" \
1016 -s "server hello, adding alpn extension" \
1017 -c "found alpn extension" \
1018 -c "Application Layer Protocol is 1234" \
1019 -s "Application Layer Protocol is 1234"
1020
1021run_test "ALPN #6 (both, no common)" \
1022 "$P_SRV debug_level=4 alpn=abc,123" \
1023 "$P_CLI debug_level=4 alpn=1234,abcde" \
1024 1 \
1025 -c "client hello, adding alpn extension" \
1026 -s "found alpn extension" \
1027 -c "got an alert message, type: \\[2:120]" \
1028 -S "server hello, adding alpn extension" \
1029 -C "found alpn extension" \
1030 -C "Application Layer Protocol is 1234" \
1031 -S "Application Layer Protocol is 1234"
1032
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1033fi
1034
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1035# Tests for keyUsage in leaf certificates, part 1:
1036# server-side certificate/suite selection
1037
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1038run_test "keyUsage srv #1 (RSA, digitalSignature -> (EC)DHE-RSA)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1039 "$P_SRV key_file=data_files/server2.key \
1040 crt_file=data_files/server2.ku-ds.crt" \
1041 "$P_CLI" \
1042 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1043 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1044
1045
1046run_test "keyUsage srv #2 (RSA, keyEncipherment -> RSA)" \
1047 "$P_SRV key_file=data_files/server2.key \
1048 crt_file=data_files/server2.ku-ke.crt" \
1049 "$P_CLI" \
1050 0 \
1051 -c "Ciphersuite is TLS-RSA-WITH-"
1052
1053# add psk to leave an option for client to send SERVERQUIT
1054run_test "keyUsage srv #3 (RSA, keyAgreement -> fail)" \
1055 "$P_SRV psk=abc123 key_file=data_files/server2.key \
1056 crt_file=data_files/server2.ku-ka.crt" \
1057 "$P_CLI psk=badbad" \
1058 1 \
1059 -C "Ciphersuite is "
1060
1061run_test "keyUsage srv #4 (ECDSA, digitalSignature -> ECDHE-ECDSA)" \
1062 "$P_SRV key_file=data_files/server5.key \
1063 crt_file=data_files/server5.ku-ds.crt" \
1064 "$P_CLI" \
1065 0 \
1066 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
1067
1068
1069run_test "keyUsage srv #5 (ECDSA, keyAgreement -> ECDH-)" \
1070 "$P_SRV key_file=data_files/server5.key \
1071 crt_file=data_files/server5.ku-ka.crt" \
1072 "$P_CLI" \
1073 0 \
1074 -c "Ciphersuite is TLS-ECDH-"
1075
1076# add psk to leave an option for client to send SERVERQUIT
1077run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
1078 "$P_SRV psk=abc123 key_file=data_files/server5.key \
1079 crt_file=data_files/server5.ku-ke.crt" \
1080 "$P_CLI psk=badbad" \
1081 1 \
1082 -C "Ciphersuite is "
1083
1084# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1085# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1086
1087run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
1088 "$O_SRV -key data_files/server2.key \
1089 -cert data_files/server2.ku-ds_ke.crt" \
1090 "$P_CLI debug_level=2 \
1091 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1092 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1093 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1094 -C "Processing of the Certificate handshake message failed" \
1095 -c "Ciphersuite is TLS-"
1096
1097run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
1098 "$O_SRV -key data_files/server2.key \
1099 -cert data_files/server2.ku-ds_ke.crt" \
1100 "$P_CLI debug_level=2 \
1101 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1102 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1103 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1104 -C "Processing of the Certificate handshake message failed" \
1105 -c "Ciphersuite is TLS-"
1106
1107run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
1108 "$O_SRV -key data_files/server2.key \
1109 -cert data_files/server2.ku-ke.crt" \
1110 "$P_CLI debug_level=2 \
1111 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1112 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1113 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1114 -C "Processing of the Certificate handshake message failed" \
1115 -c "Ciphersuite is TLS-"
1116
1117run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
1118 "$O_SRV -key data_files/server2.key \
1119 -cert data_files/server2.ku-ke.crt" \
1120 "$P_CLI debug_level=2 \
1121 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1122 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1123 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1124 -c "Processing of the Certificate handshake message failed" \
1125 -C "Ciphersuite is TLS-"
1126
1127run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
1128 "$O_SRV -key data_files/server2.key \
1129 -cert data_files/server2.ku-ds.crt" \
1130 "$P_CLI debug_level=2 \
1131 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1132 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1133 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1134 -C "Processing of the Certificate handshake message failed" \
1135 -c "Ciphersuite is TLS-"
1136
1137run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
1138 "$O_SRV -key data_files/server2.key \
1139 -cert data_files/server2.ku-ds.crt" \
1140 "$P_CLI debug_level=2 \
1141 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1142 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1143 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1144 -c "Processing of the Certificate handshake message failed" \
1145 -C "Ciphersuite is TLS-"
1146
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1147# Tests for keyUsage in leaf certificates, part 3:
1148# server-side checking of client cert
1149
1150run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
1151 "$P_SRV debug_level=2 auth_mode=optional" \
1152 "$O_CLI -key data_files/server2.key \
1153 -cert data_files/server2.ku-ds.crt" \
1154 0 \
1155 -S "bad certificate (usage extensions)" \
1156 -S "Processing of the Certificate handshake message failed"
1157
1158run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
1159 "$P_SRV debug_level=2 auth_mode=optional" \
1160 "$O_CLI -key data_files/server2.key \
1161 -cert data_files/server2.ku-ke.crt" \
1162 0 \
1163 -s "bad certificate (usage extensions)" \
1164 -S "Processing of the Certificate handshake message failed"
1165
1166run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
1167 "$P_SRV debug_level=2 auth_mode=required" \
1168 "$O_CLI -key data_files/server2.key \
1169 -cert data_files/server2.ku-ke.crt" \
1170 1 \
1171 -s "bad certificate (usage extensions)" \
1172 -s "Processing of the Certificate handshake message failed"
1173
1174run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
1175 "$P_SRV debug_level=2 auth_mode=optional" \
1176 "$O_CLI -key data_files/server5.key \
1177 -cert data_files/server5.ku-ds.crt" \
1178 0 \
1179 -S "bad certificate (usage extensions)" \
1180 -S "Processing of the Certificate handshake message failed"
1181
1182run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
1183 "$P_SRV debug_level=2 auth_mode=optional" \
1184 "$O_CLI -key data_files/server5.key \
1185 -cert data_files/server5.ku-ka.crt" \
1186 0 \
1187 -s "bad certificate (usage extensions)" \
1188 -S "Processing of the Certificate handshake message failed"
1189
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]1190# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
1191
1192run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
1193 "$P_SRV key_file=data_files/server5.key \
1194 crt_file=data_files/server5.eku-srv.crt" \
1195 "$P_CLI" \
1196 0
1197
1198run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
1199 "$P_SRV key_file=data_files/server5.key \
1200 crt_file=data_files/server5.eku-srv.crt" \
1201 "$P_CLI" \
1202 0
1203
1204run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
1205 "$P_SRV key_file=data_files/server5.key \
1206 crt_file=data_files/server5.eku-cs_any.crt" \
1207 "$P_CLI" \
1208 0
1209
1210# add psk to leave an option for client to send SERVERQUIT
1211run_test "extKeyUsage srv #4 (codeSign -> fail)" \
1212 "$P_SRV psk=abc123 key_file=data_files/server5.key \
1213 crt_file=data_files/server5.eku-cli.crt" \
1214 "$P_CLI psk=badbad" \
1215 1
1216
1217# Tests for extendedKeyUsage, part 2: client-side checking of server cert
1218
1219run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
1220 "$O_SRV -key data_files/server5.key \
1221 -cert data_files/server5.eku-srv.crt" \
1222 "$P_CLI debug_level=2" \
1223 0 \
1224 -C "bad certificate (usage extensions)" \
1225 -C "Processing of the Certificate handshake message failed" \
1226 -c "Ciphersuite is TLS-"
1227
1228run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
1229 "$O_SRV -key data_files/server5.key \
1230 -cert data_files/server5.eku-srv_cli.crt" \
1231 "$P_CLI debug_level=2" \
1232 0 \
1233 -C "bad certificate (usage extensions)" \
1234 -C "Processing of the Certificate handshake message failed" \
1235 -c "Ciphersuite is TLS-"
1236
1237run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
1238 "$O_SRV -key data_files/server5.key \
1239 -cert data_files/server5.eku-cs_any.crt" \
1240 "$P_CLI debug_level=2" \
1241 0 \
1242 -C "bad certificate (usage extensions)" \
1243 -C "Processing of the Certificate handshake message failed" \
1244 -c "Ciphersuite is TLS-"
1245
1246run_test "extKeyUsage cli #4 (codeSign -> fail)" \
1247 "$O_SRV -key data_files/server5.key \
1248 -cert data_files/server5.eku-cs.crt" \
1249 "$P_CLI debug_level=2" \
1250 1 \
1251 -c "bad certificate (usage extensions)" \
1252 -c "Processing of the Certificate handshake message failed" \
1253 -C "Ciphersuite is TLS-"
1254
1255# Tests for extendedKeyUsage, part 3: server-side checking of client cert
1256
1257run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
1258 "$P_SRV debug_level=2 auth_mode=optional" \
1259 "$O_CLI -key data_files/server5.key \
1260 -cert data_files/server5.eku-cli.crt" \
1261 0 \
1262 -S "bad certificate (usage extensions)" \
1263 -S "Processing of the Certificate handshake message failed"
1264
1265run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
1266 "$P_SRV debug_level=2 auth_mode=optional" \
1267 "$O_CLI -key data_files/server5.key \
1268 -cert data_files/server5.eku-srv_cli.crt" \
1269 0 \
1270 -S "bad certificate (usage extensions)" \
1271 -S "Processing of the Certificate handshake message failed"
1272
1273run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
1274 "$P_SRV debug_level=2 auth_mode=optional" \
1275 "$O_CLI -key data_files/server5.key \
1276 -cert data_files/server5.eku-cs_any.crt" \
1277 0 \
1278 -S "bad certificate (usage extensions)" \
1279 -S "Processing of the Certificate handshake message failed"
1280
1281run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
1282 "$P_SRV debug_level=2 auth_mode=optional" \
1283 "$O_CLI -key data_files/server5.key \
1284 -cert data_files/server5.eku-cs.crt" \
1285 0 \
1286 -s "bad certificate (usage extensions)" \
1287 -S "Processing of the Certificate handshake message failed"
1288
1289run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
1290 "$P_SRV debug_level=2 auth_mode=required" \
1291 "$O_CLI -key data_files/server5.key \
1292 -cert data_files/server5.eku-cs.crt" \
1293 1 \
1294 -s "bad certificate (usage extensions)" \
1295 -s "Processing of the Certificate handshake message failed"
1296
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]1297# Tests for DHM parameters loading
1298
1299run_test "DHM parameters #0 (reference)" \
1300 "$P_SRV" \
1301 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
1302 debug_level=3" \
1303 0 \
1304 -c "value of 'DHM: P ' (2048 bits)" \
1305 -c "value of 'DHM: G ' (2048 bits)"
1306
1307run_test "DHM parameters #1 (other parameters)" \
1308 "$P_SRV dhm_file=data_files/dhparams.pem" \
1309 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
1310 debug_level=3" \
1311 0 \
1312 -c "value of 'DHM: P ' (1024 bits)" \
1313 -c "value of 'DHM: G ' (2 bits)"
1314
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1315# Tests for PSK callback
1316
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1317run_test "PSK callback #0a (psk, no callback)" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1318 "$P_SRV psk=abc123 psk_identity=foo" \
1319 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1320 psk_identity=foo psk=abc123" \
1321 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1322 -S "SSL - The server has no ciphersuites in common" \
1323 -S "SSL - Unknown identity received" \
1324 -S "SSL - Verification of the message MAC failed"
1325
1326run_test "PSK callback #0b (no psk, no callback)" \
1327 "$P_SRV" \
1328 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1329 psk_identity=foo psk=abc123" \
1330 1 \
1331 -s "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1332 -S "SSL - Unknown identity received" \
1333 -S "SSL - Verification of the message MAC failed"
1334
1335run_test "PSK callback #1 (callback overrides other settings)" \
1336 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
1337 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1338 psk_identity=foo psk=abc123" \
1339 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1340 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1341 -s "SSL - Unknown identity received" \
1342 -S "SSL - Verification of the message MAC failed"
1343
1344run_test "PSK callback #2 (first id matches)" \
1345 "$P_SRV psk_list=abc,dead,def,beef" \
1346 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1347 psk_identity=abc psk=dead" \
1348 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1349 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1350 -S "SSL - Unknown identity received" \
1351 -S "SSL - Verification of the message MAC failed"
1352
1353run_test "PSK callback #3 (second id matches)" \
1354 "$P_SRV psk_list=abc,dead,def,beef" \
1355 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1356 psk_identity=def psk=beef" \
1357 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1358 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1359 -S "SSL - Unknown identity received" \
1360 -S "SSL - Verification of the message MAC failed"
1361
1362run_test "PSK callback #4 (no match)" \
1363 "$P_SRV psk_list=abc,dead,def,beef" \
1364 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1365 psk_identity=ghi psk=beef" \
1366 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1367 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1368 -s "SSL - Unknown identity received" \
1369 -S "SSL - Verification of the message MAC failed"
1370
1371run_test "PSK callback #5 (wrong key)" \
1372 "$P_SRV psk_list=abc,dead,def,beef" \
1373 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1374 psk_identity=abc psk=beef" \
1375 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1376 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1377 -S "SSL - Unknown identity received" \
1378 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]1379
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]1380# Tests for ciphersuites per version
1381
1382run_test "Per-version suites #1" \
1383 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1384 "$P_CLI force_version=ssl3" \
1385 0 \
1386 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
1387
1388run_test "Per-version suites #2" \
1389 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1390 "$P_CLI force_version=tls1" \
1391 0 \
1392 -c "Ciphersuite is TLS-RSA-WITH-RC4-128-SHA"
1393
1394run_test "Per-version suites #3" \
1395 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1396 "$P_CLI force_version=tls1_1" \
1397 0 \
1398 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
1399
1400run_test "Per-version suites #4" \
1401 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1402 "$P_CLI force_version=tls1_2" \
1403 0 \
1404 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
1405
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]1406# Tests for ssl_get_bytes_avail()
1407
1408run_test "ssl_get_bytes_avail #1 (no extra data)" \
1409 "$P_SRV" \
1410 "$P_CLI request_size=100" \
1411 0 \
1412 -s "Read from client: 100 bytes read$"
1413
1414run_test "ssl_get_bytes_avail #2 (extra data)" \
1415 "$P_SRV" \
1416 "$P_CLI request_size=500" \
1417 0 \
1418 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]1419
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1420# Final report
1421
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1422echo "------------------------------------------------------------------------"
1423
1424if [ $FAILS = 0 ]; then
1425 echo -n "PASSED"
1426else
1427 echo -n "FAILED"
1428fi
1429PASSES=`echo $TESTS - $FAILS | bc`
Manuel Pégourié-Gonnard4145b892014-02-24 13:20:14 +0100[diff] [blame]1430echo " ($PASSES / $TESTS tests)"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1431
1432exit $FAILS