Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01001#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +01003# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +01004#
Bence Szépkúti44bfbe32020-08-19 16:54:51 +02005# Copyright The Mbed TLS Contributors
Bence Szépkúti4e9f7122020-06-05 13:02:18 +02006# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
7#
8# This file is provided under the Apache License 2.0, or the
9# GNU General Public License v2.0 or later.
10#
11# **********
12# Apache License 2.0:
Bence Szépkúti09b4f192020-05-26 01:54:15 +020013#
14# Licensed under the Apache License, Version 2.0 (the "License"); you may
15# not use this file except in compliance with the License.
16# You may obtain a copy of the License at
17#
18# http://www.apache.org/licenses/LICENSE-2.0
19#
20# Unless required by applicable law or agreed to in writing, software
21# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23# See the License for the specific language governing permissions and
24# limitations under the License.
25#
Bence Szépkúti4e9f7122020-06-05 13:02:18 +020026# **********
27#
28# **********
29# GNU General Public License v2.0 or later:
30#
31# This program is free software; you can redistribute it and/or modify
32# it under the terms of the GNU General Public License as published by
33# the Free Software Foundation; either version 2 of the License, or
34# (at your option) any later version.
35#
36# This program is distributed in the hope that it will be useful,
37# but WITHOUT ANY WARRANTY; without even the implied warranty of
38# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
39# GNU General Public License for more details.
40#
41# You should have received a copy of the GNU General Public License along
42# with this program; if not, write to the Free Software Foundation, Inc.,
43# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
44#
45# **********
46#
Simon Butcher58eddef2016-05-19 23:43:11 +010047# Purpose
48#
49# Executes tests to prove various TLS/SSL options and extensions.
50#
51# The goal is not to cover every ciphersuite/version, but instead to cover
52# specific options (max fragment length, truncated hmac, etc) or procedures
53# (session resumption from cache or ticket, renego, etc).
54#
55# The tests assume a build with default options, with exceptions expressed
56# with a dependency. The tests focus on functionality and do not consider
57# performance.
58#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +010059
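set -u

# Limit the size of each log to 10 GiB, in case of failures with this script
# where it may output seemingly unlimited length error logs.
# NOTE(review): the block size used by `ulimit -f` depends on the shell
# (512-byte blocks in POSIX sh, 1024-byte blocks in bash's default mode), so
# the effective cap is 10 GiB or 20 GiB depending on the interpreter.
ulimit -f 20971520

# default values, can be overridden by the environment
# The expansions are quoted so that a value supplied through the environment
# is not word-split or glob-expanded by the no-op `:` command itself.
# These values are later executed as commands (run_test word-splits the server
# and proxy commands and passes the client command to eval), so the environment
# this script runs in has to be trusted.
: "${P_SRV:=../programs/ssl/ssl_server2}"
: "${P_CLI:=../programs/ssl/ssl_client2}"
: "${P_PXY:=../programs/test/udp_proxy}"
: "${OPENSSL_CMD:=openssl}" # OPENSSL would conflict with the build system
: "${GNUTLS_CLI:=gnutls-cli}"
: "${GNUTLS_SERV:=gnutls-serv}"
: "${PERL:=perl}"

# Command lines for the third-party peers. O_CLI and G_CLI contain a pipe and
# therefore only work when evaluated by the shell.
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12u.crt"
TCP_CLIENT="$PERL scripts/tcp_client.pl"

# Counters reported at the end of the run.
TESTS=0
FAILS=0
SKIPS=0

CONFIG_H='../include/mbedtls/config.h'

# Settings changed by get_options().
MEMCHECK=0
FILTER='.*'
EXCLUDE='^$'

SHOW_TEST_NUMBER=0
RUN_TEST_NUMBER=''

PRESERVE_LOGS=0

# Pick a "unique" server port in the range 10000-19999, and a proxy
# port which is this plus 10000. Each port number may be independently
# overridden by a command line option.
# The port is derived from the PID only, so it is predictable and two
# concurrent runs whose PIDs differ by a multiple of 10000 pick the same port.
SRV_PORT=$(($$ % 10000 + 10000))
PXY_PORT=$((SRV_PORT + 10000))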
101
# Print the command-line help text on stdout.
# One "option<TAB>description" line is emitted per supported option.
print_usage() {
    echo "Usage: $0 [options]"
    # The format is reused for every (option, description) pair.
    printf ' %s\t%s\n' \
        '-h|--help' 'Print this help.' \
        '-m|--memcheck' 'Check memory leaks and errors.' \
        '-f|--filter' 'Only matching tests are executed (BRE)' \
        '-e|--exclude' 'Matching tests are excluded (BRE)' \
        '-n|--number' "Execute only numbered test (comma-separated, e.g. '245,256')" \
        '-s|--show-numbers' 'Show test numbers in front of test names' \
        '-p|--preserve-logs' 'Preserve logs of successful tests as well' \
        '--port' 'TCP/UDP port (default: randomish 1xxxx)' \
        '--proxy-port' 'TCP/UDP proxy port (default: randomish 2xxxx)' \
        '--seed' 'Integer seed value to use for this test run'
}
115
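# Parse the command-line arguments into the script's global settings.
# Globals written: FILTER, EXCLUDE, MEMCHECK, RUN_TEST_NUMBER,
#                  SHOW_TEST_NUMBER, PRESERVE_LOGS, SRV_PORT, PXY_PORT, SEED
# Exits 0 after printing the help, and 1 on an unknown option, on an option
# whose value is missing, or on a port that is not a decimal number.
get_options() {
    while [ $# -gt 0 ]; do
        # Options that take a value: make sure the value is really there.
        # Without this check a trailing "-f" reads an unset $1, which under
        # `set -u` aborts with an unrelated-looking shell error.
        case "$1" in
            -f|--filter|-e|--exclude|-n|--number|--port|--proxy-port|--seed)
                if [ $# -lt 2 ]; then
                    echo "Option '$1' requires an argument" >&2
                    print_usage >&2
                    exit 1
                fi
                ;;
        esac

        case "$1" in
            -f|--filter)
                # used as a grep BRE by run_test
                shift; FILTER=$1
                ;;
            -e|--exclude)
                # used as a grep BRE by run_test
                shift; EXCLUDE=$1
                ;;
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -n|--number)
                shift; RUN_TEST_NUMBER=$1
                ;;
            -s|--show-numbers)
                SHOW_TEST_NUMBER=1
                ;;
            -p|--preserve-logs)
                PRESERVE_LOGS=1
                ;;
            --port)
                shift; SRV_PORT=$1
                # The port is pasted into a sed expression and into command
                # lines by run_test, so only plain decimal numbers are accepted.
                case "$SRV_PORT" in
                    ''|*[!0-9]*)
                        echo "Invalid port: '$SRV_PORT'" >&2
                        exit 1
                        ;;
                esac
                ;;
            --proxy-port)
                shift; PXY_PORT=$1
                case "$PXY_PORT" in
                    ''|*[!0-9]*)
                        echo "Invalid proxy port: '$PXY_PORT'" >&2
                        exit 1
                        ;;
                esac
                ;;
            --seed)
                shift; SEED="$1"
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unknown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}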
159
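# Skip the next test if the flag is not enabled in config.h.
# Arguments: $1 - name of the configuration macro
# Globals:   CONFIG_H (read), SKIP_NEXT (written)
requires_config_enabled() {
    # Match the macro name exactly: it must be followed by whitespace or by the
    # end of the line. A bare prefix match would let "#define FOO_BAR" satisfy
    # a requirement on FOO, so a test could run against a build that lacks the
    # feature it needs.
    if grep -e "^#define $1[[:space:]]" -e "^#define $1\$" "$CONFIG_H" > /dev/null; then :; else
        SKIP_NEXT="YES"
    fi
}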
166
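# Skip the next test if the flag is enabled in config.h.
# Arguments: $1 - name of the configuration macro
# Globals:   CONFIG_H (read), SKIP_NEXT (written)
requires_config_disabled() {
    # Match the macro name exactly: it must be followed by whitespace or by the
    # end of the line. A bare prefix match would treat "#define FOO_BAR" as
    # FOO being enabled and skip a test that should have run.
    if grep -e "^#define $1[[:space:]]" -e "^#define $1\$" "$CONFIG_H" > /dev/null; then
        SKIP_NEXT="YES"
    fi
}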
173
# Skip the next test if OpenSSL doesn't support FALLBACK_SCSV.
# The probe runs once; its result is cached in OPENSSL_HAS_FBSCSV.
# Globals: OPENSSL_CMD (read), OPENSSL_HAS_FBSCSV (read/written),
#          SKIP_NEXT (written)
requires_openssl_with_fallback_scsv() {
    if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
        # Assume the option is missing unless the help text mentions it.
        OPENSSL_HAS_FBSCSV="NO"
        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
        then
            OPENSSL_HAS_FBSCSV="YES"
        fi
    fi

    case "$OPENSSL_HAS_FBSCSV" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
188
# Skip the next test if GnuTLS isn't available.
# Both the client and the server program must be found; the result of the
# lookup is cached in GNUTLS_AVAILABLE.
# Globals: GNUTLS_CLI, GNUTLS_SERV (read), GNUTLS_AVAILABLE (read/written),
#          SKIP_NEXT (written)
requires_gnutls() {
    if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
        GNUTLS_AVAILABLE="NO"
        if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
            GNUTLS_AVAILABLE="YES"
        fi
    fi

    case "$GNUTLS_AVAILABLE" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
202
# Skip the next test if IPv6 isn't available on this host.
# The first call starts the test server bound to ::1 for one second and looks
# for a bind failure in its output; the answer is cached in HAS_IPV6.
# Globals: P_SRV, SRV_OUT (read), SRV_PID, HAS_IPV6, SKIP_NEXT (written)
requires_ipv6() {
    if [ -z "${HAS_IPV6:-}" ]; then
        $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
        SRV_PID=$!
        sleep 1
        kill $SRV_PID >/dev/null 2>&1

        # IPv6 is considered usable unless the server reported a bind failure.
        HAS_IPV6="YES"
        if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
            HAS_IPV6="NO"
        fi
        rm -r $SRV_OUT
    fi

    case "$HAS_IPV6" in
        NO) SKIP_NEXT="YES" ;;
    esac
}
222
# Skip the next test if valgrind is in use (MEMCHECK greater than 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written)
not_with_valgrind() {
    if ! [ "$MEMCHECK" -gt 0 ]; then
        return 0
    fi
    SKIP_NEXT="YES"
}
229
# Skip the next test if valgrind is NOT in use (MEMCHECK equal to 0).
# Globals: MEMCHECK (read), SKIP_NEXT (written)
only_with_valgrind() {
    if ! [ "$MEMCHECK" -eq 0 ]; then
        return 0
    fi
    SKIP_NEXT="YES"
}
236
# Multiply the client timeout delay by the given factor for the next test.
# Arguments: $1 - factor stored in CLI_DELAY_FACTOR, which wait_client_done()
#                 applies to the watchdog delay and then resets to 1
client_needs_more_time() {
    CLI_DELAY_FACTOR="$1"
}
241
# Wait for the given number of seconds after the client finished in the next
# test.
# Arguments: $1 - seconds stored in SRV_DELAY_SECONDS, which wait_client_done()
#                 sleeps for and then resets to 0
server_needs_more_time() {
    SRV_DELAY_SECONDS="$1"
}
246
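# print_name <name>
# Count the test, then print its name (prefixed with its number when
# SHOW_TEST_NUMBER is set) followed by a run of dots that pads the line to a
# fixed width, so that the verdict printed afterwards lines up in a column.
# Globals: TESTS (incremented), SHOW_TEST_NUMBER (read), LINE, LEN (written)
print_name() {
    TESTS=$(( TESTS + 1 ))
    LINE=""

    if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
        LINE="$TESTS "
    fi

    LINE="$LINE$1"
    # The name is data, not a format: a test name containing '%' or a
    # backslash must be printed verbatim.
    printf '%s ' "$LINE"
    # wc -c also counts the newline, which stands for the space printed above.
    LEN=$(( 72 - $(printf '%s\n' "$LINE" | wc -c) ))
    # Plain counting loop: prints nothing when the name is already too long,
    # and does not depend on the non-standard seq utility.
    i=0
    while [ "$i" -lt "$LEN" ]; do
        printf '.'
        i=$(( i + 1 ))
    done
    printf ' '
}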
263
# fail <message>
# Report the current test as failed, keep its logs under o-*-<number>.log,
# optionally dump them on stdout, and bump the failure counter.
# Globals: SRV_OUT, CLI_OUT, PXY_OUT, PXY_CMD, TESTS,
#          LOG_FAILURE_ON_STDOUT (read), FAILS (incremented)
fail() {
    echo "FAIL"
    echo " ! $1"

    # Keep the outputs of the failed test; the proxy log only exists when a
    # proxy was in use.
    mv $SRV_OUT o-srv-${TESTS}.log
    mv $CLI_OUT o-cli-${TESTS}.log
    [ -z "$PXY_CMD" ] || mv $PXY_OUT o-pxy-${TESTS}.log
    echo " ! outputs saved to o-XXX-${TESTS}.log"

    # Any value other than 0 asks for the logs to be copied to stdout too.
    if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
        echo " ! server output:"
        cat o-srv-${TESTS}.log
        echo " ! ========================================================"
        echo " ! client output:"
        cat o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            echo " ! ========================================================"
            echo " ! proxy output:"
            cat o-pxy-${TESTS}.log
        fi
        echo ""
    fi

    FAILS=$(( $FAILS + 1 ))
}
292
# is_polar <cmd_line>
# Succeed when the command line mentions one of the project's own test
# programs (ssl_server2 or ssl_client2), fail otherwise.
is_polar() {
    case "$1" in
        *ssl_server2*|*ssl_client2*) return 0 ;;
        *) return 1 ;;
    esac
}
297
# openssl s_server doesn't have -www with DTLS: when the server command is an
# s_server running DTLS, drop -www from it and record that the server needs
# its input to be provided instead.
# Globals: SRV_CMD (read, possibly rewritten), NEEDS_INPUT (written)
check_osrv_dtls() {
    NEEDS_INPUT=0
    if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
        NEEDS_INPUT=1
        SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
    fi
}
307
# Provide input to commands that need it: when NEEDS_INPUT is set, write an
# HTTP status line once per second until the reader goes away; otherwise
# write nothing.
# Globals: NEEDS_INPUT (read)
provide_input() {
    if ! [ $NEEDS_INPUT -eq 0 ]; then
        while :; do
            echo "HTTP/1.0 200 OK"
            sleep 1
        done
    fi
}
319
# has_mem_err <log_file_name>
# Succeed (status 0) when the valgrind log does NOT contain both the "no
# leaks" and the "0 errors" summary lines, i.e. when memory errors have to be
# assumed; return 1 when both lines are present. A log without any valgrind
# summary therefore counts as having errors.
has_mem_err() {
    if grep -F 'All heap blocks were freed -- no leaks are possible' "$1" >/dev/null &&
       grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" >/dev/null
    then
        return 1 # false: does not have errors
    fi
    return 0 # true: has errors
}
330
# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
# With lsof the wait polls until the port is open or DOG_DELAY seconds have
# passed; without lsof it is a fixed sleep of START_DELAY seconds.
if type lsof >/dev/null 2>/dev/null; then
    wait_app_start() {
        START_TIME=$(date +%s)
        # DTLS servers listen on UDP, everything else on TCP.
        proto=TCP
        if [ "$DTLS" -eq 1 ]; then
            proto=UDP
        fi
        # Make a tight loop, server normally takes less than 1s to start.
        until lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
            if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
                # Give up, and leave a marker both on stdout and in the log.
                echo "$3 START TIMEOUT"
                echo "$3 START TIMEOUT" >> $4
                break
            fi
            # Linux and *BSD support decimal arguments to sleep. On other
            # OSes this may be a tight loop.
            sleep 0.1 2>/dev/null || true
        done
    }
else
    echo "Warning: lsof not available, wait_app_start = sleep"
    wait_app_start() {
        sleep "$START_DELAY"
    }
fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200358
# Wait for server process $2 to be listening on port $1.
# A start timeout is reported under the name "SERVER" and appended to the
# server log SRV_OUT.
wait_server_start() {
    wait_app_start $1 $2 \
        "SERVER" $SRV_OUT
}
363
# Wait for proxy process $2 to be listening on port $1.
# A start timeout is reported under the name "PROXY" and appended to the
# proxy log PXY_OUT.
wait_proxy_start() {
    wait_app_start $1 $2 \
        "PROXY" $PXY_OUT
}
368
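# Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that it's within
# acceptable bounds.
# Arguments: $1 - log file to read
# Returns:   0 when every timestamp found is within THRESHOLD_IN_SECS of the
#            current time; 1 when none is found, or when any of them is not a
#            plain decimal number or lies outside the bounds
check_server_hello_time() {
    # Extract the time from the debug (lvl 3) output of the client
    SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
    # Get the Unix timestamp for now
    CUR_TIME=$(date +'%s')
    THRESHOLD_IN_SECS=300

    # Check if the ServerHello time was printed
    if [ -z "$SERVER_HELLO_TIME" ]; then
        return 1
    fi

    # The log may hold several such lines (one value per line), so each value
    # is checked on its own. The check fails closed: a value that is not a
    # number, or a comparison that cannot be evaluated, is a failure rather
    # than something that slips through to the success branch.
    for hello_time in $SERVER_HELLO_TIME; do
        case "$hello_time" in
            ''|*[!0-9]*) return 1 ;;
        esac
        # Accept only times no more than 5 minutes before or after now.
        if [ "$hello_time" -ge $(( CUR_TIME - THRESHOLD_IN_SECS )) ] &&
           [ "$hello_time" -le $(( CUR_TIME + THRESHOLD_IN_SECS )) ]
        then :; else
            return 1
        fi
    done
    return 0
}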
395
# Wait for the client to terminate and set CLI_EXIT.
# Must be called right after starting the client: the first statement reads
# $!, which has to still refer to the client.
# Globals: DOG_DELAY, CLI_OUT (read), CLI_DELAY_FACTOR (read, reset to 1),
#          SRV_DELAY_SECONDS (read, reset to 0),
#          CLI_PID, CLI_DELAY, DOG_PID, CLI_EXIT (written)
wait_client_done() {
    CLI_PID=$!

    # The extra time requested for this test applies to this test only.
    CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
    CLI_DELAY_FACTOR=1

    # Watchdog: once the delay has elapsed, mark the log and kill the client.
    {
        sleep $CLI_DELAY
        echo "===CLIENT_TIMEOUT===" >> $CLI_OUT
        kill $CLI_PID
    } &
    DOG_PID=$!

    wait $CLI_PID
    CLI_EXIT=$?

    # The client is done: the watchdog is no longer needed.
    kill $DOG_PID >/dev/null 2>&1
    wait $DOG_PID

    echo "EXIT: $CLI_EXIT" >> $CLI_OUT

    # Optional grace period for the server, for this test only.
    sleep $SRV_DELAY_SECONDS
    SRV_DELAY_SECONDS=0
}
418
# Check if the given command uses DTLS and set the global variable DTLS
# accordingly (1 or 0).
# The test is a substring match on "dtls=1", "-dtls1" or "-u", so any command
# line that merely contains one of these is treated as DTLS.
detect_dtls() {
    DTLS=0
    if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
        DTLS=1
    fi
}
427
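# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -u pattern  lines after pattern must be unique in client output
#           -f          call shell function on client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
#           -U pattern  lines after pattern must be unique in server output
#           -F          call shell function on server output
#
# Runs one test: starts the optional proxy, the server and the client, waits
# for the client, stops the others, then checks the client exit status and
# the requested assertions on the logs. Prints SKIP, PASS, or (through fail)
# FAIL, and updates the SKIPS and FAILS counters.
#
# The command strings are executed as given: the server and proxy commands
# are word-split and run, the client command goes through eval, and the
# argument of -f/-F is called as a command. They are expected to come from
# the test definitions in this script and from the P_*/O_*/G_* defaults, so
# whatever can set those values controls what is executed.
run_test() {
    NAME="$1"
    shift 1

    # FILTER and EXCLUDE are the BREs given on the command line.
    if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
    else
        SKIP_NEXT="NO"
        return
    fi

    print_name "$NAME"

    # Do we only run numbered tests?
    if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
    elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
    else
        SKIP_NEXT="YES"
    fi

    # should we skip?
    if [ "X$SKIP_NEXT" = "XYES" ]; then
        SKIP_NEXT="NO"
        echo "SKIP"
        SKIPS=$(( SKIPS + 1 ))
        return
    fi

    # does this test use a proxy?
    if [ "X$1" = "X-p" ]; then
        PXY_CMD="$2"
        shift 2
    else
        PXY_CMD=""
    fi

    # get commands and client output
    SRV_CMD="$1"
    CLI_CMD="$2"
    CLI_EXPECT="$3"
    shift 3

    # update DTLS variable
    detect_dtls "$SRV_CMD"

    # if the test uses DTLS but no custom proxy, add a simple proxy
    # as it provides timing info that's useful to debug failures
    if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
        PXY_CMD="$P_PXY"
        case " $SRV_CMD " in
            *' server_addr=::1 '*)
                PXY_CMD="$PXY_CMD server_addr=::1 listen_addr=::1";;
        esac
    fi

    # fix client port: with a proxy the client must talk to the proxy.
    # The sed script is quoted so that the port value stays a single word.
    if [ -n "$PXY_CMD" ]; then
        CLI_CMD=$( echo "$CLI_CMD" | sed "s/+SRV_PORT/$PXY_PORT/g" )
    else
        CLI_CMD=$( echo "$CLI_CMD" | sed "s/+SRV_PORT/$SRV_PORT/g" )
    fi

    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

    # At most two attempts: the second one only happens after a client timeout.
    TIMES_LEFT=2
    while [ $TIMES_LEFT -gt 0 ]; do
        TIMES_LEFT=$(( TIMES_LEFT - 1 ))

        # run the commands
        # Each log starts with the test name and the command line. They are
        # passed as printf arguments, never as the format, so that '%' or a
        # backslash in a name or command is logged verbatim.
        if [ -n "$PXY_CMD" ]; then
            printf "# %s\n%s\n" "$NAME" "$PXY_CMD" > "$PXY_OUT"
            $PXY_CMD >> "$PXY_OUT" 2>&1 &
            PXY_PID=$!
            wait_proxy_start "$PXY_PORT" "$PXY_PID"
        fi

        check_osrv_dtls
        printf "# %s\n%s\n" "$NAME" "$SRV_CMD" > "$SRV_OUT"
        provide_input | $SRV_CMD >> "$SRV_OUT" 2>&1 &
        SRV_PID=$!
        wait_server_start "$SRV_PORT" "$SRV_PID"

        printf "# %s\n%s\n" "$NAME" "$CLI_CMD" > "$CLI_OUT"
        # eval is needed because some client commands contain a pipe.
        eval "$CLI_CMD" >> "$CLI_OUT" 2>&1 &
        wait_client_done

        # terminate the server (and the proxy)
        kill $SRV_PID
        wait $SRV_PID
        if [ -n "$PXY_CMD" ]; then
            kill $PXY_PID >/dev/null 2>&1
            wait $PXY_PID
        fi

        # retry only on timeouts
        if grep '===CLIENT_TIMEOUT===' "$CLI_OUT" >/dev/null; then
            printf "RETRY "
        else
            TIMES_LEFT=0
        fi
    done

    # check if the client and server went at least to the handshake stage
    # (useful to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
    if is_polar "$SRV_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$SRV_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi
    if is_polar "$CLI_CMD"; then
        if grep "Performing the SSL/TLS handshake" "$CLI_OUT" >/dev/null; then :;
        else
            fail "server or client failed to reach handshake stage"
            return
        fi
    fi

    # check server exit code
    # NOTE(review): $? here is the status of the `if` statement just above,
    # not of the server; the status of `wait $SRV_PID` in the loop is never
    # saved. As written this branch cannot fire, so a server that exits
    # abnormally is only caught by the pattern and valgrind checks below.
    # Saving the `wait` status right after the kill would make the check
    # effective, but a server stopped with `kill` may report a signal status,
    # so that change needs to be validated against every server in use.
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

    # check client exit code: only "zero or non-zero" is compared
    if { [ "$CLI_EXPECT" = 0 ] && [ "$CLI_EXIT" != 0 ]; } ||
       { [ "$CLI_EXPECT" != 0 ] && [ "$CLI_EXIT" = 0 ]; }
    then
        fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
        return
    fi

    # check other assertions
    # lines beginning with == are added by valgrind, ignore them
    # lines with 'Serious error when reading debug info', are valgrind issues as well
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Server output"
                    return
                fi
                ;;

            "-c")
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
                    fail "pattern '$2' MUST be present in the Client output"
                    return
                fi
                ;;

            "-S")
                if grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Server output"
                    return
                fi
                ;;

            "-C")
                if grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
                    fail "pattern '$2' MUST NOT be present in the Client output"
                    return
                fi
                ;;

                # The filtering in the following two options (-u and -U) do the following
                #   - ignore valgrind output
                #   - filter out everything but lines right after the pattern occurrences
                #   - keep one of each non-unique line
                #   - count how many lines remain
                # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
                # if there were no duplicates.
            "-U")
                if [ $(grep -v '^==' "$SRV_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Server output"
                    return
                fi
                ;;

            "-u")
                if [ $(grep -v '^==' "$CLI_OUT" | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
                    fail "lines following pattern '$2' must be unique in Client output"
                    return
                fi
                ;;
            "-F")
                # $2 is the name of a shell function taking the log file name
                if ! $2 "$SRV_OUT"; then
                    fail "function call to '$2' failed on Server output"
                    return
                fi
                ;;
            "-f")
                if ! $2 "$CLI_OUT"; then
                    fail "function call to '$2' failed on Client output"
                    return
                fi
                ;;

            *)
                echo "Unknown test: $1" >&2
                exit 1
        esac
        shift 2
    done

    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err "$SRV_OUT"; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err "$CLI_OUT"; then
            fail "Client has memory errors"
            return
        fi
    fi

    # if we're here, everything is ok
    echo "PASS"
    if [ "$PRESERVE_LOGS" -gt 0 ]; then
        mv "$SRV_OUT" o-srv-${TESTS}.log
        mv "$CLI_OUT" o-cli-${TESTS}.log
        if [ -n "$PXY_CMD" ]; then
            mv "$PXY_OUT" o-pxy-${TESTS}.log
        fi
    fi

    rm -f "$SRV_OUT" "$CLI_OUT" "$PXY_OUT"
}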
677
# Remove the temporary output files, kill whichever of the server, proxy,
# client and watchdog processes have been started, and exit with status 1.
# Globals: CLI_OUT, SRV_OUT, PXY_OUT, SESSION, SRV_PID, PXY_PID, CLI_PID,
#          DOG_PID (read)
cleanup() {
    rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
    # A PID variable that was never set means that process was never started.
    for pid in "${SRV_PID:-}" "${PXY_PID:-}" "${CLI_PID:-}" "${DOG_PID:-}"; do
        test -n "$pid" && kill $pid >/dev/null 2>&1
    done
    exit 1
}
686
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100687#
688# MAIN
689#
690
Manuel Pégourié-Gonnard19db8ea2015-03-10 13:41:04 +0000691if cd $( dirname $0 ); then :; else
692 echo "cd $( dirname $0 ) failed" >&2
693 exit 1
694fi
695
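# Parse the command line first: the checks below read variables that the
# options may have changed.
get_options "$@"

# Sanity checks: stop now with one clear message per missing tool instead of
# letting every test case fail later.
# At this point P_SRV, P_CLI and P_PXY are tested as plain program paths;
# arguments are only appended to them further down.
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if [ ! -x "$P_PXY" ]; then
    echo "Command '$P_PXY' is not an executable file"
    exit 1
fi
# `command -v` is the POSIX way to look a command up; `which` is an external
# tool that is not guaranteed to be installed.
if [ "$MEMCHECK" -gt 0 ]; then
    if command -v valgrind >/dev/null 2>&1; then :; else
        echo "Memcheck not possible. Valgrind not found"
        exit 1
    fi
fi
# Quoted so the configured value is looked up as one command name.
if command -v "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL_CMD' not found"
    exit 1
fi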
721
# PID of this script, kept for the watchdog
MAIN_PID=$$

# The delays below are somewhat arbitrary:
# - START_DELAY: how long to wait for the server to start when lsof is not
#   available
# - DOG_DELAY: how long the client is allowed to take before the watchdog
#   steps in (this is not a performance check, it only prevents waiting
#   indefinitely)
#
# Without lsof there is a trade-off between the running time of the script
# and the risk of spurious errors caused by not waiting long enough. The
# watchdog delay, by contrast, has no effect on the normal running time; it
# only matters when a client or server gets stuck.
START_DELAY=2
DOG_DELAY=20
if [ "$MEMCHECK" -gt 0 ]; then
    # everything is slower under valgrind, so allow extra time
    START_DELAY=6
    DOG_DELAY=60
fi

# A few tests need more time than that:
# - for the client, the usual watchdog limit is multiplied by a factor
# - for the server, we sleep for a number of seconds after the client exits
# see client_need_more_time() and server_needs_more_time()
CLI_DELAY_FACTOR=1
SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200749
# Pin every command to the test port and, for the Mbed TLS programs, to the
# IPv4 loopback address.
# The literal "+SRV_PORT" in the client commands is a placeholder that is
# replaced later by either $SRV_PORT or $PXY_PORT.
#
# allow_sha1=1 is appended to the Mbed TLS server and client because many of
# the test certificates are signed with SHA-1. This relaxation is for the test
# suite only; the SHA-1 tests further down pass allow_sha1=0 themselves when
# they need the stricter behaviour.
P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT allow_sha1=1"
P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT allow_sha1=1"
# The proxy listens on PXY_PORT and forwards to the server; seed=... is only
# added when SEED is set and non-empty.
P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"

# OpenSSL peers
O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_CLI="$O_CLI -connect localhost:+SRV_PORT"

# GnuTLS peers
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT localhost"
763
# Per-run names for the intermediate files, made unique with this shell's PID.
# The names are relative to the current directory and predictable from the
# PID, so run the suite from a working tree that other local users cannot
# write to.
SRV_OUT=srv_out.$$
CLI_OUT=cli_out.$$
PXY_OUT=pxy_out.$$
SESSION=session.$$

SKIP_NEXT=NO

# On HUP, INT or TERM, remove the files above and stop helper processes.
trap cleanup HUP INT TERM
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100773
# Basic test

# With default settings on both sides, check that:
# - the handshake works with all ciphersuites active (used with config-full
#   in all.sh)
# - the expected (highest security) parameters are selected
#   ("signature_algorithm ext: 6" means SHA-512, the highest common hash)
# - neither log contains "error"
# Pattern options as used throughout this file: -s/-c expect the pattern in
# the server/client output, -S/-C require it to be absent (see run_test,
# outside this excerpt, for the authoritative description).
run_test "Default" \
    "$P_SRV debug_level=3" \
    "$P_CLI" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error"

# Same defaults over DTLS: only the protocol version and ciphersuite are
# checked here.
run_test "Default, DTLS" \
    "$P_SRV dtls=1" \
    "$P_CLI dtls=1" \
    0 \
    -s "Protocol is DTLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
797
# Only runs in builds with MBEDTLS_ZLIB_SUPPORT: both peers must allocate a
# compression buffer and report the record expansion as unknown.
# TLS record compression makes ciphertext length depend on plaintext content
# (the CRIME class of attacks), so treat this as coverage for an opt-in build
# option, not as a recommended configuration.
requires_config_enabled MBEDTLS_ZLIB_SUPPORT
run_test "Default (compression enabled)" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -s "Allocating compression buffer" \
    -c "Allocating compression buffer" \
    -s "Record expansion is unknown (compression)" \
    -c "Record expansion is unknown (compression)" \
    -S "error" \
    -C "error"
809
# Test current time in ServerHello (needs MBEDTLS_HAVE_TIME).
# Same expectations as "Default", plus check_server_hello_time is passed via
# -f and -F; presumably run_test applies that function to the client and
# server output respectively -- confirm against run_test.
requires_config_enabled MBEDTLS_HAVE_TIME
run_test "Default, ServerHello contains gmt_unix_time" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -s "Protocol is TLSv1.2" \
    -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    -s "client hello v3, signature_algorithm ext: 6" \
    -s "ECDHE curve: secp521r1" \
    -S "error" \
    -C "error" \
    -f "check_server_hello_time" \
    -F "check_server_hello_time"
824
# Test for uniqueness of IVs in AEAD ciphersuites.
# Repeating a GCM nonce under the same key breaks both confidentiality and
# authentication, so over 20 exchanges the "IV used" lines logged by each
# side must all differ (-u / -U; presumably client / server output -- see
# run_test).
run_test "Unique IV in GCM" \
    "$P_SRV exchanges=20 debug_level=4" \
    "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    0 \
    -u "IV used" \
    -U "IV used"
832
# Tests for rc4 option
#
# RC4 is a legacy stream cipher; these cases pin down when an RC4 suite may
# be negotiated. The handshake must fail (exit code 1, server reporting no
# common ciphersuite) unless both peers force the RC4 suite.

# Client forces RC4, server left at its defaults: rejected.
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server disabled, client enabled" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

# Server passes arc4=1 but does not force the suite: still rejected.
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server half, client enabled" \
    "$P_SRV arc4=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

# Server offers only RC4, client left at its defaults: rejected.
run_test "RC4: server enabled, client disabled" \
    "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI" \
    1 \
    -s "SSL - The server has no ciphersuites in common"

# Both sides force RC4: the handshake succeeds and neither
# "no usable/common ciphersuite" message appears on the server.
run_test "RC4: both enabled" \
    "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - The server has no ciphersuites in common"
861
# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
#
# Both cases run the Mbed TLS client against a GnuTLS server and only require
# the handshake to complete (exit code 0); no log patterns are checked.

requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
    "$G_SRV" \
    "$P_CLI force_version=tls1_1" \
    0

requires_gnutls
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
    "$G_SRV" \
    "$P_CLI force_version=tls1" \
    0
877
# Tests for SHA-1 support
#
# Earlier in this file P_SRV and P_CLI get allow_sha1=1 appended; the cases
# below add allow_sha1=0 after it where they want the library default
# (presumably the later occurrence takes effect -- confirm in the test
# programs). What "default" means depends on the build option
# MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, hence the paired cases.

# --- SHA-1 in the server certificate, verified by the client ---

# Build option off: the client must reject the SHA-1-signed certificate.
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    1 \
    -c "The certificate is signed with an unacceptable hash"

# Build option on: the same handshake is expected to succeed.
# NOTE(review): this case carries the same name as the one above although its
# expectation is the opposite, which makes reports ambiguous to read.
requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI debug_level=2 allow_sha1=0" \
    0

run_test "SHA-1 explicitly allowed in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
    "$P_CLI allow_sha1=1" \
    0

# Control: a SHA-256-signed certificate is accepted without the relaxation.
run_test "SHA-256 allowed by default in server certificate" \
    "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
    "$P_CLI allow_sha1=0" \
    0

# --- SHA-1 in the client certificate, verified by the server ---

# Build option off: the server must reject the SHA-1-signed certificate.
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    1 \
    -s "The certificate is signed with an unacceptable hash"

# Build option on: accepted.
# NOTE(review): same duplicated name as in the server-certificate pair above.
requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
run_test "SHA-1 forbidden by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

run_test "SHA-1 explicitly allowed in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=1" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
    0

# Control: a SHA-256-signed client certificate is accepted.
run_test "SHA-256 allowed by default in client certificate" \
    "$P_SRV auth_mode=required allow_sha1=0" \
    "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
    0
925
# Tests for Truncated HMAC extension
#
# The server log is checked for the size of the MAC it computes: 20 bytes is
# the full HMAC-SHA-1 output of the forced ciphersuite, 10 bytes the truncated
# one. The shortened MAC must only appear when BOTH peers pass trunc_hmac=1;
# every other combination has to keep the full 20-byte MAC.

run_test "Truncated HMAC: client default, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client disabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server default" \
    "$P_SRV debug_level=4" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server disabled" \
    "$P_SRV debug_level=4 trunc_hmac=0" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client disabled, server enabled" \
    "$P_SRV debug_level=4 trunc_hmac=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

# The one combination in which truncation is negotiated.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC: client enabled, server enabled" \
    "$P_SRV debug_level=4 trunc_hmac=1" \
    "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -S "dumping 'expected mac' (20 bytes)" \
    -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100974
# Truncated HMAC over DTLS: the same matrix as for TLS, with dtls=1 on both
# sides. Again the 10-byte MAC is expected only when both peers enable the
# extension; all other combinations must keep the 20-byte MAC.

run_test "Truncated HMAC, DTLS: client default, server default" \
    "$P_SRV dtls=1 debug_level=4" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client disabled, server default" \
    "$P_SRV dtls=1 debug_level=4" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server default" \
    "$P_SRV dtls=1 debug_level=4" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
    "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
    "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
    0 \
    -s "dumping 'expected mac' (20 bytes)" \
    -S "dumping 'expected mac' (10 bytes)"

# The one combination in which truncation is negotiated.
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
    "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
    "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
    0 \
    -S "dumping 'expected mac' (20 bytes)" \
    -s "dumping 'expected mac' (10 bytes)"
1021
# Tests for Encrypt-then-MAC extension
#
# Each case follows the extension through the handshake: offered by the
# client, seen by the server, echoed by the server, seen by the client, and
# finally "using encrypt then mac" on both sides. The cases show that it ends
# up in use only when both peers enable it, the negotiated suite is a CBC
# suite, and the protocol is not SSLv3. In every other case the handshake
# still succeeds (exit code 0) without the extension.

# Defaults on both sides with a CBC suite: negotiated and used.
run_test "Encrypt then MAC: default" \
    "$P_SRV debug_level=3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -s "server hello, adding encrypt then mac extension" \
    -c "found encrypt_then_mac extension" \
    -c "using encrypt then mac" \
    -s "using encrypt then mac"

# Server has it switched off: it sees the offer but does not echo it.
run_test "Encrypt then MAC: client enabled, server disabled" \
    "$P_SRV debug_level=3 etm=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# AEAD suite (GCM): the extension is offered but must not be echoed or used.
run_test "Encrypt then MAC: client enabled, aead cipher" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI debug_level=3 etm=1" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Stream cipher (RC4): likewise offered but not echoed or used.
run_test "Encrypt then MAC: client enabled, stream cipher" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -s "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Client has it switched off: nothing is offered, nothing is used.
run_test "Encrypt then MAC: client disabled, server enabled" \
    "$P_SRV debug_level=3 etm=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 etm=0" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Client forced to SSLv3: it does not offer the extension at all.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"

# Server forced to SSLv3: the client offers it, the server neither reports
# nor echoes it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding encrypt_then_mac extension" \
    -S "found encrypt then mac extension" \
    -S "server hello, adding encrypt then mac extension" \
    -C "found encrypt_then_mac extension" \
    -C "using encrypt then mac" \
    -S "using encrypt then mac"
1109
# Tests for Extended Master Secret extension
#
# Same shape as the Encrypt-then-MAC cases: the extension is followed from the
# client's offer to "using extended master secret" on both sides. It must be
# in use only when both peers enable it and the protocol is not SSLv3; in all
# other cases the handshake still succeeds without it.

# Defaults on both sides: negotiated and used.
run_test "Extended Master Secret: default" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -s "server hello, adding extended master secret extension" \
    -c "found extended_master_secret extension" \
    -c "using extended master secret" \
    -s "using extended master secret"

# Server has it switched off: it sees the offer but does not echo it.
run_test "Extended Master Secret: client enabled, server disabled" \
    "$P_SRV debug_level=3 extended_ms=0" \
    "$P_CLI debug_level=3 extended_ms=1" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -s "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# Client has it switched off: nothing is offered, nothing is used.
run_test "Extended Master Secret: client disabled, server enabled" \
    "$P_SRV debug_level=3 extended_ms=1" \
    "$P_CLI debug_level=3 extended_ms=0" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# Client forced to SSLv3: it does not offer the extension at all.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
    "$P_SRV debug_level=3 min_version=ssl3" \
    "$P_CLI debug_level=3 force_version=ssl3" \
    0 \
    -C "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"

# Server forced to SSLv3: the client offers it, the server neither reports
# nor echoes it.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
    "$P_SRV debug_level=3 force_version=ssl3" \
    "$P_CLI debug_level=3 min_version=ssl3" \
    0 \
    -c "client hello, adding extended_master_secret extension" \
    -S "found extended master secret extension" \
    -S "server hello, adding extended master secret extension" \
    -C "found extended_master_secret extension" \
    -C "using extended master secret" \
    -S "using extended master secret"
1168
# Tests for FALLBACK_SCSV
#
# FALLBACK_SCSV (RFC 7507) is the downgrade-protection signal a client adds
# when it retries with a lower protocol version. A server that supports a
# higher version must abort with the fatal inappropriate_fallback alert
# (alert number 86, the "msg 86" matched below). The signal sent at the
# highest common version is harmless and must be accepted.
# The spelling "inapropriate" is matched literally against program output and
# must not be corrected here.

# Client does not send the signal: a TLS 1.1 handshake simply succeeds.
run_test "Fallback SCSV: default" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

run_test "Fallback SCSV: explicitly disabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# Signal sent below the server's best version: the server must refuse and the
# client must see alert 86.
run_test "Fallback SCSV: enabled" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback" \
    -c "is a fatal alert message (msg 86)"

# Signal sent without forcing a lower version: received but not an error.
run_test "Fallback SCSV: enabled, max version" \
    "$P_SRV debug_level=2" \
    "$P_CLI debug_level=3 fallback=1" \
    0 \
    -c "adding FALLBACK_SCSV" \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback" \
    -C "is a fatal alert message (msg 86)"

# Interoperability, Mbed TLS client against an OpenSSL server.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: default, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
    0 \
    -C "adding FALLBACK_SCSV" \
    -C "is a fatal alert message (msg 86)"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl server" \
    "$O_SRV" \
    "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
    1 \
    -c "adding FALLBACK_SCSV" \
    -c "is a fatal alert message (msg 86)"

# Interoperability, OpenSSL client against an Mbed TLS server.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: disabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -tls1_1 -fallback_scsv" \
    1 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: enabled, max version, openssl client" \
    "$P_SRV debug_level=2" \
    "$O_CLI -fallback_scsv" \
    0 \
    -s "received FALLBACK_SCSV" \
    -S "inapropriate fallback"
1246
# Test sending and receiving empty application data records
#
# The client sends a zero-length request (request_size=0). The server must
# report a 0-byte payload after decryption and the client must report 0 bytes
# written, with and without Encrypt-then-MAC, over TLS and DTLS.
# In the etm=1 cases the server log must additionally not contain a dump line
# of sixteen 0x0f bytes. That is what a full block of CBC padding looks like,
# so the check presumably guards against padding being treated as payload --
# confirm against the change that introduced these tests.

run_test "Encrypt then MAC: empty application data record" \
    "$P_SRV auth_mode=none debug_level=4 etm=1" \
    "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
    -s "dumping 'input payload after decrypt' (0 bytes)" \
    -c "0 bytes written in 1 fragments"

run_test "Encrypt then MAC: disabled, empty application data record" \
    "$P_SRV auth_mode=none debug_level=4 etm=0" \
    "$P_CLI auth_mode=none etm=0 request_size=0" \
    0 \
    -s "dumping 'input payload after decrypt' (0 bytes)" \
    -c "0 bytes written in 1 fragments"

run_test "Encrypt then MAC, DTLS: empty application data record" \
    "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
    "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
    0 \
    -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
    -s "dumping 'input payload after decrypt' (0 bytes)" \
    -c "0 bytes written in 1 fragments"

run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
    "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
    "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
    0 \
    -s "dumping 'input payload after decrypt' (0 bytes)" \
    -c "0 bytes written in 1 fragments"
1278
## Fallback SCSV with a hand-built ClientHello.
## The ClientHello was generated with
##   "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
## and its ciphersuite list was then edited by hand.
## The ClientHello content is spelled out below as a hex string as
##   "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
## 5600 is the FALLBACK_SCSV value; the server must recognise it wherever it
## sits in the list.
## The second quoted argument to $TCP_CLIENT is the expected start of the
## server's reply. 15 0302 0002 02 56 reads as: alert record, TLS 1.1,
## length 2, level fatal (2), description 0x56 = 86, i.e. the
## inappropriate_fallback alert.
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: beginning of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: end of list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
    0 \
    -s "received FALLBACK_SCSV" \
    -s "inapropriate fallback"

## Negative control: 0056 has the same two bytes in the other order and is not
## the SCSV, so the server must not treat it as one.
## Here the expected response is a valid ServerHello prefix, up to the random
## (16 0302 0030: handshake record, TLS 1.1, length 0x30; 02 00002c 0302:
## ServerHello, length 0x2c, version TLS 1.1).
requires_openssl_with_fallback_scsv
run_test "Fallback SCSV: not in list" \
    "$P_SRV debug_level=2" \
    "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
    0 \
    -S "received FALLBACK_SCSV" \
    -S "inapropriate fallback"
1309
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001310# Tests for CBC 1/n-1 record splitting
1311
1312run_test "CBC Record splitting: TLS 1.2, no splitting" \
1313 "$P_SRV" \
1314 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1315 request_size=123 force_version=tls1_2" \
1316 0 \
1317 -s "Read from client: 123 bytes read" \
1318 -S "Read from client: 1 bytes read" \
1319 -S "122 bytes read"
1320
1321run_test "CBC Record splitting: TLS 1.1, no splitting" \
1322 "$P_SRV" \
1323 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1324 request_size=123 force_version=tls1_1" \
1325 0 \
1326 -s "Read from client: 123 bytes read" \
1327 -S "Read from client: 1 bytes read" \
1328 -S "122 bytes read"
1329
1330run_test "CBC Record splitting: TLS 1.0, splitting" \
1331 "$P_SRV" \
1332 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1333 request_size=123 force_version=tls1" \
1334 0 \
1335 -S "Read from client: 123 bytes read" \
1336 -s "Read from client: 1 bytes read" \
1337 -s "122 bytes read"
1338
Janos Follathe2681a42016-03-07 15:57:05 +00001339requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001340run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +01001341 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001342 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1343 request_size=123 force_version=ssl3" \
1344 0 \
1345 -S "Read from client: 123 bytes read" \
1346 -s "Read from client: 1 bytes read" \
1347 -s "122 bytes read"
1348
1349run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01001350 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +01001351 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1352 request_size=123 force_version=tls1" \
1353 0 \
1354 -s "Read from client: 123 bytes read" \
1355 -S "Read from client: 1 bytes read" \
1356 -S "122 bytes read"
1357
1358run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
1359 "$P_SRV" \
1360 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1361 request_size=123 force_version=tls1 recsplit=0" \
1362 0 \
1363 -s "Read from client: 123 bytes read" \
1364 -S "Read from client: 1 bytes read" \
1365 -S "122 bytes read"
1366
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +01001367run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
1368 "$P_SRV nbio=2" \
1369 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
1370 request_size=123 force_version=tls1" \
1371 0 \
1372 -S "Read from client: 123 bytes read" \
1373 -s "Read from client: 1 bytes read" \
1374 -s "122 bytes read"
1375
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001376# Tests for Session Tickets
1377
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001378run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001379 "$P_SRV debug_level=3 tickets=1" \
1380 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001381 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001382 -c "client hello, adding session ticket extension" \
1383 -s "found session ticket extension" \
1384 -s "server hello, adding session ticket extension" \
1385 -c "found session_ticket extension" \
1386 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001387 -S "session successfully restored from cache" \
1388 -s "session successfully restored from ticket" \
1389 -s "a session has been resumed" \
1390 -c "a session has been resumed"
1391
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001392run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001393 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
1394 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001395 0 \
1396 -c "client hello, adding session ticket extension" \
1397 -s "found session ticket extension" \
1398 -s "server hello, adding session ticket extension" \
1399 -c "found session_ticket extension" \
1400 -c "parse new session ticket" \
1401 -S "session successfully restored from cache" \
1402 -s "session successfully restored from ticket" \
1403 -s "a session has been resumed" \
1404 -c "a session has been resumed"
1405
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001406run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001407 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
1408 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +01001409 0 \
1410 -c "client hello, adding session ticket extension" \
1411 -s "found session ticket extension" \
1412 -s "server hello, adding session ticket extension" \
1413 -c "found session_ticket extension" \
1414 -c "parse new session ticket" \
1415 -S "session successfully restored from cache" \
1416 -S "session successfully restored from ticket" \
1417 -S "a session has been resumed" \
1418 -C "a session has been resumed"
1419
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001420run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001421 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001422 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001423 0 \
1424 -c "client hello, adding session ticket extension" \
1425 -c "found session_ticket extension" \
1426 -c "parse new session ticket" \
1427 -c "a session has been resumed"
1428
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001429run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001430 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001431 "( $O_CLI -sess_out $SESSION; \
1432 $O_CLI -sess_in $SESSION; \
1433 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +01001434 0 \
1435 -s "found session ticket extension" \
1436 -s "server hello, adding session ticket extension" \
1437 -S "session successfully restored from cache" \
1438 -s "session successfully restored from ticket" \
1439 -s "a session has been resumed"
1440
Hanno Beckerb5546362018-08-21 13:55:22 +01001441# Tests for Session Tickets with DTLS
1442
1443run_test "Session resume using tickets, DTLS: basic" \
1444 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001445 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001446 0 \
1447 -c "client hello, adding session ticket extension" \
1448 -s "found session ticket extension" \
1449 -s "server hello, adding session ticket extension" \
1450 -c "found session_ticket extension" \
1451 -c "parse new session ticket" \
1452 -S "session successfully restored from cache" \
1453 -s "session successfully restored from ticket" \
1454 -s "a session has been resumed" \
1455 -c "a session has been resumed"
1456
1457run_test "Session resume using tickets, DTLS: cache disabled" \
1458 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001459 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001460 0 \
1461 -c "client hello, adding session ticket extension" \
1462 -s "found session ticket extension" \
1463 -s "server hello, adding session ticket extension" \
1464 -c "found session_ticket extension" \
1465 -c "parse new session ticket" \
1466 -S "session successfully restored from cache" \
1467 -s "session successfully restored from ticket" \
1468 -s "a session has been resumed" \
1469 -c "a session has been resumed"
1470
1471run_test "Session resume using tickets, DTLS: timeout" \
1472 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001473 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001474 0 \
1475 -c "client hello, adding session ticket extension" \
1476 -s "found session ticket extension" \
1477 -s "server hello, adding session ticket extension" \
1478 -c "found session_ticket extension" \
1479 -c "parse new session ticket" \
1480 -S "session successfully restored from cache" \
1481 -S "session successfully restored from ticket" \
1482 -S "a session has been resumed" \
1483 -C "a session has been resumed"
1484
1485run_test "Session resume using tickets, DTLS: openssl server" \
1486 "$O_SRV -dtls1" \
1487 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
1488 0 \
1489 -c "client hello, adding session ticket extension" \
1490 -c "found session_ticket extension" \
1491 -c "parse new session ticket" \
1492 -c "a session has been resumed"
1493
1494run_test "Session resume using tickets, DTLS: openssl client" \
1495 "$P_SRV dtls=1 debug_level=3 tickets=1" \
1496 "( $O_CLI -dtls1 -sess_out $SESSION; \
1497 $O_CLI -dtls1 -sess_in $SESSION; \
1498 rm -f $SESSION )" \
1499 0 \
1500 -s "found session ticket extension" \
1501 -s "server hello, adding session ticket extension" \
1502 -S "session successfully restored from cache" \
1503 -s "session successfully restored from ticket" \
1504 -s "a session has been resumed"
1505
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001506# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001508run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001509 "$P_SRV debug_level=3 tickets=0" \
1510 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001511 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001512 -c "client hello, adding session ticket extension" \
1513 -s "found session ticket extension" \
1514 -S "server hello, adding session ticket extension" \
1515 -C "found session_ticket extension" \
1516 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001517 -s "session successfully restored from cache" \
1518 -S "session successfully restored from ticket" \
1519 -s "a session has been resumed" \
1520 -c "a session has been resumed"
1521
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001522run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001523 "$P_SRV debug_level=3 tickets=1" \
1524 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001525 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001526 -C "client hello, adding session ticket extension" \
1527 -S "found session ticket extension" \
1528 -S "server hello, adding session ticket extension" \
1529 -C "found session_ticket extension" \
1530 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +01001531 -s "session successfully restored from cache" \
1532 -S "session successfully restored from ticket" \
1533 -s "a session has been resumed" \
1534 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001535
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001536run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001537 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
1538 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001539 0 \
1540 -S "session successfully restored from cache" \
1541 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001542 -S "a session has been resumed" \
1543 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001544
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001545run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001546 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
1547 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001548 0 \
1549 -s "session successfully restored from cache" \
1550 -S "session successfully restored from ticket" \
1551 -s "a session has been resumed" \
1552 -c "a session has been resumed"
1553
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +02001554run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001555 "$P_SRV debug_level=3 tickets=0" \
1556 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001557 0 \
1558 -s "session successfully restored from cache" \
1559 -S "session successfully restored from ticket" \
1560 -s "a session has been resumed" \
1561 -c "a session has been resumed"
1562
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001563run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001564 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
1565 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +01001566 0 \
1567 -S "session successfully restored from cache" \
1568 -S "session successfully restored from ticket" \
1569 -S "a session has been resumed" \
1570 -C "a session has been resumed"
1571
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001572run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001573 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
1574 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +01001575 0 \
1576 -s "session successfully restored from cache" \
1577 -S "session successfully restored from ticket" \
1578 -s "a session has been resumed" \
1579 -c "a session has been resumed"
1580
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001581run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001582 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +02001583 "( $O_CLI -sess_out $SESSION; \
1584 $O_CLI -sess_in $SESSION; \
1585 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001586 0 \
1587 -s "found session ticket extension" \
1588 -S "server hello, adding session ticket extension" \
1589 -s "session successfully restored from cache" \
1590 -S "session successfully restored from ticket" \
1591 -s "a session has been resumed"
1592
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001593run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +01001594 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001595 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +01001596 0 \
1597 -C "found session_ticket extension" \
1598 -C "parse new session ticket" \
1599 -c "a session has been resumed"
1600
Hanno Beckerb5546362018-08-21 13:55:22 +01001601# Tests for Session Resume based on session-ID and cache, DTLS
1602
1603run_test "Session resume using cache, DTLS: tickets enabled on client" \
1604 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001605 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001606 0 \
1607 -c "client hello, adding session ticket extension" \
1608 -s "found session ticket extension" \
1609 -S "server hello, adding session ticket extension" \
1610 -C "found session_ticket extension" \
1611 -C "parse new session ticket" \
1612 -s "session successfully restored from cache" \
1613 -S "session successfully restored from ticket" \
1614 -s "a session has been resumed" \
1615 -c "a session has been resumed"
1616
1617run_test "Session resume using cache, DTLS: tickets enabled on server" \
1618 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001619 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001620 0 \
1621 -C "client hello, adding session ticket extension" \
1622 -S "found session ticket extension" \
1623 -S "server hello, adding session ticket extension" \
1624 -C "found session_ticket extension" \
1625 -C "parse new session ticket" \
1626 -s "session successfully restored from cache" \
1627 -S "session successfully restored from ticket" \
1628 -s "a session has been resumed" \
1629 -c "a session has been resumed"
1630
1631run_test "Session resume using cache, DTLS: cache_max=0" \
1632 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001633 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001634 0 \
1635 -S "session successfully restored from cache" \
1636 -S "session successfully restored from ticket" \
1637 -S "a session has been resumed" \
1638 -C "a session has been resumed"
1639
1640run_test "Session resume using cache, DTLS: cache_max=1" \
1641 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001642 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001643 0 \
1644 -s "session successfully restored from cache" \
1645 -S "session successfully restored from ticket" \
1646 -s "a session has been resumed" \
1647 -c "a session has been resumed"
1648
1649run_test "Session resume using cache, DTLS: timeout > delay" \
1650 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001651 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001652 0 \
1653 -s "session successfully restored from cache" \
1654 -S "session successfully restored from ticket" \
1655 -s "a session has been resumed" \
1656 -c "a session has been resumed"
1657
1658run_test "Session resume using cache, DTLS: timeout < delay" \
1659 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001660 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001661 0 \
1662 -S "session successfully restored from cache" \
1663 -S "session successfully restored from ticket" \
1664 -S "a session has been resumed" \
1665 -C "a session has been resumed"
1666
1667run_test "Session resume using cache, DTLS: no timeout" \
1668 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01001669 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Beckerb5546362018-08-21 13:55:22 +01001670 0 \
1671 -s "session successfully restored from cache" \
1672 -S "session successfully restored from ticket" \
1673 -s "a session has been resumed" \
1674 -c "a session has been resumed"
1675
1676run_test "Session resume using cache, DTLS: openssl client" \
1677 "$P_SRV dtls=1 debug_level=3 tickets=0" \
1678 "( $O_CLI -dtls1 -sess_out $SESSION; \
1679 $O_CLI -dtls1 -sess_in $SESSION; \
1680 rm -f $SESSION )" \
1681 0 \
1682 -s "found session ticket extension" \
1683 -S "server hello, adding session ticket extension" \
1684 -s "session successfully restored from cache" \
1685 -S "session successfully restored from ticket" \
1686 -s "a session has been resumed"
1687
1688run_test "Session resume using cache, DTLS: openssl server" \
1689 "$O_SRV -dtls1" \
1690 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
1691 0 \
1692 -C "found session_ticket extension" \
1693 -C "parse new session ticket" \
1694 -c "a session has been resumed"
1695
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001696# Tests for Max Fragment Length extension
1697
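# The Max Fragment Length tests hard-code 16384 in their expected log lines,
# so refuse to run against a build whose MBEDTLS_SSL_MAX_CONTENT_LEN differs.
# An empty answer from config.pl (option not set) is accepted.
MAX_CONTENT_LEN_EXPECT='16384'
MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN)

# NOTE(review): -ne is an integer comparison. If config.pl ever prints a
# non-numeric value (an expression or macro name), [ reports an error and the
# condition is false, so the guard is skipped rather than tripped.
if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then
    # Variables are passed as printf arguments, never spliced into the format
    # string, so a '%' or backslash in CONFIG_H cannot alter the output.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_CONTENT_LEN_EXPECT}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi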
1712
Hanno Becker4aed27e2017-09-18 15:00:34 +01001713requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001714run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001715 "$P_SRV debug_level=3" \
1716 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001717 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001718 -c "Maximum fragment length is 16384" \
1719 -s "Maximum fragment length is 16384" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001720 -C "client hello, adding max_fragment_length extension" \
1721 -S "found max fragment length extension" \
1722 -S "server hello, max_fragment_length extension" \
1723 -C "found max_fragment_length extension"
1724
Hanno Becker4aed27e2017-09-18 15:00:34 +01001725requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +01001726run_test "Max fragment length: enabled, default, larger message" \
1727 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001728 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001729 0 \
1730 -c "Maximum fragment length is 16384" \
1731 -s "Maximum fragment length is 16384" \
1732 -C "client hello, adding max_fragment_length extension" \
1733 -S "found max fragment length extension" \
1734 -S "server hello, max_fragment_length extension" \
1735 -C "found max_fragment_length extension" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001736 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001737 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001738 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001739
1740requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1741run_test "Max fragment length, DTLS: enabled, default, larger message" \
1742 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001743 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001744 1 \
1745 -c "Maximum fragment length is 16384" \
1746 -s "Maximum fragment length is 16384" \
1747 -C "client hello, adding max_fragment_length extension" \
1748 -S "found max fragment length extension" \
1749 -S "server hello, max_fragment_length extension" \
1750 -C "found max_fragment_length extension" \
1751 -c "fragment larger than.*maximum "
1752
1753requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1754run_test "Max fragment length: disabled, larger message" \
1755 "$P_SRV debug_level=3" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001756 "$P_CLI debug_level=3 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001757 0 \
1758 -C "Maximum fragment length is 16384" \
1759 -S "Maximum fragment length is 16384" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001760 -c "16385 bytes written in 2 fragments" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001761 -s "16384 bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001762 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +01001763
1764requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
1765run_test "Max fragment length DTLS: disabled, larger message" \
1766 "$P_SRV debug_level=3 dtls=1" \
Hanno Becker9cfabe32017-10-18 14:42:01 +01001767 "$P_CLI debug_level=3 dtls=1 request_size=16385" \
Hanno Beckerc5266962017-09-18 15:01:50 +01001768 1 \
1769 -C "Maximum fragment length is 16384" \
1770 -S "Maximum fragment length is 16384" \
1771 -c "fragment larger than.*maximum "
1772
1773requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001774run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001775 "$P_SRV debug_level=3" \
1776 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001777 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001778 -c "Maximum fragment length is 4096" \
1779 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001780 -c "client hello, adding max_fragment_length extension" \
1781 -s "found max fragment length extension" \
1782 -s "server hello, max_fragment_length extension" \
1783 -c "found max_fragment_length extension"
1784
Hanno Becker4aed27e2017-09-18 15:00:34 +01001785requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001786run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001787 "$P_SRV debug_level=3 max_frag_len=4096" \
1788 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001789 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001790 -c "Maximum fragment length is 16384" \
1791 -s "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +01001792 -C "client hello, adding max_fragment_length extension" \
1793 -S "found max fragment length extension" \
1794 -S "server hello, max_fragment_length extension" \
1795 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +01001796
Hanno Becker4aed27e2017-09-18 15:00:34 +01001797requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02001798requires_gnutls
1799run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001800 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02001801 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001802 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001803 -c "Maximum fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +02001804 -c "client hello, adding max_fragment_length extension" \
1805 -c "found max_fragment_length extension"
1806
Hanno Becker4aed27e2017-09-18 15:00:34 +01001807requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001808run_test "Max fragment length: client, message just fits" \
1809 "$P_SRV debug_level=3" \
1810 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
1811 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001812 -c "Maximum fragment length is 2048" \
1813 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001814 -c "client hello, adding max_fragment_length extension" \
1815 -s "found max fragment length extension" \
1816 -s "server hello, max_fragment_length extension" \
1817 -c "found max_fragment_length extension" \
1818 -c "2048 bytes written in 1 fragments" \
1819 -s "2048 bytes read"
1820
Hanno Becker4aed27e2017-09-18 15:00:34 +01001821requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001822run_test "Max fragment length: client, larger message" \
1823 "$P_SRV debug_level=3" \
1824 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
1825 0 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001826 -c "Maximum fragment length is 2048" \
1827 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001828 -c "client hello, adding max_fragment_length extension" \
1829 -s "found max fragment length extension" \
1830 -s "server hello, max_fragment_length extension" \
1831 -c "found max_fragment_length extension" \
1832 -c "2345 bytes written in 2 fragments" \
1833 -s "2048 bytes read" \
1834 -s "297 bytes read"
1835
Hanno Becker4aed27e2017-09-18 15:00:34 +01001836requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +00001837run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001838 "$P_SRV debug_level=3 dtls=1" \
1839 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
1840 1 \
Manuel Pégourié-Gonnarda2cda6b2015-08-31 18:30:52 +02001841 -c "Maximum fragment length is 2048" \
1842 -s "Maximum fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +02001843 -c "client hello, adding max_fragment_length extension" \
1844 -s "found max fragment length extension" \
1845 -s "server hello, max_fragment_length extension" \
1846 -c "found max_fragment_length extension" \
1847 -c "fragment larger than.*maximum"
1848
# Tests for renegotiation
#
# Option legend, per run_test's convention (the function is defined outside
# this excerpt): -s/-c expect the pattern in the server/client output,
# -S/-C expect the pattern to be absent. The bare number is the expected
# client exit code.

# The renegotiation SCSV is always added, regardless of SSL_RENEGOTIATION.
# Reference run without renegotiation: the server must see
# TLS_EMPTY_RENEGOTIATION_INFO (the signalling cipher suite of RFC 5746)
# rather than the extension, and neither side may start a renegotiation.
run_test "Renegotiation: none, for reference" \
    "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request"

# The client requests the renegotiation and the server follows; the server
# must not write a hello request because it is not the initiator.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: client-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

# The server requests the renegotiation, so its hello request must be logged.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# Signature Algorithms parsing across a renegotiation.
# SHA-1 must not end up as the negotiated hash: if it did, the server would
# not have parsed the Signature Algorithm extension. The check is the final
# -S pattern of each test (value 2 stands for SHA-1 in that log line). The
# tests are only valid when config.h enables an MD algorithm stronger than
# SHA-1.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Same SHA-1 check as above, with the server starting the renegotiation.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?

# Both peers are told to renegotiate (renegotiate=1 on each side).
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: double" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# The server runs with renegotiation=0 and must not enter a renegotiation.
# The client attempt is expected to fail: exit code 1, with the client
# logging the "Unexpected message at ServerHello in renegotiation" error.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: client-initiated, server-rejected" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -c "SSL - Unexpected message at ServerHello in renegotiation" \
    -c "failed"

# Server-initiated renegotiation against a client running renegotiation=0.
# In every variant the server writes its hello request and no renegotiation
# starts on either side; the variants differ in renego_delay.
# NOTE(review): renego_delay presumably sets how many records the server
# accepts after its hello request before it treats the missing
# renegotiation as an error (cf. mbedtls_ssl_conf_renegotiation_enforced),
# with -1 meaning "not enforced" as the test name says. Confirm against
# the server program.

# Default delay: the refusal is tolerated for this two-exchange session.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, default" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# renego_delay=-1: the server never complains about the refusal.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
     renego_delay=-1 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# delay 2 for 1 alert record + 1 application data record
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
     renego_delay=2 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer"\
    -S "failed"

# renego_delay=0: the server is expected to log the "unexpected message"
# error, while the client still exits with 0.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
     renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -s "write hello request" \
    -s "SSL - An unexpected message was received from our peer"

# Counterpart with a cooperating client (renegotiation=1): with the same
# renego_delay=0 the renegotiation runs and no error is logged.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
    "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
     renego_delay=0 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# Periodic renegotiation: the server runs with renego_period=3 and is
# expected to log "record counter limit reached: renegotiate" once the
# period is exceeded. The client's exchanges= value decides whether the
# session lasts long enough for that.

# Two client exchanges: the limit is not reached, nothing is renegotiated.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just below period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# one extra exchange to be able to complete renego
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, just above period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# Seven client exchanges; the expected log lines match the previous test.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, two times period" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# With renegotiation=0 on the server, renego_period must have no effect:
# the limit message and the hello request must both stay absent.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: periodic, above period, disabled" \
    "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
    "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
    0 \
    -C "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -S "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -S "record counter limit reached: renegotiate" \
    -C "=> renegotiate" \
    -S "=> renegotiate" \
    -S "write hello request" \
    -S "SSL - An unexpected message was received from our peer" \
    -S "failed"

# The basic client- and server-initiated cases again, with nbio=2 on both
# peers; the expected log lines are those of the blocking variants.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, client-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: nbio, server-initiated" \
    "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
    "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

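# Interoperability: client-initiated renegotiation against OpenSSL and
# GnuTLS servers.
#
# A GnuTLS server started with %DISABLE_SAFE_RENEGOTIATION does not send the
# secure renegotiation extension (the client log must lack "found
# renegotiation extension"). Against such a server the client is expected
# to fail the renegotiation by default and with allow_legacy=0 (exit code
# 1), and to complete it only with allow_legacy=1. Legacy renegotiation
# lacks the binding between the old and the new handshake that RFC 5746
# adds, so allow_legacy=1 is an interoperability setting rather than a safe
# default.
#
# The success cases forbid "mbedtls_ssl_handshake() returned" with -C, the
# same message the failure cases require with -c. A -C pattern has to be
# spelt exactly like the logged message: a misspelt one can never match and
# silently turns the negative check into a no-op.

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: openssl server, client-initiated" \
    "$O_SRV -www" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server strict, client-initiated" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
     allow_legacy=0" \
    1 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -c "mbedtls_ssl_handshake() returned" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
     allow_legacy=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -C "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake() returned" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"
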
# Renegotiation over DTLS (dtls=1 on both peers).

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, client-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -S "write hello request"

requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, server-initiated" \
    "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
    "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
     read_timeout=1000 max_resend=2" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# renego_period=18446462598732840962 is 0xFFFF000000000002, a 64-bit value
# whose top 16 bits are all set. The server must still log "record counter
# limit reached: renegotiate".
# NOTE(review): presumably this guards the comparison of the period against
# the DTLS record counter, whose upper 16 bits carry the epoch. Confirm
# against the library.
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, renego_period overflow" \
    "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
    "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
    -s "found renegotiation extension" \
    -s "server hello, secure renegotiation extension" \
    -s "record counter limit reached: renegotiate" \
    -c "=> renegotiate" \
    -s "=> renegotiate" \
    -s "write hello request"

# Interoperability with a GnuTLS DTLS server (-u, MTU 4096).
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
    "$G_SRV -u --mtu 4096" \
    "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
    0 \
    -c "client hello, adding renegotiation extension" \
    -c "found renegotiation extension" \
    -c "=> renegotiate" \
    -C "mbedtls_ssl_handshake returned" \
    -C "error" \
    -s "Extra-header:"

# Tests for the "secure renegotiation" extension only (no actual
# renegotiation).
#
# The peer is GnuTLS, either strict (%SAFE_RENEGOTIATION) or with the
# extension switched off (%DISABLE_SAFE_RENEGOTIATION). By default the
# initial handshake with a peer lacking the extension still succeeds;
# allow_legacy=-1 ("break legacy" in the test names) makes it fail with
# exit code 1.

requires_gnutls
run_test "Renego ext: gnutls server strict, client default" \
    "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -c "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test "Renego ext: gnutls server unsafe, client default" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3" \
    0 \
    -C "found renegotiation extension" \
    -C "error" \
    -c "HTTP/1.0 200 [Oo][Kk]"

requires_gnutls
run_test "Renego ext: gnutls server unsafe, client break legacy" \
    "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    "$P_CLI debug_level=3 allow_legacy=-1" \
    1 \
    -C "found renegotiation extension" \
    -c "error" \
    -C "HTTP/1.0 200 [Oo][Kk]"

# Server side: a strict GnuTLS client may signal support with either the
# SCSV or the extension, hence the alternation in the first pattern.
requires_gnutls
run_test "Renego ext: gnutls client strict, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
    0 \
    -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -s "server hello, secure renegotiation extension"

requires_gnutls
run_test "Renego ext: gnutls client unsafe, server default" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"

requires_gnutls
run_test "Renego ext: gnutls client unsafe, server break legacy" \
    "$P_SRV debug_level=3 allow_legacy=-1" \
    "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
    1 \
    -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
    -S "server hello, secure renegotiation extension"

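# Tests for silently dropping trailing extra bytes in .der certificates
#
# The server loads a DER certificate file that carries 0 to 9 bytes after
# the certificate, and a GnuTLS client must still complete the handshake.
# These tests therefore pin a lenient behaviour: bytes after the DER
# structure are ignored instead of causing the file to be rejected.
# NOTE(review): two files that differ only in trailing bytes are treated as
# the same certificate here, so anything that hashes or pins the raw file
# should presumably work on the parsed DER instead.
#
# Each invocation ends on its last check, without a line continuation. A
# trailing backslash would make the command depend on the following line
# being blank and would swallow the next command if that line were removed.

requires_gnutls
run_test "DER format: no trailing bytes" \
    "$P_SRV crt_file=data_files/server5-der0.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing zero byte" \
    "$P_SRV crt_file=data_files/server5-der1a.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with a trailing random byte" \
    "$P_SRV crt_file=data_files/server5-der1b.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 2 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der2.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 4 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der4.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 8 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der8.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"

requires_gnutls
run_test "DER format: with 9 trailing random bytes" \
    "$P_SRV crt_file=data_files/server5-der9.crt \
     key_file=data_files/server5.key" \
    "$G_CLI " \
    0 \
    -c "Handshake was completed"
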
# Tests for auth_mode
#
# The server presents a badly signed certificate, or the client has no
# trusted CA at all. With auth_mode=required the client handshake must fail
# (exit code 1). With auth_mode=optional the verification failure is only
# logged and the handshake completes (exit code 0): an application using
# optional verification has to check the verification result itself (e.g.
# mbedtls_ssl_get_verify_result) before it trusts the peer.

run_test "Authentication: server badcert, client required" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=required" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "X509 - Certificate verification failed"

run_test "Authentication: server badcert, client optional" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=optional" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"

# No trust anchor configured (ca_file=none ca_path=none): optional mode
# reports the verification flags and carries on.
run_test "Authentication: server goodcert, client optional, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
    0 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed" \
    -C "SSL - No CA Chain is set, but required to operate"

# Same setup in required mode: the handshake must fail with the
# "No CA Chain is set" error.
run_test "Authentication: server goodcert, client required, no trusted CA" \
    "$P_SRV" \
    "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
    1 \
    -c "x509_verify_cert() returned" \
    -c "! The certificate is not correctly signed by the trusted CA" \
    -c "! Certificate verification flags" \
    -c "! mbedtls_ssl_handshake returned" \
    -c "SSL - No CA Chain is set, but required to operate"

# The next two tests cover the client's behaviour when it receives a server
# certificate with an unsupported elliptic curve. This should usually not
# happen because the client informs the server about the supported curves.
# It does happen, though, in the corner case of a static ECDH suite, because
# the server doesn't check the curve on that occasion (to be fixed). If that
# bug is fixed, the tests need to be altered to use a different means of
# having the server ignore the client's supported curve list.
#
# Both runs must fail (exit code 1); they differ in the stage that rejects
# the certificate, as the trailing comments on the last checks say.

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage

requires_config_enabled MBEDTLS_ECP_C
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
    "$P_SRV debug_level=1 key_file=data_files/server5.key \
     crt_file=data_files/server5.ku-ka.crt" \
    "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
    1 \
    -c "bad certificate (EC key curve)" \
    -c "! Certificate verification flags" \
    -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check

# Client auth_mode=none: the server presents a certificate with a bad
# signature and the handshake is still expected to succeed (exit code 0),
# with no x509_verify_cert() line in the client log. A client configured this
# way has no server authentication at all; the mode belongs in tests only.
run_test "Authentication: server badcert, client none" \
    "$P_SRV crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    "$P_CLI debug_level=1 auth_mode=none" \
    0 \
    -C "x509_verify_cert() returned" \
    -C "! The certificate is not correctly signed by the trusted CA" \
    -C "! mbedtls_ssl_handshake returned" \
    -C "X509 - Certificate verification failed"
2452
# Client authentication with the server in auth_mode=required. Both tests
# expect the client log to report signature algorithm entries 4 and 5
# (presumably the TLS 1.2 HashAlgorithm codes for SHA-256 and SHA-384, seen
# while parsing the CertificateRequest; confirm).
# NOTE(review): the test titled "SHA256" forces a ...-SHA384 suite and the one
# titled "SHA384" forces a ...-SHA256 suite; confirm the pairing is intended.
run_test "Authentication: client SHA256, server required" \
    "$P_SRV auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
     key_file=data_files/server6.key \
     force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
    0 \
    -c "Supported Signature Algorithm found: 4," \
    -c "Supported Signature Algorithm found: 5,"

run_test "Authentication: client SHA384, server required" \
    "$P_SRV auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
     key_file=data_files/server6.key \
     force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
    0 \
    -c "Supported Signature Algorithm found: 4," \
    -c "Supported Signature Algorithm found: 5,"
2470
# Server auth_mode=required, client configured without a certificate
# (crt_file=none). In both protocol variants the handshake must fail on both
# sides (exit code 1) and the server must log that the required client
# certificate was not received; no x509_verify_cert() call is expected.

# SSLv3 variant: the client logs "got no certificate to send".
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Authentication: client has no cert, server required (SSLv3)" \
    "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
    "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
     key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -c "got no certificate to send" \
    -S "x509_verify_cert() returned" \
    -s "client has no certificate" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "No client certification received from the client, but required by the authentication mode"

# TLS variant: the client does go through "write certificate" (presumably
# sending an empty Certificate message; confirm) rather than skipping it.
run_test "Authentication: client has no cert, server required (TLS)" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=none \
     key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -c "= write certificate$" \
    -C "skip write certificate$" \
    -S "x509_verify_cert() returned" \
    -s "client has no certificate" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "No client certification received from the client, but required by the authentication mode"
2502
# Server auth_mode=required, client certificate with a bad signature: the
# server verifies the certificate, rejects it and aborts the handshake.
# "send alert level=2 message=48" is a fatal alert (level 2) with TLS alert
# code 48, unknown_ca.
run_test "Authentication: client badcert, server required" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -s "! mbedtls_ssl_handshake returned" \
    -s "send alert level=2 message=48" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "X509 - Certificate verification failed"
# The client side of the alert is deliberately not checked: the client may
# notice that its write end of the connection is closed and abort before it
# reads the alert message.

# Same server policy, self-signed client certificate: it does not chain to the
# server's trusted CA, so verification and the handshake fail as well.
run_test "Authentication: client cert not trusted, server required" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
     key_file=data_files/server5.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "X509 - Certificate verification failed"
2540
# Server auth_mode=optional, client certificate with a bad signature: the
# server verifies it and logs the signature failure, but the handshake is
# expected to succeed (exit code 0). With "optional" the server application
# must check the verification result itself before treating the client as
# authenticated.
run_test "Authentication: client badcert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"

# Server auth_mode=none: no CertificateRequest is written, the client skips
# its Certificate and CertificateVerify messages, and the bad certificate is
# never verified.
run_test "Authentication: client badcert, server none" \
    "$P_SRV debug_level=3 auth_mode=none" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
     key_file=data_files/server5.key" \
    0 \
    -s "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got no certificate request" \
    -c "skip write certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify" \
    -S "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"
2574
# Server auth_mode=optional, client without certificate or key: the server
# logs "! Certificate was missing" and the handshake still succeeds (exit
# code 0). The client is connected but not authenticated.
run_test "Authentication: client no cert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$P_CLI debug_level=3 crt_file=none key_file=none" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -C "got no certificate to send" \
    -S "SSLv3 client has no certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"

# Interoperability variant with an OpenSSL client ($O_CLI); only the server
# log is checked.
run_test "Authentication: openssl client no cert, server optional" \
    "$P_SRV debug_level=3 auth_mode=optional" \
    "$O_CLI" \
    0 \
    -S "skip write certificate request" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"
2601
# Client without certificate against an OpenSSL server ($O_SRV).
# "-verify 10" asks for a client certificate without insisting on one, so the
# handshake succeeds.
run_test "Authentication: client no cert, openssl server optional" \
    "$O_SRV -verify 10" \
    "$P_CLI debug_level=3 crt_file=none key_file=none" \
    0 \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -c "skip write certificate verify" \
    -C "! mbedtls_ssl_handshake returned"

# "-Verify 10" makes the client certificate mandatory, so the client's
# handshake is expected to fail (exit code 1).
run_test "Authentication: client no cert, openssl server required" \
    "$O_SRV -Verify 10" \
    "$P_CLI debug_level=3 crt_file=none key_file=none" \
    1 \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -c "skip write certificate verify" \
    -c "! mbedtls_ssl_handshake returned"

# SSLv3 variant of "client no cert, server optional": the client logs
# "got no certificate to send" and the server logs "SSLv3 client has no
# certificate"; the handshake still succeeds.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Authentication: client no cert, ssl3" \
    "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
    "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate$" \
    -c "skip write certificate verify" \
    -c "got no certificate to send" \
    -s "SSLv3 client has no certificate" \
    -s "skip parse certificate verify" \
    -s "! Certificate was missing" \
    -S "! mbedtls_ssl_handshake returned" \
    -C "! mbedtls_ssl_handshake returned" \
    -S "X509 - Certificate verification failed"
2639
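# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
# default value (8). Stop the whole script if the build configuration says
# otherwise, so the chain-length limit is never tested against a different
# limit than the one the test certificates were made for.
# Globals: CONFIG_H (read; not set in this part of the script),
#          MAX_IM_CA, MAX_IM_CA_CONFIG (written)

MAX_IM_CA='8'
MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)

# NOTE(review): if config.pl prints something that is not an integer, the
# -ne test errors out, the condition is false and this guard is skipped.
if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
    # Variables go in as printf arguments, never inside the format string,
    # so a '%' or backslash in a value cannot change the output.
    printf 'The %s file contains a value for the configuration of\n' "${CONFIG_H}"
    printf 'MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n'
    printf 'test value of %s. \n' "${MAX_IM_CA}"
    printf '\n'
    printf 'The tests assume this value and if it changes, the tests in this\n'
    printf 'script should also be adjusted.\n'
    printf '\n'

    exit 1
fi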
2657
# Chain-length limit, server certificate side. c09.pem is the longest chain
# that is accepted; c10.pem is one intermediate too long.
run_test "Authentication: server max_int chain, client default" \
    "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
     key_file=data_files/dir-maxpath/09.key" \
    "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
    0 \
    -C "X509 - A fatal error occurred"

run_test "Authentication: server max_int+1 chain, client default" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
    1 \
    -c "X509 - A fatal error occurred"

# An over-long chain is a fatal error even with auth_mode=optional: unlike a
# bad signature, it is not reduced to a verification flag (exit code 1).
run_test "Authentication: server max_int+1 chain, client optional" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
     auth_mode=optional" \
    1 \
    -c "X509 - A fatal error occurred"

# With auth_mode=none the chain is not an obstacle and the handshake succeeds.
run_test "Authentication: server max_int+1 chain, client none" \
    "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
     auth_mode=none" \
    0 \
    -C "X509 - A fatal error occurred"

# Chain-length limit, client certificate side. With the server's default
# auth_mode the over-long client chain causes no error (presumably because
# the server does not verify a client certificate by default; confirm).
run_test "Authentication: client max_int+1 chain, server default" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    0 \
    -S "X509 - A fatal error occurred"

run_test "Authentication: client max_int+1 chain, server optional" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    1 \
    -s "X509 - A fatal error occurred"

run_test "Authentication: client max_int+1 chain, server required" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
    "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
     key_file=data_files/dir-maxpath/10.key" \
    1 \
    -s "X509 - A fatal error occurred"

run_test "Authentication: client max_int chain, server required" \
    "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
    "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
     key_file=data_files/dir-maxpath/09.key" \
    0 \
    -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +02002715
# Tests for the CA list in CertificateRequest messages.
# "requested DN" in the server log marks a CA name being put in the request.

# Default: the server sends the list.
run_test "Authentication: send CA list in CertificateRequest (default)" \
    "$P_SRV debug_level=3 auth_mode=required" \
    "$P_CLI crt_file=data_files/server6.crt \
     key_file=data_files/server6.key" \
    0 \
    -s "requested DN"

# cert_req_ca_list=0: the list is left out; client authentication still works.
run_test "Authentication: do not send CA list in CertificateRequest" \
    "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
    "$P_CLI crt_file=data_files/server6.crt \
     key_file=data_files/server6.key" \
    0 \
    -S "requested DN"

# Leaving out the CA list does not relax verification: a self-signed client
# certificate is still rejected by the server.
# NOTE(review): the title says "send CA list", but the server runs with
# cert_req_ca_list=0 and the test asserts that no "requested DN" is logged.
# The title looks like it should read "do not send"; it is left unchanged
# here because test names may be used as filters.
run_test "Authentication: send CA list in CertificateRequest, client self signed" \
    "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
    "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
     key_file=data_files/server5.key" \
    1 \
    -S "requested DN" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -s "! mbedtls_ssl_handshake returned" \
    -c "! mbedtls_ssl_handshake returned" \
    -s "X509 - Certificate verification failed"
2743
# Tests for certificate selection based on SHA version.
# The server is given two certificates (crt_file and crt_file2); the client
# log shows which one it received.

# TLS 1.2 client: the SHA-256-signed certificate is chosen over the SHA-1 one.
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"

# TLS 1.1 and TLS 1.0 clients: the SHA-1-signed certificate is chosen. SHA-1
# certificate signatures are deprecated; this choice is made for pre-1.2
# peers only.
run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -C "signed using.*ECDSA with SHA256" \
    -c "signed using.*ECDSA with SHA1"

run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server5-sha1.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1" \
    0 \
    -C "signed using.*ECDSA with SHA256" \
    -c "signed using.*ECDSA with SHA1"

# No SHA-1 certificate configured: a TLS 1.1 client gets a SHA-256-signed one.
# The two orderings expect different serial numbers (09, then 0A), i.e. the
# certificate given as crt_file (presumably the first match; confirm).
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
    "$P_SRV crt_file=data_files/server5.crt \
     key_file=data_files/server5.key \
     crt_file2=data_files/server6.crt \
     key_file2=data_files/server6.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "serial number.*09" \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"

run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
    "$P_SRV crt_file=data_files/server6.crt \
     key_file=data_files/server6.key \
     crt_file2=data_files/server5.crt \
     key_file2=data_files/server5.key" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "serial number.*0A" \
    -c "signed using.*ECDSA with SHA256" \
    -C "signed using.*ECDSA with SHA1"
2797
# Tests for SNI (Server Name Indication).
# As used below, the server's sni= option is a comma-separated list with six
# fields per entry: name, certificate, key, then three further fields where
# "-" leaves the server-wide setting in place (from their use in the SNI
# tests these are CA file, CRL file and auth mode).

# No sni= option: the ServerName extension is not parsed and the default
# certificate (issued by the EC test CA) is served.
run_test "SNI: no SNI callback" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key" \
    "$P_CLI server_name=localhost" \
    0 \
    -S "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# The requested name selects the matching entry's certificate.
run_test "SNI: matching cert 1" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=localhost" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

run_test "SNI: matching cert 2" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=polarssl.example" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"

# A name with no entry is not served the default certificate: the SNI
# callback fails and the server ends the handshake with a fatal alert.
run_test "SNI: no matching cert" \
    "$P_SRV debug_level=3 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=nonesuch.example" \
    1 \
    -s "parse ServerName extension" \
    -s "ssl_sni_wrapper() returned" \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +01002840
# Per-name client authentication mode (last field of an sni= entry).

# "-" in the last field: the server-wide auth_mode=optional stays in force and
# a certificate request is sent.
run_test "SNI: client auth no override: optional" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

# The entry raises the mode from none to optional for this name.
run_test "SNI: client auth override: none -> optional" \
    "$P_SRV debug_level=3 auth_mode=none \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

# The entry lowers the mode from optional to none for this name: no
# certificate request is sent. Per-name entries can therefore weaken the
# server-wide policy and deserve the same review as the global setting.
run_test "SNI: client auth override: optional -> none" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
    "$P_CLI debug_level=3 server_name=localhost" \
    0 \
    -s "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got no certificate request" \
    -c "skip write certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify"
2879
# Per-name CA and CRL (fourth and fifth field of an sni= entry). The client
# always presents server6.crt; the entry's auth mode is "required".

# No CA in the entry: the server-wide ca_file (test-ca.crt) is used, the
# client certificate does not verify against it and the handshake fails.
run_test "SNI: CA no override" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -s "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

# The entry names test-ca2.crt: the same client certificate now verifies.
run_test "SNI: CA override" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -S "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -S "The certificate has been revoked (is on a CRL)"

# The entry also names a CRL: the signature is fine, but the certificate is
# reported as revoked and the handshake fails.
run_test "SNI: CA override with CRL" \
    "$P_SRV debug_level=3 auth_mode=optional \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     ca_file=data_files/test-ca.crt \
     sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
    "$P_CLI debug_level=3 server_name=localhost \
     crt_file=data_files/server6.crt key_file=data_files/server6.key" \
    1 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify" \
    -s "x509_verify_cert() returned" \
    -S "! The certificate is not correctly signed by the trusted CA" \
    -s "The certificate has been revoked (is on a CRL)"
2933
# Tests for SNI and DTLS: certificate selection by server name, with dtls=1
# on both sides.

# No sni= option: the ServerName extension is not parsed and the default
# certificate is served.
run_test "SNI: DTLS, no SNI callback" \
    "$P_SRV debug_level=3 dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key" \
    "$P_CLI server_name=localhost dtls=1" \
    0 \
    -S "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

# The requested name selects the matching entry's certificate.
run_test "SNI: DTLS, matching cert 1" \
    "$P_SRV debug_level=3 dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=localhost dtls=1" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

run_test "SNI: DTLS, matching cert 2" \
    "$P_SRV debug_level=3 dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=polarssl.example dtls=1" \
    0 \
    -s "parse ServerName extension" \
    -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
    -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"

# A name with no entry makes the SNI callback fail; the server ends the
# handshake with a fatal alert instead of serving the default certificate.
run_test "SNI: DTLS, no matching cert" \
    "$P_SRV debug_level=3 dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
    "$P_CLI server_name=nonesuch.example dtls=1" \
    1 \
    -s "parse ServerName extension" \
    -s "ssl_sni_wrapper() returned" \
    -s "mbedtls_ssl_handshake returned" \
    -c "mbedtls_ssl_handshake returned" \
    -c "SSL - A fatal alert message was received from our peer"
2976
# Per-name client authentication mode over DTLS (last field of an sni= entry).

# "-" in the last field: the server-wide auth_mode=optional stays in force.
run_test "SNI: DTLS, client auth no override: optional" \
    "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

# The entry raises the mode from none to optional for this name.
run_test "SNI: DTLS, client auth override: none -> optional" \
    "$P_SRV debug_level=3 auth_mode=none dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1" \
    0 \
    -S "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got a certificate request" \
    -C "skip write certificate" \
    -C "skip write certificate verify" \
    -S "skip parse certificate verify"

# The entry lowers the mode from optional to none for this name: no
# certificate request is sent, so this hostname gets no client authentication.
run_test "SNI: DTLS, client auth override: optional -> none" \
    "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
     crt_file=data_files/server5.crt key_file=data_files/server5.key \
     sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
    "$P_CLI debug_level=3 server_name=localhost dtls=1" \
    0 \
    -s "skip write certificate request" \
    -C "skip parse certificate request" \
    -c "got no certificate request" \
    -c "skip write certificate" \
    -c "skip write certificate verify" \
    -s "skip parse certificate verify"
3015
3016run_test "SNI: DTLS, CA no override" \
3017 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3018 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3019 ca_file=data_files/test-ca.crt \
3020 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
3021 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3022 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3023 1 \
3024 -S "skip write certificate request" \
3025 -C "skip parse certificate request" \
3026 -c "got a certificate request" \
3027 -C "skip write certificate" \
3028 -C "skip write certificate verify" \
3029 -S "skip parse certificate verify" \
3030 -s "x509_verify_cert() returned" \
3031 -s "! The certificate is not correctly signed by the trusted CA" \
3032 -S "The certificate has been revoked (is on a CRL)"
3033
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01003034run_test "SNI: DTLS, CA override" \
Andres AGe8b07742016-12-07 10:01:30 +00003035 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
3036 crt_file=data_files/server5.crt key_file=data_files/server5.key \
3037 ca_file=data_files/test-ca.crt \
3038 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
3039 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3040 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3041 0 \
3042 -S "skip write certificate request" \
3043 -C "skip parse certificate request" \
3044 -c "got a certificate request" \
3045 -C "skip write certificate" \
3046 -C "skip write certificate verify" \
3047 -S "skip parse certificate verify" \
3048 -S "x509_verify_cert() returned" \
3049 -S "! The certificate is not correctly signed by the trusted CA" \
3050 -S "The certificate has been revoked (is on a CRL)"
3051
Andres Amaya Garcia914eea42018-05-01 20:26:47 +01003052run_test "SNI: DTLS, CA override with CRL" \
Andres AGe8b07742016-12-07 10:01:30 +00003053 "$P_SRV debug_level=3 auth_mode=optional \
3054 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
3055 ca_file=data_files/test-ca.crt \
3056 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
3057 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
3058 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
3059 1 \
3060 -S "skip write certificate request" \
3061 -C "skip parse certificate request" \
3062 -c "got a certificate request" \
3063 -C "skip write certificate" \
3064 -C "skip write certificate verify" \
3065 -S "skip parse certificate verify" \
3066 -s "x509_verify_cert() returned" \
3067 -S "! The certificate is not correctly signed by the trusted CA" \
3068 -s "The certificate has been revoked (is on a CRL)"
3069
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003070# Tests for non-blocking I/O: exercise a variety of handshake flows
3071
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003072run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003073 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3074 "$P_CLI nbio=2 tickets=0" \
3075 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003076 -S "mbedtls_ssl_handshake returned" \
3077 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003078 -c "Read from server: .* bytes read"
3079
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003080run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003081 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
3082 "$P_CLI nbio=2 tickets=0" \
3083 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003084 -S "mbedtls_ssl_handshake returned" \
3085 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003086 -c "Read from server: .* bytes read"
3087
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003088run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003089 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3090 "$P_CLI nbio=2 tickets=1" \
3091 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003092 -S "mbedtls_ssl_handshake returned" \
3093 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003094 -c "Read from server: .* bytes read"
3095
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003096run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003097 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3098 "$P_CLI nbio=2 tickets=1" \
3099 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003100 -S "mbedtls_ssl_handshake returned" \
3101 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003102 -c "Read from server: .* bytes read"
3103
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003104run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003105 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
3106 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3107 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003108 -S "mbedtls_ssl_handshake returned" \
3109 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003110 -c "Read from server: .* bytes read"
3111
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003112run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003113 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
3114 "$P_CLI nbio=2 tickets=1 reconnect=1" \
3115 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003116 -S "mbedtls_ssl_handshake returned" \
3117 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003118 -c "Read from server: .* bytes read"
3119
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003120run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003121 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
3122 "$P_CLI nbio=2 tickets=0 reconnect=1" \
3123 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003124 -S "mbedtls_ssl_handshake returned" \
3125 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +01003126 -c "Read from server: .* bytes read"
3127
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003128# Tests for version negotiation
3129
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003130run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003131 "$P_SRV" \
3132 "$P_CLI" \
3133 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003134 -S "mbedtls_ssl_handshake returned" \
3135 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003136 -s "Protocol is TLSv1.2" \
3137 -c "Protocol is TLSv1.2"
3138
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003139run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003140 "$P_SRV" \
3141 "$P_CLI max_version=tls1_1" \
3142 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003143 -S "mbedtls_ssl_handshake returned" \
3144 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003145 -s "Protocol is TLSv1.1" \
3146 -c "Protocol is TLSv1.1"
3147
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003148run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003149 "$P_SRV max_version=tls1_1" \
3150 "$P_CLI" \
3151 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003152 -S "mbedtls_ssl_handshake returned" \
3153 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003154 -s "Protocol is TLSv1.1" \
3155 -c "Protocol is TLSv1.1"
3156
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003157run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003158 "$P_SRV max_version=tls1_1" \
3159 "$P_CLI max_version=tls1_1" \
3160 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003161 -S "mbedtls_ssl_handshake returned" \
3162 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003163 -s "Protocol is TLSv1.1" \
3164 -c "Protocol is TLSv1.1"
3165
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003166run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003167 "$P_SRV min_version=tls1_1" \
3168 "$P_CLI max_version=tls1_1" \
3169 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003170 -S "mbedtls_ssl_handshake returned" \
3171 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003172 -s "Protocol is TLSv1.1" \
3173 -c "Protocol is TLSv1.1"
3174
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003175run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003176 "$P_SRV max_version=tls1_1" \
3177 "$P_CLI min_version=tls1_1" \
3178 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003179 -S "mbedtls_ssl_handshake returned" \
3180 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003181 -s "Protocol is TLSv1.1" \
3182 -c "Protocol is TLSv1.1"
3183
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003184run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003185 "$P_SRV max_version=tls1_1" \
3186 "$P_CLI min_version=tls1_2" \
3187 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003188 -s "mbedtls_ssl_handshake returned" \
3189 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003190 -c "SSL - Handshake protocol not within min/max boundaries"
3191
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003192run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003193 "$P_SRV min_version=tls1_2" \
3194 "$P_CLI max_version=tls1_1" \
3195 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02003196 -s "mbedtls_ssl_handshake returned" \
3197 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +01003198 -s "SSL - Handshake protocol not within min/max boundaries"
3199
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003200# Tests for ALPN extension
3201
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003202run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003203 "$P_SRV debug_level=3" \
3204 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003205 0 \
3206 -C "client hello, adding alpn extension" \
3207 -S "found alpn extension" \
3208 -C "got an alert message, type: \\[2:120]" \
3209 -S "server hello, adding alpn extension" \
3210 -C "found alpn extension " \
3211 -C "Application Layer Protocol is" \
3212 -S "Application Layer Protocol is"
3213
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003214run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003215 "$P_SRV debug_level=3" \
3216 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003217 0 \
3218 -c "client hello, adding alpn extension" \
3219 -s "found alpn extension" \
3220 -C "got an alert message, type: \\[2:120]" \
3221 -S "server hello, adding alpn extension" \
3222 -C "found alpn extension " \
3223 -c "Application Layer Protocol is (none)" \
3224 -S "Application Layer Protocol is"
3225
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003226run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003227 "$P_SRV debug_level=3 alpn=abc,1234" \
3228 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003229 0 \
3230 -C "client hello, adding alpn extension" \
3231 -S "found alpn extension" \
3232 -C "got an alert message, type: \\[2:120]" \
3233 -S "server hello, adding alpn extension" \
3234 -C "found alpn extension " \
3235 -C "Application Layer Protocol is" \
3236 -s "Application Layer Protocol is (none)"
3237
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003238run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003239 "$P_SRV debug_level=3 alpn=abc,1234" \
3240 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003241 0 \
3242 -c "client hello, adding alpn extension" \
3243 -s "found alpn extension" \
3244 -C "got an alert message, type: \\[2:120]" \
3245 -s "server hello, adding alpn extension" \
3246 -c "found alpn extension" \
3247 -c "Application Layer Protocol is abc" \
3248 -s "Application Layer Protocol is abc"
3249
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003250run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003251 "$P_SRV debug_level=3 alpn=abc,1234" \
3252 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003253 0 \
3254 -c "client hello, adding alpn extension" \
3255 -s "found alpn extension" \
3256 -C "got an alert message, type: \\[2:120]" \
3257 -s "server hello, adding alpn extension" \
3258 -c "found alpn extension" \
3259 -c "Application Layer Protocol is abc" \
3260 -s "Application Layer Protocol is abc"
3261
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003262run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003263 "$P_SRV debug_level=3 alpn=abc,1234" \
3264 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003265 0 \
3266 -c "client hello, adding alpn extension" \
3267 -s "found alpn extension" \
3268 -C "got an alert message, type: \\[2:120]" \
3269 -s "server hello, adding alpn extension" \
3270 -c "found alpn extension" \
3271 -c "Application Layer Protocol is 1234" \
3272 -s "Application Layer Protocol is 1234"
3273
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003274run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003275 "$P_SRV debug_level=3 alpn=abc,123" \
3276 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +02003277 1 \
3278 -c "client hello, adding alpn extension" \
3279 -s "found alpn extension" \
3280 -c "got an alert message, type: \\[2:120]" \
3281 -S "server hello, adding alpn extension" \
3282 -C "found alpn extension" \
3283 -C "Application Layer Protocol is 1234" \
3284 -S "Application Layer Protocol is 1234"
3285
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003287# Tests for keyUsage in leaf certificates, part 1:
3288# server-side certificate/suite selection
3289
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003290run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003291 "$P_SRV key_file=data_files/server2.key \
3292 crt_file=data_files/server2.ku-ds.crt" \
3293 "$P_CLI" \
3294 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +02003295 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003296
3297
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003298run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003299 "$P_SRV key_file=data_files/server2.key \
3300 crt_file=data_files/server2.ku-ke.crt" \
3301 "$P_CLI" \
3302 0 \
3303 -c "Ciphersuite is TLS-RSA-WITH-"
3304
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003305run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003306 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003307 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003308 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003309 1 \
3310 -C "Ciphersuite is "
3311
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003312run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003313 "$P_SRV key_file=data_files/server5.key \
3314 crt_file=data_files/server5.ku-ds.crt" \
3315 "$P_CLI" \
3316 0 \
3317 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
3318
3319
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003320run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003321 "$P_SRV key_file=data_files/server5.key \
3322 crt_file=data_files/server5.ku-ka.crt" \
3323 "$P_CLI" \
3324 0 \
3325 -c "Ciphersuite is TLS-ECDH-"
3326
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003327run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003328 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003329 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +02003330 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003331 1 \
3332 -C "Ciphersuite is "
3333
3334# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003335# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003336
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003337run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003338 "$O_SRV -key data_files/server2.key \
3339 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003340 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003341 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3342 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003343 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003344 -C "Processing of the Certificate handshake message failed" \
3345 -c "Ciphersuite is TLS-"
3346
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003347run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003348 "$O_SRV -key data_files/server2.key \
3349 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003350 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003351 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3352 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003353 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003354 -C "Processing of the Certificate handshake message failed" \
3355 -c "Ciphersuite is TLS-"
3356
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003357run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003358 "$O_SRV -key data_files/server2.key \
3359 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003360 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003361 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3362 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003363 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003364 -C "Processing of the Certificate handshake message failed" \
3365 -c "Ciphersuite is TLS-"
3366
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003367run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003368 "$O_SRV -key data_files/server2.key \
3369 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003370 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003371 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3372 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003373 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003374 -c "Processing of the Certificate handshake message failed" \
3375 -C "Ciphersuite is TLS-"
3376
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01003377run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
3378 "$O_SRV -key data_files/server2.key \
3379 -cert data_files/server2.ku-ke.crt" \
3380 "$P_CLI debug_level=1 auth_mode=optional \
3381 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3382 0 \
3383 -c "bad certificate (usage extensions)" \
3384 -C "Processing of the Certificate handshake message failed" \
3385 -c "Ciphersuite is TLS-" \
3386 -c "! Usage does not match the keyUsage extension"
3387
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003388run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003389 "$O_SRV -key data_files/server2.key \
3390 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003391 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003392 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
3393 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003394 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003395 -C "Processing of the Certificate handshake message failed" \
3396 -c "Ciphersuite is TLS-"
3397
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003398run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003399 "$O_SRV -key data_files/server2.key \
3400 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003401 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003402 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3403 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003404 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +02003405 -c "Processing of the Certificate handshake message failed" \
3406 -C "Ciphersuite is TLS-"
3407
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +01003408run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
3409 "$O_SRV -key data_files/server2.key \
3410 -cert data_files/server2.ku-ds.crt" \
3411 "$P_CLI debug_level=1 auth_mode=optional \
3412 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
3413 0 \
3414 -c "bad certificate (usage extensions)" \
3415 -C "Processing of the Certificate handshake message failed" \
3416 -c "Ciphersuite is TLS-" \
3417 -c "! Usage does not match the keyUsage extension"
3418
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003419# Tests for keyUsage in leaf certificates, part 3:
3420# server-side checking of client cert
3421
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003422run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003423 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003424 "$O_CLI -key data_files/server2.key \
3425 -cert data_files/server2.ku-ds.crt" \
3426 0 \
3427 -S "bad certificate (usage extensions)" \
3428 -S "Processing of the Certificate handshake message failed"
3429
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003430run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003431 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003432 "$O_CLI -key data_files/server2.key \
3433 -cert data_files/server2.ku-ke.crt" \
3434 0 \
3435 -s "bad certificate (usage extensions)" \
3436 -S "Processing of the Certificate handshake message failed"
3437
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003438run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003439 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003440 "$O_CLI -key data_files/server2.key \
3441 -cert data_files/server2.ku-ke.crt" \
3442 1 \
3443 -s "bad certificate (usage extensions)" \
3444 -s "Processing of the Certificate handshake message failed"
3445
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003446run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003447 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003448 "$O_CLI -key data_files/server5.key \
3449 -cert data_files/server5.ku-ds.crt" \
3450 0 \
3451 -S "bad certificate (usage extensions)" \
3452 -S "Processing of the Certificate handshake message failed"
3453
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003454run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003455 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +02003456 "$O_CLI -key data_files/server5.key \
3457 -cert data_files/server5.ku-ka.crt" \
3458 0 \
3459 -s "bad certificate (usage extensions)" \
3460 -S "Processing of the Certificate handshake message failed"
3461
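# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
#
# The server is given one certificate whose extendedKeyUsage matches the test
# title, and only the expected client exit status is checked (0 = success,
# 1 = failure). The file-name suffixes follow the pairing used by parts 2 and
# 3 of these tests: eku-srv = serverAuth, eku-srv_cli = serverAuth+clientAuth,
# eku-cs_any = codeSign+anyEKU, eku-cs = codeSign.

run_test "extKeyUsage srv: serverAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv.crt" \
 "$P_CLI" \
 0

# Uses the serverAuth+clientAuth certificate named in the title. The
# serverAuth-only file used before made this an exact repeat of the previous
# test and left the two-purpose certificate untested on the server side.
run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-srv_cli.crt" \
 "$P_CLI" \
 0

run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cs_any.crt" \
 "$P_CLI" \
 0

# Uses the codeSign-only certificate named in the title (previously the
# clientAuth one). Either way the certificate lacks serverAuth, so the
# handshake is expected to fail.
run_test "extKeyUsage srv: codeSign -> fail" \
 "$P_SRV key_file=data_files/server5.key \
 crt_file=data_files/server5.eku-cs.crt" \
 "$P_CLI" \
 1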
3487
3488# Tests for extendedKeyUsage, part 2: client-side checking of server cert
3489
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003490run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003491 "$O_SRV -key data_files/server5.key \
3492 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003493 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003494 0 \
3495 -C "bad certificate (usage extensions)" \
3496 -C "Processing of the Certificate handshake message failed" \
3497 -c "Ciphersuite is TLS-"
3498
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003499run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003500 "$O_SRV -key data_files/server5.key \
3501 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003502 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003503 0 \
3504 -C "bad certificate (usage extensions)" \
3505 -C "Processing of the Certificate handshake message failed" \
3506 -c "Ciphersuite is TLS-"
3507
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003508run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003509 "$O_SRV -key data_files/server5.key \
3510 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003511 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003512 0 \
3513 -C "bad certificate (usage extensions)" \
3514 -C "Processing of the Certificate handshake message failed" \
3515 -c "Ciphersuite is TLS-"
3516
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003517run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003518 "$O_SRV -key data_files/server5.key \
3519 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003520 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003521 1 \
3522 -c "bad certificate (usage extensions)" \
3523 -c "Processing of the Certificate handshake message failed" \
3524 -C "Ciphersuite is TLS-"
3525
3526# Tests for extendedKeyUsage, part 3: server-side checking of client cert
3527
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +02003528run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +02003529 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +02003530 "$O_CLI -key data_files/server5.key \
3531 -cert data_files/server5.eku-cli.crt" \
3532 0 \
3533 -S "bad certificate (usage extensions)" \
3534 -S "Processing of the Certificate handshake message failed"
3535
# extendedKeyUsage checks on the certificate an OpenSSL client ($O_CLI)
# presents to the test server. Each case swaps in a server5 certificate whose
# file name indicates the EKU set it carries.
# NOTE(review): run_test is defined outside this excerpt; the cases below read
# as "-s PATTERN must appear in the server log, -S PATTERN must not" --
# confirm against the definition.

# EKU lists both serverAuth and clientAuth: accepted, nothing logged.
run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-srv_cli.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# anyExtendedKeyUsage next to codeSigning: still accepted for client auth.
run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs_any.crt" \
    0 \
    -S "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# codeSigning only, auth_mode=optional: the mismatch is logged but the
# handshake still completes (exit code 0). With optional authentication the
# rejection is therefore not enforced by the handshake itself; a caller that
# depends on the client identity has to inspect the verification result.
run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
    "$P_SRV debug_level=1 auth_mode=optional" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs.crt" \
    0 \
    -s "bad certificate (usage extensions)" \
    -S "Processing of the Certificate handshake message failed"

# Same certificate with auth_mode=required: the Certificate message is
# rejected and the run is expected to fail (exit code 1).
run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
    "$P_SRV debug_level=1 auth_mode=required" \
    "$O_CLI -key data_files/server5.key \
        -cert data_files/server5.eku-cs.crt" \
    1 \
    -s "bad certificate (usage extensions)" \
    -s "Processing of the Certificate handshake message failed"
3567
# Tests for DHM parameters loading
#
# Both cases force a DHE-RSA suite and read the Diffie-Hellman group the
# server sent from the client's debug output (debug_level=3).

# Server started with no dhm_file: the client is expected to report a
# 2048-bit prime and a 2-bit generator.
run_test "DHM parameters: reference" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (2048 bits)" \
    -c "value of 'DHM: G ' (2 bits)"

# Server loads its group from data_files/dhparams.pem: the client is expected
# to report a 1024-bit prime, showing the file replaced the built-in group.
run_test "DHM parameters: other parameters" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=3" \
    0 \
    -c "value of 'DHM: P ' (1024 bits)" \
    -c "value of 'DHM: G ' (2 bits)"
3585
# Tests for DHM client-side size checking
#
# The client refuses a server DH prime shorter than its configured minimum
# and logs "DHM prime too short:". The cases pin that minimum from both
# sides: the default client accepts 1024 bits and rejects 1000 bits, and
# dhmlen= raises the floor explicitly.
# NOTE(review): 1024-bit finite-field DH is widely treated as too weak for new
# deployments; these cases document the default, they do not endorse it.

# Server's built-in group against the client's default minimum.
run_test "DHM size: server default, client default, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    0 \
    -C "DHM prime too short:"

# Minimum raised to 2048 bits: the server's built-in group still passes.
run_test "DHM size: server default, client 2048, OK" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1 dhmlen=2048" \
    0 \
    -C "DHM prime too short:"

# Server loads data_files/dhparams.pem (named "1024" by the test title): the
# default client minimum still lets it through.
run_test "DHM size: server 1024, client default, OK" \
    "$P_SRV dhm_file=data_files/dhparams.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    0 \
    -C "DHM prime too short:"

# Server loads data_files/dh.1000.pem: below the default minimum, so the
# client must abort (exit code 1) and log the reason.
run_test "DHM size: server 1000, client default, rejected" \
    "$P_SRV dhm_file=data_files/dh.1000.pem" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1" \
    1 \
    -c "DHM prime too short:"

# Boundary case: with the minimum one bit above the size accepted in the
# "client 2048" case, the same server group must now be refused.
run_test "DHM size: server default, client 2049, rejected" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
        debug_level=1 dhmlen=2049" \
    1 \
    -c "DHM prime too short:"
3622
# Tests for PSK callback
#
# The server is given either a single static identity/key (psk=,
# psk_identity=), a list served through the PSK callback (psk_list=), both,
# or neither. Judging by the matching cases below, psk_list is a flat
# "identity,key,identity,key" list (abc->dead, def->beef).
# Every case asserts on all three server-side failure messages, so each
# failure is attributed to exactly one cause: no usable suite, unknown
# identity, or a key mismatch surfacing as a MAC failure.
# The key and identity values are throwaway test fixtures.

# Static PSK only, client presents the same identity and key.
run_test "PSK callback: psk, no callback" \
    "$P_SRV psk=abc123 psk_identity=foo" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Server has no PSK at all: the PSK suite is not negotiable.
run_test "PSK callback: no psk, no callback" \
    "$P_SRV" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    1 \
    -s "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Static PSK and callback list together: the static identity "foo" is not in
# the list and is rejected as unknown, i.e. the callback takes precedence.
run_test "PSK callback: callback overrides other settings" \
    "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=foo psk=abc123" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# First list entry.
run_test "PSK callback: first id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=abc psk=dead" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Second list entry.
run_test "PSK callback: second id matches" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=def psk=beef" \
    0 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Identity absent from the list, even though the key belongs to another entry.
run_test "PSK callback: no match" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=ghi psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -s "SSL - Unknown identity received" \
    -S "SSL - Verification of the message MAC failed"

# Known identity paired with another entry's key: the identity lookup
# succeeds, so the failure shows up as a MAC verification failure instead.
run_test "PSK callback: wrong key" \
    "$P_SRV psk_list=abc,dead,def,beef" \
    "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
        psk_identity=abc psk=beef" \
    1 \
    -S "SSL - None of the common ciphersuites is usable" \
    -S "SSL - Unknown identity received" \
    -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +02003687
# Tests for EC J-PAKE
#
# TLS cases. Each one is skipped unless MBEDTLS_KEY_EXCHANGE_ECJPAKE is
# enabled. The assertions follow the ecjpake_kkpp extension through both
# logs: offered by the client, found or skipped by the server, echoed in the
# ServerHello, found by the client. "c0ff" is the suite id the client logs
# when it offers TLS-ECJPAKE-WITH-AES-128-CCM-8.

# No password on either side: the suite and extension are never offered and
# the handshake succeeds with some other suite.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: client not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3" \
    0 \
    -C "add ciphersuite: c0ff" \
    -C "adding ecjpake_kkpp extension" \
    -S "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable"

# Client forces the EC J-PAKE suite but the server has no password: the
# server sees the extension, skips it, and finds no usable suite.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: server not configured" \
    "$P_SRV debug_level=3" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -s "found ecjpake kkpp extension" \
    -s "skip ecjpake kkpp extension" \
    -s "ciphersuite mismatch: ecjpake not configured" \
    -S "server hello, ecjpake kkpp extension" \
    -C "found ecjpake_kkpp extension" \
    -s "None of the common ciphersuites is usable"

# Same password on both sides: full exchange, no cached parameters reused
# over TLS, no MAC failure.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "add ciphersuite: c0ff" \
    -c "adding ecjpake_kkpp extension" \
    -C "re-using cached ecjpake parameters" \
    -s "found ecjpake kkpp extension" \
    -S "skip ecjpake kkpp extension" \
    -S "ciphersuite mismatch: ecjpake not configured" \
    -s "server hello, ecjpake kkpp extension" \
    -c "found ecjpake_kkpp extension" \
    -S "None of the common ciphersuites is usable" \
    -S "SSL - Verification of the message MAC failed"

# Different passwords: the expected server-side symptom is a MAC
# verification failure and a failed run (exit code 1).
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, TLS" \
    "$P_SRV debug_level=3 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -C "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"
3745
# EC J-PAKE over DTLS. Each case is skipped unless
# MBEDTLS_KEY_EXCHANGE_ECJPAKE is enabled.
# The client logs "re-using cached ecjpake parameters" in the default DTLS
# cases and must not log it when the server runs with cookies=0 --
# presumably the reuse happens on the ClientHello resent after the cookie
# exchange; confirm against the client code.

# Matching passwords, default cookie behaviour: cached parameters reused.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -c "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

# Matching passwords, server cookies disabled: nothing is reused.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, no cookie" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0 \
    -C "re-using cached ecjpake parameters" \
    -S "SSL - Verification of the message MAC failed"

# Different passwords: the server must report a MAC verification failure
# and the run must fail (exit code 1).
server_needs_more_time 1
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: password mismatch, DTLS" \
    "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
    "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    1 \
    -c "re-using cached ecjpake parameters" \
    -s "SSL - Verification of the message MAC failed"

# for tests with configs/config-thread.h
# No debug_level and no log patterns: only the exit code is checked.
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
run_test "ECJPAKE: working, DTLS, nolog" \
    "$P_SRV dtls=1 ecjpake_pw=bla" \
    "$P_CLI dtls=1 ecjpake_pw=bla \
        force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
    0
3781
# Tests for ciphersuites per version
#
# The server gets one four-entry version_suites list and the client forces
# one protocol version per case. The expected suite moves through the list in
# order (1st for SSL3, 2nd for TLS 1.0, 3rd for TLS 1.1, 4th for TLS 1.2),
# which is what shows the per-version selection is applied.
# Each case needs the protocol version plus Camellia and AES compiled in.

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: SSL3" \
    "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=ssl3" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.0" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1 arc4=1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.1" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_1" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"

requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_CAMELLIA_C
requires_config_enabled MBEDTLS_AES_C
run_test "Per-version suites: TLS 1.2" \
    "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
    "$P_CLI force_version=tls1_2" \
    0 \
    -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
3819
# Test for ClientHello without extensions
#
# A GnuTLS client is told to send no extensions at all and to skip safe
# renegotiation signalling. The server has to complete the handshake and log
# an empty (0-byte) extensions block, i.e. it must cope with a ClientHello
# that carries nothing after the compression methods.
requires_gnutls
run_test "ClientHello without extensions" \
    "$P_SRV debug_level=3" \
    "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
    0 \
    -s "dumping 'client hello extensions' (0 bytes)"
3828
# Tests for mbedtls_ssl_get_bytes_avail()
#
# The server's "Read from client" line is checked in two shapes. For a
# 100-byte request the line must end right after "bytes read" (the trailing
# "$" anchors the pattern). For a 500-byte request the line must continue
# with a parenthesised part containing a "+", which appears to be how the
# server reports bytes that were still pending after the first read.

run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
    "$P_SRV" \
    "$P_CLI request_size=100" \
    0 \
    -s "Read from client: 100 bytes read$"

run_test "mbedtls_ssl_get_bytes_avail: extra data" \
    "$P_SRV" \
    "$P_CLI request_size=500" \
    0 \
    -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +02003842
# Tests for small client packets
#
# SSLv3 cases: the client sends a 1-byte request (request_size=1) and the
# server must log that exactly one byte was read. Both cases are skipped
# unless MBEDTLS_SSL_PROTO_SSL3 is enabled, and the server has to lower its
# floor with min_version=ssl3 to accept the connection at all.
# SSLv3 and RC4 appear here for record-layer coverage of legacy builds.

# CBC block cipher.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small client packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=1 force_version=ssl3 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

# RC4 stream cipher; the server opts in with arc4=1.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small client packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=ssl3 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"
3860
# Small client packets, TLS 1.0: a 1-byte request across the record
# protection variants -- CBC block cipher and RC4 stream cipher, each with
# and without Encrypt-then-MAC (etm=0 on the client) and with and without
# truncated HMAC (trunc_hmac=1 on both peers). Truncated-HMAC cases are
# skipped unless MBEDTLS_SSL_TRUNCATED_HMAC is enabled. RC4 cases need the
# server to opt in with arc4=1.

run_test "Small client packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1 etm=0 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
        trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"
3920
# Small client packets, TLS 1.1: the same 1-byte request matrix as for the
# other versions -- CBC block cipher and RC4 stream cipher, with and without
# Encrypt-then-MAC (etm=0 on the client), with and without truncated HMAC
# (trunc_hmac=1 on both peers). Truncated-HMAC cases are skipped unless
# MBEDTLS_SSL_TRUNCATED_HMAC is enabled. RC4 cases need arc4=1 on the server.

run_test "Small client packet TLS 1.1 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_1 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"
3980
# Small client packets, TLS 1.2: a 1-byte request across CBC block ciphers
# (SHA-1 MAC and the larger SHA-384 MAC), the RC4 stream cipher, and the AEAD
# suites AES-256-CCM and AES-256-CCM-8 (shorter tag). The block and stream
# cases are repeated without Encrypt-then-MAC (etm=0 on the client) and with
# truncated HMAC (trunc_hmac=1 on both peers); the latter are skipped unless
# MBEDTLS_SSL_TRUNCATED_HMAC is enabled. RC4 cases need arc4=1 on the server.

run_test "Small client packet TLS 1.2 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
    0 \
    -s "Read from client: 1 bytes read"

run_test "Small client packet TLS 1.2 AEAD shorter tag" \
    "$P_SRV" \
    "$P_CLI request_size=1 force_version=tls1_2 \
        force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
    0 \
    -s "Read from client: 1 bytes read"
4061
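# Tests for small client packets in DTLS
#
# Every case is gated on MBEDTLS_SSL_PROTO_DTLS, runs both peers with
# dtls=1, has the client send one byte (request_size=1) over
# TLS-RSA-WITH-AES-256-CBC-SHA, and passes when the server log contains
# "Read from client: 1 bytes read".
#
# The protocol version is pinned on the server (force_version=dtls1 or
# dtls1_2); the client does not force one. In the "without EtM" variants
# etm=0 is given to the server only; presumably that is enough to keep
# encrypt-then-MAC from being negotiated, so the CBC suite falls back to
# MAC-then-encrypt, the record path where padding and MAC checks on very
# short records matter most. Truncated-HMAC variants pass trunc_hmac=1 on
# both peers and are additionally gated on MBEDTLS_SSL_TRUNCATED_HMAC.

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0" \
    "$P_SRV dtls=1 force_version=dtls1" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.0, without EtM" \
    "$P_SRV dtls=1 force_version=dtls1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, truncated hmac" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
    "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
    "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.2" \
    "$P_SRV dtls=1 force_version=dtls1_2" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
run_test "Small client packet DTLS 1.2, without EtM" \
    "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.2, truncated hmac" \
    "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
    "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
    "$P_CLI dtls=1 request_size=1 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 1 bytes read"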
4131
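# Tests for small server packets
#
# The server is started with response_size=1 and each case passes when the
# client log contains "Read from server: 1 bytes read" (-c patterns are
# matched against the client's output).

# SSLv3 cases are gated on MBEDTLS_SSL_PROTO_SSL3. The server lowers its
# version floor with min_version=ssl3 and, for the RC4 case, opts in with
# arc4=1; the client forces the version and the ciphersuite.
# NOTE(review): SSLv3 and RC4 are legacy options; presumably they are kept
# under test only for builds that still enable them.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small server packet SSLv3 BlockCipher" \
    "$P_SRV response_size=1 min_version=ssl3" \
    "$P_CLI force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "Read from server: 1 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Small server packet SSLv3 StreamCipher" \
    "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "Read from server: 1 bytes read"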
4149
4150run_test "Small server packet TLS 1.0 BlockCipher" \
4151 "$P_SRV response_size=1" \
4152 "$P_CLI force_version=tls1 \
4153 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4154 0 \
4155 -c "Read from server: 1 bytes read"
4156
4157run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
4158 "$P_SRV response_size=1" \
4159 "$P_CLI force_version=tls1 etm=0 \
4160 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4161 0 \
4162 -c "Read from server: 1 bytes read"
4163
4164requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4165run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
4166 "$P_SRV response_size=1 trunc_hmac=1" \
4167 "$P_CLI force_version=tls1 \
4168 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4169 0 \
4170 -c "Read from server: 1 bytes read"
4171
4172requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4173run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
4174 "$P_SRV response_size=1 trunc_hmac=1" \
4175 "$P_CLI force_version=tls1 \
4176 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4177 0 \
4178 -c "Read from server: 1 bytes read"
4179
4180run_test "Small server packet TLS 1.0 StreamCipher" \
4181 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4182 "$P_CLI force_version=tls1 \
4183 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4184 0 \
4185 -c "Read from server: 1 bytes read"
4186
4187run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
4188 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4189 "$P_CLI force_version=tls1 \
4190 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4191 0 \
4192 -c "Read from server: 1 bytes read"
4193
4194requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4195run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
4196 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4197 "$P_CLI force_version=tls1 \
4198 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4199 0 \
4200 -c "Read from server: 1 bytes read"
4201
4202requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4203run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4204 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4205 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4206 trunc_hmac=1 etm=0" \
4207 0 \
4208 -c "Read from server: 1 bytes read"
4209
4210run_test "Small server packet TLS 1.1 BlockCipher" \
4211 "$P_SRV response_size=1" \
4212 "$P_CLI force_version=tls1_1 \
4213 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4214 0 \
4215 -c "Read from server: 1 bytes read"
4216
4217run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
4218 "$P_SRV response_size=1" \
4219 "$P_CLI force_version=tls1_1 \
4220 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4221 0 \
4222 -c "Read from server: 1 bytes read"
4223
4224requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4225run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
4226 "$P_SRV response_size=1 trunc_hmac=1" \
4227 "$P_CLI force_version=tls1_1 \
4228 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4229 0 \
4230 -c "Read from server: 1 bytes read"
4231
4232requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4233run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4234 "$P_SRV response_size=1 trunc_hmac=1" \
4235 "$P_CLI force_version=tls1_1 \
4236 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4237 0 \
4238 -c "Read from server: 1 bytes read"
4239
4240run_test "Small server packet TLS 1.1 StreamCipher" \
4241 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4242 "$P_CLI force_version=tls1_1 \
4243 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4244 0 \
4245 -c "Read from server: 1 bytes read"
4246
4247run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
4248 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4249 "$P_CLI force_version=tls1_1 \
4250 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4251 0 \
4252 -c "Read from server: 1 bytes read"
4253
4254requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4255run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
4256 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4257 "$P_CLI force_version=tls1_1 \
4258 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4259 0 \
4260 -c "Read from server: 1 bytes read"
4261
4262requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4263run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4264 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4265 "$P_CLI force_version=tls1_1 \
4266 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4267 0 \
4268 -c "Read from server: 1 bytes read"
4269
4270run_test "Small server packet TLS 1.2 BlockCipher" \
4271 "$P_SRV response_size=1" \
4272 "$P_CLI force_version=tls1_2 \
4273 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4274 0 \
4275 -c "Read from server: 1 bytes read"
4276
4277run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
4278 "$P_SRV response_size=1" \
4279 "$P_CLI force_version=tls1_2 \
4280 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
4281 0 \
4282 -c "Read from server: 1 bytes read"
4283
4284run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
4285 "$P_SRV response_size=1" \
4286 "$P_CLI force_version=tls1_2 \
4287 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4288 0 \
4289 -c "Read from server: 1 bytes read"
4290
4291requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4292run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
4293 "$P_SRV response_size=1 trunc_hmac=1" \
4294 "$P_CLI force_version=tls1_2 \
4295 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4296 0 \
4297 -c "Read from server: 1 bytes read"
4298
4299requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4300run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4301 "$P_SRV response_size=1 trunc_hmac=1" \
4302 "$P_CLI force_version=tls1_2 \
4303 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4304 0 \
4305 -c "Read from server: 1 bytes read"
4306
4307run_test "Small server packet TLS 1.2 StreamCipher" \
4308 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4309 "$P_CLI force_version=tls1_2 \
4310 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4311 0 \
4312 -c "Read from server: 1 bytes read"
4313
4314run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
4315 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4316 "$P_CLI force_version=tls1_2 \
4317 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4318 0 \
4319 -c "Read from server: 1 bytes read"
4320
4321requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4322run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
4323 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4324 "$P_CLI force_version=tls1_2 \
4325 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4326 0 \
4327 -c "Read from server: 1 bytes read"
4328
4329requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4330run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4331 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4332 "$P_CLI force_version=tls1_2 \
4333 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4334 0 \
4335 -c "Read from server: 1 bytes read"
4336
4337run_test "Small server packet TLS 1.2 AEAD" \
4338 "$P_SRV response_size=1" \
4339 "$P_CLI force_version=tls1_2 \
4340 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4341 0 \
4342 -c "Read from server: 1 bytes read"
4343
4344run_test "Small server packet TLS 1.2 AEAD shorter tag" \
4345 "$P_SRV response_size=1" \
4346 "$P_CLI force_version=tls1_2 \
4347 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4348 0 \
4349 -c "Read from server: 1 bytes read"
4350
4351# Tests for small server packets in DTLS
4352
4353requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4354run_test "Small server packet DTLS 1.0" \
4355 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
4356 "$P_CLI dtls=1 \
4357 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4358 0 \
4359 -c "Read from server: 1 bytes read"
4360
4361requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4362run_test "Small server packet DTLS 1.0, without EtM" \
4363 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
4364 "$P_CLI dtls=1 \
4365 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4366 0 \
4367 -c "Read from server: 1 bytes read"
4368
4369requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4370requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4371run_test "Small server packet DTLS 1.0, truncated hmac" \
4372 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
4373 "$P_CLI dtls=1 trunc_hmac=1 \
4374 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4375 0 \
4376 -c "Read from server: 1 bytes read"
4377
4378requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4379requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4380run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
4381 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
4382 "$P_CLI dtls=1 \
4383 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4384 0 \
4385 -c "Read from server: 1 bytes read"
4386
4387requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4388run_test "Small server packet DTLS 1.2" \
4389 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
4390 "$P_CLI dtls=1 \
4391 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4392 0 \
4393 -c "Read from server: 1 bytes read"
4394
4395requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4396run_test "Small server packet DTLS 1.2, without EtM" \
4397 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
4398 "$P_CLI dtls=1 \
4399 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4400 0 \
4401 -c "Read from server: 1 bytes read"
4402
4403requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4404requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4405run_test "Small server packet DTLS 1.2, truncated hmac" \
4406 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
4407 "$P_CLI dtls=1 \
4408 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
4409 0 \
4410 -c "Read from server: 1 bytes read"
4411
4412requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
4413requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4414run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
4415 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
4416 "$P_CLI dtls=1 \
4417 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
4418 0 \
4419 -c "Read from server: 1 bytes read"
4420
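# A test for extensions in SSLv3
#
# The client forces SSLv3 while still asking for features that are carried
# in hello extensions (tickets=1, max_frag_len=4096, alpn=abc,1234). The
# handshake must succeed (expected exit code 0) and, with debug_level=3 on
# the server, neither of the two extension-related debug lines may show up
# in the server log: upper-case -S is the "must be absent from the server
# output" form of the check. In other words the server is expected to
# neither parse client hello extensions nor emit any of its own when the
# negotiated version is SSLv3.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "SSLv3 with extensions, server side" \
    "$P_SRV min_version=ssl3 debug_level=3" \
    "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
    0 \
    -S "dumping 'client hello extensions'" \
    -S "server hello, total extension length:"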
4430
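# Test for large client packets
#
# The client writes 16384 bytes in one request (request_size=16384). A
# case passes when the client log reports the write going out as a single
# fragment (-c) and the server log reports reading all 16384 bytes (-s).

# SSLv3 cases, gated on MBEDTLS_SSL_PROTO_SSL3; the server lowers its
# floor with min_version=ssl3.
# The CBC case passes recsplit=0 to the client; presumably this turns off
# CBC record splitting so the "1 fragments" count is deterministic. The
# RC4 case does not pass it and additionally needs arc4=1 on the server.
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large client packet SSLv3 BlockCipher" \
    "$P_SRV min_version=ssl3" \
    "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "Large client packet SSLv3 StreamCipher" \
    "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=ssl3 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"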
4450
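# Large client packet cases for TLS 1.0: the client writes 16384 bytes in
# one request and the server log must report reading all of them.
#
# CBC cases pass recsplit=0 on the client; presumably this disables CBC
# record splitting so that the write is not broken into several records.
# RC4 cases need arc4=1 on the server. Truncated-HMAC cases pass
# trunc_hmac=1 on both peers and are gated on MBEDTLS_SSL_TRUNCATED_HMAC.
#
# NOTE(review): the client-side check
#     -c "16384 bytes written in 1 fragments"
# is present on only three of the eight cases below ("BlockCipher",
# "BlockCipher, truncated MAC" and "StreamCipher, without EtM, truncated
# MAC"). The other five assert the server-side read only, so a regression
# that fragments the write would go unnoticed there. This looks like drift
# between separately merged changes rather than a deliberate choice --
# confirm, and consider adding the check to the remaining cases.

run_test "Large client packet TLS 1.0 BlockCipher" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
    "$P_SRV" \
    "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
    "$P_SRV trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
     force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 StreamCipher" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    0 \
    -s "Read from client: 16384 bytes read"

run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    0 \
    -s "Read from client: 16384 bytes read"

requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
    "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
    "$P_CLI request_size=16384 force_version=tls1 \
     force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
    0 \
    -c "16384 bytes written in 1 fragments" \
    -s "Read from client: 16384 bytes read"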
4513
Andrzej Kurek557335e2018-06-28 04:03:10 -04004514run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004515 "$P_SRV" \
4516 "$P_CLI request_size=16384 force_version=tls1_1 \
4517 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4518 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004519 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004520 -s "Read from client: 16384 bytes read"
4521
Andrzej Kurek557335e2018-06-28 04:03:10 -04004522run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004523 "$P_SRV" \
4524 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
4525 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004526 0 \
4527 -s "Read from client: 16384 bytes read"
4528
Hanno Becker32c55012017-11-10 08:42:54 +00004529requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004530run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004531 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004532 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004533 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004534 0 \
4535 -s "Read from client: 16384 bytes read"
4536
Hanno Becker32c55012017-11-10 08:42:54 +00004537requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004538run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004539 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004540 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004541 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004542 0 \
4543 -s "Read from client: 16384 bytes read"
4544
Andrzej Kurek557335e2018-06-28 04:03:10 -04004545run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004546 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4547 "$P_CLI request_size=16384 force_version=tls1_1 \
4548 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4549 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004550 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004551 -s "Read from client: 16384 bytes read"
4552
Andrzej Kurek557335e2018-06-28 04:03:10 -04004553run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004554 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004555 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004556 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004557 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004558 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004559 -s "Read from client: 16384 bytes read"
4560
Hanno Becker278fc7a2017-11-10 09:16:28 +00004561requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004562run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004563 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004564 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004565 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004566 0 \
4567 -s "Read from client: 16384 bytes read"
4568
Hanno Becker278fc7a2017-11-10 09:16:28 +00004569requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004570run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004571 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004572 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004573 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004574 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004575 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004576 -s "Read from client: 16384 bytes read"
4577
Andrzej Kurek557335e2018-06-28 04:03:10 -04004578run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004579 "$P_SRV" \
4580 "$P_CLI request_size=16384 force_version=tls1_2 \
4581 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4582 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004583 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004584 -s "Read from client: 16384 bytes read"
4585
Andrzej Kurek557335e2018-06-28 04:03:10 -04004586run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004587 "$P_SRV" \
4588 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
4589 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4590 0 \
4591 -s "Read from client: 16384 bytes read"
4592
Andrzej Kurek557335e2018-06-28 04:03:10 -04004593run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004594 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +01004595 "$P_CLI request_size=16384 force_version=tls1_2 \
4596 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004597 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004598 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004599 -s "Read from client: 16384 bytes read"
4600
Hanno Becker32c55012017-11-10 08:42:54 +00004601requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004602run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004603 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004604 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004605 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004606 0 \
4607 -s "Read from client: 16384 bytes read"
4608
Hanno Becker278fc7a2017-11-10 09:16:28 +00004609requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004610run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004611 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004612 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004613 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004614 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004615 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004616 -s "Read from client: 16384 bytes read"
4617
Andrzej Kurek557335e2018-06-28 04:03:10 -04004618run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004619 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004620 "$P_CLI request_size=16384 force_version=tls1_2 \
4621 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4622 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004623 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004624 -s "Read from client: 16384 bytes read"
4625
Andrzej Kurek557335e2018-06-28 04:03:10 -04004626run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +01004627 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004628 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004629 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4630 0 \
4631 -s "Read from client: 16384 bytes read"
4632
Hanno Becker32c55012017-11-10 08:42:54 +00004633requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004634run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004635 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004636 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004637 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004638 0 \
4639 -s "Read from client: 16384 bytes read"
4640
Hanno Becker278fc7a2017-11-10 09:16:28 +00004641requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004642run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +00004643 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +00004644 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +00004645 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004646 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004647 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004648 -s "Read from client: 16384 bytes read"
4649
Andrzej Kurek557335e2018-06-28 04:03:10 -04004650run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004651 "$P_SRV" \
4652 "$P_CLI request_size=16384 force_version=tls1_2 \
4653 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4654 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004655 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004656 -s "Read from client: 16384 bytes read"
4657
Andrzej Kurek557335e2018-06-28 04:03:10 -04004658run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004659 "$P_SRV" \
4660 "$P_CLI request_size=16384 force_version=tls1_2 \
4661 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4662 0 \
Hanno Becker09930d12017-09-18 15:04:19 +01004663 -c "16384 bytes written in 1 fragments" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +02004664 -s "Read from client: 16384 bytes read"
4665
# Tests for ECC extensions (RFC 4492)
#
# These check that the supported-elliptic-curves and supported-point-formats
# hello extensions appear only when an ECC ciphersuite is in play.
# run_test is defined earlier in the file, outside this excerpt. As used here,
# -c/-s name a pattern expected in the client/server log and -C/-S a pattern
# that must be absent.

# Client restricted to an RSA/CBC suite: it must not add either ECC extension
# to its ClientHello, and the server must not report finding them.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the client side" \
 "$P_SRV debug_level=3" \
 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
 0 \
 -C "client hello, adding supported_elliptic_curves extension" \
 -C "client hello, adding supported_point_formats extension" \
 -S "found supported elliptic curves extension" \
 -S "found supported point formats extension"

# Server restricted to an RSA/CBC suite: its ServerHello must not carry the
# point-formats extension and the client must not report receiving one.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "Force a non ECC ciphersuite in the server side" \
 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
 "$P_CLI debug_level=3" \
 0 \
 -C "found supported_point_formats extension" \
 -S "server hello, supported_point_formats extension"

# Positive counterpart: client forces an ECDHE-ECDSA suite, so both extensions
# must be written by the client and found by the server.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Force an ECC ciphersuite in the client side" \
 "$P_SRV debug_level=3" \
 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
 0 \
 -c "client hello, adding supported_elliptic_curves extension" \
 -c "client hello, adding supported_point_formats extension" \
 -s "found supported elliptic curves extension" \
 -s "found supported point formats extension"

# Positive counterpart: server forces an ECDHE-ECDSA suite, so the ServerHello
# must carry the point-formats extension and the client must see it.
requires_config_enabled MBEDTLS_AES_C
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
run_test "Force an ECC ciphersuite in the server side" \
 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
 "$P_CLI debug_level=3" \
 0 \
 -c "found supported_point_formats extension" \
 -s "server hello, supported_point_formats extension"
4715
Andrzej Kurek557335e2018-06-28 04:03:10 -04004716# Test for large server packets
Andrzej Kurek557335e2018-06-28 04:03:10 -04004717requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4718run_test "Large server packet SSLv3 StreamCipher" \
4719 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4720 "$P_CLI force_version=ssl3 \
4721 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4722 0 \
4723 -c "Read from server: 16384 bytes read"
4724
Andrzej Kurekc8958212018-08-27 08:00:13 -04004725# Checking next 4 tests logs for 1n-1 split against BEAST too
4726requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4727run_test "Large server packet SSLv3 BlockCipher" \
4728 "$P_SRV response_size=16384 min_version=ssl3" \
4729 "$P_CLI force_version=ssl3 recsplit=0 \
4730 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4731 0 \
4732 -c "Read from server: 1 bytes read"\
4733 -c "16383 bytes read"\
4734 -C "Read from server: 16384 bytes read"
4735
Andrzej Kurek557335e2018-06-28 04:03:10 -04004736run_test "Large server packet TLS 1.0 BlockCipher" \
4737 "$P_SRV response_size=16384" \
4738 "$P_CLI force_version=tls1 recsplit=0 \
4739 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4740 0 \
4741 -c "Read from server: 1 bytes read"\
4742 -c "16383 bytes read"\
4743 -C "Read from server: 16384 bytes read"
4744
Andrzej Kurekd731a632018-06-19 09:37:30 -04004745run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
4746 "$P_SRV response_size=16384" \
4747 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
4748 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4749 0 \
4750 -c "Read from server: 1 bytes read"\
4751 -c "16383 bytes read"\
4752 -C "Read from server: 16384 bytes read"
4753
Andrzej Kurek557335e2018-06-28 04:03:10 -04004754requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4755run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
4756 "$P_SRV response_size=16384" \
4757 "$P_CLI force_version=tls1 recsplit=0 \
4758 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4759 trunc_hmac=1" \
4760 0 \
4761 -c "Read from server: 1 bytes read"\
4762 -c "16383 bytes read"\
4763 -C "Read from server: 16384 bytes read"
4764
4765requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4766run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
4767 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4768 "$P_CLI force_version=tls1 \
4769 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4770 trunc_hmac=1" \
4771 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004772 -s "16384 bytes written in 1 fragments" \
4773 -c "Read from server: 16384 bytes read"
4774
4775run_test "Large server packet TLS 1.0 StreamCipher" \
4776 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4777 "$P_CLI force_version=tls1 \
4778 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4779 0 \
4780 -s "16384 bytes written in 1 fragments" \
4781 -c "Read from server: 16384 bytes read"
4782
4783run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
4784 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4785 "$P_CLI force_version=tls1 \
4786 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4787 0 \
4788 -s "16384 bytes written in 1 fragments" \
4789 -c "Read from server: 16384 bytes read"
4790
4791requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4792run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
4793 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4794 "$P_CLI force_version=tls1 \
4795 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4796 0 \
4797 -s "16384 bytes written in 1 fragments" \
4798 -c "Read from server: 16384 bytes read"
4799
4800requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4801run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
4802 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4803 "$P_CLI force_version=tls1 \
4804 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4805 0 \
4806 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004807 -c "Read from server: 16384 bytes read"
4808
4809run_test "Large server packet TLS 1.1 BlockCipher" \
4810 "$P_SRV response_size=16384" \
4811 "$P_CLI force_version=tls1_1 \
4812 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4813 0 \
4814 -c "Read from server: 16384 bytes read"
4815
Andrzej Kurekd731a632018-06-19 09:37:30 -04004816run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
4817 "$P_SRV response_size=16384" \
4818 "$P_CLI force_version=tls1_1 etm=0 \
4819 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004820 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004821 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004822 -c "Read from server: 16384 bytes read"
4823
4824requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4825run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
4826 "$P_SRV response_size=16384" \
4827 "$P_CLI force_version=tls1_1 \
4828 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4829 trunc_hmac=1" \
4830 0 \
4831 -c "Read from server: 16384 bytes read"
4832
4833requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekd731a632018-06-19 09:37:30 -04004834run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
4835 "$P_SRV response_size=16384 trunc_hmac=1" \
4836 "$P_CLI force_version=tls1_1 \
4837 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4838 0 \
4839 -s "16384 bytes written in 1 fragments" \
4840 -c "Read from server: 16384 bytes read"
4841
4842run_test "Large server packet TLS 1.1 StreamCipher" \
4843 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4844 "$P_CLI force_version=tls1_1 \
4845 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4846 0 \
4847 -c "Read from server: 16384 bytes read"
4848
4849run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
4850 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4851 "$P_CLI force_version=tls1_1 \
4852 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4853 0 \
4854 -s "16384 bytes written in 1 fragments" \
4855 -c "Read from server: 16384 bytes read"
4856
4857requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek557335e2018-06-28 04:03:10 -04004858run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
4859 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4860 "$P_CLI force_version=tls1_1 \
4861 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4862 trunc_hmac=1" \
4863 0 \
4864 -c "Read from server: 16384 bytes read"
4865
Andrzej Kurekd731a632018-06-19 09:37:30 -04004866run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
4867 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4868 "$P_CLI force_version=tls1_1 \
4869 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4870 0 \
4871 -s "16384 bytes written in 1 fragments" \
4872 -c "Read from server: 16384 bytes read"
4873
Andrzej Kurek557335e2018-06-28 04:03:10 -04004874run_test "Large server packet TLS 1.2 BlockCipher" \
4875 "$P_SRV response_size=16384" \
4876 "$P_CLI force_version=tls1_2 \
4877 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4878 0 \
4879 -c "Read from server: 16384 bytes read"
4880
Andrzej Kurekd731a632018-06-19 09:37:30 -04004881run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
4882 "$P_SRV response_size=16384" \
4883 "$P_CLI force_version=tls1_2 etm=0 \
4884 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
4885 0 \
4886 -s "16384 bytes written in 1 fragments" \
4887 -c "Read from server: 16384 bytes read"
4888
Andrzej Kurek557335e2018-06-28 04:03:10 -04004889run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
4890 "$P_SRV response_size=16384" \
4891 "$P_CLI force_version=tls1_2 \
4892 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
4893 0 \
4894 -c "Read from server: 16384 bytes read"
4895
4896requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4897run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
4898 "$P_SRV response_size=16384" \
4899 "$P_CLI force_version=tls1_2 \
4900 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
4901 trunc_hmac=1" \
4902 0 \
4903 -c "Read from server: 16384 bytes read"
4904
Andrzej Kurekd731a632018-06-19 09:37:30 -04004905run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
4906 "$P_SRV response_size=16384 trunc_hmac=1" \
4907 "$P_CLI force_version=tls1_2 \
4908 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
4909 0 \
4910 -s "16384 bytes written in 1 fragments" \
4911 -c "Read from server: 16384 bytes read"
4912
Andrzej Kurek557335e2018-06-28 04:03:10 -04004913run_test "Large server packet TLS 1.2 StreamCipher" \
4914 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4915 "$P_CLI force_version=tls1_2 \
4916 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4917 0 \
Andrzej Kurekd731a632018-06-19 09:37:30 -04004918 -s "16384 bytes written in 1 fragments" \
4919 -c "Read from server: 16384 bytes read"
4920
4921run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
4922 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4923 "$P_CLI force_version=tls1_2 \
4924 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
4925 0 \
4926 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek557335e2018-06-28 04:03:10 -04004927 -c "Read from server: 16384 bytes read"
4928
4929requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4930run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
4931 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
4932 "$P_CLI force_version=tls1_2 \
4933 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
4934 trunc_hmac=1" \
4935 0 \
4936 -c "Read from server: 16384 bytes read"
4937
Andrzej Kurekd731a632018-06-19 09:37:30 -04004938requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
4939run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
4940 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
4941 "$P_CLI force_version=tls1_2 \
4942 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
4943 0 \
4944 -s "16384 bytes written in 1 fragments" \
4945 -c "Read from server: 16384 bytes read"
4946
Andrzej Kurek557335e2018-06-28 04:03:10 -04004947run_test "Large server packet TLS 1.2 AEAD" \
4948 "$P_SRV response_size=16384" \
4949 "$P_CLI force_version=tls1_2 \
4950 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
4951 0 \
4952 -c "Read from server: 16384 bytes read"
4953
4954run_test "Large server packet TLS 1.2 AEAD shorter tag" \
4955 "$P_SRV response_size=16384" \
4956 "$P_CLI force_version=tls1_2 \
4957 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
4958 0 \
4959 -c "Read from server: 16384 bytes read"
4960
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004961# Tests for DTLS HelloVerifyRequest
4962
4963run_test "DTLS cookie: enabled" \
4964 "$P_SRV dtls=1 debug_level=2" \
4965 "$P_CLI dtls=1 debug_level=2" \
4966 0 \
4967 -s "cookie verification failed" \
4968 -s "cookie verification passed" \
4969 -S "cookie verification skipped" \
4970 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004971 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004972 -S "SSL - The requested feature is not available"
4973
4974run_test "DTLS cookie: disabled" \
4975 "$P_SRV dtls=1 debug_level=2 cookies=0" \
4976 "$P_CLI dtls=1 debug_level=2" \
4977 0 \
4978 -S "cookie verification failed" \
4979 -S "cookie verification passed" \
4980 -s "cookie verification skipped" \
4981 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004982 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004983 -S "SSL - The requested feature is not available"
4984
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02004985run_test "DTLS cookie: default (failing)" \
4986 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
4987 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
4988 1 \
4989 -s "cookie verification failed" \
4990 -S "cookie verification passed" \
4991 -S "cookie verification skipped" \
4992 -C "received hello verify request" \
4993 -S "hello verification requested" \
4994 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02004995
4996requires_ipv6
4997run_test "DTLS cookie: enabled, IPv6" \
4998 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
4999 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
5000 0 \
5001 -s "cookie verification failed" \
5002 -s "cookie verification passed" \
5003 -S "cookie verification skipped" \
5004 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005005 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +02005006 -S "SSL - The requested feature is not available"
5007
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005008run_test "DTLS cookie: enabled, nbio" \
5009 "$P_SRV dtls=1 nbio=2 debug_level=2" \
5010 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5011 0 \
5012 -s "cookie verification failed" \
5013 -s "cookie verification passed" \
5014 -S "cookie verification skipped" \
5015 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +02005016 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +02005017 -S "SSL - The requested feature is not available"
5018
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005019# Tests for client reconnecting from the same port with DTLS
5020
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005021not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005022run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005023 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5024 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005025 0 \
5026 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005027 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005028 -S "Client initiated reconnection from same port"
5029
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005030not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005031run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005032 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
5033 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005034 0 \
5035 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005036 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005037 -s "Client initiated reconnection from same port"
5038
Paul Bakker362689d2016-05-13 10:33:25 +01005039not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
5040run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005041 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
5042 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005043 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005044 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +02005045 -s "Client initiated reconnection from same port"
5046
Paul Bakker362689d2016-05-13 10:33:25 +01005047only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
5048run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
5049 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
5050 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
5051 0 \
5052 -S "The operation timed out" \
5053 -s "Client initiated reconnection from same port"
5054
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005055run_test "DTLS client reconnect from same port: no cookies" \
5056 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +02005057 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
5058 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +02005059 -s "The operation timed out" \
5060 -S "Client initiated reconnection from same port"
5061
Manuel Pégourié-Gonnarda58b0462020-03-13 11:11:02 +01005062run_test "DTLS client reconnect from same port: attacker-injected" \
5063 -p "$P_PXY inject_clihlo=1" \
5064 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
5065 "$P_CLI dtls=1 exchanges=2" \
5066 0 \
5067 -s "possible client reconnect from the same port" \
5068 -S "Client initiated reconnection from same port"
5069
# Tests for various cases of client authentication with DTLS
# (focused on handshake flows and message parsing)
#
# run_test is defined earlier in the file, outside this excerpt. As used here,
# -c/-s name a pattern expected in the client/server log and the bare number
# is the expected exit status.

# auth_mode=required: the server must report a successful verification of the
# client certificate.
run_test "DTLS client auth: required" \
 "$P_SRV dtls=1 auth_mode=required" \
 "$P_CLI dtls=1" \
 0 \
 -s "Verifying peer X.509 certificate... ok"

# auth_mode=optional with a certificate-less client: the handshake still
# succeeds, and the server must log that the certificate was missing.
run_test "DTLS client auth: optional, client has no cert" \
 "$P_SRV dtls=1 auth_mode=optional" \
 "$P_CLI dtls=1 crt_file=none key_file=none" \
 0 \
 -s "! Certificate was missing"

# auth_mode=none: the client skips writing a certificate and the server logs
# that verification was skipped, i.e. the client is unauthenticated.
run_test "DTLS client auth: none, client has no cert" \
 "$P_SRV dtls=1 auth_mode=none" \
 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
 0 \
 -c "skip write certificate$" \
 -s "! Certificate verification was skipped"

# Mismatched pre-shared keys (abc123 vs abc124): the handshake must fail
# (exit status 1), with a MAC verification failure on the server and a fatal
# alert received by the client.
run_test "DTLS wrong PSK: badmac alert" \
 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
 "$P_CLI dtls=1 psk=abc124" \
 1 \
 -s "SSL - Verification of the message MAC failed" \
 -c "SSL - A fatal alert message was received from our peer"
5098
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +02005099# Tests for receiving fragmented handshake messages with DTLS
5100
5101requires_gnutls
5102run_test "DTLS reassembly: no fragmentation (gnutls server)" \
5103 "$G_SRV -u --mtu 2048 -a" \
5104 "$P_CLI dtls=1 debug_level=2" \
5105 0 \
5106 -C "found fragmented DTLS handshake message" \
5107 -C "error"
5108
5109requires_gnutls
5110run_test "DTLS reassembly: some fragmentation (gnutls server)" \
5111 "$G_SRV -u --mtu 512" \
5112 "$P_CLI dtls=1 debug_level=2" \
5113 0 \
5114 -c "found fragmented DTLS handshake message" \
5115 -C "error"
5116
5117requires_gnutls
5118run_test "DTLS reassembly: more fragmentation (gnutls server)" \
5119 "$G_SRV -u --mtu 128" \
5120 "$P_CLI dtls=1 debug_level=2" \
5121 0 \
5122 -c "found fragmented DTLS handshake message" \
5123 -C "error"
5124
5125requires_gnutls
5126run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
5127 "$G_SRV -u --mtu 128" \
5128 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5129 0 \
5130 -c "found fragmented DTLS handshake message" \
5131 -C "error"
5132
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005133requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005134requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005135run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
5136 "$G_SRV -u --mtu 256" \
5137 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
5138 0 \
5139 -c "found fragmented DTLS handshake message" \
5140 -c "client hello, adding renegotiation extension" \
5141 -c "found renegotiation extension" \
5142 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005143 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005144 -C "error" \
5145 -s "Extra-header:"
5146
5147requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +01005148requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005149run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
5150 "$G_SRV -u --mtu 256" \
5151 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
5152 0 \
5153 -c "found fragmented DTLS handshake message" \
5154 -c "client hello, adding renegotiation extension" \
5155 -c "found renegotiation extension" \
5156 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +02005157 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +02005158 -C "error" \
5159 -s "Extra-header:"
5160
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005161run_test "DTLS reassembly: no fragmentation (openssl server)" \
5162 "$O_SRV -dtls1 -mtu 2048" \
5163 "$P_CLI dtls=1 debug_level=2" \
5164 0 \
5165 -C "found fragmented DTLS handshake message" \
5166 -C "error"
5167
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005168run_test "DTLS reassembly: some fragmentation (openssl server)" \
5169 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005170 "$P_CLI dtls=1 debug_level=2" \
5171 0 \
5172 -c "found fragmented DTLS handshake message" \
5173 -C "error"
5174
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005175run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +02005176 "$O_SRV -dtls1 -mtu 256" \
5177 "$P_CLI dtls=1 debug_level=2" \
5178 0 \
5179 -c "found fragmented DTLS handshake message" \
5180 -C "error"
5181
5182run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
5183 "$O_SRV -dtls1 -mtu 256" \
5184 "$P_CLI dtls=1 nbio=2 debug_level=2" \
5185 0 \
5186 -c "found fragmented DTLS handshake message" \
5187 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +02005188
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005189# Tests for specific things with "unreliable" UDP connection
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005190
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005191not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005192run_test "DTLS proxy: reference" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +02005193 -p "$P_PXY" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005194 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5195 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005196 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005197 -C "replayed record" \
5198 -S "replayed record" \
5199 -C "record from another epoch" \
5200 -S "record from another epoch" \
5201 -C "discarding invalid record" \
5202 -S "discarding invalid record" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005203 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005204 -s "Extra-header:" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005205 -c "HTTP/1.0 200 OK"
5206
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005207not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005208run_test "DTLS proxy: duplicate every packet" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005209 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb1ee30b2019-09-09 11:14:37 +02005210 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
5211 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +02005212 0 \
Manuel Pégourié-Gonnardb47368a2014-09-24 13:29:58 +02005213 -c "replayed record" \
5214 -s "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005215 -c "record from another epoch" \
5216 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005217 -S "resend" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005218 -s "Extra-header:" \
5219 -c "HTTP/1.0 200 OK"
5220
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005221run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
5222 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005223 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
5224 "$P_CLI dtls=1 debug_level=2" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005225 0 \
5226 -c "replayed record" \
5227 -S "replayed record" \
Hanno Beckera34cc6b2017-05-26 16:07:36 +01005228 -c "record from another epoch" \
5229 -s "record from another epoch" \
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +02005230 -c "resend" \
5231 -s "resend" \
Manuel Pégourié-Gonnard27393132014-09-24 14:41:11 +02005232 -s "Extra-header:" \
5233 -c "HTTP/1.0 200 OK"
5234
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005235run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +02005236 -p "$P_PXY bad_ad=1" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005237 "$P_SRV dtls=1 debug_level=1" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005238 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005239 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005240 -c "discarding invalid record (mac)" \
5241 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005242 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005243 -c "HTTP/1.0 200 OK" \
5244 -S "too many records with bad MAC" \
5245 -S "Verification of the message MAC failed"
5246
5247run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
5248 -p "$P_PXY bad_ad=1" \
5249 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
5250 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5251 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005252 -C "discarding invalid record (mac)" \
5253 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005254 -S "Extra-header:" \
5255 -C "HTTP/1.0 200 OK" \
5256 -s "too many records with bad MAC" \
5257 -s "Verification of the message MAC failed"
5258
5259run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
5260 -p "$P_PXY bad_ad=1" \
5261 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
5262 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
5263 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005264 -c "discarding invalid record (mac)" \
5265 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005266 -s "Extra-header:" \
5267 -c "HTTP/1.0 200 OK" \
5268 -S "too many records with bad MAC" \
5269 -S "Verification of the message MAC failed"
5270
5271run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
5272 -p "$P_PXY bad_ad=1" \
5273 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
5274 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
5275 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +02005276 -c "discarding invalid record (mac)" \
5277 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +02005278 -s "Extra-header:" \
5279 -c "HTTP/1.0 200 OK" \
5280 -s "too many records with bad MAC" \
5281 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005282
5283run_test "DTLS proxy: delay ChangeCipherSpec" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005284 -p "$P_PXY delay_ccs=1" \
5285 "$P_SRV dtls=1 debug_level=1" \
5286 "$P_CLI dtls=1 debug_level=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005287 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +02005288 -c "record from another epoch" \
5289 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005290 -s "Extra-header:" \
5291 -c "HTTP/1.0 200 OK"
5292
Manuel Pégourié-Gonnard7a66cbc2014-09-26 16:31:46 +02005293# Tests for "randomly unreliable connection": try a variety of flows and peers
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005294
Janos Follath74537a62016-09-02 13:45:28 +01005295client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005296run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005297 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005298 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005299 psk=abc123" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005300 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005301 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5302 0 \
5303 -s "Extra-header:" \
5304 -c "HTTP/1.0 200 OK"
5305
Janos Follath74537a62016-09-02 13:45:28 +01005306client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005307run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
5308 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005309 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5310 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005311 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5312 0 \
5313 -s "Extra-header:" \
5314 -c "HTTP/1.0 200 OK"
5315
Janos Follath74537a62016-09-02 13:45:28 +01005316client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005317run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
5318 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005319 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none" \
5320 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005321 0 \
5322 -s "Extra-header:" \
5323 -c "HTTP/1.0 200 OK"
5324
Janos Follath74537a62016-09-02 13:45:28 +01005325client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005326run_test "DTLS proxy: 3d, FS, client auth" \
5327 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005328 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=required" \
5329 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005330 0 \
5331 -s "Extra-header:" \
5332 -c "HTTP/1.0 200 OK"
5333
Janos Follath74537a62016-09-02 13:45:28 +01005334client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005335run_test "DTLS proxy: 3d, FS, ticket" \
5336 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005337 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=none" \
5338 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005339 0 \
5340 -s "Extra-header:" \
5341 -c "HTTP/1.0 200 OK"
5342
Janos Follath74537a62016-09-02 13:45:28 +01005343client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +02005344run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
5345 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005346 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=1 auth_mode=required" \
5347 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +02005348 0 \
5349 -s "Extra-header:" \
5350 -c "HTTP/1.0 200 OK"
5351
Janos Follath74537a62016-09-02 13:45:28 +01005352client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005353run_test "DTLS proxy: 3d, max handshake, nbio" \
5354 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005355 "$P_SRV dtls=1 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005356 auth_mode=required" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005357 "$P_CLI dtls=1 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005358 0 \
5359 -s "Extra-header:" \
5360 -c "HTTP/1.0 200 OK"
5361
Janos Follath74537a62016-09-02 13:45:28 +01005362client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005363run_test "DTLS proxy: 3d, min handshake, resumption" \
5364 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005365 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005366 psk=abc123 debug_level=3" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005367 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005368 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +02005369 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5370 0 \
5371 -s "a session has been resumed" \
5372 -c "a session has been resumed" \
5373 -s "Extra-header:" \
5374 -c "HTTP/1.0 200 OK"
5375
Janos Follath74537a62016-09-02 13:45:28 +01005376client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005377run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
5378 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005379 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005380 psk=abc123 debug_level=3 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005381 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard5e261e92020-02-17 11:04:33 +01005382 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +02005383 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
5384 0 \
5385 -s "a session has been resumed" \
5386 -c "a session has been resumed" \
5387 -s "Extra-header:" \
5388 -c "HTTP/1.0 200 OK"
5389
Janos Follath74537a62016-09-02 13:45:28 +01005390client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005391requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005392run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005393 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005394 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005395 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005396 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005397 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +02005398 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5399 0 \
5400 -c "=> renegotiate" \
5401 -s "=> renegotiate" \
5402 -s "Extra-header:" \
5403 -c "HTTP/1.0 200 OK"
5404
Janos Follath74537a62016-09-02 13:45:28 +01005405client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005406requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005407run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
5408 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005409 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005410 psk=abc123 renegotiation=1 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005411 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +02005412 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005413 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5414 0 \
5415 -c "=> renegotiate" \
5416 -s "=> renegotiate" \
5417 -s "Extra-header:" \
5418 -c "HTTP/1.0 200 OK"
5419
Janos Follath74537a62016-09-02 13:45:28 +01005420client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005421requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005422run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005423 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005424 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005425 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005426 debug_level=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005427 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005428 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005429 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5430 0 \
5431 -c "=> renegotiate" \
5432 -s "=> renegotiate" \
5433 -s "Extra-header:" \
5434 -c "HTTP/1.0 200 OK"
5435
Janos Follath74537a62016-09-02 13:45:28 +01005436client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +01005437requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005438run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005439 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005440 "$P_SRV dtls=1 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005441 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005442 debug_level=2 nbio=2" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005443 "$P_CLI dtls=1 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +02005444 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +02005445 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
5446 0 \
5447 -c "=> renegotiate" \
5448 -s "=> renegotiate" \
5449 -s "Extra-header:" \
5450 -c "HTTP/1.0 200 OK"
5451
Janos Follath74537a62016-09-02 13:45:28 +01005452client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005453not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005454run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005455 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5456 "$O_SRV -dtls1 -mtu 2048" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005457 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005458 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +02005459 -c "HTTP/1.0 200 OK"
5460
Janos Follath74537a62016-09-02 13:45:28 +01005461client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005462not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005463run_test "DTLS proxy: 3d, openssl server, fragmentation" \
5464 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5465 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005466 "$P_CLI dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005467 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005468 -c "HTTP/1.0 200 OK"
5469
Janos Follath74537a62016-09-02 13:45:28 +01005470client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005471not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005472run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
5473 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
5474 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005475 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005476 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005477 -c "HTTP/1.0 200 OK"
5478
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005479requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005480client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005481not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005482run_test "DTLS proxy: 3d, gnutls server" \
5483 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5484 "$G_SRV -u --mtu 2048 -a" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005485 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005486 0 \
5487 -s "Extra-header:" \
5488 -c "Extra-header:"
5489
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005490requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005491client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005492not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005493run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
5494 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5495 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005496 "$P_CLI dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +02005497 0 \
5498 -s "Extra-header:" \
5499 -c "Extra-header:"
5500
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +00005501requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +01005502client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +02005503not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005504run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
5505 -p "$P_PXY drop=5 delay=5 duplicate=5" \
5506 "$G_SRV -u --mtu 512" \
Manuel Pégourié-Gonnardaa719e72020-03-03 10:08:15 +01005507 "$P_CLI dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +02005508 0 \
5509 -s "Extra-header:" \
5510 -c "Extra-header:"
5511
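# Final report
#
# Prints the overall verdict followed by the passed/total/skipped counts,
# then exits with the number of failed tests (capped at 255).
# Reads FAILS, TESTS and SKIPS, which are maintained earlier in the script.

echo "------------------------------------------------------------------------"

if [ "$FAILS" = 0 ]; then
    printf "PASSED"
else
    printf "FAILED"
fi
PASSES=$(( $TESTS - $FAILS ))
echo " ($PASSES / $TESTS tests ($SKIPS skipped))"

# The caller only receives the low 8 bits of the exit status, so 256 failures
# (or any multiple of 256) would otherwise be reported as success. Cap the
# status so that any failing run stays non-zero.
if [ "$FAILS" -gt 255 ]; then
    FAILS=255
fi

exit "$FAILS"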