TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f2629b965e1e4f8af29167b40a56b84270284cff / . / tests / ssl-opt.sh
blob: 9c411974754901defee387510cf15f2519d3d753 [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
3# Test various options that are not covered by compat.sh
4#
5# Here the goal is not to cover every ciphersuite/version, but
6# rather specific options (max fragment length, truncated hmac, etc)
7# or procedures (session resumption from cache or ticket, renego, etc).
8#
9# Assumes all options are compiled in.
10
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]11set -u
12
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]13# default values, can be overriden by the environment
14: ${P_SRV:=../programs/ssl/ssl_server2}
15: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]16: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]17: ${GNUTLS_CLI:=gnutls-cli}
18: ${GNUTLS_SERV:=gnutls-serv}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]19
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]20O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
21O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]22G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
23G_CLI="$GNUTLS_CLI"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]24
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]25TESTS=0
26FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]27SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]28
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]29CONFIG_H='../include/polarssl/config.h'
30
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]31MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]32FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]33EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]34
35print_usage() {
36 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]37 echo -e " -h|--help\tPrint this help."
38 echo -e " -m|--memcheck\tCheck memory leaks and errors."
39 echo -e " -f|--filter\tOnly matching tests are executed (default: '$FILTER')"
40 echo -e " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]41}
42
43get_options() {
44 while [ $# -gt 0 ]; do
45 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]46 -f|--filter)
47 shift; FILTER=$1
48 ;;
49 -e|--exclude)
50 shift; EXCLUDE=$1
51 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]52 -m|--memcheck)
53 MEMCHECK=1
54 ;;
55 -h|--help)
56 print_usage
57 exit 0
58 ;;
59 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]60 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]61 print_usage
62 exit 1
63 ;;
64 esac
65 shift
66 done
67}
68
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]69# skip next test if OpenSSL can't send SSLv2 ClientHello
70requires_openssl_with_sslv2() {
71 if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then
72 if openssl ciphers -ssl2 >/dev/null 2>&1; then
73 OPENSSL_HAS_SSL2="YES"
74 else
75 OPENSSL_HAS_SSL2="NO"
76 fi
77 fi
78 if [ "$OPENSSL_HAS_SSL2" = "NO" ]; then
79 SKIP_NEXT="YES"
80 fi
81}
82
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]83# skip next test if GnuTLS isn't available
84requires_gnutls() {
85 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
86 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null; then
87 GNUTLS_AVAILABLE="YES"
88 else
89 GNUTLS_AVAILABLE="NO"
90 fi
91 fi
92 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
93 SKIP_NEXT="YES"
94 fi
95}
96
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]97# print_name <name>
98print_name() {
99 echo -n "$1 "
100 LEN=`echo "$1" | wc -c`
101 LEN=`echo 72 - $LEN | bc`
102 for i in `seq 1 $LEN`; do echo -n '.'; done
103 echo -n ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]104
105 TESTS=`echo $TESTS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]106}
107
108# fail <message>
109fail() {
110 echo "FAIL"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]111 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]112
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]113 cp $SRV_OUT o-srv-${TESTS}.log
114 cp $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]115 echo " ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]116
117 FAILS=`echo $FAILS + 1 | bc`
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]118}
119
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]120# is_polar <cmd_line>
121is_polar() {
122 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
123}
124
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]125# has_mem_err <log_file_name>
126has_mem_err() {
127 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
128 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
129 then
130 return 1 # false: does not have errors
131 else
132 return 0 # true: has errors
133 fi
134}
135
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]136# wait for server to start: two versions depending on lsof availability
137wait_server_start() {
138 if which lsof >/dev/null; then
139 # make sure we don't loop forever
140 ( sleep "$DOG_DELAY"; echo "SERVERSTART TIMEOUT"; kill $MAIN_PID ) &
141 WATCHDOG_PID=$!
142
143 # make a tight loop, server usually takes less than 1 sec to start
144 until lsof -nbi TCP:"$PORT" | grep LISTEN >/dev/null; do :; done
145
146 kill $WATCHDOG_PID
147 wait $WATCHDOG_PID
148 else
149 sleep "$START_DELAY"
150 fi
151}
152
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]153# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]154# Options: -s pattern pattern that must be present in server output
155# -c pattern pattern that must be present in client output
156# -S pattern pattern that must be absent in server output
157# -C pattern pattern that must be absent in client output
158run_test() {
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]159 NAME="$1"
160 SRV_CMD="$2"
161 CLI_CMD="$3"
162 CLI_EXPECT="$4"
163 shift 4
164
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]165 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
166 else
167 return
168 fi
169
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]170 print_name "$NAME"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]171
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]172 # should we skip?
173 if [ "X$SKIP_NEXT" = "XYES" ]; then
174 SKIP_NEXT="NO"
175 echo "SKIP"
176 SKIPS=`echo $SKIPS + 1 | bc`
177 return
178 fi
179
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]180 # prepend valgrind to our commands if active
181 if [ "$MEMCHECK" -gt 0 ]; then
182 if is_polar "$SRV_CMD"; then
183 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
184 fi
185 if is_polar "$CLI_CMD"; then
186 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
187 fi
188 fi
189
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]190 # run the commands
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]191 echo "$SRV_CMD" > $SRV_OUT
192 $SRV_CMD >> $SRV_OUT 2>&1 &
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]193 SRV_PID=$!
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]194 wait_server_start
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]195 echo "$CLI_CMD" > $CLI_OUT
196 eval "$CLI_CMD" >> $CLI_OUT 2>&1
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]197 CLI_EXIT=$?
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]198 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Manuel Pégourié-Gonnarde01af4c2014-03-25 14:16:44 +0100[diff] [blame]199
Manuel Pégourié-Gonnard74b11702014-08-14 15:47:33 +0200[diff] [blame]200 # kill the server
201 kill $SRV_PID
202 wait $SRV_PID
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]203
204 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]205 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]206 # expected client exit to incorrectly succeed in case of catastrophic
207 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]208 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]209 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]210 else
211 fail "server failed to start"
212 return
213 fi
214 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]215 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]216 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]217 else
218 fail "client failed to start"
219 return
220 fi
221 fi
222
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]223 # check server exit code
224 if [ $? != 0 ]; then
225 fail "server fail"
226 return
227 fi
228
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]229 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]230 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
231 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]232 then
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]233 fail "bad client exit code"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]234 return
235 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]236
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]237 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]238 # lines beginning with == are added by valgrind, ignore them
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]239 while [ $# -gt 0 ]
240 do
241 case $1 in
242 "-s")
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]243 if grep -v '^==' $SRV_OUT | grep "$2" >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]244 fail "-s $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]245 return
246 fi
247 ;;
248
249 "-c")
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]250 if grep -v '^==' $CLI_OUT | grep "$2" >/dev/null; then :; else
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]251 fail "-c $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]252 return
253 fi
254 ;;
255
256 "-S")
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]257 if grep -v '^==' $SRV_OUT | grep "$2" >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]258 fail "-S $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]259 return
260 fi
261 ;;
262
263 "-C")
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]264 if grep -v '^==' $CLI_OUT | grep "$2" >/dev/null; then
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]265 fail "-C $2"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]266 return
267 fi
268 ;;
269
270 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]271 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]272 exit 1
273 esac
274 shift 2
275 done
276
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]277 # check valgrind's results
278 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]279 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]280 fail "Server has memory errors"
281 return
282 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]283 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]284 fail "Client has memory errors"
285 return
286 fi
287 fi
288
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]289 # if we're here, everything is ok
290 echo "PASS"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]291 rm -f $SRV_OUT $CLI_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]292}
293
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]294cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]295 rm -f $CLI_OUT $SRV_OUT $SESSION
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]296 kill $SRV_PID >/dev/null 2>&1
297 kill $WATCHDOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]298 exit 1
299}
300
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]301#
302# MAIN
303#
304
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]305get_options "$@"
306
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]307# sanity checks, avoid an avalanche of errors
308if [ ! -x "$P_SRV" ]; then
309 echo "Command '$P_SRV' is not an executable file"
310 exit 1
311fi
312if [ ! -x "$P_CLI" ]; then
313 echo "Command '$P_CLI' is not an executable file"
314 exit 1
315fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]316if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
317 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]318 exit 1
319fi
320
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]321# used by watchdog
322MAIN_PID="$$"
323
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]324# be more patient with valgrind
325if [ "$MEMCHECK" -gt 0 ]; then
326 START_DELAY=3
327 DOG_DELAY=30
328else
329 START_DELAY=1
330 DOG_DELAY=10
331fi
332
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]333# Pick a "unique" port in the range 10000-19999.
334PORT="0000$$"
Manuel Pégourié-Gonnardfab2a3c2014-06-16 16:54:36 +0200[diff] [blame]335PORT="1$(echo $PORT | tail -c 5)"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]336
337# fix commands to use this port
338P_SRV="$P_SRV server_port=$PORT"
339P_CLI="$P_CLI server_port=$PORT"
340O_SRV="$O_SRV -accept $PORT"
341O_CLI="$O_CLI -connect localhost:$PORT"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]342G_SRV="$G_SRV -p $PORT"
343G_CLI="$G_CLI -p $PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]344
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]345# Also pick a unique name for intermediate files
346SRV_OUT="srv_out.$$"
347CLI_OUT="cli_out.$$"
348SESSION="session.$$"
349
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]350SKIP_NEXT="NO"
351
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]352trap cleanup INT TERM HUP
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]353
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]354# Basic test
355
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]356# Checks that:
357# - things work with all ciphersuites active (used with config-full in all.sh)
358# - the expected (highest security) parameters are selected
359# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]360run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]361 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]362 "$P_CLI" \
363 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]364 -s "Protocol is TLSv1.2" \
365 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
366 -s "client hello v3, signature_algorithm ext: 6" \
367 -s "ECDHE curve: secp521r1" \
368 -S "error" \
369 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]370
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]371# Test for SSLv2 ClientHello
372
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]373requires_openssl_with_sslv2
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]374run_test "SSLv2 ClientHello #0 (reference)" \
375 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]376 "$O_CLI -no_ssl2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]377 0 \
378 -S "parse client hello v2" \
379 -S "ssl_handshake returned"
380
381# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]382requires_openssl_with_sslv2
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]383run_test "SSLv2 ClientHello #1 (actual test)" \
384 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]385 "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]386 0 \
387 -s "parse client hello v2" \
388 -S "ssl_handshake returned"
389
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]390# Tests for Truncated HMAC extension
391
392run_test "Truncated HMAC #0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]393 "$P_SRV debug_level=5" \
394 "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]395 0 \
396 -s "dumping 'computed mac' (20 bytes)"
397
398run_test "Truncated HMAC #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]399 "$P_SRV debug_level=5" \
400 "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]401 0 \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]402 -s "dumping 'computed mac' (10 bytes)"
403
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]404# Tests for Session Tickets
405
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]406run_test "Session resume using tickets #1 (basic)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]407 "$P_SRV debug_level=4 tickets=1" \
408 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]409 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]410 -c "client hello, adding session ticket extension" \
411 -s "found session ticket extension" \
412 -s "server hello, adding session ticket extension" \
413 -c "found session_ticket extension" \
414 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]415 -S "session successfully restored from cache" \
416 -s "session successfully restored from ticket" \
417 -s "a session has been resumed" \
418 -c "a session has been resumed"
419
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]420run_test "Session resume using tickets #2 (cache disabled)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]421 "$P_SRV debug_level=4 tickets=1 cache_max=0" \
422 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]423 0 \
424 -c "client hello, adding session ticket extension" \
425 -s "found session ticket extension" \
426 -s "server hello, adding session ticket extension" \
427 -c "found session_ticket extension" \
428 -c "parse new session ticket" \
429 -S "session successfully restored from cache" \
430 -s "session successfully restored from ticket" \
431 -s "a session has been resumed" \
432 -c "a session has been resumed"
433
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]434run_test "Session resume using tickets #3 (timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]435 "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \
436 "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]437 0 \
438 -c "client hello, adding session ticket extension" \
439 -s "found session ticket extension" \
440 -s "server hello, adding session ticket extension" \
441 -c "found session_ticket extension" \
442 -c "parse new session ticket" \
443 -S "session successfully restored from cache" \
444 -S "session successfully restored from ticket" \
445 -S "a session has been resumed" \
446 -C "a session has been resumed"
447
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]448run_test "Session resume using tickets #4 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]449 "$O_SRV" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]450 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
451 0 \
452 -c "client hello, adding session ticket extension" \
453 -c "found session_ticket extension" \
454 -c "parse new session ticket" \
455 -c "a session has been resumed"
456
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]457run_test "Session resume using tickets #5 (openssl client)" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]458 "$P_SRV debug_level=4 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]459 "( $O_CLI -sess_out $SESSION; \
460 $O_CLI -sess_in $SESSION; \
461 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]462 0 \
463 -s "found session ticket extension" \
464 -s "server hello, adding session ticket extension" \
465 -S "session successfully restored from cache" \
466 -s "session successfully restored from ticket" \
467 -s "a session has been resumed"
468
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]469# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]470
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]471run_test "Session resume using cache #1 (tickets enabled on client)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]472 "$P_SRV debug_level=4 tickets=0" \
473 "$P_CLI debug_level=4 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]474 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]475 -c "client hello, adding session ticket extension" \
476 -s "found session ticket extension" \
477 -S "server hello, adding session ticket extension" \
478 -C "found session_ticket extension" \
479 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]480 -s "session successfully restored from cache" \
481 -S "session successfully restored from ticket" \
482 -s "a session has been resumed" \
483 -c "a session has been resumed"
484
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]485run_test "Session resume using cache #2 (tickets enabled on server)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]486 "$P_SRV debug_level=4 tickets=1" \
487 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]488 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]489 -C "client hello, adding session ticket extension" \
490 -S "found session ticket extension" \
491 -S "server hello, adding session ticket extension" \
492 -C "found session_ticket extension" \
493 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]494 -s "session successfully restored from cache" \
495 -S "session successfully restored from ticket" \
496 -s "a session has been resumed" \
497 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]498
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]499run_test "Session resume using cache #3 (cache_max=0)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]500 "$P_SRV debug_level=4 tickets=0 cache_max=0" \
501 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]502 0 \
503 -S "session successfully restored from cache" \
504 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]505 -S "a session has been resumed" \
506 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]507
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]508run_test "Session resume using cache #4 (cache_max=1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]509 "$P_SRV debug_level=4 tickets=0 cache_max=1" \
510 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]511 0 \
512 -s "session successfully restored from cache" \
513 -S "session successfully restored from ticket" \
514 -s "a session has been resumed" \
515 -c "a session has been resumed"
516
517run_test "Session resume using cache #5 (timemout > delay)" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]518 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]519 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]520 0 \
521 -s "session successfully restored from cache" \
522 -S "session successfully restored from ticket" \
523 -s "a session has been resumed" \
524 -c "a session has been resumed"
525
526run_test "Session resume using cache #6 (timeout < delay)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]527 "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
528 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]529 0 \
530 -S "session successfully restored from cache" \
531 -S "session successfully restored from ticket" \
532 -S "a session has been resumed" \
533 -C "a session has been resumed"
534
535run_test "Session resume using cache #7 (no timeout)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]536 "$P_SRV debug_level=4 tickets=0 cache_timeout=0" \
537 "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]538 0 \
539 -s "session successfully restored from cache" \
540 -S "session successfully restored from ticket" \
541 -s "a session has been resumed" \
542 -c "a session has been resumed"
543
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]544run_test "Session resume using cache #8 (openssl client)" \
545 "$P_SRV debug_level=4 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]546 "( $O_CLI -sess_out $SESSION; \
547 $O_CLI -sess_in $SESSION; \
548 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]549 0 \
550 -s "found session ticket extension" \
551 -S "server hello, adding session ticket extension" \
552 -s "session successfully restored from cache" \
553 -S "session successfully restored from ticket" \
554 -s "a session has been resumed"
555
556run_test "Session resume using cache #9 (openssl server)" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]557 "$O_SRV" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]558 "$P_CLI debug_level=4 tickets=0 reconnect=1" \
559 0 \
560 -C "found session_ticket extension" \
561 -C "parse new session ticket" \
562 -c "a session has been resumed"
563
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]564# Tests for Max Fragment Length extension
565
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]566run_test "Max fragment length #1" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]567 "$P_SRV debug_level=4" \
568 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]569 0 \
570 -C "client hello, adding max_fragment_length extension" \
571 -S "found max fragment length extension" \
572 -S "server hello, max_fragment_length extension" \
573 -C "found max_fragment_length extension"
574
575run_test "Max fragment length #2" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]576 "$P_SRV debug_level=4" \
577 "$P_CLI debug_level=4 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]578 0 \
579 -c "client hello, adding max_fragment_length extension" \
580 -s "found max fragment length extension" \
581 -s "server hello, max_fragment_length extension" \
582 -c "found max_fragment_length extension"
583
584run_test "Max fragment length #3" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]585 "$P_SRV debug_level=4 max_frag_len=4096" \
586 "$P_CLI debug_level=4" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]587 0 \
588 -C "client hello, adding max_fragment_length extension" \
589 -S "found max fragment length extension" \
590 -S "server hello, max_fragment_length extension" \
591 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]592
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]593run_test "Max fragment length #4 (GnuTLS server)" \
594 "$G_SRV" \
595 "$P_CLI debug_level=4 max_frag_len=4096" \
596 0 \
597 -c "client hello, adding max_fragment_length extension" \
598 -c "found max_fragment_length extension"
599
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]600# Tests for renegotiation
601
602run_test "Renegotiation #0 (none)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]603 "$P_SRV debug_level=4 exchanges=2" \
604 "$P_CLI debug_level=4 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]605 0 \
606 -C "client hello, adding renegotiation extension" \
607 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
608 -S "found renegotiation extension" \
609 -s "server hello, secure renegotiation extension" \
610 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]611 -C "=> renegotiate" \
612 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]613 -S "write hello request"
614
615run_test "Renegotiation #1 (enabled, client-initiated)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]616 "$P_SRV debug_level=4 exchanges=2 renegotiation=1" \
617 "$P_CLI debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]618 0 \
619 -c "client hello, adding renegotiation extension" \
620 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
621 -s "found renegotiation extension" \
622 -s "server hello, secure renegotiation extension" \
623 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]624 -c "=> renegotiate" \
625 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]626 -S "write hello request"
627
628run_test "Renegotiation #2 (enabled, server-initiated)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]629 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
630 "$P_CLI debug_level=4 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]631 0 \
632 -c "client hello, adding renegotiation extension" \
633 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
634 -s "found renegotiation extension" \
635 -s "server hello, secure renegotiation extension" \
636 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]637 -c "=> renegotiate" \
638 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]639 -s "write hello request"
640
641run_test "Renegotiation #3 (enabled, double)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]642 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
643 "$P_CLI debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]644 0 \
645 -c "client hello, adding renegotiation extension" \
646 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
647 -s "found renegotiation extension" \
648 -s "server hello, secure renegotiation extension" \
649 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]650 -c "=> renegotiate" \
651 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]652 -s "write hello request"
653
654run_test "Renegotiation #4 (client-initiated, server-rejected)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]655 "$P_SRV debug_level=4 exchanges=2 renegotiation=0" \
656 "$P_CLI debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]657 1 \
658 -c "client hello, adding renegotiation extension" \
659 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
660 -S "found renegotiation extension" \
661 -s "server hello, secure renegotiation extension" \
662 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]663 -c "=> renegotiate" \
664 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]665 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]666 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]667 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]668
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]669run_test "Renegotiation #5 (server-initiated, client-rejected, default)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]670 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1" \
671 "$P_CLI debug_level=4 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]672 0 \
673 -C "client hello, adding renegotiation extension" \
674 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
675 -S "found renegotiation extension" \
676 -s "server hello, secure renegotiation extension" \
677 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]678 -C "=> renegotiate" \
679 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]680 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]681 -S "SSL - An unexpected message was received from our peer" \
682 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]683
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]684run_test "Renegotiation #6 (server-initiated, client-rejected, not enforced)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]685 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]686 renego_delay=-1" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]687 "$P_CLI debug_level=4 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]688 0 \
689 -C "client hello, adding renegotiation extension" \
690 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
691 -S "found renegotiation extension" \
692 -s "server hello, secure renegotiation extension" \
693 -c "found renegotiation extension" \
694 -C "=> renegotiate" \
695 -S "=> renegotiate" \
696 -s "write hello request" \
697 -S "SSL - An unexpected message was received from our peer" \
698 -S "failed"
699
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]700# delay 2 for 1 alert record + 1 application data record
701run_test "Renegotiation #7 (server-initiated, client-rejected, delay 2)" \
702 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1 \
703 renego_delay=2" \
704 "$P_CLI debug_level=4 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]705 0 \
706 -C "client hello, adding renegotiation extension" \
707 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
708 -S "found renegotiation extension" \
709 -s "server hello, secure renegotiation extension" \
710 -c "found renegotiation extension" \
711 -C "=> renegotiate" \
712 -S "=> renegotiate" \
713 -s "write hello request" \
714 -S "SSL - An unexpected message was received from our peer" \
715 -S "failed"
716
717run_test "Renegotiation #8 (server-initiated, client-rejected, delay 0)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]718 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]719 renego_delay=0" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]720 "$P_CLI debug_level=4 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]721 0 \
722 -C "client hello, adding renegotiation extension" \
723 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
724 -S "found renegotiation extension" \
725 -s "server hello, secure renegotiation extension" \
726 -c "found renegotiation extension" \
727 -C "=> renegotiate" \
728 -S "=> renegotiate" \
729 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]730 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]731
732run_test "Renegotiation #9 (server-initiated, client-accepted, delay 0)" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]733 "$P_SRV debug_level=4 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]734 renego_delay=0" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]735 "$P_CLI debug_level=4 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]736 0 \
737 -c "client hello, adding renegotiation extension" \
738 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
739 -s "found renegotiation extension" \
740 -s "server hello, secure renegotiation extension" \
741 -c "found renegotiation extension" \
742 -c "=> renegotiate" \
743 -s "=> renegotiate" \
744 -s "write hello request" \
745 -S "SSL - An unexpected message was received from our peer" \
746 -S "failed"
747
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]748run_test "Renegotiation #10 (nbio, enabled, client-initiated)" \
749 "$P_SRV debug_level=4 nbio=2 exchanges=2 renegotiation=1" \
750 "$P_CLI debug_level=4 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
751 0 \
752 -c "client hello, adding renegotiation extension" \
753 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
754 -s "found renegotiation extension" \
755 -s "server hello, secure renegotiation extension" \
756 -c "found renegotiation extension" \
757 -c "=> renegotiate" \
758 -s "=> renegotiate" \
759 -S "write hello request"
760
761run_test "Renegotiation #11 (nbio, enabled, server-initiated)" \
762 "$P_SRV debug_level=4 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
763 "$P_CLI debug_level=4 nbio=2 exchanges=2 renegotiation=1" \
764 0 \
765 -c "client hello, adding renegotiation extension" \
766 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
767 -s "found renegotiation extension" \
768 -s "server hello, secure renegotiation extension" \
769 -c "found renegotiation extension" \
770 -c "=> renegotiate" \
771 -s "=> renegotiate" \
772 -s "write hello request"
773
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]774# Tests for auth_mode
775
776run_test "Authentication #1 (server badcert, client required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]777 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]778 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]779 "$P_CLI debug_level=2 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]780 1 \
781 -c "x509_verify_cert() returned" \
782 -c "! self-signed or not signed by a trusted CA" \
783 -c "! ssl_handshake returned" \
784 -c "X509 - Certificate verification failed"
785
786run_test "Authentication #2 (server badcert, client optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]787 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]788 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]789 "$P_CLI debug_level=2 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]790 0 \
791 -c "x509_verify_cert() returned" \
792 -c "! self-signed or not signed by a trusted CA" \
793 -C "! ssl_handshake returned" \
794 -C "X509 - Certificate verification failed"
795
796run_test "Authentication #3 (server badcert, client none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]797 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]798 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]799 "$P_CLI debug_level=2 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]800 0 \
801 -C "x509_verify_cert() returned" \
802 -C "! self-signed or not signed by a trusted CA" \
803 -C "! ssl_handshake returned" \
804 -C "X509 - Certificate verification failed"
805
806run_test "Authentication #4 (client badcert, server required)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]807 "$P_SRV debug_level=4 auth_mode=required" \
808 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]809 key_file=data_files/server5.key" \
810 1 \
811 -S "skip write certificate request" \
812 -C "skip parse certificate request" \
813 -c "got a certificate request" \
814 -C "skip write certificate" \
815 -C "skip write certificate verify" \
816 -S "skip parse certificate verify" \
817 -s "x509_verify_cert() returned" \
818 -S "! self-signed or not signed by a trusted CA" \
819 -s "! ssl_handshake returned" \
820 -c "! ssl_handshake returned" \
821 -s "X509 - Certificate verification failed"
822
823run_test "Authentication #5 (client badcert, server optional)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]824 "$P_SRV debug_level=4 auth_mode=optional" \
825 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]826 key_file=data_files/server5.key" \
827 0 \
828 -S "skip write certificate request" \
829 -C "skip parse certificate request" \
830 -c "got a certificate request" \
831 -C "skip write certificate" \
832 -C "skip write certificate verify" \
833 -S "skip parse certificate verify" \
834 -s "x509_verify_cert() returned" \
835 -s "! self-signed or not signed by a trusted CA" \
836 -S "! ssl_handshake returned" \
837 -C "! ssl_handshake returned" \
838 -S "X509 - Certificate verification failed"
839
840run_test "Authentication #6 (client badcert, server none)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]841 "$P_SRV debug_level=4 auth_mode=none" \
842 "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]843 key_file=data_files/server5.key" \
844 0 \
845 -s "skip write certificate request" \
846 -C "skip parse certificate request" \
847 -c "got no certificate request" \
848 -c "skip write certificate" \
849 -c "skip write certificate verify" \
850 -s "skip parse certificate verify" \
851 -S "x509_verify_cert() returned" \
852 -S "! self-signed or not signed by a trusted CA" \
853 -S "! ssl_handshake returned" \
854 -C "! ssl_handshake returned" \
855 -S "X509 - Certificate verification failed"
856
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]857run_test "Authentication #7 (client no cert, server optional)" \
858 "$P_SRV debug_level=4 auth_mode=optional" \
859 "$P_CLI debug_level=4 crt_file=none key_file=none" \
860 0 \
861 -S "skip write certificate request" \
862 -C "skip parse certificate request" \
863 -c "got a certificate request" \
864 -C "skip write certificate$" \
865 -C "got no certificate to send" \
866 -S "SSLv3 client has no certificate" \
867 -c "skip write certificate verify" \
868 -s "skip parse certificate verify" \
869 -s "! no client certificate sent" \
870 -S "! ssl_handshake returned" \
871 -C "! ssl_handshake returned" \
872 -S "X509 - Certificate verification failed"
873
874run_test "Authentication #8 (openssl client no cert, server optional)" \
875 "$P_SRV debug_level=4 auth_mode=optional" \
876 "$O_CLI" \
877 0 \
878 -S "skip write certificate request" \
879 -s "skip parse certificate verify" \
880 -s "! no client certificate sent" \
881 -S "! ssl_handshake returned" \
882 -S "X509 - Certificate verification failed"
883
884run_test "Authentication #9 (client no cert, openssl server optional)" \
885 "$O_SRV -verify 10" \
886 "$P_CLI debug_level=4 crt_file=none key_file=none" \
887 0 \
888 -C "skip parse certificate request" \
889 -c "got a certificate request" \
890 -C "skip write certificate$" \
891 -c "skip write certificate verify" \
892 -C "! ssl_handshake returned"
893
894run_test "Authentication #10 (client no cert, ssl3)" \
895 "$P_SRV debug_level=4 auth_mode=optional force_version=ssl3" \
896 "$P_CLI debug_level=4 crt_file=none key_file=none" \
897 0 \
898 -S "skip write certificate request" \
899 -C "skip parse certificate request" \
900 -c "got a certificate request" \
901 -C "skip write certificate$" \
902 -c "skip write certificate verify" \
903 -c "got no certificate to send" \
904 -s "SSLv3 client has no certificate" \
905 -s "skip parse certificate verify" \
906 -s "! no client certificate sent" \
907 -S "! ssl_handshake returned" \
908 -C "! ssl_handshake returned" \
909 -S "X509 - Certificate verification failed"
910
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]911# tests for SNI
912
913run_test "SNI #0 (no SNI callback)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]914 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]915 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]916 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]917 server_name=localhost" \
918 0 \
919 -S "parse ServerName extension" \
920 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
921 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
922
923run_test "SNI #1 (matching cert 1)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]924 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]925 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]926 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]927 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]928 server_name=localhost" \
929 0 \
930 -s "parse ServerName extension" \
931 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
932 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
933
934run_test "SNI #2 (matching cert 2)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]935 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]936 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]937 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]938 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]939 server_name=polarssl.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]940 0 \
941 -s "parse ServerName extension" \
942 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]943 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]944
945run_test "SNI #3 (no matching cert)" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]946 "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]947 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]948 sni=localhost,data_files/server2.crt,data_files/server2.key,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]949 "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard76b8ab72014-03-26 09:31:35 +0100[diff] [blame]950 server_name=nonesuch.example" \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]951 1 \
952 -s "parse ServerName extension" \
953 -s "ssl_sni_wrapper() returned" \
954 -s "ssl_handshake returned" \
955 -c "ssl_handshake returned" \
956 -c "SSL - A fatal alert message was received from our peer"
957
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]958# Tests for non-blocking I/O: exercise a variety of handshake flows
959
960run_test "Non-blocking I/O #1 (basic handshake)" \
961 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
962 "$P_CLI nbio=2 tickets=0" \
963 0 \
964 -S "ssl_handshake returned" \
965 -C "ssl_handshake returned" \
966 -c "Read from server: .* bytes read"
967
968run_test "Non-blocking I/O #2 (client auth)" \
969 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
970 "$P_CLI nbio=2 tickets=0" \
971 0 \
972 -S "ssl_handshake returned" \
973 -C "ssl_handshake returned" \
974 -c "Read from server: .* bytes read"
975
976run_test "Non-blocking I/O #3 (ticket)" \
977 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
978 "$P_CLI nbio=2 tickets=1" \
979 0 \
980 -S "ssl_handshake returned" \
981 -C "ssl_handshake returned" \
982 -c "Read from server: .* bytes read"
983
984run_test "Non-blocking I/O #4 (ticket + client auth)" \
985 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
986 "$P_CLI nbio=2 tickets=1" \
987 0 \
988 -S "ssl_handshake returned" \
989 -C "ssl_handshake returned" \
990 -c "Read from server: .* bytes read"
991
992run_test "Non-blocking I/O #5 (ticket + client auth + resume)" \
993 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
994 "$P_CLI nbio=2 tickets=1 reconnect=1" \
995 0 \
996 -S "ssl_handshake returned" \
997 -C "ssl_handshake returned" \
998 -c "Read from server: .* bytes read"
999
1000run_test "Non-blocking I/O #6 (ticket + resume)" \
1001 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
1002 "$P_CLI nbio=2 tickets=1 reconnect=1" \
1003 0 \
1004 -S "ssl_handshake returned" \
1005 -C "ssl_handshake returned" \
1006 -c "Read from server: .* bytes read"
1007
1008run_test "Non-blocking I/O #7 (session-id resume)" \
1009 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
1010 "$P_CLI nbio=2 tickets=0 reconnect=1" \
1011 0 \
1012 -S "ssl_handshake returned" \
1013 -C "ssl_handshake returned" \
1014 -c "Read from server: .* bytes read"
1015
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1016# Tests for version negotiation
1017
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]1018run_test "Version check #1 (all -> 1.2)" \
1019 "$P_SRV" \
1020 "$P_CLI" \
1021 0 \
1022 -S "ssl_handshake returned" \
1023 -C "ssl_handshake returned" \
1024 -s "Protocol is TLSv1.2" \
1025 -c "Protocol is TLSv1.2"
1026
1027run_test "Version check #2 (cli max 1.1 -> 1.1)" \
1028 "$P_SRV" \
1029 "$P_CLI max_version=tls1_1" \
1030 0 \
1031 -S "ssl_handshake returned" \
1032 -C "ssl_handshake returned" \
1033 -s "Protocol is TLSv1.1" \
1034 -c "Protocol is TLSv1.1"
1035
1036run_test "Version check #3 (srv max 1.1 -> 1.1)" \
1037 "$P_SRV max_version=tls1_1" \
1038 "$P_CLI" \
1039 0 \
1040 -S "ssl_handshake returned" \
1041 -C "ssl_handshake returned" \
1042 -s "Protocol is TLSv1.1" \
1043 -c "Protocol is TLSv1.1"
1044
1045run_test "Version check #4 (cli+srv max 1.1 -> 1.1)" \
1046 "$P_SRV max_version=tls1_1" \
1047 "$P_CLI max_version=tls1_1" \
1048 0 \
1049 -S "ssl_handshake returned" \
1050 -C "ssl_handshake returned" \
1051 -s "Protocol is TLSv1.1" \
1052 -c "Protocol is TLSv1.1"
1053
1054run_test "Version check #5 (cli max 1.1, srv min 1.1 -> 1.1)" \
1055 "$P_SRV min_version=tls1_1" \
1056 "$P_CLI max_version=tls1_1" \
1057 0 \
1058 -S "ssl_handshake returned" \
1059 -C "ssl_handshake returned" \
1060 -s "Protocol is TLSv1.1" \
1061 -c "Protocol is TLSv1.1"
1062
1063run_test "Version check #6 (cli min 1.1, srv max 1.1 -> 1.1)" \
1064 "$P_SRV max_version=tls1_1" \
1065 "$P_CLI min_version=tls1_1" \
1066 0 \
1067 -S "ssl_handshake returned" \
1068 -C "ssl_handshake returned" \
1069 -s "Protocol is TLSv1.1" \
1070 -c "Protocol is TLSv1.1"
1071
1072run_test "Version check #7 (cli min 1.2, srv max 1.1 -> fail)" \
1073 "$P_SRV max_version=tls1_1" \
1074 "$P_CLI min_version=tls1_2" \
1075 1 \
1076 -s "ssl_handshake returned" \
1077 -c "ssl_handshake returned" \
1078 -c "SSL - Handshake protocol not within min/max boundaries"
1079
1080run_test "Version check #8 (srv min 1.2, cli max 1.1 -> fail)" \
1081 "$P_SRV min_version=tls1_2" \
1082 "$P_CLI max_version=tls1_1" \
1083 1 \
1084 -s "ssl_handshake returned" \
1085 -c "ssl_handshake returned" \
1086 -s "SSL - Handshake protocol not within min/max boundaries"
1087
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1088# Tests for ALPN extension
1089
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1090if grep '^#define POLARSSL_SSL_ALPN' $CONFIG_H >/dev/null; then
1091
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]1092run_test "ALPN #0 (none)" \
1093 "$P_SRV debug_level=4" \
1094 "$P_CLI debug_level=4" \
1095 0 \
1096 -C "client hello, adding alpn extension" \
1097 -S "found alpn extension" \
1098 -C "got an alert message, type: \\[2:120]" \
1099 -S "server hello, adding alpn extension" \
1100 -C "found alpn extension " \
1101 -C "Application Layer Protocol is" \
1102 -S "Application Layer Protocol is"
1103
1104run_test "ALPN #1 (client only)" \
1105 "$P_SRV debug_level=4" \
1106 "$P_CLI debug_level=4 alpn=abc,1234" \
1107 0 \
1108 -c "client hello, adding alpn extension" \
1109 -s "found alpn extension" \
1110 -C "got an alert message, type: \\[2:120]" \
1111 -S "server hello, adding alpn extension" \
1112 -C "found alpn extension " \
1113 -c "Application Layer Protocol is (none)" \
1114 -S "Application Layer Protocol is"
1115
1116run_test "ALPN #2 (server only)" \
1117 "$P_SRV debug_level=4 alpn=abc,1234" \
1118 "$P_CLI debug_level=4" \
1119 0 \
1120 -C "client hello, adding alpn extension" \
1121 -S "found alpn extension" \
1122 -C "got an alert message, type: \\[2:120]" \
1123 -S "server hello, adding alpn extension" \
1124 -C "found alpn extension " \
1125 -C "Application Layer Protocol is" \
1126 -s "Application Layer Protocol is (none)"
1127
1128run_test "ALPN #3 (both, common cli1-srv1)" \
1129 "$P_SRV debug_level=4 alpn=abc,1234" \
1130 "$P_CLI debug_level=4 alpn=abc,1234" \
1131 0 \
1132 -c "client hello, adding alpn extension" \
1133 -s "found alpn extension" \
1134 -C "got an alert message, type: \\[2:120]" \
1135 -s "server hello, adding alpn extension" \
1136 -c "found alpn extension" \
1137 -c "Application Layer Protocol is abc" \
1138 -s "Application Layer Protocol is abc"
1139
1140run_test "ALPN #4 (both, common cli2-srv1)" \
1141 "$P_SRV debug_level=4 alpn=abc,1234" \
1142 "$P_CLI debug_level=4 alpn=1234,abc" \
1143 0 \
1144 -c "client hello, adding alpn extension" \
1145 -s "found alpn extension" \
1146 -C "got an alert message, type: \\[2:120]" \
1147 -s "server hello, adding alpn extension" \
1148 -c "found alpn extension" \
1149 -c "Application Layer Protocol is abc" \
1150 -s "Application Layer Protocol is abc"
1151
1152run_test "ALPN #5 (both, common cli1-srv2)" \
1153 "$P_SRV debug_level=4 alpn=abc,1234" \
1154 "$P_CLI debug_level=4 alpn=1234,abcde" \
1155 0 \
1156 -c "client hello, adding alpn extension" \
1157 -s "found alpn extension" \
1158 -C "got an alert message, type: \\[2:120]" \
1159 -s "server hello, adding alpn extension" \
1160 -c "found alpn extension" \
1161 -c "Application Layer Protocol is 1234" \
1162 -s "Application Layer Protocol is 1234"
1163
1164run_test "ALPN #6 (both, no common)" \
1165 "$P_SRV debug_level=4 alpn=abc,123" \
1166 "$P_CLI debug_level=4 alpn=1234,abcde" \
1167 1 \
1168 -c "client hello, adding alpn extension" \
1169 -s "found alpn extension" \
1170 -c "got an alert message, type: \\[2:120]" \
1171 -S "server hello, adding alpn extension" \
1172 -C "found alpn extension" \
1173 -C "Application Layer Protocol is 1234" \
1174 -S "Application Layer Protocol is 1234"
1175
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]1176fi
1177
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1178# Tests for keyUsage in leaf certificates, part 1:
1179# server-side certificate/suite selection
1180
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1181run_test "keyUsage srv #1 (RSA, digitalSignature -> (EC)DHE-RSA)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1182 "$P_SRV key_file=data_files/server2.key \
1183 crt_file=data_files/server2.ku-ds.crt" \
1184 "$P_CLI" \
1185 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]1186 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1187
1188
1189run_test "keyUsage srv #2 (RSA, keyEncipherment -> RSA)" \
1190 "$P_SRV key_file=data_files/server2.key \
1191 crt_file=data_files/server2.ku-ke.crt" \
1192 "$P_CLI" \
1193 0 \
1194 -c "Ciphersuite is TLS-RSA-WITH-"
1195
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1196run_test "keyUsage srv #3 (RSA, keyAgreement -> fail)" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame^]1197 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1198 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame^]1199 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1200 1 \
1201 -C "Ciphersuite is "
1202
1203run_test "keyUsage srv #4 (ECDSA, digitalSignature -> ECDHE-ECDSA)" \
1204 "$P_SRV key_file=data_files/server5.key \
1205 crt_file=data_files/server5.ku-ds.crt" \
1206 "$P_CLI" \
1207 0 \
1208 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
1209
1210
1211run_test "keyUsage srv #5 (ECDSA, keyAgreement -> ECDH-)" \
1212 "$P_SRV key_file=data_files/server5.key \
1213 crt_file=data_files/server5.ku-ka.crt" \
1214 "$P_CLI" \
1215 0 \
1216 -c "Ciphersuite is TLS-ECDH-"
1217
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1218run_test "keyUsage srv #6 (ECDSA, keyEncipherment -> fail)" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame^]1219 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1220 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame^]1221 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1222 1 \
1223 -C "Ciphersuite is "
1224
1225# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1226# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1227
1228run_test "keyUsage cli #1 (DigitalSignature+KeyEncipherment, RSA: OK)" \
1229 "$O_SRV -key data_files/server2.key \
1230 -cert data_files/server2.ku-ds_ke.crt" \
1231 "$P_CLI debug_level=2 \
1232 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1233 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1234 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1235 -C "Processing of the Certificate handshake message failed" \
1236 -c "Ciphersuite is TLS-"
1237
1238run_test "keyUsage cli #2 (DigitalSignature+KeyEncipherment, DHE-RSA: OK)" \
1239 "$O_SRV -key data_files/server2.key \
1240 -cert data_files/server2.ku-ds_ke.crt" \
1241 "$P_CLI debug_level=2 \
1242 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1243 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1244 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1245 -C "Processing of the Certificate handshake message failed" \
1246 -c "Ciphersuite is TLS-"
1247
1248run_test "keyUsage cli #3 (KeyEncipherment, RSA: OK)" \
1249 "$O_SRV -key data_files/server2.key \
1250 -cert data_files/server2.ku-ke.crt" \
1251 "$P_CLI debug_level=2 \
1252 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1253 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1254 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1255 -C "Processing of the Certificate handshake message failed" \
1256 -c "Ciphersuite is TLS-"
1257
1258run_test "keyUsage cli #4 (KeyEncipherment, DHE-RSA: fail)" \
1259 "$O_SRV -key data_files/server2.key \
1260 -cert data_files/server2.ku-ke.crt" \
1261 "$P_CLI debug_level=2 \
1262 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1263 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1264 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1265 -c "Processing of the Certificate handshake message failed" \
1266 -C "Ciphersuite is TLS-"
1267
1268run_test "keyUsage cli #5 (DigitalSignature, DHE-RSA: OK)" \
1269 "$O_SRV -key data_files/server2.key \
1270 -cert data_files/server2.ku-ds.crt" \
1271 "$P_CLI debug_level=2 \
1272 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1273 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1274 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1275 -C "Processing of the Certificate handshake message failed" \
1276 -c "Ciphersuite is TLS-"
1277
1278run_test "keyUsage cli #5 (DigitalSignature, RSA: fail)" \
1279 "$O_SRV -key data_files/server2.key \
1280 -cert data_files/server2.ku-ds.crt" \
1281 "$P_CLI debug_level=2 \
1282 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1283 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1284 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]1285 -c "Processing of the Certificate handshake message failed" \
1286 -C "Ciphersuite is TLS-"
1287
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]1288# Tests for keyUsage in leaf certificates, part 3:
1289# server-side checking of client cert
1290
1291run_test "keyUsage cli-auth #1 (RSA, DigitalSignature: OK)" \
1292 "$P_SRV debug_level=2 auth_mode=optional" \
1293 "$O_CLI -key data_files/server2.key \
1294 -cert data_files/server2.ku-ds.crt" \
1295 0 \
1296 -S "bad certificate (usage extensions)" \
1297 -S "Processing of the Certificate handshake message failed"
1298
1299run_test "keyUsage cli-auth #2 (RSA, KeyEncipherment: fail (soft))" \
1300 "$P_SRV debug_level=2 auth_mode=optional" \
1301 "$O_CLI -key data_files/server2.key \
1302 -cert data_files/server2.ku-ke.crt" \
1303 0 \
1304 -s "bad certificate (usage extensions)" \
1305 -S "Processing of the Certificate handshake message failed"
1306
1307run_test "keyUsage cli-auth #3 (RSA, KeyEncipherment: fail (hard))" \
1308 "$P_SRV debug_level=2 auth_mode=required" \
1309 "$O_CLI -key data_files/server2.key \
1310 -cert data_files/server2.ku-ke.crt" \
1311 1 \
1312 -s "bad certificate (usage extensions)" \
1313 -s "Processing of the Certificate handshake message failed"
1314
1315run_test "keyUsage cli-auth #4 (ECDSA, DigitalSignature: OK)" \
1316 "$P_SRV debug_level=2 auth_mode=optional" \
1317 "$O_CLI -key data_files/server5.key \
1318 -cert data_files/server5.ku-ds.crt" \
1319 0 \
1320 -S "bad certificate (usage extensions)" \
1321 -S "Processing of the Certificate handshake message failed"
1322
1323run_test "keyUsage cli-auth #5 (ECDSA, KeyAgreement: fail (soft))" \
1324 "$P_SRV debug_level=2 auth_mode=optional" \
1325 "$O_CLI -key data_files/server5.key \
1326 -cert data_files/server5.ku-ka.crt" \
1327 0 \
1328 -s "bad certificate (usage extensions)" \
1329 -S "Processing of the Certificate handshake message failed"
1330
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]1331# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
1332
1333run_test "extKeyUsage srv #1 (serverAuth -> OK)" \
1334 "$P_SRV key_file=data_files/server5.key \
1335 crt_file=data_files/server5.eku-srv.crt" \
1336 "$P_CLI" \
1337 0
1338
1339run_test "extKeyUsage srv #2 (serverAuth,clientAuth -> OK)" \
1340 "$P_SRV key_file=data_files/server5.key \
1341 crt_file=data_files/server5.eku-srv.crt" \
1342 "$P_CLI" \
1343 0
1344
1345run_test "extKeyUsage srv #3 (codeSign,anyEKU -> OK)" \
1346 "$P_SRV key_file=data_files/server5.key \
1347 crt_file=data_files/server5.eku-cs_any.crt" \
1348 "$P_CLI" \
1349 0
1350
1351# add psk to leave an option for client to send SERVERQUIT
1352run_test "extKeyUsage srv #4 (codeSign -> fail)" \
1353 "$P_SRV psk=abc123 key_file=data_files/server5.key \
1354 crt_file=data_files/server5.eku-cli.crt" \
1355 "$P_CLI psk=badbad" \
1356 1
1357
1358# Tests for extendedKeyUsage, part 2: client-side checking of server cert
1359
1360run_test "extKeyUsage cli #1 (serverAuth -> OK)" \
1361 "$O_SRV -key data_files/server5.key \
1362 -cert data_files/server5.eku-srv.crt" \
1363 "$P_CLI debug_level=2" \
1364 0 \
1365 -C "bad certificate (usage extensions)" \
1366 -C "Processing of the Certificate handshake message failed" \
1367 -c "Ciphersuite is TLS-"
1368
1369run_test "extKeyUsage cli #2 (serverAuth,clientAuth -> OK)" \
1370 "$O_SRV -key data_files/server5.key \
1371 -cert data_files/server5.eku-srv_cli.crt" \
1372 "$P_CLI debug_level=2" \
1373 0 \
1374 -C "bad certificate (usage extensions)" \
1375 -C "Processing of the Certificate handshake message failed" \
1376 -c "Ciphersuite is TLS-"
1377
1378run_test "extKeyUsage cli #3 (codeSign,anyEKU -> OK)" \
1379 "$O_SRV -key data_files/server5.key \
1380 -cert data_files/server5.eku-cs_any.crt" \
1381 "$P_CLI debug_level=2" \
1382 0 \
1383 -C "bad certificate (usage extensions)" \
1384 -C "Processing of the Certificate handshake message failed" \
1385 -c "Ciphersuite is TLS-"
1386
1387run_test "extKeyUsage cli #4 (codeSign -> fail)" \
1388 "$O_SRV -key data_files/server5.key \
1389 -cert data_files/server5.eku-cs.crt" \
1390 "$P_CLI debug_level=2" \
1391 1 \
1392 -c "bad certificate (usage extensions)" \
1393 -c "Processing of the Certificate handshake message failed" \
1394 -C "Ciphersuite is TLS-"
1395
1396# Tests for extendedKeyUsage, part 3: server-side checking of client cert
1397
1398run_test "extKeyUsage cli-auth #1 (clientAuth -> OK)" \
1399 "$P_SRV debug_level=2 auth_mode=optional" \
1400 "$O_CLI -key data_files/server5.key \
1401 -cert data_files/server5.eku-cli.crt" \
1402 0 \
1403 -S "bad certificate (usage extensions)" \
1404 -S "Processing of the Certificate handshake message failed"
1405
1406run_test "extKeyUsage cli-auth #2 (serverAuth,clientAuth -> OK)" \
1407 "$P_SRV debug_level=2 auth_mode=optional" \
1408 "$O_CLI -key data_files/server5.key \
1409 -cert data_files/server5.eku-srv_cli.crt" \
1410 0 \
1411 -S "bad certificate (usage extensions)" \
1412 -S "Processing of the Certificate handshake message failed"
1413
1414run_test "extKeyUsage cli-auth #3 (codeSign,anyEKU -> OK)" \
1415 "$P_SRV debug_level=2 auth_mode=optional" \
1416 "$O_CLI -key data_files/server5.key \
1417 -cert data_files/server5.eku-cs_any.crt" \
1418 0 \
1419 -S "bad certificate (usage extensions)" \
1420 -S "Processing of the Certificate handshake message failed"
1421
1422run_test "extKeyUsage cli-auth #4 (codeSign -> fail (soft))" \
1423 "$P_SRV debug_level=2 auth_mode=optional" \
1424 "$O_CLI -key data_files/server5.key \
1425 -cert data_files/server5.eku-cs.crt" \
1426 0 \
1427 -s "bad certificate (usage extensions)" \
1428 -S "Processing of the Certificate handshake message failed"
1429
1430run_test "extKeyUsage cli-auth #4b (codeSign -> fail (hard))" \
1431 "$P_SRV debug_level=2 auth_mode=required" \
1432 "$O_CLI -key data_files/server5.key \
1433 -cert data_files/server5.eku-cs.crt" \
1434 1 \
1435 -s "bad certificate (usage extensions)" \
1436 -s "Processing of the Certificate handshake message failed"
1437
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]1438# Tests for DHM parameters loading
1439
1440run_test "DHM parameters #0 (reference)" \
1441 "$P_SRV" \
1442 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
1443 debug_level=3" \
1444 0 \
1445 -c "value of 'DHM: P ' (2048 bits)" \
1446 -c "value of 'DHM: G ' (2048 bits)"
1447
1448run_test "DHM parameters #1 (other parameters)" \
1449 "$P_SRV dhm_file=data_files/dhparams.pem" \
1450 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
1451 debug_level=3" \
1452 0 \
1453 -c "value of 'DHM: P ' (1024 bits)" \
1454 -c "value of 'DHM: G ' (2 bits)"
1455
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1456# Tests for PSK callback
1457
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1458run_test "PSK callback #0a (psk, no callback)" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1459 "$P_SRV psk=abc123 psk_identity=foo" \
1460 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1461 psk_identity=foo psk=abc123" \
1462 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1463 -S "SSL - The server has no ciphersuites in common" \
1464 -S "SSL - Unknown identity received" \
1465 -S "SSL - Verification of the message MAC failed"
1466
1467run_test "PSK callback #0b (no psk, no callback)" \
1468 "$P_SRV" \
1469 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1470 psk_identity=foo psk=abc123" \
1471 1 \
1472 -s "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1473 -S "SSL - Unknown identity received" \
1474 -S "SSL - Verification of the message MAC failed"
1475
1476run_test "PSK callback #1 (callback overrides other settings)" \
1477 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
1478 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1479 psk_identity=foo psk=abc123" \
1480 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1481 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1482 -s "SSL - Unknown identity received" \
1483 -S "SSL - Verification of the message MAC failed"
1484
1485run_test "PSK callback #2 (first id matches)" \
1486 "$P_SRV psk_list=abc,dead,def,beef" \
1487 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1488 psk_identity=abc psk=dead" \
1489 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1490 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1491 -S "SSL - Unknown identity received" \
1492 -S "SSL - Verification of the message MAC failed"
1493
1494run_test "PSK callback #3 (second id matches)" \
1495 "$P_SRV psk_list=abc,dead,def,beef" \
1496 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1497 psk_identity=def psk=beef" \
1498 0 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1499 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1500 -S "SSL - Unknown identity received" \
1501 -S "SSL - Verification of the message MAC failed"
1502
1503run_test "PSK callback #4 (no match)" \
1504 "$P_SRV psk_list=abc,dead,def,beef" \
1505 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1506 psk_identity=ghi psk=beef" \
1507 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1508 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1509 -s "SSL - Unknown identity received" \
1510 -S "SSL - Verification of the message MAC failed"
1511
1512run_test "PSK callback #5 (wrong key)" \
1513 "$P_SRV psk_list=abc,dead,def,beef" \
1514 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
1515 psk_identity=abc psk=beef" \
1516 1 \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]1517 -S "SSL - The server has no ciphersuites in common" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]1518 -S "SSL - Unknown identity received" \
1519 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]1520
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]1521# Tests for ciphersuites per version
1522
1523run_test "Per-version suites #1" \
1524 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1525 "$P_CLI force_version=ssl3" \
1526 0 \
1527 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
1528
1529run_test "Per-version suites #2" \
1530 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1531 "$P_CLI force_version=tls1" \
1532 0 \
1533 -c "Ciphersuite is TLS-RSA-WITH-RC4-128-SHA"
1534
1535run_test "Per-version suites #3" \
1536 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1537 "$P_CLI force_version=tls1_1" \
1538 0 \
1539 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
1540
1541run_test "Per-version suites #4" \
1542 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
1543 "$P_CLI force_version=tls1_2" \
1544 0 \
1545 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
1546
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]1547# Tests for ssl_get_bytes_avail()
1548
1549run_test "ssl_get_bytes_avail #1 (no extra data)" \
1550 "$P_SRV" \
1551 "$P_CLI request_size=100" \
1552 0 \
1553 -s "Read from client: 100 bytes read$"
1554
1555run_test "ssl_get_bytes_avail #2 (extra data)" \
1556 "$P_SRV" \
1557 "$P_CLI request_size=500" \
1558 0 \
1559 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]1560
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]1561# Tests for small packets
1562
1563run_test "Small packet SSLv3 BlockCipher" \
1564 "$P_SRV" \
1565 "$P_CLI request_size=1 force_version=ssl3 \
1566 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1567 0 \
1568 -s "Read from client: 1 bytes read"
1569
1570run_test "Small packet SSLv3 StreamCipher" \
1571 "$P_SRV" \
1572 "$P_CLI request_size=1 force_version=ssl3 \
1573 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1574 0 \
1575 -s "Read from client: 1 bytes read"
1576
1577run_test "Small packet TLS 1.0 BlockCipher" \
1578 "$P_SRV" \
1579 "$P_CLI request_size=1 force_version=tls1 \
1580 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1581 0 \
1582 -s "Read from client: 1 bytes read"
1583
1584run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
1585 "$P_SRV" \
1586 "$P_CLI request_size=1 force_version=tls1 \
1587 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1588 trunc_hmac=1" \
1589 0 \
1590 -s "Read from client: 1 bytes read"
1591
1592run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
1593 "$P_SRV" \
1594 "$P_CLI request_size=1 force_version=tls1 \
1595 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1596 trunc_hmac=1" \
1597 0 \
1598 -s "Read from client: 1 bytes read"
1599
1600run_test "Small packet TLS 1.1 BlockCipher" \
1601 "$P_SRV" \
1602 "$P_CLI request_size=1 force_version=tls1_1 \
1603 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1604 0 \
1605 -s "Read from client: 1 bytes read"
1606
1607run_test "Small packet TLS 1.1 StreamCipher" \
1608 "$P_SRV" \
1609 "$P_CLI request_size=1 force_version=tls1_1 \
1610 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1611 0 \
1612 -s "Read from client: 1 bytes read"
1613
1614run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
1615 "$P_SRV" \
1616 "$P_CLI request_size=1 force_version=tls1_1 \
1617 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1618 trunc_hmac=1" \
1619 0 \
1620 -s "Read from client: 1 bytes read"
1621
1622run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
1623 "$P_SRV" \
1624 "$P_CLI request_size=1 force_version=tls1_1 \
1625 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1626 trunc_hmac=1" \
1627 0 \
1628 -s "Read from client: 1 bytes read"
1629
1630run_test "Small packet TLS 1.2 BlockCipher" \
1631 "$P_SRV" \
1632 "$P_CLI request_size=1 force_version=tls1_2 \
1633 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1634 0 \
1635 -s "Read from client: 1 bytes read"
1636
1637run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
1638 "$P_SRV" \
1639 "$P_CLI request_size=1 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
1640 0 \
1641 -s "Read from client: 1 bytes read"
1642
1643run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
1644 "$P_SRV" \
1645 "$P_CLI request_size=1 force_version=tls1_2 \
1646 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1647 trunc_hmac=1" \
1648 0 \
1649 -s "Read from client: 1 bytes read"
1650
1651run_test "Small packet TLS 1.2 StreamCipher" \
1652 "$P_SRV" \
1653 "$P_CLI request_size=1 force_version=tls1_2 \
1654 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1655 0 \
1656 -s "Read from client: 1 bytes read"
1657
1658run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
1659 "$P_SRV" \
1660 "$P_CLI request_size=1 force_version=tls1_2 \
1661 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1662 trunc_hmac=1" \
1663 0 \
1664 -s "Read from client: 1 bytes read"
1665
1666run_test "Small packet TLS 1.2 AEAD" \
1667 "$P_SRV" \
1668 "$P_CLI request_size=1 force_version=tls1_2 \
1669 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
1670 0 \
1671 -s "Read from client: 1 bytes read"
1672
1673run_test "Small packet TLS 1.2 AEAD shorter tag" \
1674 "$P_SRV" \
1675 "$P_CLI request_size=1 force_version=tls1_2 \
1676 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
1677 0 \
1678 -s "Read from client: 1 bytes read"
1679
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]1680# Test for large packets
1681
1682run_test "Large packet SSLv3 BlockCipher" \
1683 "$P_SRV" \
1684 "$P_CLI request_size=16384 force_version=ssl3 \
1685 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1686 0 \
1687 -s "Read from client: 16384 bytes read"
1688
1689run_test "Large packet SSLv3 StreamCipher" \
1690 "$P_SRV" \
1691 "$P_CLI request_size=16384 force_version=ssl3 \
1692 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1693 0 \
1694 -s "Read from client: 16384 bytes read"
1695
1696run_test "Large packet TLS 1.0 BlockCipher" \
1697 "$P_SRV" \
1698 "$P_CLI request_size=16384 force_version=tls1 \
1699 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1700 0 \
1701 -s "Read from client: 16384 bytes read"
1702
1703run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
1704 "$P_SRV" \
1705 "$P_CLI request_size=16384 force_version=tls1 \
1706 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1707 trunc_hmac=1" \
1708 0 \
1709 -s "Read from client: 16384 bytes read"
1710
1711run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
1712 "$P_SRV" \
1713 "$P_CLI request_size=16384 force_version=tls1 \
1714 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1715 trunc_hmac=1" \
1716 0 \
1717 -s "Read from client: 16384 bytes read"
1718
1719run_test "Large packet TLS 1.1 BlockCipher" \
1720 "$P_SRV" \
1721 "$P_CLI request_size=16384 force_version=tls1_1 \
1722 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1723 0 \
1724 -s "Read from client: 16384 bytes read"
1725
1726run_test "Large packet TLS 1.1 StreamCipher" \
1727 "$P_SRV" \
1728 "$P_CLI request_size=16384 force_version=tls1_1 \
1729 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1730 0 \
1731 -s "Read from client: 16384 bytes read"
1732
1733run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
1734 "$P_SRV" \
1735 "$P_CLI request_size=16384 force_version=tls1_1 \
1736 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1737 trunc_hmac=1" \
1738 0 \
1739 -s "Read from client: 16384 bytes read"
1740
1741run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
1742 "$P_SRV" \
1743 "$P_CLI request_size=16384 force_version=tls1_1 \
1744 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1745 trunc_hmac=1" \
1746 0 \
1747 -s "Read from client: 16384 bytes read"
1748
1749run_test "Large packet TLS 1.2 BlockCipher" \
1750 "$P_SRV" \
1751 "$P_CLI request_size=16384 force_version=tls1_2 \
1752 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
1753 0 \
1754 -s "Read from client: 16384 bytes read"
1755
1756run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
1757 "$P_SRV" \
1758 "$P_CLI request_size=16384 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
1759 0 \
1760 -s "Read from client: 16384 bytes read"
1761
1762run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
1763 "$P_SRV" \
1764 "$P_CLI request_size=16384 force_version=tls1_2 \
1765 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
1766 trunc_hmac=1" \
1767 0 \
1768 -s "Read from client: 16384 bytes read"
1769
1770run_test "Large packet TLS 1.2 StreamCipher" \
1771 "$P_SRV" \
1772 "$P_CLI request_size=16384 force_version=tls1_2 \
1773 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1774 0 \
1775 -s "Read from client: 16384 bytes read"
1776
1777run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
1778 "$P_SRV" \
1779 "$P_CLI request_size=16384 force_version=tls1_2 \
1780 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
1781 trunc_hmac=1" \
1782 0 \
1783 -s "Read from client: 16384 bytes read"
1784
1785run_test "Large packet TLS 1.2 AEAD" \
1786 "$P_SRV" \
1787 "$P_CLI request_size=16384 force_version=tls1_2 \
1788 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
1789 0 \
1790 -s "Read from client: 16384 bytes read"
1791
1792run_test "Large packet TLS 1.2 AEAD shorter tag" \
1793 "$P_SRV" \
1794 "$P_CLI request_size=16384 force_version=tls1_2 \
1795 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
1796 0 \
1797 -s "Read from client: 16384 bytes read"
1798
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]1799# Final report
1800
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1801echo "------------------------------------------------------------------------"
1802
1803if [ $FAILS = 0 ]; then
1804 echo -n "PASSED"
1805else
1806 echo -n "FAILED"
1807fi
1808PASSES=`echo $TESTS - $FAILS | bc`
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1809echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]1810
1811exit $FAILS