TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f9022b056b1d3226cd5c5914f6c8fdf8ebd767ec / . / tests / ssl-opt.sh
blob: ce687f74ffd0d8b77ba7950c1418670551acd42f [file] [log] [blame]
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1#!/bin/sh
2
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]3# ssl-opt.sh
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]4#
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]5# Copyright The Mbed TLS Contributors
Bence Szépkútic7da1fe2020-05-26 01:54:15 +0200[diff] [blame]6# SPDX-License-Identifier: Apache-2.0
7#
8# Licensed under the Apache License, Version 2.0 (the "License"); you may
9# not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19#
Simon Butcher58eddef2016-05-19 23:43:11 +0100[diff] [blame]20# Purpose
21#
22# Executes tests to prove various TLS/SSL options and extensions.
23#
24# The goal is not to cover every ciphersuite/version, but instead to cover
25# specific options (max fragment length, truncated hmac, etc) or procedures
26# (session resumption from cache or ticket, renego, etc).
27#
28# The tests assume a build with default options, with exceptions expressed
29# with a dependency. The tests focus on functionality and do not consider
30# performance.
31#
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]32
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]33set -u
34
Jaeden Amero6e70eb22019-07-03 13:51:04 +0100[diff] [blame]35# Limit the size of each log to 10 GiB, in case of failures with this script
36# where it may output seemingly unlimited length error logs.
37ulimit -f 20971520
38
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]39ORIGINAL_PWD=$PWD
40if ! cd "$(dirname "$0")"; then
41 exit 125
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]42fi
43
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]44# default values, can be overridden by the environment
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]45: ${P_SRV:=../programs/ssl/ssl_server2}
46: ${P_CLI:=../programs/ssl/ssl_client2}
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]47: ${P_PXY:=../programs/test/udp_proxy}
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]48: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]49: ${GNUTLS_CLI:=gnutls-cli}
50: ${GNUTLS_SERV:=gnutls-serv}
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]51: ${PERL:=perl}
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]52
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]53guess_config_name() {
54 if git diff --quiet ../include/mbedtls/config.h 2>/dev/null; then
55 echo "default"
56 else
57 echo "unknown"
58 fi
59}
60: ${MBEDTLS_TEST_OUTCOME_FILE=}
61: ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
62: ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
63
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]64O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]65O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]66G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]67G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]68TCP_CLIENT="$PERL scripts/tcp_client.pl"
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]69
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]70# alternative versions of OpenSSL and GnuTLS (no default path)
71
72if [ -n "${OPENSSL_LEGACY:-}" ]; then
73 O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
74 O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
75else
76 O_LEGACY_SRV=false
77 O_LEGACY_CLI=false
78fi
79
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]80if [ -n "${OPENSSL_NEXT:-}" ]; then
81 O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
82 O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
83else
84 O_NEXT_SRV=false
85 O_NEXT_CLI=false
86fi
87
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]88if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]89 G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
90else
91 G_NEXT_SRV=false
92fi
93
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]94if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]95 G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
96else
97 G_NEXT_CLI=false
98fi
99
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]100TESTS=0
101FAILS=0
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]102SKIPS=0
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]103
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]104CONFIG_H='../include/mbedtls/config.h'
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]105
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]106MEMCHECK=0
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]107FILTER='.*'
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]108EXCLUDE='^$'
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]109
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]110SHOW_TEST_NUMBER=0
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]111RUN_TEST_NUMBER=''
112
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]113PRESERVE_LOGS=0
114
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]115# Pick a "unique" server port in the range 10000-19999, and a proxy
116# port which is this plus 10000. Each port number may be independently
117# overridden by a command line option.
118SRV_PORT=$(($$ % 10000 + 10000))
119PXY_PORT=$((SRV_PORT + 10000))
120
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]121print_usage() {
122 echo "Usage: $0 [options]"
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]123 printf " -h|--help\tPrint this help.\n"
124 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]125 printf " -f|--filter\tOnly matching tests are executed (substring or BRE)\n"
126 printf " -e|--exclude\tMatching tests are excluded (substring or BRE)\n"
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]127 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]128 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]129 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]130 printf " --outcome-file\tFile where test outcomes are written\n"
131 printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
132 printf " --port \tTCP/UDP port (default: randomish 1xxxx)\n"
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]133 printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]134 printf " --seed \tInteger seed value to use for this test run\n"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]135}
136
137get_options() {
138 while [ $# -gt 0 ]; do
139 case "$1" in
Manuel Pégourié-Gonnard417d46c2014-03-13 19:17:53 +0100[diff] [blame]140 -f|--filter)
141 shift; FILTER=$1
142 ;;
143 -e|--exclude)
144 shift; EXCLUDE=$1
145 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]146 -m|--memcheck)
147 MEMCHECK=1
148 ;;
Paul Bakkerb7584a52016-05-10 10:50:43 +0100[diff] [blame]149 -n|--number)
150 shift; RUN_TEST_NUMBER=$1
151 ;;
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]152 -s|--show-numbers)
153 SHOW_TEST_NUMBER=1
154 ;;
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]155 -p|--preserve-logs)
156 PRESERVE_LOGS=1
157 ;;
Gilles Peskinef93c7d32017-04-14 17:55:28 +0200[diff] [blame]158 --port)
159 shift; SRV_PORT=$1
160 ;;
161 --proxy-port)
162 shift; PXY_PORT=$1
163 ;;
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]164 --seed)
165 shift; SEED="$1"
166 ;;
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]167 -h|--help)
168 print_usage
169 exit 0
170 ;;
171 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]172 echo "Unknown argument: '$1'"
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]173 print_usage
174 exit 1
175 ;;
176 esac
177 shift
178 done
179}
180
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]181# Make the outcome file path relative to the original directory, not
182# to .../tests
183case "$MBEDTLS_TEST_OUTCOME_FILE" in
184 [!/]*)
185 MBEDTLS_TEST_OUTCOME_FILE="$ORIGINAL_PWD/$MBEDTLS_TEST_OUTCOME_FILE"
186 ;;
187esac
188
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]189# Read boolean configuration options from config.h for easy and quick
190# testing. Skip non-boolean options (with something other than spaces
191# and a comment after "#define SYMBOL"). The variable contains a
192# space-separated list of symbols.
193CONFIGS_ENABLED=" $(<"$CONFIG_H" \
194 sed -n 's!^ *#define *\([A-Za-z][0-9A-Z_a-z]*\) *\(/*\)*!\1!p' |
195 tr '\n' ' ')"
196
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]197# Skip next test; use this macro to skip tests which are legitimate
198# in theory and expected to be re-introduced at some point, but
199# aren't expected to succeed at the moment due to problems outside
200# our control (such as bugs in other TLS implementations).
201skip_next_test() {
202 SKIP_NEXT="YES"
203}
204
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]205# skip next test if the flag is not enabled in config.h
206requires_config_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]207 case $CONFIGS_ENABLED in
208 *" $1 "*) :;;
209 *) SKIP_NEXT="YES";;
210 esac
Manuel Pégourié-Gonnard988209f2015-03-24 10:43:55 +0100[diff] [blame]211}
212
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]213# skip next test if the flag is enabled in config.h
214requires_config_disabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]215 case $CONFIGS_ENABLED in
216 *" $1 "*) SKIP_NEXT="YES";;
217 esac
Manuel Pégourié-Gonnardaf63c212017-06-08 17:51:08 +0200[diff] [blame]218}
219
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]220get_config_value_or_default() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]221 # This function uses the query_config command line option to query the
222 # required Mbed TLS compile time configuration from the ssl_server2
223 # program. The command will always return a success value if the
224 # configuration is defined and the value will be printed to stdout.
225 #
226 # Note that if the configuration is not defined or is defined to nothing,
227 # the output of this function will be an empty string.
228 ${P_SRV} "query_config=${1}"
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]229}
230
231requires_config_value_at_least() {
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]232 VAL="$( get_config_value_or_default "$1" )"
233 if [ -z "$VAL" ]; then
234 # Should never happen
235 echo "Mbed TLS configuration $1 is not defined"
236 exit 1
237 elif [ "$VAL" -lt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]238 SKIP_NEXT="YES"
239 fi
240}
241
242requires_config_value_at_most() {
Hanno Becker7c48dd12018-08-28 16:09:22 +0100[diff] [blame]243 VAL=$( get_config_value_or_default "$1" )
Andres Amaya Garcia3169dc02018-10-16 21:29:07 +0100[diff] [blame]244 if [ -z "$VAL" ]; then
245 # Should never happen
246 echo "Mbed TLS configuration $1 is not defined"
247 exit 1
248 elif [ "$VAL" -gt "$2" ]; then
Hanno Becker5cd017f2018-08-24 14:40:12 +0100[diff] [blame]249 SKIP_NEXT="YES"
250 fi
251}
252
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]253requires_config_value_equals() {
254 VAL=$( get_config_value_or_default "$1" )
255 if [ -z "$VAL" ]; then
256 # Should never happen
257 echo "Mbed TLS configuration $1 is not defined"
258 exit 1
259 elif [ "$VAL" -ne "$2" ]; then
260 SKIP_NEXT="YES"
261 fi
262}
263
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]264# Space-separated list of ciphersuites supported by this build of
265# Mbed TLS.
266P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
267 grep TLS- |
268 tr -s ' \n' ' ')"
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]269requires_ciphersuite_enabled() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]270 case $P_CIPHERSUITES in
271 *" $1 "*) :;;
272 *) SKIP_NEXT="YES";;
273 esac
Hanno Becker9d76d562018-11-16 17:27:29 +0000[diff] [blame]274}
275
Gilles Peskine0d721652020-06-26 23:35:53 +0200[diff] [blame]276# maybe_requires_ciphersuite_enabled CMD [RUN_TEST_OPTION...]
277# If CMD (call to a TLS client or server program) requires a specific
278# ciphersuite, arrange to only run the test case if this ciphersuite is
279# enabled. As an exception, do run the test case if it expects a ciphersuite
280# mismatch.
281maybe_requires_ciphersuite_enabled() {
282 case "$1" in
283 *\ force_ciphersuite=*) :;;
284 *) return;; # No specific required ciphersuite
285 esac
286 ciphersuite="${1##*\ force_ciphersuite=}"
287 ciphersuite="${ciphersuite%%[!-0-9A-Z_a-z]*}"
288 shift
289
290 case "$*" in
291 *"-s SSL - The server has no ciphersuites in common"*)
292 # This test case expects a ciphersuite mismatch, so it doesn't
293 # require the ciphersuite to be enabled.
294 ;;
295 *)
296 requires_ciphersuite_enabled "$ciphersuite"
297 ;;
298 esac
299
300 unset ciphersuite
301}
302
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]303# skip next test if OpenSSL doesn't support FALLBACK_SCSV
304requires_openssl_with_fallback_scsv() {
305 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
306 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
307 then
308 OPENSSL_HAS_FBSCSV="YES"
309 else
310 OPENSSL_HAS_FBSCSV="NO"
311 fi
312 fi
313 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
314 SKIP_NEXT="YES"
315 fi
316}
317
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]318# skip next test if either IN_CONTENT_LEN or MAX_CONTENT_LEN are below a value
319requires_max_content_len() {
320 requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" $1
321 requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1
322}
323
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]324# skip next test if GnuTLS isn't available
325requires_gnutls() {
326 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
Manuel Pégourié-Gonnard03db6b02015-06-26 15:45:30 +0200[diff] [blame]327 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]328 GNUTLS_AVAILABLE="YES"
329 else
330 GNUTLS_AVAILABLE="NO"
331 fi
332 fi
333 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
334 SKIP_NEXT="YES"
335 fi
336}
337
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]338# skip next test if GnuTLS-next isn't available
339requires_gnutls_next() {
340 if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then
341 if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then
342 GNUTLS_NEXT_AVAILABLE="YES"
343 else
344 GNUTLS_NEXT_AVAILABLE="NO"
345 fi
346 fi
347 if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then
348 SKIP_NEXT="YES"
349 fi
350}
351
352# skip next test if OpenSSL-legacy isn't available
353requires_openssl_legacy() {
354 if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
355 if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
356 OPENSSL_LEGACY_AVAILABLE="YES"
357 else
358 OPENSSL_LEGACY_AVAILABLE="NO"
359 fi
360 fi
361 if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
362 SKIP_NEXT="YES"
363 fi
364}
365
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]366requires_openssl_next() {
367 if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
368 if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
369 OPENSSL_NEXT_AVAILABLE="YES"
370 else
371 OPENSSL_NEXT_AVAILABLE="NO"
372 fi
373 fi
374 if [ "$OPENSSL_NEXT_AVAILABLE" = "NO" ]; then
375 SKIP_NEXT="YES"
376 fi
377}
378
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]379# skip next test if IPv6 isn't available on this host
380requires_ipv6() {
381 if [ -z "${HAS_IPV6:-}" ]; then
382 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
383 SRV_PID=$!
384 sleep 1
385 kill $SRV_PID >/dev/null 2>&1
386 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
387 HAS_IPV6="NO"
388 else
389 HAS_IPV6="YES"
390 fi
391 rm -r $SRV_OUT
392 fi
393
394 if [ "$HAS_IPV6" = "NO" ]; then
395 SKIP_NEXT="YES"
396 fi
397}
398
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]399# skip next test if it's i686 or uname is not available
400requires_not_i686() {
401 if [ -z "${IS_I686:-}" ]; then
402 IS_I686="YES"
403 if which "uname" >/dev/null 2>&1; then
404 if [ -z "$(uname -a | grep i686)" ]; then
405 IS_I686="NO"
406 fi
407 fi
408 fi
409 if [ "$IS_I686" = "YES" ]; then
410 SKIP_NEXT="YES"
411 fi
412}
413
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]414# Calculate the input & output maximum content lengths set in the config
Yuto Takanoab9e43332021-06-22 07:16:40 +0100[diff] [blame]415MAX_CONTENT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_MAX_CONTENT_LEN" )
416MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" )
417MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" )
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]418
Yuto Takano18ddccc2021-06-21 19:43:33 +0100[diff] [blame]419# Calculate the maximum content length that fits both
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]420if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then
421 MAX_CONTENT_LEN="$MAX_IN_LEN"
422fi
423if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then
424 MAX_CONTENT_LEN="$MAX_OUT_LEN"
425fi
426
427# skip the next test if the SSL output buffer is less than 16KB
428requires_full_size_output_buffer() {
429 if [ "$MAX_OUT_LEN" -ne 16384 ]; then
430 SKIP_NEXT="YES"
431 fi
432}
433
Manuel Pégourié-Gonnard76fe9e42014-09-24 15:17:31 +0200[diff] [blame]434# skip the next test if valgrind is in use
435not_with_valgrind() {
436 if [ "$MEMCHECK" -gt 0 ]; then
437 SKIP_NEXT="YES"
438 fi
439}
440
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]441# skip the next test if valgrind is NOT in use
442only_with_valgrind() {
443 if [ "$MEMCHECK" -eq 0 ]; then
444 SKIP_NEXT="YES"
445 fi
446}
447
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]448# multiply the client timeout delay by the given factor for the next test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]449client_needs_more_time() {
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]450 CLI_DELAY_FACTOR=$1
451}
452
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]453# wait for the given seconds after the client finished in the next test
454server_needs_more_time() {
455 SRV_DELAY_SECONDS=$1
456}
457
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]458# print_name <name>
459print_name() {
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]460 TESTS=$(( $TESTS + 1 ))
461 LINE=""
462
463 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
464 LINE="$TESTS "
465 fi
466
467 LINE="$LINE$1"
Gilles Peskine231befa2020-08-26 20:05:11 +0200[diff] [blame]468 printf "%s " "$LINE"
Paul Bakkere20310a2016-05-10 11:18:17 +0100[diff] [blame]469 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]470 for i in `seq 1 $LEN`; do printf '.'; done
471 printf ' '
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]472
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]473}
474
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]475# record_outcome <outcome> [<failure-reason>]
476# The test name must be in $NAME.
477record_outcome() {
478 echo "$1"
479 if [ -n "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
480 printf '%s;%s;%s;%s;%s;%s\n' \
481 "$MBEDTLS_TEST_PLATFORM" "$MBEDTLS_TEST_CONFIGURATION" \
482 "ssl-opt" "$NAME" \
483 "$1" "${2-}" \
484 >>"$MBEDTLS_TEST_OUTCOME_FILE"
485 fi
486}
487
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]488# fail <message>
489fail() {
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]490 record_outcome "FAIL" "$1"
Manuel Pégourié-Gonnard3eec6042014-02-27 15:37:24 +0100[diff] [blame]491 echo " ! $1"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]492
Manuel Pégourié-Gonnardc2b00922014-08-31 16:46:04 +0200[diff] [blame]493 mv $SRV_OUT o-srv-${TESTS}.log
494 mv $CLI_OUT o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]495 if [ -n "$PXY_CMD" ]; then
496 mv $PXY_OUT o-pxy-${TESTS}.log
497 fi
498 echo " ! outputs saved to o-XXX-${TESTS}.log"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]499
Manuel Pégourié-Gonnard3f3302f2020-06-08 11:49:05 +0200[diff] [blame]500 if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]501 echo " ! server output:"
502 cat o-srv-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]503 echo " ! ========================================================"
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]504 echo " ! client output:"
505 cat o-cli-${TESTS}.log
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]506 if [ -n "$PXY_CMD" ]; then
507 echo " ! ========================================================"
508 echo " ! proxy output:"
509 cat o-pxy-${TESTS}.log
510 fi
511 echo ""
Manuel Pégourié-Gonnard7fa67722014-08-31 17:42:53 +0200[diff] [blame]512 fi
513
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]514 FAILS=$(( $FAILS + 1 ))
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]515}
516
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]517# is_polar <cmd_line>
518is_polar() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]519 case "$1" in
520 *ssl_client2*) true;;
521 *ssl_server2*) true;;
522 *) false;;
523 esac
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]524}
525
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]526# openssl s_server doesn't have -www with DTLS
527check_osrv_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]528 case "$SRV_CMD" in
529 *s_server*-dtls*)
530 NEEDS_INPUT=1
531 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )";;
532 *) NEEDS_INPUT=0;;
533 esac
Manuel Pégourié-Gonnardfa60f122014-09-26 16:07:29 +0200[diff] [blame]534}
535
536# provide input to commands that need it
537provide_input() {
538 if [ $NEEDS_INPUT -eq 0 ]; then
539 return
540 fi
541
542 while true; do
543 echo "HTTP/1.0 200 OK"
544 sleep 1
545 done
546}
547
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]548# has_mem_err <log_file_name>
549has_mem_err() {
550 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
551 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
552 then
553 return 1 # false: does not have errors
554 else
555 return 0 # true: has errors
556 fi
557}
558
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]559# Wait for process $2 named $3 to be listening on port $1. Print error to $4.
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]560if type lsof >/dev/null 2>/dev/null; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]561 wait_app_start() {
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]562 START_TIME=$(date +%s)
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]563 if [ "$DTLS" -eq 1 ]; then
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]564 proto=UDP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]565 else
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]566 proto=TCP
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]567 fi
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]568 # Make a tight loop, server normally takes less than 1s to start.
569 while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
570 if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]571 echo "$3 START TIMEOUT"
572 echo "$3 START TIMEOUT" >> $4
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]573 break
574 fi
575 # Linux and *BSD support decimal arguments to sleep. On other
576 # OSes this may be a tight loop.
577 sleep 0.1 2>/dev/null || true
578 done
579 }
580else
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]581 echo "Warning: lsof not available, wait_app_start = sleep"
582 wait_app_start() {
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]583 sleep "$START_DELAY"
Gilles Peskine418b5362017-12-14 18:58:42 +0100[diff] [blame]584 }
585fi
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]586
Unknownd364f4c2019-09-02 10:42:57 -0400[diff] [blame]587# Wait for server process $2 to be listening on port $1.
588wait_server_start() {
589 wait_app_start $1 $2 "SERVER" $SRV_OUT
590}
591
592# Wait for proxy process $2 to be listening on port $1.
593wait_proxy_start() {
594 wait_app_start $1 $2 "PROXY" $PXY_OUT
595}
596
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]597# Given the client or server debug output, parse the unix timestamp that is
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]598# included in the first 4 bytes of the random bytes and check that it's within
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]599# acceptable bounds
600check_server_hello_time() {
601 # Extract the time from the debug (lvl 3) output of the client
Andres Amaya Garcia67d8da52017-09-15 15:49:24 +0100[diff] [blame]602 SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")"
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]603 # Get the Unix timestamp for now
604 CUR_TIME=$(date +'%s')
605 THRESHOLD_IN_SECS=300
606
607 # Check if the ServerHello time was printed
608 if [ -z "$SERVER_HELLO_TIME" ]; then
609 return 1
610 fi
611
612 # Check the time in ServerHello is within acceptable bounds
613 if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then
614 # The time in ServerHello is at least 5 minutes before now
615 return 1
616 elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then
Andres Amaya Garcia3b1bdff2017-09-14 12:41:29 +0100[diff] [blame]617 # The time in ServerHello is at least 5 minutes later than now
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]618 return 1
619 else
620 return 0
621 fi
622}
623
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]624# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
625handshake_memory_get() {
626 OUTPUT_VARIABLE="$1"
627 OUTPUT_FILE="$2"
628
629 # Get memory usage from a pattern like "Heap memory usage after handshake: 23112 bytes. Peak memory usage was 33112"
630 MEM_USAGE=$(sed -n 's/.*Heap memory usage after handshake: //p' < "$OUTPUT_FILE" | grep -o "[0-9]*" | head -1)
631
632 # Check if memory usage was read
633 if [ -z "$MEM_USAGE" ]; then
634 echo "Error: Can not read the value of handshake memory usage"
635 return 1
636 else
637 eval "$OUTPUT_VARIABLE=$MEM_USAGE"
638 return 0
639 fi
640}
641
642# Get handshake memory usage from server or client output and check if this value
643# is not higher than the maximum given by the first argument
644handshake_memory_check() {
645 MAX_MEMORY="$1"
646 OUTPUT_FILE="$2"
647
648 # Get memory usage
649 if ! handshake_memory_get "MEMORY_USAGE" "$OUTPUT_FILE"; then
650 return 1
651 fi
652
653 # Check if memory usage is below max value
654 if [ "$MEMORY_USAGE" -gt "$MAX_MEMORY" ]; then
655 echo "\nFailed: Handshake memory usage was $MEMORY_USAGE bytes," \
656 "but should be below $MAX_MEMORY bytes"
657 return 1
658 else
659 return 0
660 fi
661}
662
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]663# wait for client to terminate and set CLI_EXIT
664# must be called right after starting the client
665wait_client_done() {
666 CLI_PID=$!
667
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]668 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
669 CLI_DELAY_FACTOR=1
670
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]671 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]672 DOG_PID=$!
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]673
674 wait $CLI_PID
675 CLI_EXIT=$?
676
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]677 kill $DOG_PID >/dev/null 2>&1
678 wait $DOG_PID
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]679
680 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]681
682 sleep $SRV_DELAY_SECONDS
683 SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnardc0f6a692014-08-30 22:41:47 +0200[diff] [blame]684}
685
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]686# check if the given command uses dtls and sets global variable DTLS
687detect_dtls() {
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]688 case "$1" in
Paul Elliott405fccc2021-10-12 16:02:55 +0100[diff] [blame]689 *dtls=1*|*-dtls*|*-u*) DTLS=1;;
Gilles Peskine64457492020-08-26 21:53:33 +0200[diff] [blame]690 *) DTLS=0;;
691 esac
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]692}
693
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]694# check if the given command uses gnutls and sets global variable CMD_IS_GNUTLS
695is_gnutls() {
696 case "$1" in
697 *gnutls-cli*)
698 CMD_IS_GNUTLS=1
699 ;;
700 *gnutls-serv*)
701 CMD_IS_GNUTLS=1
702 ;;
703 *)
704 CMD_IS_GNUTLS=0
705 ;;
706 esac
707}
708
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]709# Compare file content
710# Usage: find_in_both pattern file1 file2
711# extract from file1 the first line matching the pattern
712# check in file2 that the same line can be found
713find_in_both() {
714 srv_pattern=$(grep -m 1 "$1" "$2");
715 if [ -z "$srv_pattern" ]; then
716 return 1;
717 fi
718
719 if grep "$srv_pattern" $3 >/dev/null; then :
Johan Pascal10403152020-10-09 20:43:51 +0200[diff] [blame]720 return 0;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]721 else
722 return 1;
723 fi
724}
725
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame^]726# Analyze the commands that will be used in a test.
727#
728# Analyze and possibly instrument $PXY_CMD, $CLI_CMD, $SRV_CMD to pass
729# extra arguments or go through wrappers.
730# Set $DTLS (0=TLS, 1=DTLS).
731analyze_test_commands() {
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]732 # update DTLS variable
733 detect_dtls "$SRV_CMD"
734
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]735 # if the test uses DTLS but no custom proxy, add a simple proxy
736 # as it provides timing info that's useful to debug failures
Manuel Pégourié-Gonnard70fce982020-06-25 09:54:46 +0200[diff] [blame]737 if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]738 PXY_CMD="$P_PXY"
Manuel Pégourié-Gonnard8779e9a2020-07-16 10:19:32 +0200[diff] [blame]739 case " $SRV_CMD " in
740 *' server_addr=::1 '*)
741 PXY_CMD="$PXY_CMD server_addr=::1 listen_addr=::1";;
742 esac
Manuel Pégourié-Gonnardf4557862020-06-08 11:40:06 +0200[diff] [blame]743 fi
744
Dave Rodgman0279c2f2021-02-10 12:45:41 +0000[diff] [blame]745 # update CMD_IS_GNUTLS variable
746 is_gnutls "$SRV_CMD"
747
748 # if the server uses gnutls but doesn't set priority, explicitly
749 # set the default priority
750 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
751 case "$SRV_CMD" in
752 *--priority*) :;;
753 *) SRV_CMD="$SRV_CMD --priority=NORMAL";;
754 esac
755 fi
756
757 # update CMD_IS_GNUTLS variable
758 is_gnutls "$CLI_CMD"
759
760 # if the client uses gnutls but doesn't set priority, explicitly
761 # set the default priority
762 if [ "$CMD_IS_GNUTLS" -eq 1 ]; then
763 case "$CLI_CMD" in
764 *--priority*) :;;
765 *) CLI_CMD="$CLI_CMD --priority=NORMAL";;
766 esac
767 fi
768
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]769 # fix client port
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]770 if [ -n "$PXY_CMD" ]; then
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]771 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
772 else
773 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
774 fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]775
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]776 # prepend valgrind to our commands if active
777 if [ "$MEMCHECK" -gt 0 ]; then
778 if is_polar "$SRV_CMD"; then
779 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
780 fi
781 if is_polar "$CLI_CMD"; then
782 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
783 fi
784 fi
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame^]785}
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]786
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame^]787# Check for failure conditions after a test case.
788#
789# Inputs from run_test:
790# * positional parameters: test options (see run_test documentation)
791# * $CLI_EXIT: client return code
792# * $CLI_EXPECT: expected client return code
793# * $SRV_RET: server return code
794# * $CLI_OUT, $SRV_OUT, $PXY_OUT: files containing client/server/proxy logs
795#
796# Outputs:
797# * $pass: set to 1 if no failures are detected, 0 otherwise
798check_test_failure() {
799 pass=0
Manuel Pégourié-Gonnarda365add2015-08-04 20:57:59 +0200[diff] [blame]800
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]801 # check if the client and server went at least to the handshake stage
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]802 # (useful to avoid tests with only negative assertions and non-zero
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]803 # expected client exit to incorrectly succeed in case of catastrophic
804 # failure)
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]805 if is_polar "$SRV_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]806 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]807 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]808 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]809 return
810 fi
811 fi
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]812 if is_polar "$CLI_CMD"; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]813 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]814 else
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]815 fail "server or client failed to reach handshake stage"
Manuel Pégourié-Gonnard677884d2014-02-25 16:42:31 +0100[diff] [blame]816 return
817 fi
818 fi
819
Gilles Peskineaaf866e2021-02-09 21:01:33 +0100[diff] [blame]820 # Check server exit code (only for Mbed TLS: GnuTLS and OpenSSL don't
821 # exit with status 0 when interrupted by a signal, and we don't really
822 # care anyway), in case e.g. the server reports a memory leak.
823 if [ $SRV_RET != 0 ] && is_polar "$SRV_CMD"; then
Gilles Peskine7f919de2021-02-02 23:29:03 +0100[diff] [blame]824 fail "Server exited with status $SRV_RET"
Manuel Pégourié-Gonnardf8bdbb52014-02-21 09:20:14 +0100[diff] [blame]825 return
826 fi
827
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]828 # check client exit code
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]829 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
830 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]831 then
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]832 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]833 return
834 fi
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]835
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]836 # check other assertions
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]837 # lines beginning with == are added by valgrind, ignore them
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]838 # lines with 'Serious error when reading debug info', are valgrind issues as well
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]839 while [ $# -gt 0 ]
840 do
841 case $1 in
842 "-s")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]843 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]844 fail "pattern '$2' MUST be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]845 return
846 fi
847 ;;
848
849 "-c")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]850 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]851 fail "pattern '$2' MUST be present in the Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]852 return
853 fi
854 ;;
855
856 "-S")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]857 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]858 fail "pattern '$2' MUST NOT be present in the Server output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]859 return
860 fi
861 ;;
862
863 "-C")
Paul Bakker1f650922016-05-13 10:16:46 +0100[diff] [blame]864 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]865 fail "pattern '$2' MUST NOT be present in the Client output"
866 return
867 fi
868 ;;
869
870 # The filtering in the following two options (-u and -U) do the following
871 # - ignore valgrind output
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]872 # - filter out everything but lines right after the pattern occurrences
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]873 # - keep one of each non-unique line
874 # - count how many lines remain
875 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
876 # if there were no duplicates.
877 "-U")
878 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
879 fail "lines following pattern '$2' must be unique in Server output"
880 return
881 fi
882 ;;
883
884 "-u")
885 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
886 fail "lines following pattern '$2' must be unique in Client output"
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]887 return
888 fi
889 ;;
Andres Amaya Garcia93993de2017-09-06 15:38:07 +0100[diff] [blame]890 "-F")
891 if ! $2 "$SRV_OUT"; then
892 fail "function call to '$2' failed on Server output"
893 return
894 fi
895 ;;
896 "-f")
897 if ! $2 "$CLI_OUT"; then
898 fail "function call to '$2' failed on Client output"
899 return
900 fi
901 ;;
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]902 "-g")
903 if ! eval "$2 '$SRV_OUT' '$CLI_OUT'"; then
904 fail "function call to '$2' failed on Server and Client output"
905 return
906 fi
907 ;;
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]908
909 *)
Paul Bakker1ebc0c52014-05-22 15:47:58 +0200[diff] [blame]910 echo "Unknown test: $1" >&2
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]911 exit 1
912 esac
913 shift 2
914 done
915
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]916 # check valgrind's results
917 if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]918 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]919 fail "Server has memory errors"
920 return
921 fi
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]922 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]923 fail "Client has memory errors"
924 return
925 fi
926 fi
927
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]928 # if we're here, everything is ok
Gilles Peskinef9022b02021-10-19 16:25:10 +0200[diff] [blame^]929 pass=1
930}
931
932# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
933# Options: -s pattern pattern that must be present in server output
934# -c pattern pattern that must be present in client output
935# -u pattern lines after pattern must be unique in client output
936# -f call shell function on client output
937# -S pattern pattern that must be absent in server output
938# -C pattern pattern that must be absent in client output
939# -U pattern lines after pattern must be unique in server output
940# -F call shell function on server output
941# -g call shell function on server and client output
942run_test() {
943 NAME="$1"
944 shift 1
945
946 if is_excluded "$NAME"; then
947 SKIP_NEXT="NO"
948 # There was no request to run the test, so don't record its outcome.
949 return
950 fi
951
952 print_name "$NAME"
953
954 # Do we only run numbered tests?
955 if [ -n "$RUN_TEST_NUMBER" ]; then
956 case ",$RUN_TEST_NUMBER," in
957 *",$TESTS,"*) :;;
958 *) SKIP_NEXT="YES";;
959 esac
960 fi
961
962 # does this test use a proxy?
963 if [ "X$1" = "X-p" ]; then
964 PXY_CMD="$2"
965 shift 2
966 else
967 PXY_CMD=""
968 fi
969
970 # get commands and client output
971 SRV_CMD="$1"
972 CLI_CMD="$2"
973 CLI_EXPECT="$3"
974 shift 3
975
976 # Check if test uses files
977 case "$SRV_CMD $CLI_CMD" in
978 *data_files/*)
979 requires_config_enabled MBEDTLS_FS_IO;;
980 esac
981
982 # If the client or serve requires a ciphersuite, check that it's enabled.
983 maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@"
984 maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@"
985
986 # should we skip?
987 if [ "X$SKIP_NEXT" = "XYES" ]; then
988 SKIP_NEXT="NO"
989 record_outcome "SKIP"
990 SKIPS=$(( $SKIPS + 1 ))
991 return
992 fi
993
994 analyze_test_commands "$@"
995
996 TIMES_LEFT=2
997 while [ $TIMES_LEFT -gt 0 ]; do
998 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
999
1000 # run the commands
1001 if [ -n "$PXY_CMD" ]; then
1002 printf "# %s\n%s\n" "$NAME" "$PXY_CMD" > $PXY_OUT
1003 $PXY_CMD >> $PXY_OUT 2>&1 &
1004 PXY_PID=$!
1005 wait_proxy_start "$PXY_PORT" "$PXY_PID"
1006 fi
1007
1008 check_osrv_dtls
1009 printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
1010 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
1011 SRV_PID=$!
1012 wait_server_start "$SRV_PORT" "$SRV_PID"
1013
1014 printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
1015 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
1016 wait_client_done
1017
1018 sleep 0.05
1019
1020 # terminate the server (and the proxy)
1021 kill $SRV_PID
1022 wait $SRV_PID
1023 SRV_RET=$?
1024
1025 if [ -n "$PXY_CMD" ]; then
1026 kill $PXY_PID >/dev/null 2>&1
1027 wait $PXY_PID
1028 fi
1029
1030 # retry only on timeouts
1031 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
1032 printf "RETRY "
1033 else
1034 TIMES_LEFT=0
1035 fi
1036 done
1037
1038 check_test_failure "$@"
1039 if [ "$pass" -eq 0 ]; then
1040 return
1041 fi
1042
Gilles Peskine560280b2019-09-16 15:17:38 +0200[diff] [blame]1043 record_outcome "PASS"
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1044 if [ "$PRESERVE_LOGS" -gt 0 ]; then
1045 mv $SRV_OUT o-srv-${TESTS}.log
1046 mv $CLI_OUT o-cli-${TESTS}.log
Hanno Becker7be2e5b2018-08-20 12:21:35 +0100[diff] [blame]1047 if [ -n "$PXY_CMD" ]; then
1048 mv $PXY_OUT o-pxy-${TESTS}.log
1049 fi
Paul Bakkeracaac852016-05-10 11:47:13 +0100[diff] [blame]1050 fi
1051
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1052 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1053}
1054
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1055run_test_psa() {
1056 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
Hanno Beckere9420c22018-11-20 11:37:34 +0000[diff] [blame]1057 run_test "PSA-supported ciphersuite: $1" \
Hanno Becker4c8c7aa2019-04-10 09:25:41 +0100[diff] [blame]1058 "$P_SRV debug_level=3 force_version=tls1_2" \
1059 "$P_CLI debug_level=3 force_version=tls1_2 force_ciphersuite=$1" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1060 0 \
1061 -c "Successfully setup PSA-based decryption cipher context" \
1062 -c "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]1063 -c "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1064 -c "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1065 -s "Successfully setup PSA-based decryption cipher context" \
1066 -s "Successfully setup PSA-based encryption cipher context" \
Andrzej Kurek683d77e2019-01-30 03:50:42 -0500[diff] [blame]1067 -s "PSA calc verify" \
Andrzej Kurek92dd4d02019-01-30 04:10:19 -0500[diff] [blame]1068 -s "calc PSA finished" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1069 -C "Failed to setup PSA-based cipher context"\
1070 -S "Failed to setup PSA-based cipher context"\
1071 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1072 -c "Perform PSA-based ECDH computation."\
Andrzej Kureke85414e2019-01-15 05:23:59 -0500[diff] [blame]1073 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1074 -S "error" \
1075 -C "error"
1076}
1077
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1078run_test_psa_force_curve() {
1079 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
1080 run_test "PSA - ECDH with $1" \
1081 "$P_SRV debug_level=4 force_version=tls1_2" \
1082 "$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \
1083 0 \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1084 -c "Successfully setup PSA-based decryption cipher context" \
1085 -c "Successfully setup PSA-based encryption cipher context" \
1086 -c "PSA calc verify" \
1087 -c "calc PSA finished" \
1088 -s "Successfully setup PSA-based decryption cipher context" \
1089 -s "Successfully setup PSA-based encryption cipher context" \
1090 -s "PSA calc verify" \
1091 -s "calc PSA finished" \
1092 -C "Failed to setup PSA-based cipher context"\
1093 -S "Failed to setup PSA-based cipher context"\
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1094 -s "Protocol is TLSv1.2" \
Hanno Becker28f78442019-02-18 16:47:50 +0000[diff] [blame]1095 -c "Perform PSA-based ECDH computation."\
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1096 -c "Perform PSA-based computation of digest of ServerKeyExchange" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1097 -S "error" \
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1098 -C "error"
1099}
1100
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1101# Test that the server's memory usage after a handshake is reduced when a client specifies
1102# a maximum fragment length.
1103# first argument ($1) is MFL for SSL client
1104# second argument ($2) is memory usage for SSL client with default MFL (16k)
1105run_test_memory_after_hanshake_with_mfl()
1106{
1107 # The test passes if the difference is around 2*(16k-MFL)
Gilles Peskine5b428d72020-08-26 21:52:23 +0200[diff] [blame]1108 MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]1109
1110 # Leave some margin for robustness
1111 MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))"
1112
1113 run_test "Handshake memory usage (MFL $1)" \
1114 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1115 "$P_CLI debug_level=3 force_version=tls1_2 \
1116 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1117 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
1118 0 \
1119 -F "handshake_memory_check $MEMORY_USAGE_LIMIT"
1120}
1121
1122
1123# Test that the server's memory usage after a handshake is reduced when a client specifies
1124# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
1125run_tests_memory_after_hanshake()
1126{
1127 # all tests in this sequence requires the same configuration (see requires_config_enabled())
1128 SKIP_THIS_TESTS="$SKIP_NEXT"
1129
1130 # first test with default MFU is to get reference memory usage
1131 MEMORY_USAGE_MFL_16K=0
1132 run_test "Handshake memory usage initial (MFL 16384 - default)" \
1133 "$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
1134 "$P_CLI debug_level=3 force_version=tls1_2 \
1135 crt_file=data_files/server5.crt key_file=data_files/server5.key \
1136 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
1137 0 \
1138 -F "handshake_memory_get MEMORY_USAGE_MFL_16K"
1139
1140 SKIP_NEXT="$SKIP_THIS_TESTS"
1141 run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
1142
1143 SKIP_NEXT="$SKIP_THIS_TESTS"
1144 run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
1145
1146 SKIP_NEXT="$SKIP_THIS_TESTS"
1147 run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
1148
1149 SKIP_NEXT="$SKIP_THIS_TESTS"
1150 run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
1151}
1152
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1153cleanup() {
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1154 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]1155 rm -f context_srv.txt
1156 rm -f context_cli.txt
Manuel Pégourié-Gonnarda6189f02014-09-20 13:15:43 +0200[diff] [blame]1157 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
1158 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
1159 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
1160 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
Manuel Pégourié-Gonnarda9062e92014-02-25 16:21:22 +0100[diff] [blame]1161 exit 1
1162}
1163
Manuel Pégourié-Gonnard9dea8bd2014-02-26 18:21:02 +0100[diff] [blame]1164#
1165# MAIN
1166#
1167
Manuel Pégourié-Gonnard913030c2014-03-28 10:12:38 +0100[diff] [blame]1168get_options "$@"
1169
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1170# Optimize filters: if $FILTER and $EXCLUDE can be expressed as shell
1171# patterns rather than regular expressions, use a case statement instead
1172# of calling grep. To keep the optimizer simple, it is incomplete and only
1173# detects simple cases: plain substring, everything, nothing.
1174#
1175# As an exception, the character '.' is treated as an ordinary character
1176# if it is the only special character in the string. This is because it's
1177# rare to need "any one character", but needing a literal '.' is common
1178# (e.g. '-f "DTLS 1.2"').
1179need_grep=
1180case "$FILTER" in
1181 '^$') simple_filter=;;
1182 '.*') simple_filter='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1183 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1184 need_grep=1;;
1185 *) # No regexp or shell-pattern special character
1186 simple_filter="*$FILTER*";;
1187esac
1188case "$EXCLUDE" in
1189 '^$') simple_exclude=;;
1190 '.*') simple_exclude='*';;
Gilles Peskineb09e0012020-09-29 23:48:39 +0200[diff] [blame]1191 *[][$+*?\\^{\|}]*) # Regexp special characters (other than .), we need grep
Gilles Peskine9fa4ed62020-08-26 22:35:46 +0200[diff] [blame]1192 need_grep=1;;
1193 *) # No regexp or shell-pattern special character
1194 simple_exclude="*$EXCLUDE*";;
1195esac
1196if [ -n "$need_grep" ]; then
1197 is_excluded () {
1198 ! echo "$1" | grep "$FILTER" | grep -q -v "$EXCLUDE"
1199 }
1200else
1201 is_excluded () {
1202 case "$1" in
1203 $simple_exclude) true;;
1204 $simple_filter) false;;
1205 *) true;;
1206 esac
1207 }
1208fi
1209
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1210# sanity checks, avoid an avalanche of errors
Hanno Becker4ac73e72017-10-23 15:27:37 +0100[diff] [blame]1211P_SRV_BIN="${P_SRV%%[ ]*}"
1212P_CLI_BIN="${P_CLI%%[ ]*}"
1213P_PXY_BIN="${P_PXY%%[ ]*}"
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1214if [ ! -x "$P_SRV_BIN" ]; then
1215 echo "Command '$P_SRV_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1216 exit 1
1217fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1218if [ ! -x "$P_CLI_BIN" ]; then
1219 echo "Command '$P_CLI_BIN' is not an executable file"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1220 exit 1
1221fi
Hanno Becker17c04932017-10-10 14:44:53 +0100[diff] [blame]1222if [ ! -x "$P_PXY_BIN" ]; then
1223 echo "Command '$P_PXY_BIN' is not an executable file"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1224 exit 1
1225fi
Simon Butcher3c0d7b82016-05-23 11:13:17 +0100[diff] [blame]1226if [ "$MEMCHECK" -gt 0 ]; then
1227 if which valgrind >/dev/null 2>&1; then :; else
1228 echo "Memcheck not possible. Valgrind not found"
1229 exit 1
1230 fi
1231fi
Manuel Pégourié-Gonnard74faf3c2014-03-13 18:47:44 +0100[diff] [blame]1232if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
1233 echo "Command '$OPENSSL_CMD' not found"
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]1234 exit 1
1235fi
1236
Manuel Pégourié-Gonnard32f8f4d2014-05-29 11:31:20 +0200[diff] [blame]1237# used by watchdog
1238MAIN_PID="$$"
1239
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1240# We use somewhat arbitrary delays for tests:
1241# - how long do we wait for the server to start (when lsof not available)?
1242# - how long do we allow for the client to finish?
1243# (not to check performance, just to avoid waiting indefinitely)
1244# Things are slower with valgrind, so give extra time here.
1245#
1246# Note: without lsof, there is a trade-off between the running time of this
1247# script and the risk of spurious errors because we didn't wait long enough.
1248# The watchdog delay on the other hand doesn't affect normal running time of
1249# the script, only the case where a client or server gets stuck.
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1250if [ "$MEMCHECK" -gt 0 ]; then
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1251 START_DELAY=6
1252 DOG_DELAY=60
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1253else
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1254 START_DELAY=2
1255 DOG_DELAY=20
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1256fi
Manuel Pégourié-Gonnard0d225da2018-01-22 10:22:09 +0100[diff] [blame]1257
1258# some particular tests need more time:
1259# - for the client, we multiply the usual watchdog limit by a factor
1260# - for the server, we sleep for a number of seconds after the client exits
1261# see client_need_more_time() and server_needs_more_time()
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]1262CLI_DELAY_FACTOR=1
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]1263SRV_DELAY_SECONDS=0
Manuel Pégourié-Gonnard0c1ec472014-06-20 18:41:11 +0200[diff] [blame]1264
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]1265# fix commands to use this port, force IPv4 while at it
Manuel Pégourié-Gonnard0af1ba32015-01-21 11:44:33 +0000[diff] [blame]1266# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1267# Note: Using 'localhost' rather than 127.0.0.1 here is unwise, as on many
1268# machines that will resolve to ::1, and we don't want ipv6 here.
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1269P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
1270P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
Andres AGf04f54d2016-10-10 15:46:20 +0100[diff] [blame]1271P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
Gilles Peskine3aec89b2021-04-01 14:00:11 +0200[diff] [blame]1272O_SRV="$O_SRV -accept $SRV_PORT"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1273O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1274G_SRV="$G_SRV -p $SRV_PORT"
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1275G_CLI="$G_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard8066b812014-05-28 22:59:30 +0200[diff] [blame]1276
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1277if [ -n "${OPENSSL_LEGACY:-}" ]; then
1278 O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1279 O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1280fi
1281
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]1282if [ -n "${OPENSSL_NEXT:-}" ]; then
1283 O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
Paul Elliottccba1292021-10-12 16:10:37 +0100[diff] [blame]1284 O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
Paul Elliott633a74e2021-10-13 18:31:07 +0100[diff] [blame]1285fi
1286
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1287if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1288 G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT"
1289fi
1290
Hanno Becker58e9dc32018-08-17 15:53:21 +0100[diff] [blame]1291if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]1292 G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]1293fi
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1294
Gilles Peskine62469d92017-05-10 10:13:59 +0200[diff] [blame]1295# Allow SHA-1, because many of our test certificates use it
1296P_SRV="$P_SRV allow_sha1=1"
1297P_CLI="$P_CLI allow_sha1=1"
1298
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1299# Also pick a unique name for intermediate files
1300SRV_OUT="srv_out.$$"
1301CLI_OUT="cli_out.$$"
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]1302PXY_OUT="pxy_out.$$"
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]1303SESSION="session.$$"
1304
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]1305SKIP_NEXT="NO"
1306
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]1307trap cleanup INT TERM HUP
1308
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1309# Basic test
1310
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1311# Checks that:
1312# - things work with all ciphersuites active (used with config-full in all.sh)
1313# - the expected (highest security) parameters are selected
1314# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1315run_test "Default" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1316 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1317 "$P_CLI" \
1318 0 \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1319 -s "Protocol is TLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1320 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
Manuel Pégourié-Gonnard480905d2014-08-21 19:38:32 +0200[diff] [blame]1321 -s "client hello v3, signature_algorithm ext: 6" \
1322 -s "ECDHE curve: secp521r1" \
1323 -S "error" \
1324 -C "error"
Manuel Pégourié-Gonnarde73b2632014-07-12 04:00:00 +0200[diff] [blame]1325
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1326run_test "Default, DTLS" \
1327 "$P_SRV dtls=1" \
1328 "$P_CLI dtls=1" \
1329 0 \
1330 -s "Protocol is DTLSv1.2" \
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1331 -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
Manuel Pégourié-Gonnard3bb08012015-01-22 13:34:21 +0000[diff] [blame]1332
Hanno Becker721f7c12020-08-17 12:17:32 +0100[diff] [blame]1333run_test "TLS client auth: required" \
1334 "$P_SRV auth_mode=required" \
1335 "$P_CLI" \
1336 0 \
1337 -s "Verifying peer X.509 certificate... ok"
1338
Hanno Becker2f54a3c2020-08-17 12:14:06 +0100[diff] [blame]1339requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1340requires_config_enabled MBEDTLS_ECDSA_C
1341requires_config_enabled MBEDTLS_SHA256_C
1342run_test "TLS: password protected client key" \
1343 "$P_SRV auth_mode=required" \
1344 "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
1345 0
1346
1347requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1348requires_config_enabled MBEDTLS_ECDSA_C
1349requires_config_enabled MBEDTLS_SHA256_C
1350run_test "TLS: password protected server key" \
1351 "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
1352 "$P_CLI" \
1353 0
1354
1355requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1356requires_config_enabled MBEDTLS_ECDSA_C
1357requires_config_enabled MBEDTLS_RSA_C
1358requires_config_enabled MBEDTLS_SHA256_C
1359run_test "TLS: password protected server key, two certificates" \
1360 "$P_SRV \
1361 key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \
1362 key_file2=data_files/server2.key.enc key_pwd2=PolarSSLTest crt_file2=data_files/server2.crt" \
1363 "$P_CLI" \
1364 0
1365
Manuel Pégourié-Gonnard342d2ca2020-01-02 11:58:00 +0100[diff] [blame]1366requires_config_enabled MBEDTLS_ZLIB_SUPPORT
1367run_test "Default (compression enabled)" \
1368 "$P_SRV debug_level=3" \
1369 "$P_CLI debug_level=3" \
1370 0 \
1371 -s "Allocating compression buffer" \
1372 -c "Allocating compression buffer" \
1373 -s "Record expansion is unknown (compression)" \
1374 -c "Record expansion is unknown (compression)" \
1375 -S "error" \
1376 -C "error"
1377
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1378requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
1379run_test "CA callback on client" \
1380 "$P_SRV debug_level=3" \
1381 "$P_CLI ca_callback=1 debug_level=3 " \
1382 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]1383 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1384 -S "error" \
1385 -C "error"
1386
1387requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
1388requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1389requires_config_enabled MBEDTLS_ECDSA_C
1390requires_config_enabled MBEDTLS_SHA256_C
1391run_test "CA callback on server" \
1392 "$P_SRV auth_mode=required" \
1393 "$P_CLI ca_callback=1 debug_level=3 crt_file=data_files/server5.crt \
1394 key_file=data_files/server5.key" \
1395 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]1396 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]1397 -s "Verifying peer X.509 certificate... ok" \
1398 -S "error" \
1399 -C "error"
1400
Manuel Pégourié-Gonnardcfdf8f42018-11-08 09:52:25 +0100[diff] [blame]1401# Test using an opaque private key for client authentication
1402requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
1403requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
1404requires_config_enabled MBEDTLS_ECDSA_C
1405requires_config_enabled MBEDTLS_SHA256_C
1406run_test "Opaque key for client authentication" \
1407 "$P_SRV auth_mode=required" \
1408 "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
1409 key_file=data_files/server5.key" \
1410 0 \
1411 -c "key type: Opaque" \
1412 -s "Verifying peer X.509 certificate... ok" \
1413 -S "error" \
1414 -C "error"
1415
Hanno Becker9b5853c2018-11-16 17:28:40 +0000[diff] [blame]1416# Test ciphersuites which we expect to be fully supported by PSA Crypto
1417# and check that we don't fall back to Mbed TLS' internal crypto primitives.
1418run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM
1419run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
1420run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM
1421run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8
1422run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
1423run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
1424run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
1425run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
1426run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
1427
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1428requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
1429run_test_psa_force_curve "secp521r1"
1430requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED
1431run_test_psa_force_curve "brainpoolP512r1"
1432requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED
1433run_test_psa_force_curve "secp384r1"
1434requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED
1435run_test_psa_force_curve "brainpoolP384r1"
1436requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED
1437run_test_psa_force_curve "secp256r1"
1438requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED
1439run_test_psa_force_curve "secp256k1"
1440requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED
1441run_test_psa_force_curve "brainpoolP256r1"
1442requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED
1443run_test_psa_force_curve "secp224r1"
Gilles Peskinedefdc3b2021-03-23 13:59:58 +0100[diff] [blame]1444## SECP224K1 is buggy via the PSA API
1445## (https://github.com/ARMmbed/mbedtls/issues/3541),
1446## so it is disabled in PSA even when it's enabled in Mbed TLS.
1447## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but
1448## dependencies on PSA symbols in ssl-opt.sh are not implemented yet.
1449#requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED
1450#run_test_psa_force_curve "secp224k1"
Hanno Becker354e2482019-01-08 11:40:25 +0000[diff] [blame]1451requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED
1452run_test_psa_force_curve "secp192r1"
1453requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED
1454run_test_psa_force_curve "secp192k1"
1455
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1456# Test current time in ServerHello
1457requires_config_enabled MBEDTLS_HAVE_TIME
Manuel Pégourié-Gonnardce66d5e2018-06-14 11:11:15 +0200[diff] [blame]1458run_test "ServerHello contains gmt_unix_time" \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1459 "$P_SRV debug_level=3" \
1460 "$P_CLI debug_level=3" \
1461 0 \
Andres Amaya Garciab84c40b2017-09-06 15:44:01 +0100[diff] [blame]1462 -f "check_server_hello_time" \
1463 -F "check_server_hello_time"
1464
Simon Butcher8e004102016-10-14 00:48:33 +0100[diff] [blame]1465# Test for uniqueness of IVs in AEAD ciphersuites
1466run_test "Unique IV in GCM" \
1467 "$P_SRV exchanges=20 debug_level=4" \
1468 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
1469 0 \
1470 -u "IV used" \
1471 -U "IV used"
1472
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1473# Tests for certificate verification callback
1474run_test "Configuration-specific CRT verification callback" \
1475 "$P_SRV debug_level=3" \
1476 "$P_CLI context_crt_cb=0 debug_level=3" \
1477 0 \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1478 -S "error" \
1479 -c "Verify requested for " \
1480 -c "Use configuration-specific verification callback" \
1481 -C "Use context-specific verification callback" \
1482 -C "error"
1483
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1484run_test "Context-specific CRT verification callback" \
1485 "$P_SRV debug_level=3" \
1486 "$P_CLI context_crt_cb=1 debug_level=3" \
1487 0 \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1488 -S "error" \
Janos Follathee11be62019-04-04 12:03:30 +0100[diff] [blame]1489 -c "Verify requested for " \
1490 -c "Use context-specific verification callback" \
1491 -C "Use configuration-specific verification callback" \
Hanno Beckerefb440a2019-04-03 13:04:33 +0100[diff] [blame]1492 -C "error"
1493
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1494# Tests for rc4 option
1495
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1496requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1497run_test "RC4: server disabled, client enabled" \
1498 "$P_SRV" \
1499 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1500 1 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1501 -s "SSL - The server has no ciphersuites in common"
1502
Simon Butchera410af52016-05-19 22:12:18 +0100[diff] [blame]1503requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1504run_test "RC4: server half, client enabled" \
1505 "$P_SRV arc4=1" \
1506 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1507 1 \
1508 -s "SSL - The server has no ciphersuites in common"
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1509
1510run_test "RC4: server enabled, client disabled" \
1511 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1512 "$P_CLI" \
1513 1 \
1514 -s "SSL - The server has no ciphersuites in common"
1515
1516run_test "RC4: both enabled" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]1517 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1518 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1519 0 \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]1520 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]1521 -S "SSL - The server has no ciphersuites in common"
1522
Hanno Beckerd26bb202018-08-17 09:54:10 +0100[diff] [blame]1523# Test empty CA list in CertificateRequest in TLS 1.1 and earlier
1524
1525requires_gnutls
1526requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
1527run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \
1528 "$G_SRV"\
1529 "$P_CLI force_version=tls1_1" \
1530 0
1531
1532requires_gnutls
1533requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
1534run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
1535 "$G_SRV"\
1536 "$P_CLI force_version=tls1" \
1537 0
1538
Gilles Peskinebc70a182017-05-09 15:59:24 +0200[diff] [blame]1539# Tests for SHA-1 support
1540
1541run_test "SHA-1 forbidden by default in server certificate" \
1542 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1543 "$P_CLI debug_level=2 allow_sha1=0" \
1544 1 \
1545 -c "The certificate is signed with an unacceptable hash"
1546
1547run_test "SHA-1 explicitly allowed in server certificate" \
1548 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
1549 "$P_CLI allow_sha1=1" \
1550 0
1551
1552run_test "SHA-256 allowed by default in server certificate" \
1553 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
1554 "$P_CLI allow_sha1=0" \
1555 0
1556
1557run_test "SHA-1 forbidden by default in client certificate" \
1558 "$P_SRV auth_mode=required allow_sha1=0" \
1559 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1560 1 \
1561 -s "The certificate is signed with an unacceptable hash"
1562
1563run_test "SHA-1 explicitly allowed in client certificate" \
1564 "$P_SRV auth_mode=required allow_sha1=1" \
1565 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1566 0
1567
1568run_test "SHA-256 allowed by default in client certificate" \
1569 "$P_SRV auth_mode=required allow_sha1=0" \
1570 "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
1571 0
1572
Hanno Becker7ae8a762018-08-14 15:43:35 +0100[diff] [blame]1573# Tests for datagram packing
1574run_test "DTLS: multiple records in same datagram, client and server" \
1575 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1576 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1577 0 \
1578 -c "next record in same datagram" \
1579 -s "next record in same datagram"
1580
1581run_test "DTLS: multiple records in same datagram, client only" \
1582 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1583 "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
1584 0 \
1585 -s "next record in same datagram" \
1586 -C "next record in same datagram"
1587
1588run_test "DTLS: multiple records in same datagram, server only" \
1589 "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
1590 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1591 0 \
1592 -S "next record in same datagram" \
1593 -c "next record in same datagram"
1594
1595run_test "DTLS: multiple records in same datagram, neither client nor server" \
1596 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
1597 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
1598 0 \
1599 -S "next record in same datagram" \
1600 -C "next record in same datagram"
1601
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1602# Tests for Truncated HMAC extension
1603
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1604run_test "Truncated HMAC: client default, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1605 "$P_SRV debug_level=4" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1606 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1607 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1608 -s "dumping 'expected mac' (20 bytes)" \
1609 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]1610
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1611requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1612run_test "Truncated HMAC: client disabled, server default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]1613 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1614 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1615 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1616 -s "dumping 'expected mac' (20 bytes)" \
1617 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1618
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1619requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1620run_test "Truncated HMAC: client enabled, server default" \
1621 "$P_SRV debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1622 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1623 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1624 -s "dumping 'expected mac' (20 bytes)" \
1625 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1626
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1627requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1628run_test "Truncated HMAC: client enabled, server disabled" \
1629 "$P_SRV debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1630 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1631 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1632 -s "dumping 'expected mac' (20 bytes)" \
1633 -S "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1634
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]1635requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1636run_test "Truncated HMAC: client disabled, server enabled" \
1637 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1638 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker34d0c3f2017-11-17 15:46:24 +0000[diff] [blame]1639 0 \
1640 -s "dumping 'expected mac' (20 bytes)" \
1641 -S "dumping 'expected mac' (10 bytes)"
1642
1643requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1644run_test "Truncated HMAC: client enabled, server enabled" \
1645 "$P_SRV debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1646 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnarde117a8f2015-01-09 12:39:35 +0100[diff] [blame]1647 0 \
Hanno Becker992b6872017-11-09 18:57:39 +0000[diff] [blame]1648 -S "dumping 'expected mac' (20 bytes)" \
1649 -s "dumping 'expected mac' (10 bytes)"
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1650
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1651run_test "Truncated HMAC, DTLS: client default, server default" \
1652 "$P_SRV dtls=1 debug_level=4" \
1653 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
1654 0 \
1655 -s "dumping 'expected mac' (20 bytes)" \
1656 -S "dumping 'expected mac' (10 bytes)"
1657
1658requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1659run_test "Truncated HMAC, DTLS: client disabled, server default" \
1660 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1661 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1662 0 \
1663 -s "dumping 'expected mac' (20 bytes)" \
1664 -S "dumping 'expected mac' (10 bytes)"
1665
1666requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1667run_test "Truncated HMAC, DTLS: client enabled, server default" \
1668 "$P_SRV dtls=1 debug_level=4" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1669 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1670 0 \
1671 -s "dumping 'expected mac' (20 bytes)" \
1672 -S "dumping 'expected mac' (10 bytes)"
1673
1674requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1675run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
1676 "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1677 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1678 0 \
1679 -s "dumping 'expected mac' (20 bytes)" \
1680 -S "dumping 'expected mac' (10 bytes)"
1681
1682requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1683run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
1684 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1685 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
Hanno Becker4c4f4102017-11-10 09:16:05 +0000[diff] [blame]1686 0 \
1687 -s "dumping 'expected mac' (20 bytes)" \
1688 -S "dumping 'expected mac' (10 bytes)"
1689
1690requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
1691run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
1692 "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]1693 "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardeaadc502014-02-20 11:01:30 +0100[diff] [blame]1694 0 \
1695 -S "dumping 'expected mac' (20 bytes)" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]1696 -s "dumping 'expected mac' (10 bytes)"
1697
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1698# Tests for Context serialization
1699
1700requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1701run_test "Context serialization, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1702 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1703 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1704 0 \
1705 -c "Deserializing connection..." \
1706 -S "Deserializing connection..."
1707
1708requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1709run_test "Context serialization, client serializes, ChaChaPoly" \
1710 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1711 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1712 0 \
1713 -c "Deserializing connection..." \
1714 -S "Deserializing connection..."
1715
1716requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1717run_test "Context serialization, client serializes, GCM" \
1718 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1719 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1720 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1721 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1722 -S "Deserializing connection..."
1723
1724requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1725requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1726run_test "Context serialization, client serializes, with CID" \
1727 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1728 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1729 0 \
1730 -c "Deserializing connection..." \
1731 -S "Deserializing connection..."
1732
1733requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1734run_test "Context serialization, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1735 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1736 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1737 0 \
1738 -C "Deserializing connection..." \
1739 -s "Deserializing connection..."
1740
1741requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1742run_test "Context serialization, server serializes, ChaChaPoly" \
1743 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1744 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1745 0 \
1746 -C "Deserializing connection..." \
1747 -s "Deserializing connection..."
1748
1749requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1750run_test "Context serialization, server serializes, GCM" \
1751 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1752 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1753 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1754 -C "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1755 -s "Deserializing connection..."
1756
1757requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1758requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1759run_test "Context serialization, server serializes, with CID" \
1760 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1761 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1762 0 \
1763 -C "Deserializing connection..." \
1764 -s "Deserializing connection..."
1765
1766requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1767run_test "Context serialization, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1768 "$P_SRV dtls=1 serialize=1 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1769 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1770 0 \
1771 -c "Deserializing connection..." \
1772 -s "Deserializing connection..."
1773
1774requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1775run_test "Context serialization, both serialize, ChaChaPoly" \
1776 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1777 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1778 0 \
1779 -c "Deserializing connection..." \
1780 -s "Deserializing connection..."
1781
1782requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1783run_test "Context serialization, both serialize, GCM" \
1784 "$P_SRV dtls=1 serialize=1 exchanges=2" \
1785 "$P_CLI dtls=1 serialize=1 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1786 0 \
Jarno Lamsacbee1b32019-06-04 15:18:19 +0300[diff] [blame]1787 -c "Deserializing connection..." \
Jarno Lamsa2937d812019-06-04 11:33:23 +0300[diff] [blame]1788 -s "Deserializing connection..."
1789
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1790requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1791requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1792run_test "Context serialization, both serialize, with CID" \
1793 "$P_SRV dtls=1 serialize=1 exchanges=2 cid=1 cid_val=dead" \
1794 "$P_CLI dtls=1 serialize=1 exchanges=2 cid=1 cid_val=beef" \
1795 0 \
1796 -c "Deserializing connection..." \
1797 -s "Deserializing connection..."
1798
1799requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1800run_test "Context serialization, re-init, client serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1801 "$P_SRV dtls=1 serialize=0 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1802 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1803 0 \
1804 -c "Deserializing connection..." \
1805 -S "Deserializing connection..."
1806
1807requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1808run_test "Context serialization, re-init, client serializes, ChaChaPoly" \
1809 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1810 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1811 0 \
1812 -c "Deserializing connection..." \
1813 -S "Deserializing connection..."
1814
1815requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1816run_test "Context serialization, re-init, client serializes, GCM" \
1817 "$P_SRV dtls=1 serialize=0 exchanges=2" \
1818 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1819 0 \
1820 -c "Deserializing connection..." \
1821 -S "Deserializing connection..."
1822
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1823requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1824requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1825run_test "Context serialization, re-init, client serializes, with CID" \
1826 "$P_SRV dtls=1 serialize=0 exchanges=2 cid=1 cid_val=dead" \
1827 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1828 0 \
1829 -c "Deserializing connection..." \
1830 -S "Deserializing connection..."
1831
1832requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1833run_test "Context serialization, re-init, server serializes, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1834 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1835 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1836 0 \
1837 -C "Deserializing connection..." \
1838 -s "Deserializing connection..."
1839
1840requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1841run_test "Context serialization, re-init, server serializes, ChaChaPoly" \
1842 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1843 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1844 0 \
1845 -C "Deserializing connection..." \
1846 -s "Deserializing connection..."
1847
1848requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1849run_test "Context serialization, re-init, server serializes, GCM" \
1850 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1851 "$P_CLI dtls=1 serialize=0 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1852 0 \
1853 -C "Deserializing connection..." \
1854 -s "Deserializing connection..."
1855
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1856requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1857requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1858run_test "Context serialization, re-init, server serializes, with CID" \
1859 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1860 "$P_CLI dtls=1 serialize=0 exchanges=2 cid=1 cid_val=beef" \
1861 0 \
1862 -C "Deserializing connection..." \
1863 -s "Deserializing connection..."
1864
1865requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1866run_test "Context serialization, re-init, both serialize, CCM" \
Manuel Pégourié-Gonnard862b3192019-07-23 14:13:43 +0200[diff] [blame]1867 "$P_SRV dtls=1 serialize=2 exchanges=2" \
Hanno Beckere0b90ec2019-08-30 11:32:12 +0100[diff] [blame]1868 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
1869 0 \
1870 -c "Deserializing connection..." \
1871 -s "Deserializing connection..."
1872
1873requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1874run_test "Context serialization, re-init, both serialize, ChaChaPoly" \
1875 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1876 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
1877 0 \
1878 -c "Deserializing connection..." \
1879 -s "Deserializing connection..."
1880
1881requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1882run_test "Context serialization, re-init, both serialize, GCM" \
1883 "$P_SRV dtls=1 serialize=2 exchanges=2" \
1884 "$P_CLI dtls=1 serialize=2 exchanges=2 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256" \
Jarno Lamsac2376f02019-06-06 10:44:14 +0300[diff] [blame]1885 0 \
1886 -c "Deserializing connection..." \
1887 -s "Deserializing connection..."
1888
Hanno Becker1b18fd32019-08-30 11:18:59 +0100[diff] [blame]1889requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1890requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
1891run_test "Context serialization, re-init, both serialize, with CID" \
1892 "$P_SRV dtls=1 serialize=2 exchanges=2 cid=1 cid_val=dead" \
1893 "$P_CLI dtls=1 serialize=2 exchanges=2 cid=1 cid_val=beef" \
1894 0 \
1895 -c "Deserializing connection..." \
1896 -s "Deserializing connection..."
1897
Piotr Nowicki3de298f2020-04-16 14:35:19 +0200[diff] [blame]1898requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
1899run_test "Saving the serialized context to a file" \
1900 "$P_SRV dtls=1 serialize=1 context_file=context_srv.txt" \
1901 "$P_CLI dtls=1 serialize=1 context_file=context_cli.txt" \
1902 0 \
1903 -s "Save serialized context to a file... ok" \
1904 -c "Save serialized context to a file... ok"
1905rm -f context_srv.txt
1906rm -f context_cli.txt
1907
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1908# Tests for DTLS Connection ID extension
1909
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1910# So far, the CID API isn't implemented, so we can't
1911# grep for output witnessing its use. This needs to be
1912# changed once the CID extension is implemented.
1913
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1914requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1915run_test "Connection ID: Cli enabled, Srv disabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1916 "$P_SRV debug_level=3 dtls=1 cid=0" \
1917 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1918 0 \
1919 -s "Disable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1920 -s "found CID extension" \
1921 -s "Client sent CID extension, but CID disabled" \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1922 -c "Enable use of CID extension." \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1923 -c "client hello, adding CID extension" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1924 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1925 -C "found CID extension" \
1926 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1927 -C "Copy CIDs into SSL transform" \
1928 -c "Use of Connection ID was rejected by the server"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1929
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1930requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1931run_test "Connection ID: Cli disabled, Srv enabled" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1932 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
1933 "$P_CLI debug_level=3 dtls=1 cid=0" \
1934 0 \
1935 -c "Disable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1936 -C "client hello, adding CID extension" \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1937 -S "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1938 -s "Enable use of CID extension." \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1939 -S "server hello, adding CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1940 -C "found CID extension" \
1941 -S "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]1942 -C "Copy CIDs into SSL transform" \
Hanno Beckerb3e9dd52019-05-08 13:19:53 +0100[diff] [blame]1943 -s "Use of Connection ID was not offered by client"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1944
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1945requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1946run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]1947 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
1948 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
1949 0 \
1950 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]1951 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]1952 -c "client hello, adding CID extension" \
1953 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]1954 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]1955 -s "server hello, adding CID extension" \
1956 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]1957 -c "Use of CID extension negotiated" \
1958 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]1959 -c "Copy CIDs into SSL transform" \
1960 -c "Peer CID (length 2 Bytes): de ad" \
1961 -s "Peer CID (length 2 Bytes): be ef" \
1962 -s "Use of Connection ID has been negotiated" \
1963 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]1964
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1965requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1966run_test "Connection ID, 3D: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]1967 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1968 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead" \
1969 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef" \
1970 0 \
1971 -c "Enable use of CID extension." \
1972 -s "Enable use of CID extension." \
1973 -c "client hello, adding CID extension" \
1974 -s "found CID extension" \
1975 -s "Use of CID extension negotiated" \
1976 -s "server hello, adding CID extension" \
1977 -c "found CID extension" \
1978 -c "Use of CID extension negotiated" \
1979 -s "Copy CIDs into SSL transform" \
1980 -c "Copy CIDs into SSL transform" \
1981 -c "Peer CID (length 2 Bytes): de ad" \
1982 -s "Peer CID (length 2 Bytes): be ef" \
1983 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]1984 -c "Use of Connection ID has been negotiated" \
1985 -c "ignoring unexpected CID" \
1986 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1987
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]1988requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]1989run_test "Connection ID, MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
1990 -p "$P_PXY mtu=800" \
1991 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
1992 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
1993 0 \
1994 -c "Enable use of CID extension." \
1995 -s "Enable use of CID extension." \
1996 -c "client hello, adding CID extension" \
1997 -s "found CID extension" \
1998 -s "Use of CID extension negotiated" \
1999 -s "server hello, adding CID extension" \
2000 -c "found CID extension" \
2001 -c "Use of CID extension negotiated" \
2002 -s "Copy CIDs into SSL transform" \
2003 -c "Copy CIDs into SSL transform" \
2004 -c "Peer CID (length 2 Bytes): de ad" \
2005 -s "Peer CID (length 2 Bytes): be ef" \
2006 -s "Use of Connection ID has been negotiated" \
2007 -c "Use of Connection ID has been negotiated"
2008
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2009requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2010run_test "Connection ID, 3D+MTU: Cli+Srv enabled, Cli+Srv CID nonempty" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2011 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2012 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead" \
2013 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef" \
2014 0 \
2015 -c "Enable use of CID extension." \
2016 -s "Enable use of CID extension." \
2017 -c "client hello, adding CID extension" \
2018 -s "found CID extension" \
2019 -s "Use of CID extension negotiated" \
2020 -s "server hello, adding CID extension" \
2021 -c "found CID extension" \
2022 -c "Use of CID extension negotiated" \
2023 -s "Copy CIDs into SSL transform" \
2024 -c "Copy CIDs into SSL transform" \
2025 -c "Peer CID (length 2 Bytes): de ad" \
2026 -s "Peer CID (length 2 Bytes): be ef" \
2027 -s "Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2028 -c "Use of Connection ID has been negotiated" \
2029 -c "ignoring unexpected CID" \
2030 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2031
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2032requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2033run_test "Connection ID: Cli+Srv enabled, Cli CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2034 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2035 "$P_CLI debug_level=3 dtls=1 cid=1" \
2036 0 \
2037 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2038 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2039 -c "client hello, adding CID extension" \
2040 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2041 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2042 -s "server hello, adding CID extension" \
2043 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2044 -c "Use of CID extension negotiated" \
2045 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2046 -c "Copy CIDs into SSL transform" \
2047 -c "Peer CID (length 4 Bytes): de ad be ef" \
2048 -s "Peer CID (length 0 Bytes):" \
2049 -s "Use of Connection ID has been negotiated" \
2050 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2051
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2052requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2053run_test "Connection ID: Cli+Srv enabled, Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2054 "$P_SRV debug_level=3 dtls=1 cid=1" \
2055 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2056 0 \
2057 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2058 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2059 -c "client hello, adding CID extension" \
2060 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2061 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2062 -s "server hello, adding CID extension" \
2063 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2064 -c "Use of CID extension negotiated" \
2065 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2066 -c "Copy CIDs into SSL transform" \
2067 -s "Peer CID (length 4 Bytes): de ad be ef" \
2068 -c "Peer CID (length 0 Bytes):" \
2069 -s "Use of Connection ID has been negotiated" \
2070 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2071
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2072requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2073run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2074 "$P_SRV debug_level=3 dtls=1 cid=1" \
2075 "$P_CLI debug_level=3 dtls=1 cid=1" \
2076 0 \
2077 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2078 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2079 -c "client hello, adding CID extension" \
2080 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2081 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2082 -s "server hello, adding CID extension" \
2083 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2084 -c "Use of CID extension negotiated" \
2085 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2086 -c "Copy CIDs into SSL transform" \
2087 -S "Use of Connection ID has been negotiated" \
2088 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2089
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2090requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2091run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2092 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
2093 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2094 0 \
2095 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2096 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2097 -c "client hello, adding CID extension" \
2098 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2099 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2100 -s "server hello, adding CID extension" \
2101 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2102 -c "Use of CID extension negotiated" \
2103 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2104 -c "Copy CIDs into SSL transform" \
2105 -c "Peer CID (length 2 Bytes): de ad" \
2106 -s "Peer CID (length 2 Bytes): be ef" \
2107 -s "Use of Connection ID has been negotiated" \
2108 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2109
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2110requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2111run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2112 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2113 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2114 0 \
2115 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2116 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2117 -c "client hello, adding CID extension" \
2118 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2119 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2120 -s "server hello, adding CID extension" \
2121 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2122 -c "Use of CID extension negotiated" \
2123 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2124 -c "Copy CIDs into SSL transform" \
2125 -c "Peer CID (length 4 Bytes): de ad be ef" \
2126 -s "Peer CID (length 0 Bytes):" \
2127 -s "Use of Connection ID has been negotiated" \
2128 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2129
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2130requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2131run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2132 "$P_SRV debug_level=3 dtls=1 cid=1" \
2133 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2134 0 \
2135 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2136 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2137 -c "client hello, adding CID extension" \
2138 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2139 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2140 -s "server hello, adding CID extension" \
2141 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2142 -c "Use of CID extension negotiated" \
2143 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2144 -c "Copy CIDs into SSL transform" \
2145 -s "Peer CID (length 4 Bytes): de ad be ef" \
2146 -c "Peer CID (length 0 Bytes):" \
2147 -s "Use of Connection ID has been negotiated" \
2148 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2149
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2150requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2151run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CCM-8" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2152 "$P_SRV debug_level=3 dtls=1 cid=1" \
2153 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
2154 0 \
2155 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2156 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2157 -c "client hello, adding CID extension" \
2158 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2159 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2160 -s "server hello, adding CID extension" \
2161 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2162 -c "Use of CID extension negotiated" \
2163 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2164 -c "Copy CIDs into SSL transform" \
2165 -S "Use of Connection ID has been negotiated" \
2166 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2167
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2168requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2169run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID nonempty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2170 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
2171 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2172 0 \
2173 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2174 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2175 -c "client hello, adding CID extension" \
2176 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2177 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2178 -s "server hello, adding CID extension" \
2179 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2180 -c "Use of CID extension negotiated" \
2181 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2182 -c "Copy CIDs into SSL transform" \
2183 -c "Peer CID (length 2 Bytes): de ad" \
2184 -s "Peer CID (length 2 Bytes): be ef" \
2185 -s "Use of Connection ID has been negotiated" \
2186 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2187
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2188requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2189run_test "Connection ID: Cli+Srv enabled, Cli CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2190 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
2191 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2192 0 \
2193 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2194 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2195 -c "client hello, adding CID extension" \
2196 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2197 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2198 -s "server hello, adding CID extension" \
2199 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2200 -c "Use of CID extension negotiated" \
2201 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2202 -c "Copy CIDs into SSL transform" \
2203 -c "Peer CID (length 4 Bytes): de ad be ef" \
2204 -s "Peer CID (length 0 Bytes):" \
2205 -s "Use of Connection ID has been negotiated" \
2206 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2207
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2208requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2209run_test "Connection ID: Cli+Srv enabled, Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2210 "$P_SRV debug_level=3 dtls=1 cid=1" \
2211 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2212 0 \
2213 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2214 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2215 -c "client hello, adding CID extension" \
2216 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2217 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2218 -s "server hello, adding CID extension" \
2219 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2220 -c "Use of CID extension negotiated" \
2221 -s "Copy CIDs into SSL transform" \
Hanno Becker2749a672019-05-03 17:04:23 +0100[diff] [blame]2222 -c "Copy CIDs into SSL transform" \
2223 -s "Peer CID (length 4 Bytes): de ad be ef" \
2224 -c "Peer CID (length 0 Bytes):" \
2225 -s "Use of Connection ID has been negotiated" \
2226 -c "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2227
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2228requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2229run_test "Connection ID: Cli+Srv enabled, Cli+Srv CID empty, AES-128-CBC" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2230 "$P_SRV debug_level=3 dtls=1 cid=1" \
2231 "$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
2232 0 \
2233 -c "Enable use of CID extension." \
Hanno Becker6b78c832019-04-25 17:01:43 +0100[diff] [blame]2234 -s "Enable use of CID extension." \
Hanno Becker7dee2c62019-04-26 14:17:56 +0100[diff] [blame]2235 -c "client hello, adding CID extension" \
2236 -s "found CID extension" \
Hanno Becker4bc9e9d2019-04-26 16:00:29 +0100[diff] [blame]2237 -s "Use of CID extension negotiated" \
Hanno Beckera6a4c762019-04-26 16:13:31 +0100[diff] [blame]2238 -s "server hello, adding CID extension" \
2239 -c "found CID extension" \
Hanno Becker9ecb6c62019-04-26 16:23:52 +0100[diff] [blame]2240 -c "Use of CID extension negotiated" \
2241 -s "Copy CIDs into SSL transform" \
Hanno Beckerfcffdcc2019-04-26 17:19:46 +0100[diff] [blame]2242 -c "Copy CIDs into SSL transform" \
2243 -S "Use of Connection ID has been negotiated" \
2244 -C "Use of Connection ID has been negotiated"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2245
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2246requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker9bae30d2019-04-23 11:52:44 +0100[diff] [blame]2247requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2248run_test "Connection ID: Cli+Srv enabled, renegotiate without change of CID" \
Hanno Beckerf157a972019-04-25 16:05:45 +0100[diff] [blame]2249 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2250 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2251 0 \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2252 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2253 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2254 -s "(initial handshake) Use of Connection ID has been negotiated" \
2255 -c "(initial handshake) Use of Connection ID has been negotiated" \
2256 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2257 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2258 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2259 -c "(after renegotiation) Use of Connection ID has been negotiated"
2260
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2261requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2262requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2263run_test "Connection ID: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2264 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2265 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2266 0 \
2267 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2268 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2269 -s "(initial handshake) Use of Connection ID has been negotiated" \
2270 -c "(initial handshake) Use of Connection ID has been negotiated" \
2271 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2272 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2273 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2274 -c "(after renegotiation) Use of Connection ID has been negotiated"
2275
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2276requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2277requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2278run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate with different CID" \
2279 "$P_SRV debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=dead cid_val_renego=beef renegotiation=1" \
2280 "$P_CLI debug_level=3 dtls=1 cid=1 dgram_packing=0 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2281 0 \
2282 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2283 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2284 -s "(initial handshake) Use of Connection ID has been negotiated" \
2285 -c "(initial handshake) Use of Connection ID has been negotiated" \
2286 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2287 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2288 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2289 -c "(after renegotiation) Use of Connection ID has been negotiated"
2290
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2291requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2292requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2293run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate with different CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2294 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2295 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_val_renego=beef renegotiation=1" \
2296 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_val_renego=dead renegotiation=1 renegotiate=1" \
2297 0 \
2298 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2299 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2300 -s "(initial handshake) Use of Connection ID has been negotiated" \
2301 -c "(initial handshake) Use of Connection ID has been negotiated" \
2302 -c "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2303 -s "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2304 -s "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2305 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2306 -c "ignoring unexpected CID" \
2307 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2308
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2309requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2310requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2311run_test "Connection ID: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2312 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2313 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2314 0 \
2315 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2316 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2317 -s "(initial handshake) Use of Connection ID has been negotiated" \
2318 -c "(initial handshake) Use of Connection ID has been negotiated" \
2319 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2320 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2321 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2322 -S "(after renegotiation) Use of Connection ID has been negotiated"
2323
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2324requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2325requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2326run_test "Connection ID, no packing: Cli+Srv enabled, renegotiate without CID" \
2327 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2328 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2329 0 \
2330 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2331 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2332 -s "(initial handshake) Use of Connection ID has been negotiated" \
2333 -c "(initial handshake) Use of Connection ID has been negotiated" \
2334 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2335 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2336 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2337 -S "(after renegotiation) Use of Connection ID has been negotiated"
2338
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2339requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2340requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2341run_test "Connection ID, 3D+MTU: Cli+Srv enabled, renegotiate without CID" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2342 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2343 "$P_SRV debug_level=3 mtu=800 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2344 "$P_CLI debug_level=3 mtu=800 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2345 0 \
2346 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2347 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2348 -s "(initial handshake) Use of Connection ID has been negotiated" \
2349 -c "(initial handshake) Use of Connection ID has been negotiated" \
2350 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2351 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2352 -C "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2353 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2354 -c "ignoring unexpected CID" \
2355 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2356
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2357requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2358requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2359run_test "Connection ID: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2360 "$P_SRV debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2361 "$P_CLI debug_level=3 dtls=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2362 0 \
2363 -S "(initial handshake) Use of Connection ID has been negotiated" \
2364 -C "(initial handshake) Use of Connection ID has been negotiated" \
2365 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2366 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2367 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2368 -s "(after renegotiation) Use of Connection ID has been negotiated"
2369
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2370requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2371requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2372run_test "Connection ID, no packing: Cli+Srv enabled, CID on renegotiation" \
2373 "$P_SRV debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2374 "$P_CLI debug_level=3 dtls=1 dgram_packing=0 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2375 0 \
2376 -S "(initial handshake) Use of Connection ID has been negotiated" \
2377 -C "(initial handshake) Use of Connection ID has been negotiated" \
2378 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2379 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2380 -c "(after renegotiation) Use of Connection ID has been negotiated" \
2381 -s "(after renegotiation) Use of Connection ID has been negotiated"
2382
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2383requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerc2045b02019-05-08 16:20:46 +0100[diff] [blame]2384requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2385run_test "Connection ID, 3D+MTU: Cli+Srv enabled, CID on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2386 -p "$P_PXY mtu=800 drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2387 "$P_SRV debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=dead renegotiation=1" \
2388 "$P_CLI debug_level=3 mtu=800 dtls=1 dgram_packing=1 cid=0 cid_renego=1 cid_val_renego=beef renegotiation=1 renegotiate=1" \
2389 0 \
2390 -S "(initial handshake) Use of Connection ID has been negotiated" \
2391 -C "(initial handshake) Use of Connection ID has been negotiated" \
2392 -c "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2393 -s "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2394 -c "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2395 -s "(after renegotiation) Use of Connection ID has been negotiated" \
2396 -c "ignoring unexpected CID" \
2397 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2398
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2399requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2400requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2401run_test "Connection ID: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2402 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2403 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2404 0 \
2405 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2406 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2407 -s "(initial handshake) Use of Connection ID has been negotiated" \
2408 -c "(initial handshake) Use of Connection ID has been negotiated" \
2409 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2410 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2411 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2412 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2413 -s "(after renegotiation) Use of Connection ID was not offered by client"
2414
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2415requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2416requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2417run_test "Connection ID, 3D: Cli+Srv enabled, Cli disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2418 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2419 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
2420 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef cid_renego=0 renegotiation=1 renegotiate=1" \
2421 0 \
2422 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2423 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2424 -s "(initial handshake) Use of Connection ID has been negotiated" \
2425 -c "(initial handshake) Use of Connection ID has been negotiated" \
2426 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2427 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2428 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2429 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2430 -s "(after renegotiation) Use of Connection ID was not offered by client" \
2431 -c "ignoring unexpected CID" \
2432 -s "ignoring unexpected CID"
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2433
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2434requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2435requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2436run_test "Connection ID: Cli+Srv enabled, Srv disables on renegotiation" \
2437 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2438 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2439 0 \
2440 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2441 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2442 -s "(initial handshake) Use of Connection ID has been negotiated" \
2443 -c "(initial handshake) Use of Connection ID has been negotiated" \
2444 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2445 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2446 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2447 -S "(after renegotiation) Use of Connection ID has been negotiated" \
2448 -c "(after renegotiation) Use of Connection ID was rejected by the server"
2449
Hanno Beckera0e20d02019-05-15 14:03:01 +0100[diff] [blame]2450requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
Hanno Becker78c91372019-05-08 13:31:15 +0100[diff] [blame]2451requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
2452run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2453 -p "$P_PXY drop=5 delay=5 duplicate=5 bad_cid=1" \
Hanno Beckerb42ec0d2019-05-03 17:30:59 +0100[diff] [blame]2454 "$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead cid_renego=0 renegotiation=1" \
2455 "$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
2456 0 \
2457 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2458 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2459 -s "(initial handshake) Use of Connection ID has been negotiated" \
2460 -c "(initial handshake) Use of Connection ID has been negotiated" \
2461 -C "(after renegotiation) Peer CID (length 2 Bytes): de ad" \
2462 -S "(after renegotiation) Peer CID (length 2 Bytes): be ef" \
2463 -C "(after renegotiation) Use of Connection ID has been negotiated" \
2464 -S "(after renegotiation) Use of Connection ID has been negotiated" \
Hanno Beckerd0ac5fa2019-05-24 10:11:23 +0100[diff] [blame]2465 -c "(after renegotiation) Use of Connection ID was rejected by the server" \
2466 -c "ignoring unexpected CID" \
2467 -s "ignoring unexpected CID"
Hanno Becker7cf463e2019-04-09 18:08:47 +0100[diff] [blame]2468
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2469# This and the test below it require MAX_CONTENT_LEN to be at least MFL+1, because the
2470# tests check that the buffer contents are reallocated when the message is
2471# larger than the buffer.
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2472requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2473requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2474requires_max_content_len 513
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2475run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \
2476 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2477 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \
2478 0 \
2479 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2480 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2481 -s "(initial handshake) Use of Connection ID has been negotiated" \
2482 -c "(initial handshake) Use of Connection ID has been negotiated" \
2483 -s "Reallocating in_buf" \
2484 -s "Reallocating out_buf"
2485
2486requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
2487requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
Yuto Takano71879532021-07-09 11:32:38 +0100[diff] [blame]2488requires_max_content_len 1025
Andrzej Kurekb6577832020-06-08 07:08:03 -0400[diff] [blame]2489run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \
2490 "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
2491 "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \
2492 0 \
2493 -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
2494 -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
2495 -s "(initial handshake) Use of Connection ID has been negotiated" \
2496 -c "(initial handshake) Use of Connection ID has been negotiated" \
2497 -s "Reallocating in_buf" \
2498 -s "Reallocating out_buf"
2499
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2500# Tests for Encrypt-then-MAC extension
2501
2502run_test "Encrypt then MAC: default" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2503 "$P_SRV debug_level=3 \
2504 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2505 "$P_CLI debug_level=3" \
2506 0 \
2507 -c "client hello, adding encrypt_then_mac extension" \
2508 -s "found encrypt then mac extension" \
2509 -s "server hello, adding encrypt then mac extension" \
2510 -c "found encrypt_then_mac extension" \
2511 -c "using encrypt then mac" \
2512 -s "using encrypt then mac"
2513
2514run_test "Encrypt then MAC: client enabled, server disabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2515 "$P_SRV debug_level=3 etm=0 \
2516 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2517 "$P_CLI debug_level=3 etm=1" \
2518 0 \
2519 -c "client hello, adding encrypt_then_mac extension" \
2520 -s "found encrypt then mac extension" \
2521 -S "server hello, adding encrypt then mac extension" \
2522 -C "found encrypt_then_mac extension" \
2523 -C "using encrypt then mac" \
2524 -S "using encrypt then mac"
2525
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2526run_test "Encrypt then MAC: client enabled, aead cipher" \
2527 "$P_SRV debug_level=3 etm=1 \
2528 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
2529 "$P_CLI debug_level=3 etm=1" \
2530 0 \
2531 -c "client hello, adding encrypt_then_mac extension" \
2532 -s "found encrypt then mac extension" \
2533 -S "server hello, adding encrypt then mac extension" \
2534 -C "found encrypt_then_mac extension" \
2535 -C "using encrypt then mac" \
2536 -S "using encrypt then mac"
2537
2538run_test "Encrypt then MAC: client enabled, stream cipher" \
2539 "$P_SRV debug_level=3 etm=1 \
2540 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2541 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard78e745f2014-11-04 15:44:06 +0100[diff] [blame]2542 0 \
2543 -c "client hello, adding encrypt_then_mac extension" \
2544 -s "found encrypt then mac extension" \
2545 -S "server hello, adding encrypt then mac extension" \
2546 -C "found encrypt_then_mac extension" \
2547 -C "using encrypt then mac" \
2548 -S "using encrypt then mac"
2549
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2550run_test "Encrypt then MAC: client disabled, server enabled" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2551 "$P_SRV debug_level=3 etm=1 \
2552 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2553 "$P_CLI debug_level=3 etm=0" \
2554 0 \
2555 -C "client hello, adding encrypt_then_mac extension" \
2556 -S "found encrypt then mac extension" \
2557 -S "server hello, adding encrypt then mac extension" \
2558 -C "found encrypt_then_mac extension" \
2559 -C "using encrypt then mac" \
2560 -S "using encrypt then mac"
2561
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2562requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2563run_test "Encrypt then MAC: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2564 "$P_SRV debug_level=3 min_version=ssl3 \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2565 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2566 "$P_CLI debug_level=3 force_version=ssl3" \
2567 0 \
2568 -C "client hello, adding encrypt_then_mac extension" \
2569 -S "found encrypt then mac extension" \
2570 -S "server hello, adding encrypt then mac extension" \
2571 -C "found encrypt_then_mac extension" \
2572 -C "using encrypt then mac" \
2573 -S "using encrypt then mac"
2574
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2575requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2576run_test "Encrypt then MAC: client enabled, server SSLv3" \
Manuel Pégourié-Gonnard0098e7d2014-10-28 13:08:59 +0100[diff] [blame]2577 "$P_SRV debug_level=3 force_version=ssl3 \
2578 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2579 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2580 0 \
2581 -c "client hello, adding encrypt_then_mac extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2582 -S "found encrypt then mac extension" \
Manuel Pégourié-Gonnard699cafa2014-10-27 13:57:03 +0100[diff] [blame]2583 -S "server hello, adding encrypt then mac extension" \
2584 -C "found encrypt_then_mac extension" \
2585 -C "using encrypt then mac" \
2586 -S "using encrypt then mac"
2587
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2588# Tests for Extended Master Secret extension
2589
2590run_test "Extended Master Secret: default" \
2591 "$P_SRV debug_level=3" \
2592 "$P_CLI debug_level=3" \
2593 0 \
2594 -c "client hello, adding extended_master_secret extension" \
2595 -s "found extended master secret extension" \
2596 -s "server hello, adding extended master secret extension" \
2597 -c "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2598 -c "session hash for extended master secret" \
2599 -s "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2600
2601run_test "Extended Master Secret: client enabled, server disabled" \
2602 "$P_SRV debug_level=3 extended_ms=0" \
2603 "$P_CLI debug_level=3 extended_ms=1" \
2604 0 \
2605 -c "client hello, adding extended_master_secret extension" \
2606 -s "found extended master secret extension" \
2607 -S "server hello, adding extended master secret extension" \
2608 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2609 -C "session hash for extended master secret" \
2610 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2611
2612run_test "Extended Master Secret: client disabled, server enabled" \
2613 "$P_SRV debug_level=3 extended_ms=1" \
2614 "$P_CLI debug_level=3 extended_ms=0" \
2615 0 \
2616 -C "client hello, adding extended_master_secret extension" \
2617 -S "found extended master secret extension" \
2618 -S "server hello, adding extended master secret extension" \
2619 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2620 -C "session hash for extended master secret" \
2621 -S "session hash for extended master secret"
Manuel Pégourié-Gonnard367381f2014-10-20 18:40:56 +0200[diff] [blame]2622
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2623requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2624run_test "Extended Master Secret: client SSLv3, server enabled" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2625 "$P_SRV debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2626 "$P_CLI debug_level=3 force_version=ssl3" \
2627 0 \
2628 -C "client hello, adding extended_master_secret extension" \
2629 -S "found extended master secret extension" \
2630 -S "server hello, adding extended master secret extension" \
2631 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2632 -C "session hash for extended master secret" \
2633 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2634
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2635requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2636run_test "Extended Master Secret: client enabled, server SSLv3" \
2637 "$P_SRV debug_level=3 force_version=ssl3" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2638 "$P_CLI debug_level=3 min_version=ssl3" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2639 0 \
2640 -c "client hello, adding extended_master_secret extension" \
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]2641 -S "found extended master secret extension" \
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2642 -S "server hello, adding extended master secret extension" \
2643 -C "found extended_master_secret extension" \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]2644 -C "session hash for extended master secret" \
2645 -S "session hash for extended master secret"
Manuel Pégourié-Gonnardb575b542014-10-24 15:12:31 +0200[diff] [blame]2646
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2647# Tests for FALLBACK_SCSV
2648
2649run_test "Fallback SCSV: default" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2650 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2651 "$P_CLI debug_level=3 force_version=tls1_1" \
2652 0 \
2653 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2654 -S "received FALLBACK_SCSV" \
2655 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2656 -C "is a fatal alert message (msg 86)"
2657
2658run_test "Fallback SCSV: explicitly disabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2659 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2660 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2661 0 \
2662 -C "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2663 -S "received FALLBACK_SCSV" \
2664 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2665 -C "is a fatal alert message (msg 86)"
2666
2667run_test "Fallback SCSV: enabled" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2668 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2669 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2670 1 \
2671 -c "adding FALLBACK_SCSV" \
2672 -s "received FALLBACK_SCSV" \
2673 -s "inapropriate fallback" \
2674 -c "is a fatal alert message (msg 86)"
2675
2676run_test "Fallback SCSV: enabled, max version" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2677 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2678 "$P_CLI debug_level=3 fallback=1" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2679 0 \
2680 -c "adding FALLBACK_SCSV" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2681 -s "received FALLBACK_SCSV" \
2682 -S "inapropriate fallback" \
Manuel Pégourié-Gonnard1cbd39d2014-10-20 13:34:59 +0200[diff] [blame]2683 -C "is a fatal alert message (msg 86)"
2684
2685requires_openssl_with_fallback_scsv
2686run_test "Fallback SCSV: default, openssl server" \
2687 "$O_SRV" \
2688 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
2689 0 \
2690 -C "adding FALLBACK_SCSV" \
2691 -C "is a fatal alert message (msg 86)"
2692
2693requires_openssl_with_fallback_scsv
2694run_test "Fallback SCSV: enabled, openssl server" \
2695 "$O_SRV" \
2696 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
2697 1 \
2698 -c "adding FALLBACK_SCSV" \
2699 -c "is a fatal alert message (msg 86)"
2700
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2701requires_openssl_with_fallback_scsv
2702run_test "Fallback SCSV: disabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2703 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2704 "$O_CLI -tls1_1" \
2705 0 \
2706 -S "received FALLBACK_SCSV" \
2707 -S "inapropriate fallback"
2708
2709requires_openssl_with_fallback_scsv
2710run_test "Fallback SCSV: enabled, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2711 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2712 "$O_CLI -tls1_1 -fallback_scsv" \
2713 1 \
2714 -s "received FALLBACK_SCSV" \
2715 -s "inapropriate fallback"
2716
2717requires_openssl_with_fallback_scsv
2718run_test "Fallback SCSV: enabled, max version, openssl client" \
Manuel Pégourié-Gonnard4268ae02015-08-04 12:44:10 +0200[diff] [blame]2719 "$P_SRV debug_level=2" \
Manuel Pégourié-Gonnard01b26992014-10-20 14:05:28 +0200[diff] [blame]2720 "$O_CLI -fallback_scsv" \
2721 0 \
2722 -s "received FALLBACK_SCSV" \
2723 -S "inapropriate fallback"
2724
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2725# Test sending and receiving empty application data records
2726
2727run_test "Encrypt then MAC: empty application data record" \
2728 "$P_SRV auth_mode=none debug_level=4 etm=1" \
2729 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
2730 0 \
2731 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2732 -s "dumping 'input payload after decrypt' (0 bytes)" \
2733 -c "0 bytes written in 1 fragments"
2734
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]2735run_test "Encrypt then MAC: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2736 "$P_SRV auth_mode=none debug_level=4 etm=0" \
2737 "$P_CLI auth_mode=none etm=0 request_size=0" \
2738 0 \
2739 -s "dumping 'input payload after decrypt' (0 bytes)" \
2740 -c "0 bytes written in 1 fragments"
2741
2742run_test "Encrypt then MAC, DTLS: empty application data record" \
2743 "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
2744 "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
2745 0 \
2746 -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
2747 -s "dumping 'input payload after decrypt' (0 bytes)" \
2748 -c "0 bytes written in 1 fragments"
2749
Manuel Pégourié-Gonnard9e2c80f2020-03-24 10:53:39 +0100[diff] [blame]2750run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
Andres Amaya Garcia4c761fa2018-07-10 20:08:04 +0100[diff] [blame]2751 "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
2752 "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
2753 0 \
2754 -s "dumping 'input payload after decrypt' (0 bytes)" \
2755 -c "0 bytes written in 1 fragments"
2756
Gilles Peskined50177f2017-05-16 17:53:03 +0200[diff] [blame]2757## ClientHello generated with
2758## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
2759## then manually twiddling the ciphersuite list.
2760## The ClientHello content is spelled out below as a hex string as
2761## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
2762## The expected response is an inappropriate_fallback alert.
2763requires_openssl_with_fallback_scsv
2764run_test "Fallback SCSV: beginning of list" \
2765 "$P_SRV debug_level=2" \
2766 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
2767 0 \
2768 -s "received FALLBACK_SCSV" \
2769 -s "inapropriate fallback"
2770
2771requires_openssl_with_fallback_scsv
2772run_test "Fallback SCSV: end of list" \
2773 "$P_SRV debug_level=2" \
2774 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
2775 0 \
2776 -s "received FALLBACK_SCSV" \
2777 -s "inapropriate fallback"
2778
2779## Here the expected response is a valid ServerHello prefix, up to the random.
2780requires_openssl_with_fallback_scsv
2781run_test "Fallback SCSV: not in list" \
2782 "$P_SRV debug_level=2" \
2783 "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
2784 0 \
2785 -S "received FALLBACK_SCSV" \
2786 -S "inapropriate fallback"
2787
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2788# Tests for CBC 1/n-1 record splitting
2789
2790run_test "CBC Record splitting: TLS 1.2, no splitting" \
2791 "$P_SRV" \
2792 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2793 request_size=123 force_version=tls1_2" \
2794 0 \
2795 -s "Read from client: 123 bytes read" \
2796 -S "Read from client: 1 bytes read" \
2797 -S "122 bytes read"
2798
2799run_test "CBC Record splitting: TLS 1.1, no splitting" \
2800 "$P_SRV" \
2801 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2802 request_size=123 force_version=tls1_1" \
2803 0 \
2804 -s "Read from client: 123 bytes read" \
2805 -S "Read from client: 1 bytes read" \
2806 -S "122 bytes read"
2807
2808run_test "CBC Record splitting: TLS 1.0, splitting" \
2809 "$P_SRV" \
2810 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2811 request_size=123 force_version=tls1" \
2812 0 \
2813 -S "Read from client: 123 bytes read" \
2814 -s "Read from client: 1 bytes read" \
2815 -s "122 bytes read"
2816
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]2817requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2818run_test "CBC Record splitting: SSLv3, splitting" \
Manuel Pégourié-Gonnard51d81662015-01-14 17:20:46 +0100[diff] [blame]2819 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2820 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2821 request_size=123 force_version=ssl3" \
2822 0 \
2823 -S "Read from client: 123 bytes read" \
2824 -s "Read from client: 1 bytes read" \
2825 -s "122 bytes read"
2826
2827run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]2828 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard3ff78232015-01-08 11:15:09 +0100[diff] [blame]2829 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
2830 request_size=123 force_version=tls1" \
2831 0 \
2832 -s "Read from client: 123 bytes read" \
2833 -S "Read from client: 1 bytes read" \
2834 -S "122 bytes read"
2835
2836run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
2837 "$P_SRV" \
2838 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2839 request_size=123 force_version=tls1 recsplit=0" \
2840 0 \
2841 -s "Read from client: 123 bytes read" \
2842 -S "Read from client: 1 bytes read" \
2843 -S "122 bytes read"
2844
Manuel Pégourié-Gonnarda852cf42015-01-13 20:56:15 +0100[diff] [blame]2845run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
2846 "$P_SRV nbio=2" \
2847 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
2848 request_size=123 force_version=tls1" \
2849 0 \
2850 -S "Read from client: 123 bytes read" \
2851 -s "Read from client: 1 bytes read" \
2852 -s "122 bytes read"
2853
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]2854# Tests for Session Tickets
2855
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2856run_test "Session resume using tickets: basic" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2857 "$P_SRV debug_level=3 tickets=1" \
2858 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2859 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]2860 -c "client hello, adding session ticket extension" \
2861 -s "found session ticket extension" \
2862 -s "server hello, adding session ticket extension" \
2863 -c "found session_ticket extension" \
2864 -c "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]2865 -S "session successfully restored from cache" \
2866 -s "session successfully restored from ticket" \
2867 -s "a session has been resumed" \
2868 -c "a session has been resumed"
2869
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2870run_test "Session resume using tickets: cache disabled" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2871 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2872 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2873 0 \
2874 -c "client hello, adding session ticket extension" \
2875 -s "found session ticket extension" \
2876 -s "server hello, adding session ticket extension" \
2877 -c "found session_ticket extension" \
2878 -c "parse new session ticket" \
2879 -S "session successfully restored from cache" \
2880 -s "session successfully restored from ticket" \
2881 -s "a session has been resumed" \
2882 -c "a session has been resumed"
2883
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2884run_test "Session resume using tickets: timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2885 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
2886 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnarddbe1ee12014-02-21 09:18:13 +0100[diff] [blame]2887 0 \
2888 -c "client hello, adding session ticket extension" \
2889 -s "found session ticket extension" \
2890 -s "server hello, adding session ticket extension" \
2891 -c "found session_ticket extension" \
2892 -c "parse new session ticket" \
2893 -S "session successfully restored from cache" \
2894 -S "session successfully restored from ticket" \
2895 -S "a session has been resumed" \
2896 -C "a session has been resumed"
2897
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2898run_test "Session resume using tickets: session copy" \
2899 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
2900 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_mode=0" \
2901 0 \
2902 -c "client hello, adding session ticket extension" \
2903 -s "found session ticket extension" \
2904 -s "server hello, adding session ticket extension" \
2905 -c "found session_ticket extension" \
2906 -c "parse new session ticket" \
2907 -S "session successfully restored from cache" \
2908 -s "session successfully restored from ticket" \
2909 -s "a session has been resumed" \
2910 -c "a session has been resumed"
2911
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2912run_test "Session resume using tickets: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]2913 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2914 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2915 0 \
2916 -c "client hello, adding session ticket extension" \
2917 -c "found session_ticket extension" \
2918 -c "parse new session ticket" \
2919 -c "a session has been resumed"
2920
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]2921run_test "Session resume using tickets: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]2922 "$P_SRV debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]2923 "( $O_CLI -sess_out $SESSION; \
2924 $O_CLI -sess_in $SESSION; \
2925 rm -f $SESSION )" \
Manuel Pégourié-Gonnardfccd3252014-02-25 17:14:15 +0100[diff] [blame]2926 0 \
2927 -s "found session ticket extension" \
2928 -s "server hello, adding session ticket extension" \
2929 -S "session successfully restored from cache" \
2930 -s "session successfully restored from ticket" \
2931 -s "a session has been resumed"
2932
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2933# Tests for Session Tickets with DTLS
2934
2935run_test "Session resume using tickets, DTLS: basic" \
2936 "$P_SRV debug_level=3 dtls=1 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2937 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2938 0 \
2939 -c "client hello, adding session ticket extension" \
2940 -s "found session ticket extension" \
2941 -s "server hello, adding session ticket extension" \
2942 -c "found session_ticket extension" \
2943 -c "parse new session ticket" \
2944 -S "session successfully restored from cache" \
2945 -s "session successfully restored from ticket" \
2946 -s "a session has been resumed" \
2947 -c "a session has been resumed"
2948
2949run_test "Session resume using tickets, DTLS: cache disabled" \
2950 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2951 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2952 0 \
2953 -c "client hello, adding session ticket extension" \
2954 -s "found session ticket extension" \
2955 -s "server hello, adding session ticket extension" \
2956 -c "found session_ticket extension" \
2957 -c "parse new session ticket" \
2958 -S "session successfully restored from cache" \
2959 -s "session successfully restored from ticket" \
2960 -s "a session has been resumed" \
2961 -c "a session has been resumed"
2962
2963run_test "Session resume using tickets, DTLS: timeout" \
2964 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2965 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2966 0 \
2967 -c "client hello, adding session ticket extension" \
2968 -s "found session ticket extension" \
2969 -s "server hello, adding session ticket extension" \
2970 -c "found session_ticket extension" \
2971 -c "parse new session ticket" \
2972 -S "session successfully restored from cache" \
2973 -S "session successfully restored from ticket" \
2974 -S "a session has been resumed" \
2975 -C "a session has been resumed"
2976
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2977run_test "Session resume using tickets, DTLS: session copy" \
2978 "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]2979 "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]2980 0 \
2981 -c "client hello, adding session ticket extension" \
2982 -s "found session ticket extension" \
2983 -s "server hello, adding session ticket extension" \
2984 -c "found session_ticket extension" \
2985 -c "parse new session ticket" \
2986 -S "session successfully restored from cache" \
2987 -s "session successfully restored from ticket" \
2988 -s "a session has been resumed" \
2989 -c "a session has been resumed"
2990
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]2991run_test "Session resume using tickets, DTLS: openssl server" \
2992 "$O_SRV -dtls1" \
2993 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
2994 0 \
2995 -c "client hello, adding session ticket extension" \
2996 -c "found session_ticket extension" \
2997 -c "parse new session ticket" \
2998 -c "a session has been resumed"
2999
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3000# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott7ca2f392021-10-13 16:13:44 +0100[diff] [blame]3001# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3002requires_openssl_next
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3003run_test "Session resume using tickets, DTLS: openssl client" \
3004 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3005 "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
3006 $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3007 rm -f $SESSION )" \
3008 0 \
3009 -s "found session ticket extension" \
3010 -s "server hello, adding session ticket extension" \
3011 -S "session successfully restored from cache" \
3012 -s "session successfully restored from ticket" \
3013 -s "a session has been resumed"
3014
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3015# Tests for Session Resume based on session-ID and cache
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3016
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3017run_test "Session resume using cache: tickets enabled on client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3018 "$P_SRV debug_level=3 tickets=0" \
3019 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3020 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3021 -c "client hello, adding session ticket extension" \
3022 -s "found session ticket extension" \
3023 -S "server hello, adding session ticket extension" \
3024 -C "found session_ticket extension" \
3025 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3026 -s "session successfully restored from cache" \
3027 -S "session successfully restored from ticket" \
3028 -s "a session has been resumed" \
3029 -c "a session has been resumed"
3030
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3031run_test "Session resume using cache: tickets enabled on server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3032 "$P_SRV debug_level=3 tickets=1" \
3033 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3034 0 \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3035 -C "client hello, adding session ticket extension" \
3036 -S "found session ticket extension" \
3037 -S "server hello, adding session ticket extension" \
3038 -C "found session_ticket extension" \
3039 -C "parse new session ticket" \
Manuel Pégourié-Gonnardf7c52012014-02-20 11:43:46 +0100[diff] [blame]3040 -s "session successfully restored from cache" \
3041 -S "session successfully restored from ticket" \
3042 -s "a session has been resumed" \
3043 -c "a session has been resumed"
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3044
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3045run_test "Session resume using cache: cache_max=0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3046 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
3047 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3048 0 \
3049 -S "session successfully restored from cache" \
3050 -S "session successfully restored from ticket" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3051 -S "a session has been resumed" \
3052 -C "a session has been resumed"
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3053
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3054run_test "Session resume using cache: cache_max=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3055 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
3056 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3057 0 \
3058 -s "session successfully restored from cache" \
3059 -S "session successfully restored from ticket" \
3060 -s "a session has been resumed" \
3061 -c "a session has been resumed"
3062
Manuel Pégourié-Gonnard6df31962015-05-04 10:55:47 +0200[diff] [blame]3063run_test "Session resume using cache: timeout > delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3064 "$P_SRV debug_level=3 tickets=0" \
3065 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3066 0 \
3067 -s "session successfully restored from cache" \
3068 -S "session successfully restored from ticket" \
3069 -s "a session has been resumed" \
3070 -c "a session has been resumed"
3071
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3072run_test "Session resume using cache: timeout < delay" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3073 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
3074 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnardc55a5b72014-02-20 22:50:56 +0100[diff] [blame]3075 0 \
3076 -S "session successfully restored from cache" \
3077 -S "session successfully restored from ticket" \
3078 -S "a session has been resumed" \
3079 -C "a session has been resumed"
3080
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3081run_test "Session resume using cache: no timeout" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3082 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
3083 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
Manuel Pégourié-Gonnard4c883452014-02-20 21:32:41 +0100[diff] [blame]3084 0 \
3085 -s "session successfully restored from cache" \
3086 -S "session successfully restored from ticket" \
3087 -s "a session has been resumed" \
3088 -c "a session has been resumed"
3089
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3090run_test "Session resume using cache: session copy" \
3091 "$P_SRV debug_level=3 tickets=0" \
3092 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \
3093 0 \
3094 -s "session successfully restored from cache" \
3095 -S "session successfully restored from ticket" \
3096 -s "a session has been resumed" \
3097 -c "a session has been resumed"
3098
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3099run_test "Session resume using cache: openssl client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3100 "$P_SRV debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardbc3b16c2014-05-28 23:06:50 +0200[diff] [blame]3101 "( $O_CLI -sess_out $SESSION; \
3102 $O_CLI -sess_in $SESSION; \
3103 rm -f $SESSION )" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3104 0 \
3105 -s "found session ticket extension" \
3106 -S "server hello, adding session ticket extension" \
3107 -s "session successfully restored from cache" \
3108 -S "session successfully restored from ticket" \
3109 -s "a session has been resumed"
3110
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3111run_test "Session resume using cache: openssl server" \
Manuel Pégourié-Gonnardf7a26902014-02-27 12:25:54 +0100[diff] [blame]3112 "$O_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3113 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
Manuel Pégourié-Gonnarddb735f62014-02-25 17:57:59 +0100[diff] [blame]3114 0 \
3115 -C "found session_ticket extension" \
3116 -C "parse new session ticket" \
3117 -c "a session has been resumed"
3118
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3119# Tests for Session Resume based on session-ID and cache, DTLS
3120
3121run_test "Session resume using cache, DTLS: tickets enabled on client" \
3122 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3123 "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3124 0 \
3125 -c "client hello, adding session ticket extension" \
3126 -s "found session ticket extension" \
3127 -S "server hello, adding session ticket extension" \
3128 -C "found session_ticket extension" \
3129 -C "parse new session ticket" \
3130 -s "session successfully restored from cache" \
3131 -S "session successfully restored from ticket" \
3132 -s "a session has been resumed" \
3133 -c "a session has been resumed"
3134
3135run_test "Session resume using cache, DTLS: tickets enabled on server" \
3136 "$P_SRV dtls=1 debug_level=3 tickets=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3137 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3138 0 \
3139 -C "client hello, adding session ticket extension" \
3140 -S "found session ticket extension" \
3141 -S "server hello, adding session ticket extension" \
3142 -C "found session_ticket extension" \
3143 -C "parse new session ticket" \
3144 -s "session successfully restored from cache" \
3145 -S "session successfully restored from ticket" \
3146 -s "a session has been resumed" \
3147 -c "a session has been resumed"
3148
3149run_test "Session resume using cache, DTLS: cache_max=0" \
3150 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3151 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3152 0 \
3153 -S "session successfully restored from cache" \
3154 -S "session successfully restored from ticket" \
3155 -S "a session has been resumed" \
3156 -C "a session has been resumed"
3157
3158run_test "Session resume using cache, DTLS: cache_max=1" \
3159 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3160 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3161 0 \
3162 -s "session successfully restored from cache" \
3163 -S "session successfully restored from ticket" \
3164 -s "a session has been resumed" \
3165 -c "a session has been resumed"
3166
3167run_test "Session resume using cache, DTLS: timeout > delay" \
3168 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3169 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3170 0 \
3171 -s "session successfully restored from cache" \
3172 -S "session successfully restored from ticket" \
3173 -s "a session has been resumed" \
3174 -c "a session has been resumed"
3175
3176run_test "Session resume using cache, DTLS: timeout < delay" \
3177 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3178 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3179 0 \
3180 -S "session successfully restored from cache" \
3181 -S "session successfully restored from ticket" \
3182 -S "a session has been resumed" \
3183 -C "a session has been resumed"
3184
3185run_test "Session resume using cache, DTLS: no timeout" \
3186 "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3187 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3188 0 \
3189 -s "session successfully restored from cache" \
3190 -S "session successfully restored from ticket" \
3191 -s "a session has been resumed" \
3192 -c "a session has been resumed"
3193
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3194run_test "Session resume using cache, DTLS: session copy" \
3195 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]3196 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_mode=0" \
Manuel Pégourié-Gonnarda7c37652019-05-20 12:46:26 +0200[diff] [blame]3197 0 \
3198 -s "session successfully restored from cache" \
3199 -S "session successfully restored from ticket" \
3200 -s "a session has been resumed" \
3201 -c "a session has been resumed"
3202
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3203# For reasons that aren't fully understood, this test randomly fails with high
Paul Elliott7ca2f392021-10-13 16:13:44 +0100[diff] [blame]3204# probability with OpenSSL 1.0.2g on the CI, see #5012.
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3205requires_openssl_next
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3206run_test "Session resume using cache, DTLS: openssl client" \
3207 "$P_SRV dtls=1 debug_level=3 tickets=0" \
Manuel Pégourié-Gonnardd76c47d2021-10-13 13:12:47 +0200[diff] [blame]3208 "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \
3209 $O_NEXT_CLI -dtls1 -sess_in $SESSION; \
Hanno Becker1d739932018-08-21 13:55:22 +0100[diff] [blame]3210 rm -f $SESSION )" \
3211 0 \
3212 -s "found session ticket extension" \
3213 -S "server hello, adding session ticket extension" \
3214 -s "session successfully restored from cache" \
3215 -S "session successfully restored from ticket" \
3216 -s "a session has been resumed"
3217
3218run_test "Session resume using cache, DTLS: openssl server" \
3219 "$O_SRV -dtls1" \
3220 "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
3221 0 \
3222 -C "found session_ticket extension" \
3223 -C "parse new session ticket" \
3224 -c "a session has been resumed"
3225
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3226# Tests for Max Fragment Length extension
3227
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3228requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3229run_test "Max fragment length: enabled, default" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3230 "$P_SRV debug_level=3" \
3231 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3232 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3233 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3234 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3235 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3236 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3237 -C "client hello, adding max_fragment_length extension" \
3238 -S "found max fragment length extension" \
3239 -S "server hello, max_fragment_length extension" \
3240 -C "found max_fragment_length extension"
3241
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3242requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3243run_test "Max fragment length: enabled, default, larger message" \
3244 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3245 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3246 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3247 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3248 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3249 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3250 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3251 -C "client hello, adding max_fragment_length extension" \
3252 -S "found max fragment length extension" \
3253 -S "server hello, max_fragment_length extension" \
3254 -C "found max_fragment_length extension" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3255 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3256 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3257 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3258
3259requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3260run_test "Max fragment length, DTLS: enabled, default, larger message" \
3261 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3262 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3263 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3264 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3265 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3266 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3267 -s "Maximum output fragment length is $MAX_CONTENT_LEN" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3268 -C "client hello, adding max_fragment_length extension" \
3269 -S "found max fragment length extension" \
3270 -S "server hello, max_fragment_length extension" \
3271 -C "found max_fragment_length extension" \
3272 -c "fragment larger than.*maximum "
3273
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3274# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled
3275# (session fragment length will be 16384 regardless of mbedtls
3276# content length configuration.)
3277
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3278requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3279run_test "Max fragment length: disabled, larger message" \
3280 "$P_SRV debug_level=3" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3281 "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3282 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3283 -C "Maximum input fragment length is 16384" \
3284 -C "Maximum output fragment length is 16384" \
3285 -S "Maximum input fragment length is 16384" \
3286 -S "Maximum output fragment length is 16384" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3287 -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \
3288 -s "$MAX_CONTENT_LEN bytes read" \
Hanno Becker9cfabe32017-10-18 14:42:01 +0100[diff] [blame]3289 -s "1 bytes read"
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3290
3291requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takano18ddccc2021-06-21 19:43:33 +0100[diff] [blame]3292run_test "Max fragment length, DTLS: disabled, larger message" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3293 "$P_SRV debug_level=3 dtls=1" \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]3294 "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3295 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3296 -C "Maximum input fragment length is 16384" \
3297 -C "Maximum output fragment length is 16384" \
3298 -S "Maximum input fragment length is 16384" \
3299 -S "Maximum output fragment length is 16384" \
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3300 -c "fragment larger than.*maximum "
3301
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3302requires_max_content_len 4096
Hanno Beckerc5266962017-09-18 15:01:50 +0100[diff] [blame]3303requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3304run_test "Max fragment length: used by client" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3305 "$P_SRV debug_level=3" \
3306 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3307 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3308 -c "Maximum input fragment length is 4096" \
3309 -c "Maximum output fragment length is 4096" \
3310 -s "Maximum input fragment length is 4096" \
3311 -s "Maximum output fragment length is 4096" \
3312 -c "client hello, adding max_fragment_length extension" \
3313 -s "found max fragment length extension" \
3314 -s "server hello, max_fragment_length extension" \
3315 -c "found max_fragment_length extension"
3316
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3317requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3318requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3319run_test "Max fragment length: client 512, server 1024" \
3320 "$P_SRV debug_level=3 max_frag_len=1024" \
3321 "$P_CLI debug_level=3 max_frag_len=512" \
3322 0 \
3323 -c "Maximum input fragment length is 512" \
3324 -c "Maximum output fragment length is 512" \
3325 -s "Maximum input fragment length is 512" \
3326 -s "Maximum output fragment length is 512" \
3327 -c "client hello, adding max_fragment_length extension" \
3328 -s "found max fragment length extension" \
3329 -s "server hello, max_fragment_length extension" \
3330 -c "found max_fragment_length extension"
3331
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3332requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3333requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3334run_test "Max fragment length: client 512, server 2048" \
3335 "$P_SRV debug_level=3 max_frag_len=2048" \
3336 "$P_CLI debug_level=3 max_frag_len=512" \
3337 0 \
3338 -c "Maximum input fragment length is 512" \
3339 -c "Maximum output fragment length is 512" \
3340 -s "Maximum input fragment length is 512" \
3341 -s "Maximum output fragment length is 512" \
3342 -c "client hello, adding max_fragment_length extension" \
3343 -s "found max fragment length extension" \
3344 -s "server hello, max_fragment_length extension" \
3345 -c "found max_fragment_length extension"
3346
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3347requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3348requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3349run_test "Max fragment length: client 512, server 4096" \
3350 "$P_SRV debug_level=3 max_frag_len=4096" \
3351 "$P_CLI debug_level=3 max_frag_len=512" \
3352 0 \
3353 -c "Maximum input fragment length is 512" \
3354 -c "Maximum output fragment length is 512" \
3355 -s "Maximum input fragment length is 512" \
3356 -s "Maximum output fragment length is 512" \
3357 -c "client hello, adding max_fragment_length extension" \
3358 -s "found max fragment length extension" \
3359 -s "server hello, max_fragment_length extension" \
3360 -c "found max_fragment_length extension"
3361
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3362requires_max_content_len 1024
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3363requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3364run_test "Max fragment length: client 1024, server 512" \
3365 "$P_SRV debug_level=3 max_frag_len=512" \
3366 "$P_CLI debug_level=3 max_frag_len=1024" \
3367 0 \
3368 -c "Maximum input fragment length is 1024" \
3369 -c "Maximum output fragment length is 1024" \
3370 -s "Maximum input fragment length is 1024" \
3371 -s "Maximum output fragment length is 512" \
3372 -c "client hello, adding max_fragment_length extension" \
3373 -s "found max fragment length extension" \
3374 -s "server hello, max_fragment_length extension" \
3375 -c "found max_fragment_length extension"
3376
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3377requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3378requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3379run_test "Max fragment length: client 1024, server 2048" \
3380 "$P_SRV debug_level=3 max_frag_len=2048" \
3381 "$P_CLI debug_level=3 max_frag_len=1024" \
3382 0 \
3383 -c "Maximum input fragment length is 1024" \
3384 -c "Maximum output fragment length is 1024" \
3385 -s "Maximum input fragment length is 1024" \
3386 -s "Maximum output fragment length is 1024" \
3387 -c "client hello, adding max_fragment_length extension" \
3388 -s "found max fragment length extension" \
3389 -s "server hello, max_fragment_length extension" \
3390 -c "found max_fragment_length extension"
3391
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3392requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3393requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3394run_test "Max fragment length: client 1024, server 4096" \
3395 "$P_SRV debug_level=3 max_frag_len=4096" \
3396 "$P_CLI debug_level=3 max_frag_len=1024" \
3397 0 \
3398 -c "Maximum input fragment length is 1024" \
3399 -c "Maximum output fragment length is 1024" \
3400 -s "Maximum input fragment length is 1024" \
3401 -s "Maximum output fragment length is 1024" \
3402 -c "client hello, adding max_fragment_length extension" \
3403 -s "found max fragment length extension" \
3404 -s "server hello, max_fragment_length extension" \
3405 -c "found max_fragment_length extension"
3406
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3407requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3408requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3409run_test "Max fragment length: client 2048, server 512" \
3410 "$P_SRV debug_level=3 max_frag_len=512" \
3411 "$P_CLI debug_level=3 max_frag_len=2048" \
3412 0 \
3413 -c "Maximum input fragment length is 2048" \
3414 -c "Maximum output fragment length is 2048" \
3415 -s "Maximum input fragment length is 2048" \
3416 -s "Maximum output fragment length is 512" \
3417 -c "client hello, adding max_fragment_length extension" \
3418 -s "found max fragment length extension" \
3419 -s "server hello, max_fragment_length extension" \
3420 -c "found max_fragment_length extension"
3421
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3422requires_max_content_len 2048
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3423requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3424run_test "Max fragment length: client 2048, server 1024" \
3425 "$P_SRV debug_level=3 max_frag_len=1024" \
3426 "$P_CLI debug_level=3 max_frag_len=2048" \
3427 0 \
3428 -c "Maximum input fragment length is 2048" \
3429 -c "Maximum output fragment length is 2048" \
3430 -s "Maximum input fragment length is 2048" \
3431 -s "Maximum output fragment length is 1024" \
3432 -c "client hello, adding max_fragment_length extension" \
3433 -s "found max fragment length extension" \
3434 -s "server hello, max_fragment_length extension" \
3435 -c "found max_fragment_length extension"
3436
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3437requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3438requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3439run_test "Max fragment length: client 2048, server 4096" \
3440 "$P_SRV debug_level=3 max_frag_len=4096" \
3441 "$P_CLI debug_level=3 max_frag_len=2048" \
3442 0 \
3443 -c "Maximum input fragment length is 2048" \
3444 -c "Maximum output fragment length is 2048" \
3445 -s "Maximum input fragment length is 2048" \
3446 -s "Maximum output fragment length is 2048" \
3447 -c "client hello, adding max_fragment_length extension" \
3448 -s "found max fragment length extension" \
3449 -s "server hello, max_fragment_length extension" \
3450 -c "found max_fragment_length extension"
3451
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3452requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3453requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3454run_test "Max fragment length: client 4096, server 512" \
3455 "$P_SRV debug_level=3 max_frag_len=512" \
3456 "$P_CLI debug_level=3 max_frag_len=4096" \
3457 0 \
3458 -c "Maximum input fragment length is 4096" \
3459 -c "Maximum output fragment length is 4096" \
3460 -s "Maximum input fragment length is 4096" \
3461 -s "Maximum output fragment length is 512" \
3462 -c "client hello, adding max_fragment_length extension" \
3463 -s "found max fragment length extension" \
3464 -s "server hello, max_fragment_length extension" \
3465 -c "found max_fragment_length extension"
3466
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3467requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3468requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3469run_test "Max fragment length: client 4096, server 1024" \
3470 "$P_SRV debug_level=3 max_frag_len=1024" \
3471 "$P_CLI debug_level=3 max_frag_len=4096" \
3472 0 \
3473 -c "Maximum input fragment length is 4096" \
3474 -c "Maximum output fragment length is 4096" \
3475 -s "Maximum input fragment length is 4096" \
3476 -s "Maximum output fragment length is 1024" \
3477 -c "client hello, adding max_fragment_length extension" \
3478 -s "found max fragment length extension" \
3479 -s "server hello, max_fragment_length extension" \
3480 -c "found max_fragment_length extension"
3481
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3482requires_max_content_len 4096
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3483requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
3484run_test "Max fragment length: client 4096, server 2048" \
3485 "$P_SRV debug_level=3 max_frag_len=2048" \
3486 "$P_CLI debug_level=3 max_frag_len=4096" \
3487 0 \
3488 -c "Maximum input fragment length is 4096" \
3489 -c "Maximum output fragment length is 4096" \
3490 -s "Maximum input fragment length is 4096" \
3491 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3492 -c "client hello, adding max_fragment_length extension" \
3493 -s "found max fragment length extension" \
3494 -s "server hello, max_fragment_length extension" \
3495 -c "found max_fragment_length extension"
3496
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3497requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3498requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3499run_test "Max fragment length: used by server" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3500 "$P_SRV debug_level=3 max_frag_len=4096" \
3501 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3502 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3503 -c "Maximum input fragment length is $MAX_CONTENT_LEN" \
3504 -c "Maximum output fragment length is $MAX_CONTENT_LEN" \
3505 -s "Maximum input fragment length is $MAX_CONTENT_LEN" \
3506 -s "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardde143782014-02-20 14:50:42 +0100[diff] [blame]3507 -C "client hello, adding max_fragment_length extension" \
3508 -S "found max fragment length extension" \
3509 -S "server hello, max_fragment_length extension" \
3510 -C "found max_fragment_length extension"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3511
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3512requires_max_content_len 4096
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3513requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3514requires_gnutls
3515run_test "Max fragment length: gnutls server" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3516 "$G_SRV" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3517 "$P_CLI debug_level=3 max_frag_len=4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3518 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3519 -c "Maximum input fragment length is 4096" \
3520 -c "Maximum output fragment length is 4096" \
Manuel Pégourié-Gonnardbaa7f072014-08-20 20:15:53 +0200[diff] [blame]3521 -c "client hello, adding max_fragment_length extension" \
3522 -c "found max_fragment_length extension"
3523
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3524requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3525requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3526run_test "Max fragment length: client, message just fits" \
3527 "$P_SRV debug_level=3" \
3528 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
3529 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3530 -c "Maximum input fragment length is 2048" \
3531 -c "Maximum output fragment length is 2048" \
3532 -s "Maximum input fragment length is 2048" \
3533 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3534 -c "client hello, adding max_fragment_length extension" \
3535 -s "found max fragment length extension" \
3536 -s "server hello, max_fragment_length extension" \
3537 -c "found max_fragment_length extension" \
3538 -c "2048 bytes written in 1 fragments" \
3539 -s "2048 bytes read"
3540
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3541requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3542requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3543run_test "Max fragment length: client, larger message" \
3544 "$P_SRV debug_level=3" \
3545 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
3546 0 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3547 -c "Maximum input fragment length is 2048" \
3548 -c "Maximum output fragment length is 2048" \
3549 -s "Maximum input fragment length is 2048" \
3550 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3551 -c "client hello, adding max_fragment_length extension" \
3552 -s "found max fragment length extension" \
3553 -s "server hello, max_fragment_length extension" \
3554 -c "found max_fragment_length extension" \
3555 -c "2345 bytes written in 2 fragments" \
3556 -s "2048 bytes read" \
3557 -s "297 bytes read"
3558
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3559requires_max_content_len 2048
Hanno Becker4aed27e2017-09-18 15:00:34 +0100[diff] [blame]3560requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Manuel Pégourié-Gonnard23eb74d2015-01-21 14:37:13 +0000[diff] [blame]3561run_test "Max fragment length: DTLS client, larger message" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3562 "$P_SRV debug_level=3 dtls=1" \
3563 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
3564 1 \
Andrzej Kurek90c6e842020-04-03 05:25:29 -0400[diff] [blame]3565 -c "Maximum input fragment length is 2048" \
3566 -c "Maximum output fragment length is 2048" \
3567 -s "Maximum input fragment length is 2048" \
3568 -s "Maximum output fragment length is 2048" \
Manuel Pégourié-Gonnard37e08e12014-10-13 17:55:52 +0200[diff] [blame]3569 -c "client hello, adding max_fragment_length extension" \
3570 -s "found max fragment length extension" \
3571 -s "server hello, max_fragment_length extension" \
3572 -c "found max_fragment_length extension" \
3573 -c "fragment larger than.*maximum"
3574
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3575# Tests for renegotiation
3576
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3577# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3578run_test "Renegotiation: none, for reference" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3579 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3580 "$P_CLI debug_level=3 exchanges=2" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3581 0 \
3582 -C "client hello, adding renegotiation extension" \
3583 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3584 -S "found renegotiation extension" \
3585 -s "server hello, secure renegotiation extension" \
3586 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3587 -C "=> renegotiate" \
3588 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3589 -S "write hello request"
3590
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3591requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3592run_test "Renegotiation: client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3593 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3594 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3595 0 \
3596 -c "client hello, adding renegotiation extension" \
3597 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3598 -s "found renegotiation extension" \
3599 -s "server hello, secure renegotiation extension" \
3600 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3601 -c "=> renegotiate" \
3602 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3603 -S "write hello request"
3604
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3605requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3606run_test "Renegotiation: server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3607 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3608 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3609 0 \
3610 -c "client hello, adding renegotiation extension" \
3611 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3612 -s "found renegotiation extension" \
3613 -s "server hello, secure renegotiation extension" \
3614 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3615 -c "=> renegotiate" \
3616 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3617 -s "write hello request"
3618
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3619# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3620# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3621# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3622requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3623run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \
3624 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
3625 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
3626 0 \
3627 -c "client hello, adding renegotiation extension" \
3628 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3629 -s "found renegotiation extension" \
3630 -s "server hello, secure renegotiation extension" \
3631 -c "found renegotiation extension" \
3632 -c "=> renegotiate" \
3633 -s "=> renegotiate" \
3634 -S "write hello request" \
3635 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3636
3637# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that
3638# the server did not parse the Signature Algorithm extension. This test is valid only if an MD
3639# algorithm stronger than SHA-1 is enabled in config.h
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3640requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Janos Follathb0f148c2017-10-05 12:29:42 +0100[diff] [blame]3641run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \
3642 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
3643 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3644 0 \
3645 -c "client hello, adding renegotiation extension" \
3646 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3647 -s "found renegotiation extension" \
3648 -s "server hello, secure renegotiation extension" \
3649 -c "found renegotiation extension" \
3650 -c "=> renegotiate" \
3651 -s "=> renegotiate" \
3652 -s "write hello request" \
3653 -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated?
3654
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3655requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3656run_test "Renegotiation: double" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3657 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3658 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3659 0 \
3660 -c "client hello, adding renegotiation extension" \
3661 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3662 -s "found renegotiation extension" \
3663 -s "server hello, secure renegotiation extension" \
3664 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3665 -c "=> renegotiate" \
3666 -s "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3667 -s "write hello request"
3668
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3669requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]3670requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanobec7cf72021-07-02 10:10:49 +0100[diff] [blame]3671requires_max_content_len 2048
Andrzej Kurek8ea68722020-04-03 06:40:47 -0400[diff] [blame]3672run_test "Renegotiation with max fragment length: client 2048, server 512" \
3673 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \
3674 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
3675 0 \
3676 -c "Maximum input fragment length is 2048" \
3677 -c "Maximum output fragment length is 2048" \
3678 -s "Maximum input fragment length is 2048" \
3679 -s "Maximum output fragment length is 512" \
3680 -c "client hello, adding max_fragment_length extension" \
3681 -s "found max fragment length extension" \
3682 -s "server hello, max_fragment_length extension" \
3683 -c "found max_fragment_length extension" \
3684 -c "client hello, adding renegotiation extension" \
3685 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3686 -s "found renegotiation extension" \
3687 -s "server hello, secure renegotiation extension" \
3688 -c "found renegotiation extension" \
3689 -c "=> renegotiate" \
3690 -s "=> renegotiate" \
3691 -s "write hello request"
3692
3693requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3694run_test "Renegotiation: client-initiated, server-rejected" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3695 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3696 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3697 1 \
3698 -c "client hello, adding renegotiation extension" \
3699 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3700 -S "found renegotiation extension" \
3701 -s "server hello, secure renegotiation extension" \
3702 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3703 -c "=> renegotiate" \
3704 -S "=> renegotiate" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3705 -S "write hello request" \
Manuel Pégourié-Gonnard65919622014-08-19 12:50:30 +0200[diff] [blame]3706 -c "SSL - Unexpected message at ServerHello in renegotiation" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3707 -c "failed"
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3708
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3709requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3710run_test "Renegotiation: server-initiated, client-rejected, default" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3711 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3712 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3713 0 \
3714 -C "client hello, adding renegotiation extension" \
3715 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3716 -S "found renegotiation extension" \
3717 -s "server hello, secure renegotiation extension" \
3718 -c "found renegotiation extension" \
Manuel Pégourié-Gonnardc73339f2014-02-26 16:35:27 +0100[diff] [blame]3719 -C "=> renegotiate" \
3720 -S "=> renegotiate" \
Manuel Pégourié-Gonnard780d6712014-02-20 17:19:59 +0100[diff] [blame]3721 -s "write hello request" \
Manuel Pégourié-Gonnarda9964db2014-07-03 19:29:16 +0200[diff] [blame]3722 -S "SSL - An unexpected message was received from our peer" \
3723 -S "failed"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]3724
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3726run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3727 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3728 renego_delay=-1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3729 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3730 0 \
3731 -C "client hello, adding renegotiation extension" \
3732 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3733 -S "found renegotiation extension" \
3734 -s "server hello, secure renegotiation extension" \
3735 -c "found renegotiation extension" \
3736 -C "=> renegotiate" \
3737 -S "=> renegotiate" \
3738 -s "write hello request" \
3739 -S "SSL - An unexpected message was received from our peer" \
3740 -S "failed"
3741
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3742# delay 2 for 1 alert record + 1 application data record
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3743requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3744run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3745 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3746 renego_delay=2 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3747 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3748 0 \
3749 -C "client hello, adding renegotiation extension" \
3750 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3751 -S "found renegotiation extension" \
3752 -s "server hello, secure renegotiation extension" \
3753 -c "found renegotiation extension" \
3754 -C "=> renegotiate" \
3755 -S "=> renegotiate" \
3756 -s "write hello request" \
3757 -S "SSL - An unexpected message was received from our peer" \
3758 -S "failed"
3759
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3760requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3761run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3762 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3763 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3764 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3765 0 \
3766 -C "client hello, adding renegotiation extension" \
3767 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3768 -S "found renegotiation extension" \
3769 -s "server hello, secure renegotiation extension" \
3770 -c "found renegotiation extension" \
3771 -C "=> renegotiate" \
3772 -S "=> renegotiate" \
3773 -s "write hello request" \
Manuel Pégourié-Gonnarda8c0a0d2014-08-15 12:07:38 +0200[diff] [blame]3774 -s "SSL - An unexpected message was received from our peer"
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3775
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3776requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3777run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3778 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3779 renego_delay=0 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3780 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardfae355e2014-07-04 14:32:27 +0200[diff] [blame]3781 0 \
3782 -c "client hello, adding renegotiation extension" \
3783 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3784 -s "found renegotiation extension" \
3785 -s "server hello, secure renegotiation extension" \
3786 -c "found renegotiation extension" \
3787 -c "=> renegotiate" \
3788 -s "=> renegotiate" \
3789 -s "write hello request" \
3790 -S "SSL - An unexpected message was received from our peer" \
3791 -S "failed"
3792
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3793requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3794run_test "Renegotiation: periodic, just below period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3795 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3796 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
3797 0 \
3798 -C "client hello, adding renegotiation extension" \
3799 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3800 -S "found renegotiation extension" \
3801 -s "server hello, secure renegotiation extension" \
3802 -c "found renegotiation extension" \
3803 -S "record counter limit reached: renegotiate" \
3804 -C "=> renegotiate" \
3805 -S "=> renegotiate" \
3806 -S "write hello request" \
3807 -S "SSL - An unexpected message was received from our peer" \
3808 -S "failed"
3809
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3810# one extra exchange to be able to complete renego
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3811requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3812run_test "Renegotiation: periodic, just above period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3813 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3814 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3815 0 \
3816 -c "client hello, adding renegotiation extension" \
3817 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3818 -s "found renegotiation extension" \
3819 -s "server hello, secure renegotiation extension" \
3820 -c "found renegotiation extension" \
3821 -s "record counter limit reached: renegotiate" \
3822 -c "=> renegotiate" \
3823 -s "=> renegotiate" \
3824 -s "write hello request" \
3825 -S "SSL - An unexpected message was received from our peer" \
3826 -S "failed"
3827
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3828requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3829run_test "Renegotiation: periodic, two times period" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3830 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard9835bc02015-01-14 14:41:58 +0100[diff] [blame]3831 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3832 0 \
3833 -c "client hello, adding renegotiation extension" \
3834 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3835 -s "found renegotiation extension" \
3836 -s "server hello, secure renegotiation extension" \
3837 -c "found renegotiation extension" \
3838 -s "record counter limit reached: renegotiate" \
3839 -c "=> renegotiate" \
3840 -s "=> renegotiate" \
3841 -s "write hello request" \
3842 -S "SSL - An unexpected message was received from our peer" \
3843 -S "failed"
3844
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3845requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3846run_test "Renegotiation: periodic, above period, disabled" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3847 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
Manuel Pégourié-Gonnard590f4162014-11-05 14:23:03 +0100[diff] [blame]3848 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
3849 0 \
3850 -C "client hello, adding renegotiation extension" \
3851 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3852 -S "found renegotiation extension" \
3853 -s "server hello, secure renegotiation extension" \
3854 -c "found renegotiation extension" \
3855 -S "record counter limit reached: renegotiate" \
3856 -C "=> renegotiate" \
3857 -S "=> renegotiate" \
3858 -S "write hello request" \
3859 -S "SSL - An unexpected message was received from our peer" \
3860 -S "failed"
3861
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3862requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3863run_test "Renegotiation: nbio, client-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3864 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3865 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3866 0 \
3867 -c "client hello, adding renegotiation extension" \
3868 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3869 -s "found renegotiation extension" \
3870 -s "server hello, secure renegotiation extension" \
3871 -c "found renegotiation extension" \
3872 -c "=> renegotiate" \
3873 -s "=> renegotiate" \
3874 -S "write hello request"
3875
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3876requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3877run_test "Renegotiation: nbio, server-initiated" \
Manuel Pégourié-Gonnardfa44f202015-03-27 17:52:25 +0100[diff] [blame]3878 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3879 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
Manuel Pégourié-Gonnardf07f4212014-08-15 19:04:47 +0200[diff] [blame]3880 0 \
3881 -c "client hello, adding renegotiation extension" \
3882 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3883 -s "found renegotiation extension" \
3884 -s "server hello, secure renegotiation extension" \
3885 -c "found renegotiation extension" \
3886 -c "=> renegotiate" \
3887 -s "=> renegotiate" \
3888 -s "write hello request"
3889
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3890requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]3891run_test "Renegotiation: openssl server, client-initiated" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]3892 "$O_SRV -www" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3893 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3894 0 \
3895 -c "client hello, adding renegotiation extension" \
3896 -c "found renegotiation extension" \
3897 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3898 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3899 -C "error" \
3900 -c "HTTP/1.0 200 [Oo][Kk]"
3901
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3902requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3903requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3904run_test "Renegotiation: gnutls server strict, client-initiated" \
3905 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]3906 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3907 0 \
3908 -c "client hello, adding renegotiation extension" \
3909 -c "found renegotiation extension" \
3910 -c "=> renegotiate" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3911 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard51362962014-08-30 21:22:47 +0200[diff] [blame]3912 -C "error" \
3913 -c "HTTP/1.0 200 [Oo][Kk]"
3914
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3915requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3916requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3917run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
3918 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3919 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
3920 1 \
3921 -c "client hello, adding renegotiation extension" \
3922 -C "found renegotiation extension" \
3923 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3924 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3925 -c "error" \
3926 -C "HTTP/1.0 200 [Oo][Kk]"
3927
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3928requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3929requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3930run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
3931 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3932 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
3933 allow_legacy=0" \
3934 1 \
3935 -c "client hello, adding renegotiation extension" \
3936 -C "found renegotiation extension" \
3937 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]3938 -c "mbedtls_ssl_handshake() returned" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3939 -c "error" \
3940 -C "HTTP/1.0 200 [Oo][Kk]"
3941
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]3942requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3943requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]3944run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
3945 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
3946 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
3947 allow_legacy=1" \
3948 0 \
3949 -c "client hello, adding renegotiation extension" \
3950 -C "found renegotiation extension" \
3951 -c "=> renegotiate" \
3952 -C "ssl_hanshake() returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]3953 -C "error" \
3954 -c "HTTP/1.0 200 [Oo][Kk]"
3955
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3956requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard30d16eb2014-08-19 17:43:50 +0200[diff] [blame]3957run_test "Renegotiation: DTLS, client-initiated" \
3958 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
3959 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
3960 0 \
3961 -c "client hello, adding renegotiation extension" \
3962 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3963 -s "found renegotiation extension" \
3964 -s "server hello, secure renegotiation extension" \
3965 -c "found renegotiation extension" \
3966 -c "=> renegotiate" \
3967 -s "=> renegotiate" \
3968 -S "write hello request"
3969
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3970requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3971run_test "Renegotiation: DTLS, server-initiated" \
3972 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
Manuel Pégourié-Gonnarddf9a0a82014-10-02 14:17:18 +0200[diff] [blame]3973 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
3974 read_timeout=1000 max_resend=2" \
Manuel Pégourié-Gonnardc392b242014-08-19 17:53:11 +0200[diff] [blame]3975 0 \
3976 -c "client hello, adding renegotiation extension" \
3977 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3978 -s "found renegotiation extension" \
3979 -s "server hello, secure renegotiation extension" \
3980 -c "found renegotiation extension" \
3981 -c "=> renegotiate" \
3982 -s "=> renegotiate" \
3983 -s "write hello request"
3984
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3986run_test "Renegotiation: DTLS, renego_period overflow" \
3987 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
3988 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
3989 0 \
3990 -c "client hello, adding renegotiation extension" \
3991 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
3992 -s "found renegotiation extension" \
3993 -s "server hello, secure renegotiation extension" \
3994 -s "record counter limit reached: renegotiate" \
3995 -c "=> renegotiate" \
3996 -s "=> renegotiate" \
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]3997 -s "write hello request"
Andres AG692ad842017-01-19 16:30:57 +0000[diff] [blame]3998
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]3999requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]4000requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]4001run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
4002 "$G_SRV -u --mtu 4096" \
4003 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
4004 0 \
4005 -c "client hello, adding renegotiation extension" \
4006 -c "found renegotiation extension" \
4007 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4008 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardf1499f62014-08-31 17:13:13 +0200[diff] [blame]4009 -C "error" \
4010 -s "Extra-header:"
4011
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4012# Test for the "secure renegotation" extension only (no actual renegotiation)
4013
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4014requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4015run_test "Renego ext: gnutls server strict, client default" \
4016 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
4017 "$P_CLI debug_level=3" \
4018 0 \
4019 -c "found renegotiation extension" \
4020 -C "error" \
4021 -c "HTTP/1.0 200 [Oo][Kk]"
4022
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4023requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4024run_test "Renego ext: gnutls server unsafe, client default" \
4025 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
4026 "$P_CLI debug_level=3" \
4027 0 \
4028 -C "found renegotiation extension" \
4029 -C "error" \
4030 -c "HTTP/1.0 200 [Oo][Kk]"
4031
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4032requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4033run_test "Renego ext: gnutls server unsafe, client break legacy" \
4034 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
4035 "$P_CLI debug_level=3 allow_legacy=-1" \
4036 1 \
4037 -C "found renegotiation extension" \
4038 -c "error" \
4039 -C "HTTP/1.0 200 [Oo][Kk]"
4040
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4041requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4042run_test "Renego ext: gnutls client strict, server default" \
4043 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4044 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4045 0 \
4046 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4047 -s "server hello, secure renegotiation extension"
4048
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4049requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4050run_test "Renego ext: gnutls client unsafe, server default" \
4051 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4052 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4053 0 \
4054 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4055 -S "server hello, secure renegotiation extension"
4056
Paul Bakker539d9722015-02-08 16:18:35 +0100[diff] [blame]4057requires_gnutls
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4058run_test "Renego ext: gnutls client unsafe, server break legacy" \
4059 "$P_SRV debug_level=3 allow_legacy=-1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4060 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
Manuel Pégourié-Gonnard85d915b2014-11-03 20:10:36 +0100[diff] [blame]4061 1 \
4062 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
4063 -S "server hello, secure renegotiation extension"
4064
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4065# Tests for silently dropping trailing extra bytes in .der certificates
4066
4067requires_gnutls
4068run_test "DER format: no trailing bytes" \
4069 "$P_SRV crt_file=data_files/server5-der0.crt \
4070 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4071 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4072 0 \
4073 -c "Handshake was completed" \
4074
4075requires_gnutls
4076run_test "DER format: with a trailing zero byte" \
4077 "$P_SRV crt_file=data_files/server5-der1a.crt \
4078 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4079 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4080 0 \
4081 -c "Handshake was completed" \
4082
4083requires_gnutls
4084run_test "DER format: with a trailing random byte" \
4085 "$P_SRV crt_file=data_files/server5-der1b.crt \
4086 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4087 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4088 0 \
4089 -c "Handshake was completed" \
4090
4091requires_gnutls
4092run_test "DER format: with 2 trailing random bytes" \
4093 "$P_SRV crt_file=data_files/server5-der2.crt \
4094 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4095 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4096 0 \
4097 -c "Handshake was completed" \
4098
4099requires_gnutls
4100run_test "DER format: with 4 trailing random bytes" \
4101 "$P_SRV crt_file=data_files/server5-der4.crt \
4102 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4103 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4104 0 \
4105 -c "Handshake was completed" \
4106
4107requires_gnutls
4108run_test "DER format: with 8 trailing random bytes" \
4109 "$P_SRV crt_file=data_files/server5-der8.crt \
4110 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4111 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4112 0 \
4113 -c "Handshake was completed" \
4114
4115requires_gnutls
4116run_test "DER format: with 9 trailing random bytes" \
4117 "$P_SRV crt_file=data_files/server5-der9.crt \
4118 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]4119 "$G_CLI localhost" \
Janos Follath0b242342016-02-17 10:11:21 +0000[diff] [blame]4120 0 \
4121 -c "Handshake was completed" \
4122
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]4123# Tests for auth_mode, there are duplicated tests using ca callback for authentication
4124# When updating these tests, modify the matching authentication tests accordingly
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4125
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4126run_test "Authentication: server badcert, client required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4127 "$P_SRV crt_file=data_files/server5-badsign.crt \
4128 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4129 "$P_CLI debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4130 1 \
4131 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4132 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4133 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4134 -c "X509 - Certificate verification failed"
4135
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4136run_test "Authentication: server badcert, client optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4137 "$P_SRV crt_file=data_files/server5-badsign.crt \
4138 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4139 "$P_CLI debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4140 0 \
4141 -c "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4142 -c "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4143 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4144 -C "X509 - Certificate verification failed"
4145
Hanno Beckere6706e62017-05-15 16:05:15 +0100[diff] [blame]4146run_test "Authentication: server goodcert, client optional, no trusted CA" \
4147 "$P_SRV" \
4148 "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
4149 0 \
4150 -c "x509_verify_cert() returned" \
4151 -c "! The certificate is not correctly signed by the trusted CA" \
4152 -c "! Certificate verification flags"\
4153 -C "! mbedtls_ssl_handshake returned" \
4154 -C "X509 - Certificate verification failed" \
4155 -C "SSL - No CA Chain is set, but required to operate"
4156
4157run_test "Authentication: server goodcert, client required, no trusted CA" \
4158 "$P_SRV" \
4159 "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
4160 1 \
4161 -c "x509_verify_cert() returned" \
4162 -c "! The certificate is not correctly signed by the trusted CA" \
4163 -c "! Certificate verification flags"\
4164 -c "! mbedtls_ssl_handshake returned" \
4165 -c "SSL - No CA Chain is set, but required to operate"
4166
4167# The purpose of the next two tests is to test the client's behaviour when receiving a server
4168# certificate with an unsupported elliptic curve. This should usually not happen because
4169# the client informs the server about the supported curves - it does, though, in the
4170# corner case of a static ECDH suite, because the server doesn't check the curve on that
4171# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
4172# different means to have the server ignoring the client's supported curve list.
4173
4174requires_config_enabled MBEDTLS_ECP_C
4175run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
4176 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4177 crt_file=data_files/server5.ku-ka.crt" \
4178 "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
4179 1 \
4180 -c "bad certificate (EC key curve)"\
4181 -c "! Certificate verification flags"\
4182 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
4183
4184requires_config_enabled MBEDTLS_ECP_C
4185run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
4186 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4187 crt_file=data_files/server5.ku-ka.crt" \
4188 "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
4189 1 \
4190 -c "bad certificate (EC key curve)"\
4191 -c "! Certificate verification flags"\
4192 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
4193
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4194run_test "Authentication: server badcert, client none" \
Manuel Pégourié-Gonnardc1da6642014-02-25 14:18:30 +0100[diff] [blame]4195 "$P_SRV crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4196 key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4197 "$P_CLI debug_level=1 auth_mode=none" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4198 0 \
4199 -C "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4200 -C "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4201 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4202 -C "X509 - Certificate verification failed"
4203
Simon Butcher99000142016-10-13 17:21:01 +0100[diff] [blame]4204run_test "Authentication: client SHA256, server required" \
4205 "$P_SRV auth_mode=required" \
4206 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4207 key_file=data_files/server6.key \
4208 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
4209 0 \
4210 -c "Supported Signature Algorithm found: 4," \
4211 -c "Supported Signature Algorithm found: 5,"
4212
4213run_test "Authentication: client SHA384, server required" \
4214 "$P_SRV auth_mode=required" \
4215 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4216 key_file=data_files/server6.key \
4217 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
4218 0 \
4219 -c "Supported Signature Algorithm found: 4," \
4220 -c "Supported Signature Algorithm found: 5,"
4221
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4222requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
4223run_test "Authentication: client has no cert, server required (SSLv3)" \
4224 "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
4225 "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
4226 key_file=data_files/server5.key" \
4227 1 \
4228 -S "skip write certificate request" \
4229 -C "skip parse certificate request" \
4230 -c "got a certificate request" \
4231 -c "got no certificate to send" \
4232 -S "x509_verify_cert() returned" \
4233 -s "client has no certificate" \
4234 -s "! mbedtls_ssl_handshake returned" \
4235 -c "! mbedtls_ssl_handshake returned" \
4236 -s "No client certification received from the client, but required by the authentication mode"
4237
4238run_test "Authentication: client has no cert, server required (TLS)" \
4239 "$P_SRV debug_level=3 auth_mode=required" \
4240 "$P_CLI debug_level=3 crt_file=none \
4241 key_file=data_files/server5.key" \
4242 1 \
4243 -S "skip write certificate request" \
4244 -C "skip parse certificate request" \
4245 -c "got a certificate request" \
4246 -c "= write certificate$" \
4247 -C "skip write certificate$" \
4248 -S "x509_verify_cert() returned" \
4249 -s "client has no certificate" \
4250 -s "! mbedtls_ssl_handshake returned" \
4251 -c "! mbedtls_ssl_handshake returned" \
4252 -s "No client certification received from the client, but required by the authentication mode"
4253
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4254run_test "Authentication: client badcert, server required" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4255 "$P_SRV debug_level=3 auth_mode=required" \
4256 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4257 key_file=data_files/server5.key" \
4258 1 \
4259 -S "skip write certificate request" \
4260 -C "skip parse certificate request" \
4261 -c "got a certificate request" \
4262 -C "skip write certificate" \
4263 -C "skip write certificate verify" \
4264 -S "skip parse certificate verify" \
4265 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4266 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4267 -s "! mbedtls_ssl_handshake returned" \
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4268 -s "send alert level=2 message=48" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4269 -c "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4270 -s "X509 - Certificate verification failed"
Gilles Peskine1cc8e342017-05-03 16:28:34 +0200[diff] [blame]4271# We don't check that the client receives the alert because it might
4272# detect that its write end of the connection is closed and abort
4273# before reading the alert message.
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4274
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4275run_test "Authentication: client cert not trusted, server required" \
4276 "$P_SRV debug_level=3 auth_mode=required" \
4277 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4278 key_file=data_files/server5.key" \
4279 1 \
4280 -S "skip write certificate request" \
4281 -C "skip parse certificate request" \
4282 -c "got a certificate request" \
4283 -C "skip write certificate" \
4284 -C "skip write certificate verify" \
4285 -S "skip parse certificate verify" \
4286 -s "x509_verify_cert() returned" \
4287 -s "! The certificate is not correctly signed by the trusted CA" \
4288 -s "! mbedtls_ssl_handshake returned" \
4289 -c "! mbedtls_ssl_handshake returned" \
4290 -s "X509 - Certificate verification failed"
4291
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4292run_test "Authentication: client badcert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4293 "$P_SRV debug_level=3 auth_mode=optional" \
4294 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4295 key_file=data_files/server5.key" \
4296 0 \
4297 -S "skip write certificate request" \
4298 -C "skip parse certificate request" \
4299 -c "got a certificate request" \
4300 -C "skip write certificate" \
4301 -C "skip write certificate verify" \
4302 -S "skip parse certificate verify" \
4303 -s "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4304 -s "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4305 -S "! mbedtls_ssl_handshake returned" \
4306 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4307 -S "X509 - Certificate verification failed"
4308
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4309run_test "Authentication: client badcert, server none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4310 "$P_SRV debug_level=3 auth_mode=none" \
4311 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4312 key_file=data_files/server5.key" \
4313 0 \
4314 -s "skip write certificate request" \
4315 -C "skip parse certificate request" \
4316 -c "got no certificate request" \
4317 -c "skip write certificate" \
4318 -c "skip write certificate verify" \
4319 -s "skip parse certificate verify" \
4320 -S "x509_verify_cert() returned" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4321 -S "! The certificate is not correctly signed by the trusted CA" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4322 -S "! mbedtls_ssl_handshake returned" \
4323 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]4324 -S "X509 - Certificate verification failed"
4325
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4326run_test "Authentication: client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4327 "$P_SRV debug_level=3 auth_mode=optional" \
4328 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4329 0 \
4330 -S "skip write certificate request" \
4331 -C "skip parse certificate request" \
4332 -c "got a certificate request" \
4333 -C "skip write certificate$" \
4334 -C "got no certificate to send" \
4335 -S "SSLv3 client has no certificate" \
4336 -c "skip write certificate verify" \
4337 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4338 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4339 -S "! mbedtls_ssl_handshake returned" \
4340 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4341 -S "X509 - Certificate verification failed"
4342
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4343run_test "Authentication: openssl client no cert, server optional" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4344 "$P_SRV debug_level=3 auth_mode=optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4345 "$O_CLI" \
4346 0 \
4347 -S "skip write certificate request" \
4348 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4349 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4350 -S "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4351 -S "X509 - Certificate verification failed"
4352
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4353run_test "Authentication: client no cert, openssl server optional" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4354 "$O_SRV -verify 10" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4355 "$P_CLI debug_level=3 crt_file=none key_file=none" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4356 0 \
4357 -C "skip parse certificate request" \
4358 -c "got a certificate request" \
4359 -C "skip write certificate$" \
4360 -c "skip write certificate verify" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4361 -C "! mbedtls_ssl_handshake returned"
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4362
Gilles Peskinefd8332e2017-05-03 16:25:07 +0200[diff] [blame]4363run_test "Authentication: client no cert, openssl server required" \
4364 "$O_SRV -Verify 10" \
4365 "$P_CLI debug_level=3 crt_file=none key_file=none" \
4366 1 \
4367 -C "skip parse certificate request" \
4368 -c "got a certificate request" \
4369 -C "skip write certificate$" \
4370 -c "skip write certificate verify" \
4371 -c "! mbedtls_ssl_handshake returned"
4372
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]4373requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4374run_test "Authentication: client no cert, ssl3" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]4375 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]4376 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4377 0 \
4378 -S "skip write certificate request" \
4379 -C "skip parse certificate request" \
4380 -c "got a certificate request" \
4381 -C "skip write certificate$" \
4382 -c "skip write certificate verify" \
4383 -c "got no certificate to send" \
4384 -s "SSLv3 client has no certificate" \
4385 -s "skip parse certificate verify" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]4386 -s "! Certificate was missing" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]4387 -S "! mbedtls_ssl_handshake returned" \
4388 -C "! mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnardde515cc2014-02-27 14:58:26 +0100[diff] [blame]4389 -S "X509 - Certificate verification failed"
4390
Yuto Takanoccdd25c2021-07-02 13:05:15 +0100[diff] [blame]4391# This script assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA has its default
4392# value, defined here as MAX_IM_CA. Some test cases will be skipped if the
4393# library is configured with a different value.
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4394
Simon Butcherbcfa6f42017-07-28 15:59:35 +0100[diff] [blame]4395MAX_IM_CA='8'
Hanno Beckera6bca9f2017-07-26 13:35:11 +0100[diff] [blame]4396
Yuto Takanoccdd25c2021-07-02 13:05:15 +0100[diff] [blame]4397# The tests for the max_int tests can pass with any number higher than MAX_IM_CA
4398# because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1
4399# tests can pass with any number less than MAX_IM_CA. However, stricter preconditions
4400# are in place so that the semantics are consistent with the test description.
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4401requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4402requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4403run_test "Authentication: server max_int chain, client default" \
4404 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
4405 key_file=data_files/dir-maxpath/09.key" \
4406 "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
4407 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4408 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4409
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4410requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4411requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4412run_test "Authentication: server max_int+1 chain, client default" \
4413 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4414 key_file=data_files/dir-maxpath/10.key" \
4415 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
4416 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4417 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4418
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4419requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4420requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4421run_test "Authentication: server max_int+1 chain, client optional" \
4422 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4423 key_file=data_files/dir-maxpath/10.key" \
4424 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4425 auth_mode=optional" \
4426 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4427 -c "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4428
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4429requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4430requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4431run_test "Authentication: server max_int+1 chain, client none" \
4432 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4433 key_file=data_files/dir-maxpath/10.key" \
4434 "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4435 auth_mode=none" \
4436 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4437 -C "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4438
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4439requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4440requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4441run_test "Authentication: client max_int+1 chain, server default" \
4442 "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
4443 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4444 key_file=data_files/dir-maxpath/10.key" \
4445 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4446 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4447
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4448requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4449requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4450run_test "Authentication: client max_int+1 chain, server optional" \
4451 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4452 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4453 key_file=data_files/dir-maxpath/10.key" \
4454 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4455 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4456
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4457requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4458requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4459run_test "Authentication: client max_int+1 chain, server required" \
4460 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4461 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4462 key_file=data_files/dir-maxpath/10.key" \
4463 1 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4464 -s "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4465
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4466requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]4467requires_full_size_output_buffer
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4468run_test "Authentication: client max_int chain, server required" \
4469 "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4470 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4471 key_file=data_files/dir-maxpath/09.key" \
4472 0 \
Antonin Décimo36e89b52019-01-23 15:24:37 +0100[diff] [blame]4473 -S "X509 - A fatal error occurred"
Manuel Pégourié-Gonnard81bb6b62017-06-26 10:45:33 +0200[diff] [blame]4474
Janos Follath89baba22017-04-10 14:34:35 +0100[diff] [blame]4475# Tests for CA list in CertificateRequest messages
4476
4477run_test "Authentication: send CA list in CertificateRequest (default)" \
4478 "$P_SRV debug_level=3 auth_mode=required" \
4479 "$P_CLI crt_file=data_files/server6.crt \
4480 key_file=data_files/server6.key" \
4481 0 \
4482 -s "requested DN"
4483
4484run_test "Authentication: do not send CA list in CertificateRequest" \
4485 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4486 "$P_CLI crt_file=data_files/server6.crt \
4487 key_file=data_files/server6.key" \
4488 0 \
4489 -S "requested DN"
4490
4491run_test "Authentication: send CA list in CertificateRequest, client self signed" \
4492 "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
4493 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4494 key_file=data_files/server5.key" \
4495 1 \
4496 -S "requested DN" \
4497 -s "x509_verify_cert() returned" \
4498 -s "! The certificate is not correctly signed by the trusted CA" \
4499 -s "! mbedtls_ssl_handshake returned" \
4500 -c "! mbedtls_ssl_handshake returned" \
4501 -s "X509 - Certificate verification failed"
4502
Jarno Lamsaf7a7f9e2019-04-01 15:11:54 +0300[diff] [blame]4503# Tests for auth_mode, using CA callback, these are duplicated from the authentication tests
4504# When updating these tests, modify the matching authentication tests accordingly
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4505
4506requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4507run_test "Authentication, CA callback: server badcert, client required" \
4508 "$P_SRV crt_file=data_files/server5-badsign.crt \
4509 key_file=data_files/server5.key" \
4510 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required" \
4511 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4512 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4513 -c "x509_verify_cert() returned" \
4514 -c "! The certificate is not correctly signed by the trusted CA" \
4515 -c "! mbedtls_ssl_handshake returned" \
4516 -c "X509 - Certificate verification failed"
4517
4518requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4519run_test "Authentication, CA callback: server badcert, client optional" \
4520 "$P_SRV crt_file=data_files/server5-badsign.crt \
4521 key_file=data_files/server5.key" \
4522 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional" \
4523 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4524 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4525 -c "x509_verify_cert() returned" \
4526 -c "! The certificate is not correctly signed by the trusted CA" \
4527 -C "! mbedtls_ssl_handshake returned" \
4528 -C "X509 - Certificate verification failed"
4529
4530# The purpose of the next two tests is to test the client's behaviour when receiving a server
4531# certificate with an unsupported elliptic curve. This should usually not happen because
4532# the client informs the server about the supported curves - it does, though, in the
4533# corner case of a static ECDH suite, because the server doesn't check the curve on that
4534# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
4535# different means to have the server ignoring the client's supported curve list.
4536
4537requires_config_enabled MBEDTLS_ECP_C
4538requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4539run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
4540 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4541 crt_file=data_files/server5.ku-ka.crt" \
4542 "$P_CLI ca_callback=1 debug_level=3 auth_mode=required curves=secp521r1" \
4543 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4544 -c "use CA callback for X.509 CRT verification" \
4545 -c "bad certificate (EC key curve)" \
4546 -c "! Certificate verification flags" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4547 -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
4548
4549requires_config_enabled MBEDTLS_ECP_C
4550requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4551run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
4552 "$P_SRV debug_level=1 key_file=data_files/server5.key \
4553 crt_file=data_files/server5.ku-ka.crt" \
4554 "$P_CLI ca_callback=1 debug_level=3 auth_mode=optional curves=secp521r1" \
4555 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4556 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4557 -c "bad certificate (EC key curve)"\
4558 -c "! Certificate verification flags"\
4559 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
4560
4561requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4562run_test "Authentication, CA callback: client SHA256, server required" \
4563 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4564 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4565 key_file=data_files/server6.key \
4566 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
4567 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4568 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4569 -c "Supported Signature Algorithm found: 4," \
4570 -c "Supported Signature Algorithm found: 5,"
4571
4572requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4573run_test "Authentication, CA callback: client SHA384, server required" \
4574 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4575 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
4576 key_file=data_files/server6.key \
4577 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
4578 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4579 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4580 -c "Supported Signature Algorithm found: 4," \
4581 -c "Supported Signature Algorithm found: 5,"
4582
4583requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4584run_test "Authentication, CA callback: client badcert, server required" \
4585 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4586 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
4587 key_file=data_files/server5.key" \
4588 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4589 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4590 -S "skip write certificate request" \
4591 -C "skip parse certificate request" \
4592 -c "got a certificate request" \
4593 -C "skip write certificate" \
4594 -C "skip write certificate verify" \
4595 -S "skip parse certificate verify" \
4596 -s "x509_verify_cert() returned" \
4597 -s "! The certificate is not correctly signed by the trusted CA" \
4598 -s "! mbedtls_ssl_handshake returned" \
4599 -s "send alert level=2 message=48" \
4600 -c "! mbedtls_ssl_handshake returned" \
4601 -s "X509 - Certificate verification failed"
4602# We don't check that the client receives the alert because it might
4603# detect that its write end of the connection is closed and abort
4604# before reading the alert message.
4605
4606requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4607run_test "Authentication, CA callback: client cert not trusted, server required" \
4608 "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
4609 "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
4610 key_file=data_files/server5.key" \
4611 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4612 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4613 -S "skip write certificate request" \
4614 -C "skip parse certificate request" \
4615 -c "got a certificate request" \
4616 -C "skip write certificate" \
4617 -C "skip write certificate verify" \
4618 -S "skip parse certificate verify" \
4619 -s "x509_verify_cert() returned" \
4620 -s "! The certificate is not correctly signed by the trusted CA" \
4621 -s "! mbedtls_ssl_handshake returned" \
4622 -c "! mbedtls_ssl_handshake returned" \
4623 -s "X509 - Certificate verification failed"
4624
4625requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4626run_test "Authentication, CA callback: client badcert, server optional" \
4627 "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
4628 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
4629 key_file=data_files/server5.key" \
4630 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4631 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4632 -S "skip write certificate request" \
4633 -C "skip parse certificate request" \
4634 -c "got a certificate request" \
4635 -C "skip write certificate" \
4636 -C "skip write certificate verify" \
4637 -S "skip parse certificate verify" \
4638 -s "x509_verify_cert() returned" \
4639 -s "! The certificate is not correctly signed by the trusted CA" \
4640 -S "! mbedtls_ssl_handshake returned" \
4641 -C "! mbedtls_ssl_handshake returned" \
4642 -S "X509 - Certificate verification failed"
4643
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4644requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4645requires_full_size_output_buffer
4646requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4647run_test "Authentication, CA callback: server max_int chain, client default" \
4648 "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
4649 key_file=data_files/dir-maxpath/09.key" \
4650 "$P_CLI ca_callback=1 debug_level=3 server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
4651 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4652 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4653 -C "X509 - A fatal error occurred"
4654
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4655requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4656requires_full_size_output_buffer
4657requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4658run_test "Authentication, CA callback: server max_int+1 chain, client default" \
4659 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4660 key_file=data_files/dir-maxpath/10.key" \
4661 "$P_CLI debug_level=3 ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
4662 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4663 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4664 -c "X509 - A fatal error occurred"
4665
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4666requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4667requires_full_size_output_buffer
4668requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4669run_test "Authentication, CA callback: server max_int+1 chain, client optional" \
4670 "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
4671 key_file=data_files/dir-maxpath/10.key" \
4672 "$P_CLI ca_callback=1 server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
4673 debug_level=3 auth_mode=optional" \
4674 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4675 -c "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4676 -c "X509 - A fatal error occurred"
4677
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4678requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4679requires_full_size_output_buffer
4680requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4681run_test "Authentication, CA callback: client max_int+1 chain, server optional" \
4682 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
4683 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4684 key_file=data_files/dir-maxpath/10.key" \
4685 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4686 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4687 -s "X509 - A fatal error occurred"
4688
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4689requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4690requires_full_size_output_buffer
4691requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4692run_test "Authentication, CA callback: client max_int+1 chain, server required" \
4693 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4694 "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
4695 key_file=data_files/dir-maxpath/10.key" \
4696 1 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4697 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4698 -s "X509 - A fatal error occurred"
4699
Yuto Takano8a693ef2021-07-02 13:10:41 +0100[diff] [blame]4700requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4701requires_full_size_output_buffer
4702requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
4703run_test "Authentication, CA callback: client max_int chain, server required" \
4704 "$P_SRV ca_callback=1 debug_level=3 ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
4705 "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
4706 key_file=data_files/dir-maxpath/09.key" \
4707 0 \
Janos Follathd7ecbd62019-04-05 14:52:17 +0100[diff] [blame]4708 -s "use CA callback for X.509 CRT verification" \
Hanno Becker746aaf32019-03-28 15:25:23 +0000[diff] [blame]4709 -S "X509 - A fatal error occurred"
4710
Manuel Pégourié-Gonnarddf331a52015-01-08 16:43:07 +0100[diff] [blame]4711# Tests for certificate selection based on SHA verson
4712
4713run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
4714 "$P_SRV crt_file=data_files/server5.crt \
4715 key_file=data_files/server5.key \
4716 crt_file2=data_files/server5-sha1.crt \
4717 key_file2=data_files/server5.key" \
4718 "$P_CLI force_version=tls1_2" \
4719 0 \
4720 -c "signed using.*ECDSA with SHA256" \
4721 -C "signed using.*ECDSA with SHA1"
4722
4723run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
4724 "$P_SRV crt_file=data_files/server5.crt \
4725 key_file=data_files/server5.key \
4726 crt_file2=data_files/server5-sha1.crt \
4727 key_file2=data_files/server5.key" \
4728 "$P_CLI force_version=tls1_1" \
4729 0 \
4730 -C "signed using.*ECDSA with SHA256" \
4731 -c "signed using.*ECDSA with SHA1"
4732
4733run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
4734 "$P_SRV crt_file=data_files/server5.crt \
4735 key_file=data_files/server5.key \
4736 crt_file2=data_files/server5-sha1.crt \
4737 key_file2=data_files/server5.key" \
4738 "$P_CLI force_version=tls1" \
4739 0 \
4740 -C "signed using.*ECDSA with SHA256" \
4741 -c "signed using.*ECDSA with SHA1"
4742
4743run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
4744 "$P_SRV crt_file=data_files/server5.crt \
4745 key_file=data_files/server5.key \
4746 crt_file2=data_files/server6.crt \
4747 key_file2=data_files/server6.key" \
4748 "$P_CLI force_version=tls1_1" \
4749 0 \
4750 -c "serial number.*09" \
4751 -c "signed using.*ECDSA with SHA256" \
4752 -C "signed using.*ECDSA with SHA1"
4753
4754run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
4755 "$P_SRV crt_file=data_files/server6.crt \
4756 key_file=data_files/server6.key \
4757 crt_file2=data_files/server5.crt \
4758 key_file2=data_files/server5.key" \
4759 "$P_CLI force_version=tls1_1" \
4760 0 \
4761 -c "serial number.*0A" \
4762 -c "signed using.*ECDSA with SHA256" \
4763 -C "signed using.*ECDSA with SHA1"
4764
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4765# tests for SNI
4766
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4767run_test "SNI: no SNI callback" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4768 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4769 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4770 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4771 0 \
4772 -S "parse ServerName extension" \
4773 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4774 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4775
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4776run_test "SNI: matching cert 1" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4777 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4778 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4779 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4780 "$P_CLI server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4781 0 \
4782 -s "parse ServerName extension" \
4783 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4784 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4785
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4786run_test "SNI: matching cert 2" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4787 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4788 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4789 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4790 "$P_CLI server_name=polarssl.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4791 0 \
4792 -s "parse ServerName extension" \
4793 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4794 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4795
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]4796run_test "SNI: no matching cert" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4797 "$P_SRV debug_level=3 \
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4798 crt_file=data_files/server5.crt key_file=data_files/server5.key \
Manuel Pégourié-Gonnard4d6f1782015-06-19 14:40:39 +0200[diff] [blame]4799 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]4800 "$P_CLI server_name=nonesuch.example" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4801 1 \
4802 -s "parse ServerName extension" \
4803 -s "ssl_sni_wrapper() returned" \
4804 -s "mbedtls_ssl_handshake returned" \
4805 -c "mbedtls_ssl_handshake returned" \
4806 -c "SSL - A fatal alert message was received from our peer"
Manuel Pégourié-Gonnard96ea2f22014-02-25 12:26:29 +0100[diff] [blame]4807
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4808run_test "SNI: client auth no override: optional" \
4809 "$P_SRV debug_level=3 auth_mode=optional \
4810 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4811 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4812 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4813 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4814 -S "skip write certificate request" \
4815 -C "skip parse certificate request" \
4816 -c "got a certificate request" \
4817 -C "skip write certificate" \
4818 -C "skip write certificate verify" \
4819 -S "skip parse certificate verify"
4820
4821run_test "SNI: client auth override: none -> optional" \
4822 "$P_SRV debug_level=3 auth_mode=none \
4823 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4824 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4825 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4826 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4827 -S "skip write certificate request" \
4828 -C "skip parse certificate request" \
4829 -c "got a certificate request" \
4830 -C "skip write certificate" \
4831 -C "skip write certificate verify" \
4832 -S "skip parse certificate verify"
4833
4834run_test "SNI: client auth override: optional -> none" \
4835 "$P_SRV debug_level=3 auth_mode=optional \
4836 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4837 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4838 "$P_CLI debug_level=3 server_name=localhost" \
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4839 0 \
Manuel Pégourié-Gonnardc948a792015-06-22 16:04:20 +0200[diff] [blame]4840 -s "skip write certificate request" \
4841 -C "skip parse certificate request" \
4842 -c "got no certificate request" \
4843 -c "skip write certificate" \
4844 -c "skip write certificate verify" \
4845 -s "skip parse certificate verify"
4846
Manuel Pégourié-Gonnard6ea831d2015-06-22 16:50:52 +0200[diff] [blame]4847run_test "SNI: CA no override" \
4848 "$P_SRV debug_level=3 auth_mode=optional \
4849 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4850 ca_file=data_files/test-ca.crt \
4851 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4852 "$P_CLI debug_level=3 server_name=localhost \
4853 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4854 1 \
4855 -S "skip write certificate request" \
4856 -C "skip parse certificate request" \
4857 -c "got a certificate request" \
4858 -C "skip write certificate" \
4859 -C "skip write certificate verify" \
4860 -S "skip parse certificate verify" \
4861 -s "x509_verify_cert() returned" \
4862 -s "! The certificate is not correctly signed by the trusted CA" \
4863 -S "The certificate has been revoked (is on a CRL)"
4864
4865run_test "SNI: CA override" \
4866 "$P_SRV debug_level=3 auth_mode=optional \
4867 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4868 ca_file=data_files/test-ca.crt \
4869 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
4870 "$P_CLI debug_level=3 server_name=localhost \
4871 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4872 0 \
4873 -S "skip write certificate request" \
4874 -C "skip parse certificate request" \
4875 -c "got a certificate request" \
4876 -C "skip write certificate" \
4877 -C "skip write certificate verify" \
4878 -S "skip parse certificate verify" \
4879 -S "x509_verify_cert() returned" \
4880 -S "! The certificate is not correctly signed by the trusted CA" \
4881 -S "The certificate has been revoked (is on a CRL)"
4882
4883run_test "SNI: CA override with CRL" \
4884 "$P_SRV debug_level=3 auth_mode=optional \
4885 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4886 ca_file=data_files/test-ca.crt \
4887 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
4888 "$P_CLI debug_level=3 server_name=localhost \
4889 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4890 1 \
4891 -S "skip write certificate request" \
4892 -C "skip parse certificate request" \
4893 -c "got a certificate request" \
4894 -C "skip write certificate" \
4895 -C "skip write certificate verify" \
4896 -S "skip parse certificate verify" \
4897 -s "x509_verify_cert() returned" \
4898 -S "! The certificate is not correctly signed by the trusted CA" \
4899 -s "The certificate has been revoked (is on a CRL)"
4900
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4901# Tests for SNI and DTLS
4902
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4903run_test "SNI: DTLS, no SNI callback" \
4904 "$P_SRV debug_level=3 dtls=1 \
4905 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
4906 "$P_CLI server_name=localhost dtls=1" \
4907 0 \
4908 -S "parse ServerName extension" \
4909 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
4910 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4911
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]4912run_test "SNI: DTLS, matching cert 1" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]4913 "$P_SRV debug_level=3 dtls=1 \
4914 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4915 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4916 "$P_CLI server_name=localhost dtls=1" \
4917 0 \
4918 -s "parse ServerName extension" \
4919 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4920 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
4921
Andres Amaya Garcia54306c12018-05-01 20:27:37 +0100[diff] [blame]4922run_test "SNI: DTLS, matching cert 2" \
4923 "$P_SRV debug_level=3 dtls=1 \
4924 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4925 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4926 "$P_CLI server_name=polarssl.example dtls=1" \
4927 0 \
4928 -s "parse ServerName extension" \
4929 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
4930 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
4931
4932run_test "SNI: DTLS, no matching cert" \
4933 "$P_SRV debug_level=3 dtls=1 \
4934 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4935 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
4936 "$P_CLI server_name=nonesuch.example dtls=1" \
4937 1 \
4938 -s "parse ServerName extension" \
4939 -s "ssl_sni_wrapper() returned" \
4940 -s "mbedtls_ssl_handshake returned" \
4941 -c "mbedtls_ssl_handshake returned" \
4942 -c "SSL - A fatal alert message was received from our peer"
4943
4944run_test "SNI: DTLS, client auth no override: optional" \
4945 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4946 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4947 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
4948 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4949 0 \
4950 -S "skip write certificate request" \
4951 -C "skip parse certificate request" \
4952 -c "got a certificate request" \
4953 -C "skip write certificate" \
4954 -C "skip write certificate verify" \
4955 -S "skip parse certificate verify"
4956
4957run_test "SNI: DTLS, client auth override: none -> optional" \
4958 "$P_SRV debug_level=3 auth_mode=none dtls=1 \
4959 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4960 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
4961 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4962 0 \
4963 -S "skip write certificate request" \
4964 -C "skip parse certificate request" \
4965 -c "got a certificate request" \
4966 -C "skip write certificate" \
4967 -C "skip write certificate verify" \
4968 -S "skip parse certificate verify"
4969
4970run_test "SNI: DTLS, client auth override: optional -> none" \
4971 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4972 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4973 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
4974 "$P_CLI debug_level=3 server_name=localhost dtls=1" \
4975 0 \
4976 -s "skip write certificate request" \
4977 -C "skip parse certificate request" \
4978 -c "got no certificate request" \
4979 -c "skip write certificate" \
4980 -c "skip write certificate verify" \
4981 -s "skip parse certificate verify"
4982
4983run_test "SNI: DTLS, CA no override" \
4984 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
4985 crt_file=data_files/server5.crt key_file=data_files/server5.key \
4986 ca_file=data_files/test-ca.crt \
4987 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
4988 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
4989 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
4990 1 \
4991 -S "skip write certificate request" \
4992 -C "skip parse certificate request" \
4993 -c "got a certificate request" \
4994 -C "skip write certificate" \
4995 -C "skip write certificate verify" \
4996 -S "skip parse certificate verify" \
4997 -s "x509_verify_cert() returned" \
4998 -s "! The certificate is not correctly signed by the trusted CA" \
4999 -S "The certificate has been revoked (is on a CRL)"
5000
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]5001run_test "SNI: DTLS, CA override" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]5002 "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
5003 crt_file=data_files/server5.crt key_file=data_files/server5.key \
5004 ca_file=data_files/test-ca.crt \
5005 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
5006 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
5007 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
5008 0 \
5009 -S "skip write certificate request" \
5010 -C "skip parse certificate request" \
5011 -c "got a certificate request" \
5012 -C "skip write certificate" \
5013 -C "skip write certificate verify" \
5014 -S "skip parse certificate verify" \
5015 -S "x509_verify_cert() returned" \
5016 -S "! The certificate is not correctly signed by the trusted CA" \
5017 -S "The certificate has been revoked (is on a CRL)"
5018
Andres Amaya Garciaf77d3d32018-05-01 20:26:47 +0100[diff] [blame]5019run_test "SNI: DTLS, CA override with CRL" \
Andres AG1a834452016-12-07 10:01:30 +0000[diff] [blame]5020 "$P_SRV debug_level=3 auth_mode=optional \
5021 crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
5022 ca_file=data_files/test-ca.crt \
5023 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
5024 "$P_CLI debug_level=3 server_name=localhost dtls=1 \
5025 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
5026 1 \
5027 -S "skip write certificate request" \
5028 -C "skip parse certificate request" \
5029 -c "got a certificate request" \
5030 -C "skip write certificate" \
5031 -C "skip write certificate verify" \
5032 -S "skip parse certificate verify" \
5033 -s "x509_verify_cert() returned" \
5034 -S "! The certificate is not correctly signed by the trusted CA" \
5035 -s "The certificate has been revoked (is on a CRL)"
5036
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5037# Tests for non-blocking I/O: exercise a variety of handshake flows
5038
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5039run_test "Non-blocking I/O: basic handshake" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5040 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
5041 "$P_CLI nbio=2 tickets=0" \
5042 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5043 -S "mbedtls_ssl_handshake returned" \
5044 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5045 -c "Read from server: .* bytes read"
5046
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5047run_test "Non-blocking I/O: client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5048 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
5049 "$P_CLI nbio=2 tickets=0" \
5050 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5051 -S "mbedtls_ssl_handshake returned" \
5052 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5053 -c "Read from server: .* bytes read"
5054
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5055run_test "Non-blocking I/O: ticket" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5056 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
5057 "$P_CLI nbio=2 tickets=1" \
5058 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5059 -S "mbedtls_ssl_handshake returned" \
5060 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5061 -c "Read from server: .* bytes read"
5062
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5063run_test "Non-blocking I/O: ticket + client auth" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5064 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
5065 "$P_CLI nbio=2 tickets=1" \
5066 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5067 -S "mbedtls_ssl_handshake returned" \
5068 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5069 -c "Read from server: .* bytes read"
5070
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5071run_test "Non-blocking I/O: ticket + client auth + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5072 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
5073 "$P_CLI nbio=2 tickets=1 reconnect=1" \
5074 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5075 -S "mbedtls_ssl_handshake returned" \
5076 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5077 -c "Read from server: .* bytes read"
5078
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5079run_test "Non-blocking I/O: ticket + resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5080 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
5081 "$P_CLI nbio=2 tickets=1 reconnect=1" \
5082 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5083 -S "mbedtls_ssl_handshake returned" \
5084 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5085 -c "Read from server: .* bytes read"
5086
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5087run_test "Non-blocking I/O: session-id resume" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5088 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
5089 "$P_CLI nbio=2 tickets=0 reconnect=1" \
5090 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5091 -S "mbedtls_ssl_handshake returned" \
5092 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0b6609b2014-02-26 14:45:12 +0100[diff] [blame]5093 -c "Read from server: .* bytes read"
5094
Hanno Becker00076712017-11-15 16:39:08 +0000[diff] [blame]5095# Tests for event-driven I/O: exercise a variety of handshake flows
5096
5097run_test "Event-driven I/O: basic handshake" \
5098 "$P_SRV event=1 tickets=0 auth_mode=none" \
5099 "$P_CLI event=1 tickets=0" \
5100 0 \
5101 -S "mbedtls_ssl_handshake returned" \
5102 -C "mbedtls_ssl_handshake returned" \
5103 -c "Read from server: .* bytes read"
5104
5105run_test "Event-driven I/O: client auth" \
5106 "$P_SRV event=1 tickets=0 auth_mode=required" \
5107 "$P_CLI event=1 tickets=0" \
5108 0 \
5109 -S "mbedtls_ssl_handshake returned" \
5110 -C "mbedtls_ssl_handshake returned" \
5111 -c "Read from server: .* bytes read"
5112
5113run_test "Event-driven I/O: ticket" \
5114 "$P_SRV event=1 tickets=1 auth_mode=none" \
5115 "$P_CLI event=1 tickets=1" \
5116 0 \
5117 -S "mbedtls_ssl_handshake returned" \
5118 -C "mbedtls_ssl_handshake returned" \
5119 -c "Read from server: .* bytes read"
5120
5121run_test "Event-driven I/O: ticket + client auth" \
5122 "$P_SRV event=1 tickets=1 auth_mode=required" \
5123 "$P_CLI event=1 tickets=1" \
5124 0 \
5125 -S "mbedtls_ssl_handshake returned" \
5126 -C "mbedtls_ssl_handshake returned" \
5127 -c "Read from server: .* bytes read"
5128
5129run_test "Event-driven I/O: ticket + client auth + resume" \
5130 "$P_SRV event=1 tickets=1 auth_mode=required" \
5131 "$P_CLI event=1 tickets=1 reconnect=1" \
5132 0 \
5133 -S "mbedtls_ssl_handshake returned" \
5134 -C "mbedtls_ssl_handshake returned" \
5135 -c "Read from server: .* bytes read"
5136
5137run_test "Event-driven I/O: ticket + resume" \
5138 "$P_SRV event=1 tickets=1 auth_mode=none" \
5139 "$P_CLI event=1 tickets=1 reconnect=1" \
5140 0 \
5141 -S "mbedtls_ssl_handshake returned" \
5142 -C "mbedtls_ssl_handshake returned" \
5143 -c "Read from server: .* bytes read"
5144
5145run_test "Event-driven I/O: session-id resume" \
5146 "$P_SRV event=1 tickets=0 auth_mode=none" \
5147 "$P_CLI event=1 tickets=0 reconnect=1" \
5148 0 \
5149 -S "mbedtls_ssl_handshake returned" \
5150 -C "mbedtls_ssl_handshake returned" \
5151 -c "Read from server: .* bytes read"
5152
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5153run_test "Event-driven I/O, DTLS: basic handshake" \
5154 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
5155 "$P_CLI dtls=1 event=1 tickets=0" \
5156 0 \
5157 -c "Read from server: .* bytes read"
5158
5159run_test "Event-driven I/O, DTLS: client auth" \
5160 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
5161 "$P_CLI dtls=1 event=1 tickets=0" \
5162 0 \
5163 -c "Read from server: .* bytes read"
5164
5165run_test "Event-driven I/O, DTLS: ticket" \
5166 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
5167 "$P_CLI dtls=1 event=1 tickets=1" \
5168 0 \
5169 -c "Read from server: .* bytes read"
5170
5171run_test "Event-driven I/O, DTLS: ticket + client auth" \
5172 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
5173 "$P_CLI dtls=1 event=1 tickets=1" \
5174 0 \
5175 -c "Read from server: .* bytes read"
5176
5177run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
5178 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5179 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5180 0 \
5181 -c "Read from server: .* bytes read"
5182
5183run_test "Event-driven I/O, DTLS: ticket + resume" \
5184 "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5185 "$P_CLI dtls=1 event=1 tickets=1 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5186 0 \
5187 -c "Read from server: .* bytes read"
5188
5189run_test "Event-driven I/O, DTLS: session-id resume" \
5190 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5191 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Becker6a33f592018-03-13 11:38:46 +0000[diff] [blame]5192 0 \
5193 -c "Read from server: .* bytes read"
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5194
5195# This test demonstrates the need for the mbedtls_ssl_check_pending function.
5196# During session resumption, the client will send its ApplicationData record
5197# within the same datagram as the Finished messages. In this situation, the
5198# server MUST NOT idle on the underlying transport after handshake completion,
5199# because the ApplicationData request has already been queued internally.
5200run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]5201 -p "$P_PXY pack=50" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5202 "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]5203 "$P_CLI dtls=1 event=1 tickets=0 reconnect=1 skip_close_notify=1" \
Hanno Beckerbc6c1102018-03-13 11:39:40 +0000[diff] [blame]5204 0 \
5205 -c "Read from server: .* bytes read"
5206
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5207# Tests for version negotiation
5208
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5209run_test "Version check: all -> 1.2" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5210 "$P_SRV" \
5211 "$P_CLI" \
5212 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5213 -S "mbedtls_ssl_handshake returned" \
5214 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5215 -s "Protocol is TLSv1.2" \
5216 -c "Protocol is TLSv1.2"
5217
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5218run_test "Version check: cli max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5219 "$P_SRV" \
5220 "$P_CLI max_version=tls1_1" \
5221 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5222 -S "mbedtls_ssl_handshake returned" \
5223 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5224 -s "Protocol is TLSv1.1" \
5225 -c "Protocol is TLSv1.1"
5226
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5227run_test "Version check: srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5228 "$P_SRV max_version=tls1_1" \
5229 "$P_CLI" \
5230 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5231 -S "mbedtls_ssl_handshake returned" \
5232 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5233 -s "Protocol is TLSv1.1" \
5234 -c "Protocol is TLSv1.1"
5235
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5236run_test "Version check: cli+srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5237 "$P_SRV max_version=tls1_1" \
5238 "$P_CLI max_version=tls1_1" \
5239 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5240 -S "mbedtls_ssl_handshake returned" \
5241 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5242 -s "Protocol is TLSv1.1" \
5243 -c "Protocol is TLSv1.1"
5244
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5245run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5246 "$P_SRV min_version=tls1_1" \
5247 "$P_CLI max_version=tls1_1" \
5248 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5249 -S "mbedtls_ssl_handshake returned" \
5250 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5251 -s "Protocol is TLSv1.1" \
5252 -c "Protocol is TLSv1.1"
5253
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5254run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5255 "$P_SRV max_version=tls1_1" \
5256 "$P_CLI min_version=tls1_1" \
5257 0 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5258 -S "mbedtls_ssl_handshake returned" \
5259 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5260 -s "Protocol is TLSv1.1" \
5261 -c "Protocol is TLSv1.1"
5262
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5263run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5264 "$P_SRV max_version=tls1_1" \
5265 "$P_CLI min_version=tls1_2" \
5266 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5267 -s "mbedtls_ssl_handshake returned" \
5268 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5269 -c "SSL - Handshake protocol not within min/max boundaries"
5270
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5271run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5272 "$P_SRV min_version=tls1_2" \
5273 "$P_CLI max_version=tls1_1" \
5274 1 \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]5275 -s "mbedtls_ssl_handshake returned" \
5276 -c "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnarda3d808e2014-02-26 16:33:03 +0100[diff] [blame]5277 -s "SSL - Handshake protocol not within min/max boundaries"
5278
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5279# Tests for ALPN extension
5280
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5281run_test "ALPN: none" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5282 "$P_SRV debug_level=3" \
5283 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5284 0 \
5285 -C "client hello, adding alpn extension" \
5286 -S "found alpn extension" \
5287 -C "got an alert message, type: \\[2:120]" \
5288 -S "server hello, adding alpn extension" \
5289 -C "found alpn extension " \
5290 -C "Application Layer Protocol is" \
5291 -S "Application Layer Protocol is"
5292
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5293run_test "ALPN: client only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5294 "$P_SRV debug_level=3" \
5295 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5296 0 \
5297 -c "client hello, adding alpn extension" \
5298 -s "found alpn extension" \
5299 -C "got an alert message, type: \\[2:120]" \
5300 -S "server hello, adding alpn extension" \
5301 -C "found alpn extension " \
5302 -c "Application Layer Protocol is (none)" \
5303 -S "Application Layer Protocol is"
5304
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5305run_test "ALPN: server only" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5306 "$P_SRV debug_level=3 alpn=abc,1234" \
5307 "$P_CLI debug_level=3" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5308 0 \
5309 -C "client hello, adding alpn extension" \
5310 -S "found alpn extension" \
5311 -C "got an alert message, type: \\[2:120]" \
5312 -S "server hello, adding alpn extension" \
5313 -C "found alpn extension " \
5314 -C "Application Layer Protocol is" \
5315 -s "Application Layer Protocol is (none)"
5316
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5317run_test "ALPN: both, common cli1-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5318 "$P_SRV debug_level=3 alpn=abc,1234" \
5319 "$P_CLI debug_level=3 alpn=abc,1234" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5320 0 \
5321 -c "client hello, adding alpn extension" \
5322 -s "found alpn extension" \
5323 -C "got an alert message, type: \\[2:120]" \
5324 -s "server hello, adding alpn extension" \
5325 -c "found alpn extension" \
5326 -c "Application Layer Protocol is abc" \
5327 -s "Application Layer Protocol is abc"
5328
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5329run_test "ALPN: both, common cli2-srv1" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5330 "$P_SRV debug_level=3 alpn=abc,1234" \
5331 "$P_CLI debug_level=3 alpn=1234,abc" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5332 0 \
5333 -c "client hello, adding alpn extension" \
5334 -s "found alpn extension" \
5335 -C "got an alert message, type: \\[2:120]" \
5336 -s "server hello, adding alpn extension" \
5337 -c "found alpn extension" \
5338 -c "Application Layer Protocol is abc" \
5339 -s "Application Layer Protocol is abc"
5340
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5341run_test "ALPN: both, common cli1-srv2" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5342 "$P_SRV debug_level=3 alpn=abc,1234" \
5343 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5344 0 \
5345 -c "client hello, adding alpn extension" \
5346 -s "found alpn extension" \
5347 -C "got an alert message, type: \\[2:120]" \
5348 -s "server hello, adding alpn extension" \
5349 -c "found alpn extension" \
5350 -c "Application Layer Protocol is 1234" \
5351 -s "Application Layer Protocol is 1234"
5352
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5353run_test "ALPN: both, no common" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5354 "$P_SRV debug_level=3 alpn=abc,123" \
5355 "$P_CLI debug_level=3 alpn=1234,abcde" \
Manuel Pégourié-Gonnardf6521de2014-04-07 12:42:04 +0200[diff] [blame]5356 1 \
5357 -c "client hello, adding alpn extension" \
5358 -s "found alpn extension" \
5359 -c "got an alert message, type: \\[2:120]" \
5360 -S "server hello, adding alpn extension" \
5361 -C "found alpn extension" \
5362 -C "Application Layer Protocol is 1234" \
5363 -S "Application Layer Protocol is 1234"
5364
Manuel Pégourié-Gonnard83d8c732014-04-07 13:24:21 +0200[diff] [blame]5365
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5366# Tests for keyUsage in leaf certificates, part 1:
5367# server-side certificate/suite selection
5368
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5369run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5370 "$P_SRV key_file=data_files/server2.key \
5371 crt_file=data_files/server2.ku-ds.crt" \
5372 "$P_CLI" \
5373 0 \
Manuel Pégourié-Gonnard17cde5f2014-05-22 14:42:39 +0200[diff] [blame]5374 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5375
5376
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5377run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5378 "$P_SRV key_file=data_files/server2.key \
5379 crt_file=data_files/server2.ku-ke.crt" \
5380 "$P_CLI" \
5381 0 \
5382 -c "Ciphersuite is TLS-RSA-WITH-"
5383
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5384run_test "keyUsage srv: RSA, keyAgreement -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5385 "$P_SRV key_file=data_files/server2.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5386 crt_file=data_files/server2.ku-ka.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5387 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5388 1 \
5389 -C "Ciphersuite is "
5390
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5391run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5392 "$P_SRV key_file=data_files/server5.key \
5393 crt_file=data_files/server5.ku-ds.crt" \
5394 "$P_CLI" \
5395 0 \
5396 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
5397
5398
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5399run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5400 "$P_SRV key_file=data_files/server5.key \
5401 crt_file=data_files/server5.ku-ka.crt" \
5402 "$P_CLI" \
5403 0 \
5404 -c "Ciphersuite is TLS-ECDH-"
5405
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5406run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5407 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5408 crt_file=data_files/server5.ku-ke.crt" \
Manuel Pégourié-Gonnardf2629b92014-08-30 14:20:14 +0200[diff] [blame]5409 "$P_CLI" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5410 1 \
5411 -C "Ciphersuite is "
5412
5413# Tests for keyUsage in leaf certificates, part 2:
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5414# client-side checking of server cert
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5415
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5416run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5417 "$O_SRV -key data_files/server2.key \
5418 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5419 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5420 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5421 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5422 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5423 -C "Processing of the Certificate handshake message failed" \
5424 -c "Ciphersuite is TLS-"
5425
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5426run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5427 "$O_SRV -key data_files/server2.key \
5428 -cert data_files/server2.ku-ds_ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5429 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5430 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5431 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5432 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5433 -C "Processing of the Certificate handshake message failed" \
5434 -c "Ciphersuite is TLS-"
5435
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5436run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5437 "$O_SRV -key data_files/server2.key \
5438 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5439 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5440 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5441 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5442 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5443 -C "Processing of the Certificate handshake message failed" \
5444 -c "Ciphersuite is TLS-"
5445
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5446run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5447 "$O_SRV -key data_files/server2.key \
5448 -cert data_files/server2.ku-ke.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5449 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5450 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5451 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5452 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5453 -c "Processing of the Certificate handshake message failed" \
5454 -C "Ciphersuite is TLS-"
5455
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5456run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
5457 "$O_SRV -key data_files/server2.key \
5458 -cert data_files/server2.ku-ke.crt" \
5459 "$P_CLI debug_level=1 auth_mode=optional \
5460 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5461 0 \
5462 -c "bad certificate (usage extensions)" \
5463 -C "Processing of the Certificate handshake message failed" \
5464 -c "Ciphersuite is TLS-" \
5465 -c "! Usage does not match the keyUsage extension"
5466
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5467run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5468 "$O_SRV -key data_files/server2.key \
5469 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5470 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5471 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
5472 0 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5473 -C "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5474 -C "Processing of the Certificate handshake message failed" \
5475 -c "Ciphersuite is TLS-"
5476
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5477run_test "keyUsage cli: DigitalSignature, RSA: fail" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5478 "$O_SRV -key data_files/server2.key \
5479 -cert data_files/server2.ku-ds.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5480 "$P_CLI debug_level=1 \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5481 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5482 1 \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5483 -c "bad certificate (usage extensions)" \
Manuel Pégourié-Gonnard7f2a07d2014-04-09 09:50:57 +0200[diff] [blame]5484 -c "Processing of the Certificate handshake message failed" \
5485 -C "Ciphersuite is TLS-"
5486
Manuel Pégourié-Gonnarde6efa6f2015-04-20 11:01:48 +0100[diff] [blame]5487run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
5488 "$O_SRV -key data_files/server2.key \
5489 -cert data_files/server2.ku-ds.crt" \
5490 "$P_CLI debug_level=1 auth_mode=optional \
5491 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
5492 0 \
5493 -c "bad certificate (usage extensions)" \
5494 -C "Processing of the Certificate handshake message failed" \
5495 -c "Ciphersuite is TLS-" \
5496 -c "! Usage does not match the keyUsage extension"
5497
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5498# Tests for keyUsage in leaf certificates, part 3:
5499# server-side checking of client cert
5500
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5501run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5502 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5503 "$O_CLI -key data_files/server2.key \
5504 -cert data_files/server2.ku-ds.crt" \
5505 0 \
5506 -S "bad certificate (usage extensions)" \
5507 -S "Processing of the Certificate handshake message failed"
5508
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5509run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5510 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5511 "$O_CLI -key data_files/server2.key \
5512 -cert data_files/server2.ku-ke.crt" \
5513 0 \
5514 -s "bad certificate (usage extensions)" \
5515 -S "Processing of the Certificate handshake message failed"
5516
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5517run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5518 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5519 "$O_CLI -key data_files/server2.key \
5520 -cert data_files/server2.ku-ke.crt" \
5521 1 \
5522 -s "bad certificate (usage extensions)" \
5523 -s "Processing of the Certificate handshake message failed"
5524
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5525run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5526 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5527 "$O_CLI -key data_files/server5.key \
5528 -cert data_files/server5.ku-ds.crt" \
5529 0 \
5530 -S "bad certificate (usage extensions)" \
5531 -S "Processing of the Certificate handshake message failed"
5532
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5533run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5534 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnarda9db85d2014-04-09 14:53:05 +0200[diff] [blame]5535 "$O_CLI -key data_files/server5.key \
5536 -cert data_files/server5.ku-ka.crt" \
5537 0 \
5538 -s "bad certificate (usage extensions)" \
5539 -S "Processing of the Certificate handshake message failed"
5540
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5541# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
5542
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5543run_test "extKeyUsage srv: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5544 "$P_SRV key_file=data_files/server5.key \
5545 crt_file=data_files/server5.eku-srv.crt" \
5546 "$P_CLI" \
5547 0
5548
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5549run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5550 "$P_SRV key_file=data_files/server5.key \
5551 crt_file=data_files/server5.eku-srv.crt" \
5552 "$P_CLI" \
5553 0
5554
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5555run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5556 "$P_SRV key_file=data_files/server5.key \
5557 crt_file=data_files/server5.eku-cs_any.crt" \
5558 "$P_CLI" \
5559 0
5560
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5561run_test "extKeyUsage srv: codeSign -> fail" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]5562 "$P_SRV key_file=data_files/server5.key \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5563 crt_file=data_files/server5.eku-cli.crt" \
Manuel Pégourié-Gonnard7eb58cb2015-07-07 11:54:14 +0200[diff] [blame]5564 "$P_CLI" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5565 1
5566
5567# Tests for extendedKeyUsage, part 2: client-side checking of server cert
5568
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5569run_test "extKeyUsage cli: serverAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5570 "$O_SRV -key data_files/server5.key \
5571 -cert data_files/server5.eku-srv.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5572 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5573 0 \
5574 -C "bad certificate (usage extensions)" \
5575 -C "Processing of the Certificate handshake message failed" \
5576 -c "Ciphersuite is TLS-"
5577
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5578run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5579 "$O_SRV -key data_files/server5.key \
5580 -cert data_files/server5.eku-srv_cli.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5581 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5582 0 \
5583 -C "bad certificate (usage extensions)" \
5584 -C "Processing of the Certificate handshake message failed" \
5585 -c "Ciphersuite is TLS-"
5586
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5587run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5588 "$O_SRV -key data_files/server5.key \
5589 -cert data_files/server5.eku-cs_any.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5590 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5591 0 \
5592 -C "bad certificate (usage extensions)" \
5593 -C "Processing of the Certificate handshake message failed" \
5594 -c "Ciphersuite is TLS-"
5595
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5596run_test "extKeyUsage cli: codeSign -> fail" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5597 "$O_SRV -key data_files/server5.key \
5598 -cert data_files/server5.eku-cs.crt" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5599 "$P_CLI debug_level=1" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5600 1 \
5601 -c "bad certificate (usage extensions)" \
5602 -c "Processing of the Certificate handshake message failed" \
5603 -C "Ciphersuite is TLS-"
5604
5605# Tests for extendedKeyUsage, part 3: server-side checking of client cert
5606
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5607run_test "extKeyUsage cli-auth: clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5608 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5609 "$O_CLI -key data_files/server5.key \
5610 -cert data_files/server5.eku-cli.crt" \
5611 0 \
5612 -S "bad certificate (usage extensions)" \
5613 -S "Processing of the Certificate handshake message failed"
5614
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5615run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5616 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5617 "$O_CLI -key data_files/server5.key \
5618 -cert data_files/server5.eku-srv_cli.crt" \
5619 0 \
5620 -S "bad certificate (usage extensions)" \
5621 -S "Processing of the Certificate handshake message failed"
5622
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5623run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5624 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5625 "$O_CLI -key data_files/server5.key \
5626 -cert data_files/server5.eku-cs_any.crt" \
5627 0 \
5628 -S "bad certificate (usage extensions)" \
5629 -S "Processing of the Certificate handshake message failed"
5630
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5631run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5632 "$P_SRV debug_level=1 auth_mode=optional" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5633 "$O_CLI -key data_files/server5.key \
5634 -cert data_files/server5.eku-cs.crt" \
5635 0 \
5636 -s "bad certificate (usage extensions)" \
5637 -S "Processing of the Certificate handshake message failed"
5638
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5639run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
Manuel Pégourié-Gonnard644e8f32014-08-30 21:59:31 +0200[diff] [blame]5640 "$P_SRV debug_level=1 auth_mode=required" \
Manuel Pégourié-Gonnard0408fd12014-04-11 11:06:22 +0200[diff] [blame]5641 "$O_CLI -key data_files/server5.key \
5642 -cert data_files/server5.eku-cs.crt" \
5643 1 \
5644 -s "bad certificate (usage extensions)" \
5645 -s "Processing of the Certificate handshake message failed"
5646
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5647# Tests for DHM parameters loading
5648
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5649run_test "DHM parameters: reference" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5650 "$P_SRV" \
5651 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5652 debug_level=3" \
5653 0 \
5654 -c "value of 'DHM: P ' (2048 bits)" \
Hanno Becker13be9902017-09-27 17:17:30 +0100[diff] [blame]5655 -c "value of 'DHM: G ' (2 bits)"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5656
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5657run_test "DHM parameters: other parameters" \
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]5658 "$P_SRV dhm_file=data_files/dhparams.pem" \
5659 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5660 debug_level=3" \
5661 0 \
5662 -c "value of 'DHM: P ' (1024 bits)" \
5663 -c "value of 'DHM: G ' (2 bits)"
5664
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5665# Tests for DHM client-side size checking
5666
5667run_test "DHM size: server default, client default, OK" \
5668 "$P_SRV" \
5669 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5670 debug_level=1" \
5671 0 \
5672 -C "DHM prime too short:"
5673
5674run_test "DHM size: server default, client 2048, OK" \
5675 "$P_SRV" \
5676 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5677 debug_level=1 dhmlen=2048" \
5678 0 \
5679 -C "DHM prime too short:"
5680
5681run_test "DHM size: server 1024, client default, OK" \
5682 "$P_SRV dhm_file=data_files/dhparams.pem" \
5683 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5684 debug_level=1" \
5685 0 \
5686 -C "DHM prime too short:"
5687
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]5688run_test "DHM size: server 999, client 999, OK" \
5689 "$P_SRV dhm_file=data_files/dh.999.pem" \
5690 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5691 debug_level=1 dhmlen=999" \
5692 0 \
5693 -C "DHM prime too short:"
5694
5695run_test "DHM size: server 1000, client 1000, OK" \
5696 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5697 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5698 debug_level=1 dhmlen=1000" \
5699 0 \
5700 -C "DHM prime too short:"
5701
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5702run_test "DHM size: server 1000, client default, rejected" \
5703 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5704 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5705 debug_level=1" \
5706 1 \
5707 -c "DHM prime too short:"
5708
Gilles Peskinec6b0d962020-12-08 22:31:52 +0100[diff] [blame]5709run_test "DHM size: server 1000, client 1001, rejected" \
5710 "$P_SRV dhm_file=data_files/dh.1000.pem" \
5711 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5712 debug_level=1 dhmlen=1001" \
5713 1 \
5714 -c "DHM prime too short:"
5715
5716run_test "DHM size: server 999, client 1000, rejected" \
5717 "$P_SRV dhm_file=data_files/dh.999.pem" \
5718 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5719 debug_level=1 dhmlen=1000" \
5720 1 \
5721 -c "DHM prime too short:"
5722
5723run_test "DHM size: server 998, client 999, rejected" \
5724 "$P_SRV dhm_file=data_files/dh.998.pem" \
5725 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5726 debug_level=1 dhmlen=999" \
5727 1 \
5728 -c "DHM prime too short:"
5729
Manuel Pégourié-Gonnard7a010aa2015-06-12 11:19:10 +0200[diff] [blame]5730run_test "DHM size: server default, client 2049, rejected" \
5731 "$P_SRV" \
5732 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
5733 debug_level=1 dhmlen=2049" \
5734 1 \
5735 -c "DHM prime too short:"
5736
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5737# Tests for PSK callback
5738
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5739run_test "PSK callback: psk, no callback" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5740 "$P_SRV psk=abc123 psk_identity=foo" \
5741 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5742 psk_identity=foo psk=abc123" \
5743 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5744 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5745 -S "SSL - Unknown identity received" \
5746 -S "SSL - Verification of the message MAC failed"
5747
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5748requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5749run_test "PSK callback: opaque psk on client, no callback" \
5750 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
5751 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5752 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5753 0 \
5754 -c "skip PMS generation for opaque PSK"\
5755 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5756 -C "session hash for extended master secret"\
5757 -S "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5758 -S "SSL - None of the common ciphersuites is usable" \
5759 -S "SSL - Unknown identity received" \
5760 -S "SSL - Verification of the message MAC failed"
5761
5762requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5763run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
5764 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
5765 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5766 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5767 0 \
5768 -c "skip PMS generation for opaque PSK"\
5769 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5770 -C "session hash for extended master secret"\
5771 -S "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5772 -S "SSL - None of the common ciphersuites is usable" \
5773 -S "SSL - Unknown identity received" \
5774 -S "SSL - Verification of the message MAC failed"
5775
5776requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5777run_test "PSK callback: opaque psk on client, no callback, EMS" \
5778 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
5779 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5780 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5781 0 \
5782 -c "skip PMS generation for opaque PSK"\
5783 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5784 -c "session hash for extended master secret"\
5785 -s "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5786 -S "SSL - None of the common ciphersuites is usable" \
5787 -S "SSL - Unknown identity received" \
5788 -S "SSL - Verification of the message MAC failed"
5789
5790requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5791run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
5792 "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
5793 "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5794 psk_identity=foo psk=abc123 psk_opaque=1" \
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5795 0 \
5796 -c "skip PMS generation for opaque PSK"\
5797 -S "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5798 -c "session hash for extended master secret"\
5799 -s "session hash for extended master secret"\
Hanno Beckerf7027512018-10-23 15:27:39 +0100[diff] [blame]5800 -S "SSL - None of the common ciphersuites is usable" \
5801 -S "SSL - Unknown identity received" \
5802 -S "SSL - Verification of the message MAC failed"
5803
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5804requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5805run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5806 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5807 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5808 psk_identity=foo psk=abc123" \
5809 0 \
5810 -C "skip PMS generation for opaque PSK"\
5811 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5812 -C "session hash for extended master secret"\
5813 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5814 -S "SSL - None of the common ciphersuites is usable" \
5815 -S "SSL - Unknown identity received" \
5816 -S "SSL - Verification of the message MAC failed"
5817
5818requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5819run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5820 "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5821 "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5822 psk_identity=foo psk=abc123" \
5823 0 \
5824 -C "skip PMS generation for opaque PSK"\
5825 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5826 -C "session hash for extended master secret"\
5827 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5828 -S "SSL - None of the common ciphersuites is usable" \
5829 -S "SSL - Unknown identity received" \
5830 -S "SSL - Verification of the message MAC failed"
5831
5832requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5833run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5834 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5835 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
5836 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5837 psk_identity=foo psk=abc123 extended_ms=1" \
5838 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5839 -c "session hash for extended master secret"\
5840 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5841 -C "skip PMS generation for opaque PSK"\
5842 -s "skip PMS generation for opaque PSK"\
5843 -S "SSL - None of the common ciphersuites is usable" \
5844 -S "SSL - Unknown identity received" \
5845 -S "SSL - Verification of the message MAC failed"
5846
5847requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5848run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5849 "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5850 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
5851 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5852 psk_identity=foo psk=abc123 extended_ms=1" \
5853 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5854 -c "session hash for extended master secret"\
5855 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5856 -C "skip PMS generation for opaque PSK"\
5857 -s "skip PMS generation for opaque PSK"\
5858 -S "SSL - None of the common ciphersuites is usable" \
5859 -S "SSL - Unknown identity received" \
5860 -S "SSL - Verification of the message MAC failed"
5861
5862requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5863run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5864 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5865 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5866 psk_identity=def psk=beef" \
5867 0 \
5868 -C "skip PMS generation for opaque PSK"\
5869 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5870 -C "session hash for extended master secret"\
5871 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5872 -S "SSL - None of the common ciphersuites is usable" \
5873 -S "SSL - Unknown identity received" \
5874 -S "SSL - Verification of the message MAC failed"
5875
5876requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5877run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5878 "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5879 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5880 psk_identity=def psk=beef" \
5881 0 \
5882 -C "skip PMS generation for opaque PSK"\
5883 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5884 -C "session hash for extended master secret"\
5885 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5886 -S "SSL - None of the common ciphersuites is usable" \
5887 -S "SSL - Unknown identity received" \
5888 -S "SSL - Verification of the message MAC failed"
5889
5890requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5891run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5892 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5893 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
5894 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5895 psk_identity=abc psk=dead extended_ms=1" \
5896 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5897 -c "session hash for extended master secret"\
5898 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5899 -C "skip PMS generation for opaque PSK"\
5900 -s "skip PMS generation for opaque PSK"\
5901 -S "SSL - None of the common ciphersuites is usable" \
5902 -S "SSL - Unknown identity received" \
5903 -S "SSL - Verification of the message MAC failed"
5904
5905requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5906run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5907 "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5908 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
5909 "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
5910 psk_identity=abc psk=dead extended_ms=1" \
5911 0 \
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5912 -c "session hash for extended master secret"\
5913 -s "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5914 -C "skip PMS generation for opaque PSK"\
5915 -s "skip PMS generation for opaque PSK"\
5916 -S "SSL - None of the common ciphersuites is usable" \
5917 -S "SSL - Unknown identity received" \
5918 -S "SSL - Verification of the message MAC failed"
5919
5920requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5921run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5922 "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5923 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5924 psk_identity=def psk=beef" \
5925 0 \
5926 -C "skip PMS generation for opaque PSK"\
5927 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5928 -C "session hash for extended master secret"\
5929 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5930 -S "SSL - None of the common ciphersuites is usable" \
5931 -S "SSL - Unknown identity received" \
5932 -S "SSL - Verification of the message MAC failed"
5933
5934requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5935run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5936 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5937 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5938 psk_identity=def psk=beef" \
5939 0 \
5940 -C "skip PMS generation for opaque PSK"\
5941 -s "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5942 -C "session hash for extended master secret"\
5943 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5944 -S "SSL - None of the common ciphersuites is usable" \
5945 -S "SSL - Unknown identity received" \
5946 -S "SSL - Verification of the message MAC failed"
5947
5948requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5949run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5950 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5951 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5952 psk_identity=def psk=beef" \
5953 0 \
5954 -C "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5955 -C "session hash for extended master secret"\
5956 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5957 -S "SSL - None of the common ciphersuites is usable" \
5958 -S "SSL - Unknown identity received" \
5959 -S "SSL - Verification of the message MAC failed"
5960
5961requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5962run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5963 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5964 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5965 psk_identity=def psk=beef" \
5966 0 \
5967 -C "skip PMS generation for opaque PSK"\
Manuel Pégourié-Gonnard8faa70e2019-05-20 12:09:50 +0200[diff] [blame]5968 -C "session hash for extended master secret"\
5969 -S "session hash for extended master secret"\
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5970 -S "SSL - None of the common ciphersuites is usable" \
5971 -S "SSL - Unknown identity received" \
5972 -S "SSL - Verification of the message MAC failed"
5973
5974requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
5975run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
Hanno Becker1d911cd2018-11-15 13:06:09 +0000[diff] [blame]5976 "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
Hanno Becker28c79dc2018-10-26 13:15:08 +0100[diff] [blame]5977 "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5978 psk_identity=def psk=beef" \
5979 1 \
5980 -s "SSL - Verification of the message MAC failed"
5981
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5982run_test "PSK callback: no psk, no callback" \
Manuel Pégourié-Gonnard10c3c9f2014-06-10 15:28:52 +0200[diff] [blame]5983 "$P_SRV" \
5984 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5985 psk_identity=foo psk=abc123" \
5986 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5987 -s "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5988 -S "SSL - Unknown identity received" \
5989 -S "SSL - Verification of the message MAC failed"
5990
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]5991run_test "PSK callback: callback overrides other settings" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5992 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
5993 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
5994 psk_identity=foo psk=abc123" \
5995 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]5996 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]5997 -s "SSL - Unknown identity received" \
5998 -S "SSL - Verification of the message MAC failed"
5999
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6000run_test "PSK callback: first id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6001 "$P_SRV psk_list=abc,dead,def,beef" \
6002 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6003 psk_identity=abc psk=dead" \
6004 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6005 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6006 -S "SSL - Unknown identity received" \
6007 -S "SSL - Verification of the message MAC failed"
6008
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6009run_test "PSK callback: second id matches" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6010 "$P_SRV psk_list=abc,dead,def,beef" \
6011 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6012 psk_identity=def psk=beef" \
6013 0 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6014 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6015 -S "SSL - Unknown identity received" \
6016 -S "SSL - Verification of the message MAC failed"
6017
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6018run_test "PSK callback: no match" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6019 "$P_SRV psk_list=abc,dead,def,beef" \
6020 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6021 psk_identity=ghi psk=beef" \
6022 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6023 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6024 -s "SSL - Unknown identity received" \
6025 -S "SSL - Verification of the message MAC failed"
6026
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6027run_test "PSK callback: wrong key" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6028 "$P_SRV psk_list=abc,dead,def,beef" \
6029 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
6030 psk_identity=abc psk=beef" \
6031 1 \
Manuel Pégourié-Gonnardf01768c2015-01-08 17:06:16 +0100[diff] [blame]6032 -S "SSL - None of the common ciphersuites is usable" \
Manuel Pégourié-Gonnarda6781c92014-06-10 15:00:46 +0200[diff] [blame]6033 -S "SSL - Unknown identity received" \
6034 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnard0cc7e312014-06-09 11:36:47 +0200[diff] [blame]6035
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6036# Tests for EC J-PAKE
6037
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6038requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6039run_test "ECJPAKE: client not configured" \
6040 "$P_SRV debug_level=3" \
6041 "$P_CLI debug_level=3" \
6042 0 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6043 -C "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6044 -C "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6045 -S "found ecjpake kkpp extension" \
6046 -S "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6047 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6048 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6049 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6050 -S "None of the common ciphersuites is usable"
6051
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6052requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6053run_test "ECJPAKE: server not configured" \
6054 "$P_SRV debug_level=3" \
6055 "$P_CLI debug_level=3 ecjpake_pw=bla \
6056 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6057 1 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6058 -c "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6059 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6060 -s "found ecjpake kkpp extension" \
6061 -s "skip ecjpake kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6062 -s "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6063 -S "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6064 -C "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnarde511b4e2015-09-16 14:11:09 +0200[diff] [blame]6065 -s "None of the common ciphersuites is usable"
6066
Hanno Beckerfa452c42020-08-14 15:42:49 +0100[diff] [blame]6067requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6068run_test "ECJPAKE: working, TLS" \
6069 "$P_SRV debug_level=3 ecjpake_pw=bla" \
6070 "$P_CLI debug_level=3 ecjpake_pw=bla \
6071 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
Manuel Pégourié-Gonnard0f1660a2015-09-16 22:41:06 +0200[diff] [blame]6072 0 \
Hanno Beckeree63af62020-08-14 15:41:23 +0100[diff] [blame]6073 -c "add ciphersuite: 0xc0ff" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6074 -c "adding ecjpake_kkpp extension" \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6075 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6076 -s "found ecjpake kkpp extension" \
6077 -S "skip ecjpake kkpp extension" \
6078 -S "ciphersuite mismatch: ecjpake not configured" \
Manuel Pégourié-Gonnard55c7f992015-09-16 15:35:27 +0200[diff] [blame]6079 -s "server hello, ecjpake kkpp extension" \
Manuel Pégourié-Gonnard0a1324a2015-09-16 16:01:00 +0200[diff] [blame]6080 -c "found ecjpake_kkpp extension" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6081 -S "None of the common ciphersuites is usable" \
6082 -S "SSL - Verification of the message MAC failed"
6083
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]6084server_needs_more_time 1
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6085requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6086run_test "ECJPAKE: password mismatch, TLS" \
6087 "$P_SRV debug_level=3 ecjpake_pw=bla" \
6088 "$P_CLI debug_level=3 ecjpake_pw=bad \
6089 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6090 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6091 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6092 -s "SSL - Verification of the message MAC failed"
6093
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6094requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6095run_test "ECJPAKE: working, DTLS" \
6096 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
6097 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
6098 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6099 0 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6100 -c "re-using cached ecjpake parameters" \
6101 -S "SSL - Verification of the message MAC failed"
6102
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6103requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6104run_test "ECJPAKE: working, DTLS, no cookie" \
6105 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
6106 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
6107 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6108 0 \
6109 -C "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6110 -S "SSL - Verification of the message MAC failed"
6111
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]6112server_needs_more_time 1
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6113requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6114run_test "ECJPAKE: password mismatch, DTLS" \
6115 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
6116 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
6117 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6118 1 \
Manuel Pégourié-Gonnardd0d8cb32015-09-17 14:16:30 +0200[diff] [blame]6119 -c "re-using cached ecjpake parameters" \
Manuel Pégourié-Gonnard921f2d02015-09-16 22:52:18 +0200[diff] [blame]6120 -s "SSL - Verification of the message MAC failed"
Manuel Pégourié-Gonnardbf57be62015-09-16 15:04:01 +0200[diff] [blame]6121
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]6122# for tests with configs/config-thread.h
Dave Rodgman7ed75e22021-06-29 19:05:34 +0100[diff] [blame]6123requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
Manuel Pégourié-Gonnardca700b22015-10-20 14:47:00 +0200[diff] [blame]6124run_test "ECJPAKE: working, DTLS, nolog" \
6125 "$P_SRV dtls=1 ecjpake_pw=bla" \
6126 "$P_CLI dtls=1 ecjpake_pw=bla \
6127 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
6128 0
6129
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6130# Tests for ciphersuites per version
6131
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6132requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6133requires_config_enabled MBEDTLS_CAMELLIA_C
6134requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6135run_test "Per-version suites: SSL3" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6136 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6137 "$P_CLI force_version=ssl3" \
6138 0 \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6139 -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6140
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6141requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
6142requires_config_enabled MBEDTLS_CAMELLIA_C
6143requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6144run_test "Per-version suites: TLS 1.0" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6145 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnardbd47a582015-01-12 13:43:29 +0100[diff] [blame]6146 "$P_CLI force_version=tls1 arc4=1" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6147 0 \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6148 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6149
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6150requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
6151requires_config_enabled MBEDTLS_CAMELLIA_C
6152requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6153run_test "Per-version suites: TLS 1.1" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6154 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6155 "$P_CLI force_version=tls1_1" \
6156 0 \
6157 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
6158
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6159requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
6160requires_config_enabled MBEDTLS_CAMELLIA_C
6161requires_config_enabled MBEDTLS_AES_C
Manuel Pégourié-Gonnard8e03c712014-08-30 21:42:40 +0200[diff] [blame]6162run_test "Per-version suites: TLS 1.2" \
Manuel Pégourié-Gonnardaa946b22019-03-01 10:14:58 +0100[diff] [blame]6163 "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6164 "$P_CLI force_version=tls1_2" \
6165 0 \
6166 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
6167
Manuel Pégourié-Gonnard4cc8c632015-07-23 12:24:03 +0200[diff] [blame]6168# Test for ClientHello without extensions
6169
Manuel Pégourié-Gonnardd55bc202015-08-04 16:22:30 +0200[diff] [blame]6170requires_gnutls
Manuel Pégourié-Gonnardbc4da292020-01-30 12:45:14 +0100[diff] [blame]6171run_test "ClientHello without extensions" \
Manuel Pégourié-Gonnard77cbeff2020-01-30 10:58:57 +0100[diff] [blame]6172 "$P_SRV debug_level=3" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]6173 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
Gilles Peskine5d2511c2017-05-12 13:16:40 +0200[diff] [blame]6174 0 \
6175 -s "dumping 'client hello extensions' (0 bytes)"
6176
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6177# Tests for mbedtls_ssl_get_bytes_avail()
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6179run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6180 "$P_SRV" \
6181 "$P_CLI request_size=100" \
6182 0 \
6183 -s "Read from client: 100 bytes read$"
6184
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]6185run_test "mbedtls_ssl_get_bytes_avail: extra data" \
Manuel Pégourié-Gonnard95c0a632014-06-11 18:32:36 +0200[diff] [blame]6186 "$P_SRV" \
6187 "$P_CLI request_size=500" \
6188 0 \
6189 -s "Read from client: 500 bytes read (.*+.*)"
Manuel Pégourié-Gonnard90805a82014-06-11 14:06:01 +0200[diff] [blame]6190
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6191# Tests for small client packets
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6192
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6193requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6194run_test "Small client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]6195 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6196 "$P_CLI request_size=1 force_version=ssl3 \
6197 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6198 0 \
6199 -s "Read from client: 1 bytes read"
6200
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6201requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6202run_test "Small client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6203 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6204 "$P_CLI request_size=1 force_version=ssl3 \
6205 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6206 0 \
6207 -s "Read from client: 1 bytes read"
6208
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6209run_test "Small client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6210 "$P_SRV" \
6211 "$P_CLI request_size=1 force_version=tls1 \
6212 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6213 0 \
6214 -s "Read from client: 1 bytes read"
6215
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6216run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6217 "$P_SRV" \
6218 "$P_CLI request_size=1 force_version=tls1 etm=0 \
6219 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6220 0 \
6221 -s "Read from client: 1 bytes read"
6222
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6223requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6224run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6225 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6226 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6227 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6228 0 \
6229 -s "Read from client: 1 bytes read"
6230
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6231requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6232run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6233 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6234 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6235 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6236 0 \
6237 -s "Read from client: 1 bytes read"
6238
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6239run_test "Small client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6240 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6241 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6242 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6243 0 \
6244 -s "Read from client: 1 bytes read"
6245
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6246run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6247 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6248 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6249 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6250 0 \
6251 -s "Read from client: 1 bytes read"
6252
6253requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6254run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6255 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6256 "$P_CLI request_size=1 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6257 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6258 0 \
6259 -s "Read from client: 1 bytes read"
6260
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6261requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6262run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6263 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6264 "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6265 trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6266 0 \
6267 -s "Read from client: 1 bytes read"
6268
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6269run_test "Small client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6270 "$P_SRV" \
6271 "$P_CLI request_size=1 force_version=tls1_1 \
6272 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6273 0 \
6274 -s "Read from client: 1 bytes read"
6275
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6276run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6277 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6278 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6279 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6280 0 \
6281 -s "Read from client: 1 bytes read"
6282
6283requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6284run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6285 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6286 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6287 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6288 0 \
6289 -s "Read from client: 1 bytes read"
6290
6291requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6292run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6293 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6294 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6295 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6296 0 \
6297 -s "Read from client: 1 bytes read"
6298
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6299run_test "Small client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6300 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6301 "$P_CLI request_size=1 force_version=tls1_1 \
6302 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6303 0 \
6304 -s "Read from client: 1 bytes read"
6305
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6306run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6307 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6308 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6309 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6310 0 \
6311 -s "Read from client: 1 bytes read"
6312
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6313requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6314run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6315 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6316 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6317 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6318 0 \
6319 -s "Read from client: 1 bytes read"
6320
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6321requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6322run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6323 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6324 "$P_CLI request_size=1 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6325 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6326 0 \
6327 -s "Read from client: 1 bytes read"
6328
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6329run_test "Small client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6330 "$P_SRV" \
6331 "$P_CLI request_size=1 force_version=tls1_2 \
6332 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6333 0 \
6334 -s "Read from client: 1 bytes read"
6335
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6336run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6337 "$P_SRV" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6338 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6339 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
Manuel Pégourié-Gonnard169dd6a2014-11-04 16:15:39 +0100[diff] [blame]6340 0 \
6341 -s "Read from client: 1 bytes read"
6342
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6343run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6344 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6345 "$P_CLI request_size=1 force_version=tls1_2 \
6346 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6347 0 \
6348 -s "Read from client: 1 bytes read"
6349
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6350requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6351run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6352 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6353 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6354 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6355 0 \
6356 -s "Read from client: 1 bytes read"
6357
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6358requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6359run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6360 "$P_SRV trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6361 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6362 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6363 0 \
6364 -s "Read from client: 1 bytes read"
6365
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6366run_test "Small client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6367 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6368 "$P_CLI request_size=1 force_version=tls1_2 \
6369 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6370 0 \
6371 -s "Read from client: 1 bytes read"
6372
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6373run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6374 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6375 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6376 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6377 0 \
6378 -s "Read from client: 1 bytes read"
6379
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6380requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6381run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6382 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6383 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6384 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6385 0 \
6386 -s "Read from client: 1 bytes read"
6387
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6388requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6389run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6390 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker8501f982017-11-10 08:59:04 +0000[diff] [blame]6391 "$P_CLI request_size=1 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6392 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6393 0 \
6394 -s "Read from client: 1 bytes read"
6395
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6396run_test "Small client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6397 "$P_SRV" \
6398 "$P_CLI request_size=1 force_version=tls1_2 \
6399 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6400 0 \
6401 -s "Read from client: 1 bytes read"
6402
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6403run_test "Small client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnardee415032014-06-18 15:08:56 +0200[diff] [blame]6404 "$P_SRV" \
6405 "$P_CLI request_size=1 force_version=tls1_2 \
6406 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6407 0 \
6408 -s "Read from client: 1 bytes read"
6409
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6410# Tests for small client packets in DTLS
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6411
6412requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6413run_test "Small client packet DTLS 1.0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6414 "$P_SRV dtls=1 force_version=dtls1" \
6415 "$P_CLI dtls=1 request_size=1 \
6416 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6417 0 \
6418 -s "Read from client: 1 bytes read"
6419
6420requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6421run_test "Small client packet DTLS 1.0, without EtM" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6422 "$P_SRV dtls=1 force_version=dtls1 etm=0" \
6423 "$P_CLI dtls=1 request_size=1 \
6424 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6425 0 \
6426 -s "Read from client: 1 bytes read"
6427
6428requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6429requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6430run_test "Small client packet DTLS 1.0, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6431 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
6432 "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6433 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6434 0 \
6435 -s "Read from client: 1 bytes read"
6436
6437requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6438requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6439run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6440 "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6441 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6442 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6443 0 \
6444 -s "Read from client: 1 bytes read"
6445
6446requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6447run_test "Small client packet DTLS 1.2" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6448 "$P_SRV dtls=1 force_version=dtls1_2" \
6449 "$P_CLI dtls=1 request_size=1 \
6450 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6451 0 \
6452 -s "Read from client: 1 bytes read"
6453
6454requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6455run_test "Small client packet DTLS 1.2, without EtM" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6456 "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6457 "$P_CLI dtls=1 request_size=1 \
6458 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6459 0 \
6460 -s "Read from client: 1 bytes read"
6461
6462requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6463requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6464run_test "Small client packet DTLS 1.2, truncated hmac" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6465 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6466 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6467 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6468 0 \
6469 -s "Read from client: 1 bytes read"
6470
6471requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6472requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6473run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6474 "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6475 "$P_CLI dtls=1 request_size=1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6476 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
Hanno Beckere2148042017-11-10 08:59:18 +0000[diff] [blame]6477 0 \
6478 -s "Read from client: 1 bytes read"
6479
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]6480# Tests for small server packets
6481
6482requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6483run_test "Small server packet SSLv3 BlockCipher" \
6484 "$P_SRV response_size=1 min_version=ssl3" \
6485 "$P_CLI force_version=ssl3 \
6486 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6487 0 \
6488 -c "Read from server: 1 bytes read"
6489
6490requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
6491run_test "Small server packet SSLv3 StreamCipher" \
6492 "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6493 "$P_CLI force_version=ssl3 \
6494 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6495 0 \
6496 -c "Read from server: 1 bytes read"
6497
6498run_test "Small server packet TLS 1.0 BlockCipher" \
6499 "$P_SRV response_size=1" \
6500 "$P_CLI force_version=tls1 \
6501 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6502 0 \
6503 -c "Read from server: 1 bytes read"
6504
6505run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
6506 "$P_SRV response_size=1" \
6507 "$P_CLI force_version=tls1 etm=0 \
6508 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6509 0 \
6510 -c "Read from server: 1 bytes read"
6511
6512requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6513run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
6514 "$P_SRV response_size=1 trunc_hmac=1" \
6515 "$P_CLI force_version=tls1 \
6516 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6517 0 \
6518 -c "Read from server: 1 bytes read"
6519
6520requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6521run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
6522 "$P_SRV response_size=1 trunc_hmac=1" \
6523 "$P_CLI force_version=tls1 \
6524 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6525 0 \
6526 -c "Read from server: 1 bytes read"
6527
6528run_test "Small server packet TLS 1.0 StreamCipher" \
6529 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6530 "$P_CLI force_version=tls1 \
6531 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6532 0 \
6533 -c "Read from server: 1 bytes read"
6534
6535run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
6536 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6537 "$P_CLI force_version=tls1 \
6538 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6539 0 \
6540 -c "Read from server: 1 bytes read"
6541
6542requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6543run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
6544 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6545 "$P_CLI force_version=tls1 \
6546 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6547 0 \
6548 -c "Read from server: 1 bytes read"
6549
6550requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6551run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
6552 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6553 "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
6554 trunc_hmac=1 etm=0" \
6555 0 \
6556 -c "Read from server: 1 bytes read"
6557
6558run_test "Small server packet TLS 1.1 BlockCipher" \
6559 "$P_SRV response_size=1" \
6560 "$P_CLI force_version=tls1_1 \
6561 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6562 0 \
6563 -c "Read from server: 1 bytes read"
6564
6565run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
6566 "$P_SRV response_size=1" \
6567 "$P_CLI force_version=tls1_1 \
6568 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6569 0 \
6570 -c "Read from server: 1 bytes read"
6571
6572requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6573run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
6574 "$P_SRV response_size=1 trunc_hmac=1" \
6575 "$P_CLI force_version=tls1_1 \
6576 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6577 0 \
6578 -c "Read from server: 1 bytes read"
6579
6580requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6581run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
6582 "$P_SRV response_size=1 trunc_hmac=1" \
6583 "$P_CLI force_version=tls1_1 \
6584 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6585 0 \
6586 -c "Read from server: 1 bytes read"
6587
6588run_test "Small server packet TLS 1.1 StreamCipher" \
6589 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6590 "$P_CLI force_version=tls1_1 \
6591 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6592 0 \
6593 -c "Read from server: 1 bytes read"
6594
6595run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
6596 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6597 "$P_CLI force_version=tls1_1 \
6598 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6599 0 \
6600 -c "Read from server: 1 bytes read"
6601
6602requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6603run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
6604 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6605 "$P_CLI force_version=tls1_1 \
6606 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6607 0 \
6608 -c "Read from server: 1 bytes read"
6609
6610requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6611run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
6612 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6613 "$P_CLI force_version=tls1_1 \
6614 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6615 0 \
6616 -c "Read from server: 1 bytes read"
6617
6618run_test "Small server packet TLS 1.2 BlockCipher" \
6619 "$P_SRV response_size=1" \
6620 "$P_CLI force_version=tls1_2 \
6621 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6622 0 \
6623 -c "Read from server: 1 bytes read"
6624
6625run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
6626 "$P_SRV response_size=1" \
6627 "$P_CLI force_version=tls1_2 \
6628 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
6629 0 \
6630 -c "Read from server: 1 bytes read"
6631
6632run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
6633 "$P_SRV response_size=1" \
6634 "$P_CLI force_version=tls1_2 \
6635 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
6636 0 \
6637 -c "Read from server: 1 bytes read"
6638
6639requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6640run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
6641 "$P_SRV response_size=1 trunc_hmac=1" \
6642 "$P_CLI force_version=tls1_2 \
6643 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6644 0 \
6645 -c "Read from server: 1 bytes read"
6646
6647requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6648run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
6649 "$P_SRV response_size=1 trunc_hmac=1" \
6650 "$P_CLI force_version=tls1_2 \
6651 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
6652 0 \
6653 -c "Read from server: 1 bytes read"
6654
6655run_test "Small server packet TLS 1.2 StreamCipher" \
6656 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6657 "$P_CLI force_version=tls1_2 \
6658 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6659 0 \
6660 -c "Read from server: 1 bytes read"
6661
6662run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
6663 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6664 "$P_CLI force_version=tls1_2 \
6665 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6666 0 \
6667 -c "Read from server: 1 bytes read"
6668
6669requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6670run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
6671 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6672 "$P_CLI force_version=tls1_2 \
6673 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6674 0 \
6675 -c "Read from server: 1 bytes read"
6676
6677requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6678run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
6679 "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
6680 "$P_CLI force_version=tls1_2 \
6681 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
6682 0 \
6683 -c "Read from server: 1 bytes read"
6684
6685run_test "Small server packet TLS 1.2 AEAD" \
6686 "$P_SRV response_size=1" \
6687 "$P_CLI force_version=tls1_2 \
6688 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
6689 0 \
6690 -c "Read from server: 1 bytes read"
6691
6692run_test "Small server packet TLS 1.2 AEAD shorter tag" \
6693 "$P_SRV response_size=1" \
6694 "$P_CLI force_version=tls1_2 \
6695 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
6696 0 \
6697 -c "Read from server: 1 bytes read"
6698
6699# Tests for small server packets in DTLS
6700
6701requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6702run_test "Small server packet DTLS 1.0" \
6703 "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
6704 "$P_CLI dtls=1 \
6705 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6706 0 \
6707 -c "Read from server: 1 bytes read"
6708
6709requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6710run_test "Small server packet DTLS 1.0, without EtM" \
6711 "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
6712 "$P_CLI dtls=1 \
6713 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6714 0 \
6715 -c "Read from server: 1 bytes read"
6716
6717requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6718requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6719run_test "Small server packet DTLS 1.0, truncated hmac" \
6720 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
6721 "$P_CLI dtls=1 trunc_hmac=1 \
6722 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6723 0 \
6724 -c "Read from server: 1 bytes read"
6725
6726requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6727requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6728run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
6729 "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
6730 "$P_CLI dtls=1 \
6731 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6732 0 \
6733 -c "Read from server: 1 bytes read"
6734
6735requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6736run_test "Small server packet DTLS 1.2" \
6737 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
6738 "$P_CLI dtls=1 \
6739 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6740 0 \
6741 -c "Read from server: 1 bytes read"
6742
6743requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6744run_test "Small server packet DTLS 1.2, without EtM" \
6745 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
6746 "$P_CLI dtls=1 \
6747 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6748 0 \
6749 -c "Read from server: 1 bytes read"
6750
6751requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6752requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6753run_test "Small server packet DTLS 1.2, truncated hmac" \
6754 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
6755 "$P_CLI dtls=1 \
6756 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
6757 0 \
6758 -c "Read from server: 1 bytes read"
6759
6760requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
6761requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
6762run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
6763 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
6764 "$P_CLI dtls=1 \
6765 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
6766 0 \
6767 -c "Read from server: 1 bytes read"
6768
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6769# A test for extensions in SSLv3
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6770requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]6771requires_max_content_len 4096
Janos Follath00efff72016-05-06 13:48:23 +0100[diff] [blame]6772run_test "SSLv3 with extensions, server side" \
6773 "$P_SRV min_version=ssl3 debug_level=3" \
6774 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
6775 0 \
6776 -S "dumping 'client hello extensions'" \
6777 -S "server hello, total extension length:"
6778
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6779# Test for large client packets
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6780
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6781# How many fragments do we expect to write $1 bytes?
6782fragments_for_write() {
6783 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
6784}
6785
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6786requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6787run_test "Large client packet SSLv3 BlockCipher" \
Manuel Pégourié-Gonnard448ea502015-01-12 11:40:14 +0100[diff] [blame]6788 "$P_SRV min_version=ssl3" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6789 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6790 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6791 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6792 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6793 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6794
Janos Follathe2681a42016-03-07 15:57:05 +0000[diff] [blame]6795requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6796run_test "Large client packet SSLv3 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6797 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6798 "$P_CLI request_size=16384 force_version=ssl3 \
6799 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6800 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6801 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6802 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6803
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6804run_test "Large client packet TLS 1.0 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6805 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6806 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6807 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6808 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6809 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6810 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6811
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6812run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6813 "$P_SRV" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6814 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
6815 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6816 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6817 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6818
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6819requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6820run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6821 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6822 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6823 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6824 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6825 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6826 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6827
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6828requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6829run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6830 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6831 "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6832 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6833 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6834 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6835
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6836run_test "Large client packet TLS 1.0 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6837 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6838 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6839 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6840 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6841 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6842
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6843run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6844 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6845 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6846 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6847 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6848 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6849
6850requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6851run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6852 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6853 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6854 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6855 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6856 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6857
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6858requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6859run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6860 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6861 "$P_CLI request_size=16384 force_version=tls1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6862 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6863 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6864 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6865 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6866
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6867run_test "Large client packet TLS 1.1 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6868 "$P_SRV" \
6869 "$P_CLI request_size=16384 force_version=tls1_1 \
6870 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6871 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6872 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6873 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6874
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6875run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6876 "$P_SRV" \
6877 "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
6878 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6879 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6880 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6881
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6882requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6883run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6884 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6885 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6886 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6887 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6888 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6889
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6890requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6891run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6892 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6893 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6894 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6895 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6896 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6897
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6898run_test "Large client packet TLS 1.1 StreamCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6899 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6900 "$P_CLI request_size=16384 force_version=tls1_1 \
6901 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6902 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6903 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6904 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6905
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6906run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6907 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6908 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6909 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6910 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6911 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6912 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6913
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6914requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6915run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6916 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6917 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6918 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6919 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6920 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6921
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6922requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6923run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6924 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6925 "$P_CLI request_size=16384 force_version=tls1_1 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6926 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6927 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6928 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6929 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6930
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6931run_test "Large client packet TLS 1.2 BlockCipher" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6932 "$P_SRV" \
6933 "$P_CLI request_size=16384 force_version=tls1_2 \
6934 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6935 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6936 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6937 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6938
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6939run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6940 "$P_SRV" \
6941 "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \
6942 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
6943 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6944 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6945
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6946run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6947 "$P_SRV" \
Manuel Pégourié-Gonnardc82ee352015-01-07 16:35:25 +0100[diff] [blame]6948 "$P_CLI request_size=16384 force_version=tls1_2 \
6949 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6950 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6951 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6952 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6953
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6954requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6955run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6956 "$P_SRV trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6957 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6958 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6959 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6960 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6961
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6962requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6963run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6964 "$P_SRV trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6965 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6966 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6967 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6968 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6969 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6970
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6971run_test "Large client packet TLS 1.2 StreamCipher" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6972 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6973 "$P_CLI request_size=16384 force_version=tls1_2 \
6974 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
6975 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6976 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
6977 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6978
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6979run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \
Manuel Pégourié-Gonnardea0920f2015-03-24 09:50:15 +0100[diff] [blame]6980 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6981 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6982 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
6983 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6984 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6985
Hanno Becker32c55012017-11-10 08:42:54 +0000[diff] [blame]6986requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6987run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6988 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6989 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6990 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6991 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]6992 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6993
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6994requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]6995run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6996 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
Hanno Becker278fc7a2017-11-10 09:16:28 +0000[diff] [blame]6997 "$P_CLI request_size=16384 force_version=tls1_2 \
Hanno Becker909f9a32017-11-21 17:10:12 +0000[diff] [blame]6998 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]6999 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7000 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7001 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7002
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7003run_test "Large client packet TLS 1.2 AEAD" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7004 "$P_SRV" \
7005 "$P_CLI request_size=16384 force_version=tls1_2 \
7006 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
7007 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7008 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7009 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7010
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7011run_test "Large client packet TLS 1.2 AEAD shorter tag" \
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7012 "$P_SRV" \
7013 "$P_CLI request_size=16384 force_version=tls1_2 \
7014 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
7015 0 \
Angus Grattonc4dd0732018-04-11 16:28:39 +1000[diff] [blame]7016 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
7017 -s "Read from client: $MAX_CONTENT_LEN bytes read"
Manuel Pégourié-Gonnard8920f692014-06-18 22:05:08 +0200[diff] [blame]7018
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7019# Test for large server packets
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]7020# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7021requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
7022run_test "Large server packet SSLv3 StreamCipher" \
7023 "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7024 "$P_CLI force_version=ssl3 \
7025 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7026 0 \
7027 -c "Read from server: 16384 bytes read"
7028
Andrzej Kurek6a4f2242018-08-27 08:00:13 -0400[diff] [blame]7029# Checking next 4 tests logs for 1n-1 split against BEAST too
7030requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
7031run_test "Large server packet SSLv3 BlockCipher" \
7032 "$P_SRV response_size=16384 min_version=ssl3" \
7033 "$P_CLI force_version=ssl3 recsplit=0 \
7034 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7035 0 \
7036 -c "Read from server: 1 bytes read"\
7037 -c "16383 bytes read"\
7038 -C "Read from server: 16384 bytes read"
7039
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7040run_test "Large server packet TLS 1.0 BlockCipher" \
7041 "$P_SRV response_size=16384" \
7042 "$P_CLI force_version=tls1 recsplit=0 \
7043 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7044 0 \
7045 -c "Read from server: 1 bytes read"\
7046 -c "16383 bytes read"\
7047 -C "Read from server: 16384 bytes read"
7048
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7049run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
7050 "$P_SRV response_size=16384" \
7051 "$P_CLI force_version=tls1 etm=0 recsplit=0 \
7052 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7053 0 \
7054 -c "Read from server: 1 bytes read"\
7055 -c "16383 bytes read"\
7056 -C "Read from server: 16384 bytes read"
7057
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7058requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7059run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
7060 "$P_SRV response_size=16384" \
7061 "$P_CLI force_version=tls1 recsplit=0 \
7062 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7063 trunc_hmac=1" \
7064 0 \
7065 -c "Read from server: 1 bytes read"\
7066 -c "16383 bytes read"\
7067 -C "Read from server: 16384 bytes read"
7068
7069requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7070run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \
7071 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7072 "$P_CLI force_version=tls1 \
7073 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7074 trunc_hmac=1" \
7075 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7076 -s "16384 bytes written in 1 fragments" \
7077 -c "Read from server: 16384 bytes read"
7078
7079run_test "Large server packet TLS 1.0 StreamCipher" \
7080 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7081 "$P_CLI force_version=tls1 \
7082 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7083 0 \
7084 -s "16384 bytes written in 1 fragments" \
7085 -c "Read from server: 16384 bytes read"
7086
7087run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \
7088 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7089 "$P_CLI force_version=tls1 \
7090 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7091 0 \
7092 -s "16384 bytes written in 1 fragments" \
7093 -c "Read from server: 16384 bytes read"
7094
7095requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7096run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \
7097 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7098 "$P_CLI force_version=tls1 \
7099 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7100 0 \
7101 -s "16384 bytes written in 1 fragments" \
7102 -c "Read from server: 16384 bytes read"
7103
7104requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7105run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
7106 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7107 "$P_CLI force_version=tls1 \
7108 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7109 0 \
7110 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7111 -c "Read from server: 16384 bytes read"
7112
7113run_test "Large server packet TLS 1.1 BlockCipher" \
7114 "$P_SRV response_size=16384" \
7115 "$P_CLI force_version=tls1_1 \
7116 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7117 0 \
7118 -c "Read from server: 16384 bytes read"
7119
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7120run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
7121 "$P_SRV response_size=16384" \
7122 "$P_CLI force_version=tls1_1 etm=0 \
7123 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7124 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7125 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7126 -c "Read from server: 16384 bytes read"
7127
7128requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7129run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
7130 "$P_SRV response_size=16384" \
7131 "$P_CLI force_version=tls1_1 \
7132 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7133 trunc_hmac=1" \
7134 0 \
7135 -c "Read from server: 16384 bytes read"
7136
7137requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7138run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
7139 "$P_SRV response_size=16384 trunc_hmac=1" \
7140 "$P_CLI force_version=tls1_1 \
7141 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
7142 0 \
7143 -s "16384 bytes written in 1 fragments" \
7144 -c "Read from server: 16384 bytes read"
7145
7146run_test "Large server packet TLS 1.1 StreamCipher" \
7147 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7148 "$P_CLI force_version=tls1_1 \
7149 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7150 0 \
7151 -c "Read from server: 16384 bytes read"
7152
7153run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \
7154 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7155 "$P_CLI force_version=tls1_1 \
7156 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7157 0 \
7158 -s "16384 bytes written in 1 fragments" \
7159 -c "Read from server: 16384 bytes read"
7160
7161requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7162run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \
7163 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7164 "$P_CLI force_version=tls1_1 \
7165 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7166 trunc_hmac=1" \
7167 0 \
7168 -c "Read from server: 16384 bytes read"
7169
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7170run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
7171 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7172 "$P_CLI force_version=tls1_1 \
7173 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7174 0 \
7175 -s "16384 bytes written in 1 fragments" \
7176 -c "Read from server: 16384 bytes read"
7177
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7178run_test "Large server packet TLS 1.2 BlockCipher" \
7179 "$P_SRV response_size=16384" \
7180 "$P_CLI force_version=tls1_2 \
7181 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7182 0 \
7183 -c "Read from server: 16384 bytes read"
7184
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7185run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
7186 "$P_SRV response_size=16384" \
7187 "$P_CLI force_version=tls1_2 etm=0 \
7188 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
7189 0 \
7190 -s "16384 bytes written in 1 fragments" \
7191 -c "Read from server: 16384 bytes read"
7192
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7193run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
7194 "$P_SRV response_size=16384" \
7195 "$P_CLI force_version=tls1_2 \
7196 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
7197 0 \
7198 -c "Read from server: 16384 bytes read"
7199
7200requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7201run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
7202 "$P_SRV response_size=16384" \
7203 "$P_CLI force_version=tls1_2 \
7204 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
7205 trunc_hmac=1" \
7206 0 \
7207 -c "Read from server: 16384 bytes read"
7208
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7209run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
7210 "$P_SRV response_size=16384 trunc_hmac=1" \
7211 "$P_CLI force_version=tls1_2 \
7212 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
7213 0 \
7214 -s "16384 bytes written in 1 fragments" \
7215 -c "Read from server: 16384 bytes read"
7216
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7217run_test "Large server packet TLS 1.2 StreamCipher" \
7218 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7219 "$P_CLI force_version=tls1_2 \
7220 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7221 0 \
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7222 -s "16384 bytes written in 1 fragments" \
7223 -c "Read from server: 16384 bytes read"
7224
7225run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \
7226 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7227 "$P_CLI force_version=tls1_2 \
7228 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
7229 0 \
7230 -s "16384 bytes written in 1 fragments" \
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7231 -c "Read from server: 16384 bytes read"
7232
7233requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7234run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \
7235 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
7236 "$P_CLI force_version=tls1_2 \
7237 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
7238 trunc_hmac=1" \
7239 0 \
7240 -c "Read from server: 16384 bytes read"
7241
Andrzej Kurekc19fc552018-06-19 09:37:30 -0400[diff] [blame]7242requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
7243run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
7244 "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
7245 "$P_CLI force_version=tls1_2 \
7246 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
7247 0 \
7248 -s "16384 bytes written in 1 fragments" \
7249 -c "Read from server: 16384 bytes read"
7250
Andrzej Kurek30e731d2017-10-12 13:50:29 +0200[diff] [blame]7251run_test "Large server packet TLS 1.2 AEAD" \
7252 "$P_SRV response_size=16384" \
7253 "$P_CLI force_version=tls1_2 \
7254 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
7255 0 \
7256 -c "Read from server: 16384 bytes read"
7257
7258run_test "Large server packet TLS 1.2 AEAD shorter tag" \
7259 "$P_SRV response_size=16384" \
7260 "$P_CLI force_version=tls1_2 \
7261 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
7262 0 \
7263 -c "Read from server: 16384 bytes read"
7264
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7265# Tests for restartable ECC
7266
7267requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7268run_test "EC restart: TLS, default" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7269 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7270 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7271 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7272 debug_level=1" \
7273 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7274 -C "x509_verify_cert.*4b00" \
7275 -C "mbedtls_pk_verify.*4b00" \
7276 -C "mbedtls_ecdh_make_public.*4b00" \
7277 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7278
7279requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7280run_test "EC restart: TLS, max_ops=0" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7281 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7282 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7283 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7284 debug_level=1 ec_max_ops=0" \
7285 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7286 -C "x509_verify_cert.*4b00" \
7287 -C "mbedtls_pk_verify.*4b00" \
7288 -C "mbedtls_ecdh_make_public.*4b00" \
7289 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7290
7291requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7292run_test "EC restart: TLS, max_ops=65535" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7293 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7294 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7295 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7296 debug_level=1 ec_max_ops=65535" \
7297 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7298 -C "x509_verify_cert.*4b00" \
7299 -C "mbedtls_pk_verify.*4b00" \
7300 -C "mbedtls_ecdh_make_public.*4b00" \
7301 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7302
7303requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7304run_test "EC restart: TLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7305 "$P_SRV auth_mode=required" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7306 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7307 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7308 debug_level=1 ec_max_ops=1000" \
7309 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7310 -c "x509_verify_cert.*4b00" \
7311 -c "mbedtls_pk_verify.*4b00" \
7312 -c "mbedtls_ecdh_make_public.*4b00" \
7313 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7314
7315requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7316run_test "EC restart: TLS, max_ops=1000, badsign" \
7317 "$P_SRV auth_mode=required \
7318 crt_file=data_files/server5-badsign.crt \
7319 key_file=data_files/server5.key" \
7320 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7321 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7322 debug_level=1 ec_max_ops=1000" \
7323 1 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7324 -c "x509_verify_cert.*4b00" \
7325 -C "mbedtls_pk_verify.*4b00" \
7326 -C "mbedtls_ecdh_make_public.*4b00" \
7327 -C "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7328 -c "! The certificate is not correctly signed by the trusted CA" \
7329 -c "! mbedtls_ssl_handshake returned" \
7330 -c "X509 - Certificate verification failed"
7331
7332requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7333run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
7334 "$P_SRV auth_mode=required \
7335 crt_file=data_files/server5-badsign.crt \
7336 key_file=data_files/server5.key" \
7337 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7338 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7339 debug_level=1 ec_max_ops=1000 auth_mode=optional" \
7340 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7341 -c "x509_verify_cert.*4b00" \
7342 -c "mbedtls_pk_verify.*4b00" \
7343 -c "mbedtls_ecdh_make_public.*4b00" \
7344 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7345 -c "! The certificate is not correctly signed by the trusted CA" \
7346 -C "! mbedtls_ssl_handshake returned" \
7347 -C "X509 - Certificate verification failed"
7348
7349requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7350run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
7351 "$P_SRV auth_mode=required \
7352 crt_file=data_files/server5-badsign.crt \
7353 key_file=data_files/server5.key" \
7354 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7355 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7356 debug_level=1 ec_max_ops=1000 auth_mode=none" \
7357 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7358 -C "x509_verify_cert.*4b00" \
7359 -c "mbedtls_pk_verify.*4b00" \
7360 -c "mbedtls_ecdh_make_public.*4b00" \
7361 -c "mbedtls_pk_sign.*4b00" \
Manuel Pégourié-Gonnard3bf49c42017-08-15 13:47:06 +0200[diff] [blame]7362 -C "! The certificate is not correctly signed by the trusted CA" \
7363 -C "! mbedtls_ssl_handshake returned" \
7364 -C "X509 - Certificate verification failed"
7365
7366requires_config_enabled MBEDTLS_ECP_RESTARTABLE
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7367run_test "EC restart: DTLS, max_ops=1000" \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7368 "$P_SRV auth_mode=required dtls=1" \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7369 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard862cde52017-05-17 11:56:15 +0200[diff] [blame]7370 key_file=data_files/server5.key crt_file=data_files/server5.crt \
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7371 dtls=1 debug_level=1 ec_max_ops=1000" \
7372 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7373 -c "x509_verify_cert.*4b00" \
7374 -c "mbedtls_pk_verify.*4b00" \
7375 -c "mbedtls_ecdh_make_public.*4b00" \
7376 -c "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard2350b4e2017-05-16 09:26:48 +0200[diff] [blame]7377
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7378requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7379run_test "EC restart: TLS, max_ops=1000 no client auth" \
7380 "$P_SRV" \
7381 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
7382 debug_level=1 ec_max_ops=1000" \
7383 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7384 -c "x509_verify_cert.*4b00" \
7385 -c "mbedtls_pk_verify.*4b00" \
7386 -c "mbedtls_ecdh_make_public.*4b00" \
7387 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7388
7389requires_config_enabled MBEDTLS_ECP_RESTARTABLE
7390run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
7391 "$P_SRV psk=abc123" \
7392 "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
7393 psk=abc123 debug_level=1 ec_max_ops=1000" \
7394 0 \
Manuel Pégourié-Gonnardb5d668a2018-06-13 11:22:01 +0200[diff] [blame]7395 -C "x509_verify_cert.*4b00" \
7396 -C "mbedtls_pk_verify.*4b00" \
7397 -C "mbedtls_ecdh_make_public.*4b00" \
7398 -C "mbedtls_pk_sign.*4b00"
Manuel Pégourié-Gonnard32033da2017-05-18 12:49:27 +0200[diff] [blame]7399
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7400# Tests of asynchronous private key support in SSL
7401
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7402requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7403run_test "SSL async private: sign, delay=0" \
7404 "$P_SRV \
7405 async_operations=s async_private_delay1=0 async_private_delay2=0" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7406 "$P_CLI" \
7407 0 \
7408 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7409 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7410
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7411requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7412run_test "SSL async private: sign, delay=1" \
7413 "$P_SRV \
7414 async_operations=s async_private_delay1=1 async_private_delay2=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7415 "$P_CLI" \
7416 0 \
7417 -s "Async sign callback: using key slot " \
7418 -s "Async resume (slot [0-9]): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7419 -s "Async resume (slot [0-9]): sign done, status=0"
7420
Gilles Peskine12d0cc12018-04-26 15:06:56 +0200[diff] [blame]7421requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7422run_test "SSL async private: sign, delay=2" \
7423 "$P_SRV \
7424 async_operations=s async_private_delay1=2 async_private_delay2=2" \
7425 "$P_CLI" \
7426 0 \
7427 -s "Async sign callback: using key slot " \
7428 -U "Async sign callback: using key slot " \
7429 -s "Async resume (slot [0-9]): call 1 more times." \
7430 -s "Async resume (slot [0-9]): call 0 more times." \
7431 -s "Async resume (slot [0-9]): sign done, status=0"
7432
Gilles Peskined3268832018-04-26 06:23:59 +0200[diff] [blame]7433# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
7434# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
7435requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7436requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
7437run_test "SSL async private: sign, RSA, TLS 1.1" \
7438 "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
7439 async_operations=s async_private_delay1=0 async_private_delay2=0" \
7440 "$P_CLI force_version=tls1_1" \
7441 0 \
7442 -s "Async sign callback: using key slot " \
7443 -s "Async resume (slot [0-9]): sign done, status=0"
7444
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7445requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine807d74a2018-04-30 10:30:49 +0200[diff] [blame]7446run_test "SSL async private: sign, SNI" \
7447 "$P_SRV debug_level=3 \
7448 async_operations=s async_private_delay1=0 async_private_delay2=0 \
7449 crt_file=data_files/server5.crt key_file=data_files/server5.key \
7450 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
7451 "$P_CLI server_name=polarssl.example" \
7452 0 \
7453 -s "Async sign callback: using key slot " \
7454 -s "Async resume (slot [0-9]): sign done, status=0" \
7455 -s "parse ServerName extension" \
7456 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
7457 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
7458
7459requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7460run_test "SSL async private: decrypt, delay=0" \
7461 "$P_SRV \
7462 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7463 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7464 0 \
7465 -s "Async decrypt callback: using key slot " \
7466 -s "Async resume (slot [0-9]): decrypt done, status=0"
7467
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7468requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7469run_test "SSL async private: decrypt, delay=1" \
7470 "$P_SRV \
7471 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7472 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7473 0 \
7474 -s "Async decrypt callback: using key slot " \
7475 -s "Async resume (slot [0-9]): call 0 more times." \
7476 -s "Async resume (slot [0-9]): decrypt done, status=0"
7477
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7478requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7479run_test "SSL async private: decrypt RSA-PSK, delay=0" \
7480 "$P_SRV psk=abc123 \
7481 async_operations=d async_private_delay1=0 async_private_delay2=0" \
7482 "$P_CLI psk=abc123 \
7483 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7484 0 \
7485 -s "Async decrypt callback: using key slot " \
7486 -s "Async resume (slot [0-9]): decrypt done, status=0"
7487
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7488requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7489run_test "SSL async private: decrypt RSA-PSK, delay=1" \
7490 "$P_SRV psk=abc123 \
7491 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7492 "$P_CLI psk=abc123 \
7493 force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
7494 0 \
7495 -s "Async decrypt callback: using key slot " \
7496 -s "Async resume (slot [0-9]): call 0 more times." \
7497 -s "Async resume (slot [0-9]): decrypt done, status=0"
7498
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7499requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7500run_test "SSL async private: sign callback not present" \
7501 "$P_SRV \
7502 async_operations=d async_private_delay1=1 async_private_delay2=1" \
7503 "$P_CLI; [ \$? -eq 1 ] &&
7504 $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7505 0 \
7506 -S "Async sign callback" \
7507 -s "! mbedtls_ssl_handshake returned" \
7508 -s "The own private key or pre-shared key is not set, but needed" \
7509 -s "Async resume (slot [0-9]): decrypt done, status=0" \
7510 -s "Successful connection"
7511
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7512requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7513run_test "SSL async private: decrypt callback not present" \
7514 "$P_SRV debug_level=1 \
7515 async_operations=s async_private_delay1=1 async_private_delay2=1" \
7516 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
7517 [ \$? -eq 1 ] && $P_CLI" \
7518 0 \
7519 -S "Async decrypt callback" \
7520 -s "! mbedtls_ssl_handshake returned" \
7521 -s "got no RSA private key" \
7522 -s "Async resume (slot [0-9]): sign done, status=0" \
7523 -s "Successful connection"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7524
7525# key1: ECDSA, key2: RSA; use key1 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7526requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7527run_test "SSL async private: slot 0 used with key1" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7528 "$P_SRV \
7529 async_operations=s async_private_delay1=1 \
7530 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7531 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7532 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7533 0 \
7534 -s "Async sign callback: using key slot 0," \
7535 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7536 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7537
7538# key1: ECDSA, key2: RSA; use key2 from slot 0
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7539requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7540run_test "SSL async private: slot 0 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7541 "$P_SRV \
7542 async_operations=s async_private_delay2=1 \
7543 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7544 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7545 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7546 0 \
7547 -s "Async sign callback: using key slot 0," \
7548 -s "Async resume (slot 0): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7549 -s "Async resume (slot 0): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7550
7551# key1: ECDSA, key2: RSA; use key2 from slot 1
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7552requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinead28bf02018-04-26 00:19:16 +0200[diff] [blame]7553run_test "SSL async private: slot 1 used with key2" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7554 "$P_SRV \
Gilles Peskine168dae82018-04-25 23:35:42 +0200[diff] [blame]7555 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7556 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7557 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7558 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7559 0 \
7560 -s "Async sign callback: using key slot 1," \
7561 -s "Async resume (slot 1): call 0 more times." \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7562 -s "Async resume (slot 1): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7563
7564# key1: ECDSA, key2: RSA; use key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7565requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7566run_test "SSL async private: fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7567 "$P_SRV \
7568 async_operations=s async_private_delay1=1 \
7569 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7570 key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7571 "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7572 0 \
7573 -s "Async sign callback: no key matches this certificate."
7574
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7575requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7576run_test "SSL async private: sign, error in start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7577 "$P_SRV \
7578 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7579 async_private_error=1" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7580 "$P_CLI" \
7581 1 \
7582 -s "Async sign callback: injected error" \
7583 -S "Async resume" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7584 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7585 -s "! mbedtls_ssl_handshake returned"
7586
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7587requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7588run_test "SSL async private: sign, cancel after start" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7589 "$P_SRV \
7590 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7591 async_private_error=2" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7592 "$P_CLI" \
7593 1 \
7594 -s "Async sign callback: using key slot " \
7595 -S "Async resume" \
7596 -s "Async cancel"
7597
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7598requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7599run_test "SSL async private: sign, error in resume" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7600 "$P_SRV \
7601 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7602 async_private_error=3" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7603 "$P_CLI" \
7604 1 \
7605 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7606 -s "Async resume callback: sign done but injected error" \
Gilles Peskine37289cd2018-04-27 11:50:14 +0200[diff] [blame]7607 -S "Async cancel" \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7608 -s "! mbedtls_ssl_handshake returned"
7609
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7610requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7611run_test "SSL async private: decrypt, error in start" \
7612 "$P_SRV \
7613 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7614 async_private_error=1" \
7615 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7616 1 \
7617 -s "Async decrypt callback: injected error" \
7618 -S "Async resume" \
7619 -S "Async cancel" \
7620 -s "! mbedtls_ssl_handshake returned"
7621
7622requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7623run_test "SSL async private: decrypt, cancel after start" \
7624 "$P_SRV \
7625 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7626 async_private_error=2" \
7627 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7628 1 \
7629 -s "Async decrypt callback: using key slot " \
7630 -S "Async resume" \
7631 -s "Async cancel"
7632
7633requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
7634run_test "SSL async private: decrypt, error in resume" \
7635 "$P_SRV \
7636 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7637 async_private_error=3" \
7638 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7639 1 \
7640 -s "Async decrypt callback: using key slot " \
7641 -s "Async resume callback: decrypt done but injected error" \
7642 -S "Async cancel" \
7643 -s "! mbedtls_ssl_handshake returned"
7644
7645requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7646run_test "SSL async private: cancel after start then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7647 "$P_SRV \
7648 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7649 async_private_error=-2" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7650 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7651 0 \
7652 -s "Async cancel" \
7653 -s "! mbedtls_ssl_handshake returned" \
7654 -s "Async resume" \
7655 -s "Successful connection"
7656
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7657requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7658run_test "SSL async private: error in resume then operate correctly" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7659 "$P_SRV \
7660 async_operations=s async_private_delay1=1 async_private_delay2=1 \
7661 async_private_error=-3" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7662 "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
7663 0 \
7664 -s "! mbedtls_ssl_handshake returned" \
7665 -s "Async resume" \
7666 -s "Successful connection"
7667
7668# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7669requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7670run_test "SSL async private: cancel after start then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7671 "$P_SRV \
7672 async_operations=s async_private_delay1=1 async_private_error=-2 \
7673 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7674 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7675 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7676 [ \$? -eq 1 ] &&
7677 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7678 0 \
Gilles Peskinededa75a2018-04-30 10:02:45 +0200[diff] [blame]7679 -s "Async sign callback: using key slot 0" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7680 -S "Async resume" \
7681 -s "Async cancel" \
7682 -s "! mbedtls_ssl_handshake returned" \
7683 -s "Async sign callback: no key matches this certificate." \
7684 -s "Successful connection"
7685
7686# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7687requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine725f1cb2018-06-12 15:06:40 +0200[diff] [blame]7688run_test "SSL async private: sign, error in resume then fall back to transparent key" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7689 "$P_SRV \
7690 async_operations=s async_private_delay1=1 async_private_error=-3 \
7691 key_file=data_files/server5.key crt_file=data_files/server5.crt \
7692 key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
Gilles Peskine60ee4ca2018-01-08 11:28:05 +0100[diff] [blame]7693 "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
7694 [ \$? -eq 1 ] &&
7695 $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
7696 0 \
7697 -s "Async resume" \
7698 -s "! mbedtls_ssl_handshake returned" \
7699 -s "Async sign callback: no key matches this certificate." \
7700 -s "Successful connection"
7701
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7702requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7703requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7704run_test "SSL async private: renegotiation: client-initiated, sign" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7705 "$P_SRV \
7706 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7707 exchanges=2 renegotiation=1" \
7708 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
7709 0 \
7710 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7711 -s "Async resume (slot [0-9]): sign done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7712
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7713requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7714requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7715run_test "SSL async private: renegotiation: server-initiated, sign" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7716 "$P_SRV \
7717 async_operations=s async_private_delay1=1 async_private_delay2=1 \
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7718 exchanges=2 renegotiation=1 renegotiate=1" \
7719 "$P_CLI exchanges=2 renegotiation=1" \
7720 0 \
7721 -s "Async sign callback: using key slot " \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7722 -s "Async resume (slot [0-9]): sign done, status=0"
7723
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7724requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7725requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7726run_test "SSL async private: renegotiation: client-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7727 "$P_SRV \
7728 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7729 exchanges=2 renegotiation=1" \
7730 "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
7731 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7732 0 \
7733 -s "Async decrypt callback: using key slot " \
7734 -s "Async resume (slot [0-9]): decrypt done, status=0"
7735
Gilles Peskineb74a1c72018-04-24 13:09:22 +0200[diff] [blame]7736requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7737requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Gilles Peskine654bab72019-09-16 15:19:20 +0200[diff] [blame]7738run_test "SSL async private: renegotiation: server-initiated, decrypt" \
Gilles Peskinefcca9d82018-01-12 13:47:48 +0100[diff] [blame]7739 "$P_SRV \
7740 async_operations=d async_private_delay1=1 async_private_delay2=1 \
7741 exchanges=2 renegotiation=1 renegotiate=1" \
7742 "$P_CLI exchanges=2 renegotiation=1 \
7743 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
7744 0 \
7745 -s "Async decrypt callback: using key slot " \
7746 -s "Async resume (slot [0-9]): decrypt done, status=0"
Gilles Peskine3665f1d2018-01-05 21:22:12 +0100[diff] [blame]7747
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7748# Tests for ECC extensions (rfc 4492)
7749
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7750requires_config_enabled MBEDTLS_AES_C
7751requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7752requires_config_enabled MBEDTLS_SHA256_C
7753requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7754run_test "Force a non ECC ciphersuite in the client side" \
7755 "$P_SRV debug_level=3" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7756 "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7757 0 \
7758 -C "client hello, adding supported_elliptic_curves extension" \
7759 -C "client hello, adding supported_point_formats extension" \
7760 -S "found supported elliptic curves extension" \
7761 -S "found supported point formats extension"
7762
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7763requires_config_enabled MBEDTLS_AES_C
7764requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7765requires_config_enabled MBEDTLS_SHA256_C
7766requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7767run_test "Force a non ECC ciphersuite in the server side" \
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7768 "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7769 "$P_CLI debug_level=3" \
7770 0 \
7771 -C "found supported_point_formats extension" \
7772 -S "server hello, supported_point_formats extension"
7773
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7774requires_config_enabled MBEDTLS_AES_C
7775requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7776requires_config_enabled MBEDTLS_SHA256_C
7777requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7778run_test "Force an ECC ciphersuite in the client side" \
7779 "$P_SRV debug_level=3" \
7780 "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7781 0 \
7782 -c "client hello, adding supported_elliptic_curves extension" \
7783 -c "client hello, adding supported_point_formats extension" \
7784 -s "found supported elliptic curves extension" \
7785 -s "found supported point formats extension"
7786
Ron Eldor643df7c2018-06-28 16:17:00 +0300[diff] [blame]7787requires_config_enabled MBEDTLS_AES_C
7788requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
7789requires_config_enabled MBEDTLS_SHA256_C
7790requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Ron Eldor58093c82018-06-28 13:22:05 +0300[diff] [blame]7791run_test "Force an ECC ciphersuite in the server side" \
7792 "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
7793 "$P_CLI debug_level=3" \
7794 0 \
7795 -c "found supported_point_formats extension" \
7796 -s "server hello, supported_point_formats extension"
7797
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7798# Tests for DTLS HelloVerifyRequest
7799
7800run_test "DTLS cookie: enabled" \
7801 "$P_SRV dtls=1 debug_level=2" \
7802 "$P_CLI dtls=1 debug_level=2" \
7803 0 \
7804 -s "cookie verification failed" \
7805 -s "cookie verification passed" \
7806 -S "cookie verification skipped" \
7807 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7808 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7809 -S "SSL - The requested feature is not available"
7810
7811run_test "DTLS cookie: disabled" \
7812 "$P_SRV dtls=1 debug_level=2 cookies=0" \
7813 "$P_CLI dtls=1 debug_level=2" \
7814 0 \
7815 -S "cookie verification failed" \
7816 -S "cookie verification passed" \
7817 -s "cookie verification skipped" \
7818 -C "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7819 -S "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7820 -S "SSL - The requested feature is not available"
7821
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7822run_test "DTLS cookie: default (failing)" \
7823 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
7824 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
7825 1 \
7826 -s "cookie verification failed" \
7827 -S "cookie verification passed" \
7828 -S "cookie verification skipped" \
7829 -C "received hello verify request" \
7830 -S "hello verification requested" \
7831 -s "SSL - The requested feature is not available"
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7832
7833requires_ipv6
7834run_test "DTLS cookie: enabled, IPv6" \
7835 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
7836 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
7837 0 \
7838 -s "cookie verification failed" \
7839 -s "cookie verification passed" \
7840 -S "cookie verification skipped" \
7841 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7842 -s "hello verification requested" \
Manuel Pégourié-Gonnard0eb6cab2014-07-23 20:17:47 +0200[diff] [blame]7843 -S "SSL - The requested feature is not available"
7844
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7845run_test "DTLS cookie: enabled, nbio" \
7846 "$P_SRV dtls=1 nbio=2 debug_level=2" \
7847 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7848 0 \
7849 -s "cookie verification failed" \
7850 -s "cookie verification passed" \
7851 -S "cookie verification skipped" \
7852 -c "received hello verify request" \
Manuel Pégourié-Gonnardcaecdae2014-10-13 19:04:37 +0200[diff] [blame]7853 -s "hello verification requested" \
Manuel Pégourié-Gonnard579950c2014-09-29 17:47:33 +0200[diff] [blame]7854 -S "SSL - The requested feature is not available"
7855
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7856# Tests for client reconnecting from the same port with DTLS
7857
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7858not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7859run_test "DTLS client reconnect from same port: reference" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]7860 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
7861 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7862 0 \
7863 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7864 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7865 -S "Client initiated reconnection from same port"
7866
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7867not_with_valgrind # spurious resend
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7868run_test "DTLS client reconnect from same port: reconnect" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]7869 "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \
7870 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7871 0 \
7872 -C "resend" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7873 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7874 -s "Client initiated reconnection from same port"
7875
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7876not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
7877run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7878 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
7879 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7880 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7881 -S "The operation timed out" \
Manuel Pégourié-Gonnardd745a1a2015-09-08 12:40:43 +0200[diff] [blame]7882 -s "Client initiated reconnection from same port"
7883
Paul Bakker362689d2016-05-13 10:33:25 +0100[diff] [blame]7884only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
7885run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
7886 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
7887 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
7888 0 \
7889 -S "The operation timed out" \
7890 -s "Client initiated reconnection from same port"
7891
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7892run_test "DTLS client reconnect from same port: no cookies" \
7893 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
Manuel Pégourié-Gonnard6ad23b92015-09-15 12:57:46 +0200[diff] [blame]7894 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
7895 0 \
Manuel Pégourié-Gonnard259db912015-09-09 11:37:17 +0200[diff] [blame]7896 -s "The operation timed out" \
7897 -S "Client initiated reconnection from same port"
7898
Manuel Pégourié-Gonnardbaad2de2020-03-13 11:11:02 +0100[diff] [blame]7899run_test "DTLS client reconnect from same port: attacker-injected" \
7900 -p "$P_PXY inject_clihlo=1" \
7901 "$P_SRV dtls=1 exchanges=2 debug_level=1" \
7902 "$P_CLI dtls=1 exchanges=2" \
7903 0 \
7904 -s "possible client reconnect from the same port" \
7905 -S "Client initiated reconnection from same port"
7906
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7907# Tests for various cases of client authentication with DTLS
7908# (focused on handshake flows and message parsing)
7909
7910run_test "DTLS client auth: required" \
7911 "$P_SRV dtls=1 auth_mode=required" \
7912 "$P_CLI dtls=1" \
7913 0 \
7914 -s "Verifying peer X.509 certificate... ok"
7915
7916run_test "DTLS client auth: optional, client has no cert" \
7917 "$P_SRV dtls=1 auth_mode=optional" \
7918 "$P_CLI dtls=1 crt_file=none key_file=none" \
7919 0 \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7920 -s "! Certificate was missing"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7921
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7922run_test "DTLS client auth: none, client has no cert" \
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7923 "$P_SRV dtls=1 auth_mode=none" \
7924 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
7925 0 \
7926 -c "skip write certificate$" \
Manuel Pégourié-Gonnard89addc42015-04-20 10:56:18 +0100[diff] [blame]7927 -s "! Certificate verification was skipped"
Manuel Pégourié-Gonnard08a1d4b2014-09-26 10:35:50 +0200[diff] [blame]7928
Manuel Pégourié-Gonnard0a885742015-08-04 12:08:35 +0200[diff] [blame]7929run_test "DTLS wrong PSK: badmac alert" \
7930 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
7931 "$P_CLI dtls=1 psk=abc124" \
7932 1 \
7933 -s "SSL - Verification of the message MAC failed" \
7934 -c "SSL - A fatal alert message was received from our peer"
7935
Manuel Pégourié-Gonnard502bf302014-08-20 13:12:58 +0200[diff] [blame]7936# Tests for receiving fragmented handshake messages with DTLS
7937
7938requires_gnutls
7939run_test "DTLS reassembly: no fragmentation (gnutls server)" \
7940 "$G_SRV -u --mtu 2048 -a" \
7941 "$P_CLI dtls=1 debug_level=2" \
7942 0 \
7943 -C "found fragmented DTLS handshake message" \
7944 -C "error"
7945
7946requires_gnutls
7947run_test "DTLS reassembly: some fragmentation (gnutls server)" \
7948 "$G_SRV -u --mtu 512" \
7949 "$P_CLI dtls=1 debug_level=2" \
7950 0 \
7951 -c "found fragmented DTLS handshake message" \
7952 -C "error"
7953
7954requires_gnutls
7955run_test "DTLS reassembly: more fragmentation (gnutls server)" \
7956 "$G_SRV -u --mtu 128" \
7957 "$P_CLI dtls=1 debug_level=2" \
7958 0 \
7959 -c "found fragmented DTLS handshake message" \
7960 -C "error"
7961
7962requires_gnutls
7963run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
7964 "$G_SRV -u --mtu 128" \
7965 "$P_CLI dtls=1 nbio=2 debug_level=2" \
7966 0 \
7967 -c "found fragmented DTLS handshake message" \
7968 -C "error"
7969
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7970requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7971requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7972run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
7973 "$G_SRV -u --mtu 256" \
7974 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
7975 0 \
7976 -c "found fragmented DTLS handshake message" \
7977 -c "client hello, adding renegotiation extension" \
7978 -c "found renegotiation extension" \
7979 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7980 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7981 -C "error" \
7982 -s "Extra-header:"
7983
7984requires_gnutls
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]7985requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7986run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
7987 "$G_SRV -u --mtu 256" \
7988 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
7989 0 \
7990 -c "found fragmented DTLS handshake message" \
7991 -c "client hello, adding renegotiation extension" \
7992 -c "found renegotiation extension" \
7993 -c "=> renegotiate" \
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]7994 -C "mbedtls_ssl_handshake returned" \
Manuel Pégourié-Gonnard0c4cbc72014-09-02 14:47:31 +0200[diff] [blame]7995 -C "error" \
7996 -s "Extra-header:"
7997
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]7998run_test "DTLS reassembly: no fragmentation (openssl server)" \
7999 "$O_SRV -dtls1 -mtu 2048" \
8000 "$P_CLI dtls=1 debug_level=2" \
8001 0 \
8002 -C "found fragmented DTLS handshake message" \
8003 -C "error"
8004
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8005run_test "DTLS reassembly: some fragmentation (openssl server)" \
8006 "$O_SRV -dtls1 -mtu 768" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]8007 "$P_CLI dtls=1 debug_level=2" \
8008 0 \
8009 -c "found fragmented DTLS handshake message" \
8010 -C "error"
8011
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8012run_test "DTLS reassembly: more fragmentation (openssl server)" \
Manuel Pégourié-Gonnard64dffc52014-09-02 13:39:16 +0200[diff] [blame]8013 "$O_SRV -dtls1 -mtu 256" \
8014 "$P_CLI dtls=1 debug_level=2" \
8015 0 \
8016 -c "found fragmented DTLS handshake message" \
8017 -C "error"
8018
8019run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
8020 "$O_SRV -dtls1 -mtu 256" \
8021 "$P_CLI dtls=1 nbio=2 debug_level=2" \
8022 0 \
8023 -c "found fragmented DTLS handshake message" \
8024 -C "error"
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]8025
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8026# Tests for sending fragmented handshake messages with DTLS
8027#
8028# Use client auth when we need the client to send large messages,
8029# and use large cert chains on both sides too (the long chains we have all use
8030# both RSA and ECDSA, but ideally we should have long chains with either).
8031# Sizes reached (UDP payload):
8032# - 2037B for server certificate
8033# - 1542B for client certificate
8034# - 1013B for newsessionticket
8035# - all others below 512B
8036# All those tests assume MAX_CONTENT_LEN is at least 2048
8037
8038requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8039requires_config_enabled MBEDTLS_RSA_C
8040requires_config_enabled MBEDTLS_ECDSA_C
8041requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8042requires_max_content_len 4096
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8043run_test "DTLS fragmenting: none (for reference)" \
8044 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8045 crt_file=data_files/server7_int-ca.crt \
8046 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8047 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8048 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8049 "$P_CLI dtls=1 debug_level=2 \
8050 crt_file=data_files/server8_int-ca2.crt \
8051 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8052 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8053 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8054 0 \
8055 -S "found fragmented DTLS handshake message" \
8056 -C "found fragmented DTLS handshake message" \
8057 -C "error"
8058
8059requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8060requires_config_enabled MBEDTLS_RSA_C
8061requires_config_enabled MBEDTLS_ECDSA_C
8062requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8063requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8064run_test "DTLS fragmenting: server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8065 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8066 crt_file=data_files/server7_int-ca.crt \
8067 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8068 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8069 max_frag_len=1024" \
8070 "$P_CLI dtls=1 debug_level=2 \
8071 crt_file=data_files/server8_int-ca2.crt \
8072 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8073 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8074 max_frag_len=2048" \
8075 0 \
8076 -S "found fragmented DTLS handshake message" \
8077 -c "found fragmented DTLS handshake message" \
8078 -C "error"
8079
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]8080# With the MFL extension, the server has no way of forcing
8081# the client to not exceed a certain MTU; hence, the following
8082# test can't be replicated with an MTU proxy such as the one
8083# `client-initiated, server only (max_frag_len)` below.
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8084requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8085requires_config_enabled MBEDTLS_RSA_C
8086requires_config_enabled MBEDTLS_ECDSA_C
8087requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8088requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8089run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8090 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8091 crt_file=data_files/server7_int-ca.crt \
8092 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8093 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8094 max_frag_len=512" \
8095 "$P_CLI dtls=1 debug_level=2 \
8096 crt_file=data_files/server8_int-ca2.crt \
8097 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8098 hs_timeout=2500-60000 \
Hanno Becker69ca0ad2018-08-24 12:11:35 +0100[diff] [blame]8099 max_frag_len=4096" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8100 0 \
8101 -S "found fragmented DTLS handshake message" \
8102 -c "found fragmented DTLS handshake message" \
8103 -C "error"
8104
8105requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8106requires_config_enabled MBEDTLS_RSA_C
8107requires_config_enabled MBEDTLS_ECDSA_C
8108requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8109requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8110run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8111 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
8112 crt_file=data_files/server7_int-ca.crt \
8113 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8114 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8115 max_frag_len=2048" \
8116 "$P_CLI dtls=1 debug_level=2 \
8117 crt_file=data_files/server8_int-ca2.crt \
8118 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8119 hs_timeout=2500-60000 \
8120 max_frag_len=1024" \
8121 0 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8122 -S "found fragmented DTLS handshake message" \
8123 -c "found fragmented DTLS handshake message" \
8124 -C "error"
8125
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8126# While not required by the standard defining the MFL extension
8127# (according to which it only applies to records, not to datagrams),
8128# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
8129# as otherwise there wouldn't be any means to communicate MTU restrictions
8130# to the peer.
8131# The next test checks that no datagrams significantly larger than the
8132# negotiated MFL are sent.
8133requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8134requires_config_enabled MBEDTLS_RSA_C
8135requires_config_enabled MBEDTLS_ECDSA_C
8136requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8137requires_max_content_len 2048
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8138run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]8139 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8140 "$P_SRV dtls=1 debug_level=2 auth_mode=none \
8141 crt_file=data_files/server7_int-ca.crt \
8142 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8143 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8144 max_frag_len=2048" \
8145 "$P_CLI dtls=1 debug_level=2 \
8146 crt_file=data_files/server8_int-ca2.crt \
8147 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8148 hs_timeout=2500-60000 \
8149 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8150 0 \
8151 -S "found fragmented DTLS handshake message" \
8152 -c "found fragmented DTLS handshake message" \
8153 -C "error"
8154
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8155requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8156requires_config_enabled MBEDTLS_RSA_C
8157requires_config_enabled MBEDTLS_ECDSA_C
8158requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8159requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8160run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8161 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8162 crt_file=data_files/server7_int-ca.crt \
8163 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8164 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8165 max_frag_len=2048" \
8166 "$P_CLI dtls=1 debug_level=2 \
8167 crt_file=data_files/server8_int-ca2.crt \
8168 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8169 hs_timeout=2500-60000 \
8170 max_frag_len=1024" \
Manuel Pégourié-Gonnard2cb17e22017-09-19 13:00:47 +0200[diff] [blame]8171 0 \
8172 -s "found fragmented DTLS handshake message" \
8173 -c "found fragmented DTLS handshake message" \
8174 -C "error"
8175
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8176# While not required by the standard defining the MFL extension
8177# (according to which it only applies to records, not to datagrams),
8178# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
8179# as otherwise there wouldn't be any means to communicate MTU restrictions
8180# to the peer.
8181# The next test checks that no datagrams significantly larger than the
8182# negotiated MFL are sent.
8183requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8184requires_config_enabled MBEDTLS_RSA_C
8185requires_config_enabled MBEDTLS_ECDSA_C
8186requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8187requires_max_content_len 2048
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8188run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
Andrzej Kurek0fc9cf42018-10-09 03:09:41 -0400[diff] [blame]8189 -p "$P_PXY mtu=1110" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8190 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8191 crt_file=data_files/server7_int-ca.crt \
8192 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8193 hs_timeout=2500-60000 \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8194 max_frag_len=2048" \
8195 "$P_CLI dtls=1 debug_level=2 \
8196 crt_file=data_files/server8_int-ca2.crt \
8197 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8198 hs_timeout=2500-60000 \
8199 max_frag_len=1024" \
Hanno Beckerc92b5c82018-08-24 11:48:01 +0100[diff] [blame]8200 0 \
8201 -s "found fragmented DTLS handshake message" \
8202 -c "found fragmented DTLS handshake message" \
8203 -C "error"
8204
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8205requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8206requires_config_enabled MBEDTLS_RSA_C
8207requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8208requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8209run_test "DTLS fragmenting: none (for reference) (MTU)" \
8210 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8211 crt_file=data_files/server7_int-ca.crt \
8212 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8213 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8214 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8215 "$P_CLI dtls=1 debug_level=2 \
8216 crt_file=data_files/server8_int-ca2.crt \
8217 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8218 hs_timeout=2500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8219 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8220 0 \
8221 -S "found fragmented DTLS handshake message" \
8222 -C "found fragmented DTLS handshake message" \
8223 -C "error"
8224
8225requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8226requires_config_enabled MBEDTLS_RSA_C
8227requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8228requires_max_content_len 4096
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8229run_test "DTLS fragmenting: client (MTU)" \
8230 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8231 crt_file=data_files/server7_int-ca.crt \
8232 key_file=data_files/server7.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8233 hs_timeout=3500-60000 \
Hanno Becker12405e72018-08-13 16:45:46 +0100[diff] [blame]8234 mtu=4096" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8235 "$P_CLI dtls=1 debug_level=2 \
8236 crt_file=data_files/server8_int-ca2.crt \
8237 key_file=data_files/server8.key \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]8238 hs_timeout=3500-60000 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8239 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8240 0 \
8241 -s "found fragmented DTLS handshake message" \
8242 -C "found fragmented DTLS handshake message" \
8243 -C "error"
8244
8245requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8246requires_config_enabled MBEDTLS_RSA_C
8247requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8248requires_max_content_len 2048
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8249run_test "DTLS fragmenting: server (MTU)" \
8250 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8251 crt_file=data_files/server7_int-ca.crt \
8252 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8253 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8254 mtu=512" \
8255 "$P_CLI dtls=1 debug_level=2 \
8256 crt_file=data_files/server8_int-ca2.crt \
8257 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8258 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8259 mtu=2048" \
8260 0 \
8261 -S "found fragmented DTLS handshake message" \
8262 -c "found fragmented DTLS handshake message" \
8263 -C "error"
8264
8265requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8266requires_config_enabled MBEDTLS_RSA_C
8267requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8268requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8269run_test "DTLS fragmenting: both (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8270 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8271 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8272 crt_file=data_files/server7_int-ca.crt \
8273 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8274 hs_timeout=2500-60000 \
Andrzej Kurek95805282018-10-11 08:55:37 -0400[diff] [blame]8275 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8276 "$P_CLI dtls=1 debug_level=2 \
8277 crt_file=data_files/server8_int-ca2.crt \
8278 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8279 hs_timeout=2500-60000 \
8280 mtu=1024" \
Manuel Pégourié-Gonnardb747c6c2018-08-12 13:28:53 +0200[diff] [blame]8281 0 \
8282 -s "found fragmented DTLS handshake message" \
8283 -c "found fragmented DTLS handshake message" \
8284 -C "error"
8285
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8286# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8287requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8288requires_config_enabled MBEDTLS_RSA_C
8289requires_config_enabled MBEDTLS_ECDSA_C
8290requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8291requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8292requires_config_enabled MBEDTLS_AES_C
8293requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8294requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8295run_test "DTLS fragmenting: both (MTU=512)" \
Hanno Becker8d832182018-03-15 10:14:19 +0000[diff] [blame]8296 -p "$P_PXY mtu=512" \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]8297 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8298 crt_file=data_files/server7_int-ca.crt \
8299 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8300 hs_timeout=2500-60000 \
Hanno Becker72a4f032017-11-15 16:39:20 +0000[diff] [blame]8301 mtu=512" \
8302 "$P_CLI dtls=1 debug_level=2 \
8303 crt_file=data_files/server8_int-ca2.crt \
8304 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8305 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8306 hs_timeout=2500-60000 \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8307 mtu=512" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]8308 0 \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]8309 -s "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]8310 -c "found fragmented DTLS handshake message" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]8311 -C "error"
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]8312
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8313# Test for automatic MTU reduction on repeated resend.
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8314# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8315# The ratio of max/min timeout should ideally equal 4 to accept two
8316# retransmissions, but in some cases (like both the server and client using
8317# fragmentation and auto-reduction) an extra retransmission might occur,
8318# hence the ratio of 8.
Hanno Becker37029eb2018-08-29 17:01:40 +0100[diff] [blame]8319not_with_valgrind
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8320requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8321requires_config_enabled MBEDTLS_RSA_C
8322requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8323requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8324requires_config_enabled MBEDTLS_AES_C
8325requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8326requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]8327run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8328 -p "$P_PXY mtu=508" \
8329 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8330 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8331 key_file=data_files/server7.key \
8332 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8333 "$P_CLI dtls=1 debug_level=2 \
8334 crt_file=data_files/server8_int-ca2.crt \
8335 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8336 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8337 hs_timeout=400-3200" \
Manuel Pégourié-Gonnardb8eec192018-08-20 09:34:02 +0200[diff] [blame]8338 0 \
8339 -s "found fragmented DTLS handshake message" \
8340 -c "found fragmented DTLS handshake message" \
8341 -C "error"
8342
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8343# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8344only_with_valgrind
8345requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8346requires_config_enabled MBEDTLS_RSA_C
8347requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8348requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8349requires_config_enabled MBEDTLS_AES_C
8350requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8351requires_max_content_len 2048
Gilles Peskine0d8b86a2019-09-20 18:03:11 +0200[diff] [blame]8352run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8353 -p "$P_PXY mtu=508" \
8354 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8355 crt_file=data_files/server7_int-ca.crt \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8356 key_file=data_files/server7.key \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8357 hs_timeout=250-10000" \
8358 "$P_CLI dtls=1 debug_level=2 \
8359 crt_file=data_files/server8_int-ca2.crt \
8360 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8361 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Hanno Becker108992e2018-08-29 17:04:18 +0100[diff] [blame]8362 hs_timeout=250-10000" \
8363 0 \
8364 -s "found fragmented DTLS handshake message" \
8365 -c "found fragmented DTLS handshake message" \
8366 -C "error"
8367
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8368# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
Manuel Pégourié-Gonnard3d183ce2018-08-22 09:56:22 +0200[diff] [blame]8369# OTOH the client might resend if the server is to slow to reset after sending
8370# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8371not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8372requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8373requires_config_enabled MBEDTLS_RSA_C
8374requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8375requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8376run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8377 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8378 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8379 crt_file=data_files/server7_int-ca.crt \
8380 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8381 hs_timeout=10000-60000 \
8382 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8383 "$P_CLI dtls=1 debug_level=2 \
8384 crt_file=data_files/server8_int-ca2.crt \
8385 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8386 hs_timeout=10000-60000 \
8387 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8388 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8389 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8390 -s "found fragmented DTLS handshake message" \
8391 -c "found fragmented DTLS handshake message" \
8392 -C "error"
8393
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8394# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8395# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
8396# OTOH the client might resend if the server is to slow to reset after sending
8397# a HelloVerifyRequest, so only check for no retransmission server-side
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8398not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8399requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8400requires_config_enabled MBEDTLS_RSA_C
8401requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8402requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8403requires_config_enabled MBEDTLS_AES_C
8404requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8405requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8406run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8407 -p "$P_PXY mtu=512" \
8408 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8409 crt_file=data_files/server7_int-ca.crt \
8410 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8411 hs_timeout=10000-60000 \
8412 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8413 "$P_CLI dtls=1 debug_level=2 \
8414 crt_file=data_files/server8_int-ca2.crt \
8415 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8416 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8417 hs_timeout=10000-60000 \
8418 mtu=512" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8419 0 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8420 -S "autoreduction" \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8421 -s "found fragmented DTLS handshake message" \
8422 -c "found fragmented DTLS handshake message" \
8423 -C "error"
8424
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8425not_with_valgrind # spurious autoreduction due to timeout
8426requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8427requires_config_enabled MBEDTLS_RSA_C
8428requires_config_enabled MBEDTLS_ECDSA_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8429requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8430run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8431 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8432 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8433 crt_file=data_files/server7_int-ca.crt \
8434 key_file=data_files/server7.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8435 hs_timeout=10000-60000 \
8436 mtu=1024 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8437 "$P_CLI dtls=1 debug_level=2 \
8438 crt_file=data_files/server8_int-ca2.crt \
8439 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8440 hs_timeout=10000-60000 \
8441 mtu=1024 nbio=2" \
8442 0 \
8443 -S "autoreduction" \
8444 -s "found fragmented DTLS handshake message" \
8445 -c "found fragmented DTLS handshake message" \
8446 -C "error"
8447
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8448# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8449not_with_valgrind # spurious autoreduction due to timeout
8450requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8451requires_config_enabled MBEDTLS_RSA_C
8452requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8453requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8454requires_config_enabled MBEDTLS_AES_C
8455requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8456requires_max_content_len 2048
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8457run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
8458 -p "$P_PXY mtu=512" \
8459 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8460 crt_file=data_files/server7_int-ca.crt \
8461 key_file=data_files/server7.key \
8462 hs_timeout=10000-60000 \
8463 mtu=512 nbio=2" \
8464 "$P_CLI dtls=1 debug_level=2 \
8465 crt_file=data_files/server8_int-ca2.crt \
8466 key_file=data_files/server8.key \
8467 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
8468 hs_timeout=10000-60000 \
8469 mtu=512 nbio=2" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8470 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8471 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8472 -s "found fragmented DTLS handshake message" \
8473 -c "found fragmented DTLS handshake message" \
8474 -C "error"
8475
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8476# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
Hanno Beckerb841b4f2018-08-28 10:25:51 +0100[diff] [blame]8477# This ensures things still work after session_reset().
8478# It also exercises the "resumed handshake" flow.
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8479# Since we don't support reading fragmented ClientHello yet,
8480# up the MTU to 1450 (larger than ClientHello with session ticket,
8481# but still smaller than client's Certificate to ensure fragmentation).
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8482# An autoreduction on the client-side might happen if the server is
8483# slow to reset, therefore omitting '-C "autoreduction"' below.
Manuel Pégourié-Gonnard2f2d9022018-08-21 12:17:54 +0200[diff] [blame]8484# reco_delay avoids races where the client reconnects before the server has
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8485# resumed listening, which would result in a spurious autoreduction.
8486not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8487requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8488requires_config_enabled MBEDTLS_RSA_C
8489requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8490requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8491requires_config_enabled MBEDTLS_AES_C
8492requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8493requires_max_content_len 2048
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8494run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
8495 -p "$P_PXY mtu=1450" \
8496 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8497 crt_file=data_files/server7_int-ca.crt \
8498 key_file=data_files/server7.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8499 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8500 mtu=1450" \
8501 "$P_CLI dtls=1 debug_level=2 \
8502 crt_file=data_files/server8_int-ca2.crt \
8503 key_file=data_files/server8.key \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8504 hs_timeout=10000-60000 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8505 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]8506 mtu=1450 reconnect=1 skip_close_notify=1 reco_delay=1" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8507 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8508 -S "autoreduction" \
Manuel Pégourié-Gonnard19c62f92018-08-16 10:50:39 +0200[diff] [blame]8509 -s "found fragmented DTLS handshake message" \
8510 -c "found fragmented DTLS handshake message" \
8511 -C "error"
8512
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8513# An autoreduction on the client-side might happen if the server is
8514# slow to reset, therefore omitting '-C "autoreduction"' below.
8515not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8516requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8517requires_config_enabled MBEDTLS_RSA_C
8518requires_config_enabled MBEDTLS_ECDSA_C
8519requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8520requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8521requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8522requires_config_enabled MBEDTLS_CHACHAPOLY_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8523requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8524run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
8525 -p "$P_PXY mtu=512" \
8526 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8527 crt_file=data_files/server7_int-ca.crt \
8528 key_file=data_files/server7.key \
8529 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8530 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8531 mtu=512" \
8532 "$P_CLI dtls=1 debug_level=2 \
8533 crt_file=data_files/server8_int-ca2.crt \
8534 key_file=data_files/server8.key \
8535 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8536 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8537 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8538 mtu=512" \
8539 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8540 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8541 -s "found fragmented DTLS handshake message" \
8542 -c "found fragmented DTLS handshake message" \
8543 -C "error"
8544
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8545# An autoreduction on the client-side might happen if the server is
8546# slow to reset, therefore omitting '-C "autoreduction"' below.
8547not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8548requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8549requires_config_enabled MBEDTLS_RSA_C
8550requires_config_enabled MBEDTLS_ECDSA_C
8551requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8552requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8553requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8554requires_config_enabled MBEDTLS_AES_C
8555requires_config_enabled MBEDTLS_GCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8556requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8557run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
8558 -p "$P_PXY mtu=512" \
8559 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8560 crt_file=data_files/server7_int-ca.crt \
8561 key_file=data_files/server7.key \
8562 exchanges=2 renegotiation=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8563 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8564 mtu=512" \
8565 "$P_CLI dtls=1 debug_level=2 \
8566 crt_file=data_files/server8_int-ca2.crt \
8567 key_file=data_files/server8.key \
8568 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8569 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8570 hs_timeout=10000-60000 \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8571 mtu=512" \
8572 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8573 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8574 -s "found fragmented DTLS handshake message" \
8575 -c "found fragmented DTLS handshake message" \
8576 -C "error"
8577
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8578# An autoreduction on the client-side might happen if the server is
8579# slow to reset, therefore omitting '-C "autoreduction"' below.
8580not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8581requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8582requires_config_enabled MBEDTLS_RSA_C
8583requires_config_enabled MBEDTLS_ECDSA_C
8584requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8585requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8586requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8587requires_config_enabled MBEDTLS_AES_C
8588requires_config_enabled MBEDTLS_CCM_C
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8589requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8590run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8591 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8592 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8593 crt_file=data_files/server7_int-ca.crt \
8594 key_file=data_files/server7.key \
8595 exchanges=2 renegotiation=1 \
8596 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8597 hs_timeout=10000-60000 \
8598 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8599 "$P_CLI dtls=1 debug_level=2 \
8600 crt_file=data_files/server8_int-ca2.crt \
8601 key_file=data_files/server8.key \
8602 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8603 hs_timeout=10000-60000 \
8604 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8605 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8606 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8607 -s "found fragmented DTLS handshake message" \
8608 -c "found fragmented DTLS handshake message" \
8609 -C "error"
8610
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8611# An autoreduction on the client-side might happen if the server is
8612# slow to reset, therefore omitting '-C "autoreduction"' below.
8613not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8614requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8615requires_config_enabled MBEDTLS_RSA_C
8616requires_config_enabled MBEDTLS_ECDSA_C
8617requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8618requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8619requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8620requires_config_enabled MBEDTLS_AES_C
8621requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
8622requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8623requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8624run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8625 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8626 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8627 crt_file=data_files/server7_int-ca.crt \
8628 key_file=data_files/server7.key \
8629 exchanges=2 renegotiation=1 \
8630 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8631 hs_timeout=10000-60000 \
8632 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8633 "$P_CLI dtls=1 debug_level=2 \
8634 crt_file=data_files/server8_int-ca2.crt \
8635 key_file=data_files/server8.key \
8636 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8637 hs_timeout=10000-60000 \
8638 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8639 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8640 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8641 -s "found fragmented DTLS handshake message" \
8642 -c "found fragmented DTLS handshake message" \
8643 -C "error"
8644
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8645# An autoreduction on the client-side might happen if the server is
8646# slow to reset, therefore omitting '-C "autoreduction"' below.
8647not_with_valgrind # spurious autoreduction due to timeout
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8648requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8649requires_config_enabled MBEDTLS_RSA_C
8650requires_config_enabled MBEDTLS_ECDSA_C
8651requires_config_enabled MBEDTLS_SHA256_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8652requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8653requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
8654requires_config_enabled MBEDTLS_AES_C
8655requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8656requires_max_content_len 2048
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8657run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8658 -p "$P_PXY mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8659 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8660 crt_file=data_files/server7_int-ca.crt \
8661 key_file=data_files/server7.key \
8662 exchanges=2 renegotiation=1 \
8663 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8664 hs_timeout=10000-60000 \
8665 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8666 "$P_CLI dtls=1 debug_level=2 \
8667 crt_file=data_files/server8_int-ca2.crt \
8668 key_file=data_files/server8.key \
8669 exchanges=2 renegotiation=1 renegotiate=1 \
Andrzej Kurek52f84912018-10-05 07:53:40 -0400[diff] [blame]8670 hs_timeout=10000-60000 \
8671 mtu=1024" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8672 0 \
Andrzej Kurek35f2f302018-10-09 08:52:14 -0400[diff] [blame]8673 -S "autoreduction" \
Manuel Pégourié-Gonnard72c27072018-08-13 12:37:51 +0200[diff] [blame]8674 -s "found fragmented DTLS handshake message" \
8675 -c "found fragmented DTLS handshake message" \
8676 -C "error"
8677
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8678# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8679requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8680requires_config_enabled MBEDTLS_RSA_C
8681requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8682requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8683requires_config_enabled MBEDTLS_AES_C
8684requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8685client_needs_more_time 2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8686requires_max_content_len 2048
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8687run_test "DTLS fragmenting: proxy MTU + 3d" \
8688 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8689 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8690 crt_file=data_files/server7_int-ca.crt \
8691 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8692 hs_timeout=250-10000 mtu=512" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8693 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8694 crt_file=data_files/server8_int-ca2.crt \
8695 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8696 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8697 hs_timeout=250-10000 mtu=512" \
Manuel Pégourié-Gonnard2d56f0d2018-08-16 11:09:03 +0200[diff] [blame]8698 0 \
8699 -s "found fragmented DTLS handshake message" \
8700 -c "found fragmented DTLS handshake message" \
8701 -C "error"
8702
Andrzej Kurek77826052018-10-11 07:34:08 -0400[diff] [blame]8703# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8704requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8705requires_config_enabled MBEDTLS_RSA_C
8706requires_config_enabled MBEDTLS_ECDSA_C
Gilles Peskinee7738c32021-07-13 20:34:55 +0200[diff] [blame]8707requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8708requires_config_enabled MBEDTLS_AES_C
8709requires_config_enabled MBEDTLS_GCM_C
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8710client_needs_more_time 2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8711requires_max_content_len 2048
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8712run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
8713 -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
8714 "$P_SRV dtls=1 debug_level=2 auth_mode=required \
8715 crt_file=data_files/server7_int-ca.crt \
8716 key_file=data_files/server7.key \
8717 hs_timeout=250-10000 mtu=512 nbio=2" \
8718 "$P_CLI dtls=1 debug_level=2 \
8719 crt_file=data_files/server8_int-ca2.crt \
8720 key_file=data_files/server8.key \
Andrzej Kurek7311c782018-10-11 06:49:41 -0400[diff] [blame]8721 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
Manuel Pégourié-Gonnardc1d54b72018-08-22 10:02:59 +0200[diff] [blame]8722 hs_timeout=250-10000 mtu=512 nbio=2" \
8723 0 \
8724 -s "found fragmented DTLS handshake message" \
8725 -c "found fragmented DTLS handshake message" \
8726 -C "error"
8727
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8728# interop tests for DTLS fragmentating with reliable connection
8729#
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8730# here and below we just want to test that the we fragment in a way that
8731# pleases other implementations, so we don't need the peer to fragment
8732requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8733requires_config_enabled MBEDTLS_RSA_C
8734requires_config_enabled MBEDTLS_ECDSA_C
8735requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8736requires_gnutls
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8737requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8738run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
8739 "$G_SRV -u" \
8740 "$P_CLI dtls=1 debug_level=2 \
8741 crt_file=data_files/server8_int-ca2.crt \
8742 key_file=data_files/server8.key \
8743 mtu=512 force_version=dtls1_2" \
8744 0 \
8745 -c "fragmenting handshake message" \
8746 -C "error"
8747
8748requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8749requires_config_enabled MBEDTLS_RSA_C
8750requires_config_enabled MBEDTLS_ECDSA_C
8751requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8752requires_gnutls
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8753requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8754run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
8755 "$G_SRV -u" \
8756 "$P_CLI dtls=1 debug_level=2 \
8757 crt_file=data_files/server8_int-ca2.crt \
8758 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8759 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8760 0 \
8761 -c "fragmenting handshake message" \
8762 -C "error"
8763
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8764# We use --insecure for the GnuTLS client because it expects
8765# the hostname / IP it connects to to be the name used in the
8766# certificate obtained from the server. Here, however, it
8767# connects to 127.0.0.1 while our test certificates use 'localhost'
8768# as the server name in the certificate. This will make the
8769# certifiate validation fail, but passing --insecure makes
8770# GnuTLS continue the connection nonetheless.
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8771requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8772requires_config_enabled MBEDTLS_RSA_C
8773requires_config_enabled MBEDTLS_ECDSA_C
8774requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8775requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8776requires_not_i686
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8777requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8778run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8779 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8780 crt_file=data_files/server7_int-ca.crt \
8781 key_file=data_files/server7.key \
8782 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8783 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8784 0 \
8785 -s "fragmenting handshake message"
8786
Hanno Beckerb9a00862018-08-28 10:20:22 +0100[diff] [blame]8787# See previous test for the reason to use --insecure
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8788requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8789requires_config_enabled MBEDTLS_RSA_C
8790requires_config_enabled MBEDTLS_ECDSA_C
8791requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard61512982018-08-21 09:40:07 +0200[diff] [blame]8792requires_gnutls
Andrzej Kurekb4593462018-10-11 08:43:30 -0400[diff] [blame]8793requires_not_i686
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8794requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8795run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8796 "$P_SRV dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8797 crt_file=data_files/server7_int-ca.crt \
8798 key_file=data_files/server7.key \
8799 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard34aa1872018-08-23 19:07:15 +0200[diff] [blame]8800 "$G_CLI -u --insecure 127.0.0.1" \
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8801 0 \
8802 -s "fragmenting handshake message"
8803
8804requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8805requires_config_enabled MBEDTLS_RSA_C
8806requires_config_enabled MBEDTLS_ECDSA_C
8807requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8808requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8809run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
8810 "$O_SRV -dtls1_2 -verify 10" \
8811 "$P_CLI dtls=1 debug_level=2 \
8812 crt_file=data_files/server8_int-ca2.crt \
8813 key_file=data_files/server8.key \
8814 mtu=512 force_version=dtls1_2" \
8815 0 \
8816 -c "fragmenting handshake message" \
8817 -C "error"
8818
8819requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8820requires_config_enabled MBEDTLS_RSA_C
8821requires_config_enabled MBEDTLS_ECDSA_C
8822requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8823requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8824run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
8825 "$O_SRV -dtls1 -verify 10" \
8826 "$P_CLI dtls=1 debug_level=2 \
8827 crt_file=data_files/server8_int-ca2.crt \
8828 key_file=data_files/server8.key \
8829 mtu=512 force_version=dtls1" \
8830 0 \
8831 -c "fragmenting handshake message" \
8832 -C "error"
8833
8834requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8835requires_config_enabled MBEDTLS_RSA_C
8836requires_config_enabled MBEDTLS_ECDSA_C
8837requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8838requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8839run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
8840 "$P_SRV dtls=1 debug_level=2 \
8841 crt_file=data_files/server7_int-ca.crt \
8842 key_file=data_files/server7.key \
8843 mtu=512 force_version=dtls1_2" \
8844 "$O_CLI -dtls1_2" \
8845 0 \
8846 -s "fragmenting handshake message"
8847
8848requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8849requires_config_enabled MBEDTLS_RSA_C
8850requires_config_enabled MBEDTLS_ECDSA_C
8851requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8852requires_max_content_len 2048
Manuel Pégourié-Gonnard1218bc02018-08-17 10:51:26 +0200[diff] [blame]8853run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
8854 "$P_SRV dtls=1 debug_level=2 \
8855 crt_file=data_files/server7_int-ca.crt \
8856 key_file=data_files/server7.key \
8857 mtu=512 force_version=dtls1" \
8858 "$O_CLI -dtls1" \
8859 0 \
8860 -s "fragmenting handshake message"
8861
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8862# interop tests for DTLS fragmentating with unreliable connection
8863#
8864# again we just want to test that the we fragment in a way that
8865# pleases other implementations, so we don't need the peer to fragment
8866requires_gnutls_next
8867requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8868requires_config_enabled MBEDTLS_RSA_C
8869requires_config_enabled MBEDTLS_ECDSA_C
8870requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8871client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8872requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8873run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
8874 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8875 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8876 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8877 crt_file=data_files/server8_int-ca2.crt \
8878 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8879 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8880 0 \
8881 -c "fragmenting handshake message" \
8882 -C "error"
8883
8884requires_gnutls_next
8885requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8886requires_config_enabled MBEDTLS_RSA_C
8887requires_config_enabled MBEDTLS_ECDSA_C
8888requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8889client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8890requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8891run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
8892 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8893 "$G_NEXT_SRV -u" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8894 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8895 crt_file=data_files/server8_int-ca2.crt \
8896 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8897 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8898 0 \
8899 -c "fragmenting handshake message" \
8900 -C "error"
8901
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8902requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8903requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8904requires_config_enabled MBEDTLS_RSA_C
8905requires_config_enabled MBEDTLS_ECDSA_C
8906requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8907client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8908requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8909run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
8910 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8911 "$P_SRV dtls=1 debug_level=2 \
8912 crt_file=data_files/server7_int-ca.crt \
8913 key_file=data_files/server7.key \
8914 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8915 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8916 0 \
8917 -s "fragmenting handshake message"
8918
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8919requires_gnutls_next
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8920requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8921requires_config_enabled MBEDTLS_RSA_C
8922requires_config_enabled MBEDTLS_ECDSA_C
8923requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
8924client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8925requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8926run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
8927 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8928 "$P_SRV dtls=1 debug_level=2 \
8929 crt_file=data_files/server7_int-ca.crt \
8930 key_file=data_files/server7.key \
8931 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]8932 "$G_NEXT_CLI -u --insecure 127.0.0.1" \
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8933 0 \
8934 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8935
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8936## Interop test with OpenSSL might trigger a bug in recent versions (including
8937## all versions installed on the CI machines), reported here:
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8938## Bug report: https://github.com/openssl/openssl/issues/6902
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8939## They should be re-enabled once a fixed version of OpenSSL is available
8940## (this should happen in some 1.1.1_ release according to the ticket).
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8941skip_next_test
8942requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8943requires_config_enabled MBEDTLS_RSA_C
8944requires_config_enabled MBEDTLS_ECDSA_C
8945requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8946client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8947requires_max_content_len 2048
Hanno Becker3b8b40c2018-08-28 10:25:41 +0100[diff] [blame]8948run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
8949 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8950 "$O_SRV -dtls1_2 -verify 10" \
8951 "$P_CLI dtls=1 debug_level=2 \
8952 crt_file=data_files/server8_int-ca2.crt \
8953 key_file=data_files/server8.key \
8954 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8955 0 \
8956 -c "fragmenting handshake message" \
8957 -C "error"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8958
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8959skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8960requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8961requires_config_enabled MBEDTLS_RSA_C
8962requires_config_enabled MBEDTLS_ECDSA_C
8963requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8964client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]8965requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8966run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
8967 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8968 "$O_SRV -dtls1 -verify 10" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]8969 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8970 crt_file=data_files/server8_int-ca2.crt \
8971 key_file=data_files/server8.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]8972 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8973 0 \
8974 -c "fragmenting handshake message" \
8975 -C "error"
8976
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8977skip_next_test
8978requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8979requires_config_enabled MBEDTLS_RSA_C
8980requires_config_enabled MBEDTLS_ECDSA_C
8981requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
8982client_needs_more_time 4
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]8983requires_max_content_len 2048
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8984run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
8985 -p "$P_PXY drop=8 delay=8 duplicate=8" \
8986 "$P_SRV dtls=1 debug_level=2 \
8987 crt_file=data_files/server7_int-ca.crt \
8988 key_file=data_files/server7.key \
8989 hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \
8990 "$O_CLI -dtls1_2" \
8991 0 \
8992 -s "fragmenting handshake message"
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8993
8994# -nbio is added to prevent s_client from blocking in case of duplicated
8995# messages at the end of the handshake
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]8996skip_next_test
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]8997requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
8998requires_config_enabled MBEDTLS_RSA_C
8999requires_config_enabled MBEDTLS_ECDSA_C
9000requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]9001client_needs_more_time 4
Yuto Takano75ab9282021-07-26 08:27:47 +0100[diff] [blame]9002requires_max_content_len 2048
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9003run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
9004 -p "$P_PXY drop=8 delay=8 duplicate=8" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9005 "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9006 crt_file=data_files/server7_int-ca.crt \
9007 key_file=data_files/server7.key \
Manuel Pégourié-Gonnard02f3a8a2018-08-20 10:49:28 +0200[diff] [blame]9008 hs_timeout=250-60000 mtu=512 force_version=dtls1" \
Manuel Pégourié-Gonnardc1eda672018-09-03 10:41:49 +0200[diff] [blame]9009 "$O_CLI -nbio -dtls1" \
Manuel Pégourié-Gonnard38110df2018-08-17 12:44:54 +0200[diff] [blame]9010 0 \
9011 -s "fragmenting handshake message"
9012
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9013# Tests for DTLS-SRTP (RFC 5764)
9014requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9015run_test "DTLS-SRTP all profiles supported" \
9016 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9017 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9018 0 \
9019 -s "found use_srtp extension" \
9020 -s "found srtp profile" \
9021 -s "selected srtp profile" \
9022 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9023 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9024 -c "client hello, adding use_srtp extension" \
9025 -c "found use_srtp extension" \
9026 -c "found srtp profile" \
9027 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9028 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9029 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9030 -C "error"
9031
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9032
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9033requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9034run_test "DTLS-SRTP server supports all profiles. Client supports one profile." \
9035 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9036 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=5 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9037 0 \
9038 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9039 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
9040 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9041 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9042 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9043 -c "client hello, adding use_srtp extension" \
9044 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9045 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9046 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9047 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9048 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9049 -C "error"
9050
9051requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9052run_test "DTLS-SRTP server supports one profile. Client supports all profiles." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9053 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9054 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9055 0 \
9056 -s "found use_srtp extension" \
9057 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9058 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9059 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9060 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9061 -c "client hello, adding use_srtp extension" \
9062 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9063 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9064 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9065 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9066 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9067 -C "error"
9068
9069requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9070run_test "DTLS-SRTP server and Client support only one matching profile." \
9071 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9072 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9073 0 \
9074 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9075 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
9076 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9077 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9078 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9079 -c "client hello, adding use_srtp extension" \
9080 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9081 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9082 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9083 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9084 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9085 -C "error"
9086
9087requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9088run_test "DTLS-SRTP server and Client support only one different profile." \
9089 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9090 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9091 0 \
9092 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9093 -s "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9094 -S "selected srtp profile" \
9095 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9096 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9097 -c "client hello, adding use_srtp extension" \
9098 -C "found use_srtp extension" \
9099 -C "found srtp profile" \
9100 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9101 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9102 -C "error"
9103
9104requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9105run_test "DTLS-SRTP server doesn't support use_srtp extension." \
9106 "$P_SRV dtls=1 debug_level=3" \
9107 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9108 0 \
9109 -s "found use_srtp extension" \
9110 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9111 -S "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9112 -c "client hello, adding use_srtp extension" \
9113 -C "found use_srtp extension" \
9114 -C "found srtp profile" \
9115 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9116 -C "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9117 -C "error"
9118
9119requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9120run_test "DTLS-SRTP all profiles supported. mki used" \
9121 "$P_SRV dtls=1 use_srtp=1 support_mki=1 debug_level=3" \
9122 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9123 0 \
9124 -s "found use_srtp extension" \
9125 -s "found srtp profile" \
9126 -s "selected srtp profile" \
9127 -s "server hello, adding use_srtp extension" \
9128 -s "dumping 'using mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9129 -s "DTLS-SRTP key material is"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9130 -c "client hello, adding use_srtp extension" \
9131 -c "found use_srtp extension" \
9132 -c "found srtp profile" \
9133 -c "selected srtp profile" \
9134 -c "dumping 'sending mki' (8 bytes)" \
9135 -c "dumping 'received mki' (8 bytes)" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9136 -c "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9137 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]9138 -g "find_in_both '^ *DTLS-SRTP mki value: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9139 -C "error"
9140
9141requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9142run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \
9143 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9144 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9145 0 \
9146 -s "found use_srtp extension" \
9147 -s "found srtp profile" \
9148 -s "selected srtp profile" \
9149 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9150 -s "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9151 -s "DTLS-SRTP no mki value negotiated"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9152 -S "dumping 'using mki' (8 bytes)" \
9153 -c "client hello, adding use_srtp extension" \
9154 -c "found use_srtp extension" \
9155 -c "found srtp profile" \
9156 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9157 -c "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9158 -c "DTLS-SRTP no mki value negotiated"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9159 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldorb4655392018-07-05 18:25:39 +0300[diff] [blame]9160 -c "dumping 'sending mki' (8 bytes)" \
9161 -C "dumping 'received mki' (8 bytes)" \
9162 -C "error"
9163
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9164requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9165run_test "DTLS-SRTP all profiles supported. openssl client." \
9166 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9167 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9168 0 \
9169 -s "found use_srtp extension" \
9170 -s "found srtp profile" \
9171 -s "selected srtp profile" \
9172 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9173 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9174 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9175 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80"
9176
9177requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9178run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \
9179 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9180 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9181 0 \
9182 -s "found use_srtp extension" \
9183 -s "found srtp profile" \
9184 -s "selected srtp profile" \
9185 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9186 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9187 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9188 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9189
9190requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9191run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \
9192 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9193 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9194 0 \
9195 -s "found use_srtp extension" \
9196 -s "found srtp profile" \
9197 -s "selected srtp profile" \
9198 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9199 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9200 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9201 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9202
9203requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9204run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \
9205 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9206 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9207 0 \
9208 -s "found use_srtp extension" \
9209 -s "found srtp profile" \
9210 -s "selected srtp profile" \
9211 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9212 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9213 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9214 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9215
9216requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9217run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \
9218 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9219 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9220 0 \
9221 -s "found use_srtp extension" \
9222 -s "found srtp profile" \
9223 -s "selected srtp profile" \
9224 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9225 -s "DTLS-SRTP key material is"\
Johan Pascal9bc50b02020-09-24 12:01:13 +0200[diff] [blame]9226 -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9227 -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
9228
9229requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9230run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \
9231 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9232 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9233 0 \
9234 -s "found use_srtp extension" \
9235 -s "found srtp profile" \
9236 -S "selected srtp profile" \
9237 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9238 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9239 -C "SRTP Extension negotiated, profile"
9240
9241requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9242run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \
9243 "$P_SRV dtls=1 debug_level=3" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9244 "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9245 0 \
9246 -s "found use_srtp extension" \
9247 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9248 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9249 -C "SRTP Extension negotiated, profile"
9250
9251requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9252run_test "DTLS-SRTP all profiles supported. openssl server" \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9253 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9254 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9255 0 \
9256 -c "client hello, adding use_srtp extension" \
9257 -c "found use_srtp extension" \
9258 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9259 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9260 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9261 -C "error"
9262
9263requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9264run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9265 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9266 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9267 0 \
9268 -c "client hello, adding use_srtp extension" \
9269 -c "found use_srtp extension" \
9270 -c "found srtp profile" \
9271 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9272 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9273 -C "error"
9274
9275requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9276run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9277 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9278 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9279 0 \
9280 -c "client hello, adding use_srtp extension" \
9281 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9282 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9283 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9284 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9285 -C "error"
9286
9287requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9288run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9289 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9290 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9291 0 \
9292 -c "client hello, adding use_srtp extension" \
9293 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9294 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9295 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9296 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9297 -C "error"
9298
9299requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9300run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9301 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9302 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9303 0 \
9304 -c "client hello, adding use_srtp extension" \
9305 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9306 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9307 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9308 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9309 -C "error"
9310
9311requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9312run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9313 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9314 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9315 0 \
9316 -c "client hello, adding use_srtp extension" \
9317 -C "found use_srtp extension" \
9318 -C "found srtp profile" \
9319 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9320 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9321 -C "error"
9322
9323requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9324run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \
9325 "$O_SRV -dtls1" \
9326 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9327 0 \
9328 -c "client hello, adding use_srtp extension" \
9329 -C "found use_srtp extension" \
9330 -C "found srtp profile" \
9331 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9332 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9333 -C "error"
9334
9335requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
9336run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \
Johan Pascal39cfd3b2020-09-23 18:49:13 +0200[diff] [blame]9337 "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9338 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9339 0 \
9340 -c "client hello, adding use_srtp extension" \
9341 -c "found use_srtp extension" \
9342 -c "found srtp profile" \
9343 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9344 -c "DTLS-SRTP key material is"\
Johan Pascal5ef72d22020-10-28 17:05:47 +0100[diff] [blame]9345 -c "DTLS-SRTP no mki value negotiated"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9346 -c "dumping 'sending mki' (8 bytes)" \
9347 -C "dumping 'received mki' (8 bytes)" \
9348 -C "error"
9349
9350requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9351requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9352run_test "DTLS-SRTP all profiles supported. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9353 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9354 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9355 0 \
9356 -s "found use_srtp extension" \
9357 -s "found srtp profile" \
9358 -s "selected srtp profile" \
9359 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9360 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9361 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_80"
9362
9363requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9364requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9365run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9366 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9367 "$G_CLI -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9368 0 \
9369 -s "found use_srtp extension" \
9370 -s "found srtp profile" \
9371 -s "selected srtp profile" \
9372 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9373 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9374 -c "SRTP profile: SRTP_NULL_HMAC_SHA1_80"
9375
9376requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9377requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9378run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9379 "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
9380 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9381 0 \
9382 -s "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9383 -s "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
9384 -s "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9385 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9386 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9387 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
9388
9389requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9390requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9391run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls client." \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9392 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9393 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9394 0 \
9395 -s "found use_srtp extension" \
9396 -s "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9397 -s "selected srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9398 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9399 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9400 -c "SRTP profile: SRTP_NULL_SHA1_32"
9401
9402requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9403requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9404run_test "DTLS-SRTP server and Client support only one matching profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9405 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9406 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9407 0 \
9408 -s "found use_srtp extension" \
9409 -s "found srtp profile" \
9410 -s "selected srtp profile" \
9411 -s "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9412 -s "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9413 -c "SRTP profile: SRTP_AES128_CM_HMAC_SHA1_32"
9414
9415requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9416requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9417run_test "DTLS-SRTP server and Client support only one different profile. gnutls client." \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9418 "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
9419 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9420 0 \
9421 -s "found use_srtp extension" \
9422 -s "found srtp profile" \
9423 -S "selected srtp profile" \
9424 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9425 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9426 -C "SRTP profile:"
9427
9428requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9429requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9430run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls client" \
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9431 "$P_SRV dtls=1 debug_level=3" \
9432 "$G_CLI -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32 --insecure 127.0.0.1" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9433 0 \
9434 -s "found use_srtp extension" \
9435 -S "server hello, adding use_srtp extension" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9436 -S "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9437 -C "SRTP profile:"
9438
9439requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9440requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9441run_test "DTLS-SRTP all profiles supported. gnutls server" \
9442 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9443 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9444 0 \
9445 -c "client hello, adding use_srtp extension" \
9446 -c "found use_srtp extension" \
9447 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9448 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9449 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9450 -C "error"
9451
9452requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9453requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9454run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls server." \
9455 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9456 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9457 0 \
9458 -c "client hello, adding use_srtp extension" \
9459 -c "found use_srtp extension" \
9460 -c "found srtp profile" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9461 -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9462 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9463 -C "error"
9464
9465requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9466requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9467run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls server." \
9468 "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9469 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9470 0 \
9471 -c "client hello, adding use_srtp extension" \
9472 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9473 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9474 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9475 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9476 -C "error"
9477
9478requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9479requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9480run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls server." \
9481 "$G_SRV -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9482 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9483 0 \
9484 -c "client hello, adding use_srtp extension" \
9485 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9486 -c "found srtp profile: MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9487 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9488 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9489 -C "error"
9490
9491requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9492requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9493run_test "DTLS-SRTP server and Client support only one matching profile. gnutls server." \
9494 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
9495 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
9496 0 \
9497 -c "client hello, adding use_srtp extension" \
9498 -c "found use_srtp extension" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9499 -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9500 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9501 -c "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9502 -C "error"
9503
9504requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9505requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9506run_test "DTLS-SRTP server and Client support only one different profile. gnutls server." \
9507 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \
Johan Pascal43f94902020-09-22 12:25:52 +0200[diff] [blame]9508 "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9509 0 \
9510 -c "client hello, adding use_srtp extension" \
9511 -C "found use_srtp extension" \
9512 -C "found srtp profile" \
9513 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9514 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9515 -C "error"
9516
9517requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9518requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9519run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \
9520 "$G_SRV -u" \
9521 "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
9522 0 \
9523 -c "client hello, adding use_srtp extension" \
9524 -C "found use_srtp extension" \
9525 -C "found srtp profile" \
9526 -C "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9527 -C "DTLS-SRTP key material is"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9528 -C "error"
9529
9530requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
Ron Eldor5d991c92019-01-15 18:54:03 +0200[diff] [blame]9531requires_gnutls
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9532run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \
9533 "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \
9534 "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \
9535 0 \
9536 -c "client hello, adding use_srtp extension" \
9537 -c "found use_srtp extension" \
9538 -c "found srtp profile" \
9539 -c "selected srtp profile" \
Johan Pascal9bc97ca2020-09-21 23:44:45 +0200[diff] [blame]9540 -c "DTLS-SRTP key material is"\
Johan Pascal20c7db32020-10-26 22:45:58 +0100[diff] [blame]9541 -c "DTLS-SRTP mki value:"\
Ron Eldor3c6a44b2018-07-10 10:32:10 +0300[diff] [blame]9542 -c "dumping 'sending mki' (8 bytes)" \
9543 -c "dumping 'received mki' (8 bytes)" \
9544 -C "error"
9545
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9546# Tests for specific things with "unreliable" UDP connection
9547
9548not_with_valgrind # spurious resend due to timeout
9549run_test "DTLS proxy: reference" \
9550 -p "$P_PXY" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]9551 "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \
9552 "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9553 0 \
9554 -C "replayed record" \
9555 -S "replayed record" \
Hanno Beckerb2a86c32019-07-19 15:43:09 +0100[diff] [blame]9556 -C "Buffer record from epoch" \
9557 -S "Buffer record from epoch" \
9558 -C "ssl_buffer_message" \
9559 -S "ssl_buffer_message" \
Manuel Pégourié-Gonnarda7756172014-08-31 18:37:01 +0200[diff] [blame]9560 -C "discarding invalid record" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9561 -S "discarding invalid record" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]9562 -S "resend" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9563 -s "Extra-header:" \
Manuel Pégourié-Gonnardbe9eb872014-09-05 17:45:19 +0200[diff] [blame]9564 -c "HTTP/1.0 200 OK"
9565
9566not_with_valgrind # spurious resend due to timeout
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9567run_test "DTLS proxy: duplicate every packet" \
9568 -p "$P_PXY duplicate=1" \
Manuel Pégourié-Gonnardb6929892019-09-09 11:14:37 +0200[diff] [blame]9569 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
9570 "$P_CLI dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \
Manuel Pégourié-Gonnard990f9e42014-09-06 12:27:02 +0200[diff] [blame]9571 0 \
9572 -c "replayed record" \
9573 -s "replayed record" \
9574 -c "record from another epoch" \
9575 -s "record from another epoch" \
9576 -S "resend" \
9577 -s "Extra-header:" \
9578 -c "HTTP/1.0 200 OK"
9579
9580run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
9581 -p "$P_PXY duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9582 "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \
9583 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9584 0 \
9585 -c "replayed record" \
9586 -S "replayed record" \
9587 -c "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9588 -s "record from another epoch" \
9589 -c "resend" \
9590 -s "resend" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9591 -s "Extra-header:" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9592 -c "HTTP/1.0 200 OK"
9593
9594run_test "DTLS proxy: multiple records in same datagram" \
9595 -p "$P_PXY pack=50" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9596 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
9597 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9598 0 \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9599 -c "next record in same datagram" \
9600 -s "next record in same datagram"
9601
9602run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \
9603 -p "$P_PXY pack=50 duplicate=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9604 "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
9605 "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9606 0 \
9607 -c "next record in same datagram" \
9608 -s "next record in same datagram"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9609
Manuel Pégourié-Gonnard246c13a2014-09-24 13:56:09 +0200[diff] [blame]9610run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
9611 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9612 "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \
9613 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnard63eca932014-09-08 16:39:08 +0200[diff] [blame]9614 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9615 -c "discarding invalid record (mac)" \
9616 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9617 -s "Extra-header:" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9618 -c "HTTP/1.0 200 OK" \
9619 -S "too many records with bad MAC" \
9620 -S "Verification of the message MAC failed"
9621
9622run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
9623 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9624 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \
9625 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9626 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9627 -C "discarding invalid record (mac)" \
9628 -S "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9629 -S "Extra-header:" \
9630 -C "HTTP/1.0 200 OK" \
9631 -s "too many records with bad MAC" \
9632 -s "Verification of the message MAC failed"
9633
9634run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
9635 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9636 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \
9637 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9638 0 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9639 -c "discarding invalid record (mac)" \
9640 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9641 -s "Extra-header:" \
9642 -c "HTTP/1.0 200 OK" \
9643 -S "too many records with bad MAC" \
9644 -S "Verification of the message MAC failed"
9645
9646run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
9647 -p "$P_PXY bad_ad=1" \
Hanno Becker1c9a24c2018-08-14 13:46:33 +0100[diff] [blame]9648 "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \
9649 "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9650 1 \
Manuel Pégourié-Gonnard74a13782014-10-14 22:34:08 +0200[diff] [blame]9651 -c "discarding invalid record (mac)" \
9652 -s "discarding invalid record (mac)" \
Manuel Pégourié-Gonnarde698f592014-10-14 19:36:36 +0200[diff] [blame]9653 -s "Extra-header:" \
9654 -c "HTTP/1.0 200 OK" \
9655 -s "too many records with bad MAC" \
9656 -s "Verification of the message MAC failed"
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9657
9658run_test "DTLS proxy: delay ChangeCipherSpec" \
9659 -p "$P_PXY delay_ccs=1" \
Hanno Beckerc4305232018-08-14 13:41:21 +0100[diff] [blame]9660 "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \
9661 "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9662 0 \
9663 -c "record from another epoch" \
9664 -s "record from another epoch" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9665 -s "Extra-header:" \
9666 -c "HTTP/1.0 200 OK"
9667
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]9668# Tests for reordering support with DTLS
9669
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9670run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
9671 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9672 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9673 hs_timeout=2500-60000" \
9674 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9675 hs_timeout=2500-60000" \
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]9676 0 \
9677 -c "Buffering HS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9678 -c "Next handshake message has been buffered - load"\
9679 -S "Buffering HS message" \
9680 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9681 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9682 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9683 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9684 -S "Remember CCS message"
Hanno Beckere3842212018-08-16 15:28:59 +0100[diff] [blame]9685
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9686run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
9687 -p "$P_PXY delay_srv=ServerHello" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9688 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9689 hs_timeout=2500-60000" \
9690 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9691 hs_timeout=2500-60000" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9692 0 \
9693 -c "Buffering HS message" \
9694 -c "found fragmented DTLS handshake message"\
9695 -c "Next handshake message 1 not or only partially bufffered" \
9696 -c "Next handshake message has been buffered - load"\
9697 -S "Buffering HS message" \
9698 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9699 -C "Injecting buffered CCS message" \
Hanno Beckerdc1e9502018-08-28 16:02:33 +0100[diff] [blame]9700 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9701 -S "Injecting buffered CCS message" \
Hanno Beckeraa5d0c42018-08-16 13:15:19 +0100[diff] [blame]9702 -S "Remember CCS message"
9703
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9704# The client buffers the ServerKeyExchange before receiving the fragmented
9705# Certificate message; at the time of writing, together these are aroudn 1200b
9706# in size, so that the bound below ensures that the certificate can be reassembled
9707# while keeping the ServerKeyExchange.
9708requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
9709run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9710 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9711 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9712 hs_timeout=2500-60000" \
9713 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9714 hs_timeout=2500-60000" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9715 0 \
9716 -c "Buffering HS message" \
9717 -c "Next handshake message has been buffered - load"\
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9718 -C "attempt to make space by freeing buffered messages" \
9719 -S "Buffering HS message" \
9720 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9721 -C "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9722 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9723 -S "Injecting buffered CCS message" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9724 -S "Remember CCS message"
9725
9726# The size constraints ensure that the delayed certificate message can't
9727# be reassembled while keeping the ServerKeyExchange message, but it can
9728# when dropping it first.
9729requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
9730requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
9731run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
9732 -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9733 "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9734 hs_timeout=2500-60000" \
9735 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9736 hs_timeout=2500-60000" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9737 0 \
9738 -c "Buffering HS message" \
9739 -c "attempt to make space by freeing buffered future messages" \
9740 -c "Enough space available after freeing buffered HS messages" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9741 -S "Buffering HS message" \
9742 -S "Next handshake message has been buffered - load"\
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9743 -C "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9744 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9745 -S "Injecting buffered CCS message" \
Hanno Beckere3567052018-08-21 16:50:43 +0100[diff] [blame]9746 -S "Remember CCS message"
9747
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9748run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
9749 -p "$P_PXY delay_cli=Certificate" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9750 "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
9751 hs_timeout=2500-60000" \
9752 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9753 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9754 0 \
9755 -C "Buffering HS message" \
9756 -C "Next handshake message has been buffered - load"\
9757 -s "Buffering HS message" \
9758 -s "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9759 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9760 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9761 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9762 -S "Remember CCS message"
9763
9764run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
9765 -p "$P_PXY delay_srv=NewSessionTicket" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9766 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9767 hs_timeout=2500-60000" \
9768 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9769 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9770 0 \
9771 -C "Buffering HS message" \
9772 -C "Next handshake message has been buffered - load"\
9773 -S "Buffering HS message" \
9774 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9775 -c "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9776 -c "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9777 -S "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9778 -S "Remember CCS message"
9779
9780run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
9781 -p "$P_PXY delay_cli=ClientKeyExchange" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9782 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9783 hs_timeout=2500-60000" \
9784 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9785 hs_timeout=2500-60000" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9786 0 \
9787 -C "Buffering HS message" \
9788 -C "Next handshake message has been buffered - load"\
9789 -S "Buffering HS message" \
9790 -S "Next handshake message has been buffered - load" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9791 -C "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9792 -C "Remember CCS message" \
Hanno Becker39b8bc92018-08-28 17:17:13 +0100[diff] [blame]9793 -s "Injecting buffered CCS message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9794 -s "Remember CCS message"
9795
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9796run_test "DTLS reordering: Buffer encrypted Finished message" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9797 -p "$P_PXY delay_ccs=1" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9798 "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
9799 hs_timeout=2500-60000" \
9800 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
9801 hs_timeout=2500-60000" \
Hanno Beckerb34149c2018-08-16 15:29:06 +0100[diff] [blame]9802 0 \
9803 -s "Buffer record from epoch 1" \
Hanno Becker56cdfd12018-08-17 13:42:15 +0100[diff] [blame]9804 -s "Found buffered record from current epoch - load" \
9805 -c "Buffer record from epoch 1" \
9806 -c "Found buffered record from current epoch - load"
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9807
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9808# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec
9809# from the server are delayed, so that the encrypted Finished message
9810# is received and buffered. When the fragmented NewSessionTicket comes
9811# in afterwards, the encrypted Finished message must be freed in order
9812# to make space for the NewSessionTicket to be reassembled.
9813# This works only in very particular circumstances:
9814# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering
9815# of the NewSessionTicket, but small enough to also allow buffering of
9816# the encrypted Finished message.
9817# - The MTU setting on the server must be so small that the NewSessionTicket
9818# needs to be fragmented.
9819# - All messages sent by the server must be small enough to be either sent
9820# without fragmentation or be reassembled within the bounds of
9821# MBEDTLS_SSL_DTLS_MAX_BUFFERING. Achieve this by testing with a PSK-based
9822# handshake, omitting CRTs.
Manuel Pégourié-Gonnardeef4c752019-05-28 10:21:30 +0200[diff] [blame]9823requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
9824requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9825run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
9826 -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
Manuel Pégourié-Gonnardeef4c752019-05-28 10:21:30 +0200[diff] [blame]9827 "$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
Hanno Beckera1adcca2018-08-24 14:41:07 +0100[diff] [blame]9828 "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
9829 0 \
9830 -s "Buffer record from epoch 1" \
9831 -s "Found buffered record from current epoch - load" \
9832 -c "Buffer record from epoch 1" \
9833 -C "Found buffered record from current epoch - load" \
9834 -c "Enough space available after freeing future epoch record"
9835
Manuel Pégourié-Gonnarda0719722014-09-20 12:46:27 +0200[diff] [blame]9836# Tests for "randomly unreliable connection": try a variety of flows and peers
9837
9838client_needs_more_time 2
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9839run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
9840 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9841 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9842 psk=abc123" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9843 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9844 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9845 0 \
9846 -s "Extra-header:" \
9847 -c "HTTP/1.0 200 OK"
9848
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9849client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9850run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
9851 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9852 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
9853 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9854 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
9855 0 \
9856 -s "Extra-header:" \
9857 -c "HTTP/1.0 200 OK"
9858
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9859client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9860run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
9861 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9862 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
9863 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9864 0 \
9865 -s "Extra-header:" \
9866 -c "HTTP/1.0 200 OK"
9867
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9868client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9869run_test "DTLS proxy: 3d, FS, client auth" \
9870 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9871 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
9872 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9873 0 \
9874 -s "Extra-header:" \
9875 -c "HTTP/1.0 200 OK"
9876
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9877client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9878run_test "DTLS proxy: 3d, FS, ticket" \
9879 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9880 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
9881 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9882 0 \
9883 -s "Extra-header:" \
9884 -c "HTTP/1.0 200 OK"
9885
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9886client_needs_more_time 2
Manuel Pégourié-Gonnard18e519a2014-09-24 19:09:17 +0200[diff] [blame]9887run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
9888 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9889 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
9890 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
Manuel Pégourié-Gonnard825a49e2014-09-23 11:00:37 +0200[diff] [blame]9891 0 \
9892 -s "Extra-header:" \
9893 -c "HTTP/1.0 200 OK"
9894
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9895client_needs_more_time 2
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9896run_test "DTLS proxy: 3d, max handshake, nbio" \
9897 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9898 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9899 auth_mode=required" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9900 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9901 0 \
9902 -s "Extra-header:" \
9903 -c "HTTP/1.0 200 OK"
9904
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9905client_needs_more_time 4
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9906run_test "DTLS proxy: 3d, min handshake, resumption" \
9907 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9908 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9909 psk=abc123 debug_level=3" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9910 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]9911 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard7a26d732014-10-02 14:50:46 +0200[diff] [blame]9912 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9913 0 \
9914 -s "a session has been resumed" \
9915 -c "a session has been resumed" \
9916 -s "Extra-header:" \
9917 -c "HTTP/1.0 200 OK"
9918
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9919client_needs_more_time 4
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9920run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
9921 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9922 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9923 psk=abc123 debug_level=3 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9924 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard56941fe2020-02-17 11:04:33 +0100[diff] [blame]9925 debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
Manuel Pégourié-Gonnard85beb302014-10-02 17:59:19 +0200[diff] [blame]9926 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
9927 0 \
9928 -s "a session has been resumed" \
9929 -c "a session has been resumed" \
9930 -s "Extra-header:" \
9931 -c "HTTP/1.0 200 OK"
9932
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9933client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9934requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9935run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]9936 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9937 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9938 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9939 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9940 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard1b753f12014-09-25 16:09:36 +0200[diff] [blame]9941 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9942 0 \
9943 -c "=> renegotiate" \
9944 -s "=> renegotiate" \
9945 -s "Extra-header:" \
9946 -c "HTTP/1.0 200 OK"
9947
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9948client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9949requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9950run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
9951 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9952 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9953 psk=abc123 renegotiation=1 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9954 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnard37a4de22014-10-01 16:38:03 +0200[diff] [blame]9955 renegotiate=1 debug_level=2 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]9956 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9957 0 \
9958 -c "=> renegotiate" \
9959 -s "=> renegotiate" \
9960 -s "Extra-header:" \
9961 -c "HTTP/1.0 200 OK"
9962
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9963client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9964requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9965run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9966 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9967 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9968 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9969 debug_level=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9970 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9971 renegotiation=1 exchanges=4 debug_level=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9972 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9973 0 \
9974 -c "=> renegotiate" \
9975 -s "=> renegotiate" \
9976 -s "Extra-header:" \
9977 -c "HTTP/1.0 200 OK"
9978
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]9979client_needs_more_time 4
Hanno Becker6a243642017-10-12 15:18:45 +0100[diff] [blame]9980requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9981run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9982 -p "$P_PXY drop=5 delay=5 duplicate=5" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9983 "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9984 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9985 debug_level=2 nbio=2" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]9986 "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
Manuel Pégourié-Gonnarda6ace042014-10-15 12:44:41 +0200[diff] [blame]9987 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
Manuel Pégourié-Gonnardba958b82014-10-09 16:13:44 +0200[diff] [blame]9988 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
9989 0 \
9990 -c "=> renegotiate" \
9991 -s "=> renegotiate" \
9992 -s "Extra-header:" \
9993 -c "HTTP/1.0 200 OK"
9994
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]9995## Interop tests with OpenSSL might trigger a bug in recent versions (including
9996## all versions installed on the CI machines), reported here:
9997## Bug report: https://github.com/openssl/openssl/issues/6902
9998## They should be re-enabled once a fixed version of OpenSSL is available
9999## (this should happen in some 1.1.1_ release according to the ticket).
10000skip_next_test
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10001client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10002not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10003run_test "DTLS proxy: 3d, openssl server" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10004 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10005 "$O_SRV -dtls1 -mtu 2048" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10006 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10007 0 \
Manuel Pégourié-Gonnardd0fd1da2014-09-25 17:00:27 +0200[diff] [blame]10008 -c "HTTP/1.0 200 OK"
10009
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]10010skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10011client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10012not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10013run_test "DTLS proxy: 3d, openssl server, fragmentation" \
10014 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10015 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10016 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10017 0 \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10018 -c "HTTP/1.0 200 OK"
10019
Manuel Pégourié-Gonnard82986c12018-09-03 10:50:21 +0200[diff] [blame]10020skip_next_test # see above
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10021client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10022not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10023run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
10024 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
10025 "$O_SRV -dtls1 -mtu 768" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10026 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10027 0 \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10028 -c "HTTP/1.0 200 OK"
10029
Manuel Pégourié-Gonnard96999962015-02-17 16:02:37 +0000[diff] [blame]10030requires_gnutls
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10031client_needs_more_time 6
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10032not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10033run_test "DTLS proxy: 3d, gnutls server" \
10034 -p "$P_PXY drop=5 delay=5 duplicate=5" \
10035 "$G_SRV -u --mtu 2048 -a" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10036 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10037 0 \
10038 -s "Extra-header:" \
10039 -c "Extra-header:"
10040
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10041requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10042client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10043not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10044run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
10045 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10046 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10047 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
Manuel Pégourié-Gonnard9590e0a2014-09-26 16:27:59 +0200[diff] [blame]10048 0 \
10049 -s "Extra-header:" \
10050 -c "Extra-header:"
10051
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10052requires_gnutls_next
Janos Follath74537a62016-09-02 13:45:28 +0100[diff] [blame]10053client_needs_more_time 8
Manuel Pégourié-Gonnardd68434e2015-08-31 12:48:22 +0200[diff] [blame]10054not_with_valgrind # risk of non-mbedtls peer timing out
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10055run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
10056 -p "$P_PXY drop=5 delay=5 duplicate=5" \
k-stachowiak17a38d32019-02-18 15:29:56 +0100[diff] [blame]10057 "$G_NEXT_SRV -u --mtu 512" \
Andrzej Kurek948fe802018-10-05 15:42:44 -0400[diff] [blame]10058 "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
Manuel Pégourié-Gonnard6093d812014-09-29 17:52:57 +0200[diff] [blame]10059 0 \
10060 -s "Extra-header:" \
10061 -c "Extra-header:"
10062
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]10063requires_config_enabled MBEDTLS_SSL_EXPORT_KEYS
10064run_test "export keys functionality" \
10065 "$P_SRV eap_tls=1 debug_level=3" \
10066 "$P_CLI eap_tls=1 debug_level=3" \
10067 0 \
10068 -s "exported maclen is " \
10069 -s "exported keylen is " \
10070 -s "exported ivlen is " \
10071 -c "exported maclen is " \
10072 -c "exported keylen is " \
Ron Eldor65d8c262019-06-04 13:05:36 +0300[diff] [blame]10073 -c "exported ivlen is " \
10074 -c "EAP-TLS key material is:"\
10075 -s "EAP-TLS key material is:"\
10076 -c "EAP-TLS IV is:" \
10077 -s "EAP-TLS IV is:"
Ron Eldorf75e2522019-05-14 20:38:49 +0300[diff] [blame]10078
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]10079# Test heap memory usage after handshake
10080requires_config_enabled MBEDTLS_MEMORY_DEBUG
10081requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
10082requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
Yuto Takanoa49124e2021-07-08 15:56:33 +0100[diff] [blame]10083requires_max_content_len 16384
Piotr Nowicki0937ed22019-11-26 16:32:40 +0100[diff] [blame]10084run_tests_memory_after_hanshake
10085
Manuel Pégourié-Gonnard8520dac2014-02-21 12:12:23 +0100[diff] [blame]10086# Final report
10087
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10088echo "------------------------------------------------------------------------"
10089
10090if [ $FAILS = 0 ]; then
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]10091 printf "PASSED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10092else
Manuel Pégourié-Gonnardf46f1282014-12-11 11:51:28 +0100[diff] [blame]10093 printf "FAILED"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10094fi
Manuel Pégourié-Gonnard72e51ee2014-08-31 10:22:11 +0200[diff] [blame]10095PASSES=$(( $TESTS - $FAILS ))
Manuel Pégourié-Gonnard6f4fbbb2014-08-14 14:31:29 +0200[diff] [blame]10096echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
Manuel Pégourié-Gonnard33a752e2014-02-21 09:47:37 +0100[diff] [blame]10097
10098exit $FAILS