Arcola / mbedtls

mbed TLS upgraded to 2.6.0

Fork of mbedtls by Mark Radbourne

tests/ssl-opt.sh@1:9ebc941037d5, 2017-09-29 (annotated)

Committer:
Jasper Wallace
Date:
Fri Sep 29 18:41:59 2017 +0100
Revision:
1:9ebc941037d5
Parent:
0:cdf462088d13
Child:
2:bbdeda018a3c
Update to mbedtls 2.4.2, security fixes



Changes to mbedtls sources made:



in include/mbedtls/config.h comment out:



#define MBEDTLS_FS_IO

#define MBEDTLS_NET_C

#define MBEDTLS_TIMING_C



uncomment:



#define MBEDTLS_NO_PLATFORM_ENTROPY

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 #!/bin/sh
markrad 0:cdf462088d13 2
markrad 0:cdf462088d13 3 # ssl-opt.sh
markrad 0:cdf462088d13 4 #
markrad 0:cdf462088d13 5 # This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 6 #
markrad 0:cdf462088d13 7 # Copyright (c) 2016, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 8 #
markrad 0:cdf462088d13 9 # Purpose
markrad 0:cdf462088d13 10 #
markrad 0:cdf462088d13 11 # Executes tests to prove various TLS/SSL options and extensions.
markrad 0:cdf462088d13 12 #
markrad 0:cdf462088d13 13 # The goal is not to cover every ciphersuite/version, but instead to cover
markrad 0:cdf462088d13 14 # specific options (max fragment length, truncated hmac, etc) or procedures
markrad 0:cdf462088d13 15 # (session resumption from cache or ticket, renego, etc).
markrad 0:cdf462088d13 16 #
markrad 0:cdf462088d13 17 # The tests assume a build with default options, with exceptions expressed
markrad 0:cdf462088d13 18 # with a dependency. The tests focus on functionality and do not consider
markrad 0:cdf462088d13 19 # performance.
markrad 0:cdf462088d13 20 #
markrad 0:cdf462088d13 21
markrad 0:cdf462088d13 22 set -u
markrad 0:cdf462088d13 23
markrad 0:cdf462088d13 24 # default values, can be overriden by the environment
markrad 0:cdf462088d13 25 : ${P_SRV:=../programs/ssl/ssl_server2}
markrad 0:cdf462088d13 26 : ${P_CLI:=../programs/ssl/ssl_client2}
markrad 0:cdf462088d13 27 : ${P_PXY:=../programs/test/udp_proxy}
markrad 0:cdf462088d13 28 : ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
markrad 0:cdf462088d13 29 : ${GNUTLS_CLI:=gnutls-cli}
markrad 0:cdf462088d13 30 : ${GNUTLS_SERV:=gnutls-serv}
markrad 0:cdf462088d13 31
markrad 0:cdf462088d13 32 O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
markrad 0:cdf462088d13 33 O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
markrad 0:cdf462088d13 34 G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
markrad 0:cdf462088d13 35 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
markrad 0:cdf462088d13 36
markrad 0:cdf462088d13 37 TESTS=0
markrad 0:cdf462088d13 38 FAILS=0
markrad 0:cdf462088d13 39 SKIPS=0
markrad 0:cdf462088d13 40
markrad 0:cdf462088d13 41 CONFIG_H='../include/mbedtls/config.h'
markrad 0:cdf462088d13 42
markrad 0:cdf462088d13 43 MEMCHECK=0
markrad 0:cdf462088d13 44 FILTER='.*'
markrad 0:cdf462088d13 45 EXCLUDE='^$'
markrad 0:cdf462088d13 46
markrad 0:cdf462088d13 47 SHOW_TEST_NUMBER=0
markrad 0:cdf462088d13 48 RUN_TEST_NUMBER=''
markrad 0:cdf462088d13 49
markrad 0:cdf462088d13 50 PRESERVE_LOGS=0
markrad 0:cdf462088d13 51
markrad 0:cdf462088d13 52 print_usage() {
markrad 0:cdf462088d13 53 echo "Usage: $0 [options]"
markrad 0:cdf462088d13 54 printf " -h|--help\tPrint this help.\n"
markrad 0:cdf462088d13 55 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
markrad 0:cdf462088d13 56 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
markrad 0:cdf462088d13 57 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
markrad 0:cdf462088d13 58 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
markrad 0:cdf462088d13 59 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
markrad 0:cdf462088d13 60 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
markrad 0:cdf462088d13 61 printf " --seed\tInteger seed value to use for this test run\n"
markrad 0:cdf462088d13 62 }
markrad 0:cdf462088d13 63
markrad 0:cdf462088d13 64 get_options() {
markrad 0:cdf462088d13 65 while [ $# -gt 0 ]; do
markrad 0:cdf462088d13 66 case "$1" in
markrad 0:cdf462088d13 67 -f|--filter)
markrad 0:cdf462088d13 68 shift; FILTER=$1
markrad 0:cdf462088d13 69 ;;
markrad 0:cdf462088d13 70 -e|--exclude)
markrad 0:cdf462088d13 71 shift; EXCLUDE=$1
markrad 0:cdf462088d13 72 ;;
markrad 0:cdf462088d13 73 -m|--memcheck)
markrad 0:cdf462088d13 74 MEMCHECK=1
markrad 0:cdf462088d13 75 ;;
markrad 0:cdf462088d13 76 -n|--number)
markrad 0:cdf462088d13 77 shift; RUN_TEST_NUMBER=$1
markrad 0:cdf462088d13 78 ;;
markrad 0:cdf462088d13 79 -s|--show-numbers)
markrad 0:cdf462088d13 80 SHOW_TEST_NUMBER=1
markrad 0:cdf462088d13 81 ;;
markrad 0:cdf462088d13 82 -p|--preserve-logs)
markrad 0:cdf462088d13 83 PRESERVE_LOGS=1
markrad 0:cdf462088d13 84 ;;
markrad 0:cdf462088d13 85 --seed)
markrad 0:cdf462088d13 86 shift; SEED="$1"
markrad 0:cdf462088d13 87 ;;
markrad 0:cdf462088d13 88 -h|--help)
markrad 0:cdf462088d13 89 print_usage
markrad 0:cdf462088d13 90 exit 0
markrad 0:cdf462088d13 91 ;;
markrad 0:cdf462088d13 92 *)
markrad 0:cdf462088d13 93 echo "Unknown argument: '$1'"
markrad 0:cdf462088d13 94 print_usage
markrad 0:cdf462088d13 95 exit 1
markrad 0:cdf462088d13 96 ;;
markrad 0:cdf462088d13 97 esac
markrad 0:cdf462088d13 98 shift
markrad 0:cdf462088d13 99 done
markrad 0:cdf462088d13 100 }
markrad 0:cdf462088d13 101
markrad 0:cdf462088d13 102 # skip next test if the flag is not enabled in config.h
markrad 0:cdf462088d13 103 requires_config_enabled() {
markrad 0:cdf462088d13 104 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
markrad 0:cdf462088d13 105 SKIP_NEXT="YES"
markrad 0:cdf462088d13 106 fi
markrad 0:cdf462088d13 107 }
markrad 0:cdf462088d13 108
markrad 0:cdf462088d13 109 # skip next test if OpenSSL doesn't support FALLBACK_SCSV
markrad 0:cdf462088d13 110 requires_openssl_with_fallback_scsv() {
markrad 0:cdf462088d13 111 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
markrad 0:cdf462088d13 112 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
markrad 0:cdf462088d13 113 then
markrad 0:cdf462088d13 114 OPENSSL_HAS_FBSCSV="YES"
markrad 0:cdf462088d13 115 else
markrad 0:cdf462088d13 116 OPENSSL_HAS_FBSCSV="NO"
markrad 0:cdf462088d13 117 fi
markrad 0:cdf462088d13 118 fi
markrad 0:cdf462088d13 119 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
markrad 0:cdf462088d13 120 SKIP_NEXT="YES"
markrad 0:cdf462088d13 121 fi
markrad 0:cdf462088d13 122 }
markrad 0:cdf462088d13 123
markrad 0:cdf462088d13 124 # skip next test if GnuTLS isn't available
markrad 0:cdf462088d13 125 requires_gnutls() {
markrad 0:cdf462088d13 126 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
markrad 0:cdf462088d13 127 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
markrad 0:cdf462088d13 128 GNUTLS_AVAILABLE="YES"
markrad 0:cdf462088d13 129 else
markrad 0:cdf462088d13 130 GNUTLS_AVAILABLE="NO"
markrad 0:cdf462088d13 131 fi
markrad 0:cdf462088d13 132 fi
markrad 0:cdf462088d13 133 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
markrad 0:cdf462088d13 134 SKIP_NEXT="YES"
markrad 0:cdf462088d13 135 fi
markrad 0:cdf462088d13 136 }
markrad 0:cdf462088d13 137
markrad 0:cdf462088d13 138 # skip next test if IPv6 isn't available on this host
markrad 0:cdf462088d13 139 requires_ipv6() {
markrad 0:cdf462088d13 140 if [ -z "${HAS_IPV6:-}" ]; then
markrad 0:cdf462088d13 141 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
markrad 0:cdf462088d13 142 SRV_PID=$!
markrad 0:cdf462088d13 143 sleep 1
markrad 0:cdf462088d13 144 kill $SRV_PID >/dev/null 2>&1
markrad 0:cdf462088d13 145 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
markrad 0:cdf462088d13 146 HAS_IPV6="NO"
markrad 0:cdf462088d13 147 else
markrad 0:cdf462088d13 148 HAS_IPV6="YES"
markrad 0:cdf462088d13 149 fi
markrad 0:cdf462088d13 150 rm -r $SRV_OUT
markrad 0:cdf462088d13 151 fi
markrad 0:cdf462088d13 152
markrad 0:cdf462088d13 153 if [ "$HAS_IPV6" = "NO" ]; then
markrad 0:cdf462088d13 154 SKIP_NEXT="YES"
markrad 0:cdf462088d13 155 fi
markrad 0:cdf462088d13 156 }
markrad 0:cdf462088d13 157
markrad 0:cdf462088d13 158 # skip the next test if valgrind is in use
markrad 0:cdf462088d13 159 not_with_valgrind() {
markrad 0:cdf462088d13 160 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 161 SKIP_NEXT="YES"
markrad 0:cdf462088d13 162 fi
markrad 0:cdf462088d13 163 }
markrad 0:cdf462088d13 164
markrad 0:cdf462088d13 165 # skip the next test if valgrind is NOT in use
markrad 0:cdf462088d13 166 only_with_valgrind() {
markrad 0:cdf462088d13 167 if [ "$MEMCHECK" -eq 0 ]; then
markrad 0:cdf462088d13 168 SKIP_NEXT="YES"
markrad 0:cdf462088d13 169 fi
markrad 0:cdf462088d13 170 }
markrad 0:cdf462088d13 171
markrad 0:cdf462088d13 172 # multiply the client timeout delay by the given factor for the next test
markrad 0:cdf462088d13 173 client_needs_more_time() {
markrad 0:cdf462088d13 174 CLI_DELAY_FACTOR=$1
markrad 0:cdf462088d13 175 }
markrad 0:cdf462088d13 176
markrad 0:cdf462088d13 177 # wait for the given seconds after the client finished in the next test
markrad 0:cdf462088d13 178 server_needs_more_time() {
markrad 0:cdf462088d13 179 SRV_DELAY_SECONDS=$1
markrad 0:cdf462088d13 180 }
markrad 0:cdf462088d13 181
markrad 0:cdf462088d13 182 # print_name <name>
markrad 0:cdf462088d13 183 print_name() {
markrad 0:cdf462088d13 184 TESTS=$(( $TESTS + 1 ))
markrad 0:cdf462088d13 185 LINE=""
markrad 0:cdf462088d13 186
markrad 0:cdf462088d13 187 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
markrad 0:cdf462088d13 188 LINE="$TESTS "
markrad 0:cdf462088d13 189 fi
markrad 0:cdf462088d13 190
markrad 0:cdf462088d13 191 LINE="$LINE$1"
markrad 0:cdf462088d13 192 printf "$LINE "
markrad 0:cdf462088d13 193 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
markrad 0:cdf462088d13 194 for i in `seq 1 $LEN`; do printf '.'; done
markrad 0:cdf462088d13 195 printf ' '
markrad 0:cdf462088d13 196
markrad 0:cdf462088d13 197 }
markrad 0:cdf462088d13 198
markrad 0:cdf462088d13 199 # fail <message>
markrad 0:cdf462088d13 200 fail() {
markrad 0:cdf462088d13 201 echo "FAIL"
markrad 0:cdf462088d13 202 echo " ! $1"
markrad 0:cdf462088d13 203
markrad 0:cdf462088d13 204 mv $SRV_OUT o-srv-${TESTS}.log
markrad 0:cdf462088d13 205 mv $CLI_OUT o-cli-${TESTS}.log
markrad 0:cdf462088d13 206 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 207 mv $PXY_OUT o-pxy-${TESTS}.log
markrad 0:cdf462088d13 208 fi
markrad 0:cdf462088d13 209 echo " ! outputs saved to o-XXX-${TESTS}.log"
markrad 0:cdf462088d13 210
markrad 0:cdf462088d13 211 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
markrad 0:cdf462088d13 212 echo " ! server output:"
markrad 0:cdf462088d13 213 cat o-srv-${TESTS}.log
markrad 0:cdf462088d13 214 echo " ! ========================================================"
markrad 0:cdf462088d13 215 echo " ! client output:"
markrad 0:cdf462088d13 216 cat o-cli-${TESTS}.log
markrad 0:cdf462088d13 217 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 218 echo " ! ========================================================"
markrad 0:cdf462088d13 219 echo " ! proxy output:"
markrad 0:cdf462088d13 220 cat o-pxy-${TESTS}.log
markrad 0:cdf462088d13 221 fi
markrad 0:cdf462088d13 222 echo ""
markrad 0:cdf462088d13 223 fi
markrad 0:cdf462088d13 224
markrad 0:cdf462088d13 225 FAILS=$(( $FAILS + 1 ))
markrad 0:cdf462088d13 226 }
markrad 0:cdf462088d13 227
markrad 0:cdf462088d13 228 # is_polar <cmd_line>
markrad 0:cdf462088d13 229 is_polar() {
markrad 0:cdf462088d13 230 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
markrad 0:cdf462088d13 231 }
markrad 0:cdf462088d13 232
markrad 0:cdf462088d13 233 # openssl s_server doesn't have -www with DTLS
markrad 0:cdf462088d13 234 check_osrv_dtls() {
markrad 0:cdf462088d13 235 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
markrad 0:cdf462088d13 236 NEEDS_INPUT=1
markrad 0:cdf462088d13 237 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
markrad 0:cdf462088d13 238 else
markrad 0:cdf462088d13 239 NEEDS_INPUT=0
markrad 0:cdf462088d13 240 fi
markrad 0:cdf462088d13 241 }
markrad 0:cdf462088d13 242
markrad 0:cdf462088d13 243 # provide input to commands that need it
markrad 0:cdf462088d13 244 provide_input() {
markrad 0:cdf462088d13 245 if [ $NEEDS_INPUT -eq 0 ]; then
markrad 0:cdf462088d13 246 return
markrad 0:cdf462088d13 247 fi
markrad 0:cdf462088d13 248
markrad 0:cdf462088d13 249 while true; do
markrad 0:cdf462088d13 250 echo "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 251 sleep 1
markrad 0:cdf462088d13 252 done
markrad 0:cdf462088d13 253 }
markrad 0:cdf462088d13 254
markrad 0:cdf462088d13 255 # has_mem_err <log_file_name>
markrad 0:cdf462088d13 256 has_mem_err() {
markrad 0:cdf462088d13 257 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
markrad 0:cdf462088d13 258 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
markrad 0:cdf462088d13 259 then
markrad 0:cdf462088d13 260 return 1 # false: does not have errors
markrad 0:cdf462088d13 261 else
markrad 0:cdf462088d13 262 return 0 # true: has errors
markrad 0:cdf462088d13 263 fi
markrad 0:cdf462088d13 264 }
markrad 0:cdf462088d13 265
markrad 0:cdf462088d13 266 # wait for server to start: two versions depending on lsof availability
markrad 0:cdf462088d13 267 wait_server_start() {
markrad 0:cdf462088d13 268 if which lsof >/dev/null 2>&1; then
markrad 0:cdf462088d13 269 START_TIME=$( date +%s )
markrad 0:cdf462088d13 270 DONE=0
markrad 0:cdf462088d13 271
markrad 0:cdf462088d13 272 # make a tight loop, server usually takes less than 1 sec to start
markrad 0:cdf462088d13 273 if [ "$DTLS" -eq 1 ]; then
markrad 0:cdf462088d13 274 while [ $DONE -eq 0 ]; do
markrad 0:cdf462088d13 275 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
markrad 0:cdf462088d13 276 then
markrad 0:cdf462088d13 277 DONE=1
markrad 0:cdf462088d13 278 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad 0:cdf462088d13 279 echo "SERVERSTART TIMEOUT"
markrad 0:cdf462088d13 280 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad 0:cdf462088d13 281 DONE=1
markrad 0:cdf462088d13 282 fi
markrad 0:cdf462088d13 283 done
markrad 0:cdf462088d13 284 else
markrad 0:cdf462088d13 285 while [ $DONE -eq 0 ]; do
markrad 0:cdf462088d13 286 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
markrad 0:cdf462088d13 287 then
markrad 0:cdf462088d13 288 DONE=1
markrad 0:cdf462088d13 289 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad 0:cdf462088d13 290 echo "SERVERSTART TIMEOUT"
markrad 0:cdf462088d13 291 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad 0:cdf462088d13 292 DONE=1
markrad 0:cdf462088d13 293 fi
markrad 0:cdf462088d13 294 done
markrad 0:cdf462088d13 295 fi
markrad 0:cdf462088d13 296 else
markrad 0:cdf462088d13 297 sleep "$START_DELAY"
markrad 0:cdf462088d13 298 fi
markrad 0:cdf462088d13 299 }
markrad 0:cdf462088d13 300
markrad 0:cdf462088d13 301 # wait for client to terminate and set CLI_EXIT
markrad 0:cdf462088d13 302 # must be called right after starting the client
markrad 0:cdf462088d13 303 wait_client_done() {
markrad 0:cdf462088d13 304 CLI_PID=$!
markrad 0:cdf462088d13 305
markrad 0:cdf462088d13 306 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
markrad 0:cdf462088d13 307 CLI_DELAY_FACTOR=1
markrad 0:cdf462088d13 308
markrad 0:cdf462088d13 309 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
markrad 0:cdf462088d13 310 DOG_PID=$!
markrad 0:cdf462088d13 311
markrad 0:cdf462088d13 312 wait $CLI_PID
markrad 0:cdf462088d13 313 CLI_EXIT=$?
markrad 0:cdf462088d13 314
markrad 0:cdf462088d13 315 kill $DOG_PID >/dev/null 2>&1
markrad 0:cdf462088d13 316 wait $DOG_PID
markrad 0:cdf462088d13 317
markrad 0:cdf462088d13 318 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
markrad 0:cdf462088d13 319
markrad 0:cdf462088d13 320 sleep $SRV_DELAY_SECONDS
markrad 0:cdf462088d13 321 SRV_DELAY_SECONDS=0
markrad 0:cdf462088d13 322 }
markrad 0:cdf462088d13 323
markrad 0:cdf462088d13 324 # check if the given command uses dtls and sets global variable DTLS
markrad 0:cdf462088d13 325 detect_dtls() {
markrad 0:cdf462088d13 326 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
markrad 0:cdf462088d13 327 DTLS=1
markrad 0:cdf462088d13 328 else
markrad 0:cdf462088d13 329 DTLS=0
markrad 0:cdf462088d13 330 fi
markrad 0:cdf462088d13 331 }
markrad 0:cdf462088d13 332
markrad 0:cdf462088d13 333 # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
markrad 0:cdf462088d13 334 # Options: -s pattern pattern that must be present in server output
markrad 0:cdf462088d13 335 # -c pattern pattern that must be present in client output
markrad 0:cdf462088d13 336 # -u pattern lines after pattern must be unique in client output
markrad 0:cdf462088d13 337 # -S pattern pattern that must be absent in server output
markrad 0:cdf462088d13 338 # -C pattern pattern that must be absent in client output
markrad 0:cdf462088d13 339 # -U pattern lines after pattern must be unique in server output
markrad 0:cdf462088d13 340 run_test() {
markrad 0:cdf462088d13 341 NAME="$1"
markrad 0:cdf462088d13 342 shift 1
markrad 0:cdf462088d13 343
markrad 0:cdf462088d13 344 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
markrad 0:cdf462088d13 345 else
markrad 0:cdf462088d13 346 SKIP_NEXT="NO"
markrad 0:cdf462088d13 347 return
markrad 0:cdf462088d13 348 fi
markrad 0:cdf462088d13 349
markrad 0:cdf462088d13 350 print_name "$NAME"
markrad 0:cdf462088d13 351
markrad 0:cdf462088d13 352 # Do we only run numbered tests?
markrad 0:cdf462088d13 353 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
markrad 0:cdf462088d13 354 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
markrad 0:cdf462088d13 355 else
markrad 0:cdf462088d13 356 SKIP_NEXT="YES"
markrad 0:cdf462088d13 357 fi
markrad 0:cdf462088d13 358
markrad 0:cdf462088d13 359 # should we skip?
markrad 0:cdf462088d13 360 if [ "X$SKIP_NEXT" = "XYES" ]; then
markrad 0:cdf462088d13 361 SKIP_NEXT="NO"
markrad 0:cdf462088d13 362 echo "SKIP"
markrad 0:cdf462088d13 363 SKIPS=$(( $SKIPS + 1 ))
markrad 0:cdf462088d13 364 return
markrad 0:cdf462088d13 365 fi
markrad 0:cdf462088d13 366
markrad 0:cdf462088d13 367 # does this test use a proxy?
markrad 0:cdf462088d13 368 if [ "X$1" = "X-p" ]; then
markrad 0:cdf462088d13 369 PXY_CMD="$2"
markrad 0:cdf462088d13 370 shift 2
markrad 0:cdf462088d13 371 else
markrad 0:cdf462088d13 372 PXY_CMD=""
markrad 0:cdf462088d13 373 fi
markrad 0:cdf462088d13 374
markrad 0:cdf462088d13 375 # get commands and client output
markrad 0:cdf462088d13 376 SRV_CMD="$1"
markrad 0:cdf462088d13 377 CLI_CMD="$2"
markrad 0:cdf462088d13 378 CLI_EXPECT="$3"
markrad 0:cdf462088d13 379 shift 3
markrad 0:cdf462088d13 380
markrad 0:cdf462088d13 381 # fix client port
markrad 0:cdf462088d13 382 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 383 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
markrad 0:cdf462088d13 384 else
markrad 0:cdf462088d13 385 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
markrad 0:cdf462088d13 386 fi
markrad 0:cdf462088d13 387
markrad 0:cdf462088d13 388 # update DTLS variable
markrad 0:cdf462088d13 389 detect_dtls "$SRV_CMD"
markrad 0:cdf462088d13 390
markrad 0:cdf462088d13 391 # prepend valgrind to our commands if active
markrad 0:cdf462088d13 392 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 393 if is_polar "$SRV_CMD"; then
markrad 0:cdf462088d13 394 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
markrad 0:cdf462088d13 395 fi
markrad 0:cdf462088d13 396 if is_polar "$CLI_CMD"; then
markrad 0:cdf462088d13 397 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
markrad 0:cdf462088d13 398 fi
markrad 0:cdf462088d13 399 fi
markrad 0:cdf462088d13 400
markrad 0:cdf462088d13 401 TIMES_LEFT=2
markrad 0:cdf462088d13 402 while [ $TIMES_LEFT -gt 0 ]; do
markrad 0:cdf462088d13 403 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
markrad 0:cdf462088d13 404
markrad 0:cdf462088d13 405 # run the commands
markrad 0:cdf462088d13 406 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 407 echo "$PXY_CMD" > $PXY_OUT
markrad 0:cdf462088d13 408 $PXY_CMD >> $PXY_OUT 2>&1 &
markrad 0:cdf462088d13 409 PXY_PID=$!
markrad 0:cdf462088d13 410 # assume proxy starts faster than server
markrad 0:cdf462088d13 411 fi
markrad 0:cdf462088d13 412
markrad 0:cdf462088d13 413 check_osrv_dtls
markrad 0:cdf462088d13 414 echo "$SRV_CMD" > $SRV_OUT
markrad 0:cdf462088d13 415 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
markrad 0:cdf462088d13 416 SRV_PID=$!
markrad 0:cdf462088d13 417 wait_server_start
markrad 0:cdf462088d13 418
markrad 0:cdf462088d13 419 echo "$CLI_CMD" > $CLI_OUT
markrad 0:cdf462088d13 420 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
markrad 0:cdf462088d13 421 wait_client_done
markrad 0:cdf462088d13 422
markrad 0:cdf462088d13 423 # terminate the server (and the proxy)
markrad 0:cdf462088d13 424 kill $SRV_PID
markrad 0:cdf462088d13 425 wait $SRV_PID
markrad 0:cdf462088d13 426 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 427 kill $PXY_PID >/dev/null 2>&1
markrad 0:cdf462088d13 428 wait $PXY_PID
markrad 0:cdf462088d13 429 fi
markrad 0:cdf462088d13 430
markrad 0:cdf462088d13 431 # retry only on timeouts
markrad 0:cdf462088d13 432 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
markrad 0:cdf462088d13 433 printf "RETRY "
markrad 0:cdf462088d13 434 else
markrad 0:cdf462088d13 435 TIMES_LEFT=0
markrad 0:cdf462088d13 436 fi
markrad 0:cdf462088d13 437 done
markrad 0:cdf462088d13 438
markrad 0:cdf462088d13 439 # check if the client and server went at least to the handshake stage
markrad 0:cdf462088d13 440 # (useful to avoid tests with only negative assertions and non-zero
markrad 0:cdf462088d13 441 # expected client exit to incorrectly succeed in case of catastrophic
markrad 0:cdf462088d13 442 # failure)
markrad 0:cdf462088d13 443 if is_polar "$SRV_CMD"; then
markrad 0:cdf462088d13 444 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
markrad 0:cdf462088d13 445 else
markrad 0:cdf462088d13 446 fail "server or client failed to reach handshake stage"
markrad 0:cdf462088d13 447 return
markrad 0:cdf462088d13 448 fi
markrad 0:cdf462088d13 449 fi
markrad 0:cdf462088d13 450 if is_polar "$CLI_CMD"; then
markrad 0:cdf462088d13 451 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
markrad 0:cdf462088d13 452 else
markrad 0:cdf462088d13 453 fail "server or client failed to reach handshake stage"
markrad 0:cdf462088d13 454 return
markrad 0:cdf462088d13 455 fi
markrad 0:cdf462088d13 456 fi
markrad 0:cdf462088d13 457
markrad 0:cdf462088d13 458 # check server exit code
markrad 0:cdf462088d13 459 if [ $? != 0 ]; then
markrad 0:cdf462088d13 460 fail "server fail"
markrad 0:cdf462088d13 461 return
markrad 0:cdf462088d13 462 fi
markrad 0:cdf462088d13 463
markrad 0:cdf462088d13 464 # check client exit code
markrad 0:cdf462088d13 465 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
markrad 0:cdf462088d13 466 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
markrad 0:cdf462088d13 467 then
markrad 0:cdf462088d13 468 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
markrad 0:cdf462088d13 469 return
markrad 0:cdf462088d13 470 fi
markrad 0:cdf462088d13 471
markrad 0:cdf462088d13 472 # check other assertions
markrad 0:cdf462088d13 473 # lines beginning with == are added by valgrind, ignore them
markrad 0:cdf462088d13 474 # lines with 'Serious error when reading debug info', are valgrind issues as well
markrad 0:cdf462088d13 475 while [ $# -gt 0 ]
markrad 0:cdf462088d13 476 do
markrad 0:cdf462088d13 477 case $1 in
markrad 0:cdf462088d13 478 "-s")
markrad 0:cdf462088d13 479 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
markrad 0:cdf462088d13 480 fail "pattern '$2' MUST be present in the Server output"
markrad 0:cdf462088d13 481 return
markrad 0:cdf462088d13 482 fi
markrad 0:cdf462088d13 483 ;;
markrad 0:cdf462088d13 484
markrad 0:cdf462088d13 485 "-c")
markrad 0:cdf462088d13 486 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
markrad 0:cdf462088d13 487 fail "pattern '$2' MUST be present in the Client output"
markrad 0:cdf462088d13 488 return
markrad 0:cdf462088d13 489 fi
markrad 0:cdf462088d13 490 ;;
markrad 0:cdf462088d13 491
markrad 0:cdf462088d13 492 "-S")
markrad 0:cdf462088d13 493 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
markrad 0:cdf462088d13 494 fail "pattern '$2' MUST NOT be present in the Server output"
markrad 0:cdf462088d13 495 return
markrad 0:cdf462088d13 496 fi
markrad 0:cdf462088d13 497 ;;
markrad 0:cdf462088d13 498
markrad 0:cdf462088d13 499 "-C")
markrad 0:cdf462088d13 500 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
markrad 0:cdf462088d13 501 fail "pattern '$2' MUST NOT be present in the Client output"
markrad 0:cdf462088d13 502 return
markrad 0:cdf462088d13 503 fi
markrad 0:cdf462088d13 504 ;;
markrad 0:cdf462088d13 505
markrad 0:cdf462088d13 506 # The filtering in the following two options (-u and -U) do the following
markrad 0:cdf462088d13 507 # - ignore valgrind output
markrad 0:cdf462088d13 508 # - filter out everything but lines right after the pattern occurances
markrad 0:cdf462088d13 509 # - keep one of each non-unique line
markrad 0:cdf462088d13 510 # - count how many lines remain
markrad 0:cdf462088d13 511 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
markrad 0:cdf462088d13 512 # if there were no duplicates.
markrad 0:cdf462088d13 513 "-U")
markrad 0:cdf462088d13 514 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
markrad 0:cdf462088d13 515 fail "lines following pattern '$2' must be unique in Server output"
markrad 0:cdf462088d13 516 return
markrad 0:cdf462088d13 517 fi
markrad 0:cdf462088d13 518 ;;
markrad 0:cdf462088d13 519
markrad 0:cdf462088d13 520 "-u")
markrad 0:cdf462088d13 521 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
markrad 0:cdf462088d13 522 fail "lines following pattern '$2' must be unique in Client output"
markrad 0:cdf462088d13 523 return
markrad 0:cdf462088d13 524 fi
markrad 0:cdf462088d13 525 ;;
markrad 0:cdf462088d13 526
markrad 0:cdf462088d13 527 *)
markrad 0:cdf462088d13 528 echo "Unknown test: $1" >&2
markrad 0:cdf462088d13 529 exit 1
markrad 0:cdf462088d13 530 esac
markrad 0:cdf462088d13 531 shift 2
markrad 0:cdf462088d13 532 done
markrad 0:cdf462088d13 533
markrad 0:cdf462088d13 534 # check valgrind's results
markrad 0:cdf462088d13 535 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 536 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
markrad 0:cdf462088d13 537 fail "Server has memory errors"
markrad 0:cdf462088d13 538 return
markrad 0:cdf462088d13 539 fi
markrad 0:cdf462088d13 540 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
markrad 0:cdf462088d13 541 fail "Client has memory errors"
markrad 0:cdf462088d13 542 return
markrad 0:cdf462088d13 543 fi
markrad 0:cdf462088d13 544 fi
markrad 0:cdf462088d13 545
markrad 0:cdf462088d13 546 # if we're here, everything is ok
markrad 0:cdf462088d13 547 echo "PASS"
markrad 0:cdf462088d13 548 if [ "$PRESERVE_LOGS" -gt 0 ]; then
markrad 0:cdf462088d13 549 mv $SRV_OUT o-srv-${TESTS}.log
markrad 0:cdf462088d13 550 mv $CLI_OUT o-cli-${TESTS}.log
markrad 0:cdf462088d13 551 fi
markrad 0:cdf462088d13 552
markrad 0:cdf462088d13 553 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
markrad 0:cdf462088d13 554 }
markrad 0:cdf462088d13 555
markrad 0:cdf462088d13 556 cleanup() {
markrad 0:cdf462088d13 557 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
markrad 0:cdf462088d13 558 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
markrad 0:cdf462088d13 559 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
markrad 0:cdf462088d13 560 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
markrad 0:cdf462088d13 561 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
markrad 0:cdf462088d13 562 exit 1
markrad 0:cdf462088d13 563 }
markrad 0:cdf462088d13 564
markrad 0:cdf462088d13 565 #
markrad 0:cdf462088d13 566 # MAIN
markrad 0:cdf462088d13 567 #
markrad 0:cdf462088d13 568
markrad 0:cdf462088d13 569 if cd $( dirname $0 ); then :; else
markrad 0:cdf462088d13 570 echo "cd $( dirname $0 ) failed" >&2
markrad 0:cdf462088d13 571 exit 1
markrad 0:cdf462088d13 572 fi
markrad 0:cdf462088d13 573
markrad 0:cdf462088d13 574 get_options "$@"
markrad 0:cdf462088d13 575
markrad 0:cdf462088d13 576 # sanity checks, avoid an avalanche of errors
markrad 0:cdf462088d13 577 if [ ! -x "$P_SRV" ]; then
markrad 0:cdf462088d13 578 echo "Command '$P_SRV' is not an executable file"
markrad 0:cdf462088d13 579 exit 1
markrad 0:cdf462088d13 580 fi
markrad 0:cdf462088d13 581 if [ ! -x "$P_CLI" ]; then
markrad 0:cdf462088d13 582 echo "Command '$P_CLI' is not an executable file"
markrad 0:cdf462088d13 583 exit 1
markrad 0:cdf462088d13 584 fi
markrad 0:cdf462088d13 585 if [ ! -x "$P_PXY" ]; then
markrad 0:cdf462088d13 586 echo "Command '$P_PXY' is not an executable file"
markrad 0:cdf462088d13 587 exit 1
markrad 0:cdf462088d13 588 fi
markrad 0:cdf462088d13 589 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 590 if which valgrind >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 591 echo "Memcheck not possible. Valgrind not found"
markrad 0:cdf462088d13 592 exit 1
markrad 0:cdf462088d13 593 fi
markrad 0:cdf462088d13 594 fi
markrad 0:cdf462088d13 595 if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 596 echo "Command '$OPENSSL_CMD' not found"
markrad 0:cdf462088d13 597 exit 1
markrad 0:cdf462088d13 598 fi
markrad 0:cdf462088d13 599
markrad 0:cdf462088d13 600 # used by watchdog
markrad 0:cdf462088d13 601 MAIN_PID="$$"
markrad 0:cdf462088d13 602
markrad 0:cdf462088d13 603 # be more patient with valgrind
markrad 0:cdf462088d13 604 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 605 START_DELAY=3
markrad 0:cdf462088d13 606 DOG_DELAY=30
markrad 0:cdf462088d13 607 else
markrad 0:cdf462088d13 608 START_DELAY=1
markrad 0:cdf462088d13 609 DOG_DELAY=10
markrad 0:cdf462088d13 610 fi
markrad 0:cdf462088d13 611 CLI_DELAY_FACTOR=1
markrad 0:cdf462088d13 612 SRV_DELAY_SECONDS=0
markrad 0:cdf462088d13 613
markrad 0:cdf462088d13 614 # Pick a "unique" server port in the range 10000-19999, and a proxy port
markrad 0:cdf462088d13 615 PORT_BASE="0000$$"
markrad 0:cdf462088d13 616 PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
markrad 0:cdf462088d13 617 SRV_PORT="1$PORT_BASE"
markrad 0:cdf462088d13 618 PXY_PORT="2$PORT_BASE"
markrad 0:cdf462088d13 619 unset PORT_BASE
markrad 0:cdf462088d13 620
markrad 0:cdf462088d13 621 # fix commands to use this port, force IPv4 while at it
markrad 0:cdf462088d13 622 # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
markrad 0:cdf462088d13 623 P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
markrad 0:cdf462088d13 624 P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
markrad 0:cdf462088d13 625 P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
markrad 0:cdf462088d13 626 O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
markrad 0:cdf462088d13 627 O_CLI="$O_CLI -connect localhost:+SRV_PORT"
markrad 0:cdf462088d13 628 G_SRV="$G_SRV -p $SRV_PORT"
markrad 0:cdf462088d13 629 G_CLI="$G_CLI -p +SRV_PORT localhost"
markrad 0:cdf462088d13 630
markrad 0:cdf462088d13 631 # Also pick a unique name for intermediate files
markrad 0:cdf462088d13 632 SRV_OUT="srv_out.$$"
markrad 0:cdf462088d13 633 CLI_OUT="cli_out.$$"
markrad 0:cdf462088d13 634 PXY_OUT="pxy_out.$$"
markrad 0:cdf462088d13 635 SESSION="session.$$"
markrad 0:cdf462088d13 636
markrad 0:cdf462088d13 637 SKIP_NEXT="NO"
markrad 0:cdf462088d13 638
markrad 0:cdf462088d13 639 trap cleanup INT TERM HUP
markrad 0:cdf462088d13 640
markrad 0:cdf462088d13 641 # Basic test
markrad 0:cdf462088d13 642
markrad 0:cdf462088d13 643 # Checks that:
markrad 0:cdf462088d13 644 # - things work with all ciphersuites active (used with config-full in all.sh)
markrad 0:cdf462088d13 645 # - the expected (highest security) parameters are selected
markrad 0:cdf462088d13 646 # ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
markrad 0:cdf462088d13 647 run_test "Default" \
markrad 0:cdf462088d13 648 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 649 "$P_CLI" \
markrad 0:cdf462088d13 650 0 \
markrad 0:cdf462088d13 651 -s "Protocol is TLSv1.2" \
markrad 0:cdf462088d13 652 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 653 -s "client hello v3, signature_algorithm ext: 6" \
markrad 0:cdf462088d13 654 -s "ECDHE curve: secp521r1" \
markrad 0:cdf462088d13 655 -S "error" \
markrad 0:cdf462088d13 656 -C "error"
markrad 0:cdf462088d13 657
markrad 0:cdf462088d13 658 run_test "Default, DTLS" \
markrad 0:cdf462088d13 659 "$P_SRV dtls=1" \
markrad 0:cdf462088d13 660 "$P_CLI dtls=1" \
markrad 0:cdf462088d13 661 0 \
markrad 0:cdf462088d13 662 -s "Protocol is DTLSv1.2" \
markrad 0:cdf462088d13 663 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
markrad 0:cdf462088d13 664
markrad 0:cdf462088d13 665 # Test for uniqueness of IVs in AEAD ciphersuites
markrad 0:cdf462088d13 666 run_test "Unique IV in GCM" \
markrad 0:cdf462088d13 667 "$P_SRV exchanges=20 debug_level=4" \
markrad 0:cdf462088d13 668 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 669 0 \
markrad 0:cdf462088d13 670 -u "IV used" \
markrad 0:cdf462088d13 671 -U "IV used"
markrad 0:cdf462088d13 672
markrad 0:cdf462088d13 673 # Tests for rc4 option
markrad 0:cdf462088d13 674
markrad 0:cdf462088d13 675 requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad 0:cdf462088d13 676 run_test "RC4: server disabled, client enabled" \
markrad 0:cdf462088d13 677 "$P_SRV" \
markrad 0:cdf462088d13 678 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 679 1 \
markrad 0:cdf462088d13 680 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 681
markrad 0:cdf462088d13 682 requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad 0:cdf462088d13 683 run_test "RC4: server half, client enabled" \
markrad 0:cdf462088d13 684 "$P_SRV arc4=1" \
markrad 0:cdf462088d13 685 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 686 1 \
markrad 0:cdf462088d13 687 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 688
markrad 0:cdf462088d13 689 run_test "RC4: server enabled, client disabled" \
markrad 0:cdf462088d13 690 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 691 "$P_CLI" \
markrad 0:cdf462088d13 692 1 \
markrad 0:cdf462088d13 693 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 694
markrad 0:cdf462088d13 695 run_test "RC4: both enabled" \
markrad 0:cdf462088d13 696 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 697 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 698 0 \
markrad 0:cdf462088d13 699 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 700 -S "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 701
markrad 0:cdf462088d13 702 # Tests for Truncated HMAC extension
markrad 0:cdf462088d13 703
markrad 0:cdf462088d13 704 run_test "Truncated HMAC: client default, server default" \
markrad 0:cdf462088d13 705 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 706 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 707 0 \
markrad 0:cdf462088d13 708 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 709 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 710
markrad 0:cdf462088d13 711 run_test "Truncated HMAC: client disabled, server default" \
markrad 0:cdf462088d13 712 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 713 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 714 trunc_hmac=0" \
markrad 0:cdf462088d13 715 0 \
markrad 0:cdf462088d13 716 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 717 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 718
markrad 0:cdf462088d13 719 run_test "Truncated HMAC: client enabled, server default" \
markrad 0:cdf462088d13 720 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 721 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 722 trunc_hmac=1" \
markrad 0:cdf462088d13 723 0 \
markrad 0:cdf462088d13 724 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 725 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 726
markrad 0:cdf462088d13 727 run_test "Truncated HMAC: client enabled, server disabled" \
markrad 0:cdf462088d13 728 "$P_SRV debug_level=4 trunc_hmac=0" \
markrad 0:cdf462088d13 729 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 730 trunc_hmac=1" \
markrad 0:cdf462088d13 731 0 \
markrad 0:cdf462088d13 732 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 733 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 734
markrad 0:cdf462088d13 735 run_test "Truncated HMAC: client enabled, server enabled" \
markrad 0:cdf462088d13 736 "$P_SRV debug_level=4 trunc_hmac=1" \
markrad 0:cdf462088d13 737 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 738 trunc_hmac=1" \
markrad 0:cdf462088d13 739 0 \
markrad 0:cdf462088d13 740 -S "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 741 -s "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 742
markrad 0:cdf462088d13 743 # Tests for Encrypt-then-MAC extension
markrad 0:cdf462088d13 744
markrad 0:cdf462088d13 745 run_test "Encrypt then MAC: default" \
markrad 0:cdf462088d13 746 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 747 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 748 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 749 0 \
markrad 0:cdf462088d13 750 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 751 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 752 -s "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 753 -c "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 754 -c "using encrypt then mac" \
markrad 0:cdf462088d13 755 -s "using encrypt then mac"
markrad 0:cdf462088d13 756
markrad 0:cdf462088d13 757 run_test "Encrypt then MAC: client enabled, server disabled" \
markrad 0:cdf462088d13 758 "$P_SRV debug_level=3 etm=0 \
markrad 0:cdf462088d13 759 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 760 "$P_CLI debug_level=3 etm=1" \
markrad 0:cdf462088d13 761 0 \
markrad 0:cdf462088d13 762 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 763 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 764 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 765 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 766 -C "using encrypt then mac" \
markrad 0:cdf462088d13 767 -S "using encrypt then mac"
markrad 0:cdf462088d13 768
markrad 0:cdf462088d13 769 run_test "Encrypt then MAC: client enabled, aead cipher" \
markrad 0:cdf462088d13 770 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 771 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 772 "$P_CLI debug_level=3 etm=1" \
markrad 0:cdf462088d13 773 0 \
markrad 0:cdf462088d13 774 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 775 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 776 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 777 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 778 -C "using encrypt then mac" \
markrad 0:cdf462088d13 779 -S "using encrypt then mac"
markrad 0:cdf462088d13 780
markrad 0:cdf462088d13 781 run_test "Encrypt then MAC: client enabled, stream cipher" \
markrad 0:cdf462088d13 782 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 783 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 784 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 785 0 \
markrad 0:cdf462088d13 786 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 787 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 788 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 789 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 790 -C "using encrypt then mac" \
markrad 0:cdf462088d13 791 -S "using encrypt then mac"
markrad 0:cdf462088d13 792
markrad 0:cdf462088d13 793 run_test "Encrypt then MAC: client disabled, server enabled" \
markrad 0:cdf462088d13 794 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 795 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 796 "$P_CLI debug_level=3 etm=0" \
markrad 0:cdf462088d13 797 0 \
markrad 0:cdf462088d13 798 -C "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 799 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 800 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 801 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 802 -C "using encrypt then mac" \
markrad 0:cdf462088d13 803 -S "using encrypt then mac"
markrad 0:cdf462088d13 804
markrad 0:cdf462088d13 805 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 806 run_test "Encrypt then MAC: client SSLv3, server enabled" \
markrad 0:cdf462088d13 807 "$P_SRV debug_level=3 min_version=ssl3 \
markrad 0:cdf462088d13 808 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 809 "$P_CLI debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 810 0 \
markrad 0:cdf462088d13 811 -C "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 812 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 813 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 814 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 815 -C "using encrypt then mac" \
markrad 0:cdf462088d13 816 -S "using encrypt then mac"
markrad 0:cdf462088d13 817
markrad 0:cdf462088d13 818 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 819 run_test "Encrypt then MAC: client enabled, server SSLv3" \
markrad 0:cdf462088d13 820 "$P_SRV debug_level=3 force_version=ssl3 \
markrad 0:cdf462088d13 821 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 822 "$P_CLI debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 823 0 \
markrad 0:cdf462088d13 824 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 825 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 826 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 827 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 828 -C "using encrypt then mac" \
markrad 0:cdf462088d13 829 -S "using encrypt then mac"
markrad 0:cdf462088d13 830
markrad 0:cdf462088d13 831 # Tests for Extended Master Secret extension
markrad 0:cdf462088d13 832
markrad 0:cdf462088d13 833 run_test "Extended Master Secret: default" \
markrad 0:cdf462088d13 834 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 835 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 836 0 \
markrad 0:cdf462088d13 837 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 838 -s "found extended master secret extension" \
markrad 0:cdf462088d13 839 -s "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 840 -c "found extended_master_secret extension" \
markrad 0:cdf462088d13 841 -c "using extended master secret" \
markrad 0:cdf462088d13 842 -s "using extended master secret"
markrad 0:cdf462088d13 843
markrad 0:cdf462088d13 844 run_test "Extended Master Secret: client enabled, server disabled" \
markrad 0:cdf462088d13 845 "$P_SRV debug_level=3 extended_ms=0" \
markrad 0:cdf462088d13 846 "$P_CLI debug_level=3 extended_ms=1" \
markrad 0:cdf462088d13 847 0 \
markrad 0:cdf462088d13 848 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 849 -s "found extended master secret extension" \
markrad 0:cdf462088d13 850 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 851 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 852 -C "using extended master secret" \
markrad 0:cdf462088d13 853 -S "using extended master secret"
markrad 0:cdf462088d13 854
markrad 0:cdf462088d13 855 run_test "Extended Master Secret: client disabled, server enabled" \
markrad 0:cdf462088d13 856 "$P_SRV debug_level=3 extended_ms=1" \
markrad 0:cdf462088d13 857 "$P_CLI debug_level=3 extended_ms=0" \
markrad 0:cdf462088d13 858 0 \
markrad 0:cdf462088d13 859 -C "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 860 -S "found extended master secret extension" \
markrad 0:cdf462088d13 861 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 862 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 863 -C "using extended master secret" \
markrad 0:cdf462088d13 864 -S "using extended master secret"
markrad 0:cdf462088d13 865
markrad 0:cdf462088d13 866 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 867 run_test "Extended Master Secret: client SSLv3, server enabled" \
markrad 0:cdf462088d13 868 "$P_SRV debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 869 "$P_CLI debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 870 0 \
markrad 0:cdf462088d13 871 -C "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 872 -S "found extended master secret extension" \
markrad 0:cdf462088d13 873 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 874 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 875 -C "using extended master secret" \
markrad 0:cdf462088d13 876 -S "using extended master secret"
markrad 0:cdf462088d13 877
markrad 0:cdf462088d13 878 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 879 run_test "Extended Master Secret: client enabled, server SSLv3" \
markrad 0:cdf462088d13 880 "$P_SRV debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 881 "$P_CLI debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 882 0 \
markrad 0:cdf462088d13 883 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 884 -S "found extended master secret extension" \
markrad 0:cdf462088d13 885 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 886 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 887 -C "using extended master secret" \
markrad 0:cdf462088d13 888 -S "using extended master secret"
markrad 0:cdf462088d13 889
markrad 0:cdf462088d13 890 # Tests for FALLBACK_SCSV
markrad 0:cdf462088d13 891
markrad 0:cdf462088d13 892 run_test "Fallback SCSV: default" \
markrad 0:cdf462088d13 893 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 894 "$P_CLI debug_level=3 force_version=tls1_1" \
markrad 0:cdf462088d13 895 0 \
markrad 0:cdf462088d13 896 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 897 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 898 -S "inapropriate fallback" \
markrad 0:cdf462088d13 899 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 900
markrad 0:cdf462088d13 901 run_test "Fallback SCSV: explicitly disabled" \
markrad 0:cdf462088d13 902 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 903 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad 0:cdf462088d13 904 0 \
markrad 0:cdf462088d13 905 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 906 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 907 -S "inapropriate fallback" \
markrad 0:cdf462088d13 908 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 909
markrad 0:cdf462088d13 910 run_test "Fallback SCSV: enabled" \
markrad 0:cdf462088d13 911 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 912 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad 0:cdf462088d13 913 1 \
markrad 0:cdf462088d13 914 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 915 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 916 -s "inapropriate fallback" \
markrad 0:cdf462088d13 917 -c "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 918
markrad 0:cdf462088d13 919 run_test "Fallback SCSV: enabled, max version" \
markrad 0:cdf462088d13 920 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 921 "$P_CLI debug_level=3 fallback=1" \
markrad 0:cdf462088d13 922 0 \
markrad 0:cdf462088d13 923 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 924 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 925 -S "inapropriate fallback" \
markrad 0:cdf462088d13 926 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 927
markrad 0:cdf462088d13 928 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 929 run_test "Fallback SCSV: default, openssl server" \
markrad 0:cdf462088d13 930 "$O_SRV" \
markrad 0:cdf462088d13 931 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad 0:cdf462088d13 932 0 \
markrad 0:cdf462088d13 933 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 934 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 935
markrad 0:cdf462088d13 936 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 937 run_test "Fallback SCSV: enabled, openssl server" \
markrad 0:cdf462088d13 938 "$O_SRV" \
markrad 0:cdf462088d13 939 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad 0:cdf462088d13 940 1 \
markrad 0:cdf462088d13 941 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 942 -c "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 943
markrad 0:cdf462088d13 944 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 945 run_test "Fallback SCSV: disabled, openssl client" \
markrad 0:cdf462088d13 946 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 947 "$O_CLI -tls1_1" \
markrad 0:cdf462088d13 948 0 \
markrad 0:cdf462088d13 949 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 950 -S "inapropriate fallback"
markrad 0:cdf462088d13 951
markrad 0:cdf462088d13 952 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 953 run_test "Fallback SCSV: enabled, openssl client" \
markrad 0:cdf462088d13 954 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 955 "$O_CLI -tls1_1 -fallback_scsv" \
markrad 0:cdf462088d13 956 1 \
markrad 0:cdf462088d13 957 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 958 -s "inapropriate fallback"
markrad 0:cdf462088d13 959
markrad 0:cdf462088d13 960 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 961 run_test "Fallback SCSV: enabled, max version, openssl client" \
markrad 0:cdf462088d13 962 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 963 "$O_CLI -fallback_scsv" \
markrad 0:cdf462088d13 964 0 \
markrad 0:cdf462088d13 965 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 966 -S "inapropriate fallback"
markrad 0:cdf462088d13 967
markrad 0:cdf462088d13 968 # Tests for CBC 1/n-1 record splitting
markrad 0:cdf462088d13 969
markrad 0:cdf462088d13 970 run_test "CBC Record splitting: TLS 1.2, no splitting" \
markrad 0:cdf462088d13 971 "$P_SRV" \
markrad 0:cdf462088d13 972 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 973 request_size=123 force_version=tls1_2" \
markrad 0:cdf462088d13 974 0 \
markrad 0:cdf462088d13 975 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 976 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 977 -S "122 bytes read"
markrad 0:cdf462088d13 978
markrad 0:cdf462088d13 979 run_test "CBC Record splitting: TLS 1.1, no splitting" \
markrad 0:cdf462088d13 980 "$P_SRV" \
markrad 0:cdf462088d13 981 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 982 request_size=123 force_version=tls1_1" \
markrad 0:cdf462088d13 983 0 \
markrad 0:cdf462088d13 984 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 985 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 986 -S "122 bytes read"
markrad 0:cdf462088d13 987
markrad 0:cdf462088d13 988 run_test "CBC Record splitting: TLS 1.0, splitting" \
markrad 0:cdf462088d13 989 "$P_SRV" \
markrad 0:cdf462088d13 990 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 991 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 992 0 \
markrad 0:cdf462088d13 993 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 994 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 995 -s "122 bytes read"
markrad 0:cdf462088d13 996
markrad 0:cdf462088d13 997 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 998 run_test "CBC Record splitting: SSLv3, splitting" \
markrad 0:cdf462088d13 999 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 1000 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1001 request_size=123 force_version=ssl3" \
markrad 0:cdf462088d13 1002 0 \
markrad 0:cdf462088d13 1003 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1004 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1005 -s "122 bytes read"
markrad 0:cdf462088d13 1006
markrad 0:cdf462088d13 1007 run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
markrad 0:cdf462088d13 1008 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 1009 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 1010 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 1011 0 \
markrad 0:cdf462088d13 1012 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1013 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1014 -S "122 bytes read"
markrad 0:cdf462088d13 1015
markrad 0:cdf462088d13 1016 run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
markrad 0:cdf462088d13 1017 "$P_SRV" \
markrad 0:cdf462088d13 1018 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1019 request_size=123 force_version=tls1 recsplit=0" \
markrad 0:cdf462088d13 1020 0 \
markrad 0:cdf462088d13 1021 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1022 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1023 -S "122 bytes read"
markrad 0:cdf462088d13 1024
markrad 0:cdf462088d13 1025 run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
markrad 0:cdf462088d13 1026 "$P_SRV nbio=2" \
markrad 0:cdf462088d13 1027 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1028 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 1029 0 \
markrad 0:cdf462088d13 1030 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1031 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1032 -s "122 bytes read"
markrad 0:cdf462088d13 1033
markrad 0:cdf462088d13 1034 # Tests for Session Tickets
markrad 0:cdf462088d13 1035
markrad 0:cdf462088d13 1036 run_test "Session resume using tickets: basic" \
markrad 0:cdf462088d13 1037 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1038 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1039 0 \
markrad 0:cdf462088d13 1040 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1041 -s "found session ticket extension" \
markrad 0:cdf462088d13 1042 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1043 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1044 -c "parse new session ticket" \
markrad 0:cdf462088d13 1045 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1046 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1047 -s "a session has been resumed" \
markrad 0:cdf462088d13 1048 -c "a session has been resumed"
markrad 0:cdf462088d13 1049
markrad 0:cdf462088d13 1050 run_test "Session resume using tickets: cache disabled" \
markrad 0:cdf462088d13 1051 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
markrad 0:cdf462088d13 1052 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1053 0 \
markrad 0:cdf462088d13 1054 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1055 -s "found session ticket extension" \
markrad 0:cdf462088d13 1056 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1057 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1058 -c "parse new session ticket" \
markrad 0:cdf462088d13 1059 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1060 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1061 -s "a session has been resumed" \
markrad 0:cdf462088d13 1062 -c "a session has been resumed"
markrad 0:cdf462088d13 1063
markrad 0:cdf462088d13 1064 run_test "Session resume using tickets: timeout" \
markrad 0:cdf462088d13 1065 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
markrad 0:cdf462088d13 1066 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1067 0 \
markrad 0:cdf462088d13 1068 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1069 -s "found session ticket extension" \
markrad 0:cdf462088d13 1070 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1071 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1072 -c "parse new session ticket" \
markrad 0:cdf462088d13 1073 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1074 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1075 -S "a session has been resumed" \
markrad 0:cdf462088d13 1076 -C "a session has been resumed"
markrad 0:cdf462088d13 1077
markrad 0:cdf462088d13 1078 run_test "Session resume using tickets: openssl server" \
markrad 0:cdf462088d13 1079 "$O_SRV" \
markrad 0:cdf462088d13 1080 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1081 0 \
markrad 0:cdf462088d13 1082 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1083 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1084 -c "parse new session ticket" \
markrad 0:cdf462088d13 1085 -c "a session has been resumed"
markrad 0:cdf462088d13 1086
markrad 0:cdf462088d13 1087 run_test "Session resume using tickets: openssl client" \
markrad 0:cdf462088d13 1088 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1089 "( $O_CLI -sess_out $SESSION; \
markrad 0:cdf462088d13 1090 $O_CLI -sess_in $SESSION; \
markrad 0:cdf462088d13 1091 rm -f $SESSION )" \
markrad 0:cdf462088d13 1092 0 \
markrad 0:cdf462088d13 1093 -s "found session ticket extension" \
markrad 0:cdf462088d13 1094 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1095 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1096 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1097 -s "a session has been resumed"
markrad 0:cdf462088d13 1098
markrad 0:cdf462088d13 1099 # Tests for Session Resume based on session-ID and cache
markrad 0:cdf462088d13 1100
markrad 0:cdf462088d13 1101 run_test "Session resume using cache: tickets enabled on client" \
markrad 0:cdf462088d13 1102 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1103 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1104 0 \
markrad 0:cdf462088d13 1105 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1106 -s "found session ticket extension" \
markrad 0:cdf462088d13 1107 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1108 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1109 -C "parse new session ticket" \
markrad 0:cdf462088d13 1110 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1111 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1112 -s "a session has been resumed" \
markrad 0:cdf462088d13 1113 -c "a session has been resumed"
markrad 0:cdf462088d13 1114
markrad 0:cdf462088d13 1115 run_test "Session resume using cache: tickets enabled on server" \
markrad 0:cdf462088d13 1116 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1117 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1118 0 \
markrad 0:cdf462088d13 1119 -C "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1120 -S "found session ticket extension" \
markrad 0:cdf462088d13 1121 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1122 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1123 -C "parse new session ticket" \
markrad 0:cdf462088d13 1124 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1125 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1126 -s "a session has been resumed" \
markrad 0:cdf462088d13 1127 -c "a session has been resumed"
markrad 0:cdf462088d13 1128
markrad 0:cdf462088d13 1129 run_test "Session resume using cache: cache_max=0" \
markrad 0:cdf462088d13 1130 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
markrad 0:cdf462088d13 1131 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1132 0 \
markrad 0:cdf462088d13 1133 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1134 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1135 -S "a session has been resumed" \
markrad 0:cdf462088d13 1136 -C "a session has been resumed"
markrad 0:cdf462088d13 1137
markrad 0:cdf462088d13 1138 run_test "Session resume using cache: cache_max=1" \
markrad 0:cdf462088d13 1139 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
markrad 0:cdf462088d13 1140 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1141 0 \
markrad 0:cdf462088d13 1142 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1143 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1144 -s "a session has been resumed" \
markrad 0:cdf462088d13 1145 -c "a session has been resumed"
markrad 0:cdf462088d13 1146
markrad 0:cdf462088d13 1147 run_test "Session resume using cache: timeout > delay" \
markrad 0:cdf462088d13 1148 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1149 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
markrad 0:cdf462088d13 1150 0 \
markrad 0:cdf462088d13 1151 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1152 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1153 -s "a session has been resumed" \
markrad 0:cdf462088d13 1154 -c "a session has been resumed"
markrad 0:cdf462088d13 1155
markrad 0:cdf462088d13 1156 run_test "Session resume using cache: timeout < delay" \
markrad 0:cdf462088d13 1157 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
markrad 0:cdf462088d13 1158 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1159 0 \
markrad 0:cdf462088d13 1160 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1161 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1162 -S "a session has been resumed" \
markrad 0:cdf462088d13 1163 -C "a session has been resumed"
markrad 0:cdf462088d13 1164
markrad 0:cdf462088d13 1165 run_test "Session resume using cache: no timeout" \
markrad 0:cdf462088d13 1166 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
markrad 0:cdf462088d13 1167 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1168 0 \
markrad 0:cdf462088d13 1169 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1170 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1171 -s "a session has been resumed" \
markrad 0:cdf462088d13 1172 -c "a session has been resumed"
markrad 0:cdf462088d13 1173
markrad 0:cdf462088d13 1174 run_test "Session resume using cache: openssl client" \
markrad 0:cdf462088d13 1175 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1176 "( $O_CLI -sess_out $SESSION; \
markrad 0:cdf462088d13 1177 $O_CLI -sess_in $SESSION; \
markrad 0:cdf462088d13 1178 rm -f $SESSION )" \
markrad 0:cdf462088d13 1179 0 \
markrad 0:cdf462088d13 1180 -s "found session ticket extension" \
markrad 0:cdf462088d13 1181 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1182 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1183 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1184 -s "a session has been resumed"
markrad 0:cdf462088d13 1185
markrad 0:cdf462088d13 1186 run_test "Session resume using cache: openssl server" \
markrad 0:cdf462088d13 1187 "$O_SRV" \
markrad 0:cdf462088d13 1188 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1189 0 \
markrad 0:cdf462088d13 1190 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1191 -C "parse new session ticket" \
markrad 0:cdf462088d13 1192 -c "a session has been resumed"
markrad 0:cdf462088d13 1193
markrad 0:cdf462088d13 1194 # Tests for Max Fragment Length extension
markrad 0:cdf462088d13 1195
markrad 0:cdf462088d13 1196 run_test "Max fragment length: not used, reference" \
markrad 0:cdf462088d13 1197 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1198 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1199 0 \
markrad 0:cdf462088d13 1200 -c "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1201 -s "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1202 -C "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1203 -S "found max fragment length extension" \
markrad 0:cdf462088d13 1204 -S "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1205 -C "found max_fragment_length extension"
markrad 0:cdf462088d13 1206
markrad 0:cdf462088d13 1207 run_test "Max fragment length: used by client" \
markrad 0:cdf462088d13 1208 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1209 "$P_CLI debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1210 0 \
markrad 0:cdf462088d13 1211 -c "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1212 -s "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1213 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1214 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1215 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1216 -c "found max_fragment_length extension"
markrad 0:cdf462088d13 1217
markrad 0:cdf462088d13 1218 run_test "Max fragment length: used by server" \
markrad 0:cdf462088d13 1219 "$P_SRV debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1220 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1221 0 \
markrad 0:cdf462088d13 1222 -c "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1223 -s "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1224 -C "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1225 -S "found max fragment length extension" \
markrad 0:cdf462088d13 1226 -S "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1227 -C "found max_fragment_length extension"
markrad 0:cdf462088d13 1228
markrad 0:cdf462088d13 1229 requires_gnutls
markrad 0:cdf462088d13 1230 run_test "Max fragment length: gnutls server" \
markrad 0:cdf462088d13 1231 "$G_SRV" \
markrad 0:cdf462088d13 1232 "$P_CLI debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1233 0 \
markrad 0:cdf462088d13 1234 -c "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1235 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1236 -c "found max_fragment_length extension"
markrad 0:cdf462088d13 1237
markrad 0:cdf462088d13 1238 run_test "Max fragment length: client, message just fits" \
markrad 0:cdf462088d13 1239 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1240 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
markrad 0:cdf462088d13 1241 0 \
markrad 0:cdf462088d13 1242 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1243 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1244 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1245 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1246 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1247 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1248 -c "2048 bytes written in 1 fragments" \
markrad 0:cdf462088d13 1249 -s "2048 bytes read"
markrad 0:cdf462088d13 1250
markrad 0:cdf462088d13 1251 run_test "Max fragment length: client, larger message" \
markrad 0:cdf462088d13 1252 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1253 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
markrad 0:cdf462088d13 1254 0 \
markrad 0:cdf462088d13 1255 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1256 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1257 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1258 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1259 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1260 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1261 -c "2345 bytes written in 2 fragments" \
markrad 0:cdf462088d13 1262 -s "2048 bytes read" \
markrad 0:cdf462088d13 1263 -s "297 bytes read"
markrad 0:cdf462088d13 1264
markrad 0:cdf462088d13 1265 run_test "Max fragment length: DTLS client, larger message" \
markrad 0:cdf462088d13 1266 "$P_SRV debug_level=3 dtls=1" \
markrad 0:cdf462088d13 1267 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
markrad 0:cdf462088d13 1268 1 \
markrad 0:cdf462088d13 1269 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1270 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1271 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1272 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1273 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1274 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1275 -c "fragment larger than.*maximum"
markrad 0:cdf462088d13 1276
markrad 0:cdf462088d13 1277 # Tests for renegotiation
markrad 0:cdf462088d13 1278
markrad 0:cdf462088d13 1279 run_test "Renegotiation: none, for reference" \
markrad 0:cdf462088d13 1280 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
markrad 0:cdf462088d13 1281 "$P_CLI debug_level=3 exchanges=2" \
markrad 0:cdf462088d13 1282 0 \
markrad 0:cdf462088d13 1283 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1284 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1285 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1286 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1287 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1288 -C "=> renegotiate" \
markrad 0:cdf462088d13 1289 -S "=> renegotiate" \
markrad 0:cdf462088d13 1290 -S "write hello request"
markrad 0:cdf462088d13 1291
markrad 0:cdf462088d13 1292 run_test "Renegotiation: client-initiated" \
markrad 0:cdf462088d13 1293 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad 0:cdf462088d13 1294 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1295 0 \
markrad 0:cdf462088d13 1296 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1297 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1298 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1299 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1300 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1301 -c "=> renegotiate" \
markrad 0:cdf462088d13 1302 -s "=> renegotiate" \
markrad 0:cdf462088d13 1303 -S "write hello request"
markrad 0:cdf462088d13 1304
markrad 0:cdf462088d13 1305 run_test "Renegotiation: server-initiated" \
markrad 0:cdf462088d13 1306 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad 0:cdf462088d13 1307 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1308 0 \
markrad 0:cdf462088d13 1309 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1310 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1311 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1312 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1313 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1314 -c "=> renegotiate" \
markrad 0:cdf462088d13 1315 -s "=> renegotiate" \
markrad 0:cdf462088d13 1316 -s "write hello request"
markrad 0:cdf462088d13 1317
markrad 0:cdf462088d13 1318 run_test "Renegotiation: double" \
markrad 0:cdf462088d13 1319 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad 0:cdf462088d13 1320 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1321 0 \
markrad 0:cdf462088d13 1322 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1323 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1324 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1325 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1326 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1327 -c "=> renegotiate" \
markrad 0:cdf462088d13 1328 -s "=> renegotiate" \
markrad 0:cdf462088d13 1329 -s "write hello request"
markrad 0:cdf462088d13 1330
markrad 0:cdf462088d13 1331 run_test "Renegotiation: client-initiated, server-rejected" \
markrad 0:cdf462088d13 1332 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
markrad 0:cdf462088d13 1333 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1334 1 \
markrad 0:cdf462088d13 1335 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1336 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1337 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1338 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1339 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1340 -c "=> renegotiate" \
markrad 0:cdf462088d13 1341 -S "=> renegotiate" \
markrad 0:cdf462088d13 1342 -S "write hello request" \
markrad 0:cdf462088d13 1343 -c "SSL - Unexpected message at ServerHello in renegotiation" \
markrad 0:cdf462088d13 1344 -c "failed"
markrad 0:cdf462088d13 1345
markrad 0:cdf462088d13 1346 run_test "Renegotiation: server-initiated, client-rejected, default" \
markrad 0:cdf462088d13 1347 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad 0:cdf462088d13 1348 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1349 0 \
markrad 0:cdf462088d13 1350 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1351 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1352 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1353 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1354 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1355 -C "=> renegotiate" \
markrad 0:cdf462088d13 1356 -S "=> renegotiate" \
markrad 0:cdf462088d13 1357 -s "write hello request" \
markrad 0:cdf462088d13 1358 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1359 -S "failed"
markrad 0:cdf462088d13 1360
markrad 0:cdf462088d13 1361 run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
markrad 0:cdf462088d13 1362 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1363 renego_delay=-1 auth_mode=optional" \
markrad 0:cdf462088d13 1364 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1365 0 \
markrad 0:cdf462088d13 1366 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1367 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1368 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1369 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1370 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1371 -C "=> renegotiate" \
markrad 0:cdf462088d13 1372 -S "=> renegotiate" \
markrad 0:cdf462088d13 1373 -s "write hello request" \
markrad 0:cdf462088d13 1374 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1375 -S "failed"
markrad 0:cdf462088d13 1376
markrad 0:cdf462088d13 1377 # delay 2 for 1 alert record + 1 application data record
markrad 0:cdf462088d13 1378 run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
markrad 0:cdf462088d13 1379 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1380 renego_delay=2 auth_mode=optional" \
markrad 0:cdf462088d13 1381 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1382 0 \
markrad 0:cdf462088d13 1383 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1384 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1385 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1386 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1387 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1388 -C "=> renegotiate" \
markrad 0:cdf462088d13 1389 -S "=> renegotiate" \
markrad 0:cdf462088d13 1390 -s "write hello request" \
markrad 0:cdf462088d13 1391 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1392 -S "failed"
markrad 0:cdf462088d13 1393
markrad 0:cdf462088d13 1394 run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
markrad 0:cdf462088d13 1395 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1396 renego_delay=0 auth_mode=optional" \
markrad 0:cdf462088d13 1397 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1398 0 \
markrad 0:cdf462088d13 1399 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1400 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1401 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1402 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1403 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1404 -C "=> renegotiate" \
markrad 0:cdf462088d13 1405 -S "=> renegotiate" \
markrad 0:cdf462088d13 1406 -s "write hello request" \
markrad 0:cdf462088d13 1407 -s "SSL - An unexpected message was received from our peer"
markrad 0:cdf462088d13 1408
markrad 0:cdf462088d13 1409 run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
markrad 0:cdf462088d13 1410 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1411 renego_delay=0 auth_mode=optional" \
markrad 0:cdf462088d13 1412 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1413 0 \
markrad 0:cdf462088d13 1414 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1415 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1416 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1417 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1418 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1419 -c "=> renegotiate" \
markrad 0:cdf462088d13 1420 -s "=> renegotiate" \
markrad 0:cdf462088d13 1421 -s "write hello request" \
markrad 0:cdf462088d13 1422 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1423 -S "failed"
markrad 0:cdf462088d13 1424
markrad 0:cdf462088d13 1425 run_test "Renegotiation: periodic, just below period" \
markrad 0:cdf462088d13 1426 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1427 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1428 0 \
markrad 0:cdf462088d13 1429 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1430 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1431 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1432 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1433 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1434 -S "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1435 -C "=> renegotiate" \
markrad 0:cdf462088d13 1436 -S "=> renegotiate" \
markrad 0:cdf462088d13 1437 -S "write hello request" \
markrad 0:cdf462088d13 1438 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1439 -S "failed"
markrad 0:cdf462088d13 1440
markrad 0:cdf462088d13 1441 # one extra exchange to be able to complete renego
markrad 0:cdf462088d13 1442 run_test "Renegotiation: periodic, just above period" \
markrad 0:cdf462088d13 1443 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1444 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad 0:cdf462088d13 1445 0 \
markrad 0:cdf462088d13 1446 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1447 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1448 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1449 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1450 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1451 -s "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1452 -c "=> renegotiate" \
markrad 0:cdf462088d13 1453 -s "=> renegotiate" \
markrad 0:cdf462088d13 1454 -s "write hello request" \
markrad 0:cdf462088d13 1455 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1456 -S "failed"
markrad 0:cdf462088d13 1457
markrad 0:cdf462088d13 1458 run_test "Renegotiation: periodic, two times period" \
markrad 0:cdf462088d13 1459 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1460 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
markrad 0:cdf462088d13 1461 0 \
markrad 0:cdf462088d13 1462 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1463 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1464 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1465 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1466 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1467 -s "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1468 -c "=> renegotiate" \
markrad 0:cdf462088d13 1469 -s "=> renegotiate" \
markrad 0:cdf462088d13 1470 -s "write hello request" \
markrad 0:cdf462088d13 1471 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1472 -S "failed"
markrad 0:cdf462088d13 1473
markrad 0:cdf462088d13 1474 run_test "Renegotiation: periodic, above period, disabled" \
markrad 0:cdf462088d13 1475 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1476 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad 0:cdf462088d13 1477 0 \
markrad 0:cdf462088d13 1478 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1479 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1480 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1481 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1482 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1483 -S "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1484 -C "=> renegotiate" \
markrad 0:cdf462088d13 1485 -S "=> renegotiate" \
markrad 0:cdf462088d13 1486 -S "write hello request" \
markrad 0:cdf462088d13 1487 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1488 -S "failed"
markrad 0:cdf462088d13 1489
markrad 0:cdf462088d13 1490 run_test "Renegotiation: nbio, client-initiated" \
markrad 0:cdf462088d13 1491 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad 0:cdf462088d13 1492 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1493 0 \
markrad 0:cdf462088d13 1494 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1495 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1496 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1497 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1498 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1499 -c "=> renegotiate" \
markrad 0:cdf462088d13 1500 -s "=> renegotiate" \
markrad 0:cdf462088d13 1501 -S "write hello request"
markrad 0:cdf462088d13 1502
markrad 0:cdf462088d13 1503 run_test "Renegotiation: nbio, server-initiated" \
markrad 0:cdf462088d13 1504 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad 0:cdf462088d13 1505 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1506 0 \
markrad 0:cdf462088d13 1507 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1508 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1509 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1510 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1511 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1512 -c "=> renegotiate" \
markrad 0:cdf462088d13 1513 -s "=> renegotiate" \
markrad 0:cdf462088d13 1514 -s "write hello request"
markrad 0:cdf462088d13 1515
markrad 0:cdf462088d13 1516 run_test "Renegotiation: openssl server, client-initiated" \
markrad 0:cdf462088d13 1517 "$O_SRV -www" \
markrad 0:cdf462088d13 1518 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1519 0 \
markrad 0:cdf462088d13 1520 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1521 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1522 -c "=> renegotiate" \
markrad 0:cdf462088d13 1523 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1524 -C "error" \
markrad 0:cdf462088d13 1525 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1526
markrad 0:cdf462088d13 1527 requires_gnutls
markrad 0:cdf462088d13 1528 run_test "Renegotiation: gnutls server strict, client-initiated" \
markrad 0:cdf462088d13 1529 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1530 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1531 0 \
markrad 0:cdf462088d13 1532 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1533 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1534 -c "=> renegotiate" \
markrad 0:cdf462088d13 1535 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1536 -C "error" \
markrad 0:cdf462088d13 1537 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1538
markrad 0:cdf462088d13 1539 requires_gnutls
markrad 0:cdf462088d13 1540 run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
markrad 0:cdf462088d13 1541 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1542 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1543 1 \
markrad 0:cdf462088d13 1544 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1545 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1546 -c "=> renegotiate" \
markrad 0:cdf462088d13 1547 -c "mbedtls_ssl_handshake() returned" \
markrad 0:cdf462088d13 1548 -c "error" \
markrad 0:cdf462088d13 1549 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1550
markrad 0:cdf462088d13 1551 requires_gnutls
markrad 0:cdf462088d13 1552 run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
markrad 0:cdf462088d13 1553 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1554 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1555 allow_legacy=0" \
markrad 0:cdf462088d13 1556 1 \
markrad 0:cdf462088d13 1557 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1558 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1559 -c "=> renegotiate" \
markrad 0:cdf462088d13 1560 -c "mbedtls_ssl_handshake() returned" \
markrad 0:cdf462088d13 1561 -c "error" \
markrad 0:cdf462088d13 1562 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1563
markrad 0:cdf462088d13 1564 requires_gnutls
markrad 0:cdf462088d13 1565 run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
markrad 0:cdf462088d13 1566 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1567 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1568 allow_legacy=1" \
markrad 0:cdf462088d13 1569 0 \
markrad 0:cdf462088d13 1570 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1571 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1572 -c "=> renegotiate" \
markrad 0:cdf462088d13 1573 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1574 -C "error" \
markrad 0:cdf462088d13 1575 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1576
markrad 0:cdf462088d13 1577 run_test "Renegotiation: DTLS, client-initiated" \
markrad 0:cdf462088d13 1578 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1579 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1580 0 \
markrad 0:cdf462088d13 1581 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1582 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1583 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1584 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1585 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1586 -c "=> renegotiate" \
markrad 0:cdf462088d13 1587 -s "=> renegotiate" \
markrad 0:cdf462088d13 1588 -S "write hello request"
markrad 0:cdf462088d13 1589
markrad 0:cdf462088d13 1590 run_test "Renegotiation: DTLS, server-initiated" \
markrad 0:cdf462088d13 1591 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1592 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
markrad 0:cdf462088d13 1593 read_timeout=1000 max_resend=2" \
markrad 0:cdf462088d13 1594 0 \
markrad 0:cdf462088d13 1595 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1596 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1597 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1598 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1599 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1600 -c "=> renegotiate" \
markrad 0:cdf462088d13 1601 -s "=> renegotiate" \
markrad 0:cdf462088d13 1602 -s "write hello request"
markrad 0:cdf462088d13 1603
Jasper Wallace 1:9ebc941037d5 1604 run_test "Renegotiation: DTLS, renego_period overflow" \
Jasper Wallace 1:9ebc941037d5 1605 "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
Jasper Wallace 1:9ebc941037d5 1606 "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
Jasper Wallace 1:9ebc941037d5 1607 0 \
Jasper Wallace 1:9ebc941037d5 1608 -c "client hello, adding renegotiation extension" \
Jasper Wallace 1:9ebc941037d5 1609 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
Jasper Wallace 1:9ebc941037d5 1610 -s "found renegotiation extension" \
Jasper Wallace 1:9ebc941037d5 1611 -s "server hello, secure renegotiation extension" \
Jasper Wallace 1:9ebc941037d5 1612 -s "record counter limit reached: renegotiate" \
Jasper Wallace 1:9ebc941037d5 1613 -c "=> renegotiate" \
Jasper Wallace 1:9ebc941037d5 1614 -s "=> renegotiate" \
Jasper Wallace 1:9ebc941037d5 1615 -s "write hello request" \
Jasper Wallace 1:9ebc941037d5 1616
markrad 0:cdf462088d13 1617 requires_gnutls
markrad 0:cdf462088d13 1618 run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
markrad 0:cdf462088d13 1619 "$G_SRV -u --mtu 4096" \
markrad 0:cdf462088d13 1620 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1621 0 \
markrad 0:cdf462088d13 1622 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1623 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1624 -c "=> renegotiate" \
markrad 0:cdf462088d13 1625 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1626 -C "error" \
markrad 0:cdf462088d13 1627 -s "Extra-header:"
markrad 0:cdf462088d13 1628
markrad 0:cdf462088d13 1629 # Test for the "secure renegotation" extension only (no actual renegotiation)
markrad 0:cdf462088d13 1630
markrad 0:cdf462088d13 1631 requires_gnutls
markrad 0:cdf462088d13 1632 run_test "Renego ext: gnutls server strict, client default" \
markrad 0:cdf462088d13 1633 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1634 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1635 0 \
markrad 0:cdf462088d13 1636 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1637 -C "error" \
markrad 0:cdf462088d13 1638 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1639
markrad 0:cdf462088d13 1640 requires_gnutls
markrad 0:cdf462088d13 1641 run_test "Renego ext: gnutls server unsafe, client default" \
markrad 0:cdf462088d13 1642 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1643 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1644 0 \
markrad 0:cdf462088d13 1645 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1646 -C "error" \
markrad 0:cdf462088d13 1647 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1648
markrad 0:cdf462088d13 1649 requires_gnutls
markrad 0:cdf462088d13 1650 run_test "Renego ext: gnutls server unsafe, client break legacy" \
markrad 0:cdf462088d13 1651 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1652 "$P_CLI debug_level=3 allow_legacy=-1" \
markrad 0:cdf462088d13 1653 1 \
markrad 0:cdf462088d13 1654 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1655 -c "error" \
markrad 0:cdf462088d13 1656 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1657
markrad 0:cdf462088d13 1658 requires_gnutls
markrad 0:cdf462088d13 1659 run_test "Renego ext: gnutls client strict, server default" \
markrad 0:cdf462088d13 1660 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1661 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1662 0 \
markrad 0:cdf462088d13 1663 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1664 -s "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1665
markrad 0:cdf462088d13 1666 requires_gnutls
markrad 0:cdf462088d13 1667 run_test "Renego ext: gnutls client unsafe, server default" \
markrad 0:cdf462088d13 1668 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1669 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1670 0 \
markrad 0:cdf462088d13 1671 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1672 -S "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1673
markrad 0:cdf462088d13 1674 requires_gnutls
markrad 0:cdf462088d13 1675 run_test "Renego ext: gnutls client unsafe, server break legacy" \
markrad 0:cdf462088d13 1676 "$P_SRV debug_level=3 allow_legacy=-1" \
markrad 0:cdf462088d13 1677 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1678 1 \
markrad 0:cdf462088d13 1679 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1680 -S "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1681
markrad 0:cdf462088d13 1682 # Tests for silently dropping trailing extra bytes in .der certificates
markrad 0:cdf462088d13 1683
markrad 0:cdf462088d13 1684 requires_gnutls
markrad 0:cdf462088d13 1685 run_test "DER format: no trailing bytes" \
markrad 0:cdf462088d13 1686 "$P_SRV crt_file=data_files/server5-der0.crt \
markrad 0:cdf462088d13 1687 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1688 "$G_CLI " \
markrad 0:cdf462088d13 1689 0 \
markrad 0:cdf462088d13 1690 -c "Handshake was completed" \
markrad 0:cdf462088d13 1691
markrad 0:cdf462088d13 1692 requires_gnutls
markrad 0:cdf462088d13 1693 run_test "DER format: with a trailing zero byte" \
markrad 0:cdf462088d13 1694 "$P_SRV crt_file=data_files/server5-der1a.crt \
markrad 0:cdf462088d13 1695 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1696 "$G_CLI " \
markrad 0:cdf462088d13 1697 0 \
markrad 0:cdf462088d13 1698 -c "Handshake was completed" \
markrad 0:cdf462088d13 1699
markrad 0:cdf462088d13 1700 requires_gnutls
markrad 0:cdf462088d13 1701 run_test "DER format: with a trailing random byte" \
markrad 0:cdf462088d13 1702 "$P_SRV crt_file=data_files/server5-der1b.crt \
markrad 0:cdf462088d13 1703 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1704 "$G_CLI " \
markrad 0:cdf462088d13 1705 0 \
markrad 0:cdf462088d13 1706 -c "Handshake was completed" \
markrad 0:cdf462088d13 1707
markrad 0:cdf462088d13 1708 requires_gnutls
markrad 0:cdf462088d13 1709 run_test "DER format: with 2 trailing random bytes" \
markrad 0:cdf462088d13 1710 "$P_SRV crt_file=data_files/server5-der2.crt \
markrad 0:cdf462088d13 1711 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1712 "$G_CLI " \
markrad 0:cdf462088d13 1713 0 \
markrad 0:cdf462088d13 1714 -c "Handshake was completed" \
markrad 0:cdf462088d13 1715
markrad 0:cdf462088d13 1716 requires_gnutls
markrad 0:cdf462088d13 1717 run_test "DER format: with 4 trailing random bytes" \
markrad 0:cdf462088d13 1718 "$P_SRV crt_file=data_files/server5-der4.crt \
markrad 0:cdf462088d13 1719 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1720 "$G_CLI " \
markrad 0:cdf462088d13 1721 0 \
markrad 0:cdf462088d13 1722 -c "Handshake was completed" \
markrad 0:cdf462088d13 1723
markrad 0:cdf462088d13 1724 requires_gnutls
markrad 0:cdf462088d13 1725 run_test "DER format: with 8 trailing random bytes" \
markrad 0:cdf462088d13 1726 "$P_SRV crt_file=data_files/server5-der8.crt \
markrad 0:cdf462088d13 1727 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1728 "$G_CLI " \
markrad 0:cdf462088d13 1729 0 \
markrad 0:cdf462088d13 1730 -c "Handshake was completed" \
markrad 0:cdf462088d13 1731
markrad 0:cdf462088d13 1732 requires_gnutls
markrad 0:cdf462088d13 1733 run_test "DER format: with 9 trailing random bytes" \
markrad 0:cdf462088d13 1734 "$P_SRV crt_file=data_files/server5-der9.crt \
markrad 0:cdf462088d13 1735 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1736 "$G_CLI " \
markrad 0:cdf462088d13 1737 0 \
markrad 0:cdf462088d13 1738 -c "Handshake was completed" \
markrad 0:cdf462088d13 1739
markrad 0:cdf462088d13 1740 # Tests for auth_mode
markrad 0:cdf462088d13 1741
markrad 0:cdf462088d13 1742 run_test "Authentication: server badcert, client required" \
markrad 0:cdf462088d13 1743 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1744 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1745 "$P_CLI debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 1746 1 \
markrad 0:cdf462088d13 1747 -c "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1748 -c "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1749 -c "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1750 -c "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1751
markrad 0:cdf462088d13 1752 run_test "Authentication: server badcert, client optional" \
markrad 0:cdf462088d13 1753 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1754 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1755 "$P_CLI debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 1756 0 \
markrad 0:cdf462088d13 1757 -c "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1758 -c "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1759 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1760 -C "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1761
markrad 0:cdf462088d13 1762 run_test "Authentication: server badcert, client none" \
markrad 0:cdf462088d13 1763 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1764 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1765 "$P_CLI debug_level=1 auth_mode=none" \
markrad 0:cdf462088d13 1766 0 \
markrad 0:cdf462088d13 1767 -C "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1768 -C "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1769 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1770 -C "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1771
markrad 0:cdf462088d13 1772 run_test "Authentication: client SHA256, server required" \
markrad 0:cdf462088d13 1773 "$P_SRV auth_mode=required" \
markrad 0:cdf462088d13 1774 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1775 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1776 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 1777 0 \
markrad 0:cdf462088d13 1778 -c "Supported Signature Algorithm found: 4," \
markrad 0:cdf462088d13 1779 -c "Supported Signature Algorithm found: 5,"
markrad 0:cdf462088d13 1780
markrad 0:cdf462088d13 1781 run_test "Authentication: client SHA384, server required" \
markrad 0:cdf462088d13 1782 "$P_SRV auth_mode=required" \
markrad 0:cdf462088d13 1783 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1784 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1785 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 1786 0 \
markrad 0:cdf462088d13 1787 -c "Supported Signature Algorithm found: 4," \
markrad 0:cdf462088d13 1788 -c "Supported Signature Algorithm found: 5,"
markrad 0:cdf462088d13 1789
markrad 0:cdf462088d13 1790 run_test "Authentication: client badcert, server required" \
markrad 0:cdf462088d13 1791 "$P_SRV debug_level=3 auth_mode=required" \
markrad 0:cdf462088d13 1792 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1793 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1794 1 \
markrad 0:cdf462088d13 1795 -S "skip write certificate request" \
markrad 0:cdf462088d13 1796 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1797 -c "got a certificate request" \
markrad 0:cdf462088d13 1798 -C "skip write certificate" \
markrad 0:cdf462088d13 1799 -C "skip write certificate verify" \
markrad 0:cdf462088d13 1800 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 1801 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1802 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1803 -s "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1804 -c "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1805 -s "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1806
markrad 0:cdf462088d13 1807 run_test "Authentication: client badcert, server optional" \
markrad 0:cdf462088d13 1808 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1809 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1810 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1811 0 \
markrad 0:cdf462088d13 1812 -S "skip write certificate request" \
markrad 0:cdf462088d13 1813 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1814 -c "got a certificate request" \
markrad 0:cdf462088d13 1815 -C "skip write certificate" \
markrad 0:cdf462088d13 1816 -C "skip write certificate verify" \
markrad 0:cdf462088d13 1817 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 1818 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1819 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1820 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1821 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1822 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1823
markrad 0:cdf462088d13 1824 run_test "Authentication: client badcert, server none" \
markrad 0:cdf462088d13 1825 "$P_SRV debug_level=3 auth_mode=none" \
markrad 0:cdf462088d13 1826 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1827 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1828 0 \
markrad 0:cdf462088d13 1829 -s "skip write certificate request" \
markrad 0:cdf462088d13 1830 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1831 -c "got no certificate request" \
markrad 0:cdf462088d13 1832 -c "skip write certificate" \
markrad 0:cdf462088d13 1833 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1834 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1835 -S "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1836 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1837 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1838 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1839 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1840
markrad 0:cdf462088d13 1841 run_test "Authentication: client no cert, server optional" \
markrad 0:cdf462088d13 1842 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1843 "$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad 0:cdf462088d13 1844 0 \
markrad 0:cdf462088d13 1845 -S "skip write certificate request" \
markrad 0:cdf462088d13 1846 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1847 -c "got a certificate request" \
markrad 0:cdf462088d13 1848 -C "skip write certificate$" \
markrad 0:cdf462088d13 1849 -C "got no certificate to send" \
markrad 0:cdf462088d13 1850 -S "SSLv3 client has no certificate" \
markrad 0:cdf462088d13 1851 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1852 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1853 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1854 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1855 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1856 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1857
markrad 0:cdf462088d13 1858 run_test "Authentication: openssl client no cert, server optional" \
markrad 0:cdf462088d13 1859 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1860 "$O_CLI" \
markrad 0:cdf462088d13 1861 0 \
markrad 0:cdf462088d13 1862 -S "skip write certificate request" \
markrad 0:cdf462088d13 1863 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1864 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1865 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1866 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1867
markrad 0:cdf462088d13 1868 run_test "Authentication: client no cert, openssl server optional" \
markrad 0:cdf462088d13 1869 "$O_SRV -verify 10" \
markrad 0:cdf462088d13 1870 "$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad 0:cdf462088d13 1871 0 \
markrad 0:cdf462088d13 1872 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1873 -c "got a certificate request" \
markrad 0:cdf462088d13 1874 -C "skip write certificate$" \
markrad 0:cdf462088d13 1875 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1876 -C "! mbedtls_ssl_handshake returned"
markrad 0:cdf462088d13 1877
markrad 0:cdf462088d13 1878 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 1879 run_test "Authentication: client no cert, ssl3" \
markrad 0:cdf462088d13 1880 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
markrad 0:cdf462088d13 1881 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
markrad 0:cdf462088d13 1882 0 \
markrad 0:cdf462088d13 1883 -S "skip write certificate request" \
markrad 0:cdf462088d13 1884 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1885 -c "got a certificate request" \
markrad 0:cdf462088d13 1886 -C "skip write certificate$" \
markrad 0:cdf462088d13 1887 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1888 -c "got no certificate to send" \
markrad 0:cdf462088d13 1889 -s "SSLv3 client has no certificate" \
markrad 0:cdf462088d13 1890 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1891 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1892 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1893 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1894 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1895
markrad 0:cdf462088d13 1896 # Tests for certificate selection based on SHA verson
markrad 0:cdf462088d13 1897
markrad 0:cdf462088d13 1898 run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
markrad 0:cdf462088d13 1899 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1900 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1901 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1902 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1903 "$P_CLI force_version=tls1_2" \
markrad 0:cdf462088d13 1904 0 \
markrad 0:cdf462088d13 1905 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1906 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1907
markrad 0:cdf462088d13 1908 run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
markrad 0:cdf462088d13 1909 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1910 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1911 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1912 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1913 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1914 0 \
markrad 0:cdf462088d13 1915 -C "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1916 -c "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1917
markrad 0:cdf462088d13 1918 run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
markrad 0:cdf462088d13 1919 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1920 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1921 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1922 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1923 "$P_CLI force_version=tls1" \
markrad 0:cdf462088d13 1924 0 \
markrad 0:cdf462088d13 1925 -C "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1926 -c "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1927
markrad 0:cdf462088d13 1928 run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
markrad 0:cdf462088d13 1929 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1930 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1931 crt_file2=data_files/server6.crt \
markrad 0:cdf462088d13 1932 key_file2=data_files/server6.key" \
markrad 0:cdf462088d13 1933 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1934 0 \
markrad 0:cdf462088d13 1935 -c "serial number.*09" \
markrad 0:cdf462088d13 1936 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1937 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1938
markrad 0:cdf462088d13 1939 run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
markrad 0:cdf462088d13 1940 "$P_SRV crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1941 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1942 crt_file2=data_files/server5.crt \
markrad 0:cdf462088d13 1943 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1944 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1945 0 \
markrad 0:cdf462088d13 1946 -c "serial number.*0A" \
markrad 0:cdf462088d13 1947 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1948 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1949
markrad 0:cdf462088d13 1950 # tests for SNI
markrad 0:cdf462088d13 1951
markrad 0:cdf462088d13 1952 run_test "SNI: no SNI callback" \
markrad 0:cdf462088d13 1953 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1954 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1955 "$P_CLI server_name=localhost" \
markrad 0:cdf462088d13 1956 0 \
markrad 0:cdf462088d13 1957 -S "parse ServerName extension" \
markrad 0:cdf462088d13 1958 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
markrad 0:cdf462088d13 1959 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad 0:cdf462088d13 1960
markrad 0:cdf462088d13 1961 run_test "SNI: matching cert 1" \
markrad 0:cdf462088d13 1962 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1963 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1964 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1965 "$P_CLI server_name=localhost" \
markrad 0:cdf462088d13 1966 0 \
markrad 0:cdf462088d13 1967 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1968 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad 0:cdf462088d13 1969 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad 0:cdf462088d13 1970
markrad 0:cdf462088d13 1971 run_test "SNI: matching cert 2" \
markrad 0:cdf462088d13 1972 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1973 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1974 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1975 "$P_CLI server_name=polarssl.example" \
markrad 0:cdf462088d13 1976 0 \
markrad 0:cdf462088d13 1977 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1978 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad 0:cdf462088d13 1979 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
markrad 0:cdf462088d13 1980
markrad 0:cdf462088d13 1981 run_test "SNI: no matching cert" \
markrad 0:cdf462088d13 1982 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1983 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1984 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1985 "$P_CLI server_name=nonesuch.example" \
markrad 0:cdf462088d13 1986 1 \
markrad 0:cdf462088d13 1987 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1988 -s "ssl_sni_wrapper() returned" \
markrad 0:cdf462088d13 1989 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1990 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1991 -c "SSL - A fatal alert message was received from our peer"
markrad 0:cdf462088d13 1992
markrad 0:cdf462088d13 1993 run_test "SNI: client auth no override: optional" \
markrad 0:cdf462088d13 1994 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 1995 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1996 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
markrad 0:cdf462088d13 1997 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 1998 0 \
markrad 0:cdf462088d13 1999 -S "skip write certificate request" \
markrad 0:cdf462088d13 2000 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2001 -c "got a certificate request" \
markrad 0:cdf462088d13 2002 -C "skip write certificate" \
markrad 0:cdf462088d13 2003 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2004 -S "skip parse certificate verify"
markrad 0:cdf462088d13 2005
markrad 0:cdf462088d13 2006 run_test "SNI: client auth override: none -> optional" \
markrad 0:cdf462088d13 2007 "$P_SRV debug_level=3 auth_mode=none \
markrad 0:cdf462088d13 2008 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2009 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
markrad 0:cdf462088d13 2010 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 2011 0 \
markrad 0:cdf462088d13 2012 -S "skip write certificate request" \
markrad 0:cdf462088d13 2013 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2014 -c "got a certificate request" \
markrad 0:cdf462088d13 2015 -C "skip write certificate" \
markrad 0:cdf462088d13 2016 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2017 -S "skip parse certificate verify"
markrad 0:cdf462088d13 2018
markrad 0:cdf462088d13 2019 run_test "SNI: client auth override: optional -> none" \
markrad 0:cdf462088d13 2020 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2021 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2022 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
markrad 0:cdf462088d13 2023 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 2024 0 \
markrad 0:cdf462088d13 2025 -s "skip write certificate request" \
markrad 0:cdf462088d13 2026 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2027 -c "got no certificate request" \
markrad 0:cdf462088d13 2028 -c "skip write certificate" \
markrad 0:cdf462088d13 2029 -c "skip write certificate verify" \
markrad 0:cdf462088d13 2030 -s "skip parse certificate verify"
markrad 0:cdf462088d13 2031
markrad 0:cdf462088d13 2032 run_test "SNI: CA no override" \
markrad 0:cdf462088d13 2033 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2034 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2035 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2036 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
markrad 0:cdf462088d13 2037 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2038 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2039 1 \
markrad 0:cdf462088d13 2040 -S "skip write certificate request" \
markrad 0:cdf462088d13 2041 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2042 -c "got a certificate request" \
markrad 0:cdf462088d13 2043 -C "skip write certificate" \
markrad 0:cdf462088d13 2044 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2045 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2046 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2047 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2048 -S "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2049
markrad 0:cdf462088d13 2050 run_test "SNI: CA override" \
markrad 0:cdf462088d13 2051 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2052 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2053 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2054 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
markrad 0:cdf462088d13 2055 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2056 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2057 0 \
markrad 0:cdf462088d13 2058 -S "skip write certificate request" \
markrad 0:cdf462088d13 2059 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2060 -c "got a certificate request" \
markrad 0:cdf462088d13 2061 -C "skip write certificate" \
markrad 0:cdf462088d13 2062 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2063 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2064 -S "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2065 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2066 -S "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2067
markrad 0:cdf462088d13 2068 run_test "SNI: CA override with CRL" \
markrad 0:cdf462088d13 2069 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2070 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2071 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2072 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
markrad 0:cdf462088d13 2073 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2074 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2075 1 \
markrad 0:cdf462088d13 2076 -S "skip write certificate request" \
markrad 0:cdf462088d13 2077 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2078 -c "got a certificate request" \
markrad 0:cdf462088d13 2079 -C "skip write certificate" \
markrad 0:cdf462088d13 2080 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2081 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2082 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2083 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2084 -s "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2085
markrad 0:cdf462088d13 2086 # Tests for non-blocking I/O: exercise a variety of handshake flows
markrad 0:cdf462088d13 2087
markrad 0:cdf462088d13 2088 run_test "Non-blocking I/O: basic handshake" \
markrad 0:cdf462088d13 2089 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 2090 "$P_CLI nbio=2 tickets=0" \
markrad 0:cdf462088d13 2091 0 \
markrad 0:cdf462088d13 2092 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2093 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2094 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2095
markrad 0:cdf462088d13 2096 run_test "Non-blocking I/O: client auth" \
markrad 0:cdf462088d13 2097 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
markrad 0:cdf462088d13 2098 "$P_CLI nbio=2 tickets=0" \
markrad 0:cdf462088d13 2099 0 \
markrad 0:cdf462088d13 2100 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2101 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2102 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2103
markrad 0:cdf462088d13 2104 run_test "Non-blocking I/O: ticket" \
markrad 0:cdf462088d13 2105 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 2106 "$P_CLI nbio=2 tickets=1" \
markrad 0:cdf462088d13 2107 0 \
markrad 0:cdf462088d13 2108 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2109 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2110 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2111
markrad 0:cdf462088d13 2112 run_test "Non-blocking I/O: ticket + client auth" \
markrad 0:cdf462088d13 2113 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 2114 "$P_CLI nbio=2 tickets=1" \
markrad 0:cdf462088d13 2115 0 \
markrad 0:cdf462088d13 2116 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2117 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2118 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2119
markrad 0:cdf462088d13 2120 run_test "Non-blocking I/O: ticket + client auth + resume" \
markrad 0:cdf462088d13 2121 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 2122 "$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 2123 0 \
markrad 0:cdf462088d13 2124 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2125 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2126 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2127
markrad 0:cdf462088d13 2128 run_test "Non-blocking I/O: ticket + resume" \
markrad 0:cdf462088d13 2129 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 2130 "$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 2131 0 \
markrad 0:cdf462088d13 2132 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2133 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2134 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2135
markrad 0:cdf462088d13 2136 run_test "Non-blocking I/O: session-id resume" \
markrad 0:cdf462088d13 2137 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 2138 "$P_CLI nbio=2 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 2139 0 \
markrad 0:cdf462088d13 2140 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2141 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2142 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2143
markrad 0:cdf462088d13 2144 # Tests for version negotiation
markrad 0:cdf462088d13 2145
markrad 0:cdf462088d13 2146 run_test "Version check: all -> 1.2" \
markrad 0:cdf462088d13 2147 "$P_SRV" \
markrad 0:cdf462088d13 2148 "$P_CLI" \
markrad 0:cdf462088d13 2149 0 \
markrad 0:cdf462088d13 2150 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2151 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2152 -s "Protocol is TLSv1.2" \
markrad 0:cdf462088d13 2153 -c "Protocol is TLSv1.2"
markrad 0:cdf462088d13 2154
markrad 0:cdf462088d13 2155 run_test "Version check: cli max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2156 "$P_SRV" \
markrad 0:cdf462088d13 2157 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2158 0 \
markrad 0:cdf462088d13 2159 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2160 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2161 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2162 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2163
markrad 0:cdf462088d13 2164 run_test "Version check: srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2165 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2166 "$P_CLI" \
markrad 0:cdf462088d13 2167 0 \
markrad 0:cdf462088d13 2168 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2169 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2170 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2171 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2172
markrad 0:cdf462088d13 2173 run_test "Version check: cli+srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2174 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2175 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2176 0 \
markrad 0:cdf462088d13 2177 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2178 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2179 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2180 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2181
markrad 0:cdf462088d13 2182 run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
markrad 0:cdf462088d13 2183 "$P_SRV min_version=tls1_1" \
markrad 0:cdf462088d13 2184 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2185 0 \
markrad 0:cdf462088d13 2186 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2187 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2188 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2189 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2190
markrad 0:cdf462088d13 2191 run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2192 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2193 "$P_CLI min_version=tls1_1" \
markrad 0:cdf462088d13 2194 0 \
markrad 0:cdf462088d13 2195 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2196 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2197 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2198 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2199
markrad 0:cdf462088d13 2200 run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
markrad 0:cdf462088d13 2201 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2202 "$P_CLI min_version=tls1_2" \
markrad 0:cdf462088d13 2203 1 \
markrad 0:cdf462088d13 2204 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2205 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2206 -c "SSL - Handshake protocol not within min/max boundaries"
markrad 0:cdf462088d13 2207
markrad 0:cdf462088d13 2208 run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
markrad 0:cdf462088d13 2209 "$P_SRV min_version=tls1_2" \
markrad 0:cdf462088d13 2210 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2211 1 \
markrad 0:cdf462088d13 2212 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2213 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2214 -s "SSL - Handshake protocol not within min/max boundaries"
markrad 0:cdf462088d13 2215
markrad 0:cdf462088d13 2216 # Tests for ALPN extension
markrad 0:cdf462088d13 2217
markrad 0:cdf462088d13 2218 run_test "ALPN: none" \
markrad 0:cdf462088d13 2219 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2220 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2221 0 \
markrad 0:cdf462088d13 2222 -C "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2223 -S "found alpn extension" \
markrad 0:cdf462088d13 2224 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2225 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2226 -C "found alpn extension " \
markrad 0:cdf462088d13 2227 -C "Application Layer Protocol is" \
markrad 0:cdf462088d13 2228 -S "Application Layer Protocol is"
markrad 0:cdf462088d13 2229
markrad 0:cdf462088d13 2230 run_test "ALPN: client only" \
markrad 0:cdf462088d13 2231 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2232 "$P_CLI debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2233 0 \
markrad 0:cdf462088d13 2234 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2235 -s "found alpn extension" \
markrad 0:cdf462088d13 2236 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2237 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2238 -C "found alpn extension " \
markrad 0:cdf462088d13 2239 -c "Application Layer Protocol is (none)" \
markrad 0:cdf462088d13 2240 -S "Application Layer Protocol is"
markrad 0:cdf462088d13 2241
markrad 0:cdf462088d13 2242 run_test "ALPN: server only" \
markrad 0:cdf462088d13 2243 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2244 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2245 0 \
markrad 0:cdf462088d13 2246 -C "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2247 -S "found alpn extension" \
markrad 0:cdf462088d13 2248 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2249 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2250 -C "found alpn extension " \
markrad 0:cdf462088d13 2251 -C "Application Layer Protocol is" \
markrad 0:cdf462088d13 2252 -s "Application Layer Protocol is (none)"
markrad 0:cdf462088d13 2253
markrad 0:cdf462088d13 2254 run_test "ALPN: both, common cli1-srv1" \
markrad 0:cdf462088d13 2255 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2256 "$P_CLI debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2257 0 \
markrad 0:cdf462088d13 2258 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2259 -s "found alpn extension" \
markrad 0:cdf462088d13 2260 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2261 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2262 -c "found alpn extension" \
markrad 0:cdf462088d13 2263 -c "Application Layer Protocol is abc" \
markrad 0:cdf462088d13 2264 -s "Application Layer Protocol is abc"
markrad 0:cdf462088d13 2265
markrad 0:cdf462088d13 2266 run_test "ALPN: both, common cli2-srv1" \
markrad 0:cdf462088d13 2267 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2268 "$P_CLI debug_level=3 alpn=1234,abc" \
markrad 0:cdf462088d13 2269 0 \
markrad 0:cdf462088d13 2270 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2271 -s "found alpn extension" \
markrad 0:cdf462088d13 2272 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2273 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2274 -c "found alpn extension" \
markrad 0:cdf462088d13 2275 -c "Application Layer Protocol is abc" \
markrad 0:cdf462088d13 2276 -s "Application Layer Protocol is abc"
markrad 0:cdf462088d13 2277
markrad 0:cdf462088d13 2278 run_test "ALPN: both, common cli1-srv2" \
markrad 0:cdf462088d13 2279 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2280 "$P_CLI debug_level=3 alpn=1234,abcde" \
markrad 0:cdf462088d13 2281 0 \
markrad 0:cdf462088d13 2282 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2283 -s "found alpn extension" \
markrad 0:cdf462088d13 2284 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2285 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2286 -c "found alpn extension" \
markrad 0:cdf462088d13 2287 -c "Application Layer Protocol is 1234" \
markrad 0:cdf462088d13 2288 -s "Application Layer Protocol is 1234"
markrad 0:cdf462088d13 2289
markrad 0:cdf462088d13 2290 run_test "ALPN: both, no common" \
markrad 0:cdf462088d13 2291 "$P_SRV debug_level=3 alpn=abc,123" \
markrad 0:cdf462088d13 2292 "$P_CLI debug_level=3 alpn=1234,abcde" \
markrad 0:cdf462088d13 2293 1 \
markrad 0:cdf462088d13 2294 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2295 -s "found alpn extension" \
markrad 0:cdf462088d13 2296 -c "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2297 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2298 -C "found alpn extension" \
markrad 0:cdf462088d13 2299 -C "Application Layer Protocol is 1234" \
markrad 0:cdf462088d13 2300 -S "Application Layer Protocol is 1234"
markrad 0:cdf462088d13 2301
markrad 0:cdf462088d13 2302
markrad 0:cdf462088d13 2303 # Tests for keyUsage in leaf certificates, part 1:
markrad 0:cdf462088d13 2304 # server-side certificate/suite selection
markrad 0:cdf462088d13 2305
markrad 0:cdf462088d13 2306 run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
markrad 0:cdf462088d13 2307 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2308 crt_file=data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2309 "$P_CLI" \
markrad 0:cdf462088d13 2310 0 \
markrad 0:cdf462088d13 2311 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
markrad 0:cdf462088d13 2312
markrad 0:cdf462088d13 2313
markrad 0:cdf462088d13 2314 run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
markrad 0:cdf462088d13 2315 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2316 crt_file=data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2317 "$P_CLI" \
markrad 0:cdf462088d13 2318 0 \
markrad 0:cdf462088d13 2319 -c "Ciphersuite is TLS-RSA-WITH-"
markrad 0:cdf462088d13 2320
markrad 0:cdf462088d13 2321 run_test "keyUsage srv: RSA, keyAgreement -> fail" \
markrad 0:cdf462088d13 2322 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2323 crt_file=data_files/server2.ku-ka.crt" \
markrad 0:cdf462088d13 2324 "$P_CLI" \
markrad 0:cdf462088d13 2325 1 \
markrad 0:cdf462088d13 2326 -C "Ciphersuite is "
markrad 0:cdf462088d13 2327
markrad 0:cdf462088d13 2328 run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
markrad 0:cdf462088d13 2329 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2330 crt_file=data_files/server5.ku-ds.crt" \
markrad 0:cdf462088d13 2331 "$P_CLI" \
markrad 0:cdf462088d13 2332 0 \
markrad 0:cdf462088d13 2333 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
markrad 0:cdf462088d13 2334
markrad 0:cdf462088d13 2335
markrad 0:cdf462088d13 2336 run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
markrad 0:cdf462088d13 2337 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2338 crt_file=data_files/server5.ku-ka.crt" \
markrad 0:cdf462088d13 2339 "$P_CLI" \
markrad 0:cdf462088d13 2340 0 \
markrad 0:cdf462088d13 2341 -c "Ciphersuite is TLS-ECDH-"
markrad 0:cdf462088d13 2342
markrad 0:cdf462088d13 2343 run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
markrad 0:cdf462088d13 2344 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2345 crt_file=data_files/server5.ku-ke.crt" \
markrad 0:cdf462088d13 2346 "$P_CLI" \
markrad 0:cdf462088d13 2347 1 \
markrad 0:cdf462088d13 2348 -C "Ciphersuite is "
markrad 0:cdf462088d13 2349
markrad 0:cdf462088d13 2350 # Tests for keyUsage in leaf certificates, part 2:
markrad 0:cdf462088d13 2351 # client-side checking of server cert
markrad 0:cdf462088d13 2352
markrad 0:cdf462088d13 2353 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
markrad 0:cdf462088d13 2354 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2355 -cert data_files/server2.ku-ds_ke.crt" \
markrad 0:cdf462088d13 2356 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2357 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2358 0 \
markrad 0:cdf462088d13 2359 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2360 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2361 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2362
markrad 0:cdf462088d13 2363 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
markrad 0:cdf462088d13 2364 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2365 -cert data_files/server2.ku-ds_ke.crt" \
markrad 0:cdf462088d13 2366 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2367 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2368 0 \
markrad 0:cdf462088d13 2369 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2370 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2371 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2372
markrad 0:cdf462088d13 2373 run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
markrad 0:cdf462088d13 2374 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2375 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2376 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2377 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2378 0 \
markrad 0:cdf462088d13 2379 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2380 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2381 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2382
markrad 0:cdf462088d13 2383 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
markrad 0:cdf462088d13 2384 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2385 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2386 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2387 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2388 1 \
markrad 0:cdf462088d13 2389 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2390 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2391 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2392
markrad 0:cdf462088d13 2393 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
markrad 0:cdf462088d13 2394 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2395 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2396 "$P_CLI debug_level=1 auth_mode=optional \
markrad 0:cdf462088d13 2397 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2398 0 \
markrad 0:cdf462088d13 2399 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2400 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2401 -c "Ciphersuite is TLS-" \
markrad 0:cdf462088d13 2402 -c "! Usage does not match the keyUsage extension"
markrad 0:cdf462088d13 2403
markrad 0:cdf462088d13 2404 run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
markrad 0:cdf462088d13 2405 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2406 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2407 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2408 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2409 0 \
markrad 0:cdf462088d13 2410 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2411 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2412 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2413
markrad 0:cdf462088d13 2414 run_test "keyUsage cli: DigitalSignature, RSA: fail" \
markrad 0:cdf462088d13 2415 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2416 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2417 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2418 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2419 1 \
markrad 0:cdf462088d13 2420 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2421 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2422 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2423
markrad 0:cdf462088d13 2424 run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
markrad 0:cdf462088d13 2425 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2426 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2427 "$P_CLI debug_level=1 auth_mode=optional \
markrad 0:cdf462088d13 2428 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2429 0 \
markrad 0:cdf462088d13 2430 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2431 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2432 -c "Ciphersuite is TLS-" \
markrad 0:cdf462088d13 2433 -c "! Usage does not match the keyUsage extension"
markrad 0:cdf462088d13 2434
markrad 0:cdf462088d13 2435 # Tests for keyUsage in leaf certificates, part 3:
markrad 0:cdf462088d13 2436 # server-side checking of client cert
markrad 0:cdf462088d13 2437
markrad 0:cdf462088d13 2438 run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
markrad 0:cdf462088d13 2439 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2440 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2441 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2442 0 \
markrad 0:cdf462088d13 2443 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2444 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2445
markrad 0:cdf462088d13 2446 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
markrad 0:cdf462088d13 2447 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2448 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2449 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2450 0 \
markrad 0:cdf462088d13 2451 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2452 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2453
markrad 0:cdf462088d13 2454 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
markrad 0:cdf462088d13 2455 "$P_SRV debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 2456 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2457 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2458 1 \
markrad 0:cdf462088d13 2459 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2460 -s "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2461
markrad 0:cdf462088d13 2462 run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
markrad 0:cdf462088d13 2463 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2464 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2465 -cert data_files/server5.ku-ds.crt" \
markrad 0:cdf462088d13 2466 0 \
markrad 0:cdf462088d13 2467 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2468 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2469
markrad 0:cdf462088d13 2470 run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
markrad 0:cdf462088d13 2471 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2472 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2473 -cert data_files/server5.ku-ka.crt" \
markrad 0:cdf462088d13 2474 0 \
markrad 0:cdf462088d13 2475 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2476 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2477
markrad 0:cdf462088d13 2478 # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
markrad 0:cdf462088d13 2479
markrad 0:cdf462088d13 2480 run_test "extKeyUsage srv: serverAuth -> OK" \
markrad 0:cdf462088d13 2481 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2482 crt_file=data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2483 "$P_CLI" \
markrad 0:cdf462088d13 2484 0
markrad 0:cdf462088d13 2485
markrad 0:cdf462088d13 2486 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2487 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2488 crt_file=data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2489 "$P_CLI" \
markrad 0:cdf462088d13 2490 0
markrad 0:cdf462088d13 2491
markrad 0:cdf462088d13 2492 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2493 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2494 crt_file=data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2495 "$P_CLI" \
markrad 0:cdf462088d13 2496 0
markrad 0:cdf462088d13 2497
markrad 0:cdf462088d13 2498 run_test "extKeyUsage srv: codeSign -> fail" \
markrad 0:cdf462088d13 2499 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2500 crt_file=data_files/server5.eku-cli.crt" \
markrad 0:cdf462088d13 2501 "$P_CLI" \
markrad 0:cdf462088d13 2502 1
markrad 0:cdf462088d13 2503
markrad 0:cdf462088d13 2504 # Tests for extendedKeyUsage, part 2: client-side checking of server cert
markrad 0:cdf462088d13 2505
markrad 0:cdf462088d13 2506 run_test "extKeyUsage cli: serverAuth -> OK" \
markrad 0:cdf462088d13 2507 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2508 -cert data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2509 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2510 0 \
markrad 0:cdf462088d13 2511 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2512 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2513 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2514
markrad 0:cdf462088d13 2515 run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2516 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2517 -cert data_files/server5.eku-srv_cli.crt" \
markrad 0:cdf462088d13 2518 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2519 0 \
markrad 0:cdf462088d13 2520 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2521 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2522 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2523
markrad 0:cdf462088d13 2524 run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2525 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2526 -cert data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2527 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2528 0 \
markrad 0:cdf462088d13 2529 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2530 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2531 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2532
markrad 0:cdf462088d13 2533 run_test "extKeyUsage cli: codeSign -> fail" \
markrad 0:cdf462088d13 2534 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2535 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2536 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2537 1 \
markrad 0:cdf462088d13 2538 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2539 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2540 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2541
markrad 0:cdf462088d13 2542 # Tests for extendedKeyUsage, part 3: server-side checking of client cert
markrad 0:cdf462088d13 2543
markrad 0:cdf462088d13 2544 run_test "extKeyUsage cli-auth: clientAuth -> OK" \
markrad 0:cdf462088d13 2545 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2546 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2547 -cert data_files/server5.eku-cli.crt" \
markrad 0:cdf462088d13 2548 0 \
markrad 0:cdf462088d13 2549 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2550 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2551
markrad 0:cdf462088d13 2552 run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2553 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2554 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2555 -cert data_files/server5.eku-srv_cli.crt" \
markrad 0:cdf462088d13 2556 0 \
markrad 0:cdf462088d13 2557 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2558 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2559
markrad 0:cdf462088d13 2560 run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2561 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2562 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2563 -cert data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2564 0 \
markrad 0:cdf462088d13 2565 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2566 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2567
markrad 0:cdf462088d13 2568 run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
markrad 0:cdf462088d13 2569 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2570 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2571 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2572 0 \
markrad 0:cdf462088d13 2573 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2574 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2575
markrad 0:cdf462088d13 2576 run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
markrad 0:cdf462088d13 2577 "$P_SRV debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 2578 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2579 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2580 1 \
markrad 0:cdf462088d13 2581 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2582 -s "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2583
markrad 0:cdf462088d13 2584 # Tests for DHM parameters loading
markrad 0:cdf462088d13 2585
markrad 0:cdf462088d13 2586 run_test "DHM parameters: reference" \
markrad 0:cdf462088d13 2587 "$P_SRV" \
markrad 0:cdf462088d13 2588 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2589 debug_level=3" \
markrad 0:cdf462088d13 2590 0 \
markrad 0:cdf462088d13 2591 -c "value of 'DHM: P ' (2048 bits)" \
markrad 0:cdf462088d13 2592 -c "value of 'DHM: G ' (2048 bits)"
markrad 0:cdf462088d13 2593
markrad 0:cdf462088d13 2594 run_test "DHM parameters: other parameters" \
markrad 0:cdf462088d13 2595 "$P_SRV dhm_file=data_files/dhparams.pem" \
markrad 0:cdf462088d13 2596 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2597 debug_level=3" \
markrad 0:cdf462088d13 2598 0 \
markrad 0:cdf462088d13 2599 -c "value of 'DHM: P ' (1024 bits)" \
markrad 0:cdf462088d13 2600 -c "value of 'DHM: G ' (2 bits)"
markrad 0:cdf462088d13 2601
markrad 0:cdf462088d13 2602 # Tests for DHM client-side size checking
markrad 0:cdf462088d13 2603
markrad 0:cdf462088d13 2604 run_test "DHM size: server default, client default, OK" \
markrad 0:cdf462088d13 2605 "$P_SRV" \
markrad 0:cdf462088d13 2606 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2607 debug_level=1" \
markrad 0:cdf462088d13 2608 0 \
markrad 0:cdf462088d13 2609 -C "DHM prime too short:"
markrad 0:cdf462088d13 2610
markrad 0:cdf462088d13 2611 run_test "DHM size: server default, client 2048, OK" \
markrad 0:cdf462088d13 2612 "$P_SRV" \
markrad 0:cdf462088d13 2613 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2614 debug_level=1 dhmlen=2048" \
markrad 0:cdf462088d13 2615 0 \
markrad 0:cdf462088d13 2616 -C "DHM prime too short:"
markrad 0:cdf462088d13 2617
markrad 0:cdf462088d13 2618 run_test "DHM size: server 1024, client default, OK" \
markrad 0:cdf462088d13 2619 "$P_SRV dhm_file=data_files/dhparams.pem" \
markrad 0:cdf462088d13 2620 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2621 debug_level=1" \
markrad 0:cdf462088d13 2622 0 \
markrad 0:cdf462088d13 2623 -C "DHM prime too short:"
markrad 0:cdf462088d13 2624
markrad 0:cdf462088d13 2625 run_test "DHM size: server 1000, client default, rejected" \
markrad 0:cdf462088d13 2626 "$P_SRV dhm_file=data_files/dh.1000.pem" \
markrad 0:cdf462088d13 2627 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2628 debug_level=1" \
markrad 0:cdf462088d13 2629 1 \
markrad 0:cdf462088d13 2630 -c "DHM prime too short:"
markrad 0:cdf462088d13 2631
markrad 0:cdf462088d13 2632 run_test "DHM size: server default, client 2049, rejected" \
markrad 0:cdf462088d13 2633 "$P_SRV" \
markrad 0:cdf462088d13 2634 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2635 debug_level=1 dhmlen=2049" \
markrad 0:cdf462088d13 2636 1 \
markrad 0:cdf462088d13 2637 -c "DHM prime too short:"
markrad 0:cdf462088d13 2638
markrad 0:cdf462088d13 2639 # Tests for PSK callback
markrad 0:cdf462088d13 2640
markrad 0:cdf462088d13 2641 run_test "PSK callback: psk, no callback" \
markrad 0:cdf462088d13 2642 "$P_SRV psk=abc123 psk_identity=foo" \
markrad 0:cdf462088d13 2643 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2644 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2645 0 \
markrad 0:cdf462088d13 2646 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2647 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2648 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2649
markrad 0:cdf462088d13 2650 run_test "PSK callback: no psk, no callback" \
markrad 0:cdf462088d13 2651 "$P_SRV" \
markrad 0:cdf462088d13 2652 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2653 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2654 1 \
markrad 0:cdf462088d13 2655 -s "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2656 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2657 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2658
markrad 0:cdf462088d13 2659 run_test "PSK callback: callback overrides other settings" \
markrad 0:cdf462088d13 2660 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2661 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2662 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2663 1 \
markrad 0:cdf462088d13 2664 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2665 -s "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2666 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2667
markrad 0:cdf462088d13 2668 run_test "PSK callback: first id matches" \
markrad 0:cdf462088d13 2669 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2670 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2671 psk_identity=abc psk=dead" \
markrad 0:cdf462088d13 2672 0 \
markrad 0:cdf462088d13 2673 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2674 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2675 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2676
markrad 0:cdf462088d13 2677 run_test "PSK callback: second id matches" \
markrad 0:cdf462088d13 2678 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2679 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2680 psk_identity=def psk=beef" \
markrad 0:cdf462088d13 2681 0 \
markrad 0:cdf462088d13 2682 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2683 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2684 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2685
markrad 0:cdf462088d13 2686 run_test "PSK callback: no match" \
markrad 0:cdf462088d13 2687 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2688 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2689 psk_identity=ghi psk=beef" \
markrad 0:cdf462088d13 2690 1 \
markrad 0:cdf462088d13 2691 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2692 -s "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2693 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2694
markrad 0:cdf462088d13 2695 run_test "PSK callback: wrong key" \
markrad 0:cdf462088d13 2696 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2697 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2698 psk_identity=abc psk=beef" \
markrad 0:cdf462088d13 2699 1 \
markrad 0:cdf462088d13 2700 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2701 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2702 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2703
markrad 0:cdf462088d13 2704 # Tests for EC J-PAKE
markrad 0:cdf462088d13 2705
markrad 0:cdf462088d13 2706 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2707 run_test "ECJPAKE: client not configured" \
markrad 0:cdf462088d13 2708 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2709 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2710 0 \
markrad 0:cdf462088d13 2711 -C "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2712 -C "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2713 -S "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2714 -S "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2715 -S "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2716 -S "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2717 -C "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2718 -S "None of the common ciphersuites is usable"
markrad 0:cdf462088d13 2719
markrad 0:cdf462088d13 2720 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2721 run_test "ECJPAKE: server not configured" \
markrad 0:cdf462088d13 2722 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2723 "$P_CLI debug_level=3 ecjpake_pw=bla \
markrad 0:cdf462088d13 2724 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2725 1 \
markrad 0:cdf462088d13 2726 -c "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2727 -c "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2728 -s "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2729 -s "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2730 -s "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2731 -S "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2732 -C "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2733 -s "None of the common ciphersuites is usable"
markrad 0:cdf462088d13 2734
markrad 0:cdf462088d13 2735 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2736 run_test "ECJPAKE: working, TLS" \
markrad 0:cdf462088d13 2737 "$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2738 "$P_CLI debug_level=3 ecjpake_pw=bla \
markrad 0:cdf462088d13 2739 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2740 0 \
markrad 0:cdf462088d13 2741 -c "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2742 -c "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2743 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2744 -s "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2745 -S "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2746 -S "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2747 -s "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2748 -c "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2749 -S "None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2750 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2751
markrad 0:cdf462088d13 2752 server_needs_more_time 1
markrad 0:cdf462088d13 2753 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2754 run_test "ECJPAKE: password mismatch, TLS" \
markrad 0:cdf462088d13 2755 "$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2756 "$P_CLI debug_level=3 ecjpake_pw=bad \
markrad 0:cdf462088d13 2757 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2758 1 \
markrad 0:cdf462088d13 2759 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2760 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2761
markrad 0:cdf462088d13 2762 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2763 run_test "ECJPAKE: working, DTLS" \
markrad 0:cdf462088d13 2764 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2765 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2766 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2767 0 \
markrad 0:cdf462088d13 2768 -c "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2769 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2770
markrad 0:cdf462088d13 2771 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2772 run_test "ECJPAKE: working, DTLS, no cookie" \
markrad 0:cdf462088d13 2773 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
markrad 0:cdf462088d13 2774 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2775 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2776 0 \
markrad 0:cdf462088d13 2777 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2778 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2779
markrad 0:cdf462088d13 2780 server_needs_more_time 1
markrad 0:cdf462088d13 2781 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2782 run_test "ECJPAKE: password mismatch, DTLS" \
markrad 0:cdf462088d13 2783 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2784 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
markrad 0:cdf462088d13 2785 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2786 1 \
markrad 0:cdf462088d13 2787 -c "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2788 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2789
markrad 0:cdf462088d13 2790 # for tests with configs/config-thread.h
markrad 0:cdf462088d13 2791 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2792 run_test "ECJPAKE: working, DTLS, nolog" \
markrad 0:cdf462088d13 2793 "$P_SRV dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2794 "$P_CLI dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2795 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2796 0
markrad 0:cdf462088d13 2797
markrad 0:cdf462088d13 2798 # Tests for ciphersuites per version
markrad 0:cdf462088d13 2799
markrad 0:cdf462088d13 2800 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2801 run_test "Per-version suites: SSL3" \
markrad 0:cdf462088d13 2802 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2803 "$P_CLI force_version=ssl3" \
markrad 0:cdf462088d13 2804 0 \
markrad 0:cdf462088d13 2805 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
markrad 0:cdf462088d13 2806
markrad 0:cdf462088d13 2807 run_test "Per-version suites: TLS 1.0" \
markrad 0:cdf462088d13 2808 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2809 "$P_CLI force_version=tls1 arc4=1" \
markrad 0:cdf462088d13 2810 0 \
markrad 0:cdf462088d13 2811 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
markrad 0:cdf462088d13 2812
markrad 0:cdf462088d13 2813 run_test "Per-version suites: TLS 1.1" \
markrad 0:cdf462088d13 2814 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2815 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 2816 0 \
markrad 0:cdf462088d13 2817 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
markrad 0:cdf462088d13 2818
markrad 0:cdf462088d13 2819 run_test "Per-version suites: TLS 1.2" \
markrad 0:cdf462088d13 2820 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2821 "$P_CLI force_version=tls1_2" \
markrad 0:cdf462088d13 2822 0 \
markrad 0:cdf462088d13 2823 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
markrad 0:cdf462088d13 2824
markrad 0:cdf462088d13 2825 # Test for ClientHello without extensions
markrad 0:cdf462088d13 2826
markrad 0:cdf462088d13 2827 requires_gnutls
markrad 0:cdf462088d13 2828 run_test "ClientHello without extensions" \
markrad 0:cdf462088d13 2829 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2830 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 2831 0 \
markrad 0:cdf462088d13 2832 -s "dumping 'client hello extensions' (0 bytes)"
markrad 0:cdf462088d13 2833
markrad 0:cdf462088d13 2834 # Tests for mbedtls_ssl_get_bytes_avail()
markrad 0:cdf462088d13 2835
markrad 0:cdf462088d13 2836 run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
markrad 0:cdf462088d13 2837 "$P_SRV" \
markrad 0:cdf462088d13 2838 "$P_CLI request_size=100" \
markrad 0:cdf462088d13 2839 0 \
markrad 0:cdf462088d13 2840 -s "Read from client: 100 bytes read$"
markrad 0:cdf462088d13 2841
markrad 0:cdf462088d13 2842 run_test "mbedtls_ssl_get_bytes_avail: extra data" \
markrad 0:cdf462088d13 2843 "$P_SRV" \
markrad 0:cdf462088d13 2844 "$P_CLI request_size=500" \
markrad 0:cdf462088d13 2845 0 \
markrad 0:cdf462088d13 2846 -s "Read from client: 500 bytes read (.*+.*)"
markrad 0:cdf462088d13 2847
markrad 0:cdf462088d13 2848 # Tests for small packets
markrad 0:cdf462088d13 2849
markrad 0:cdf462088d13 2850 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2851 run_test "Small packet SSLv3 BlockCipher" \
markrad 0:cdf462088d13 2852 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 2853 "$P_CLI request_size=1 force_version=ssl3 \
markrad 0:cdf462088d13 2854 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2855 0 \
markrad 0:cdf462088d13 2856 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2857
markrad 0:cdf462088d13 2858 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2859 run_test "Small packet SSLv3 StreamCipher" \
markrad 0:cdf462088d13 2860 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2861 "$P_CLI request_size=1 force_version=ssl3 \
markrad 0:cdf462088d13 2862 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2863 0 \
markrad 0:cdf462088d13 2864 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2865
markrad 0:cdf462088d13 2866 run_test "Small packet TLS 1.0 BlockCipher" \
markrad 0:cdf462088d13 2867 "$P_SRV" \
markrad 0:cdf462088d13 2868 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2869 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2870 0 \
markrad 0:cdf462088d13 2871 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2872
markrad 0:cdf462088d13 2873 run_test "Small packet TLS 1.0 BlockCipher without EtM" \
markrad 0:cdf462088d13 2874 "$P_SRV" \
markrad 0:cdf462088d13 2875 "$P_CLI request_size=1 force_version=tls1 etm=0 \
markrad 0:cdf462088d13 2876 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2877 0 \
markrad 0:cdf462088d13 2878 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2879
markrad 0:cdf462088d13 2880 run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2881 "$P_SRV" \
markrad 0:cdf462088d13 2882 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2883 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2884 trunc_hmac=1" \
markrad 0:cdf462088d13 2885 0 \
markrad 0:cdf462088d13 2886 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2887
markrad 0:cdf462088d13 2888 run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2889 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2890 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2891 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2892 trunc_hmac=1" \
markrad 0:cdf462088d13 2893 0 \
markrad 0:cdf462088d13 2894 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2895
markrad 0:cdf462088d13 2896 run_test "Small packet TLS 1.1 BlockCipher" \
markrad 0:cdf462088d13 2897 "$P_SRV" \
markrad 0:cdf462088d13 2898 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2899 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2900 0 \
markrad 0:cdf462088d13 2901 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2902
markrad 0:cdf462088d13 2903 run_test "Small packet TLS 1.1 BlockCipher without EtM" \
markrad 0:cdf462088d13 2904 "$P_SRV" \
markrad 0:cdf462088d13 2905 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
markrad 0:cdf462088d13 2906 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2907 0 \
markrad 0:cdf462088d13 2908 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2909
markrad 0:cdf462088d13 2910 run_test "Small packet TLS 1.1 StreamCipher" \
markrad 0:cdf462088d13 2911 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2912 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2913 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2914 0 \
markrad 0:cdf462088d13 2915 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2916
markrad 0:cdf462088d13 2917 run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2918 "$P_SRV" \
markrad 0:cdf462088d13 2919 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2920 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2921 trunc_hmac=1" \
markrad 0:cdf462088d13 2922 0 \
markrad 0:cdf462088d13 2923 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2924
markrad 0:cdf462088d13 2925 run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2926 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2927 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2928 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2929 trunc_hmac=1" \
markrad 0:cdf462088d13 2930 0 \
markrad 0:cdf462088d13 2931 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2932
markrad 0:cdf462088d13 2933 run_test "Small packet TLS 1.2 BlockCipher" \
markrad 0:cdf462088d13 2934 "$P_SRV" \
markrad 0:cdf462088d13 2935 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2936 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2937 0 \
markrad 0:cdf462088d13 2938 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2939
markrad 0:cdf462088d13 2940 run_test "Small packet TLS 1.2 BlockCipher without EtM" \
markrad 0:cdf462088d13 2941 "$P_SRV" \
markrad 0:cdf462088d13 2942 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
markrad 0:cdf462088d13 2943 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2944 0 \
markrad 0:cdf462088d13 2945 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2946
markrad 0:cdf462088d13 2947 run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
markrad 0:cdf462088d13 2948 "$P_SRV" \
markrad 0:cdf462088d13 2949 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2950 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad 0:cdf462088d13 2951 0 \
markrad 0:cdf462088d13 2952 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2953
markrad 0:cdf462088d13 2954 run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2955 "$P_SRV" \
markrad 0:cdf462088d13 2956 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2957 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2958 trunc_hmac=1" \
markrad 0:cdf462088d13 2959 0 \
markrad 0:cdf462088d13 2960 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2961
markrad 0:cdf462088d13 2962 run_test "Small packet TLS 1.2 StreamCipher" \
markrad 0:cdf462088d13 2963 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2964 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2965 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2966 0 \
markrad 0:cdf462088d13 2967 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2968
markrad 0:cdf462088d13 2969 run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2970 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2971 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2972 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2973 trunc_hmac=1" \
markrad 0:cdf462088d13 2974 0 \
markrad 0:cdf462088d13 2975 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2976
markrad 0:cdf462088d13 2977 run_test "Small packet TLS 1.2 AEAD" \
markrad 0:cdf462088d13 2978 "$P_SRV" \
markrad 0:cdf462088d13 2979 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2980 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad 0:cdf462088d13 2981 0 \
markrad 0:cdf462088d13 2982 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2983
markrad 0:cdf462088d13 2984 run_test "Small packet TLS 1.2 AEAD shorter tag" \
markrad 0:cdf462088d13 2985 "$P_SRV" \
markrad 0:cdf462088d13 2986 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2987 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad 0:cdf462088d13 2988 0 \
markrad 0:cdf462088d13 2989 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2990
markrad 0:cdf462088d13 2991 # A test for extensions in SSLv3
markrad 0:cdf462088d13 2992
markrad 0:cdf462088d13 2993 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2994 run_test "SSLv3 with extensions, server side" \
markrad 0:cdf462088d13 2995 "$P_SRV min_version=ssl3 debug_level=3" \
markrad 0:cdf462088d13 2996 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
markrad 0:cdf462088d13 2997 0 \
markrad 0:cdf462088d13 2998 -S "dumping 'client hello extensions'" \
markrad 0:cdf462088d13 2999 -S "server hello, total extension length:"
markrad 0:cdf462088d13 3000
markrad 0:cdf462088d13 3001 # Test for large packets
markrad 0:cdf462088d13 3002
markrad 0:cdf462088d13 3003 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 3004 run_test "Large packet SSLv3 BlockCipher" \
markrad 0:cdf462088d13 3005 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 3006 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
markrad 0:cdf462088d13 3007 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3008 0 \
markrad 0:cdf462088d13 3009 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3010
markrad 0:cdf462088d13 3011 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 3012 run_test "Large packet SSLv3 StreamCipher" \
markrad 0:cdf462088d13 3013 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3014 "$P_CLI request_size=16384 force_version=ssl3 \
markrad 0:cdf462088d13 3015 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3016 0 \
markrad 0:cdf462088d13 3017 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3018
markrad 0:cdf462088d13 3019 run_test "Large packet TLS 1.0 BlockCipher" \
markrad 0:cdf462088d13 3020 "$P_SRV" \
markrad 0:cdf462088d13 3021 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad 0:cdf462088d13 3022 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3023 0 \
markrad 0:cdf462088d13 3024 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3025
markrad 0:cdf462088d13 3026 run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3027 "$P_SRV" \
markrad 0:cdf462088d13 3028 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad 0:cdf462088d13 3029 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3030 trunc_hmac=1" \
markrad 0:cdf462088d13 3031 0 \
markrad 0:cdf462088d13 3032 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3033
markrad 0:cdf462088d13 3034 run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3035 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3036 "$P_CLI request_size=16384 force_version=tls1 \
markrad 0:cdf462088d13 3037 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3038 trunc_hmac=1" \
markrad 0:cdf462088d13 3039 0 \
markrad 0:cdf462088d13 3040 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3041
markrad 0:cdf462088d13 3042 run_test "Large packet TLS 1.1 BlockCipher" \
markrad 0:cdf462088d13 3043 "$P_SRV" \
markrad 0:cdf462088d13 3044 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3045 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3046 0 \
markrad 0:cdf462088d13 3047 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3048
markrad 0:cdf462088d13 3049 run_test "Large packet TLS 1.1 StreamCipher" \
markrad 0:cdf462088d13 3050 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3051 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3052 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3053 0 \
markrad 0:cdf462088d13 3054 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3055
markrad 0:cdf462088d13 3056 run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3057 "$P_SRV" \
markrad 0:cdf462088d13 3058 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3059 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3060 trunc_hmac=1" \
markrad 0:cdf462088d13 3061 0 \
markrad 0:cdf462088d13 3062 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3063
markrad 0:cdf462088d13 3064 run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3065 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3066 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3067 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3068 trunc_hmac=1" \
markrad 0:cdf462088d13 3069 0 \
markrad 0:cdf462088d13 3070 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3071
markrad 0:cdf462088d13 3072 run_test "Large packet TLS 1.2 BlockCipher" \
markrad 0:cdf462088d13 3073 "$P_SRV" \
markrad 0:cdf462088d13 3074 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3075 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3076 0 \
markrad 0:cdf462088d13 3077 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3078
markrad 0:cdf462088d13 3079 run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
markrad 0:cdf462088d13 3080 "$P_SRV" \
markrad 0:cdf462088d13 3081 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3082 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad 0:cdf462088d13 3083 0 \
markrad 0:cdf462088d13 3084 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3085
markrad 0:cdf462088d13 3086 run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3087 "$P_SRV" \
markrad 0:cdf462088d13 3088 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3089 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3090 trunc_hmac=1" \
markrad 0:cdf462088d13 3091 0 \
markrad 0:cdf462088d13 3092 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3093
markrad 0:cdf462088d13 3094 run_test "Large packet TLS 1.2 StreamCipher" \
markrad 0:cdf462088d13 3095 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3096 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3097 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3098 0 \
markrad 0:cdf462088d13 3099 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3100
markrad 0:cdf462088d13 3101 run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3102 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3103 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3104 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3105 trunc_hmac=1" \
markrad 0:cdf462088d13 3106 0 \
markrad 0:cdf462088d13 3107 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3108
markrad 0:cdf462088d13 3109 run_test "Large packet TLS 1.2 AEAD" \
markrad 0:cdf462088d13 3110 "$P_SRV" \
markrad 0:cdf462088d13 3111 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3112 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad 0:cdf462088d13 3113 0 \
markrad 0:cdf462088d13 3114 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3115
markrad 0:cdf462088d13 3116 run_test "Large packet TLS 1.2 AEAD shorter tag" \
markrad 0:cdf462088d13 3117 "$P_SRV" \
markrad 0:cdf462088d13 3118 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3119 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad 0:cdf462088d13 3120 0 \
markrad 0:cdf462088d13 3121 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3122
markrad 0:cdf462088d13 3123 # Tests for DTLS HelloVerifyRequest
markrad 0:cdf462088d13 3124
markrad 0:cdf462088d13 3125 run_test "DTLS cookie: enabled" \
markrad 0:cdf462088d13 3126 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3127 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3128 0 \
markrad 0:cdf462088d13 3129 -s "cookie verification failed" \
markrad 0:cdf462088d13 3130 -s "cookie verification passed" \
markrad 0:cdf462088d13 3131 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3132 -c "received hello verify request" \
markrad 0:cdf462088d13 3133 -s "hello verification requested" \
markrad 0:cdf462088d13 3134 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3135
markrad 0:cdf462088d13 3136 run_test "DTLS cookie: disabled" \
markrad 0:cdf462088d13 3137 "$P_SRV dtls=1 debug_level=2 cookies=0" \
markrad 0:cdf462088d13 3138 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3139 0 \
markrad 0:cdf462088d13 3140 -S "cookie verification failed" \
markrad 0:cdf462088d13 3141 -S "cookie verification passed" \
markrad 0:cdf462088d13 3142 -s "cookie verification skipped" \
markrad 0:cdf462088d13 3143 -C "received hello verify request" \
markrad 0:cdf462088d13 3144 -S "hello verification requested" \
markrad 0:cdf462088d13 3145 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3146
markrad 0:cdf462088d13 3147 run_test "DTLS cookie: default (failing)" \
markrad 0:cdf462088d13 3148 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
markrad 0:cdf462088d13 3149 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
markrad 0:cdf462088d13 3150 1 \
markrad 0:cdf462088d13 3151 -s "cookie verification failed" \
markrad 0:cdf462088d13 3152 -S "cookie verification passed" \
markrad 0:cdf462088d13 3153 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3154 -C "received hello verify request" \
markrad 0:cdf462088d13 3155 -S "hello verification requested" \
markrad 0:cdf462088d13 3156 -s "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3157
markrad 0:cdf462088d13 3158 requires_ipv6
markrad 0:cdf462088d13 3159 run_test "DTLS cookie: enabled, IPv6" \
markrad 0:cdf462088d13 3160 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
markrad 0:cdf462088d13 3161 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
markrad 0:cdf462088d13 3162 0 \
markrad 0:cdf462088d13 3163 -s "cookie verification failed" \
markrad 0:cdf462088d13 3164 -s "cookie verification passed" \
markrad 0:cdf462088d13 3165 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3166 -c "received hello verify request" \
markrad 0:cdf462088d13 3167 -s "hello verification requested" \
markrad 0:cdf462088d13 3168 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3169
markrad 0:cdf462088d13 3170 run_test "DTLS cookie: enabled, nbio" \
markrad 0:cdf462088d13 3171 "$P_SRV dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3172 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3173 0 \
markrad 0:cdf462088d13 3174 -s "cookie verification failed" \
markrad 0:cdf462088d13 3175 -s "cookie verification passed" \
markrad 0:cdf462088d13 3176 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3177 -c "received hello verify request" \
markrad 0:cdf462088d13 3178 -s "hello verification requested" \
markrad 0:cdf462088d13 3179 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3180
markrad 0:cdf462088d13 3181 # Tests for client reconnecting from the same port with DTLS
markrad 0:cdf462088d13 3182
markrad 0:cdf462088d13 3183 not_with_valgrind # spurious resend
markrad 0:cdf462088d13 3184 run_test "DTLS client reconnect from same port: reference" \
markrad 0:cdf462088d13 3185 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad 0:cdf462088d13 3186 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
markrad 0:cdf462088d13 3187 0 \
markrad 0:cdf462088d13 3188 -C "resend" \
markrad 0:cdf462088d13 3189 -S "The operation timed out" \
markrad 0:cdf462088d13 3190 -S "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3191
markrad 0:cdf462088d13 3192 not_with_valgrind # spurious resend
markrad 0:cdf462088d13 3193 run_test "DTLS client reconnect from same port: reconnect" \
markrad 0:cdf462088d13 3194 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad 0:cdf462088d13 3195 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad 0:cdf462088d13 3196 0 \
markrad 0:cdf462088d13 3197 -C "resend" \
markrad 0:cdf462088d13 3198 -S "The operation timed out" \
markrad 0:cdf462088d13 3199 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3200
markrad 0:cdf462088d13 3201 not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
markrad 0:cdf462088d13 3202 run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
markrad 0:cdf462088d13 3203 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
markrad 0:cdf462088d13 3204 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad 0:cdf462088d13 3205 0 \
markrad 0:cdf462088d13 3206 -S "The operation timed out" \
markrad 0:cdf462088d13 3207 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3208
markrad 0:cdf462088d13 3209 only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
markrad 0:cdf462088d13 3210 run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
markrad 0:cdf462088d13 3211 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
markrad 0:cdf462088d13 3212 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
markrad 0:cdf462088d13 3213 0 \
markrad 0:cdf462088d13 3214 -S "The operation timed out" \
markrad 0:cdf462088d13 3215 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3216
markrad 0:cdf462088d13 3217 run_test "DTLS client reconnect from same port: no cookies" \
markrad 0:cdf462088d13 3218 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
markrad 0:cdf462088d13 3219 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
markrad 0:cdf462088d13 3220 0 \
markrad 0:cdf462088d13 3221 -s "The operation timed out" \
markrad 0:cdf462088d13 3222 -S "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3223
markrad 0:cdf462088d13 3224 # Tests for various cases of client authentication with DTLS
markrad 0:cdf462088d13 3225 # (focused on handshake flows and message parsing)
markrad 0:cdf462088d13 3226
markrad 0:cdf462088d13 3227 run_test "DTLS client auth: required" \
markrad 0:cdf462088d13 3228 "$P_SRV dtls=1 auth_mode=required" \
markrad 0:cdf462088d13 3229 "$P_CLI dtls=1" \
markrad 0:cdf462088d13 3230 0 \
markrad 0:cdf462088d13 3231 -s "Verifying peer X.509 certificate... ok"
markrad 0:cdf462088d13 3232
markrad 0:cdf462088d13 3233 run_test "DTLS client auth: optional, client has no cert" \
markrad 0:cdf462088d13 3234 "$P_SRV dtls=1 auth_mode=optional" \
markrad 0:cdf462088d13 3235 "$P_CLI dtls=1 crt_file=none key_file=none" \
markrad 0:cdf462088d13 3236 0 \
markrad 0:cdf462088d13 3237 -s "! Certificate was missing"
markrad 0:cdf462088d13 3238
markrad 0:cdf462088d13 3239 run_test "DTLS client auth: none, client has no cert" \
markrad 0:cdf462088d13 3240 "$P_SRV dtls=1 auth_mode=none" \
markrad 0:cdf462088d13 3241 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
markrad 0:cdf462088d13 3242 0 \
markrad 0:cdf462088d13 3243 -c "skip write certificate$" \
markrad 0:cdf462088d13 3244 -s "! Certificate verification was skipped"
markrad 0:cdf462088d13 3245
markrad 0:cdf462088d13 3246 run_test "DTLS wrong PSK: badmac alert" \
markrad 0:cdf462088d13 3247 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 3248 "$P_CLI dtls=1 psk=abc124" \
markrad 0:cdf462088d13 3249 1 \
markrad 0:cdf462088d13 3250 -s "SSL - Verification of the message MAC failed" \
markrad 0:cdf462088d13 3251 -c "SSL - A fatal alert message was received from our peer"
markrad 0:cdf462088d13 3252
markrad 0:cdf462088d13 3253 # Tests for receiving fragmented handshake messages with DTLS
markrad 0:cdf462088d13 3254
markrad 0:cdf462088d13 3255 requires_gnutls
markrad 0:cdf462088d13 3256 run_test "DTLS reassembly: no fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3257 "$G_SRV -u --mtu 2048 -a" \
markrad 0:cdf462088d13 3258 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3259 0 \
markrad 0:cdf462088d13 3260 -C "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3261 -C "error"
markrad 0:cdf462088d13 3262
markrad 0:cdf462088d13 3263 requires_gnutls
markrad 0:cdf462088d13 3264 run_test "DTLS reassembly: some fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3265 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3266 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3267 0 \
markrad 0:cdf462088d13 3268 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3269 -C "error"
markrad 0:cdf462088d13 3270
markrad 0:cdf462088d13 3271 requires_gnutls
markrad 0:cdf462088d13 3272 run_test "DTLS reassembly: more fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3273 "$G_SRV -u --mtu 128" \
markrad 0:cdf462088d13 3274 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3275 0 \
markrad 0:cdf462088d13 3276 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3277 -C "error"
markrad 0:cdf462088d13 3278
markrad 0:cdf462088d13 3279 requires_gnutls
markrad 0:cdf462088d13 3280 run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
markrad 0:cdf462088d13 3281 "$G_SRV -u --mtu 128" \
markrad 0:cdf462088d13 3282 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3283 0 \
markrad 0:cdf462088d13 3284 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3285 -C "error"
markrad 0:cdf462088d13 3286
markrad 0:cdf462088d13 3287 requires_gnutls
markrad 0:cdf462088d13 3288 run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
markrad 0:cdf462088d13 3289 "$G_SRV -u --mtu 256" \
markrad 0:cdf462088d13 3290 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 3291 0 \
markrad 0:cdf462088d13 3292 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3293 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 3294 -c "found renegotiation extension" \
markrad 0:cdf462088d13 3295 -c "=> renegotiate" \
markrad 0:cdf462088d13 3296 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 3297 -C "error" \
markrad 0:cdf462088d13 3298 -s "Extra-header:"
markrad 0:cdf462088d13 3299
markrad 0:cdf462088d13 3300 requires_gnutls
markrad 0:cdf462088d13 3301 run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
markrad 0:cdf462088d13 3302 "$G_SRV -u --mtu 256" \
markrad 0:cdf462088d13 3303 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 3304 0 \
markrad 0:cdf462088d13 3305 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3306 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 3307 -c "found renegotiation extension" \
markrad 0:cdf462088d13 3308 -c "=> renegotiate" \
markrad 0:cdf462088d13 3309 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 3310 -C "error" \
markrad 0:cdf462088d13 3311 -s "Extra-header:"
markrad 0:cdf462088d13 3312
markrad 0:cdf462088d13 3313 run_test "DTLS reassembly: no fragmentation (openssl server)" \
markrad 0:cdf462088d13 3314 "$O_SRV -dtls1 -mtu 2048" \
markrad 0:cdf462088d13 3315 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3316 0 \
markrad 0:cdf462088d13 3317 -C "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3318 -C "error"
markrad 0:cdf462088d13 3319
markrad 0:cdf462088d13 3320 run_test "DTLS reassembly: some fragmentation (openssl server)" \
markrad 0:cdf462088d13 3321 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3322 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3323 0 \
markrad 0:cdf462088d13 3324 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3325 -C "error"
markrad 0:cdf462088d13 3326
markrad 0:cdf462088d13 3327 run_test "DTLS reassembly: more fragmentation (openssl server)" \
markrad 0:cdf462088d13 3328 "$O_SRV -dtls1 -mtu 256" \
markrad 0:cdf462088d13 3329 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3330 0 \
markrad 0:cdf462088d13 3331 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3332 -C "error"
markrad 0:cdf462088d13 3333
markrad 0:cdf462088d13 3334 run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
markrad 0:cdf462088d13 3335 "$O_SRV -dtls1 -mtu 256" \
markrad 0:cdf462088d13 3336 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3337 0 \
markrad 0:cdf462088d13 3338 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3339 -C "error"
markrad 0:cdf462088d13 3340
markrad 0:cdf462088d13 3341 # Tests for specific things with "unreliable" UDP connection
markrad 0:cdf462088d13 3342
markrad 0:cdf462088d13 3343 not_with_valgrind # spurious resend due to timeout
markrad 0:cdf462088d13 3344 run_test "DTLS proxy: reference" \
markrad 0:cdf462088d13 3345 -p "$P_PXY" \
markrad 0:cdf462088d13 3346 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3347 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3348 0 \
markrad 0:cdf462088d13 3349 -C "replayed record" \
markrad 0:cdf462088d13 3350 -S "replayed record" \
markrad 0:cdf462088d13 3351 -C "record from another epoch" \
markrad 0:cdf462088d13 3352 -S "record from another epoch" \
markrad 0:cdf462088d13 3353 -C "discarding invalid record" \
markrad 0:cdf462088d13 3354 -S "discarding invalid record" \
markrad 0:cdf462088d13 3355 -S "resend" \
markrad 0:cdf462088d13 3356 -s "Extra-header:" \
markrad 0:cdf462088d13 3357 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3358
markrad 0:cdf462088d13 3359 not_with_valgrind # spurious resend due to timeout
markrad 0:cdf462088d13 3360 run_test "DTLS proxy: duplicate every packet" \
markrad 0:cdf462088d13 3361 -p "$P_PXY duplicate=1" \
markrad 0:cdf462088d13 3362 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3363 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3364 0 \
markrad 0:cdf462088d13 3365 -c "replayed record" \
markrad 0:cdf462088d13 3366 -s "replayed record" \
markrad 0:cdf462088d13 3367 -c "discarding invalid record" \
markrad 0:cdf462088d13 3368 -s "discarding invalid record" \
markrad 0:cdf462088d13 3369 -S "resend" \
markrad 0:cdf462088d13 3370 -s "Extra-header:" \
markrad 0:cdf462088d13 3371 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3372
markrad 0:cdf462088d13 3373 run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
markrad 0:cdf462088d13 3374 -p "$P_PXY duplicate=1" \
markrad 0:cdf462088d13 3375 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
markrad 0:cdf462088d13 3376 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3377 0 \
markrad 0:cdf462088d13 3378 -c "replayed record" \
markrad 0:cdf462088d13 3379 -S "replayed record" \
markrad 0:cdf462088d13 3380 -c "discarding invalid record" \
markrad 0:cdf462088d13 3381 -s "discarding invalid record" \
markrad 0:cdf462088d13 3382 -c "resend" \
markrad 0:cdf462088d13 3383 -s "resend" \
markrad 0:cdf462088d13 3384 -s "Extra-header:" \
markrad 0:cdf462088d13 3385 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3386
markrad 0:cdf462088d13 3387 run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
markrad 0:cdf462088d13 3388 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3389 "$P_SRV dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3390 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3391 0 \
markrad 0:cdf462088d13 3392 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3393 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3394 -s "Extra-header:" \
markrad 0:cdf462088d13 3395 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3396 -S "too many records with bad MAC" \
markrad 0:cdf462088d13 3397 -S "Verification of the message MAC failed"
markrad 0:cdf462088d13 3398
markrad 0:cdf462088d13 3399 run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
markrad 0:cdf462088d13 3400 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3401 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
markrad 0:cdf462088d13 3402 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3403 1 \
markrad 0:cdf462088d13 3404 -C "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3405 -S "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3406 -S "Extra-header:" \
markrad 0:cdf462088d13 3407 -C "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3408 -s "too many records with bad MAC" \
markrad 0:cdf462088d13 3409 -s "Verification of the message MAC failed"
markrad 0:cdf462088d13 3410
markrad 0:cdf462088d13 3411 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
markrad 0:cdf462088d13 3412 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3413 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
markrad 0:cdf462088d13 3414 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3415 0 \
markrad 0:cdf462088d13 3416 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3417 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3418 -s "Extra-header:" \
markrad 0:cdf462088d13 3419 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3420 -S "too many records with bad MAC" \
markrad 0:cdf462088d13 3421 -S "Verification of the message MAC failed"
markrad 0:cdf462088d13 3422
markrad 0:cdf462088d13 3423 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
markrad 0:cdf462088d13 3424 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3425 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
markrad 0:cdf462088d13 3426 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
markrad 0:cdf462088d13 3427 1 \
markrad 0:cdf462088d13 3428 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3429 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3430 -s "Extra-header:" \
markrad 0:cdf462088d13 3431 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3432 -s "too many records with bad MAC" \
markrad 0:cdf462088d13 3433 -s "Verification of the message MAC failed"
markrad 0:cdf462088d13 3434
markrad 0:cdf462088d13 3435 run_test "DTLS proxy: delay ChangeCipherSpec" \
markrad 0:cdf462088d13 3436 -p "$P_PXY delay_ccs=1" \
markrad 0:cdf462088d13 3437 "$P_SRV dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3438 "$P_CLI dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3439 0 \
markrad 0:cdf462088d13 3440 -c "record from another epoch" \
markrad 0:cdf462088d13 3441 -s "record from another epoch" \
markrad 0:cdf462088d13 3442 -c "discarding invalid record" \
markrad 0:cdf462088d13 3443 -s "discarding invalid record" \
markrad 0:cdf462088d13 3444 -s "Extra-header:" \
markrad 0:cdf462088d13 3445 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3446
markrad 0:cdf462088d13 3447 # Tests for "randomly unreliable connection": try a variety of flows and peers
markrad 0:cdf462088d13 3448
markrad 0:cdf462088d13 3449 client_needs_more_time 2
markrad 0:cdf462088d13 3450 run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
markrad 0:cdf462088d13 3451 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3452 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3453 psk=abc123" \
markrad 0:cdf462088d13 3454 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3455 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3456 0 \
markrad 0:cdf462088d13 3457 -s "Extra-header:" \
markrad 0:cdf462088d13 3458 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3459
markrad 0:cdf462088d13 3460 client_needs_more_time 2
markrad 0:cdf462088d13 3461 run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
markrad 0:cdf462088d13 3462 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3463 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 3464 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
markrad 0:cdf462088d13 3465 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 3466 0 \
markrad 0:cdf462088d13 3467 -s "Extra-header:" \
markrad 0:cdf462088d13 3468 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3469
markrad 0:cdf462088d13 3470 client_needs_more_time 2
markrad 0:cdf462088d13 3471 run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
markrad 0:cdf462088d13 3472 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3473 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 3474 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad 0:cdf462088d13 3475 0 \
markrad 0:cdf462088d13 3476 -s "Extra-header:" \
markrad 0:cdf462088d13 3477 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3478
markrad 0:cdf462088d13 3479 client_needs_more_time 2
markrad 0:cdf462088d13 3480 run_test "DTLS proxy: 3d, FS, client auth" \
markrad 0:cdf462088d13 3481 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3482 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
markrad 0:cdf462088d13 3483 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad 0:cdf462088d13 3484 0 \
markrad 0:cdf462088d13 3485 -s "Extra-header:" \
markrad 0:cdf462088d13 3486 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3487
markrad 0:cdf462088d13 3488 client_needs_more_time 2
markrad 0:cdf462088d13 3489 run_test "DTLS proxy: 3d, FS, ticket" \
markrad 0:cdf462088d13 3490 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3491 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 3492 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad 0:cdf462088d13 3493 0 \
markrad 0:cdf462088d13 3494 -s "Extra-header:" \
markrad 0:cdf462088d13 3495 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3496
markrad 0:cdf462088d13 3497 client_needs_more_time 2
markrad 0:cdf462088d13 3498 run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
markrad 0:cdf462088d13 3499 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3500 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 3501 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad 0:cdf462088d13 3502 0 \
markrad 0:cdf462088d13 3503 -s "Extra-header:" \
markrad 0:cdf462088d13 3504 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3505
markrad 0:cdf462088d13 3506 client_needs_more_time 2
markrad 0:cdf462088d13 3507 run_test "DTLS proxy: 3d, max handshake, nbio" \
markrad 0:cdf462088d13 3508 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3509 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
markrad 0:cdf462088d13 3510 auth_mode=required" \
markrad 0:cdf462088d13 3511 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
markrad 0:cdf462088d13 3512 0 \
markrad 0:cdf462088d13 3513 -s "Extra-header:" \
markrad 0:cdf462088d13 3514 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3515
markrad 0:cdf462088d13 3516 client_needs_more_time 4
markrad 0:cdf462088d13 3517 run_test "DTLS proxy: 3d, min handshake, resumption" \
markrad 0:cdf462088d13 3518 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3519 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3520 psk=abc123 debug_level=3" \
markrad 0:cdf462088d13 3521 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3522 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad 0:cdf462088d13 3523 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3524 0 \
markrad 0:cdf462088d13 3525 -s "a session has been resumed" \
markrad 0:cdf462088d13 3526 -c "a session has been resumed" \
markrad 0:cdf462088d13 3527 -s "Extra-header:" \
markrad 0:cdf462088d13 3528 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3529
markrad 0:cdf462088d13 3530 client_needs_more_time 4
markrad 0:cdf462088d13 3531 run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
markrad 0:cdf462088d13 3532 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3533 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3534 psk=abc123 debug_level=3 nbio=2" \
markrad 0:cdf462088d13 3535 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3536 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad 0:cdf462088d13 3537 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
markrad 0:cdf462088d13 3538 0 \
markrad 0:cdf462088d13 3539 -s "a session has been resumed" \
markrad 0:cdf462088d13 3540 -c "a session has been resumed" \
markrad 0:cdf462088d13 3541 -s "Extra-header:" \
markrad 0:cdf462088d13 3542 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3543
markrad 0:cdf462088d13 3544 client_needs_more_time 4
markrad 0:cdf462088d13 3545 run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
markrad 0:cdf462088d13 3546 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3547 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3548 psk=abc123 renegotiation=1 debug_level=2" \
markrad 0:cdf462088d13 3549 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3550 renegotiate=1 debug_level=2 \
markrad 0:cdf462088d13 3551 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3552 0 \
markrad 0:cdf462088d13 3553 -c "=> renegotiate" \
markrad 0:cdf462088d13 3554 -s "=> renegotiate" \
markrad 0:cdf462088d13 3555 -s "Extra-header:" \
markrad 0:cdf462088d13 3556 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3557
markrad 0:cdf462088d13 3558 client_needs_more_time 4
markrad 0:cdf462088d13 3559 run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
markrad 0:cdf462088d13 3560 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3561 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3562 psk=abc123 renegotiation=1 debug_level=2" \
markrad 0:cdf462088d13 3563 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3564 renegotiate=1 debug_level=2 \
markrad 0:cdf462088d13 3565 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3566 0 \
markrad 0:cdf462088d13 3567 -c "=> renegotiate" \
markrad 0:cdf462088d13 3568 -s "=> renegotiate" \
markrad 0:cdf462088d13 3569 -s "Extra-header:" \
markrad 0:cdf462088d13 3570 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3571
markrad 0:cdf462088d13 3572 client_needs_more_time 4
markrad 0:cdf462088d13 3573 run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
markrad 0:cdf462088d13 3574 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3575 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3576 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad 0:cdf462088d13 3577 debug_level=2" \
markrad 0:cdf462088d13 3578 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3579 renegotiation=1 exchanges=4 debug_level=2 \
markrad 0:cdf462088d13 3580 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3581 0 \
markrad 0:cdf462088d13 3582 -c "=> renegotiate" \
markrad 0:cdf462088d13 3583 -s "=> renegotiate" \
markrad 0:cdf462088d13 3584 -s "Extra-header:" \
markrad 0:cdf462088d13 3585 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3586
markrad 0:cdf462088d13 3587 client_needs_more_time 4
markrad 0:cdf462088d13 3588 run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
markrad 0:cdf462088d13 3589 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3590 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3591 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad 0:cdf462088d13 3592 debug_level=2 nbio=2" \
markrad 0:cdf462088d13 3593 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3594 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
markrad 0:cdf462088d13 3595 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3596 0 \
markrad 0:cdf462088d13 3597 -c "=> renegotiate" \
markrad 0:cdf462088d13 3598 -s "=> renegotiate" \
markrad 0:cdf462088d13 3599 -s "Extra-header:" \
markrad 0:cdf462088d13 3600 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3601
markrad 0:cdf462088d13 3602 client_needs_more_time 6
markrad 0:cdf462088d13 3603 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3604 run_test "DTLS proxy: 3d, openssl server" \
markrad 0:cdf462088d13 3605 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3606 "$O_SRV -dtls1 -mtu 2048" \
markrad 0:cdf462088d13 3607 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad 0:cdf462088d13 3608 0 \
markrad 0:cdf462088d13 3609 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3610
markrad 0:cdf462088d13 3611 client_needs_more_time 8
markrad 0:cdf462088d13 3612 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3613 run_test "DTLS proxy: 3d, openssl server, fragmentation" \
markrad 0:cdf462088d13 3614 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3615 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3616 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad 0:cdf462088d13 3617 0 \
markrad 0:cdf462088d13 3618 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3619
markrad 0:cdf462088d13 3620 client_needs_more_time 8
markrad 0:cdf462088d13 3621 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3622 run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
markrad 0:cdf462088d13 3623 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3624 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3625 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
markrad 0:cdf462088d13 3626 0 \
markrad 0:cdf462088d13 3627 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3628
markrad 0:cdf462088d13 3629 requires_gnutls
markrad 0:cdf462088d13 3630 client_needs_more_time 6
markrad 0:cdf462088d13 3631 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3632 run_test "DTLS proxy: 3d, gnutls server" \
markrad 0:cdf462088d13 3633 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3634 "$G_SRV -u --mtu 2048 -a" \
markrad 0:cdf462088d13 3635 "$P_CLI dtls=1 hs_timeout=250-60000" \
markrad 0:cdf462088d13 3636 0 \
markrad 0:cdf462088d13 3637 -s "Extra-header:" \
markrad 0:cdf462088d13 3638 -c "Extra-header:"
markrad 0:cdf462088d13 3639
markrad 0:cdf462088d13 3640 requires_gnutls
markrad 0:cdf462088d13 3641 client_needs_more_time 8
markrad 0:cdf462088d13 3642 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3643 run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
markrad 0:cdf462088d13 3644 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3645 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3646 "$P_CLI dtls=1 hs_timeout=250-60000" \
markrad 0:cdf462088d13 3647 0 \
markrad 0:cdf462088d13 3648 -s "Extra-header:" \
markrad 0:cdf462088d13 3649 -c "Extra-header:"
markrad 0:cdf462088d13 3650
markrad 0:cdf462088d13 3651 requires_gnutls
markrad 0:cdf462088d13 3652 client_needs_more_time 8
markrad 0:cdf462088d13 3653 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3654 run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
markrad 0:cdf462088d13 3655 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3656 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3657 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
markrad 0:cdf462088d13 3658 0 \
markrad 0:cdf462088d13 3659 -s "Extra-header:" \
markrad 0:cdf462088d13 3660 -c "Extra-header:"
markrad 0:cdf462088d13 3661
markrad 0:cdf462088d13 3662 # Final report
markrad 0:cdf462088d13 3663
markrad 0:cdf462088d13 3664 echo "------------------------------------------------------------------------"
markrad 0:cdf462088d13 3665
markrad 0:cdf462088d13 3666 if [ $FAILS = 0 ]; then
markrad 0:cdf462088d13 3667 printf "PASSED"
markrad 0:cdf462088d13 3668 else
markrad 0:cdf462088d13 3669 printf "FAILED"
markrad 0:cdf462088d13 3670 fi
markrad 0:cdf462088d13 3671 PASSES=$(( $TESTS - $FAILS ))
markrad 0:cdf462088d13 3672 echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
markrad 0:cdf462088d13 3673
markrad 0:cdf462088d13 3674 exit $FAILS