mbedtls - mbed TLS upgraded to 2.6.0

Arcola » Code » mbedtls

mbed TLS upgraded to 2.6.0

tests/ssl-opt.sh@2:bbdeda018a3c, 2017-09-29 (annotated)

Committer:: Jasper Wallace
Date:: Fri Sep 29 19:50:30 2017 +0100
Revision:: 2:bbdeda018a3c
Parent:: 1:9ebc941037d5

Update to mbedtls 2.6.0, many changes.



Changes to mbedtls sources made:



in include/mbedtls/config.h comment out:



#define MBEDTLS_FS_IO

#define MBEDTLS_NET_C

#define MBEDTLS_TIMING_C



uncomment:



#define MBEDTLS_NO_PLATFORM_ENTROPY



remove the following directorys:



programs

yotta

visualc

Who changed what in which revision?

User	Revision	Line number	New contents of line
markrad	0:cdf462088d13	1	#!/bin/sh
markrad	0:cdf462088d13	2
markrad	0:cdf462088d13	3	# ssl-opt.sh
markrad	0:cdf462088d13	4	#
markrad	0:cdf462088d13	5	# This file is part of mbed TLS (https://tls.mbed.org)
markrad	0:cdf462088d13	6	#
markrad	0:cdf462088d13	7	# Copyright (c) 2016, ARM Limited, All Rights Reserved
markrad	0:cdf462088d13	8	#
markrad	0:cdf462088d13	9	# Purpose
markrad	0:cdf462088d13	10	#
markrad	0:cdf462088d13	11	# Executes tests to prove various TLS/SSL options and extensions.
markrad	0:cdf462088d13	12	#
markrad	0:cdf462088d13	13	# The goal is not to cover every ciphersuite/version, but instead to cover
markrad	0:cdf462088d13	14	# specific options (max fragment length, truncated hmac, etc) or procedures
markrad	0:cdf462088d13	15	# (session resumption from cache or ticket, renego, etc).
markrad	0:cdf462088d13	16	#
markrad	0:cdf462088d13	17	# The tests assume a build with default options, with exceptions expressed
markrad	0:cdf462088d13	18	# with a dependency. The tests focus on functionality and do not consider
markrad	0:cdf462088d13	19	# performance.
markrad	0:cdf462088d13	20	#
markrad	0:cdf462088d13	21
markrad	0:cdf462088d13	22	set -u
markrad	0:cdf462088d13	23
markrad	0:cdf462088d13	24	# default values, can be overriden by the environment
markrad	0:cdf462088d13	25	: ${P_SRV:=../programs/ssl/ssl_server2}
markrad	0:cdf462088d13	26	: ${P_CLI:=../programs/ssl/ssl_client2}
markrad	0:cdf462088d13	27	: ${P_PXY:=../programs/test/udp_proxy}
markrad	0:cdf462088d13	28	: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
markrad	0:cdf462088d13	29	: ${GNUTLS_CLI:=gnutls-cli}
markrad	0:cdf462088d13	30	: ${GNUTLS_SERV:=gnutls-serv}
Jasper Wallace	2:bbdeda018a3c	31	: ${PERL:=perl}
markrad	0:cdf462088d13	32
markrad	0:cdf462088d13	33	O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
markrad	0:cdf462088d13	34	O_CLI="echo 'GET / HTTP/1.0' \| $OPENSSL_CMD s_client"
markrad	0:cdf462088d13	35	G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
markrad	0:cdf462088d13	36	G_CLI="echo 'GET / HTTP/1.0' \| $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
Jasper Wallace	2:bbdeda018a3c	37	TCP_CLIENT="$PERL scripts/tcp_client.pl"
markrad	0:cdf462088d13	38
markrad	0:cdf462088d13	39	TESTS=0
markrad	0:cdf462088d13	40	FAILS=0
markrad	0:cdf462088d13	41	SKIPS=0
markrad	0:cdf462088d13	42
markrad	0:cdf462088d13	43	CONFIG_H='../include/mbedtls/config.h'
markrad	0:cdf462088d13	44
markrad	0:cdf462088d13	45	MEMCHECK=0
markrad	0:cdf462088d13	46	FILTER='.*'
markrad	0:cdf462088d13	47	EXCLUDE='^$'
markrad	0:cdf462088d13	48
markrad	0:cdf462088d13	49	SHOW_TEST_NUMBER=0
markrad	0:cdf462088d13	50	RUN_TEST_NUMBER=''
markrad	0:cdf462088d13	51
markrad	0:cdf462088d13	52	PRESERVE_LOGS=0
markrad	0:cdf462088d13	53
Jasper Wallace	2:bbdeda018a3c	54	# Pick a "unique" server port in the range 10000-19999, and a proxy
Jasper Wallace	2:bbdeda018a3c	55	# port which is this plus 10000. Each port number may be independently
Jasper Wallace	2:bbdeda018a3c	56	# overridden by a command line option.
Jasper Wallace	2:bbdeda018a3c	57	SRV_PORT=$(($$ % 10000 + 10000))
Jasper Wallace	2:bbdeda018a3c	58	PXY_PORT=$((SRV_PORT + 10000))
Jasper Wallace	2:bbdeda018a3c	59
markrad	0:cdf462088d13	60	print_usage() {
markrad	0:cdf462088d13	61	echo "Usage: $0 [options]"
markrad	0:cdf462088d13	62	printf " -h\|--help\tPrint this help.\n"
markrad	0:cdf462088d13	63	printf " -m\|--memcheck\tCheck memory leaks and errors.\n"
Jasper Wallace	2:bbdeda018a3c	64	printf " -f\|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n"
Jasper Wallace	2:bbdeda018a3c	65	printf " -e\|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n"
markrad	0:cdf462088d13	66	printf " -n\|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
markrad	0:cdf462088d13	67	printf " -s\|--show-numbers\tShow test numbers in front of test names\n"
markrad	0:cdf462088d13	68	printf " -p\|--preserve-logs\tPreserve logs of successful tests as well\n"
Jasper Wallace	2:bbdeda018a3c	69	printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n"
Jasper Wallace	2:bbdeda018a3c	70	printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n"
markrad	0:cdf462088d13	71	printf " --seed\tInteger seed value to use for this test run\n"
markrad	0:cdf462088d13	72	}
markrad	0:cdf462088d13	73
markrad	0:cdf462088d13	74	get_options() {
markrad	0:cdf462088d13	75	while [ $# -gt 0 ]; do
markrad	0:cdf462088d13	76	case "$1" in
markrad	0:cdf462088d13	77	-f\|--filter)
markrad	0:cdf462088d13	78	shift; FILTER=$1
markrad	0:cdf462088d13	79	;;
markrad	0:cdf462088d13	80	-e\|--exclude)
markrad	0:cdf462088d13	81	shift; EXCLUDE=$1
markrad	0:cdf462088d13	82	;;
markrad	0:cdf462088d13	83	-m\|--memcheck)
markrad	0:cdf462088d13	84	MEMCHECK=1
markrad	0:cdf462088d13	85	;;
markrad	0:cdf462088d13	86	-n\|--number)
markrad	0:cdf462088d13	87	shift; RUN_TEST_NUMBER=$1
markrad	0:cdf462088d13	88	;;
markrad	0:cdf462088d13	89	-s\|--show-numbers)
markrad	0:cdf462088d13	90	SHOW_TEST_NUMBER=1
markrad	0:cdf462088d13	91	;;
markrad	0:cdf462088d13	92	-p\|--preserve-logs)
markrad	0:cdf462088d13	93	PRESERVE_LOGS=1
markrad	0:cdf462088d13	94	;;
Jasper Wallace	2:bbdeda018a3c	95	--port)
Jasper Wallace	2:bbdeda018a3c	96	shift; SRV_PORT=$1
Jasper Wallace	2:bbdeda018a3c	97	;;
Jasper Wallace	2:bbdeda018a3c	98	--proxy-port)
Jasper Wallace	2:bbdeda018a3c	99	shift; PXY_PORT=$1
Jasper Wallace	2:bbdeda018a3c	100	;;
markrad	0:cdf462088d13	101	--seed)
markrad	0:cdf462088d13	102	shift; SEED="$1"
markrad	0:cdf462088d13	103	;;
markrad	0:cdf462088d13	104	-h\|--help)
markrad	0:cdf462088d13	105	print_usage
markrad	0:cdf462088d13	106	exit 0
markrad	0:cdf462088d13	107	;;
markrad	0:cdf462088d13	108	*)
markrad	0:cdf462088d13	109	echo "Unknown argument: '$1'"
markrad	0:cdf462088d13	110	print_usage
markrad	0:cdf462088d13	111	exit 1
markrad	0:cdf462088d13	112	;;
markrad	0:cdf462088d13	113	esac
markrad	0:cdf462088d13	114	shift
markrad	0:cdf462088d13	115	done
markrad	0:cdf462088d13	116	}
markrad	0:cdf462088d13	117
markrad	0:cdf462088d13	118	# skip next test if the flag is not enabled in config.h
markrad	0:cdf462088d13	119	requires_config_enabled() {
markrad	0:cdf462088d13	120	if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
markrad	0:cdf462088d13	121	SKIP_NEXT="YES"
markrad	0:cdf462088d13	122	fi
markrad	0:cdf462088d13	123	}
markrad	0:cdf462088d13	124
Jasper Wallace	2:bbdeda018a3c	125	# skip next test if the flag is enabled in config.h
Jasper Wallace	2:bbdeda018a3c	126	requires_config_disabled() {
Jasper Wallace	2:bbdeda018a3c	127	if grep "^#define $1" $CONFIG_H > /dev/null; then
Jasper Wallace	2:bbdeda018a3c	128	SKIP_NEXT="YES"
Jasper Wallace	2:bbdeda018a3c	129	fi
Jasper Wallace	2:bbdeda018a3c	130	}
Jasper Wallace	2:bbdeda018a3c	131
markrad	0:cdf462088d13	132	# skip next test if OpenSSL doesn't support FALLBACK_SCSV
markrad	0:cdf462088d13	133	requires_openssl_with_fallback_scsv() {
markrad	0:cdf462088d13	134	if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
markrad	0:cdf462088d13	135	if $OPENSSL_CMD s_client -help 2>&1 \| grep fallback_scsv >/dev/null
markrad	0:cdf462088d13	136	then
markrad	0:cdf462088d13	137	OPENSSL_HAS_FBSCSV="YES"
markrad	0:cdf462088d13	138	else
markrad	0:cdf462088d13	139	OPENSSL_HAS_FBSCSV="NO"
markrad	0:cdf462088d13	140	fi
markrad	0:cdf462088d13	141	fi
markrad	0:cdf462088d13	142	if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
markrad	0:cdf462088d13	143	SKIP_NEXT="YES"
markrad	0:cdf462088d13	144	fi
markrad	0:cdf462088d13	145	}
markrad	0:cdf462088d13	146
markrad	0:cdf462088d13	147	# skip next test if GnuTLS isn't available
markrad	0:cdf462088d13	148	requires_gnutls() {
markrad	0:cdf462088d13	149	if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
markrad	0:cdf462088d13	150	if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
markrad	0:cdf462088d13	151	GNUTLS_AVAILABLE="YES"
markrad	0:cdf462088d13	152	else
markrad	0:cdf462088d13	153	GNUTLS_AVAILABLE="NO"
markrad	0:cdf462088d13	154	fi
markrad	0:cdf462088d13	155	fi
markrad	0:cdf462088d13	156	if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
markrad	0:cdf462088d13	157	SKIP_NEXT="YES"
markrad	0:cdf462088d13	158	fi
markrad	0:cdf462088d13	159	}
markrad	0:cdf462088d13	160
markrad	0:cdf462088d13	161	# skip next test if IPv6 isn't available on this host
markrad	0:cdf462088d13	162	requires_ipv6() {
markrad	0:cdf462088d13	163	if [ -z "${HAS_IPV6:-}" ]; then
markrad	0:cdf462088d13	164	$P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
markrad	0:cdf462088d13	165	SRV_PID=$!
markrad	0:cdf462088d13	166	sleep 1
markrad	0:cdf462088d13	167	kill $SRV_PID >/dev/null 2>&1
markrad	0:cdf462088d13	168	if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
markrad	0:cdf462088d13	169	HAS_IPV6="NO"
markrad	0:cdf462088d13	170	else
markrad	0:cdf462088d13	171	HAS_IPV6="YES"
markrad	0:cdf462088d13	172	fi
markrad	0:cdf462088d13	173	rm -r $SRV_OUT
markrad	0:cdf462088d13	174	fi
markrad	0:cdf462088d13	175
markrad	0:cdf462088d13	176	if [ "$HAS_IPV6" = "NO" ]; then
markrad	0:cdf462088d13	177	SKIP_NEXT="YES"
markrad	0:cdf462088d13	178	fi
markrad	0:cdf462088d13	179	}
markrad	0:cdf462088d13	180
markrad	0:cdf462088d13	181	# skip the next test if valgrind is in use
markrad	0:cdf462088d13	182	not_with_valgrind() {
markrad	0:cdf462088d13	183	if [ "$MEMCHECK" -gt 0 ]; then
markrad	0:cdf462088d13	184	SKIP_NEXT="YES"
markrad	0:cdf462088d13	185	fi
markrad	0:cdf462088d13	186	}
markrad	0:cdf462088d13	187
markrad	0:cdf462088d13	188	# skip the next test if valgrind is NOT in use
markrad	0:cdf462088d13	189	only_with_valgrind() {
markrad	0:cdf462088d13	190	if [ "$MEMCHECK" -eq 0 ]; then
markrad	0:cdf462088d13	191	SKIP_NEXT="YES"
markrad	0:cdf462088d13	192	fi
markrad	0:cdf462088d13	193	}
markrad	0:cdf462088d13	194
markrad	0:cdf462088d13	195	# multiply the client timeout delay by the given factor for the next test
markrad	0:cdf462088d13	196	client_needs_more_time() {
markrad	0:cdf462088d13	197	CLI_DELAY_FACTOR=$1
markrad	0:cdf462088d13	198	}
markrad	0:cdf462088d13	199
markrad	0:cdf462088d13	200	# wait for the given seconds after the client finished in the next test
markrad	0:cdf462088d13	201	server_needs_more_time() {
markrad	0:cdf462088d13	202	SRV_DELAY_SECONDS=$1
markrad	0:cdf462088d13	203	}
markrad	0:cdf462088d13	204
markrad	0:cdf462088d13	205	# print_name <name>
markrad	0:cdf462088d13	206	print_name() {
markrad	0:cdf462088d13	207	TESTS=$(( $TESTS + 1 ))
markrad	0:cdf462088d13	208	LINE=""
markrad	0:cdf462088d13	209
markrad	0:cdf462088d13	210	if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
markrad	0:cdf462088d13	211	LINE="$TESTS "
markrad	0:cdf462088d13	212	fi
markrad	0:cdf462088d13	213
markrad	0:cdf462088d13	214	LINE="$LINE$1"
markrad	0:cdf462088d13	215	printf "$LINE "
markrad	0:cdf462088d13	216	LEN=$(( 72 - `echo "$LINE" \| wc -c` ))
markrad	0:cdf462088d13	217	for i in `seq 1 $LEN`; do printf '.'; done
markrad	0:cdf462088d13	218	printf ' '
markrad	0:cdf462088d13	219
markrad	0:cdf462088d13	220	}
markrad	0:cdf462088d13	221
markrad	0:cdf462088d13	222	# fail <message>
markrad	0:cdf462088d13	223	fail() {
markrad	0:cdf462088d13	224	echo "FAIL"
markrad	0:cdf462088d13	225	echo " ! $1"
markrad	0:cdf462088d13	226
markrad	0:cdf462088d13	227	mv $SRV_OUT o-srv-${TESTS}.log
markrad	0:cdf462088d13	228	mv $CLI_OUT o-cli-${TESTS}.log
markrad	0:cdf462088d13	229	if [ -n "$PXY_CMD" ]; then
markrad	0:cdf462088d13	230	mv $PXY_OUT o-pxy-${TESTS}.log
markrad	0:cdf462088d13	231	fi
markrad	0:cdf462088d13	232	echo " ! outputs saved to o-XXX-${TESTS}.log"
markrad	0:cdf462088d13	233
markrad	0:cdf462088d13	234	if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
markrad	0:cdf462088d13	235	echo " ! server output:"
markrad	0:cdf462088d13	236	cat o-srv-${TESTS}.log
markrad	0:cdf462088d13	237	echo " ! ========================================================"
markrad	0:cdf462088d13	238	echo " ! client output:"
markrad	0:cdf462088d13	239	cat o-cli-${TESTS}.log
markrad	0:cdf462088d13	240	if [ -n "$PXY_CMD" ]; then
markrad	0:cdf462088d13	241	echo " ! ========================================================"
markrad	0:cdf462088d13	242	echo " ! proxy output:"
markrad	0:cdf462088d13	243	cat o-pxy-${TESTS}.log
markrad	0:cdf462088d13	244	fi
markrad	0:cdf462088d13	245	echo ""
markrad	0:cdf462088d13	246	fi
markrad	0:cdf462088d13	247
markrad	0:cdf462088d13	248	FAILS=$(( $FAILS + 1 ))
markrad	0:cdf462088d13	249	}
markrad	0:cdf462088d13	250
markrad	0:cdf462088d13	251	# is_polar <cmd_line>
markrad	0:cdf462088d13	252	is_polar() {
markrad	0:cdf462088d13	253	echo "$1" \| grep 'ssl_server2\\|ssl_client2' > /dev/null
markrad	0:cdf462088d13	254	}
markrad	0:cdf462088d13	255
markrad	0:cdf462088d13	256	# openssl s_server doesn't have -www with DTLS
markrad	0:cdf462088d13	257	check_osrv_dtls() {
markrad	0:cdf462088d13	258	if echo "$SRV_CMD" \| grep 's_server.*-dtls' >/dev/null; then
markrad	0:cdf462088d13	259	NEEDS_INPUT=1
markrad	0:cdf462088d13	260	SRV_CMD="$( echo $SRV_CMD \| sed s/-www// )"
markrad	0:cdf462088d13	261	else
markrad	0:cdf462088d13	262	NEEDS_INPUT=0
markrad	0:cdf462088d13	263	fi
markrad	0:cdf462088d13	264	}
markrad	0:cdf462088d13	265
markrad	0:cdf462088d13	266	# provide input to commands that need it
markrad	0:cdf462088d13	267	provide_input() {
markrad	0:cdf462088d13	268	if [ $NEEDS_INPUT -eq 0 ]; then
markrad	0:cdf462088d13	269	return
markrad	0:cdf462088d13	270	fi
markrad	0:cdf462088d13	271
markrad	0:cdf462088d13	272	while true; do
markrad	0:cdf462088d13	273	echo "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	274	sleep 1
markrad	0:cdf462088d13	275	done
markrad	0:cdf462088d13	276	}
markrad	0:cdf462088d13	277
markrad	0:cdf462088d13	278	# has_mem_err <log_file_name>
markrad	0:cdf462088d13	279	has_mem_err() {
markrad	0:cdf462088d13	280	if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
markrad	0:cdf462088d13	281	grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
markrad	0:cdf462088d13	282	then
markrad	0:cdf462088d13	283	return 1 # false: does not have errors
markrad	0:cdf462088d13	284	else
markrad	0:cdf462088d13	285	return 0 # true: has errors
markrad	0:cdf462088d13	286	fi
markrad	0:cdf462088d13	287	}
markrad	0:cdf462088d13	288
markrad	0:cdf462088d13	289	# wait for server to start: two versions depending on lsof availability
markrad	0:cdf462088d13	290	wait_server_start() {
markrad	0:cdf462088d13	291	if which lsof >/dev/null 2>&1; then
markrad	0:cdf462088d13	292	START_TIME=$( date +%s )
markrad	0:cdf462088d13	293	DONE=0
markrad	0:cdf462088d13	294
markrad	0:cdf462088d13	295	# make a tight loop, server usually takes less than 1 sec to start
markrad	0:cdf462088d13	296	if [ "$DTLS" -eq 1 ]; then
markrad	0:cdf462088d13	297	while [ $DONE -eq 0 ]; do
markrad	0:cdf462088d13	298	if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null \| grep UDP >/dev/null
markrad	0:cdf462088d13	299	then
markrad	0:cdf462088d13	300	DONE=1
markrad	0:cdf462088d13	301	elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad	0:cdf462088d13	302	echo "SERVERSTART TIMEOUT"
markrad	0:cdf462088d13	303	echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad	0:cdf462088d13	304	DONE=1
markrad	0:cdf462088d13	305	fi
markrad	0:cdf462088d13	306	done
markrad	0:cdf462088d13	307	else
markrad	0:cdf462088d13	308	while [ $DONE -eq 0 ]; do
markrad	0:cdf462088d13	309	if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null \| grep LISTEN >/dev/null
markrad	0:cdf462088d13	310	then
markrad	0:cdf462088d13	311	DONE=1
markrad	0:cdf462088d13	312	elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad	0:cdf462088d13	313	echo "SERVERSTART TIMEOUT"
markrad	0:cdf462088d13	314	echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad	0:cdf462088d13	315	DONE=1
markrad	0:cdf462088d13	316	fi
markrad	0:cdf462088d13	317	done
markrad	0:cdf462088d13	318	fi
markrad	0:cdf462088d13	319	else
markrad	0:cdf462088d13	320	sleep "$START_DELAY"
markrad	0:cdf462088d13	321	fi
markrad	0:cdf462088d13	322	}
markrad	0:cdf462088d13	323
markrad	0:cdf462088d13	324	# wait for client to terminate and set CLI_EXIT
markrad	0:cdf462088d13	325	# must be called right after starting the client
markrad	0:cdf462088d13	326	wait_client_done() {
markrad	0:cdf462088d13	327	CLI_PID=$!
markrad	0:cdf462088d13	328
markrad	0:cdf462088d13	329	CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
markrad	0:cdf462088d13	330	CLI_DELAY_FACTOR=1
markrad	0:cdf462088d13	331
markrad	0:cdf462088d13	332	( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
markrad	0:cdf462088d13	333	DOG_PID=$!
markrad	0:cdf462088d13	334
markrad	0:cdf462088d13	335	wait $CLI_PID
markrad	0:cdf462088d13	336	CLI_EXIT=$?
markrad	0:cdf462088d13	337
markrad	0:cdf462088d13	338	kill $DOG_PID >/dev/null 2>&1
markrad	0:cdf462088d13	339	wait $DOG_PID
markrad	0:cdf462088d13	340
markrad	0:cdf462088d13	341	echo "EXIT: $CLI_EXIT" >> $CLI_OUT
markrad	0:cdf462088d13	342
markrad	0:cdf462088d13	343	sleep $SRV_DELAY_SECONDS
markrad	0:cdf462088d13	344	SRV_DELAY_SECONDS=0
markrad	0:cdf462088d13	345	}
markrad	0:cdf462088d13	346
markrad	0:cdf462088d13	347	# check if the given command uses dtls and sets global variable DTLS
markrad	0:cdf462088d13	348	detect_dtls() {
markrad	0:cdf462088d13	349	if echo "$1" \| grep 'dtls=1\\|-dtls1\\|-u' >/dev/null; then
markrad	0:cdf462088d13	350	DTLS=1
markrad	0:cdf462088d13	351	else
markrad	0:cdf462088d13	352	DTLS=0
markrad	0:cdf462088d13	353	fi
markrad	0:cdf462088d13	354	}
markrad	0:cdf462088d13	355
markrad	0:cdf462088d13	356	# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
markrad	0:cdf462088d13	357	# Options: -s pattern pattern that must be present in server output
markrad	0:cdf462088d13	358	# -c pattern pattern that must be present in client output
markrad	0:cdf462088d13	359	# -u pattern lines after pattern must be unique in client output
markrad	0:cdf462088d13	360	# -S pattern pattern that must be absent in server output
markrad	0:cdf462088d13	361	# -C pattern pattern that must be absent in client output
markrad	0:cdf462088d13	362	# -U pattern lines after pattern must be unique in server output
markrad	0:cdf462088d13	363	run_test() {
markrad	0:cdf462088d13	364	NAME="$1"
markrad	0:cdf462088d13	365	shift 1
markrad	0:cdf462088d13	366
markrad	0:cdf462088d13	367	if echo "$NAME" \| grep "$FILTER" \| grep -v "$EXCLUDE" >/dev/null; then :
markrad	0:cdf462088d13	368	else
markrad	0:cdf462088d13	369	SKIP_NEXT="NO"
markrad	0:cdf462088d13	370	return
markrad	0:cdf462088d13	371	fi
markrad	0:cdf462088d13	372
markrad	0:cdf462088d13	373	print_name "$NAME"
markrad	0:cdf462088d13	374
markrad	0:cdf462088d13	375	# Do we only run numbered tests?
markrad	0:cdf462088d13	376	if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
markrad	0:cdf462088d13	377	elif echo ",$RUN_TEST_NUMBER," \| grep ",$TESTS," >/dev/null; then :
markrad	0:cdf462088d13	378	else
markrad	0:cdf462088d13	379	SKIP_NEXT="YES"
markrad	0:cdf462088d13	380	fi
markrad	0:cdf462088d13	381
markrad	0:cdf462088d13	382	# should we skip?
markrad	0:cdf462088d13	383	if [ "X$SKIP_NEXT" = "XYES" ]; then
markrad	0:cdf462088d13	384	SKIP_NEXT="NO"
markrad	0:cdf462088d13	385	echo "SKIP"
markrad	0:cdf462088d13	386	SKIPS=$(( $SKIPS + 1 ))
markrad	0:cdf462088d13	387	return
markrad	0:cdf462088d13	388	fi
markrad	0:cdf462088d13	389
markrad	0:cdf462088d13	390	# does this test use a proxy?
markrad	0:cdf462088d13	391	if [ "X$1" = "X-p" ]; then
markrad	0:cdf462088d13	392	PXY_CMD="$2"
markrad	0:cdf462088d13	393	shift 2
markrad	0:cdf462088d13	394	else
markrad	0:cdf462088d13	395	PXY_CMD=""
markrad	0:cdf462088d13	396	fi
markrad	0:cdf462088d13	397
markrad	0:cdf462088d13	398	# get commands and client output
markrad	0:cdf462088d13	399	SRV_CMD="$1"
markrad	0:cdf462088d13	400	CLI_CMD="$2"
markrad	0:cdf462088d13	401	CLI_EXPECT="$3"
markrad	0:cdf462088d13	402	shift 3
markrad	0:cdf462088d13	403
markrad	0:cdf462088d13	404	# fix client port
markrad	0:cdf462088d13	405	if [ -n "$PXY_CMD" ]; then
markrad	0:cdf462088d13	406	CLI_CMD=$( echo "$CLI_CMD" \| sed s/+SRV_PORT/$PXY_PORT/g )
markrad	0:cdf462088d13	407	else
markrad	0:cdf462088d13	408	CLI_CMD=$( echo "$CLI_CMD" \| sed s/+SRV_PORT/$SRV_PORT/g )
markrad	0:cdf462088d13	409	fi
markrad	0:cdf462088d13	410
markrad	0:cdf462088d13	411	# update DTLS variable
markrad	0:cdf462088d13	412	detect_dtls "$SRV_CMD"
markrad	0:cdf462088d13	413
markrad	0:cdf462088d13	414	# prepend valgrind to our commands if active
markrad	0:cdf462088d13	415	if [ "$MEMCHECK" -gt 0 ]; then
markrad	0:cdf462088d13	416	if is_polar "$SRV_CMD"; then
markrad	0:cdf462088d13	417	SRV_CMD="valgrind --leak-check=full $SRV_CMD"
markrad	0:cdf462088d13	418	fi
markrad	0:cdf462088d13	419	if is_polar "$CLI_CMD"; then
markrad	0:cdf462088d13	420	CLI_CMD="valgrind --leak-check=full $CLI_CMD"
markrad	0:cdf462088d13	421	fi
markrad	0:cdf462088d13	422	fi
markrad	0:cdf462088d13	423
markrad	0:cdf462088d13	424	TIMES_LEFT=2
markrad	0:cdf462088d13	425	while [ $TIMES_LEFT -gt 0 ]; do
markrad	0:cdf462088d13	426	TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
markrad	0:cdf462088d13	427
markrad	0:cdf462088d13	428	# run the commands
markrad	0:cdf462088d13	429	if [ -n "$PXY_CMD" ]; then
markrad	0:cdf462088d13	430	echo "$PXY_CMD" > $PXY_OUT
markrad	0:cdf462088d13	431	$PXY_CMD >> $PXY_OUT 2>&1 &
markrad	0:cdf462088d13	432	PXY_PID=$!
markrad	0:cdf462088d13	433	# assume proxy starts faster than server
markrad	0:cdf462088d13	434	fi
markrad	0:cdf462088d13	435
markrad	0:cdf462088d13	436	check_osrv_dtls
markrad	0:cdf462088d13	437	echo "$SRV_CMD" > $SRV_OUT
markrad	0:cdf462088d13	438	provide_input \| $SRV_CMD >> $SRV_OUT 2>&1 &
markrad	0:cdf462088d13	439	SRV_PID=$!
markrad	0:cdf462088d13	440	wait_server_start
markrad	0:cdf462088d13	441
markrad	0:cdf462088d13	442	echo "$CLI_CMD" > $CLI_OUT
markrad	0:cdf462088d13	443	eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
markrad	0:cdf462088d13	444	wait_client_done
markrad	0:cdf462088d13	445
markrad	0:cdf462088d13	446	# terminate the server (and the proxy)
markrad	0:cdf462088d13	447	kill $SRV_PID
markrad	0:cdf462088d13	448	wait $SRV_PID
markrad	0:cdf462088d13	449	if [ -n "$PXY_CMD" ]; then
markrad	0:cdf462088d13	450	kill $PXY_PID >/dev/null 2>&1
markrad	0:cdf462088d13	451	wait $PXY_PID
markrad	0:cdf462088d13	452	fi
markrad	0:cdf462088d13	453
markrad	0:cdf462088d13	454	# retry only on timeouts
markrad	0:cdf462088d13	455	if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
markrad	0:cdf462088d13	456	printf "RETRY "
markrad	0:cdf462088d13	457	else
markrad	0:cdf462088d13	458	TIMES_LEFT=0
markrad	0:cdf462088d13	459	fi
markrad	0:cdf462088d13	460	done
markrad	0:cdf462088d13	461
markrad	0:cdf462088d13	462	# check if the client and server went at least to the handshake stage
markrad	0:cdf462088d13	463	# (useful to avoid tests with only negative assertions and non-zero
markrad	0:cdf462088d13	464	# expected client exit to incorrectly succeed in case of catastrophic
markrad	0:cdf462088d13	465	# failure)
markrad	0:cdf462088d13	466	if is_polar "$SRV_CMD"; then
markrad	0:cdf462088d13	467	if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
markrad	0:cdf462088d13	468	else
markrad	0:cdf462088d13	469	fail "server or client failed to reach handshake stage"
markrad	0:cdf462088d13	470	return
markrad	0:cdf462088d13	471	fi
markrad	0:cdf462088d13	472	fi
markrad	0:cdf462088d13	473	if is_polar "$CLI_CMD"; then
markrad	0:cdf462088d13	474	if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
markrad	0:cdf462088d13	475	else
markrad	0:cdf462088d13	476	fail "server or client failed to reach handshake stage"
markrad	0:cdf462088d13	477	return
markrad	0:cdf462088d13	478	fi
markrad	0:cdf462088d13	479	fi
markrad	0:cdf462088d13	480
markrad	0:cdf462088d13	481	# check server exit code
markrad	0:cdf462088d13	482	if [ $? != 0 ]; then
markrad	0:cdf462088d13	483	fail "server fail"
markrad	0:cdf462088d13	484	return
markrad	0:cdf462088d13	485	fi
markrad	0:cdf462088d13	486
markrad	0:cdf462088d13	487	# check client exit code
markrad	0:cdf462088d13	488	if [ $ "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 $ -o \
markrad	0:cdf462088d13	489	$ "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 $ ]
markrad	0:cdf462088d13	490	then
markrad	0:cdf462088d13	491	fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
markrad	0:cdf462088d13	492	return
markrad	0:cdf462088d13	493	fi
markrad	0:cdf462088d13	494
markrad	0:cdf462088d13	495	# check other assertions
markrad	0:cdf462088d13	496	# lines beginning with == are added by valgrind, ignore them
markrad	0:cdf462088d13	497	# lines with 'Serious error when reading debug info', are valgrind issues as well
markrad	0:cdf462088d13	498	while [ $# -gt 0 ]
markrad	0:cdf462088d13	499	do
markrad	0:cdf462088d13	500	case $1 in
markrad	0:cdf462088d13	501	"-s")
markrad	0:cdf462088d13	502	if grep -v '^==' $SRV_OUT \| grep -v 'Serious error when reading debug info' \| grep "$2" >/dev/null; then :; else
markrad	0:cdf462088d13	503	fail "pattern '$2' MUST be present in the Server output"
markrad	0:cdf462088d13	504	return
markrad	0:cdf462088d13	505	fi
markrad	0:cdf462088d13	506	;;
markrad	0:cdf462088d13	507
markrad	0:cdf462088d13	508	"-c")
markrad	0:cdf462088d13	509	if grep -v '^==' $CLI_OUT \| grep -v 'Serious error when reading debug info' \| grep "$2" >/dev/null; then :; else
markrad	0:cdf462088d13	510	fail "pattern '$2' MUST be present in the Client output"
markrad	0:cdf462088d13	511	return
markrad	0:cdf462088d13	512	fi
markrad	0:cdf462088d13	513	;;
markrad	0:cdf462088d13	514
markrad	0:cdf462088d13	515	"-S")
markrad	0:cdf462088d13	516	if grep -v '^==' $SRV_OUT \| grep -v 'Serious error when reading debug info' \| grep "$2" >/dev/null; then
markrad	0:cdf462088d13	517	fail "pattern '$2' MUST NOT be present in the Server output"
markrad	0:cdf462088d13	518	return
markrad	0:cdf462088d13	519	fi
markrad	0:cdf462088d13	520	;;
markrad	0:cdf462088d13	521
markrad	0:cdf462088d13	522	"-C")
markrad	0:cdf462088d13	523	if grep -v '^==' $CLI_OUT \| grep -v 'Serious error when reading debug info' \| grep "$2" >/dev/null; then
markrad	0:cdf462088d13	524	fail "pattern '$2' MUST NOT be present in the Client output"
markrad	0:cdf462088d13	525	return
markrad	0:cdf462088d13	526	fi
markrad	0:cdf462088d13	527	;;
markrad	0:cdf462088d13	528
markrad	0:cdf462088d13	529	# The filtering in the following two options (-u and -U) do the following
markrad	0:cdf462088d13	530	# - ignore valgrind output
markrad	0:cdf462088d13	531	# - filter out everything but lines right after the pattern occurances
markrad	0:cdf462088d13	532	# - keep one of each non-unique line
markrad	0:cdf462088d13	533	# - count how many lines remain
markrad	0:cdf462088d13	534	# A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
markrad	0:cdf462088d13	535	# if there were no duplicates.
markrad	0:cdf462088d13	536	"-U")
markrad	0:cdf462088d13	537	if [ $(grep -v '^==' $SRV_OUT \| grep -v 'Serious error when reading debug info' \| grep -A1 "$2" \| grep -v "$2" \| sort \| uniq -d \| wc -l) -gt 1 ]; then
markrad	0:cdf462088d13	538	fail "lines following pattern '$2' must be unique in Server output"
markrad	0:cdf462088d13	539	return
markrad	0:cdf462088d13	540	fi
markrad	0:cdf462088d13	541	;;
markrad	0:cdf462088d13	542
markrad	0:cdf462088d13	543	"-u")
markrad	0:cdf462088d13	544	if [ $(grep -v '^==' $CLI_OUT \| grep -v 'Serious error when reading debug info' \| grep -A1 "$2" \| grep -v "$2" \| sort \| uniq -d \| wc -l) -gt 1 ]; then
markrad	0:cdf462088d13	545	fail "lines following pattern '$2' must be unique in Client output"
markrad	0:cdf462088d13	546	return
markrad	0:cdf462088d13	547	fi
markrad	0:cdf462088d13	548	;;
markrad	0:cdf462088d13	549
markrad	0:cdf462088d13	550	*)
markrad	0:cdf462088d13	551	echo "Unknown test: $1" >&2
markrad	0:cdf462088d13	552	exit 1
markrad	0:cdf462088d13	553	esac
markrad	0:cdf462088d13	554	shift 2
markrad	0:cdf462088d13	555	done
markrad	0:cdf462088d13	556
markrad	0:cdf462088d13	557	# check valgrind's results
markrad	0:cdf462088d13	558	if [ "$MEMCHECK" -gt 0 ]; then
markrad	0:cdf462088d13	559	if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
markrad	0:cdf462088d13	560	fail "Server has memory errors"
markrad	0:cdf462088d13	561	return
markrad	0:cdf462088d13	562	fi
markrad	0:cdf462088d13	563	if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
markrad	0:cdf462088d13	564	fail "Client has memory errors"
markrad	0:cdf462088d13	565	return
markrad	0:cdf462088d13	566	fi
markrad	0:cdf462088d13	567	fi
markrad	0:cdf462088d13	568
markrad	0:cdf462088d13	569	# if we're here, everything is ok
markrad	0:cdf462088d13	570	echo "PASS"
markrad	0:cdf462088d13	571	if [ "$PRESERVE_LOGS" -gt 0 ]; then
markrad	0:cdf462088d13	572	mv $SRV_OUT o-srv-${TESTS}.log
markrad	0:cdf462088d13	573	mv $CLI_OUT o-cli-${TESTS}.log
markrad	0:cdf462088d13	574	fi
markrad	0:cdf462088d13	575
markrad	0:cdf462088d13	576	rm -f $SRV_OUT $CLI_OUT $PXY_OUT
markrad	0:cdf462088d13	577	}
markrad	0:cdf462088d13	578
markrad	0:cdf462088d13	579	cleanup() {
markrad	0:cdf462088d13	580	rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
markrad	0:cdf462088d13	581	test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
markrad	0:cdf462088d13	582	test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
markrad	0:cdf462088d13	583	test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
markrad	0:cdf462088d13	584	test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
markrad	0:cdf462088d13	585	exit 1
markrad	0:cdf462088d13	586	}
markrad	0:cdf462088d13	587
markrad	0:cdf462088d13	588	#
markrad	0:cdf462088d13	589	# MAIN
markrad	0:cdf462088d13	590	#
markrad	0:cdf462088d13	591
markrad	0:cdf462088d13	592	if cd $( dirname $0 ); then :; else
markrad	0:cdf462088d13	593	echo "cd $( dirname $0 ) failed" >&2
markrad	0:cdf462088d13	594	exit 1
markrad	0:cdf462088d13	595	fi
markrad	0:cdf462088d13	596
markrad	0:cdf462088d13	597	get_options "$@"
markrad	0:cdf462088d13	598
markrad	0:cdf462088d13	599	# sanity checks, avoid an avalanche of errors
markrad	0:cdf462088d13	600	if [ ! -x "$P_SRV" ]; then
markrad	0:cdf462088d13	601	echo "Command '$P_SRV' is not an executable file"
markrad	0:cdf462088d13	602	exit 1
markrad	0:cdf462088d13	603	fi
markrad	0:cdf462088d13	604	if [ ! -x "$P_CLI" ]; then
markrad	0:cdf462088d13	605	echo "Command '$P_CLI' is not an executable file"
markrad	0:cdf462088d13	606	exit 1
markrad	0:cdf462088d13	607	fi
markrad	0:cdf462088d13	608	if [ ! -x "$P_PXY" ]; then
markrad	0:cdf462088d13	609	echo "Command '$P_PXY' is not an executable file"
markrad	0:cdf462088d13	610	exit 1
markrad	0:cdf462088d13	611	fi
markrad	0:cdf462088d13	612	if [ "$MEMCHECK" -gt 0 ]; then
markrad	0:cdf462088d13	613	if which valgrind >/dev/null 2>&1; then :; else
markrad	0:cdf462088d13	614	echo "Memcheck not possible. Valgrind not found"
markrad	0:cdf462088d13	615	exit 1
markrad	0:cdf462088d13	616	fi
markrad	0:cdf462088d13	617	fi
markrad	0:cdf462088d13	618	if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
markrad	0:cdf462088d13	619	echo "Command '$OPENSSL_CMD' not found"
markrad	0:cdf462088d13	620	exit 1
markrad	0:cdf462088d13	621	fi
markrad	0:cdf462088d13	622
markrad	0:cdf462088d13	623	# used by watchdog
markrad	0:cdf462088d13	624	MAIN_PID="$$"
markrad	0:cdf462088d13	625
markrad	0:cdf462088d13	626	# be more patient with valgrind
markrad	0:cdf462088d13	627	if [ "$MEMCHECK" -gt 0 ]; then
markrad	0:cdf462088d13	628	START_DELAY=3
markrad	0:cdf462088d13	629	DOG_DELAY=30
markrad	0:cdf462088d13	630	else
markrad	0:cdf462088d13	631	START_DELAY=1
markrad	0:cdf462088d13	632	DOG_DELAY=10
markrad	0:cdf462088d13	633	fi
markrad	0:cdf462088d13	634	CLI_DELAY_FACTOR=1
markrad	0:cdf462088d13	635	SRV_DELAY_SECONDS=0
markrad	0:cdf462088d13	636
markrad	0:cdf462088d13	637	# fix commands to use this port, force IPv4 while at it
markrad	0:cdf462088d13	638	# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
markrad	0:cdf462088d13	639	P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
markrad	0:cdf462088d13	640	P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
markrad	0:cdf462088d13	641	P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
markrad	0:cdf462088d13	642	O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
markrad	0:cdf462088d13	643	O_CLI="$O_CLI -connect localhost:+SRV_PORT"
markrad	0:cdf462088d13	644	G_SRV="$G_SRV -p $SRV_PORT"
markrad	0:cdf462088d13	645	G_CLI="$G_CLI -p +SRV_PORT localhost"
markrad	0:cdf462088d13	646
Jasper Wallace	2:bbdeda018a3c	647	# Allow SHA-1, because many of our test certificates use it
Jasper Wallace	2:bbdeda018a3c	648	P_SRV="$P_SRV allow_sha1=1"
Jasper Wallace	2:bbdeda018a3c	649	P_CLI="$P_CLI allow_sha1=1"
Jasper Wallace	2:bbdeda018a3c	650
markrad	0:cdf462088d13	651	# Also pick a unique name for intermediate files
markrad	0:cdf462088d13	652	SRV_OUT="srv_out.$$"
markrad	0:cdf462088d13	653	CLI_OUT="cli_out.$$"
markrad	0:cdf462088d13	654	PXY_OUT="pxy_out.$$"
markrad	0:cdf462088d13	655	SESSION="session.$$"
markrad	0:cdf462088d13	656
markrad	0:cdf462088d13	657	SKIP_NEXT="NO"
markrad	0:cdf462088d13	658
markrad	0:cdf462088d13	659	trap cleanup INT TERM HUP
markrad	0:cdf462088d13	660
markrad	0:cdf462088d13	661	# Basic test
markrad	0:cdf462088d13	662
markrad	0:cdf462088d13	663	# Checks that:
markrad	0:cdf462088d13	664	# - things work with all ciphersuites active (used with config-full in all.sh)
markrad	0:cdf462088d13	665	# - the expected (highest security) parameters are selected
markrad	0:cdf462088d13	666	# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
markrad	0:cdf462088d13	667	run_test "Default" \
markrad	0:cdf462088d13	668	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	669	"$P_CLI" \
markrad	0:cdf462088d13	670	0 \
markrad	0:cdf462088d13	671	-s "Protocol is TLSv1.2" \
markrad	0:cdf462088d13	672	-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad	0:cdf462088d13	673	-s "client hello v3, signature_algorithm ext: 6" \
markrad	0:cdf462088d13	674	-s "ECDHE curve: secp521r1" \
markrad	0:cdf462088d13	675	-S "error" \
markrad	0:cdf462088d13	676	-C "error"
markrad	0:cdf462088d13	677
markrad	0:cdf462088d13	678	run_test "Default, DTLS" \
markrad	0:cdf462088d13	679	"$P_SRV dtls=1" \
markrad	0:cdf462088d13	680	"$P_CLI dtls=1" \
markrad	0:cdf462088d13	681	0 \
markrad	0:cdf462088d13	682	-s "Protocol is DTLSv1.2" \
markrad	0:cdf462088d13	683	-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
markrad	0:cdf462088d13	684
markrad	0:cdf462088d13	685	# Test for uniqueness of IVs in AEAD ciphersuites
markrad	0:cdf462088d13	686	run_test "Unique IV in GCM" \
markrad	0:cdf462088d13	687	"$P_SRV exchanges=20 debug_level=4" \
markrad	0:cdf462088d13	688	"$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad	0:cdf462088d13	689	0 \
markrad	0:cdf462088d13	690	-u "IV used" \
markrad	0:cdf462088d13	691	-U "IV used"
markrad	0:cdf462088d13	692
markrad	0:cdf462088d13	693	# Tests for rc4 option
markrad	0:cdf462088d13	694
markrad	0:cdf462088d13	695	requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad	0:cdf462088d13	696	run_test "RC4: server disabled, client enabled" \
markrad	0:cdf462088d13	697	"$P_SRV" \
markrad	0:cdf462088d13	698	"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	699	1 \
markrad	0:cdf462088d13	700	-s "SSL - The server has no ciphersuites in common"
markrad	0:cdf462088d13	701
markrad	0:cdf462088d13	702	requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad	0:cdf462088d13	703	run_test "RC4: server half, client enabled" \
markrad	0:cdf462088d13	704	"$P_SRV arc4=1" \
markrad	0:cdf462088d13	705	"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	706	1 \
markrad	0:cdf462088d13	707	-s "SSL - The server has no ciphersuites in common"
markrad	0:cdf462088d13	708
markrad	0:cdf462088d13	709	run_test "RC4: server enabled, client disabled" \
markrad	0:cdf462088d13	710	"$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	711	"$P_CLI" \
markrad	0:cdf462088d13	712	1 \
markrad	0:cdf462088d13	713	-s "SSL - The server has no ciphersuites in common"
markrad	0:cdf462088d13	714
markrad	0:cdf462088d13	715	run_test "RC4: both enabled" \
markrad	0:cdf462088d13	716	"$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	717	"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	718	0 \
markrad	0:cdf462088d13	719	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	720	-S "SSL - The server has no ciphersuites in common"
markrad	0:cdf462088d13	721
Jasper Wallace	2:bbdeda018a3c	722	# Tests for SHA-1 support
Jasper Wallace	2:bbdeda018a3c	723
Jasper Wallace	2:bbdeda018a3c	724	requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Jasper Wallace	2:bbdeda018a3c	725	run_test "SHA-1 forbidden by default in server certificate" \
Jasper Wallace	2:bbdeda018a3c	726	"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Jasper Wallace	2:bbdeda018a3c	727	"$P_CLI debug_level=2 allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	728	1 \
Jasper Wallace	2:bbdeda018a3c	729	-c "The certificate is signed with an unacceptable hash"
Jasper Wallace	2:bbdeda018a3c	730
Jasper Wallace	2:bbdeda018a3c	731	requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Jasper Wallace	2:bbdeda018a3c	732	run_test "SHA-1 forbidden by default in server certificate" \
Jasper Wallace	2:bbdeda018a3c	733	"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Jasper Wallace	2:bbdeda018a3c	734	"$P_CLI debug_level=2 allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	735	0
Jasper Wallace	2:bbdeda018a3c	736
Jasper Wallace	2:bbdeda018a3c	737	run_test "SHA-1 explicitly allowed in server certificate" \
Jasper Wallace	2:bbdeda018a3c	738	"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
Jasper Wallace	2:bbdeda018a3c	739	"$P_CLI allow_sha1=1" \
Jasper Wallace	2:bbdeda018a3c	740	0
Jasper Wallace	2:bbdeda018a3c	741
Jasper Wallace	2:bbdeda018a3c	742	run_test "SHA-256 allowed by default in server certificate" \
Jasper Wallace	2:bbdeda018a3c	743	"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
Jasper Wallace	2:bbdeda018a3c	744	"$P_CLI allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	745	0
Jasper Wallace	2:bbdeda018a3c	746
Jasper Wallace	2:bbdeda018a3c	747	requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Jasper Wallace	2:bbdeda018a3c	748	run_test "SHA-1 forbidden by default in client certificate" \
Jasper Wallace	2:bbdeda018a3c	749	"$P_SRV auth_mode=required allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	750	"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
Jasper Wallace	2:bbdeda018a3c	751	1 \
Jasper Wallace	2:bbdeda018a3c	752	-s "The certificate is signed with an unacceptable hash"
Jasper Wallace	2:bbdeda018a3c	753
Jasper Wallace	2:bbdeda018a3c	754	requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
Jasper Wallace	2:bbdeda018a3c	755	run_test "SHA-1 forbidden by default in client certificate" \
Jasper Wallace	2:bbdeda018a3c	756	"$P_SRV auth_mode=required allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	757	"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
Jasper Wallace	2:bbdeda018a3c	758	0
Jasper Wallace	2:bbdeda018a3c	759
Jasper Wallace	2:bbdeda018a3c	760	run_test "SHA-1 explicitly allowed in client certificate" \
Jasper Wallace	2:bbdeda018a3c	761	"$P_SRV auth_mode=required allow_sha1=1" \
Jasper Wallace	2:bbdeda018a3c	762	"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
Jasper Wallace	2:bbdeda018a3c	763	0
Jasper Wallace	2:bbdeda018a3c	764
Jasper Wallace	2:bbdeda018a3c	765	run_test "SHA-256 allowed by default in client certificate" \
Jasper Wallace	2:bbdeda018a3c	766	"$P_SRV auth_mode=required allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	767	"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
Jasper Wallace	2:bbdeda018a3c	768	0
Jasper Wallace	2:bbdeda018a3c	769
markrad	0:cdf462088d13	770	# Tests for Truncated HMAC extension
markrad	0:cdf462088d13	771
markrad	0:cdf462088d13	772	run_test "Truncated HMAC: client default, server default" \
markrad	0:cdf462088d13	773	"$P_SRV debug_level=4" \
markrad	0:cdf462088d13	774	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	775	0 \
markrad	0:cdf462088d13	776	-s "dumping 'computed mac' (20 bytes)" \
markrad	0:cdf462088d13	777	-S "dumping 'computed mac' (10 bytes)"
markrad	0:cdf462088d13	778
markrad	0:cdf462088d13	779	run_test "Truncated HMAC: client disabled, server default" \
markrad	0:cdf462088d13	780	"$P_SRV debug_level=4" \
markrad	0:cdf462088d13	781	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	782	trunc_hmac=0" \
markrad	0:cdf462088d13	783	0 \
markrad	0:cdf462088d13	784	-s "dumping 'computed mac' (20 bytes)" \
markrad	0:cdf462088d13	785	-S "dumping 'computed mac' (10 bytes)"
markrad	0:cdf462088d13	786
markrad	0:cdf462088d13	787	run_test "Truncated HMAC: client enabled, server default" \
markrad	0:cdf462088d13	788	"$P_SRV debug_level=4" \
markrad	0:cdf462088d13	789	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	790	trunc_hmac=1" \
markrad	0:cdf462088d13	791	0 \
markrad	0:cdf462088d13	792	-s "dumping 'computed mac' (20 bytes)" \
markrad	0:cdf462088d13	793	-S "dumping 'computed mac' (10 bytes)"
markrad	0:cdf462088d13	794
markrad	0:cdf462088d13	795	run_test "Truncated HMAC: client enabled, server disabled" \
markrad	0:cdf462088d13	796	"$P_SRV debug_level=4 trunc_hmac=0" \
markrad	0:cdf462088d13	797	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	798	trunc_hmac=1" \
markrad	0:cdf462088d13	799	0 \
markrad	0:cdf462088d13	800	-s "dumping 'computed mac' (20 bytes)" \
markrad	0:cdf462088d13	801	-S "dumping 'computed mac' (10 bytes)"
markrad	0:cdf462088d13	802
markrad	0:cdf462088d13	803	run_test "Truncated HMAC: client enabled, server enabled" \
markrad	0:cdf462088d13	804	"$P_SRV debug_level=4 trunc_hmac=1" \
markrad	0:cdf462088d13	805	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	806	trunc_hmac=1" \
markrad	0:cdf462088d13	807	0 \
markrad	0:cdf462088d13	808	-S "dumping 'computed mac' (20 bytes)" \
markrad	0:cdf462088d13	809	-s "dumping 'computed mac' (10 bytes)"
markrad	0:cdf462088d13	810
markrad	0:cdf462088d13	811	# Tests for Encrypt-then-MAC extension
markrad	0:cdf462088d13	812
markrad	0:cdf462088d13	813	run_test "Encrypt then MAC: default" \
markrad	0:cdf462088d13	814	"$P_SRV debug_level=3 \
markrad	0:cdf462088d13	815	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	816	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	817	0 \
markrad	0:cdf462088d13	818	-c "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	819	-s "found encrypt then mac extension" \
markrad	0:cdf462088d13	820	-s "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	821	-c "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	822	-c "using encrypt then mac" \
markrad	0:cdf462088d13	823	-s "using encrypt then mac"
markrad	0:cdf462088d13	824
markrad	0:cdf462088d13	825	run_test "Encrypt then MAC: client enabled, server disabled" \
markrad	0:cdf462088d13	826	"$P_SRV debug_level=3 etm=0 \
markrad	0:cdf462088d13	827	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	828	"$P_CLI debug_level=3 etm=1" \
markrad	0:cdf462088d13	829	0 \
markrad	0:cdf462088d13	830	-c "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	831	-s "found encrypt then mac extension" \
markrad	0:cdf462088d13	832	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	833	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	834	-C "using encrypt then mac" \
markrad	0:cdf462088d13	835	-S "using encrypt then mac"
markrad	0:cdf462088d13	836
markrad	0:cdf462088d13	837	run_test "Encrypt then MAC: client enabled, aead cipher" \
markrad	0:cdf462088d13	838	"$P_SRV debug_level=3 etm=1 \
markrad	0:cdf462088d13	839	force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	840	"$P_CLI debug_level=3 etm=1" \
markrad	0:cdf462088d13	841	0 \
markrad	0:cdf462088d13	842	-c "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	843	-s "found encrypt then mac extension" \
markrad	0:cdf462088d13	844	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	845	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	846	-C "using encrypt then mac" \
markrad	0:cdf462088d13	847	-S "using encrypt then mac"
markrad	0:cdf462088d13	848
markrad	0:cdf462088d13	849	run_test "Encrypt then MAC: client enabled, stream cipher" \
markrad	0:cdf462088d13	850	"$P_SRV debug_level=3 etm=1 \
markrad	0:cdf462088d13	851	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	852	"$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	853	0 \
markrad	0:cdf462088d13	854	-c "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	855	-s "found encrypt then mac extension" \
markrad	0:cdf462088d13	856	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	857	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	858	-C "using encrypt then mac" \
markrad	0:cdf462088d13	859	-S "using encrypt then mac"
markrad	0:cdf462088d13	860
markrad	0:cdf462088d13	861	run_test "Encrypt then MAC: client disabled, server enabled" \
markrad	0:cdf462088d13	862	"$P_SRV debug_level=3 etm=1 \
markrad	0:cdf462088d13	863	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	864	"$P_CLI debug_level=3 etm=0" \
markrad	0:cdf462088d13	865	0 \
markrad	0:cdf462088d13	866	-C "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	867	-S "found encrypt then mac extension" \
markrad	0:cdf462088d13	868	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	869	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	870	-C "using encrypt then mac" \
markrad	0:cdf462088d13	871	-S "using encrypt then mac"
markrad	0:cdf462088d13	872
markrad	0:cdf462088d13	873	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	874	run_test "Encrypt then MAC: client SSLv3, server enabled" \
markrad	0:cdf462088d13	875	"$P_SRV debug_level=3 min_version=ssl3 \
markrad	0:cdf462088d13	876	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	877	"$P_CLI debug_level=3 force_version=ssl3" \
markrad	0:cdf462088d13	878	0 \
markrad	0:cdf462088d13	879	-C "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	880	-S "found encrypt then mac extension" \
markrad	0:cdf462088d13	881	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	882	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	883	-C "using encrypt then mac" \
markrad	0:cdf462088d13	884	-S "using encrypt then mac"
markrad	0:cdf462088d13	885
markrad	0:cdf462088d13	886	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	887	run_test "Encrypt then MAC: client enabled, server SSLv3" \
markrad	0:cdf462088d13	888	"$P_SRV debug_level=3 force_version=ssl3 \
markrad	0:cdf462088d13	889	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	890	"$P_CLI debug_level=3 min_version=ssl3" \
markrad	0:cdf462088d13	891	0 \
markrad	0:cdf462088d13	892	-c "client hello, adding encrypt_then_mac extension" \
markrad	0:cdf462088d13	893	-S "found encrypt then mac extension" \
markrad	0:cdf462088d13	894	-S "server hello, adding encrypt then mac extension" \
markrad	0:cdf462088d13	895	-C "found encrypt_then_mac extension" \
markrad	0:cdf462088d13	896	-C "using encrypt then mac" \
markrad	0:cdf462088d13	897	-S "using encrypt then mac"
markrad	0:cdf462088d13	898
markrad	0:cdf462088d13	899	# Tests for Extended Master Secret extension
markrad	0:cdf462088d13	900
markrad	0:cdf462088d13	901	run_test "Extended Master Secret: default" \
markrad	0:cdf462088d13	902	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	903	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	904	0 \
markrad	0:cdf462088d13	905	-c "client hello, adding extended_master_secret extension" \
markrad	0:cdf462088d13	906	-s "found extended master secret extension" \
markrad	0:cdf462088d13	907	-s "server hello, adding extended master secret extension" \
markrad	0:cdf462088d13	908	-c "found extended_master_secret extension" \
markrad	0:cdf462088d13	909	-c "using extended master secret" \
markrad	0:cdf462088d13	910	-s "using extended master secret"
markrad	0:cdf462088d13	911
markrad	0:cdf462088d13	912	run_test "Extended Master Secret: client enabled, server disabled" \
markrad	0:cdf462088d13	913	"$P_SRV debug_level=3 extended_ms=0" \
markrad	0:cdf462088d13	914	"$P_CLI debug_level=3 extended_ms=1" \
markrad	0:cdf462088d13	915	0 \
markrad	0:cdf462088d13	916	-c "client hello, adding extended_master_secret extension" \
markrad	0:cdf462088d13	917	-s "found extended master secret extension" \
markrad	0:cdf462088d13	918	-S "server hello, adding extended master secret extension" \
markrad	0:cdf462088d13	919	-C "found extended_master_secret extension" \
markrad	0:cdf462088d13	920	-C "using extended master secret" \
markrad	0:cdf462088d13	921	-S "using extended master secret"
markrad	0:cdf462088d13	922
markrad	0:cdf462088d13	923	run_test "Extended Master Secret: client disabled, server enabled" \
markrad	0:cdf462088d13	924	"$P_SRV debug_level=3 extended_ms=1" \
markrad	0:cdf462088d13	925	"$P_CLI debug_level=3 extended_ms=0" \
markrad	0:cdf462088d13	926	0 \
markrad	0:cdf462088d13	927	-C "client hello, adding extended_master_secret extension" \
markrad	0:cdf462088d13	928	-S "found extended master secret extension" \
markrad	0:cdf462088d13	929	-S "server hello, adding extended master secret extension" \
markrad	0:cdf462088d13	930	-C "found extended_master_secret extension" \
markrad	0:cdf462088d13	931	-C "using extended master secret" \
markrad	0:cdf462088d13	932	-S "using extended master secret"
markrad	0:cdf462088d13	933
markrad	0:cdf462088d13	934	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	935	run_test "Extended Master Secret: client SSLv3, server enabled" \
markrad	0:cdf462088d13	936	"$P_SRV debug_level=3 min_version=ssl3" \
markrad	0:cdf462088d13	937	"$P_CLI debug_level=3 force_version=ssl3" \
markrad	0:cdf462088d13	938	0 \
markrad	0:cdf462088d13	939	-C "client hello, adding extended_master_secret extension" \
markrad	0:cdf462088d13	940	-S "found extended master secret extension" \
markrad	0:cdf462088d13	941	-S "server hello, adding extended master secret extension" \
markrad	0:cdf462088d13	942	-C "found extended_master_secret extension" \
markrad	0:cdf462088d13	943	-C "using extended master secret" \
markrad	0:cdf462088d13	944	-S "using extended master secret"
markrad	0:cdf462088d13	945
markrad	0:cdf462088d13	946	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	947	run_test "Extended Master Secret: client enabled, server SSLv3" \
markrad	0:cdf462088d13	948	"$P_SRV debug_level=3 force_version=ssl3" \
markrad	0:cdf462088d13	949	"$P_CLI debug_level=3 min_version=ssl3" \
markrad	0:cdf462088d13	950	0 \
markrad	0:cdf462088d13	951	-c "client hello, adding extended_master_secret extension" \
markrad	0:cdf462088d13	952	-S "found extended master secret extension" \
markrad	0:cdf462088d13	953	-S "server hello, adding extended master secret extension" \
markrad	0:cdf462088d13	954	-C "found extended_master_secret extension" \
markrad	0:cdf462088d13	955	-C "using extended master secret" \
markrad	0:cdf462088d13	956	-S "using extended master secret"
markrad	0:cdf462088d13	957
markrad	0:cdf462088d13	958	# Tests for FALLBACK_SCSV
markrad	0:cdf462088d13	959
markrad	0:cdf462088d13	960	run_test "Fallback SCSV: default" \
markrad	0:cdf462088d13	961	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	962	"$P_CLI debug_level=3 force_version=tls1_1" \
markrad	0:cdf462088d13	963	0 \
markrad	0:cdf462088d13	964	-C "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	965	-S "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	966	-S "inapropriate fallback" \
markrad	0:cdf462088d13	967	-C "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	968
markrad	0:cdf462088d13	969	run_test "Fallback SCSV: explicitly disabled" \
markrad	0:cdf462088d13	970	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	971	"$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad	0:cdf462088d13	972	0 \
markrad	0:cdf462088d13	973	-C "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	974	-S "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	975	-S "inapropriate fallback" \
markrad	0:cdf462088d13	976	-C "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	977
markrad	0:cdf462088d13	978	run_test "Fallback SCSV: enabled" \
markrad	0:cdf462088d13	979	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	980	"$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad	0:cdf462088d13	981	1 \
markrad	0:cdf462088d13	982	-c "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	983	-s "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	984	-s "inapropriate fallback" \
markrad	0:cdf462088d13	985	-c "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	986
markrad	0:cdf462088d13	987	run_test "Fallback SCSV: enabled, max version" \
markrad	0:cdf462088d13	988	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	989	"$P_CLI debug_level=3 fallback=1" \
markrad	0:cdf462088d13	990	0 \
markrad	0:cdf462088d13	991	-c "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	992	-s "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	993	-S "inapropriate fallback" \
markrad	0:cdf462088d13	994	-C "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	995
markrad	0:cdf462088d13	996	requires_openssl_with_fallback_scsv
markrad	0:cdf462088d13	997	run_test "Fallback SCSV: default, openssl server" \
markrad	0:cdf462088d13	998	"$O_SRV" \
markrad	0:cdf462088d13	999	"$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad	0:cdf462088d13	1000	0 \
markrad	0:cdf462088d13	1001	-C "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	1002	-C "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	1003
markrad	0:cdf462088d13	1004	requires_openssl_with_fallback_scsv
markrad	0:cdf462088d13	1005	run_test "Fallback SCSV: enabled, openssl server" \
markrad	0:cdf462088d13	1006	"$O_SRV" \
markrad	0:cdf462088d13	1007	"$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad	0:cdf462088d13	1008	1 \
markrad	0:cdf462088d13	1009	-c "adding FALLBACK_SCSV" \
markrad	0:cdf462088d13	1010	-c "is a fatal alert message (msg 86)"
markrad	0:cdf462088d13	1011
markrad	0:cdf462088d13	1012	requires_openssl_with_fallback_scsv
markrad	0:cdf462088d13	1013	run_test "Fallback SCSV: disabled, openssl client" \
markrad	0:cdf462088d13	1014	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	1015	"$O_CLI -tls1_1" \
markrad	0:cdf462088d13	1016	0 \
markrad	0:cdf462088d13	1017	-S "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	1018	-S "inapropriate fallback"
markrad	0:cdf462088d13	1019
markrad	0:cdf462088d13	1020	requires_openssl_with_fallback_scsv
markrad	0:cdf462088d13	1021	run_test "Fallback SCSV: enabled, openssl client" \
markrad	0:cdf462088d13	1022	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	1023	"$O_CLI -tls1_1 -fallback_scsv" \
markrad	0:cdf462088d13	1024	1 \
markrad	0:cdf462088d13	1025	-s "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	1026	-s "inapropriate fallback"
markrad	0:cdf462088d13	1027
markrad	0:cdf462088d13	1028	requires_openssl_with_fallback_scsv
markrad	0:cdf462088d13	1029	run_test "Fallback SCSV: enabled, max version, openssl client" \
markrad	0:cdf462088d13	1030	"$P_SRV debug_level=2" \
markrad	0:cdf462088d13	1031	"$O_CLI -fallback_scsv" \
markrad	0:cdf462088d13	1032	0 \
markrad	0:cdf462088d13	1033	-s "received FALLBACK_SCSV" \
markrad	0:cdf462088d13	1034	-S "inapropriate fallback"
markrad	0:cdf462088d13	1035
Jasper Wallace	2:bbdeda018a3c	1036	## ClientHello generated with
Jasper Wallace	2:bbdeda018a3c	1037	## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
Jasper Wallace	2:bbdeda018a3c	1038	## then manually twiddling the ciphersuite list.
Jasper Wallace	2:bbdeda018a3c	1039	## The ClientHello content is spelled out below as a hex string as
Jasper Wallace	2:bbdeda018a3c	1040	## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
Jasper Wallace	2:bbdeda018a3c	1041	## The expected response is an inappropriate_fallback alert.
Jasper Wallace	2:bbdeda018a3c	1042	requires_openssl_with_fallback_scsv
Jasper Wallace	2:bbdeda018a3c	1043	run_test "Fallback SCSV: beginning of list" \
Jasper Wallace	2:bbdeda018a3c	1044	"$P_SRV debug_level=2" \
Jasper Wallace	2:bbdeda018a3c	1045	"$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
Jasper Wallace	2:bbdeda018a3c	1046	0 \
Jasper Wallace	2:bbdeda018a3c	1047	-s "received FALLBACK_SCSV" \
Jasper Wallace	2:bbdeda018a3c	1048	-s "inapropriate fallback"
Jasper Wallace	2:bbdeda018a3c	1049
Jasper Wallace	2:bbdeda018a3c	1050	requires_openssl_with_fallback_scsv
Jasper Wallace	2:bbdeda018a3c	1051	run_test "Fallback SCSV: end of list" \
Jasper Wallace	2:bbdeda018a3c	1052	"$P_SRV debug_level=2" \
Jasper Wallace	2:bbdeda018a3c	1053	"$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
Jasper Wallace	2:bbdeda018a3c	1054	0 \
Jasper Wallace	2:bbdeda018a3c	1055	-s "received FALLBACK_SCSV" \
Jasper Wallace	2:bbdeda018a3c	1056	-s "inapropriate fallback"
Jasper Wallace	2:bbdeda018a3c	1057
Jasper Wallace	2:bbdeda018a3c	1058	## Here the expected response is a valid ServerHello prefix, up to the random.
Jasper Wallace	2:bbdeda018a3c	1059	requires_openssl_with_fallback_scsv
Jasper Wallace	2:bbdeda018a3c	1060	run_test "Fallback SCSV: not in list" \
Jasper Wallace	2:bbdeda018a3c	1061	"$P_SRV debug_level=2" \
Jasper Wallace	2:bbdeda018a3c	1062	"$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \
Jasper Wallace	2:bbdeda018a3c	1063	0 \
Jasper Wallace	2:bbdeda018a3c	1064	-S "received FALLBACK_SCSV" \
Jasper Wallace	2:bbdeda018a3c	1065	-S "inapropriate fallback"
Jasper Wallace	2:bbdeda018a3c	1066
markrad	0:cdf462088d13	1067	# Tests for CBC 1/n-1 record splitting
markrad	0:cdf462088d13	1068
markrad	0:cdf462088d13	1069	run_test "CBC Record splitting: TLS 1.2, no splitting" \
markrad	0:cdf462088d13	1070	"$P_SRV" \
markrad	0:cdf462088d13	1071	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1072	request_size=123 force_version=tls1_2" \
markrad	0:cdf462088d13	1073	0 \
markrad	0:cdf462088d13	1074	-s "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1075	-S "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1076	-S "122 bytes read"
markrad	0:cdf462088d13	1077
markrad	0:cdf462088d13	1078	run_test "CBC Record splitting: TLS 1.1, no splitting" \
markrad	0:cdf462088d13	1079	"$P_SRV" \
markrad	0:cdf462088d13	1080	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1081	request_size=123 force_version=tls1_1" \
markrad	0:cdf462088d13	1082	0 \
markrad	0:cdf462088d13	1083	-s "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1084	-S "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1085	-S "122 bytes read"
markrad	0:cdf462088d13	1086
markrad	0:cdf462088d13	1087	run_test "CBC Record splitting: TLS 1.0, splitting" \
markrad	0:cdf462088d13	1088	"$P_SRV" \
markrad	0:cdf462088d13	1089	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1090	request_size=123 force_version=tls1" \
markrad	0:cdf462088d13	1091	0 \
markrad	0:cdf462088d13	1092	-S "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1093	-s "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1094	-s "122 bytes read"
markrad	0:cdf462088d13	1095
markrad	0:cdf462088d13	1096	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	1097	run_test "CBC Record splitting: SSLv3, splitting" \
markrad	0:cdf462088d13	1098	"$P_SRV min_version=ssl3" \
markrad	0:cdf462088d13	1099	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1100	request_size=123 force_version=ssl3" \
markrad	0:cdf462088d13	1101	0 \
markrad	0:cdf462088d13	1102	-S "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1103	-s "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1104	-s "122 bytes read"
markrad	0:cdf462088d13	1105
markrad	0:cdf462088d13	1106	run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
markrad	0:cdf462088d13	1107	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	1108	"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	1109	request_size=123 force_version=tls1" \
markrad	0:cdf462088d13	1110	0 \
markrad	0:cdf462088d13	1111	-s "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1112	-S "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1113	-S "122 bytes read"
markrad	0:cdf462088d13	1114
markrad	0:cdf462088d13	1115	run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
markrad	0:cdf462088d13	1116	"$P_SRV" \
markrad	0:cdf462088d13	1117	"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1118	request_size=123 force_version=tls1 recsplit=0" \
markrad	0:cdf462088d13	1119	0 \
markrad	0:cdf462088d13	1120	-s "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1121	-S "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1122	-S "122 bytes read"
markrad	0:cdf462088d13	1123
markrad	0:cdf462088d13	1124	run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
markrad	0:cdf462088d13	1125	"$P_SRV nbio=2" \
markrad	0:cdf462088d13	1126	"$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	1127	request_size=123 force_version=tls1" \
markrad	0:cdf462088d13	1128	0 \
markrad	0:cdf462088d13	1129	-S "Read from client: 123 bytes read" \
markrad	0:cdf462088d13	1130	-s "Read from client: 1 bytes read" \
markrad	0:cdf462088d13	1131	-s "122 bytes read"
markrad	0:cdf462088d13	1132
markrad	0:cdf462088d13	1133	# Tests for Session Tickets
markrad	0:cdf462088d13	1134
markrad	0:cdf462088d13	1135	run_test "Session resume using tickets: basic" \
markrad	0:cdf462088d13	1136	"$P_SRV debug_level=3 tickets=1" \
markrad	0:cdf462088d13	1137	"$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	1138	0 \
markrad	0:cdf462088d13	1139	-c "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1140	-s "found session ticket extension" \
markrad	0:cdf462088d13	1141	-s "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1142	-c "found session_ticket extension" \
markrad	0:cdf462088d13	1143	-c "parse new session ticket" \
markrad	0:cdf462088d13	1144	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1145	-s "session successfully restored from ticket" \
markrad	0:cdf462088d13	1146	-s "a session has been resumed" \
markrad	0:cdf462088d13	1147	-c "a session has been resumed"
markrad	0:cdf462088d13	1148
markrad	0:cdf462088d13	1149	run_test "Session resume using tickets: cache disabled" \
markrad	0:cdf462088d13	1150	"$P_SRV debug_level=3 tickets=1 cache_max=0" \
markrad	0:cdf462088d13	1151	"$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	1152	0 \
markrad	0:cdf462088d13	1153	-c "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1154	-s "found session ticket extension" \
markrad	0:cdf462088d13	1155	-s "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1156	-c "found session_ticket extension" \
markrad	0:cdf462088d13	1157	-c "parse new session ticket" \
markrad	0:cdf462088d13	1158	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1159	-s "session successfully restored from ticket" \
markrad	0:cdf462088d13	1160	-s "a session has been resumed" \
markrad	0:cdf462088d13	1161	-c "a session has been resumed"
markrad	0:cdf462088d13	1162
markrad	0:cdf462088d13	1163	run_test "Session resume using tickets: timeout" \
markrad	0:cdf462088d13	1164	"$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
markrad	0:cdf462088d13	1165	"$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
markrad	0:cdf462088d13	1166	0 \
markrad	0:cdf462088d13	1167	-c "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1168	-s "found session ticket extension" \
markrad	0:cdf462088d13	1169	-s "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1170	-c "found session_ticket extension" \
markrad	0:cdf462088d13	1171	-c "parse new session ticket" \
markrad	0:cdf462088d13	1172	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1173	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1174	-S "a session has been resumed" \
markrad	0:cdf462088d13	1175	-C "a session has been resumed"
markrad	0:cdf462088d13	1176
markrad	0:cdf462088d13	1177	run_test "Session resume using tickets: openssl server" \
markrad	0:cdf462088d13	1178	"$O_SRV" \
markrad	0:cdf462088d13	1179	"$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	1180	0 \
markrad	0:cdf462088d13	1181	-c "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1182	-c "found session_ticket extension" \
markrad	0:cdf462088d13	1183	-c "parse new session ticket" \
markrad	0:cdf462088d13	1184	-c "a session has been resumed"
markrad	0:cdf462088d13	1185
markrad	0:cdf462088d13	1186	run_test "Session resume using tickets: openssl client" \
markrad	0:cdf462088d13	1187	"$P_SRV debug_level=3 tickets=1" \
markrad	0:cdf462088d13	1188	"( $O_CLI -sess_out $SESSION; \
markrad	0:cdf462088d13	1189	$O_CLI -sess_in $SESSION; \
markrad	0:cdf462088d13	1190	rm -f $SESSION )" \
markrad	0:cdf462088d13	1191	0 \
markrad	0:cdf462088d13	1192	-s "found session ticket extension" \
markrad	0:cdf462088d13	1193	-s "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1194	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1195	-s "session successfully restored from ticket" \
markrad	0:cdf462088d13	1196	-s "a session has been resumed"
markrad	0:cdf462088d13	1197
markrad	0:cdf462088d13	1198	# Tests for Session Resume based on session-ID and cache
markrad	0:cdf462088d13	1199
markrad	0:cdf462088d13	1200	run_test "Session resume using cache: tickets enabled on client" \
markrad	0:cdf462088d13	1201	"$P_SRV debug_level=3 tickets=0" \
markrad	0:cdf462088d13	1202	"$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	1203	0 \
markrad	0:cdf462088d13	1204	-c "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1205	-s "found session ticket extension" \
markrad	0:cdf462088d13	1206	-S "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1207	-C "found session_ticket extension" \
markrad	0:cdf462088d13	1208	-C "parse new session ticket" \
markrad	0:cdf462088d13	1209	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1210	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1211	-s "a session has been resumed" \
markrad	0:cdf462088d13	1212	-c "a session has been resumed"
markrad	0:cdf462088d13	1213
markrad	0:cdf462088d13	1214	run_test "Session resume using cache: tickets enabled on server" \
markrad	0:cdf462088d13	1215	"$P_SRV debug_level=3 tickets=1" \
markrad	0:cdf462088d13	1216	"$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad	0:cdf462088d13	1217	0 \
markrad	0:cdf462088d13	1218	-C "client hello, adding session ticket extension" \
markrad	0:cdf462088d13	1219	-S "found session ticket extension" \
markrad	0:cdf462088d13	1220	-S "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1221	-C "found session_ticket extension" \
markrad	0:cdf462088d13	1222	-C "parse new session ticket" \
markrad	0:cdf462088d13	1223	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1224	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1225	-s "a session has been resumed" \
markrad	0:cdf462088d13	1226	-c "a session has been resumed"
markrad	0:cdf462088d13	1227
markrad	0:cdf462088d13	1228	run_test "Session resume using cache: cache_max=0" \
markrad	0:cdf462088d13	1229	"$P_SRV debug_level=3 tickets=0 cache_max=0" \
markrad	0:cdf462088d13	1230	"$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad	0:cdf462088d13	1231	0 \
markrad	0:cdf462088d13	1232	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1233	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1234	-S "a session has been resumed" \
markrad	0:cdf462088d13	1235	-C "a session has been resumed"
markrad	0:cdf462088d13	1236
markrad	0:cdf462088d13	1237	run_test "Session resume using cache: cache_max=1" \
markrad	0:cdf462088d13	1238	"$P_SRV debug_level=3 tickets=0 cache_max=1" \
markrad	0:cdf462088d13	1239	"$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad	0:cdf462088d13	1240	0 \
markrad	0:cdf462088d13	1241	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1242	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1243	-s "a session has been resumed" \
markrad	0:cdf462088d13	1244	-c "a session has been resumed"
markrad	0:cdf462088d13	1245
markrad	0:cdf462088d13	1246	run_test "Session resume using cache: timeout > delay" \
markrad	0:cdf462088d13	1247	"$P_SRV debug_level=3 tickets=0" \
markrad	0:cdf462088d13	1248	"$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
markrad	0:cdf462088d13	1249	0 \
markrad	0:cdf462088d13	1250	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1251	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1252	-s "a session has been resumed" \
markrad	0:cdf462088d13	1253	-c "a session has been resumed"
markrad	0:cdf462088d13	1254
markrad	0:cdf462088d13	1255	run_test "Session resume using cache: timeout < delay" \
markrad	0:cdf462088d13	1256	"$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
markrad	0:cdf462088d13	1257	"$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad	0:cdf462088d13	1258	0 \
markrad	0:cdf462088d13	1259	-S "session successfully restored from cache" \
markrad	0:cdf462088d13	1260	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1261	-S "a session has been resumed" \
markrad	0:cdf462088d13	1262	-C "a session has been resumed"
markrad	0:cdf462088d13	1263
markrad	0:cdf462088d13	1264	run_test "Session resume using cache: no timeout" \
markrad	0:cdf462088d13	1265	"$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
markrad	0:cdf462088d13	1266	"$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad	0:cdf462088d13	1267	0 \
markrad	0:cdf462088d13	1268	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1269	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1270	-s "a session has been resumed" \
markrad	0:cdf462088d13	1271	-c "a session has been resumed"
markrad	0:cdf462088d13	1272
markrad	0:cdf462088d13	1273	run_test "Session resume using cache: openssl client" \
markrad	0:cdf462088d13	1274	"$P_SRV debug_level=3 tickets=0" \
markrad	0:cdf462088d13	1275	"( $O_CLI -sess_out $SESSION; \
markrad	0:cdf462088d13	1276	$O_CLI -sess_in $SESSION; \
markrad	0:cdf462088d13	1277	rm -f $SESSION )" \
markrad	0:cdf462088d13	1278	0 \
markrad	0:cdf462088d13	1279	-s "found session ticket extension" \
markrad	0:cdf462088d13	1280	-S "server hello, adding session ticket extension" \
markrad	0:cdf462088d13	1281	-s "session successfully restored from cache" \
markrad	0:cdf462088d13	1282	-S "session successfully restored from ticket" \
markrad	0:cdf462088d13	1283	-s "a session has been resumed"
markrad	0:cdf462088d13	1284
markrad	0:cdf462088d13	1285	run_test "Session resume using cache: openssl server" \
markrad	0:cdf462088d13	1286	"$O_SRV" \
markrad	0:cdf462088d13	1287	"$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad	0:cdf462088d13	1288	0 \
markrad	0:cdf462088d13	1289	-C "found session_ticket extension" \
markrad	0:cdf462088d13	1290	-C "parse new session ticket" \
markrad	0:cdf462088d13	1291	-c "a session has been resumed"
markrad	0:cdf462088d13	1292
markrad	0:cdf462088d13	1293	# Tests for Max Fragment Length extension
markrad	0:cdf462088d13	1294
markrad	0:cdf462088d13	1295	run_test "Max fragment length: not used, reference" \
markrad	0:cdf462088d13	1296	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1297	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	1298	0 \
markrad	0:cdf462088d13	1299	-c "Maximum fragment length is 16384" \
markrad	0:cdf462088d13	1300	-s "Maximum fragment length is 16384" \
markrad	0:cdf462088d13	1301	-C "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1302	-S "found max fragment length extension" \
markrad	0:cdf462088d13	1303	-S "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1304	-C "found max_fragment_length extension"
markrad	0:cdf462088d13	1305
markrad	0:cdf462088d13	1306	run_test "Max fragment length: used by client" \
markrad	0:cdf462088d13	1307	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1308	"$P_CLI debug_level=3 max_frag_len=4096" \
markrad	0:cdf462088d13	1309	0 \
markrad	0:cdf462088d13	1310	-c "Maximum fragment length is 4096" \
markrad	0:cdf462088d13	1311	-s "Maximum fragment length is 4096" \
markrad	0:cdf462088d13	1312	-c "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1313	-s "found max fragment length extension" \
markrad	0:cdf462088d13	1314	-s "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1315	-c "found max_fragment_length extension"
markrad	0:cdf462088d13	1316
markrad	0:cdf462088d13	1317	run_test "Max fragment length: used by server" \
markrad	0:cdf462088d13	1318	"$P_SRV debug_level=3 max_frag_len=4096" \
markrad	0:cdf462088d13	1319	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	1320	0 \
markrad	0:cdf462088d13	1321	-c "Maximum fragment length is 16384" \
markrad	0:cdf462088d13	1322	-s "Maximum fragment length is 4096" \
markrad	0:cdf462088d13	1323	-C "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1324	-S "found max fragment length extension" \
markrad	0:cdf462088d13	1325	-S "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1326	-C "found max_fragment_length extension"
markrad	0:cdf462088d13	1327
markrad	0:cdf462088d13	1328	requires_gnutls
markrad	0:cdf462088d13	1329	run_test "Max fragment length: gnutls server" \
markrad	0:cdf462088d13	1330	"$G_SRV" \
markrad	0:cdf462088d13	1331	"$P_CLI debug_level=3 max_frag_len=4096" \
markrad	0:cdf462088d13	1332	0 \
markrad	0:cdf462088d13	1333	-c "Maximum fragment length is 4096" \
markrad	0:cdf462088d13	1334	-c "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1335	-c "found max_fragment_length extension"
markrad	0:cdf462088d13	1336
markrad	0:cdf462088d13	1337	run_test "Max fragment length: client, message just fits" \
markrad	0:cdf462088d13	1338	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1339	"$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
markrad	0:cdf462088d13	1340	0 \
markrad	0:cdf462088d13	1341	-c "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1342	-s "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1343	-c "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1344	-s "found max fragment length extension" \
markrad	0:cdf462088d13	1345	-s "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1346	-c "found max_fragment_length extension" \
markrad	0:cdf462088d13	1347	-c "2048 bytes written in 1 fragments" \
markrad	0:cdf462088d13	1348	-s "2048 bytes read"
markrad	0:cdf462088d13	1349
markrad	0:cdf462088d13	1350	run_test "Max fragment length: client, larger message" \
markrad	0:cdf462088d13	1351	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1352	"$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
markrad	0:cdf462088d13	1353	0 \
markrad	0:cdf462088d13	1354	-c "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1355	-s "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1356	-c "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1357	-s "found max fragment length extension" \
markrad	0:cdf462088d13	1358	-s "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1359	-c "found max_fragment_length extension" \
markrad	0:cdf462088d13	1360	-c "2345 bytes written in 2 fragments" \
markrad	0:cdf462088d13	1361	-s "2048 bytes read" \
markrad	0:cdf462088d13	1362	-s "297 bytes read"
markrad	0:cdf462088d13	1363
markrad	0:cdf462088d13	1364	run_test "Max fragment length: DTLS client, larger message" \
markrad	0:cdf462088d13	1365	"$P_SRV debug_level=3 dtls=1" \
markrad	0:cdf462088d13	1366	"$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
markrad	0:cdf462088d13	1367	1 \
markrad	0:cdf462088d13	1368	-c "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1369	-s "Maximum fragment length is 2048" \
markrad	0:cdf462088d13	1370	-c "client hello, adding max_fragment_length extension" \
markrad	0:cdf462088d13	1371	-s "found max fragment length extension" \
markrad	0:cdf462088d13	1372	-s "server hello, max_fragment_length extension" \
markrad	0:cdf462088d13	1373	-c "found max_fragment_length extension" \
markrad	0:cdf462088d13	1374	-c "fragment larger than.*maximum"
markrad	0:cdf462088d13	1375
markrad	0:cdf462088d13	1376	# Tests for renegotiation
markrad	0:cdf462088d13	1377
markrad	0:cdf462088d13	1378	run_test "Renegotiation: none, for reference" \
markrad	0:cdf462088d13	1379	"$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
markrad	0:cdf462088d13	1380	"$P_CLI debug_level=3 exchanges=2" \
markrad	0:cdf462088d13	1381	0 \
markrad	0:cdf462088d13	1382	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1383	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1384	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1385	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1386	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1387	-C "=> renegotiate" \
markrad	0:cdf462088d13	1388	-S "=> renegotiate" \
markrad	0:cdf462088d13	1389	-S "write hello request"
markrad	0:cdf462088d13	1390
markrad	0:cdf462088d13	1391	run_test "Renegotiation: client-initiated" \
markrad	0:cdf462088d13	1392	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad	0:cdf462088d13	1393	"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1394	0 \
markrad	0:cdf462088d13	1395	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1396	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1397	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1398	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1399	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1400	-c "=> renegotiate" \
markrad	0:cdf462088d13	1401	-s "=> renegotiate" \
markrad	0:cdf462088d13	1402	-S "write hello request"
markrad	0:cdf462088d13	1403
markrad	0:cdf462088d13	1404	run_test "Renegotiation: server-initiated" \
markrad	0:cdf462088d13	1405	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad	0:cdf462088d13	1406	"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad	0:cdf462088d13	1407	0 \
markrad	0:cdf462088d13	1408	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1409	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1410	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1411	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1412	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1413	-c "=> renegotiate" \
markrad	0:cdf462088d13	1414	-s "=> renegotiate" \
markrad	0:cdf462088d13	1415	-s "write hello request"
markrad	0:cdf462088d13	1416
markrad	0:cdf462088d13	1417	run_test "Renegotiation: double" \
markrad	0:cdf462088d13	1418	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad	0:cdf462088d13	1419	"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1420	0 \
markrad	0:cdf462088d13	1421	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1422	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1423	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1424	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1425	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1426	-c "=> renegotiate" \
markrad	0:cdf462088d13	1427	-s "=> renegotiate" \
markrad	0:cdf462088d13	1428	-s "write hello request"
markrad	0:cdf462088d13	1429
markrad	0:cdf462088d13	1430	run_test "Renegotiation: client-initiated, server-rejected" \
markrad	0:cdf462088d13	1431	"$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
markrad	0:cdf462088d13	1432	"$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1433	1 \
markrad	0:cdf462088d13	1434	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1435	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1436	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1437	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1438	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1439	-c "=> renegotiate" \
markrad	0:cdf462088d13	1440	-S "=> renegotiate" \
markrad	0:cdf462088d13	1441	-S "write hello request" \
markrad	0:cdf462088d13	1442	-c "SSL - Unexpected message at ServerHello in renegotiation" \
markrad	0:cdf462088d13	1443	-c "failed"
markrad	0:cdf462088d13	1444
markrad	0:cdf462088d13	1445	run_test "Renegotiation: server-initiated, client-rejected, default" \
markrad	0:cdf462088d13	1446	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad	0:cdf462088d13	1447	"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad	0:cdf462088d13	1448	0 \
markrad	0:cdf462088d13	1449	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1450	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1451	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1452	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1453	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1454	-C "=> renegotiate" \
markrad	0:cdf462088d13	1455	-S "=> renegotiate" \
markrad	0:cdf462088d13	1456	-s "write hello request" \
markrad	0:cdf462088d13	1457	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1458	-S "failed"
markrad	0:cdf462088d13	1459
markrad	0:cdf462088d13	1460	run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
markrad	0:cdf462088d13	1461	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1462	renego_delay=-1 auth_mode=optional" \
markrad	0:cdf462088d13	1463	"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad	0:cdf462088d13	1464	0 \
markrad	0:cdf462088d13	1465	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1466	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1467	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1468	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1469	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1470	-C "=> renegotiate" \
markrad	0:cdf462088d13	1471	-S "=> renegotiate" \
markrad	0:cdf462088d13	1472	-s "write hello request" \
markrad	0:cdf462088d13	1473	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1474	-S "failed"
markrad	0:cdf462088d13	1475
markrad	0:cdf462088d13	1476	# delay 2 for 1 alert record + 1 application data record
markrad	0:cdf462088d13	1477	run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
markrad	0:cdf462088d13	1478	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1479	renego_delay=2 auth_mode=optional" \
markrad	0:cdf462088d13	1480	"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad	0:cdf462088d13	1481	0 \
markrad	0:cdf462088d13	1482	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1483	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1484	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1485	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1486	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1487	-C "=> renegotiate" \
markrad	0:cdf462088d13	1488	-S "=> renegotiate" \
markrad	0:cdf462088d13	1489	-s "write hello request" \
markrad	0:cdf462088d13	1490	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1491	-S "failed"
markrad	0:cdf462088d13	1492
markrad	0:cdf462088d13	1493	run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
markrad	0:cdf462088d13	1494	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1495	renego_delay=0 auth_mode=optional" \
markrad	0:cdf462088d13	1496	"$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad	0:cdf462088d13	1497	0 \
markrad	0:cdf462088d13	1498	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1499	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1500	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1501	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1502	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1503	-C "=> renegotiate" \
markrad	0:cdf462088d13	1504	-S "=> renegotiate" \
markrad	0:cdf462088d13	1505	-s "write hello request" \
markrad	0:cdf462088d13	1506	-s "SSL - An unexpected message was received from our peer"
markrad	0:cdf462088d13	1507
markrad	0:cdf462088d13	1508	run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
markrad	0:cdf462088d13	1509	"$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1510	renego_delay=0 auth_mode=optional" \
markrad	0:cdf462088d13	1511	"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad	0:cdf462088d13	1512	0 \
markrad	0:cdf462088d13	1513	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1514	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1515	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1516	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1517	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1518	-c "=> renegotiate" \
markrad	0:cdf462088d13	1519	-s "=> renegotiate" \
markrad	0:cdf462088d13	1520	-s "write hello request" \
markrad	0:cdf462088d13	1521	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1522	-S "failed"
markrad	0:cdf462088d13	1523
markrad	0:cdf462088d13	1524	run_test "Renegotiation: periodic, just below period" \
markrad	0:cdf462088d13	1525	"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad	0:cdf462088d13	1526	"$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad	0:cdf462088d13	1527	0 \
markrad	0:cdf462088d13	1528	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1529	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1530	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1531	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1532	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1533	-S "record counter limit reached: renegotiate" \
markrad	0:cdf462088d13	1534	-C "=> renegotiate" \
markrad	0:cdf462088d13	1535	-S "=> renegotiate" \
markrad	0:cdf462088d13	1536	-S "write hello request" \
markrad	0:cdf462088d13	1537	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1538	-S "failed"
markrad	0:cdf462088d13	1539
markrad	0:cdf462088d13	1540	# one extra exchange to be able to complete renego
markrad	0:cdf462088d13	1541	run_test "Renegotiation: periodic, just above period" \
markrad	0:cdf462088d13	1542	"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad	0:cdf462088d13	1543	"$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad	0:cdf462088d13	1544	0 \
markrad	0:cdf462088d13	1545	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1546	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1547	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1548	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1549	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1550	-s "record counter limit reached: renegotiate" \
markrad	0:cdf462088d13	1551	-c "=> renegotiate" \
markrad	0:cdf462088d13	1552	-s "=> renegotiate" \
markrad	0:cdf462088d13	1553	-s "write hello request" \
markrad	0:cdf462088d13	1554	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1555	-S "failed"
markrad	0:cdf462088d13	1556
markrad	0:cdf462088d13	1557	run_test "Renegotiation: periodic, two times period" \
markrad	0:cdf462088d13	1558	"$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad	0:cdf462088d13	1559	"$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
markrad	0:cdf462088d13	1560	0 \
markrad	0:cdf462088d13	1561	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1562	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1563	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1564	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1565	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1566	-s "record counter limit reached: renegotiate" \
markrad	0:cdf462088d13	1567	-c "=> renegotiate" \
markrad	0:cdf462088d13	1568	-s "=> renegotiate" \
markrad	0:cdf462088d13	1569	-s "write hello request" \
markrad	0:cdf462088d13	1570	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1571	-S "failed"
markrad	0:cdf462088d13	1572
markrad	0:cdf462088d13	1573	run_test "Renegotiation: periodic, above period, disabled" \
markrad	0:cdf462088d13	1574	"$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
markrad	0:cdf462088d13	1575	"$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad	0:cdf462088d13	1576	0 \
markrad	0:cdf462088d13	1577	-C "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1578	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1579	-S "found renegotiation extension" \
markrad	0:cdf462088d13	1580	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1581	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1582	-S "record counter limit reached: renegotiate" \
markrad	0:cdf462088d13	1583	-C "=> renegotiate" \
markrad	0:cdf462088d13	1584	-S "=> renegotiate" \
markrad	0:cdf462088d13	1585	-S "write hello request" \
markrad	0:cdf462088d13	1586	-S "SSL - An unexpected message was received from our peer" \
markrad	0:cdf462088d13	1587	-S "failed"
markrad	0:cdf462088d13	1588
markrad	0:cdf462088d13	1589	run_test "Renegotiation: nbio, client-initiated" \
markrad	0:cdf462088d13	1590	"$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad	0:cdf462088d13	1591	"$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1592	0 \
markrad	0:cdf462088d13	1593	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1594	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1595	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1596	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1597	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1598	-c "=> renegotiate" \
markrad	0:cdf462088d13	1599	-s "=> renegotiate" \
markrad	0:cdf462088d13	1600	-S "write hello request"
markrad	0:cdf462088d13	1601
markrad	0:cdf462088d13	1602	run_test "Renegotiation: nbio, server-initiated" \
markrad	0:cdf462088d13	1603	"$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad	0:cdf462088d13	1604	"$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
markrad	0:cdf462088d13	1605	0 \
markrad	0:cdf462088d13	1606	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1607	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1608	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1609	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1610	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1611	-c "=> renegotiate" \
markrad	0:cdf462088d13	1612	-s "=> renegotiate" \
markrad	0:cdf462088d13	1613	-s "write hello request"
markrad	0:cdf462088d13	1614
markrad	0:cdf462088d13	1615	run_test "Renegotiation: openssl server, client-initiated" \
markrad	0:cdf462088d13	1616	"$O_SRV -www" \
markrad	0:cdf462088d13	1617	"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1618	0 \
markrad	0:cdf462088d13	1619	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1620	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1621	-c "=> renegotiate" \
markrad	0:cdf462088d13	1622	-C "ssl_hanshake() returned" \
markrad	0:cdf462088d13	1623	-C "error" \
markrad	0:cdf462088d13	1624	-c "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1625
markrad	0:cdf462088d13	1626	requires_gnutls
markrad	0:cdf462088d13	1627	run_test "Renegotiation: gnutls server strict, client-initiated" \
markrad	0:cdf462088d13	1628	"$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1629	"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1630	0 \
markrad	0:cdf462088d13	1631	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1632	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1633	-c "=> renegotiate" \
markrad	0:cdf462088d13	1634	-C "ssl_hanshake() returned" \
markrad	0:cdf462088d13	1635	-C "error" \
markrad	0:cdf462088d13	1636	-c "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1637
markrad	0:cdf462088d13	1638	requires_gnutls
markrad	0:cdf462088d13	1639	run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
markrad	0:cdf462088d13	1640	"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1641	"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1642	1 \
markrad	0:cdf462088d13	1643	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1644	-C "found renegotiation extension" \
markrad	0:cdf462088d13	1645	-c "=> renegotiate" \
markrad	0:cdf462088d13	1646	-c "mbedtls_ssl_handshake() returned" \
markrad	0:cdf462088d13	1647	-c "error" \
markrad	0:cdf462088d13	1648	-C "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1649
markrad	0:cdf462088d13	1650	requires_gnutls
markrad	0:cdf462088d13	1651	run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
markrad	0:cdf462088d13	1652	"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1653	"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1654	allow_legacy=0" \
markrad	0:cdf462088d13	1655	1 \
markrad	0:cdf462088d13	1656	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1657	-C "found renegotiation extension" \
markrad	0:cdf462088d13	1658	-c "=> renegotiate" \
markrad	0:cdf462088d13	1659	-c "mbedtls_ssl_handshake() returned" \
markrad	0:cdf462088d13	1660	-c "error" \
markrad	0:cdf462088d13	1661	-C "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1662
markrad	0:cdf462088d13	1663	requires_gnutls
markrad	0:cdf462088d13	1664	run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
markrad	0:cdf462088d13	1665	"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1666	"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad	0:cdf462088d13	1667	allow_legacy=1" \
markrad	0:cdf462088d13	1668	0 \
markrad	0:cdf462088d13	1669	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1670	-C "found renegotiation extension" \
markrad	0:cdf462088d13	1671	-c "=> renegotiate" \
markrad	0:cdf462088d13	1672	-C "ssl_hanshake() returned" \
markrad	0:cdf462088d13	1673	-C "error" \
markrad	0:cdf462088d13	1674	-c "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1675
markrad	0:cdf462088d13	1676	run_test "Renegotiation: DTLS, client-initiated" \
markrad	0:cdf462088d13	1677	"$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
markrad	0:cdf462088d13	1678	"$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1679	0 \
markrad	0:cdf462088d13	1680	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1681	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1682	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1683	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1684	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1685	-c "=> renegotiate" \
markrad	0:cdf462088d13	1686	-s "=> renegotiate" \
markrad	0:cdf462088d13	1687	-S "write hello request"
markrad	0:cdf462088d13	1688
markrad	0:cdf462088d13	1689	run_test "Renegotiation: DTLS, server-initiated" \
markrad	0:cdf462088d13	1690	"$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1691	"$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
markrad	0:cdf462088d13	1692	read_timeout=1000 max_resend=2" \
markrad	0:cdf462088d13	1693	0 \
markrad	0:cdf462088d13	1694	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1695	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad	0:cdf462088d13	1696	-s "found renegotiation extension" \
markrad	0:cdf462088d13	1697	-s "server hello, secure renegotiation extension" \
markrad	0:cdf462088d13	1698	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1699	-c "=> renegotiate" \
markrad	0:cdf462088d13	1700	-s "=> renegotiate" \
markrad	0:cdf462088d13	1701	-s "write hello request"
markrad	0:cdf462088d13	1702
Jasper Wallace	1:9ebc941037d5	1703	run_test "Renegotiation: DTLS, renego_period overflow" \
Jasper Wallace	1:9ebc941037d5	1704	"$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
Jasper Wallace	1:9ebc941037d5	1705	"$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
Jasper Wallace	1:9ebc941037d5	1706	0 \
Jasper Wallace	1:9ebc941037d5	1707	-c "client hello, adding renegotiation extension" \
Jasper Wallace	1:9ebc941037d5	1708	-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
Jasper Wallace	1:9ebc941037d5	1709	-s "found renegotiation extension" \
Jasper Wallace	1:9ebc941037d5	1710	-s "server hello, secure renegotiation extension" \
Jasper Wallace	1:9ebc941037d5	1711	-s "record counter limit reached: renegotiate" \
Jasper Wallace	1:9ebc941037d5	1712	-c "=> renegotiate" \
Jasper Wallace	1:9ebc941037d5	1713	-s "=> renegotiate" \
Jasper Wallace	1:9ebc941037d5	1714	-s "write hello request" \
Jasper Wallace	1:9ebc941037d5	1715
markrad	0:cdf462088d13	1716	requires_gnutls
markrad	0:cdf462088d13	1717	run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
markrad	0:cdf462088d13	1718	"$G_SRV -u --mtu 4096" \
markrad	0:cdf462088d13	1719	"$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	1720	0 \
markrad	0:cdf462088d13	1721	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	1722	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1723	-c "=> renegotiate" \
markrad	0:cdf462088d13	1724	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	1725	-C "error" \
markrad	0:cdf462088d13	1726	-s "Extra-header:"
markrad	0:cdf462088d13	1727
markrad	0:cdf462088d13	1728	# Test for the "secure renegotation" extension only (no actual renegotiation)
markrad	0:cdf462088d13	1729
markrad	0:cdf462088d13	1730	requires_gnutls
markrad	0:cdf462088d13	1731	run_test "Renego ext: gnutls server strict, client default" \
markrad	0:cdf462088d13	1732	"$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1733	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	1734	0 \
markrad	0:cdf462088d13	1735	-c "found renegotiation extension" \
markrad	0:cdf462088d13	1736	-C "error" \
markrad	0:cdf462088d13	1737	-c "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1738
markrad	0:cdf462088d13	1739	requires_gnutls
markrad	0:cdf462088d13	1740	run_test "Renego ext: gnutls server unsafe, client default" \
markrad	0:cdf462088d13	1741	"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1742	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	1743	0 \
markrad	0:cdf462088d13	1744	-C "found renegotiation extension" \
markrad	0:cdf462088d13	1745	-C "error" \
markrad	0:cdf462088d13	1746	-c "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1747
markrad	0:cdf462088d13	1748	requires_gnutls
markrad	0:cdf462088d13	1749	run_test "Renego ext: gnutls server unsafe, client break legacy" \
markrad	0:cdf462088d13	1750	"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1751	"$P_CLI debug_level=3 allow_legacy=-1" \
markrad	0:cdf462088d13	1752	1 \
markrad	0:cdf462088d13	1753	-C "found renegotiation extension" \
markrad	0:cdf462088d13	1754	-c "error" \
markrad	0:cdf462088d13	1755	-C "HTTP/1.0 200 [Oo][Kk]"
markrad	0:cdf462088d13	1756
markrad	0:cdf462088d13	1757	requires_gnutls
markrad	0:cdf462088d13	1758	run_test "Renego ext: gnutls client strict, server default" \
markrad	0:cdf462088d13	1759	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1760	"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1761	0 \
markrad	0:cdf462088d13	1762	-s "received TLS_EMPTY_RENEGOTIATION_INFO\\|found renegotiation extension" \
markrad	0:cdf462088d13	1763	-s "server hello, secure renegotiation extension"
markrad	0:cdf462088d13	1764
markrad	0:cdf462088d13	1765	requires_gnutls
markrad	0:cdf462088d13	1766	run_test "Renego ext: gnutls client unsafe, server default" \
markrad	0:cdf462088d13	1767	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	1768	"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1769	0 \
markrad	0:cdf462088d13	1770	-S "received TLS_EMPTY_RENEGOTIATION_INFO\\|found renegotiation extension" \
markrad	0:cdf462088d13	1771	-S "server hello, secure renegotiation extension"
markrad	0:cdf462088d13	1772
markrad	0:cdf462088d13	1773	requires_gnutls
markrad	0:cdf462088d13	1774	run_test "Renego ext: gnutls client unsafe, server break legacy" \
markrad	0:cdf462088d13	1775	"$P_SRV debug_level=3 allow_legacy=-1" \
markrad	0:cdf462088d13	1776	"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	1777	1 \
markrad	0:cdf462088d13	1778	-S "received TLS_EMPTY_RENEGOTIATION_INFO\\|found renegotiation extension" \
markrad	0:cdf462088d13	1779	-S "server hello, secure renegotiation extension"
markrad	0:cdf462088d13	1780
markrad	0:cdf462088d13	1781	# Tests for silently dropping trailing extra bytes in .der certificates
markrad	0:cdf462088d13	1782
markrad	0:cdf462088d13	1783	requires_gnutls
markrad	0:cdf462088d13	1784	run_test "DER format: no trailing bytes" \
markrad	0:cdf462088d13	1785	"$P_SRV crt_file=data_files/server5-der0.crt \
markrad	0:cdf462088d13	1786	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1787	"$G_CLI " \
markrad	0:cdf462088d13	1788	0 \
markrad	0:cdf462088d13	1789	-c "Handshake was completed" \
markrad	0:cdf462088d13	1790
markrad	0:cdf462088d13	1791	requires_gnutls
markrad	0:cdf462088d13	1792	run_test "DER format: with a trailing zero byte" \
markrad	0:cdf462088d13	1793	"$P_SRV crt_file=data_files/server5-der1a.crt \
markrad	0:cdf462088d13	1794	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1795	"$G_CLI " \
markrad	0:cdf462088d13	1796	0 \
markrad	0:cdf462088d13	1797	-c "Handshake was completed" \
markrad	0:cdf462088d13	1798
markrad	0:cdf462088d13	1799	requires_gnutls
markrad	0:cdf462088d13	1800	run_test "DER format: with a trailing random byte" \
markrad	0:cdf462088d13	1801	"$P_SRV crt_file=data_files/server5-der1b.crt \
markrad	0:cdf462088d13	1802	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1803	"$G_CLI " \
markrad	0:cdf462088d13	1804	0 \
markrad	0:cdf462088d13	1805	-c "Handshake was completed" \
markrad	0:cdf462088d13	1806
markrad	0:cdf462088d13	1807	requires_gnutls
markrad	0:cdf462088d13	1808	run_test "DER format: with 2 trailing random bytes" \
markrad	0:cdf462088d13	1809	"$P_SRV crt_file=data_files/server5-der2.crt \
markrad	0:cdf462088d13	1810	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1811	"$G_CLI " \
markrad	0:cdf462088d13	1812	0 \
markrad	0:cdf462088d13	1813	-c "Handshake was completed" \
markrad	0:cdf462088d13	1814
markrad	0:cdf462088d13	1815	requires_gnutls
markrad	0:cdf462088d13	1816	run_test "DER format: with 4 trailing random bytes" \
markrad	0:cdf462088d13	1817	"$P_SRV crt_file=data_files/server5-der4.crt \
markrad	0:cdf462088d13	1818	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1819	"$G_CLI " \
markrad	0:cdf462088d13	1820	0 \
markrad	0:cdf462088d13	1821	-c "Handshake was completed" \
markrad	0:cdf462088d13	1822
markrad	0:cdf462088d13	1823	requires_gnutls
markrad	0:cdf462088d13	1824	run_test "DER format: with 8 trailing random bytes" \
markrad	0:cdf462088d13	1825	"$P_SRV crt_file=data_files/server5-der8.crt \
markrad	0:cdf462088d13	1826	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1827	"$G_CLI " \
markrad	0:cdf462088d13	1828	0 \
markrad	0:cdf462088d13	1829	-c "Handshake was completed" \
markrad	0:cdf462088d13	1830
markrad	0:cdf462088d13	1831	requires_gnutls
markrad	0:cdf462088d13	1832	run_test "DER format: with 9 trailing random bytes" \
markrad	0:cdf462088d13	1833	"$P_SRV crt_file=data_files/server5-der9.crt \
markrad	0:cdf462088d13	1834	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1835	"$G_CLI " \
markrad	0:cdf462088d13	1836	0 \
markrad	0:cdf462088d13	1837	-c "Handshake was completed" \
markrad	0:cdf462088d13	1838
markrad	0:cdf462088d13	1839	# Tests for auth_mode
markrad	0:cdf462088d13	1840
markrad	0:cdf462088d13	1841	run_test "Authentication: server badcert, client required" \
markrad	0:cdf462088d13	1842	"$P_SRV crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	1843	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1844	"$P_CLI debug_level=1 auth_mode=required" \
markrad	0:cdf462088d13	1845	1 \
markrad	0:cdf462088d13	1846	-c "x509_verify_cert() returned" \
markrad	0:cdf462088d13	1847	-c "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	1848	-c "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	1849	-c "X509 - Certificate verification failed"
markrad	0:cdf462088d13	1850
markrad	0:cdf462088d13	1851	run_test "Authentication: server badcert, client optional" \
markrad	0:cdf462088d13	1852	"$P_SRV crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	1853	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1854	"$P_CLI debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	1855	0 \
markrad	0:cdf462088d13	1856	-c "x509_verify_cert() returned" \
markrad	0:cdf462088d13	1857	-c "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	1858	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	1859	-C "X509 - Certificate verification failed"
markrad	0:cdf462088d13	1860
Jasper Wallace	2:bbdeda018a3c	1861	run_test "Authentication: server goodcert, client optional, no trusted CA" \
Jasper Wallace	2:bbdeda018a3c	1862	"$P_SRV" \
Jasper Wallace	2:bbdeda018a3c	1863	"$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
Jasper Wallace	2:bbdeda018a3c	1864	0 \
Jasper Wallace	2:bbdeda018a3c	1865	-c "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	1866	-c "! The certificate is not correctly signed by the trusted CA" \
Jasper Wallace	2:bbdeda018a3c	1867	-c "! Certificate verification flags"\
Jasper Wallace	2:bbdeda018a3c	1868	-C "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1869	-C "X509 - Certificate verification failed" \
Jasper Wallace	2:bbdeda018a3c	1870	-C "SSL - No CA Chain is set, but required to operate"
Jasper Wallace	2:bbdeda018a3c	1871
Jasper Wallace	2:bbdeda018a3c	1872	run_test "Authentication: server goodcert, client required, no trusted CA" \
Jasper Wallace	2:bbdeda018a3c	1873	"$P_SRV" \
Jasper Wallace	2:bbdeda018a3c	1874	"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
Jasper Wallace	2:bbdeda018a3c	1875	1 \
Jasper Wallace	2:bbdeda018a3c	1876	-c "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	1877	-c "! The certificate is not correctly signed by the trusted CA" \
Jasper Wallace	2:bbdeda018a3c	1878	-c "! Certificate verification flags"\
Jasper Wallace	2:bbdeda018a3c	1879	-c "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1880	-c "SSL - No CA Chain is set, but required to operate"
Jasper Wallace	2:bbdeda018a3c	1881
Jasper Wallace	2:bbdeda018a3c	1882	# The purpose of the next two tests is to test the client's behaviour when receiving a server
Jasper Wallace	2:bbdeda018a3c	1883	# certificate with an unsupported elliptic curve. This should usually not happen because
Jasper Wallace	2:bbdeda018a3c	1884	# the client informs the server about the supported curves - it does, though, in the
Jasper Wallace	2:bbdeda018a3c	1885	# corner case of a static ECDH suite, because the server doesn't check the curve on that
Jasper Wallace	2:bbdeda018a3c	1886	# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
Jasper Wallace	2:bbdeda018a3c	1887	# different means to have the server ignoring the client's supported curve list.
Jasper Wallace	2:bbdeda018a3c	1888
Jasper Wallace	2:bbdeda018a3c	1889	requires_config_enabled MBEDTLS_ECP_C
Jasper Wallace	2:bbdeda018a3c	1890	run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
Jasper Wallace	2:bbdeda018a3c	1891	"$P_SRV debug_level=1 key_file=data_files/server5.key \
Jasper Wallace	2:bbdeda018a3c	1892	crt_file=data_files/server5.ku-ka.crt" \
Jasper Wallace	2:bbdeda018a3c	1893	"$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
Jasper Wallace	2:bbdeda018a3c	1894	1 \
Jasper Wallace	2:bbdeda018a3c	1895	-c "bad certificate (EC key curve)"\
Jasper Wallace	2:bbdeda018a3c	1896	-c "! Certificate verification flags"\
Jasper Wallace	2:bbdeda018a3c	1897	-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
Jasper Wallace	2:bbdeda018a3c	1898
Jasper Wallace	2:bbdeda018a3c	1899	requires_config_enabled MBEDTLS_ECP_C
Jasper Wallace	2:bbdeda018a3c	1900	run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
Jasper Wallace	2:bbdeda018a3c	1901	"$P_SRV debug_level=1 key_file=data_files/server5.key \
Jasper Wallace	2:bbdeda018a3c	1902	crt_file=data_files/server5.ku-ka.crt" \
Jasper Wallace	2:bbdeda018a3c	1903	"$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
Jasper Wallace	2:bbdeda018a3c	1904	1 \
Jasper Wallace	2:bbdeda018a3c	1905	-c "bad certificate (EC key curve)"\
Jasper Wallace	2:bbdeda018a3c	1906	-c "! Certificate verification flags"\
Jasper Wallace	2:bbdeda018a3c	1907	-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
Jasper Wallace	2:bbdeda018a3c	1908
markrad	0:cdf462088d13	1909	run_test "Authentication: server badcert, client none" \
markrad	0:cdf462088d13	1910	"$P_SRV crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	1911	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1912	"$P_CLI debug_level=1 auth_mode=none" \
markrad	0:cdf462088d13	1913	0 \
markrad	0:cdf462088d13	1914	-C "x509_verify_cert() returned" \
markrad	0:cdf462088d13	1915	-C "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	1916	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	1917	-C "X509 - Certificate verification failed"
markrad	0:cdf462088d13	1918
markrad	0:cdf462088d13	1919	run_test "Authentication: client SHA256, server required" \
markrad	0:cdf462088d13	1920	"$P_SRV auth_mode=required" \
markrad	0:cdf462088d13	1921	"$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad	0:cdf462088d13	1922	key_file=data_files/server6.key \
markrad	0:cdf462088d13	1923	force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad	0:cdf462088d13	1924	0 \
markrad	0:cdf462088d13	1925	-c "Supported Signature Algorithm found: 4," \
markrad	0:cdf462088d13	1926	-c "Supported Signature Algorithm found: 5,"
markrad	0:cdf462088d13	1927
markrad	0:cdf462088d13	1928	run_test "Authentication: client SHA384, server required" \
markrad	0:cdf462088d13	1929	"$P_SRV auth_mode=required" \
markrad	0:cdf462088d13	1930	"$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad	0:cdf462088d13	1931	key_file=data_files/server6.key \
markrad	0:cdf462088d13	1932	force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	1933	0 \
markrad	0:cdf462088d13	1934	-c "Supported Signature Algorithm found: 4," \
markrad	0:cdf462088d13	1935	-c "Supported Signature Algorithm found: 5,"
markrad	0:cdf462088d13	1936
Jasper Wallace	2:bbdeda018a3c	1937	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
Jasper Wallace	2:bbdeda018a3c	1938	run_test "Authentication: client has no cert, server required (SSLv3)" \
Jasper Wallace	2:bbdeda018a3c	1939	"$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	1940	"$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
Jasper Wallace	2:bbdeda018a3c	1941	key_file=data_files/server5.key" \
Jasper Wallace	2:bbdeda018a3c	1942	1 \
Jasper Wallace	2:bbdeda018a3c	1943	-S "skip write certificate request" \
Jasper Wallace	2:bbdeda018a3c	1944	-C "skip parse certificate request" \
Jasper Wallace	2:bbdeda018a3c	1945	-c "got a certificate request" \
Jasper Wallace	2:bbdeda018a3c	1946	-c "got no certificate to send" \
Jasper Wallace	2:bbdeda018a3c	1947	-S "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	1948	-s "client has no certificate" \
Jasper Wallace	2:bbdeda018a3c	1949	-s "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1950	-c "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1951	-s "No client certification received from the client, but required by the authentication mode"
Jasper Wallace	2:bbdeda018a3c	1952
Jasper Wallace	2:bbdeda018a3c	1953	run_test "Authentication: client has no cert, server required (TLS)" \
Jasper Wallace	2:bbdeda018a3c	1954	"$P_SRV debug_level=3 auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	1955	"$P_CLI debug_level=3 crt_file=none \
Jasper Wallace	2:bbdeda018a3c	1956	key_file=data_files/server5.key" \
Jasper Wallace	2:bbdeda018a3c	1957	1 \
Jasper Wallace	2:bbdeda018a3c	1958	-S "skip write certificate request" \
Jasper Wallace	2:bbdeda018a3c	1959	-C "skip parse certificate request" \
Jasper Wallace	2:bbdeda018a3c	1960	-c "got a certificate request" \
Jasper Wallace	2:bbdeda018a3c	1961	-c "= write certificate$" \
Jasper Wallace	2:bbdeda018a3c	1962	-C "skip write certificate$" \
Jasper Wallace	2:bbdeda018a3c	1963	-S "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	1964	-s "client has no certificate" \
Jasper Wallace	2:bbdeda018a3c	1965	-s "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1966	-c "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1967	-s "No client certification received from the client, but required by the authentication mode"
Jasper Wallace	2:bbdeda018a3c	1968
markrad	0:cdf462088d13	1969	run_test "Authentication: client badcert, server required" \
markrad	0:cdf462088d13	1970	"$P_SRV debug_level=3 auth_mode=required" \
markrad	0:cdf462088d13	1971	"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	1972	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	1973	1 \
markrad	0:cdf462088d13	1974	-S "skip write certificate request" \
markrad	0:cdf462088d13	1975	-C "skip parse certificate request" \
markrad	0:cdf462088d13	1976	-c "got a certificate request" \
markrad	0:cdf462088d13	1977	-C "skip write certificate" \
markrad	0:cdf462088d13	1978	-C "skip write certificate verify" \
markrad	0:cdf462088d13	1979	-S "skip parse certificate verify" \
markrad	0:cdf462088d13	1980	-s "x509_verify_cert() returned" \
markrad	0:cdf462088d13	1981	-s "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	1982	-s "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1983	-s "send alert level=2 message=48" \
Jasper Wallace	2:bbdeda018a3c	1984	-c "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	1985	-s "X509 - Certificate verification failed"
Jasper Wallace	2:bbdeda018a3c	1986	# We don't check that the client receives the alert because it might
Jasper Wallace	2:bbdeda018a3c	1987	# detect that its write end of the connection is closed and abort
Jasper Wallace	2:bbdeda018a3c	1988	# before reading the alert message.
Jasper Wallace	2:bbdeda018a3c	1989
Jasper Wallace	2:bbdeda018a3c	1990	run_test "Authentication: client cert not trusted, server required" \
Jasper Wallace	2:bbdeda018a3c	1991	"$P_SRV debug_level=3 auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	1992	"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
Jasper Wallace	2:bbdeda018a3c	1993	key_file=data_files/server5.key" \
Jasper Wallace	2:bbdeda018a3c	1994	1 \
Jasper Wallace	2:bbdeda018a3c	1995	-S "skip write certificate request" \
Jasper Wallace	2:bbdeda018a3c	1996	-C "skip parse certificate request" \
Jasper Wallace	2:bbdeda018a3c	1997	-c "got a certificate request" \
Jasper Wallace	2:bbdeda018a3c	1998	-C "skip write certificate" \
Jasper Wallace	2:bbdeda018a3c	1999	-C "skip write certificate verify" \
Jasper Wallace	2:bbdeda018a3c	2000	-S "skip parse certificate verify" \
Jasper Wallace	2:bbdeda018a3c	2001	-s "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	2002	-s "! The certificate is not correctly signed by the trusted CA" \
Jasper Wallace	2:bbdeda018a3c	2003	-s "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2004	-c "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2005	-s "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2006
markrad	0:cdf462088d13	2007	run_test "Authentication: client badcert, server optional" \
markrad	0:cdf462088d13	2008	"$P_SRV debug_level=3 auth_mode=optional" \
markrad	0:cdf462088d13	2009	"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	2010	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	2011	0 \
markrad	0:cdf462088d13	2012	-S "skip write certificate request" \
markrad	0:cdf462088d13	2013	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2014	-c "got a certificate request" \
markrad	0:cdf462088d13	2015	-C "skip write certificate" \
markrad	0:cdf462088d13	2016	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2017	-S "skip parse certificate verify" \
markrad	0:cdf462088d13	2018	-s "x509_verify_cert() returned" \
markrad	0:cdf462088d13	2019	-s "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	2020	-S "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2021	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2022	-S "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2023
markrad	0:cdf462088d13	2024	run_test "Authentication: client badcert, server none" \
markrad	0:cdf462088d13	2025	"$P_SRV debug_level=3 auth_mode=none" \
markrad	0:cdf462088d13	2026	"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad	0:cdf462088d13	2027	key_file=data_files/server5.key" \
markrad	0:cdf462088d13	2028	0 \
markrad	0:cdf462088d13	2029	-s "skip write certificate request" \
markrad	0:cdf462088d13	2030	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2031	-c "got no certificate request" \
markrad	0:cdf462088d13	2032	-c "skip write certificate" \
markrad	0:cdf462088d13	2033	-c "skip write certificate verify" \
markrad	0:cdf462088d13	2034	-s "skip parse certificate verify" \
markrad	0:cdf462088d13	2035	-S "x509_verify_cert() returned" \
markrad	0:cdf462088d13	2036	-S "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	2037	-S "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2038	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2039	-S "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2040
markrad	0:cdf462088d13	2041	run_test "Authentication: client no cert, server optional" \
markrad	0:cdf462088d13	2042	"$P_SRV debug_level=3 auth_mode=optional" \
markrad	0:cdf462088d13	2043	"$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad	0:cdf462088d13	2044	0 \
markrad	0:cdf462088d13	2045	-S "skip write certificate request" \
markrad	0:cdf462088d13	2046	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2047	-c "got a certificate request" \
markrad	0:cdf462088d13	2048	-C "skip write certificate$" \
markrad	0:cdf462088d13	2049	-C "got no certificate to send" \
markrad	0:cdf462088d13	2050	-S "SSLv3 client has no certificate" \
markrad	0:cdf462088d13	2051	-c "skip write certificate verify" \
markrad	0:cdf462088d13	2052	-s "skip parse certificate verify" \
markrad	0:cdf462088d13	2053	-s "! Certificate was missing" \
markrad	0:cdf462088d13	2054	-S "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2055	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2056	-S "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2057
markrad	0:cdf462088d13	2058	run_test "Authentication: openssl client no cert, server optional" \
markrad	0:cdf462088d13	2059	"$P_SRV debug_level=3 auth_mode=optional" \
markrad	0:cdf462088d13	2060	"$O_CLI" \
markrad	0:cdf462088d13	2061	0 \
markrad	0:cdf462088d13	2062	-S "skip write certificate request" \
markrad	0:cdf462088d13	2063	-s "skip parse certificate verify" \
markrad	0:cdf462088d13	2064	-s "! Certificate was missing" \
markrad	0:cdf462088d13	2065	-S "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2066	-S "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2067
markrad	0:cdf462088d13	2068	run_test "Authentication: client no cert, openssl server optional" \
markrad	0:cdf462088d13	2069	"$O_SRV -verify 10" \
markrad	0:cdf462088d13	2070	"$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad	0:cdf462088d13	2071	0 \
markrad	0:cdf462088d13	2072	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2073	-c "got a certificate request" \
markrad	0:cdf462088d13	2074	-C "skip write certificate$" \
markrad	0:cdf462088d13	2075	-c "skip write certificate verify" \
markrad	0:cdf462088d13	2076	-C "! mbedtls_ssl_handshake returned"
markrad	0:cdf462088d13	2077
Jasper Wallace	2:bbdeda018a3c	2078	run_test "Authentication: client no cert, openssl server required" \
Jasper Wallace	2:bbdeda018a3c	2079	"$O_SRV -Verify 10" \
Jasper Wallace	2:bbdeda018a3c	2080	"$P_CLI debug_level=3 crt_file=none key_file=none" \
Jasper Wallace	2:bbdeda018a3c	2081	1 \
Jasper Wallace	2:bbdeda018a3c	2082	-C "skip parse certificate request" \
Jasper Wallace	2:bbdeda018a3c	2083	-c "got a certificate request" \
Jasper Wallace	2:bbdeda018a3c	2084	-C "skip write certificate$" \
Jasper Wallace	2:bbdeda018a3c	2085	-c "skip write certificate verify" \
Jasper Wallace	2:bbdeda018a3c	2086	-c "! mbedtls_ssl_handshake returned"
Jasper Wallace	2:bbdeda018a3c	2087
markrad	0:cdf462088d13	2088	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	2089	run_test "Authentication: client no cert, ssl3" \
markrad	0:cdf462088d13	2090	"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
markrad	0:cdf462088d13	2091	"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
markrad	0:cdf462088d13	2092	0 \
markrad	0:cdf462088d13	2093	-S "skip write certificate request" \
markrad	0:cdf462088d13	2094	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2095	-c "got a certificate request" \
markrad	0:cdf462088d13	2096	-C "skip write certificate$" \
markrad	0:cdf462088d13	2097	-c "skip write certificate verify" \
markrad	0:cdf462088d13	2098	-c "got no certificate to send" \
markrad	0:cdf462088d13	2099	-s "SSLv3 client has no certificate" \
markrad	0:cdf462088d13	2100	-s "skip parse certificate verify" \
markrad	0:cdf462088d13	2101	-s "! Certificate was missing" \
markrad	0:cdf462088d13	2102	-S "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2103	-C "! mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2104	-S "X509 - Certificate verification failed"
markrad	0:cdf462088d13	2105
Jasper Wallace	2:bbdeda018a3c	2106	# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
Jasper Wallace	2:bbdeda018a3c	2107	# default value (8)
Jasper Wallace	2:bbdeda018a3c	2108
Jasper Wallace	2:bbdeda018a3c	2109	MAX_IM_CA='8'
Jasper Wallace	2:bbdeda018a3c	2110	MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
Jasper Wallace	2:bbdeda018a3c	2111
Jasper Wallace	2:bbdeda018a3c	2112	if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
Jasper Wallace	2:bbdeda018a3c	2113	printf "The ${CONFIG_H} file contains a value for the configuration of\n"
Jasper Wallace	2:bbdeda018a3c	2114	printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
Jasper Wallace	2:bbdeda018a3c	2115	printf "test value of ${MAX_IM_CA}. \n"
Jasper Wallace	2:bbdeda018a3c	2116	printf "\n"
Jasper Wallace	2:bbdeda018a3c	2117	printf "The tests assume this value and if it changes, the tests in this\n"
Jasper Wallace	2:bbdeda018a3c	2118	printf "script should also be adjusted.\n"
Jasper Wallace	2:bbdeda018a3c	2119	printf "\n"
Jasper Wallace	2:bbdeda018a3c	2120
Jasper Wallace	2:bbdeda018a3c	2121	exit 1
Jasper Wallace	2:bbdeda018a3c	2122	fi
Jasper Wallace	2:bbdeda018a3c	2123
Jasper Wallace	2:bbdeda018a3c	2124	run_test "Authentication: server max_int chain, client default" \
Jasper Wallace	2:bbdeda018a3c	2125	"$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
Jasper Wallace	2:bbdeda018a3c	2126	key_file=data_files/dir-maxpath/09.key" \
Jasper Wallace	2:bbdeda018a3c	2127	"$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
Jasper Wallace	2:bbdeda018a3c	2128	0 \
Jasper Wallace	2:bbdeda018a3c	2129	-C "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2130
Jasper Wallace	2:bbdeda018a3c	2131	run_test "Authentication: server max_int+1 chain, client default" \
Jasper Wallace	2:bbdeda018a3c	2132	"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2133	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2134	"$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
Jasper Wallace	2:bbdeda018a3c	2135	1 \
Jasper Wallace	2:bbdeda018a3c	2136	-c "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2137
Jasper Wallace	2:bbdeda018a3c	2138	run_test "Authentication: server max_int+1 chain, client optional" \
Jasper Wallace	2:bbdeda018a3c	2139	"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2140	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2141	"$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
Jasper Wallace	2:bbdeda018a3c	2142	auth_mode=optional" \
Jasper Wallace	2:bbdeda018a3c	2143	1 \
Jasper Wallace	2:bbdeda018a3c	2144	-c "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2145
Jasper Wallace	2:bbdeda018a3c	2146	run_test "Authentication: server max_int+1 chain, client none" \
Jasper Wallace	2:bbdeda018a3c	2147	"$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2148	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2149	"$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
Jasper Wallace	2:bbdeda018a3c	2150	auth_mode=none" \
Jasper Wallace	2:bbdeda018a3c	2151	0 \
Jasper Wallace	2:bbdeda018a3c	2152	-C "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2153
Jasper Wallace	2:bbdeda018a3c	2154	run_test "Authentication: client max_int+1 chain, server default" \
Jasper Wallace	2:bbdeda018a3c	2155	"$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
Jasper Wallace	2:bbdeda018a3c	2156	"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2157	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2158	0 \
Jasper Wallace	2:bbdeda018a3c	2159	-S "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2160
Jasper Wallace	2:bbdeda018a3c	2161	run_test "Authentication: client max_int+1 chain, server optional" \
Jasper Wallace	2:bbdeda018a3c	2162	"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
Jasper Wallace	2:bbdeda018a3c	2163	"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2164	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2165	1 \
Jasper Wallace	2:bbdeda018a3c	2166	-s "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2167
Jasper Wallace	2:bbdeda018a3c	2168	run_test "Authentication: client max_int+1 chain, server required" \
Jasper Wallace	2:bbdeda018a3c	2169	"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	2170	"$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
Jasper Wallace	2:bbdeda018a3c	2171	key_file=data_files/dir-maxpath/10.key" \
Jasper Wallace	2:bbdeda018a3c	2172	1 \
Jasper Wallace	2:bbdeda018a3c	2173	-s "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2174
Jasper Wallace	2:bbdeda018a3c	2175	run_test "Authentication: client max_int chain, server required" \
Jasper Wallace	2:bbdeda018a3c	2176	"$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	2177	"$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
Jasper Wallace	2:bbdeda018a3c	2178	key_file=data_files/dir-maxpath/09.key" \
Jasper Wallace	2:bbdeda018a3c	2179	0 \
Jasper Wallace	2:bbdeda018a3c	2180	-S "X509 - A fatal error occured"
Jasper Wallace	2:bbdeda018a3c	2181
Jasper Wallace	2:bbdeda018a3c	2182	# Tests for CA list in CertificateRequest messages
Jasper Wallace	2:bbdeda018a3c	2183
Jasper Wallace	2:bbdeda018a3c	2184	run_test "Authentication: send CA list in CertificateRequest (default)" \
Jasper Wallace	2:bbdeda018a3c	2185	"$P_SRV debug_level=3 auth_mode=required" \
Jasper Wallace	2:bbdeda018a3c	2186	"$P_CLI crt_file=data_files/server6.crt \
Jasper Wallace	2:bbdeda018a3c	2187	key_file=data_files/server6.key" \
Jasper Wallace	2:bbdeda018a3c	2188	0 \
Jasper Wallace	2:bbdeda018a3c	2189	-s "requested DN"
Jasper Wallace	2:bbdeda018a3c	2190
Jasper Wallace	2:bbdeda018a3c	2191	run_test "Authentication: do not send CA list in CertificateRequest" \
Jasper Wallace	2:bbdeda018a3c	2192	"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
Jasper Wallace	2:bbdeda018a3c	2193	"$P_CLI crt_file=data_files/server6.crt \
Jasper Wallace	2:bbdeda018a3c	2194	key_file=data_files/server6.key" \
Jasper Wallace	2:bbdeda018a3c	2195	0 \
Jasper Wallace	2:bbdeda018a3c	2196	-S "requested DN"
Jasper Wallace	2:bbdeda018a3c	2197
Jasper Wallace	2:bbdeda018a3c	2198	run_test "Authentication: send CA list in CertificateRequest, client self signed" \
Jasper Wallace	2:bbdeda018a3c	2199	"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
Jasper Wallace	2:bbdeda018a3c	2200	"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
Jasper Wallace	2:bbdeda018a3c	2201	key_file=data_files/server5.key" \
Jasper Wallace	2:bbdeda018a3c	2202	1 \
Jasper Wallace	2:bbdeda018a3c	2203	-S "requested DN" \
Jasper Wallace	2:bbdeda018a3c	2204	-s "x509_verify_cert() returned" \
Jasper Wallace	2:bbdeda018a3c	2205	-s "! The certificate is not correctly signed by the trusted CA" \
Jasper Wallace	2:bbdeda018a3c	2206	-s "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	2207	-c "! mbedtls_ssl_handshake returned" \
Jasper Wallace	2:bbdeda018a3c	2208	-s "X509 - Certificate verification failed"
Jasper Wallace	2:bbdeda018a3c	2209
markrad	0:cdf462088d13	2210	# Tests for certificate selection based on SHA verson
markrad	0:cdf462088d13	2211
markrad	0:cdf462088d13	2212	run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
markrad	0:cdf462088d13	2213	"$P_SRV crt_file=data_files/server5.crt \
markrad	0:cdf462088d13	2214	key_file=data_files/server5.key \
markrad	0:cdf462088d13	2215	crt_file2=data_files/server5-sha1.crt \
markrad	0:cdf462088d13	2216	key_file2=data_files/server5.key" \
markrad	0:cdf462088d13	2217	"$P_CLI force_version=tls1_2" \
markrad	0:cdf462088d13	2218	0 \
markrad	0:cdf462088d13	2219	-c "signed using.*ECDSA with SHA256" \
markrad	0:cdf462088d13	2220	-C "signed using.*ECDSA with SHA1"
markrad	0:cdf462088d13	2221
markrad	0:cdf462088d13	2222	run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
markrad	0:cdf462088d13	2223	"$P_SRV crt_file=data_files/server5.crt \
markrad	0:cdf462088d13	2224	key_file=data_files/server5.key \
markrad	0:cdf462088d13	2225	crt_file2=data_files/server5-sha1.crt \
markrad	0:cdf462088d13	2226	key_file2=data_files/server5.key" \
markrad	0:cdf462088d13	2227	"$P_CLI force_version=tls1_1" \
markrad	0:cdf462088d13	2228	0 \
markrad	0:cdf462088d13	2229	-C "signed using.*ECDSA with SHA256" \
markrad	0:cdf462088d13	2230	-c "signed using.*ECDSA with SHA1"
markrad	0:cdf462088d13	2231
markrad	0:cdf462088d13	2232	run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
markrad	0:cdf462088d13	2233	"$P_SRV crt_file=data_files/server5.crt \
markrad	0:cdf462088d13	2234	key_file=data_files/server5.key \
markrad	0:cdf462088d13	2235	crt_file2=data_files/server5-sha1.crt \
markrad	0:cdf462088d13	2236	key_file2=data_files/server5.key" \
markrad	0:cdf462088d13	2237	"$P_CLI force_version=tls1" \
markrad	0:cdf462088d13	2238	0 \
markrad	0:cdf462088d13	2239	-C "signed using.*ECDSA with SHA256" \
markrad	0:cdf462088d13	2240	-c "signed using.*ECDSA with SHA1"
markrad	0:cdf462088d13	2241
markrad	0:cdf462088d13	2242	run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
markrad	0:cdf462088d13	2243	"$P_SRV crt_file=data_files/server5.crt \
markrad	0:cdf462088d13	2244	key_file=data_files/server5.key \
markrad	0:cdf462088d13	2245	crt_file2=data_files/server6.crt \
markrad	0:cdf462088d13	2246	key_file2=data_files/server6.key" \
markrad	0:cdf462088d13	2247	"$P_CLI force_version=tls1_1" \
markrad	0:cdf462088d13	2248	0 \
markrad	0:cdf462088d13	2249	-c "serial number.*09" \
markrad	0:cdf462088d13	2250	-c "signed using.*ECDSA with SHA256" \
markrad	0:cdf462088d13	2251	-C "signed using.*ECDSA with SHA1"
markrad	0:cdf462088d13	2252
markrad	0:cdf462088d13	2253	run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
markrad	0:cdf462088d13	2254	"$P_SRV crt_file=data_files/server6.crt \
markrad	0:cdf462088d13	2255	key_file=data_files/server6.key \
markrad	0:cdf462088d13	2256	crt_file2=data_files/server5.crt \
markrad	0:cdf462088d13	2257	key_file2=data_files/server5.key" \
markrad	0:cdf462088d13	2258	"$P_CLI force_version=tls1_1" \
markrad	0:cdf462088d13	2259	0 \
markrad	0:cdf462088d13	2260	-c "serial number.*0A" \
markrad	0:cdf462088d13	2261	-c "signed using.*ECDSA with SHA256" \
markrad	0:cdf462088d13	2262	-C "signed using.*ECDSA with SHA1"
markrad	0:cdf462088d13	2263
markrad	0:cdf462088d13	2264	# tests for SNI
markrad	0:cdf462088d13	2265
markrad	0:cdf462088d13	2266	run_test "SNI: no SNI callback" \
markrad	0:cdf462088d13	2267	"$P_SRV debug_level=3 \
markrad	0:cdf462088d13	2268	crt_file=data_files/server5.crt key_file=data_files/server5.key" \
markrad	0:cdf462088d13	2269	"$P_CLI server_name=localhost" \
markrad	0:cdf462088d13	2270	0 \
markrad	0:cdf462088d13	2271	-S "parse ServerName extension" \
markrad	0:cdf462088d13	2272	-c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
markrad	0:cdf462088d13	2273	-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad	0:cdf462088d13	2274
markrad	0:cdf462088d13	2275	run_test "SNI: matching cert 1" \
markrad	0:cdf462088d13	2276	"$P_SRV debug_level=3 \
markrad	0:cdf462088d13	2277	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2278	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad	0:cdf462088d13	2279	"$P_CLI server_name=localhost" \
markrad	0:cdf462088d13	2280	0 \
markrad	0:cdf462088d13	2281	-s "parse ServerName extension" \
markrad	0:cdf462088d13	2282	-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad	0:cdf462088d13	2283	-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad	0:cdf462088d13	2284
markrad	0:cdf462088d13	2285	run_test "SNI: matching cert 2" \
markrad	0:cdf462088d13	2286	"$P_SRV debug_level=3 \
markrad	0:cdf462088d13	2287	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2288	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad	0:cdf462088d13	2289	"$P_CLI server_name=polarssl.example" \
markrad	0:cdf462088d13	2290	0 \
markrad	0:cdf462088d13	2291	-s "parse ServerName extension" \
markrad	0:cdf462088d13	2292	-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad	0:cdf462088d13	2293	-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
markrad	0:cdf462088d13	2294
markrad	0:cdf462088d13	2295	run_test "SNI: no matching cert" \
markrad	0:cdf462088d13	2296	"$P_SRV debug_level=3 \
markrad	0:cdf462088d13	2297	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2298	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad	0:cdf462088d13	2299	"$P_CLI server_name=nonesuch.example" \
markrad	0:cdf462088d13	2300	1 \
markrad	0:cdf462088d13	2301	-s "parse ServerName extension" \
markrad	0:cdf462088d13	2302	-s "ssl_sni_wrapper() returned" \
markrad	0:cdf462088d13	2303	-s "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2304	-c "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2305	-c "SSL - A fatal alert message was received from our peer"
markrad	0:cdf462088d13	2306
markrad	0:cdf462088d13	2307	run_test "SNI: client auth no override: optional" \
markrad	0:cdf462088d13	2308	"$P_SRV debug_level=3 auth_mode=optional \
markrad	0:cdf462088d13	2309	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2310	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
markrad	0:cdf462088d13	2311	"$P_CLI debug_level=3 server_name=localhost" \
markrad	0:cdf462088d13	2312	0 \
markrad	0:cdf462088d13	2313	-S "skip write certificate request" \
markrad	0:cdf462088d13	2314	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2315	-c "got a certificate request" \
markrad	0:cdf462088d13	2316	-C "skip write certificate" \
markrad	0:cdf462088d13	2317	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2318	-S "skip parse certificate verify"
markrad	0:cdf462088d13	2319
markrad	0:cdf462088d13	2320	run_test "SNI: client auth override: none -> optional" \
markrad	0:cdf462088d13	2321	"$P_SRV debug_level=3 auth_mode=none \
markrad	0:cdf462088d13	2322	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2323	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
markrad	0:cdf462088d13	2324	"$P_CLI debug_level=3 server_name=localhost" \
markrad	0:cdf462088d13	2325	0 \
markrad	0:cdf462088d13	2326	-S "skip write certificate request" \
markrad	0:cdf462088d13	2327	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2328	-c "got a certificate request" \
markrad	0:cdf462088d13	2329	-C "skip write certificate" \
markrad	0:cdf462088d13	2330	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2331	-S "skip parse certificate verify"
markrad	0:cdf462088d13	2332
markrad	0:cdf462088d13	2333	run_test "SNI: client auth override: optional -> none" \
markrad	0:cdf462088d13	2334	"$P_SRV debug_level=3 auth_mode=optional \
markrad	0:cdf462088d13	2335	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2336	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
markrad	0:cdf462088d13	2337	"$P_CLI debug_level=3 server_name=localhost" \
markrad	0:cdf462088d13	2338	0 \
markrad	0:cdf462088d13	2339	-s "skip write certificate request" \
markrad	0:cdf462088d13	2340	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2341	-c "got no certificate request" \
markrad	0:cdf462088d13	2342	-c "skip write certificate" \
markrad	0:cdf462088d13	2343	-c "skip write certificate verify" \
markrad	0:cdf462088d13	2344	-s "skip parse certificate verify"
markrad	0:cdf462088d13	2345
markrad	0:cdf462088d13	2346	run_test "SNI: CA no override" \
markrad	0:cdf462088d13	2347	"$P_SRV debug_level=3 auth_mode=optional \
markrad	0:cdf462088d13	2348	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2349	ca_file=data_files/test-ca.crt \
markrad	0:cdf462088d13	2350	sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
markrad	0:cdf462088d13	2351	"$P_CLI debug_level=3 server_name=localhost \
markrad	0:cdf462088d13	2352	crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad	0:cdf462088d13	2353	1 \
markrad	0:cdf462088d13	2354	-S "skip write certificate request" \
markrad	0:cdf462088d13	2355	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2356	-c "got a certificate request" \
markrad	0:cdf462088d13	2357	-C "skip write certificate" \
markrad	0:cdf462088d13	2358	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2359	-S "skip parse certificate verify" \
markrad	0:cdf462088d13	2360	-s "x509_verify_cert() returned" \
markrad	0:cdf462088d13	2361	-s "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	2362	-S "The certificate has been revoked (is on a CRL)"
markrad	0:cdf462088d13	2363
markrad	0:cdf462088d13	2364	run_test "SNI: CA override" \
markrad	0:cdf462088d13	2365	"$P_SRV debug_level=3 auth_mode=optional \
markrad	0:cdf462088d13	2366	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2367	ca_file=data_files/test-ca.crt \
markrad	0:cdf462088d13	2368	sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
markrad	0:cdf462088d13	2369	"$P_CLI debug_level=3 server_name=localhost \
markrad	0:cdf462088d13	2370	crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad	0:cdf462088d13	2371	0 \
markrad	0:cdf462088d13	2372	-S "skip write certificate request" \
markrad	0:cdf462088d13	2373	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2374	-c "got a certificate request" \
markrad	0:cdf462088d13	2375	-C "skip write certificate" \
markrad	0:cdf462088d13	2376	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2377	-S "skip parse certificate verify" \
markrad	0:cdf462088d13	2378	-S "x509_verify_cert() returned" \
markrad	0:cdf462088d13	2379	-S "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	2380	-S "The certificate has been revoked (is on a CRL)"
markrad	0:cdf462088d13	2381
markrad	0:cdf462088d13	2382	run_test "SNI: CA override with CRL" \
markrad	0:cdf462088d13	2383	"$P_SRV debug_level=3 auth_mode=optional \
markrad	0:cdf462088d13	2384	crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad	0:cdf462088d13	2385	ca_file=data_files/test-ca.crt \
markrad	0:cdf462088d13	2386	sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
markrad	0:cdf462088d13	2387	"$P_CLI debug_level=3 server_name=localhost \
markrad	0:cdf462088d13	2388	crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad	0:cdf462088d13	2389	1 \
markrad	0:cdf462088d13	2390	-S "skip write certificate request" \
markrad	0:cdf462088d13	2391	-C "skip parse certificate request" \
markrad	0:cdf462088d13	2392	-c "got a certificate request" \
markrad	0:cdf462088d13	2393	-C "skip write certificate" \
markrad	0:cdf462088d13	2394	-C "skip write certificate verify" \
markrad	0:cdf462088d13	2395	-S "skip parse certificate verify" \
markrad	0:cdf462088d13	2396	-s "x509_verify_cert() returned" \
markrad	0:cdf462088d13	2397	-S "! The certificate is not correctly signed by the trusted CA" \
markrad	0:cdf462088d13	2398	-s "The certificate has been revoked (is on a CRL)"
markrad	0:cdf462088d13	2399
markrad	0:cdf462088d13	2400	# Tests for non-blocking I/O: exercise a variety of handshake flows
markrad	0:cdf462088d13	2401
markrad	0:cdf462088d13	2402	run_test "Non-blocking I/O: basic handshake" \
markrad	0:cdf462088d13	2403	"$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad	0:cdf462088d13	2404	"$P_CLI nbio=2 tickets=0" \
markrad	0:cdf462088d13	2405	0 \
markrad	0:cdf462088d13	2406	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2407	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2408	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2409
markrad	0:cdf462088d13	2410	run_test "Non-blocking I/O: client auth" \
markrad	0:cdf462088d13	2411	"$P_SRV nbio=2 tickets=0 auth_mode=required" \
markrad	0:cdf462088d13	2412	"$P_CLI nbio=2 tickets=0" \
markrad	0:cdf462088d13	2413	0 \
markrad	0:cdf462088d13	2414	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2415	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2416	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2417
markrad	0:cdf462088d13	2418	run_test "Non-blocking I/O: ticket" \
markrad	0:cdf462088d13	2419	"$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad	0:cdf462088d13	2420	"$P_CLI nbio=2 tickets=1" \
markrad	0:cdf462088d13	2421	0 \
markrad	0:cdf462088d13	2422	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2423	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2424	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2425
markrad	0:cdf462088d13	2426	run_test "Non-blocking I/O: ticket + client auth" \
markrad	0:cdf462088d13	2427	"$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad	0:cdf462088d13	2428	"$P_CLI nbio=2 tickets=1" \
markrad	0:cdf462088d13	2429	0 \
markrad	0:cdf462088d13	2430	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2431	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2432	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2433
markrad	0:cdf462088d13	2434	run_test "Non-blocking I/O: ticket + client auth + resume" \
markrad	0:cdf462088d13	2435	"$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad	0:cdf462088d13	2436	"$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	2437	0 \
markrad	0:cdf462088d13	2438	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2439	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2440	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2441
markrad	0:cdf462088d13	2442	run_test "Non-blocking I/O: ticket + resume" \
markrad	0:cdf462088d13	2443	"$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad	0:cdf462088d13	2444	"$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad	0:cdf462088d13	2445	0 \
markrad	0:cdf462088d13	2446	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2447	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2448	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2449
markrad	0:cdf462088d13	2450	run_test "Non-blocking I/O: session-id resume" \
markrad	0:cdf462088d13	2451	"$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad	0:cdf462088d13	2452	"$P_CLI nbio=2 tickets=0 reconnect=1" \
markrad	0:cdf462088d13	2453	0 \
markrad	0:cdf462088d13	2454	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2455	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2456	-c "Read from server: .* bytes read"
markrad	0:cdf462088d13	2457
markrad	0:cdf462088d13	2458	# Tests for version negotiation
markrad	0:cdf462088d13	2459
markrad	0:cdf462088d13	2460	run_test "Version check: all -> 1.2" \
markrad	0:cdf462088d13	2461	"$P_SRV" \
markrad	0:cdf462088d13	2462	"$P_CLI" \
markrad	0:cdf462088d13	2463	0 \
markrad	0:cdf462088d13	2464	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2465	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2466	-s "Protocol is TLSv1.2" \
markrad	0:cdf462088d13	2467	-c "Protocol is TLSv1.2"
markrad	0:cdf462088d13	2468
markrad	0:cdf462088d13	2469	run_test "Version check: cli max 1.1 -> 1.1" \
markrad	0:cdf462088d13	2470	"$P_SRV" \
markrad	0:cdf462088d13	2471	"$P_CLI max_version=tls1_1" \
markrad	0:cdf462088d13	2472	0 \
markrad	0:cdf462088d13	2473	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2474	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2475	-s "Protocol is TLSv1.1" \
markrad	0:cdf462088d13	2476	-c "Protocol is TLSv1.1"
markrad	0:cdf462088d13	2477
markrad	0:cdf462088d13	2478	run_test "Version check: srv max 1.1 -> 1.1" \
markrad	0:cdf462088d13	2479	"$P_SRV max_version=tls1_1" \
markrad	0:cdf462088d13	2480	"$P_CLI" \
markrad	0:cdf462088d13	2481	0 \
markrad	0:cdf462088d13	2482	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2483	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2484	-s "Protocol is TLSv1.1" \
markrad	0:cdf462088d13	2485	-c "Protocol is TLSv1.1"
markrad	0:cdf462088d13	2486
markrad	0:cdf462088d13	2487	run_test "Version check: cli+srv max 1.1 -> 1.1" \
markrad	0:cdf462088d13	2488	"$P_SRV max_version=tls1_1" \
markrad	0:cdf462088d13	2489	"$P_CLI max_version=tls1_1" \
markrad	0:cdf462088d13	2490	0 \
markrad	0:cdf462088d13	2491	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2492	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2493	-s "Protocol is TLSv1.1" \
markrad	0:cdf462088d13	2494	-c "Protocol is TLSv1.1"
markrad	0:cdf462088d13	2495
markrad	0:cdf462088d13	2496	run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
markrad	0:cdf462088d13	2497	"$P_SRV min_version=tls1_1" \
markrad	0:cdf462088d13	2498	"$P_CLI max_version=tls1_1" \
markrad	0:cdf462088d13	2499	0 \
markrad	0:cdf462088d13	2500	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2501	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2502	-s "Protocol is TLSv1.1" \
markrad	0:cdf462088d13	2503	-c "Protocol is TLSv1.1"
markrad	0:cdf462088d13	2504
markrad	0:cdf462088d13	2505	run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
markrad	0:cdf462088d13	2506	"$P_SRV max_version=tls1_1" \
markrad	0:cdf462088d13	2507	"$P_CLI min_version=tls1_1" \
markrad	0:cdf462088d13	2508	0 \
markrad	0:cdf462088d13	2509	-S "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2510	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2511	-s "Protocol is TLSv1.1" \
markrad	0:cdf462088d13	2512	-c "Protocol is TLSv1.1"
markrad	0:cdf462088d13	2513
markrad	0:cdf462088d13	2514	run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
markrad	0:cdf462088d13	2515	"$P_SRV max_version=tls1_1" \
markrad	0:cdf462088d13	2516	"$P_CLI min_version=tls1_2" \
markrad	0:cdf462088d13	2517	1 \
markrad	0:cdf462088d13	2518	-s "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2519	-c "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2520	-c "SSL - Handshake protocol not within min/max boundaries"
markrad	0:cdf462088d13	2521
markrad	0:cdf462088d13	2522	run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
markrad	0:cdf462088d13	2523	"$P_SRV min_version=tls1_2" \
markrad	0:cdf462088d13	2524	"$P_CLI max_version=tls1_1" \
markrad	0:cdf462088d13	2525	1 \
markrad	0:cdf462088d13	2526	-s "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2527	-c "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	2528	-s "SSL - Handshake protocol not within min/max boundaries"
markrad	0:cdf462088d13	2529
markrad	0:cdf462088d13	2530	# Tests for ALPN extension
markrad	0:cdf462088d13	2531
markrad	0:cdf462088d13	2532	run_test "ALPN: none" \
markrad	0:cdf462088d13	2533	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	2534	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	2535	0 \
markrad	0:cdf462088d13	2536	-C "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2537	-S "found alpn extension" \
markrad	0:cdf462088d13	2538	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2539	-S "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2540	-C "found alpn extension " \
markrad	0:cdf462088d13	2541	-C "Application Layer Protocol is" \
markrad	0:cdf462088d13	2542	-S "Application Layer Protocol is"
markrad	0:cdf462088d13	2543
markrad	0:cdf462088d13	2544	run_test "ALPN: client only" \
markrad	0:cdf462088d13	2545	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	2546	"$P_CLI debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2547	0 \
markrad	0:cdf462088d13	2548	-c "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2549	-s "found alpn extension" \
markrad	0:cdf462088d13	2550	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2551	-S "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2552	-C "found alpn extension " \
markrad	0:cdf462088d13	2553	-c "Application Layer Protocol is (none)" \
markrad	0:cdf462088d13	2554	-S "Application Layer Protocol is"
markrad	0:cdf462088d13	2555
markrad	0:cdf462088d13	2556	run_test "ALPN: server only" \
markrad	0:cdf462088d13	2557	"$P_SRV debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2558	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	2559	0 \
markrad	0:cdf462088d13	2560	-C "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2561	-S "found alpn extension" \
markrad	0:cdf462088d13	2562	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2563	-S "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2564	-C "found alpn extension " \
markrad	0:cdf462088d13	2565	-C "Application Layer Protocol is" \
markrad	0:cdf462088d13	2566	-s "Application Layer Protocol is (none)"
markrad	0:cdf462088d13	2567
markrad	0:cdf462088d13	2568	run_test "ALPN: both, common cli1-srv1" \
markrad	0:cdf462088d13	2569	"$P_SRV debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2570	"$P_CLI debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2571	0 \
markrad	0:cdf462088d13	2572	-c "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2573	-s "found alpn extension" \
markrad	0:cdf462088d13	2574	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2575	-s "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2576	-c "found alpn extension" \
markrad	0:cdf462088d13	2577	-c "Application Layer Protocol is abc" \
markrad	0:cdf462088d13	2578	-s "Application Layer Protocol is abc"
markrad	0:cdf462088d13	2579
markrad	0:cdf462088d13	2580	run_test "ALPN: both, common cli2-srv1" \
markrad	0:cdf462088d13	2581	"$P_SRV debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2582	"$P_CLI debug_level=3 alpn=1234,abc" \
markrad	0:cdf462088d13	2583	0 \
markrad	0:cdf462088d13	2584	-c "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2585	-s "found alpn extension" \
markrad	0:cdf462088d13	2586	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2587	-s "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2588	-c "found alpn extension" \
markrad	0:cdf462088d13	2589	-c "Application Layer Protocol is abc" \
markrad	0:cdf462088d13	2590	-s "Application Layer Protocol is abc"
markrad	0:cdf462088d13	2591
markrad	0:cdf462088d13	2592	run_test "ALPN: both, common cli1-srv2" \
markrad	0:cdf462088d13	2593	"$P_SRV debug_level=3 alpn=abc,1234" \
markrad	0:cdf462088d13	2594	"$P_CLI debug_level=3 alpn=1234,abcde" \
markrad	0:cdf462088d13	2595	0 \
markrad	0:cdf462088d13	2596	-c "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2597	-s "found alpn extension" \
markrad	0:cdf462088d13	2598	-C "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2599	-s "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2600	-c "found alpn extension" \
markrad	0:cdf462088d13	2601	-c "Application Layer Protocol is 1234" \
markrad	0:cdf462088d13	2602	-s "Application Layer Protocol is 1234"
markrad	0:cdf462088d13	2603
markrad	0:cdf462088d13	2604	run_test "ALPN: both, no common" \
markrad	0:cdf462088d13	2605	"$P_SRV debug_level=3 alpn=abc,123" \
markrad	0:cdf462088d13	2606	"$P_CLI debug_level=3 alpn=1234,abcde" \
markrad	0:cdf462088d13	2607	1 \
markrad	0:cdf462088d13	2608	-c "client hello, adding alpn extension" \
markrad	0:cdf462088d13	2609	-s "found alpn extension" \
markrad	0:cdf462088d13	2610	-c "got an alert message, type: \\[2:120]" \
markrad	0:cdf462088d13	2611	-S "server hello, adding alpn extension" \
markrad	0:cdf462088d13	2612	-C "found alpn extension" \
markrad	0:cdf462088d13	2613	-C "Application Layer Protocol is 1234" \
markrad	0:cdf462088d13	2614	-S "Application Layer Protocol is 1234"
markrad	0:cdf462088d13	2615
markrad	0:cdf462088d13	2616
markrad	0:cdf462088d13	2617	# Tests for keyUsage in leaf certificates, part 1:
markrad	0:cdf462088d13	2618	# server-side certificate/suite selection
markrad	0:cdf462088d13	2619
markrad	0:cdf462088d13	2620	run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
markrad	0:cdf462088d13	2621	"$P_SRV key_file=data_files/server2.key \
markrad	0:cdf462088d13	2622	crt_file=data_files/server2.ku-ds.crt" \
markrad	0:cdf462088d13	2623	"$P_CLI" \
markrad	0:cdf462088d13	2624	0 \
markrad	0:cdf462088d13	2625	-c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
markrad	0:cdf462088d13	2626
markrad	0:cdf462088d13	2627
markrad	0:cdf462088d13	2628	run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
markrad	0:cdf462088d13	2629	"$P_SRV key_file=data_files/server2.key \
markrad	0:cdf462088d13	2630	crt_file=data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2631	"$P_CLI" \
markrad	0:cdf462088d13	2632	0 \
markrad	0:cdf462088d13	2633	-c "Ciphersuite is TLS-RSA-WITH-"
markrad	0:cdf462088d13	2634
markrad	0:cdf462088d13	2635	run_test "keyUsage srv: RSA, keyAgreement -> fail" \
markrad	0:cdf462088d13	2636	"$P_SRV key_file=data_files/server2.key \
markrad	0:cdf462088d13	2637	crt_file=data_files/server2.ku-ka.crt" \
markrad	0:cdf462088d13	2638	"$P_CLI" \
markrad	0:cdf462088d13	2639	1 \
markrad	0:cdf462088d13	2640	-C "Ciphersuite is "
markrad	0:cdf462088d13	2641
markrad	0:cdf462088d13	2642	run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
markrad	0:cdf462088d13	2643	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2644	crt_file=data_files/server5.ku-ds.crt" \
markrad	0:cdf462088d13	2645	"$P_CLI" \
markrad	0:cdf462088d13	2646	0 \
markrad	0:cdf462088d13	2647	-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
markrad	0:cdf462088d13	2648
markrad	0:cdf462088d13	2649
markrad	0:cdf462088d13	2650	run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
markrad	0:cdf462088d13	2651	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2652	crt_file=data_files/server5.ku-ka.crt" \
markrad	0:cdf462088d13	2653	"$P_CLI" \
markrad	0:cdf462088d13	2654	0 \
markrad	0:cdf462088d13	2655	-c "Ciphersuite is TLS-ECDH-"
markrad	0:cdf462088d13	2656
markrad	0:cdf462088d13	2657	run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
markrad	0:cdf462088d13	2658	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2659	crt_file=data_files/server5.ku-ke.crt" \
markrad	0:cdf462088d13	2660	"$P_CLI" \
markrad	0:cdf462088d13	2661	1 \
markrad	0:cdf462088d13	2662	-C "Ciphersuite is "
markrad	0:cdf462088d13	2663
markrad	0:cdf462088d13	2664	# Tests for keyUsage in leaf certificates, part 2:
markrad	0:cdf462088d13	2665	# client-side checking of server cert
markrad	0:cdf462088d13	2666
markrad	0:cdf462088d13	2667	run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
markrad	0:cdf462088d13	2668	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2669	-cert data_files/server2.ku-ds_ke.crt" \
markrad	0:cdf462088d13	2670	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2671	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2672	0 \
markrad	0:cdf462088d13	2673	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2674	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2675	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2676
markrad	0:cdf462088d13	2677	run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
markrad	0:cdf462088d13	2678	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2679	-cert data_files/server2.ku-ds_ke.crt" \
markrad	0:cdf462088d13	2680	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2681	force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2682	0 \
markrad	0:cdf462088d13	2683	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2684	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2685	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2686
markrad	0:cdf462088d13	2687	run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
markrad	0:cdf462088d13	2688	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2689	-cert data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2690	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2691	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2692	0 \
markrad	0:cdf462088d13	2693	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2694	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2695	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2696
markrad	0:cdf462088d13	2697	run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
markrad	0:cdf462088d13	2698	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2699	-cert data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2700	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2701	force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2702	1 \
markrad	0:cdf462088d13	2703	-c "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2704	-c "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2705	-C "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2706
markrad	0:cdf462088d13	2707	run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
markrad	0:cdf462088d13	2708	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2709	-cert data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2710	"$P_CLI debug_level=1 auth_mode=optional \
markrad	0:cdf462088d13	2711	force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2712	0 \
markrad	0:cdf462088d13	2713	-c "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2714	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2715	-c "Ciphersuite is TLS-" \
markrad	0:cdf462088d13	2716	-c "! Usage does not match the keyUsage extension"
markrad	0:cdf462088d13	2717
markrad	0:cdf462088d13	2718	run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
markrad	0:cdf462088d13	2719	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2720	-cert data_files/server2.ku-ds.crt" \
markrad	0:cdf462088d13	2721	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2722	force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2723	0 \
markrad	0:cdf462088d13	2724	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2725	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2726	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2727
markrad	0:cdf462088d13	2728	run_test "keyUsage cli: DigitalSignature, RSA: fail" \
markrad	0:cdf462088d13	2729	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2730	-cert data_files/server2.ku-ds.crt" \
markrad	0:cdf462088d13	2731	"$P_CLI debug_level=1 \
markrad	0:cdf462088d13	2732	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2733	1 \
markrad	0:cdf462088d13	2734	-c "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2735	-c "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2736	-C "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2737
markrad	0:cdf462088d13	2738	run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
markrad	0:cdf462088d13	2739	"$O_SRV -key data_files/server2.key \
markrad	0:cdf462088d13	2740	-cert data_files/server2.ku-ds.crt" \
markrad	0:cdf462088d13	2741	"$P_CLI debug_level=1 auth_mode=optional \
markrad	0:cdf462088d13	2742	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	2743	0 \
markrad	0:cdf462088d13	2744	-c "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2745	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2746	-c "Ciphersuite is TLS-" \
markrad	0:cdf462088d13	2747	-c "! Usage does not match the keyUsage extension"
markrad	0:cdf462088d13	2748
markrad	0:cdf462088d13	2749	# Tests for keyUsage in leaf certificates, part 3:
markrad	0:cdf462088d13	2750	# server-side checking of client cert
markrad	0:cdf462088d13	2751
markrad	0:cdf462088d13	2752	run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
markrad	0:cdf462088d13	2753	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2754	"$O_CLI -key data_files/server2.key \
markrad	0:cdf462088d13	2755	-cert data_files/server2.ku-ds.crt" \
markrad	0:cdf462088d13	2756	0 \
markrad	0:cdf462088d13	2757	-S "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2758	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2759
markrad	0:cdf462088d13	2760	run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
markrad	0:cdf462088d13	2761	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2762	"$O_CLI -key data_files/server2.key \
markrad	0:cdf462088d13	2763	-cert data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2764	0 \
markrad	0:cdf462088d13	2765	-s "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2766	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2767
markrad	0:cdf462088d13	2768	run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
markrad	0:cdf462088d13	2769	"$P_SRV debug_level=1 auth_mode=required" \
markrad	0:cdf462088d13	2770	"$O_CLI -key data_files/server2.key \
markrad	0:cdf462088d13	2771	-cert data_files/server2.ku-ke.crt" \
markrad	0:cdf462088d13	2772	1 \
markrad	0:cdf462088d13	2773	-s "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2774	-s "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2775
markrad	0:cdf462088d13	2776	run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
markrad	0:cdf462088d13	2777	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2778	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2779	-cert data_files/server5.ku-ds.crt" \
markrad	0:cdf462088d13	2780	0 \
markrad	0:cdf462088d13	2781	-S "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2782	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2783
markrad	0:cdf462088d13	2784	run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
markrad	0:cdf462088d13	2785	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2786	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2787	-cert data_files/server5.ku-ka.crt" \
markrad	0:cdf462088d13	2788	0 \
markrad	0:cdf462088d13	2789	-s "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2790	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2791
markrad	0:cdf462088d13	2792	# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
markrad	0:cdf462088d13	2793
markrad	0:cdf462088d13	2794	run_test "extKeyUsage srv: serverAuth -> OK" \
markrad	0:cdf462088d13	2795	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2796	crt_file=data_files/server5.eku-srv.crt" \
markrad	0:cdf462088d13	2797	"$P_CLI" \
markrad	0:cdf462088d13	2798	0
markrad	0:cdf462088d13	2799
markrad	0:cdf462088d13	2800	run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
markrad	0:cdf462088d13	2801	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2802	crt_file=data_files/server5.eku-srv.crt" \
markrad	0:cdf462088d13	2803	"$P_CLI" \
markrad	0:cdf462088d13	2804	0
markrad	0:cdf462088d13	2805
markrad	0:cdf462088d13	2806	run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
markrad	0:cdf462088d13	2807	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2808	crt_file=data_files/server5.eku-cs_any.crt" \
markrad	0:cdf462088d13	2809	"$P_CLI" \
markrad	0:cdf462088d13	2810	0
markrad	0:cdf462088d13	2811
markrad	0:cdf462088d13	2812	run_test "extKeyUsage srv: codeSign -> fail" \
markrad	0:cdf462088d13	2813	"$P_SRV key_file=data_files/server5.key \
markrad	0:cdf462088d13	2814	crt_file=data_files/server5.eku-cli.crt" \
markrad	0:cdf462088d13	2815	"$P_CLI" \
markrad	0:cdf462088d13	2816	1
markrad	0:cdf462088d13	2817
markrad	0:cdf462088d13	2818	# Tests for extendedKeyUsage, part 2: client-side checking of server cert
markrad	0:cdf462088d13	2819
markrad	0:cdf462088d13	2820	run_test "extKeyUsage cli: serverAuth -> OK" \
markrad	0:cdf462088d13	2821	"$O_SRV -key data_files/server5.key \
markrad	0:cdf462088d13	2822	-cert data_files/server5.eku-srv.crt" \
markrad	0:cdf462088d13	2823	"$P_CLI debug_level=1" \
markrad	0:cdf462088d13	2824	0 \
markrad	0:cdf462088d13	2825	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2826	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2827	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2828
markrad	0:cdf462088d13	2829	run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
markrad	0:cdf462088d13	2830	"$O_SRV -key data_files/server5.key \
markrad	0:cdf462088d13	2831	-cert data_files/server5.eku-srv_cli.crt" \
markrad	0:cdf462088d13	2832	"$P_CLI debug_level=1" \
markrad	0:cdf462088d13	2833	0 \
markrad	0:cdf462088d13	2834	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2835	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2836	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2837
markrad	0:cdf462088d13	2838	run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
markrad	0:cdf462088d13	2839	"$O_SRV -key data_files/server5.key \
markrad	0:cdf462088d13	2840	-cert data_files/server5.eku-cs_any.crt" \
markrad	0:cdf462088d13	2841	"$P_CLI debug_level=1" \
markrad	0:cdf462088d13	2842	0 \
markrad	0:cdf462088d13	2843	-C "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2844	-C "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2845	-c "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2846
markrad	0:cdf462088d13	2847	run_test "extKeyUsage cli: codeSign -> fail" \
markrad	0:cdf462088d13	2848	"$O_SRV -key data_files/server5.key \
markrad	0:cdf462088d13	2849	-cert data_files/server5.eku-cs.crt" \
markrad	0:cdf462088d13	2850	"$P_CLI debug_level=1" \
markrad	0:cdf462088d13	2851	1 \
markrad	0:cdf462088d13	2852	-c "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2853	-c "Processing of the Certificate handshake message failed" \
markrad	0:cdf462088d13	2854	-C "Ciphersuite is TLS-"
markrad	0:cdf462088d13	2855
markrad	0:cdf462088d13	2856	# Tests for extendedKeyUsage, part 3: server-side checking of client cert
markrad	0:cdf462088d13	2857
markrad	0:cdf462088d13	2858	run_test "extKeyUsage cli-auth: clientAuth -> OK" \
markrad	0:cdf462088d13	2859	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2860	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2861	-cert data_files/server5.eku-cli.crt" \
markrad	0:cdf462088d13	2862	0 \
markrad	0:cdf462088d13	2863	-S "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2864	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2865
markrad	0:cdf462088d13	2866	run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
markrad	0:cdf462088d13	2867	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2868	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2869	-cert data_files/server5.eku-srv_cli.crt" \
markrad	0:cdf462088d13	2870	0 \
markrad	0:cdf462088d13	2871	-S "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2872	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2873
markrad	0:cdf462088d13	2874	run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
markrad	0:cdf462088d13	2875	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2876	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2877	-cert data_files/server5.eku-cs_any.crt" \
markrad	0:cdf462088d13	2878	0 \
markrad	0:cdf462088d13	2879	-S "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2880	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2881
markrad	0:cdf462088d13	2882	run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
markrad	0:cdf462088d13	2883	"$P_SRV debug_level=1 auth_mode=optional" \
markrad	0:cdf462088d13	2884	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2885	-cert data_files/server5.eku-cs.crt" \
markrad	0:cdf462088d13	2886	0 \
markrad	0:cdf462088d13	2887	-s "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2888	-S "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2889
markrad	0:cdf462088d13	2890	run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
markrad	0:cdf462088d13	2891	"$P_SRV debug_level=1 auth_mode=required" \
markrad	0:cdf462088d13	2892	"$O_CLI -key data_files/server5.key \
markrad	0:cdf462088d13	2893	-cert data_files/server5.eku-cs.crt" \
markrad	0:cdf462088d13	2894	1 \
markrad	0:cdf462088d13	2895	-s "bad certificate (usage extensions)" \
markrad	0:cdf462088d13	2896	-s "Processing of the Certificate handshake message failed"
markrad	0:cdf462088d13	2897
markrad	0:cdf462088d13	2898	# Tests for DHM parameters loading
markrad	0:cdf462088d13	2899
markrad	0:cdf462088d13	2900	run_test "DHM parameters: reference" \
markrad	0:cdf462088d13	2901	"$P_SRV" \
markrad	0:cdf462088d13	2902	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2903	debug_level=3" \
markrad	0:cdf462088d13	2904	0 \
markrad	0:cdf462088d13	2905	-c "value of 'DHM: P ' (2048 bits)" \
markrad	0:cdf462088d13	2906	-c "value of 'DHM: G ' (2048 bits)"
markrad	0:cdf462088d13	2907
markrad	0:cdf462088d13	2908	run_test "DHM parameters: other parameters" \
markrad	0:cdf462088d13	2909	"$P_SRV dhm_file=data_files/dhparams.pem" \
markrad	0:cdf462088d13	2910	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2911	debug_level=3" \
markrad	0:cdf462088d13	2912	0 \
markrad	0:cdf462088d13	2913	-c "value of 'DHM: P ' (1024 bits)" \
markrad	0:cdf462088d13	2914	-c "value of 'DHM: G ' (2 bits)"
markrad	0:cdf462088d13	2915
markrad	0:cdf462088d13	2916	# Tests for DHM client-side size checking
markrad	0:cdf462088d13	2917
markrad	0:cdf462088d13	2918	run_test "DHM size: server default, client default, OK" \
markrad	0:cdf462088d13	2919	"$P_SRV" \
markrad	0:cdf462088d13	2920	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2921	debug_level=1" \
markrad	0:cdf462088d13	2922	0 \
markrad	0:cdf462088d13	2923	-C "DHM prime too short:"
markrad	0:cdf462088d13	2924
markrad	0:cdf462088d13	2925	run_test "DHM size: server default, client 2048, OK" \
markrad	0:cdf462088d13	2926	"$P_SRV" \
markrad	0:cdf462088d13	2927	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2928	debug_level=1 dhmlen=2048" \
markrad	0:cdf462088d13	2929	0 \
markrad	0:cdf462088d13	2930	-C "DHM prime too short:"
markrad	0:cdf462088d13	2931
markrad	0:cdf462088d13	2932	run_test "DHM size: server 1024, client default, OK" \
markrad	0:cdf462088d13	2933	"$P_SRV dhm_file=data_files/dhparams.pem" \
markrad	0:cdf462088d13	2934	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2935	debug_level=1" \
markrad	0:cdf462088d13	2936	0 \
markrad	0:cdf462088d13	2937	-C "DHM prime too short:"
markrad	0:cdf462088d13	2938
markrad	0:cdf462088d13	2939	run_test "DHM size: server 1000, client default, rejected" \
markrad	0:cdf462088d13	2940	"$P_SRV dhm_file=data_files/dh.1000.pem" \
markrad	0:cdf462088d13	2941	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2942	debug_level=1" \
markrad	0:cdf462088d13	2943	1 \
markrad	0:cdf462088d13	2944	-c "DHM prime too short:"
markrad	0:cdf462088d13	2945
markrad	0:cdf462088d13	2946	run_test "DHM size: server default, client 2049, rejected" \
markrad	0:cdf462088d13	2947	"$P_SRV" \
markrad	0:cdf462088d13	2948	"$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2949	debug_level=1 dhmlen=2049" \
markrad	0:cdf462088d13	2950	1 \
markrad	0:cdf462088d13	2951	-c "DHM prime too short:"
markrad	0:cdf462088d13	2952
markrad	0:cdf462088d13	2953	# Tests for PSK callback
markrad	0:cdf462088d13	2954
markrad	0:cdf462088d13	2955	run_test "PSK callback: psk, no callback" \
markrad	0:cdf462088d13	2956	"$P_SRV psk=abc123 psk_identity=foo" \
markrad	0:cdf462088d13	2957	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2958	psk_identity=foo psk=abc123" \
markrad	0:cdf462088d13	2959	0 \
markrad	0:cdf462088d13	2960	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	2961	-S "SSL - Unknown identity received" \
markrad	0:cdf462088d13	2962	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	2963
markrad	0:cdf462088d13	2964	run_test "PSK callback: no psk, no callback" \
markrad	0:cdf462088d13	2965	"$P_SRV" \
markrad	0:cdf462088d13	2966	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2967	psk_identity=foo psk=abc123" \
markrad	0:cdf462088d13	2968	1 \
markrad	0:cdf462088d13	2969	-s "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	2970	-S "SSL - Unknown identity received" \
markrad	0:cdf462088d13	2971	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	2972
markrad	0:cdf462088d13	2973	run_test "PSK callback: callback overrides other settings" \
markrad	0:cdf462088d13	2974	"$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
markrad	0:cdf462088d13	2975	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2976	psk_identity=foo psk=abc123" \
markrad	0:cdf462088d13	2977	1 \
markrad	0:cdf462088d13	2978	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	2979	-s "SSL - Unknown identity received" \
markrad	0:cdf462088d13	2980	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	2981
markrad	0:cdf462088d13	2982	run_test "PSK callback: first id matches" \
markrad	0:cdf462088d13	2983	"$P_SRV psk_list=abc,dead,def,beef" \
markrad	0:cdf462088d13	2984	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2985	psk_identity=abc psk=dead" \
markrad	0:cdf462088d13	2986	0 \
markrad	0:cdf462088d13	2987	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	2988	-S "SSL - Unknown identity received" \
markrad	0:cdf462088d13	2989	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	2990
markrad	0:cdf462088d13	2991	run_test "PSK callback: second id matches" \
markrad	0:cdf462088d13	2992	"$P_SRV psk_list=abc,dead,def,beef" \
markrad	0:cdf462088d13	2993	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	2994	psk_identity=def psk=beef" \
markrad	0:cdf462088d13	2995	0 \
markrad	0:cdf462088d13	2996	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	2997	-S "SSL - Unknown identity received" \
markrad	0:cdf462088d13	2998	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	2999
markrad	0:cdf462088d13	3000	run_test "PSK callback: no match" \
markrad	0:cdf462088d13	3001	"$P_SRV psk_list=abc,dead,def,beef" \
markrad	0:cdf462088d13	3002	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	3003	psk_identity=ghi psk=beef" \
markrad	0:cdf462088d13	3004	1 \
markrad	0:cdf462088d13	3005	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	3006	-s "SSL - Unknown identity received" \
markrad	0:cdf462088d13	3007	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3008
markrad	0:cdf462088d13	3009	run_test "PSK callback: wrong key" \
markrad	0:cdf462088d13	3010	"$P_SRV psk_list=abc,dead,def,beef" \
markrad	0:cdf462088d13	3011	"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad	0:cdf462088d13	3012	psk_identity=abc psk=beef" \
markrad	0:cdf462088d13	3013	1 \
markrad	0:cdf462088d13	3014	-S "SSL - None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	3015	-S "SSL - Unknown identity received" \
markrad	0:cdf462088d13	3016	-s "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3017
markrad	0:cdf462088d13	3018	# Tests for EC J-PAKE
markrad	0:cdf462088d13	3019
markrad	0:cdf462088d13	3020	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3021	run_test "ECJPAKE: client not configured" \
markrad	0:cdf462088d13	3022	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	3023	"$P_CLI debug_level=3" \
markrad	0:cdf462088d13	3024	0 \
markrad	0:cdf462088d13	3025	-C "add ciphersuite: c0ff" \
markrad	0:cdf462088d13	3026	-C "adding ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3027	-S "found ecjpake kkpp extension" \
markrad	0:cdf462088d13	3028	-S "skip ecjpake kkpp extension" \
markrad	0:cdf462088d13	3029	-S "ciphersuite mismatch: ecjpake not configured" \
markrad	0:cdf462088d13	3030	-S "server hello, ecjpake kkpp extension" \
markrad	0:cdf462088d13	3031	-C "found ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3032	-S "None of the common ciphersuites is usable"
markrad	0:cdf462088d13	3033
markrad	0:cdf462088d13	3034	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3035	run_test "ECJPAKE: server not configured" \
markrad	0:cdf462088d13	3036	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	3037	"$P_CLI debug_level=3 ecjpake_pw=bla \
markrad	0:cdf462088d13	3038	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3039	1 \
markrad	0:cdf462088d13	3040	-c "add ciphersuite: c0ff" \
markrad	0:cdf462088d13	3041	-c "adding ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3042	-s "found ecjpake kkpp extension" \
markrad	0:cdf462088d13	3043	-s "skip ecjpake kkpp extension" \
markrad	0:cdf462088d13	3044	-s "ciphersuite mismatch: ecjpake not configured" \
markrad	0:cdf462088d13	3045	-S "server hello, ecjpake kkpp extension" \
markrad	0:cdf462088d13	3046	-C "found ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3047	-s "None of the common ciphersuites is usable"
markrad	0:cdf462088d13	3048
markrad	0:cdf462088d13	3049	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3050	run_test "ECJPAKE: working, TLS" \
markrad	0:cdf462088d13	3051	"$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad	0:cdf462088d13	3052	"$P_CLI debug_level=3 ecjpake_pw=bla \
markrad	0:cdf462088d13	3053	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3054	0 \
markrad	0:cdf462088d13	3055	-c "add ciphersuite: c0ff" \
markrad	0:cdf462088d13	3056	-c "adding ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3057	-C "re-using cached ecjpake parameters" \
markrad	0:cdf462088d13	3058	-s "found ecjpake kkpp extension" \
markrad	0:cdf462088d13	3059	-S "skip ecjpake kkpp extension" \
markrad	0:cdf462088d13	3060	-S "ciphersuite mismatch: ecjpake not configured" \
markrad	0:cdf462088d13	3061	-s "server hello, ecjpake kkpp extension" \
markrad	0:cdf462088d13	3062	-c "found ecjpake_kkpp extension" \
markrad	0:cdf462088d13	3063	-S "None of the common ciphersuites is usable" \
markrad	0:cdf462088d13	3064	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3065
markrad	0:cdf462088d13	3066	server_needs_more_time 1
markrad	0:cdf462088d13	3067	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3068	run_test "ECJPAKE: password mismatch, TLS" \
markrad	0:cdf462088d13	3069	"$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad	0:cdf462088d13	3070	"$P_CLI debug_level=3 ecjpake_pw=bad \
markrad	0:cdf462088d13	3071	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3072	1 \
markrad	0:cdf462088d13	3073	-C "re-using cached ecjpake parameters" \
markrad	0:cdf462088d13	3074	-s "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3075
markrad	0:cdf462088d13	3076	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3077	run_test "ECJPAKE: working, DTLS" \
markrad	0:cdf462088d13	3078	"$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad	0:cdf462088d13	3079	"$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad	0:cdf462088d13	3080	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3081	0 \
markrad	0:cdf462088d13	3082	-c "re-using cached ecjpake parameters" \
markrad	0:cdf462088d13	3083	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3084
markrad	0:cdf462088d13	3085	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3086	run_test "ECJPAKE: working, DTLS, no cookie" \
markrad	0:cdf462088d13	3087	"$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
markrad	0:cdf462088d13	3088	"$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad	0:cdf462088d13	3089	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3090	0 \
markrad	0:cdf462088d13	3091	-C "re-using cached ecjpake parameters" \
markrad	0:cdf462088d13	3092	-S "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3093
markrad	0:cdf462088d13	3094	server_needs_more_time 1
markrad	0:cdf462088d13	3095	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3096	run_test "ECJPAKE: password mismatch, DTLS" \
markrad	0:cdf462088d13	3097	"$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad	0:cdf462088d13	3098	"$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
markrad	0:cdf462088d13	3099	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3100	1 \
markrad	0:cdf462088d13	3101	-c "re-using cached ecjpake parameters" \
markrad	0:cdf462088d13	3102	-s "SSL - Verification of the message MAC failed"
markrad	0:cdf462088d13	3103
markrad	0:cdf462088d13	3104	# for tests with configs/config-thread.h
markrad	0:cdf462088d13	3105	requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad	0:cdf462088d13	3106	run_test "ECJPAKE: working, DTLS, nolog" \
markrad	0:cdf462088d13	3107	"$P_SRV dtls=1 ecjpake_pw=bla" \
markrad	0:cdf462088d13	3108	"$P_CLI dtls=1 ecjpake_pw=bla \
markrad	0:cdf462088d13	3109	force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3110	0
markrad	0:cdf462088d13	3111
markrad	0:cdf462088d13	3112	# Tests for ciphersuites per version
markrad	0:cdf462088d13	3113
markrad	0:cdf462088d13	3114	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3115	run_test "Per-version suites: SSL3" \
markrad	0:cdf462088d13	3116	"$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	3117	"$P_CLI force_version=ssl3" \
markrad	0:cdf462088d13	3118	0 \
markrad	0:cdf462088d13	3119	-c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
markrad	0:cdf462088d13	3120
markrad	0:cdf462088d13	3121	run_test "Per-version suites: TLS 1.0" \
markrad	0:cdf462088d13	3122	"$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	3123	"$P_CLI force_version=tls1 arc4=1" \
markrad	0:cdf462088d13	3124	0 \
markrad	0:cdf462088d13	3125	-c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
markrad	0:cdf462088d13	3126
markrad	0:cdf462088d13	3127	run_test "Per-version suites: TLS 1.1" \
markrad	0:cdf462088d13	3128	"$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	3129	"$P_CLI force_version=tls1_1" \
markrad	0:cdf462088d13	3130	0 \
markrad	0:cdf462088d13	3131	-c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
markrad	0:cdf462088d13	3132
markrad	0:cdf462088d13	3133	run_test "Per-version suites: TLS 1.2" \
markrad	0:cdf462088d13	3134	"$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	3135	"$P_CLI force_version=tls1_2" \
markrad	0:cdf462088d13	3136	0 \
markrad	0:cdf462088d13	3137	-c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
markrad	0:cdf462088d13	3138
markrad	0:cdf462088d13	3139	# Test for ClientHello without extensions
markrad	0:cdf462088d13	3140
markrad	0:cdf462088d13	3141	requires_gnutls
Jasper Wallace	2:bbdeda018a3c	3142	run_test "ClientHello without extensions, SHA-1 allowed" \
markrad	0:cdf462088d13	3143	"$P_SRV debug_level=3" \
markrad	0:cdf462088d13	3144	"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
markrad	0:cdf462088d13	3145	0 \
markrad	0:cdf462088d13	3146	-s "dumping 'client hello extensions' (0 bytes)"
markrad	0:cdf462088d13	3147
Jasper Wallace	2:bbdeda018a3c	3148	requires_gnutls
Jasper Wallace	2:bbdeda018a3c	3149	run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
Jasper Wallace	2:bbdeda018a3c	3150	"$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
Jasper Wallace	2:bbdeda018a3c	3151	"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
Jasper Wallace	2:bbdeda018a3c	3152	0 \
Jasper Wallace	2:bbdeda018a3c	3153	-s "dumping 'client hello extensions' (0 bytes)"
Jasper Wallace	2:bbdeda018a3c	3154
markrad	0:cdf462088d13	3155	# Tests for mbedtls_ssl_get_bytes_avail()
markrad	0:cdf462088d13	3156
markrad	0:cdf462088d13	3157	run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
markrad	0:cdf462088d13	3158	"$P_SRV" \
markrad	0:cdf462088d13	3159	"$P_CLI request_size=100" \
markrad	0:cdf462088d13	3160	0 \
markrad	0:cdf462088d13	3161	-s "Read from client: 100 bytes read$"
markrad	0:cdf462088d13	3162
markrad	0:cdf462088d13	3163	run_test "mbedtls_ssl_get_bytes_avail: extra data" \
markrad	0:cdf462088d13	3164	"$P_SRV" \
markrad	0:cdf462088d13	3165	"$P_CLI request_size=500" \
markrad	0:cdf462088d13	3166	0 \
markrad	0:cdf462088d13	3167	-s "Read from client: 500 bytes read (.+.)"
markrad	0:cdf462088d13	3168
markrad	0:cdf462088d13	3169	# Tests for small packets
markrad	0:cdf462088d13	3170
markrad	0:cdf462088d13	3171	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3172	run_test "Small packet SSLv3 BlockCipher" \
markrad	0:cdf462088d13	3173	"$P_SRV min_version=ssl3" \
markrad	0:cdf462088d13	3174	"$P_CLI request_size=1 force_version=ssl3 \
markrad	0:cdf462088d13	3175	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3176	0 \
markrad	0:cdf462088d13	3177	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3178
markrad	0:cdf462088d13	3179	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3180	run_test "Small packet SSLv3 StreamCipher" \
markrad	0:cdf462088d13	3181	"$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3182	"$P_CLI request_size=1 force_version=ssl3 \
markrad	0:cdf462088d13	3183	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3184	0 \
markrad	0:cdf462088d13	3185	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3186
markrad	0:cdf462088d13	3187	run_test "Small packet TLS 1.0 BlockCipher" \
markrad	0:cdf462088d13	3188	"$P_SRV" \
markrad	0:cdf462088d13	3189	"$P_CLI request_size=1 force_version=tls1 \
markrad	0:cdf462088d13	3190	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3191	0 \
markrad	0:cdf462088d13	3192	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3193
markrad	0:cdf462088d13	3194	run_test "Small packet TLS 1.0 BlockCipher without EtM" \
markrad	0:cdf462088d13	3195	"$P_SRV" \
markrad	0:cdf462088d13	3196	"$P_CLI request_size=1 force_version=tls1 etm=0 \
markrad	0:cdf462088d13	3197	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3198	0 \
markrad	0:cdf462088d13	3199	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3200
markrad	0:cdf462088d13	3201	run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3202	"$P_SRV" \
markrad	0:cdf462088d13	3203	"$P_CLI request_size=1 force_version=tls1 \
markrad	0:cdf462088d13	3204	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3205	trunc_hmac=1" \
markrad	0:cdf462088d13	3206	0 \
markrad	0:cdf462088d13	3207	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3208
markrad	0:cdf462088d13	3209	run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3210	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3211	"$P_CLI request_size=1 force_version=tls1 \
markrad	0:cdf462088d13	3212	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3213	trunc_hmac=1" \
markrad	0:cdf462088d13	3214	0 \
markrad	0:cdf462088d13	3215	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3216
markrad	0:cdf462088d13	3217	run_test "Small packet TLS 1.1 BlockCipher" \
markrad	0:cdf462088d13	3218	"$P_SRV" \
markrad	0:cdf462088d13	3219	"$P_CLI request_size=1 force_version=tls1_1 \
markrad	0:cdf462088d13	3220	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3221	0 \
markrad	0:cdf462088d13	3222	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3223
markrad	0:cdf462088d13	3224	run_test "Small packet TLS 1.1 BlockCipher without EtM" \
markrad	0:cdf462088d13	3225	"$P_SRV" \
markrad	0:cdf462088d13	3226	"$P_CLI request_size=1 force_version=tls1_1 etm=0 \
markrad	0:cdf462088d13	3227	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3228	0 \
markrad	0:cdf462088d13	3229	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3230
markrad	0:cdf462088d13	3231	run_test "Small packet TLS 1.1 StreamCipher" \
markrad	0:cdf462088d13	3232	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3233	"$P_CLI request_size=1 force_version=tls1_1 \
markrad	0:cdf462088d13	3234	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3235	0 \
markrad	0:cdf462088d13	3236	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3237
markrad	0:cdf462088d13	3238	run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3239	"$P_SRV" \
markrad	0:cdf462088d13	3240	"$P_CLI request_size=1 force_version=tls1_1 \
markrad	0:cdf462088d13	3241	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3242	trunc_hmac=1" \
markrad	0:cdf462088d13	3243	0 \
markrad	0:cdf462088d13	3244	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3245
markrad	0:cdf462088d13	3246	run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3247	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3248	"$P_CLI request_size=1 force_version=tls1_1 \
markrad	0:cdf462088d13	3249	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3250	trunc_hmac=1" \
markrad	0:cdf462088d13	3251	0 \
markrad	0:cdf462088d13	3252	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3253
markrad	0:cdf462088d13	3254	run_test "Small packet TLS 1.2 BlockCipher" \
markrad	0:cdf462088d13	3255	"$P_SRV" \
markrad	0:cdf462088d13	3256	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3257	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3258	0 \
markrad	0:cdf462088d13	3259	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3260
markrad	0:cdf462088d13	3261	run_test "Small packet TLS 1.2 BlockCipher without EtM" \
markrad	0:cdf462088d13	3262	"$P_SRV" \
markrad	0:cdf462088d13	3263	"$P_CLI request_size=1 force_version=tls1_2 etm=0 \
markrad	0:cdf462088d13	3264	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3265	0 \
markrad	0:cdf462088d13	3266	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3267
markrad	0:cdf462088d13	3268	run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
markrad	0:cdf462088d13	3269	"$P_SRV" \
markrad	0:cdf462088d13	3270	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3271	force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad	0:cdf462088d13	3272	0 \
markrad	0:cdf462088d13	3273	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3274
markrad	0:cdf462088d13	3275	run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3276	"$P_SRV" \
markrad	0:cdf462088d13	3277	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3278	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3279	trunc_hmac=1" \
markrad	0:cdf462088d13	3280	0 \
markrad	0:cdf462088d13	3281	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3282
markrad	0:cdf462088d13	3283	run_test "Small packet TLS 1.2 StreamCipher" \
markrad	0:cdf462088d13	3284	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3285	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3286	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3287	0 \
markrad	0:cdf462088d13	3288	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3289
markrad	0:cdf462088d13	3290	run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3291	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3292	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3293	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3294	trunc_hmac=1" \
markrad	0:cdf462088d13	3295	0 \
markrad	0:cdf462088d13	3296	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3297
markrad	0:cdf462088d13	3298	run_test "Small packet TLS 1.2 AEAD" \
markrad	0:cdf462088d13	3299	"$P_SRV" \
markrad	0:cdf462088d13	3300	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3301	force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad	0:cdf462088d13	3302	0 \
markrad	0:cdf462088d13	3303	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3304
markrad	0:cdf462088d13	3305	run_test "Small packet TLS 1.2 AEAD shorter tag" \
markrad	0:cdf462088d13	3306	"$P_SRV" \
markrad	0:cdf462088d13	3307	"$P_CLI request_size=1 force_version=tls1_2 \
markrad	0:cdf462088d13	3308	force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad	0:cdf462088d13	3309	0 \
markrad	0:cdf462088d13	3310	-s "Read from client: 1 bytes read"
markrad	0:cdf462088d13	3311
markrad	0:cdf462088d13	3312	# A test for extensions in SSLv3
markrad	0:cdf462088d13	3313
markrad	0:cdf462088d13	3314	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3315	run_test "SSLv3 with extensions, server side" \
markrad	0:cdf462088d13	3316	"$P_SRV min_version=ssl3 debug_level=3" \
markrad	0:cdf462088d13	3317	"$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
markrad	0:cdf462088d13	3318	0 \
markrad	0:cdf462088d13	3319	-S "dumping 'client hello extensions'" \
markrad	0:cdf462088d13	3320	-S "server hello, total extension length:"
markrad	0:cdf462088d13	3321
markrad	0:cdf462088d13	3322	# Test for large packets
markrad	0:cdf462088d13	3323
markrad	0:cdf462088d13	3324	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3325	run_test "Large packet SSLv3 BlockCipher" \
markrad	0:cdf462088d13	3326	"$P_SRV min_version=ssl3" \
markrad	0:cdf462088d13	3327	"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
markrad	0:cdf462088d13	3328	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3329	0 \
markrad	0:cdf462088d13	3330	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3331
markrad	0:cdf462088d13	3332	requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad	0:cdf462088d13	3333	run_test "Large packet SSLv3 StreamCipher" \
markrad	0:cdf462088d13	3334	"$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3335	"$P_CLI request_size=16384 force_version=ssl3 \
markrad	0:cdf462088d13	3336	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3337	0 \
markrad	0:cdf462088d13	3338	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3339
markrad	0:cdf462088d13	3340	run_test "Large packet TLS 1.0 BlockCipher" \
markrad	0:cdf462088d13	3341	"$P_SRV" \
markrad	0:cdf462088d13	3342	"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad	0:cdf462088d13	3343	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3344	0 \
markrad	0:cdf462088d13	3345	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3346
markrad	0:cdf462088d13	3347	run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3348	"$P_SRV" \
markrad	0:cdf462088d13	3349	"$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad	0:cdf462088d13	3350	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3351	trunc_hmac=1" \
markrad	0:cdf462088d13	3352	0 \
markrad	0:cdf462088d13	3353	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3354
markrad	0:cdf462088d13	3355	run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3356	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3357	"$P_CLI request_size=16384 force_version=tls1 \
markrad	0:cdf462088d13	3358	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3359	trunc_hmac=1" \
markrad	0:cdf462088d13	3360	0 \
markrad	0:cdf462088d13	3361	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3362
markrad	0:cdf462088d13	3363	run_test "Large packet TLS 1.1 BlockCipher" \
markrad	0:cdf462088d13	3364	"$P_SRV" \
markrad	0:cdf462088d13	3365	"$P_CLI request_size=16384 force_version=tls1_1 \
markrad	0:cdf462088d13	3366	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3367	0 \
markrad	0:cdf462088d13	3368	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3369
markrad	0:cdf462088d13	3370	run_test "Large packet TLS 1.1 StreamCipher" \
markrad	0:cdf462088d13	3371	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3372	"$P_CLI request_size=16384 force_version=tls1_1 \
markrad	0:cdf462088d13	3373	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3374	0 \
markrad	0:cdf462088d13	3375	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3376
markrad	0:cdf462088d13	3377	run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3378	"$P_SRV" \
markrad	0:cdf462088d13	3379	"$P_CLI request_size=16384 force_version=tls1_1 \
markrad	0:cdf462088d13	3380	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3381	trunc_hmac=1" \
markrad	0:cdf462088d13	3382	0 \
markrad	0:cdf462088d13	3383	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3384
markrad	0:cdf462088d13	3385	run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3386	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3387	"$P_CLI request_size=16384 force_version=tls1_1 \
markrad	0:cdf462088d13	3388	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3389	trunc_hmac=1" \
markrad	0:cdf462088d13	3390	0 \
markrad	0:cdf462088d13	3391	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3392
markrad	0:cdf462088d13	3393	run_test "Large packet TLS 1.2 BlockCipher" \
markrad	0:cdf462088d13	3394	"$P_SRV" \
markrad	0:cdf462088d13	3395	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3396	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad	0:cdf462088d13	3397	0 \
markrad	0:cdf462088d13	3398	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3399
markrad	0:cdf462088d13	3400	run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
markrad	0:cdf462088d13	3401	"$P_SRV" \
markrad	0:cdf462088d13	3402	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3403	force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad	0:cdf462088d13	3404	0 \
markrad	0:cdf462088d13	3405	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3406
markrad	0:cdf462088d13	3407	run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
markrad	0:cdf462088d13	3408	"$P_SRV" \
markrad	0:cdf462088d13	3409	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3410	force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad	0:cdf462088d13	3411	trunc_hmac=1" \
markrad	0:cdf462088d13	3412	0 \
markrad	0:cdf462088d13	3413	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3414
markrad	0:cdf462088d13	3415	run_test "Large packet TLS 1.2 StreamCipher" \
markrad	0:cdf462088d13	3416	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3417	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3418	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3419	0 \
markrad	0:cdf462088d13	3420	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3421
markrad	0:cdf462088d13	3422	run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
markrad	0:cdf462088d13	3423	"$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad	0:cdf462088d13	3424	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3425	force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad	0:cdf462088d13	3426	trunc_hmac=1" \
markrad	0:cdf462088d13	3427	0 \
markrad	0:cdf462088d13	3428	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3429
markrad	0:cdf462088d13	3430	run_test "Large packet TLS 1.2 AEAD" \
markrad	0:cdf462088d13	3431	"$P_SRV" \
markrad	0:cdf462088d13	3432	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3433	force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad	0:cdf462088d13	3434	0 \
markrad	0:cdf462088d13	3435	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3436
markrad	0:cdf462088d13	3437	run_test "Large packet TLS 1.2 AEAD shorter tag" \
markrad	0:cdf462088d13	3438	"$P_SRV" \
markrad	0:cdf462088d13	3439	"$P_CLI request_size=16384 force_version=tls1_2 \
markrad	0:cdf462088d13	3440	force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad	0:cdf462088d13	3441	0 \
markrad	0:cdf462088d13	3442	-s "Read from client: 16384 bytes read"
markrad	0:cdf462088d13	3443
markrad	0:cdf462088d13	3444	# Tests for DTLS HelloVerifyRequest
markrad	0:cdf462088d13	3445
markrad	0:cdf462088d13	3446	run_test "DTLS cookie: enabled" \
markrad	0:cdf462088d13	3447	"$P_SRV dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3448	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3449	0 \
markrad	0:cdf462088d13	3450	-s "cookie verification failed" \
markrad	0:cdf462088d13	3451	-s "cookie verification passed" \
markrad	0:cdf462088d13	3452	-S "cookie verification skipped" \
markrad	0:cdf462088d13	3453	-c "received hello verify request" \
markrad	0:cdf462088d13	3454	-s "hello verification requested" \
markrad	0:cdf462088d13	3455	-S "SSL - The requested feature is not available"
markrad	0:cdf462088d13	3456
markrad	0:cdf462088d13	3457	run_test "DTLS cookie: disabled" \
markrad	0:cdf462088d13	3458	"$P_SRV dtls=1 debug_level=2 cookies=0" \
markrad	0:cdf462088d13	3459	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3460	0 \
markrad	0:cdf462088d13	3461	-S "cookie verification failed" \
markrad	0:cdf462088d13	3462	-S "cookie verification passed" \
markrad	0:cdf462088d13	3463	-s "cookie verification skipped" \
markrad	0:cdf462088d13	3464	-C "received hello verify request" \
markrad	0:cdf462088d13	3465	-S "hello verification requested" \
markrad	0:cdf462088d13	3466	-S "SSL - The requested feature is not available"
markrad	0:cdf462088d13	3467
markrad	0:cdf462088d13	3468	run_test "DTLS cookie: default (failing)" \
markrad	0:cdf462088d13	3469	"$P_SRV dtls=1 debug_level=2 cookies=-1" \
markrad	0:cdf462088d13	3470	"$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
markrad	0:cdf462088d13	3471	1 \
markrad	0:cdf462088d13	3472	-s "cookie verification failed" \
markrad	0:cdf462088d13	3473	-S "cookie verification passed" \
markrad	0:cdf462088d13	3474	-S "cookie verification skipped" \
markrad	0:cdf462088d13	3475	-C "received hello verify request" \
markrad	0:cdf462088d13	3476	-S "hello verification requested" \
markrad	0:cdf462088d13	3477	-s "SSL - The requested feature is not available"
markrad	0:cdf462088d13	3478
markrad	0:cdf462088d13	3479	requires_ipv6
markrad	0:cdf462088d13	3480	run_test "DTLS cookie: enabled, IPv6" \
markrad	0:cdf462088d13	3481	"$P_SRV dtls=1 debug_level=2 server_addr=::1" \
markrad	0:cdf462088d13	3482	"$P_CLI dtls=1 debug_level=2 server_addr=::1" \
markrad	0:cdf462088d13	3483	0 \
markrad	0:cdf462088d13	3484	-s "cookie verification failed" \
markrad	0:cdf462088d13	3485	-s "cookie verification passed" \
markrad	0:cdf462088d13	3486	-S "cookie verification skipped" \
markrad	0:cdf462088d13	3487	-c "received hello verify request" \
markrad	0:cdf462088d13	3488	-s "hello verification requested" \
markrad	0:cdf462088d13	3489	-S "SSL - The requested feature is not available"
markrad	0:cdf462088d13	3490
markrad	0:cdf462088d13	3491	run_test "DTLS cookie: enabled, nbio" \
markrad	0:cdf462088d13	3492	"$P_SRV dtls=1 nbio=2 debug_level=2" \
markrad	0:cdf462088d13	3493	"$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad	0:cdf462088d13	3494	0 \
markrad	0:cdf462088d13	3495	-s "cookie verification failed" \
markrad	0:cdf462088d13	3496	-s "cookie verification passed" \
markrad	0:cdf462088d13	3497	-S "cookie verification skipped" \
markrad	0:cdf462088d13	3498	-c "received hello verify request" \
markrad	0:cdf462088d13	3499	-s "hello verification requested" \
markrad	0:cdf462088d13	3500	-S "SSL - The requested feature is not available"
markrad	0:cdf462088d13	3501
markrad	0:cdf462088d13	3502	# Tests for client reconnecting from the same port with DTLS
markrad	0:cdf462088d13	3503
markrad	0:cdf462088d13	3504	not_with_valgrind # spurious resend
markrad	0:cdf462088d13	3505	run_test "DTLS client reconnect from same port: reference" \
markrad	0:cdf462088d13	3506	"$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad	0:cdf462088d13	3507	"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
markrad	0:cdf462088d13	3508	0 \
markrad	0:cdf462088d13	3509	-C "resend" \
markrad	0:cdf462088d13	3510	-S "The operation timed out" \
markrad	0:cdf462088d13	3511	-S "Client initiated reconnection from same port"
markrad	0:cdf462088d13	3512
markrad	0:cdf462088d13	3513	not_with_valgrind # spurious resend
markrad	0:cdf462088d13	3514	run_test "DTLS client reconnect from same port: reconnect" \
markrad	0:cdf462088d13	3515	"$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad	0:cdf462088d13	3516	"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad	0:cdf462088d13	3517	0 \
markrad	0:cdf462088d13	3518	-C "resend" \
markrad	0:cdf462088d13	3519	-S "The operation timed out" \
markrad	0:cdf462088d13	3520	-s "Client initiated reconnection from same port"
markrad	0:cdf462088d13	3521
markrad	0:cdf462088d13	3522	not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
markrad	0:cdf462088d13	3523	run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
markrad	0:cdf462088d13	3524	"$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
markrad	0:cdf462088d13	3525	"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad	0:cdf462088d13	3526	0 \
markrad	0:cdf462088d13	3527	-S "The operation timed out" \
markrad	0:cdf462088d13	3528	-s "Client initiated reconnection from same port"
markrad	0:cdf462088d13	3529
markrad	0:cdf462088d13	3530	only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
markrad	0:cdf462088d13	3531	run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
markrad	0:cdf462088d13	3532	"$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
markrad	0:cdf462088d13	3533	"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
markrad	0:cdf462088d13	3534	0 \
markrad	0:cdf462088d13	3535	-S "The operation timed out" \
markrad	0:cdf462088d13	3536	-s "Client initiated reconnection from same port"
markrad	0:cdf462088d13	3537
markrad	0:cdf462088d13	3538	run_test "DTLS client reconnect from same port: no cookies" \
markrad	0:cdf462088d13	3539	"$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
markrad	0:cdf462088d13	3540	"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
markrad	0:cdf462088d13	3541	0 \
markrad	0:cdf462088d13	3542	-s "The operation timed out" \
markrad	0:cdf462088d13	3543	-S "Client initiated reconnection from same port"
markrad	0:cdf462088d13	3544
markrad	0:cdf462088d13	3545	# Tests for various cases of client authentication with DTLS
markrad	0:cdf462088d13	3546	# (focused on handshake flows and message parsing)
markrad	0:cdf462088d13	3547
markrad	0:cdf462088d13	3548	run_test "DTLS client auth: required" \
markrad	0:cdf462088d13	3549	"$P_SRV dtls=1 auth_mode=required" \
markrad	0:cdf462088d13	3550	"$P_CLI dtls=1" \
markrad	0:cdf462088d13	3551	0 \
markrad	0:cdf462088d13	3552	-s "Verifying peer X.509 certificate... ok"
markrad	0:cdf462088d13	3553
markrad	0:cdf462088d13	3554	run_test "DTLS client auth: optional, client has no cert" \
markrad	0:cdf462088d13	3555	"$P_SRV dtls=1 auth_mode=optional" \
markrad	0:cdf462088d13	3556	"$P_CLI dtls=1 crt_file=none key_file=none" \
markrad	0:cdf462088d13	3557	0 \
markrad	0:cdf462088d13	3558	-s "! Certificate was missing"
markrad	0:cdf462088d13	3559
markrad	0:cdf462088d13	3560	run_test "DTLS client auth: none, client has no cert" \
markrad	0:cdf462088d13	3561	"$P_SRV dtls=1 auth_mode=none" \
markrad	0:cdf462088d13	3562	"$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
markrad	0:cdf462088d13	3563	0 \
markrad	0:cdf462088d13	3564	-c "skip write certificate$" \
markrad	0:cdf462088d13	3565	-s "! Certificate verification was skipped"
markrad	0:cdf462088d13	3566
markrad	0:cdf462088d13	3567	run_test "DTLS wrong PSK: badmac alert" \
markrad	0:cdf462088d13	3568	"$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
markrad	0:cdf462088d13	3569	"$P_CLI dtls=1 psk=abc124" \
markrad	0:cdf462088d13	3570	1 \
markrad	0:cdf462088d13	3571	-s "SSL - Verification of the message MAC failed" \
markrad	0:cdf462088d13	3572	-c "SSL - A fatal alert message was received from our peer"
markrad	0:cdf462088d13	3573
markrad	0:cdf462088d13	3574	# Tests for receiving fragmented handshake messages with DTLS
markrad	0:cdf462088d13	3575
markrad	0:cdf462088d13	3576	requires_gnutls
markrad	0:cdf462088d13	3577	run_test "DTLS reassembly: no fragmentation (gnutls server)" \
markrad	0:cdf462088d13	3578	"$G_SRV -u --mtu 2048 -a" \
markrad	0:cdf462088d13	3579	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3580	0 \
markrad	0:cdf462088d13	3581	-C "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3582	-C "error"
markrad	0:cdf462088d13	3583
markrad	0:cdf462088d13	3584	requires_gnutls
markrad	0:cdf462088d13	3585	run_test "DTLS reassembly: some fragmentation (gnutls server)" \
markrad	0:cdf462088d13	3586	"$G_SRV -u --mtu 512" \
markrad	0:cdf462088d13	3587	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3588	0 \
markrad	0:cdf462088d13	3589	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3590	-C "error"
markrad	0:cdf462088d13	3591
markrad	0:cdf462088d13	3592	requires_gnutls
markrad	0:cdf462088d13	3593	run_test "DTLS reassembly: more fragmentation (gnutls server)" \
markrad	0:cdf462088d13	3594	"$G_SRV -u --mtu 128" \
markrad	0:cdf462088d13	3595	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3596	0 \
markrad	0:cdf462088d13	3597	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3598	-C "error"
markrad	0:cdf462088d13	3599
markrad	0:cdf462088d13	3600	requires_gnutls
markrad	0:cdf462088d13	3601	run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
markrad	0:cdf462088d13	3602	"$G_SRV -u --mtu 128" \
markrad	0:cdf462088d13	3603	"$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad	0:cdf462088d13	3604	0 \
markrad	0:cdf462088d13	3605	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3606	-C "error"
markrad	0:cdf462088d13	3607
markrad	0:cdf462088d13	3608	requires_gnutls
markrad	0:cdf462088d13	3609	run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
markrad	0:cdf462088d13	3610	"$G_SRV -u --mtu 256" \
markrad	0:cdf462088d13	3611	"$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	3612	0 \
markrad	0:cdf462088d13	3613	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3614	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	3615	-c "found renegotiation extension" \
markrad	0:cdf462088d13	3616	-c "=> renegotiate" \
markrad	0:cdf462088d13	3617	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	3618	-C "error" \
markrad	0:cdf462088d13	3619	-s "Extra-header:"
markrad	0:cdf462088d13	3620
markrad	0:cdf462088d13	3621	requires_gnutls
markrad	0:cdf462088d13	3622	run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
markrad	0:cdf462088d13	3623	"$G_SRV -u --mtu 256" \
markrad	0:cdf462088d13	3624	"$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
markrad	0:cdf462088d13	3625	0 \
markrad	0:cdf462088d13	3626	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3627	-c "client hello, adding renegotiation extension" \
markrad	0:cdf462088d13	3628	-c "found renegotiation extension" \
markrad	0:cdf462088d13	3629	-c "=> renegotiate" \
markrad	0:cdf462088d13	3630	-C "mbedtls_ssl_handshake returned" \
markrad	0:cdf462088d13	3631	-C "error" \
markrad	0:cdf462088d13	3632	-s "Extra-header:"
markrad	0:cdf462088d13	3633
markrad	0:cdf462088d13	3634	run_test "DTLS reassembly: no fragmentation (openssl server)" \
markrad	0:cdf462088d13	3635	"$O_SRV -dtls1 -mtu 2048" \
markrad	0:cdf462088d13	3636	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3637	0 \
markrad	0:cdf462088d13	3638	-C "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3639	-C "error"
markrad	0:cdf462088d13	3640
markrad	0:cdf462088d13	3641	run_test "DTLS reassembly: some fragmentation (openssl server)" \
markrad	0:cdf462088d13	3642	"$O_SRV -dtls1 -mtu 768" \
markrad	0:cdf462088d13	3643	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3644	0 \
markrad	0:cdf462088d13	3645	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3646	-C "error"
markrad	0:cdf462088d13	3647
markrad	0:cdf462088d13	3648	run_test "DTLS reassembly: more fragmentation (openssl server)" \
markrad	0:cdf462088d13	3649	"$O_SRV -dtls1 -mtu 256" \
markrad	0:cdf462088d13	3650	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3651	0 \
markrad	0:cdf462088d13	3652	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3653	-C "error"
markrad	0:cdf462088d13	3654
markrad	0:cdf462088d13	3655	run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
markrad	0:cdf462088d13	3656	"$O_SRV -dtls1 -mtu 256" \
markrad	0:cdf462088d13	3657	"$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad	0:cdf462088d13	3658	0 \
markrad	0:cdf462088d13	3659	-c "found fragmented DTLS handshake message" \
markrad	0:cdf462088d13	3660	-C "error"
markrad	0:cdf462088d13	3661
markrad	0:cdf462088d13	3662	# Tests for specific things with "unreliable" UDP connection
markrad	0:cdf462088d13	3663
markrad	0:cdf462088d13	3664	not_with_valgrind # spurious resend due to timeout
markrad	0:cdf462088d13	3665	run_test "DTLS proxy: reference" \
markrad	0:cdf462088d13	3666	-p "$P_PXY" \
markrad	0:cdf462088d13	3667	"$P_SRV dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3668	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3669	0 \
markrad	0:cdf462088d13	3670	-C "replayed record" \
markrad	0:cdf462088d13	3671	-S "replayed record" \
markrad	0:cdf462088d13	3672	-C "record from another epoch" \
markrad	0:cdf462088d13	3673	-S "record from another epoch" \
markrad	0:cdf462088d13	3674	-C "discarding invalid record" \
markrad	0:cdf462088d13	3675	-S "discarding invalid record" \
markrad	0:cdf462088d13	3676	-S "resend" \
markrad	0:cdf462088d13	3677	-s "Extra-header:" \
markrad	0:cdf462088d13	3678	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3679
markrad	0:cdf462088d13	3680	not_with_valgrind # spurious resend due to timeout
markrad	0:cdf462088d13	3681	run_test "DTLS proxy: duplicate every packet" \
markrad	0:cdf462088d13	3682	-p "$P_PXY duplicate=1" \
markrad	0:cdf462088d13	3683	"$P_SRV dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3684	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3685	0 \
markrad	0:cdf462088d13	3686	-c "replayed record" \
markrad	0:cdf462088d13	3687	-s "replayed record" \
markrad	0:cdf462088d13	3688	-c "discarding invalid record" \
markrad	0:cdf462088d13	3689	-s "discarding invalid record" \
markrad	0:cdf462088d13	3690	-S "resend" \
markrad	0:cdf462088d13	3691	-s "Extra-header:" \
markrad	0:cdf462088d13	3692	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3693
markrad	0:cdf462088d13	3694	run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
markrad	0:cdf462088d13	3695	-p "$P_PXY duplicate=1" \
markrad	0:cdf462088d13	3696	"$P_SRV dtls=1 debug_level=2 anti_replay=0" \
markrad	0:cdf462088d13	3697	"$P_CLI dtls=1 debug_level=2" \
markrad	0:cdf462088d13	3698	0 \
markrad	0:cdf462088d13	3699	-c "replayed record" \
markrad	0:cdf462088d13	3700	-S "replayed record" \
markrad	0:cdf462088d13	3701	-c "discarding invalid record" \
markrad	0:cdf462088d13	3702	-s "discarding invalid record" \
markrad	0:cdf462088d13	3703	-c "resend" \
markrad	0:cdf462088d13	3704	-s "resend" \
markrad	0:cdf462088d13	3705	-s "Extra-header:" \
markrad	0:cdf462088d13	3706	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3707
markrad	0:cdf462088d13	3708	run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
markrad	0:cdf462088d13	3709	-p "$P_PXY bad_ad=1" \
markrad	0:cdf462088d13	3710	"$P_SRV dtls=1 debug_level=1" \
markrad	0:cdf462088d13	3711	"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad	0:cdf462088d13	3712	0 \
markrad	0:cdf462088d13	3713	-c "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3714	-s "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3715	-s "Extra-header:" \
markrad	0:cdf462088d13	3716	-c "HTTP/1.0 200 OK" \
markrad	0:cdf462088d13	3717	-S "too many records with bad MAC" \
markrad	0:cdf462088d13	3718	-S "Verification of the message MAC failed"
markrad	0:cdf462088d13	3719
markrad	0:cdf462088d13	3720	run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
markrad	0:cdf462088d13	3721	-p "$P_PXY bad_ad=1" \
markrad	0:cdf462088d13	3722	"$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
markrad	0:cdf462088d13	3723	"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad	0:cdf462088d13	3724	1 \
markrad	0:cdf462088d13	3725	-C "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3726	-S "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3727	-S "Extra-header:" \
markrad	0:cdf462088d13	3728	-C "HTTP/1.0 200 OK" \
markrad	0:cdf462088d13	3729	-s "too many records with bad MAC" \
markrad	0:cdf462088d13	3730	-s "Verification of the message MAC failed"
markrad	0:cdf462088d13	3731
markrad	0:cdf462088d13	3732	run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
markrad	0:cdf462088d13	3733	-p "$P_PXY bad_ad=1" \
markrad	0:cdf462088d13	3734	"$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
markrad	0:cdf462088d13	3735	"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad	0:cdf462088d13	3736	0 \
markrad	0:cdf462088d13	3737	-c "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3738	-s "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3739	-s "Extra-header:" \
markrad	0:cdf462088d13	3740	-c "HTTP/1.0 200 OK" \
markrad	0:cdf462088d13	3741	-S "too many records with bad MAC" \
markrad	0:cdf462088d13	3742	-S "Verification of the message MAC failed"
markrad	0:cdf462088d13	3743
markrad	0:cdf462088d13	3744	run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
markrad	0:cdf462088d13	3745	-p "$P_PXY bad_ad=1" \
markrad	0:cdf462088d13	3746	"$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
markrad	0:cdf462088d13	3747	"$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
markrad	0:cdf462088d13	3748	1 \
markrad	0:cdf462088d13	3749	-c "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3750	-s "discarding invalid record (mac)" \
markrad	0:cdf462088d13	3751	-s "Extra-header:" \
markrad	0:cdf462088d13	3752	-c "HTTP/1.0 200 OK" \
markrad	0:cdf462088d13	3753	-s "too many records with bad MAC" \
markrad	0:cdf462088d13	3754	-s "Verification of the message MAC failed"
markrad	0:cdf462088d13	3755
markrad	0:cdf462088d13	3756	run_test "DTLS proxy: delay ChangeCipherSpec" \
markrad	0:cdf462088d13	3757	-p "$P_PXY delay_ccs=1" \
markrad	0:cdf462088d13	3758	"$P_SRV dtls=1 debug_level=1" \
markrad	0:cdf462088d13	3759	"$P_CLI dtls=1 debug_level=1" \
markrad	0:cdf462088d13	3760	0 \
markrad	0:cdf462088d13	3761	-c "record from another epoch" \
markrad	0:cdf462088d13	3762	-s "record from another epoch" \
markrad	0:cdf462088d13	3763	-c "discarding invalid record" \
markrad	0:cdf462088d13	3764	-s "discarding invalid record" \
markrad	0:cdf462088d13	3765	-s "Extra-header:" \
markrad	0:cdf462088d13	3766	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3767
markrad	0:cdf462088d13	3768	# Tests for "randomly unreliable connection": try a variety of flows and peers
markrad	0:cdf462088d13	3769
markrad	0:cdf462088d13	3770	client_needs_more_time 2
markrad	0:cdf462088d13	3771	run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
markrad	0:cdf462088d13	3772	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3773	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3774	psk=abc123" \
markrad	0:cdf462088d13	3775	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3776	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3777	0 \
markrad	0:cdf462088d13	3778	-s "Extra-header:" \
markrad	0:cdf462088d13	3779	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3780
markrad	0:cdf462088d13	3781	client_needs_more_time 2
markrad	0:cdf462088d13	3782	run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
markrad	0:cdf462088d13	3783	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3784	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad	0:cdf462088d13	3785	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
markrad	0:cdf462088d13	3786	force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad	0:cdf462088d13	3787	0 \
markrad	0:cdf462088d13	3788	-s "Extra-header:" \
markrad	0:cdf462088d13	3789	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3790
markrad	0:cdf462088d13	3791	client_needs_more_time 2
markrad	0:cdf462088d13	3792	run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
markrad	0:cdf462088d13	3793	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3794	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad	0:cdf462088d13	3795	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad	0:cdf462088d13	3796	0 \
markrad	0:cdf462088d13	3797	-s "Extra-header:" \
markrad	0:cdf462088d13	3798	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3799
markrad	0:cdf462088d13	3800	client_needs_more_time 2
markrad	0:cdf462088d13	3801	run_test "DTLS proxy: 3d, FS, client auth" \
markrad	0:cdf462088d13	3802	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3803	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
markrad	0:cdf462088d13	3804	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad	0:cdf462088d13	3805	0 \
markrad	0:cdf462088d13	3806	-s "Extra-header:" \
markrad	0:cdf462088d13	3807	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3808
markrad	0:cdf462088d13	3809	client_needs_more_time 2
markrad	0:cdf462088d13	3810	run_test "DTLS proxy: 3d, FS, ticket" \
markrad	0:cdf462088d13	3811	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3812	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
markrad	0:cdf462088d13	3813	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad	0:cdf462088d13	3814	0 \
markrad	0:cdf462088d13	3815	-s "Extra-header:" \
markrad	0:cdf462088d13	3816	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3817
markrad	0:cdf462088d13	3818	client_needs_more_time 2
markrad	0:cdf462088d13	3819	run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
markrad	0:cdf462088d13	3820	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3821	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
markrad	0:cdf462088d13	3822	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad	0:cdf462088d13	3823	0 \
markrad	0:cdf462088d13	3824	-s "Extra-header:" \
markrad	0:cdf462088d13	3825	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3826
markrad	0:cdf462088d13	3827	client_needs_more_time 2
markrad	0:cdf462088d13	3828	run_test "DTLS proxy: 3d, max handshake, nbio" \
markrad	0:cdf462088d13	3829	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3830	"$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
markrad	0:cdf462088d13	3831	auth_mode=required" \
markrad	0:cdf462088d13	3832	"$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
markrad	0:cdf462088d13	3833	0 \
markrad	0:cdf462088d13	3834	-s "Extra-header:" \
markrad	0:cdf462088d13	3835	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3836
markrad	0:cdf462088d13	3837	client_needs_more_time 4
markrad	0:cdf462088d13	3838	run_test "DTLS proxy: 3d, min handshake, resumption" \
markrad	0:cdf462088d13	3839	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3840	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3841	psk=abc123 debug_level=3" \
markrad	0:cdf462088d13	3842	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3843	debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad	0:cdf462088d13	3844	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3845	0 \
markrad	0:cdf462088d13	3846	-s "a session has been resumed" \
markrad	0:cdf462088d13	3847	-c "a session has been resumed" \
markrad	0:cdf462088d13	3848	-s "Extra-header:" \
markrad	0:cdf462088d13	3849	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3850
markrad	0:cdf462088d13	3851	client_needs_more_time 4
markrad	0:cdf462088d13	3852	run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
markrad	0:cdf462088d13	3853	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3854	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3855	psk=abc123 debug_level=3 nbio=2" \
markrad	0:cdf462088d13	3856	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3857	debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad	0:cdf462088d13	3858	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
markrad	0:cdf462088d13	3859	0 \
markrad	0:cdf462088d13	3860	-s "a session has been resumed" \
markrad	0:cdf462088d13	3861	-c "a session has been resumed" \
markrad	0:cdf462088d13	3862	-s "Extra-header:" \
markrad	0:cdf462088d13	3863	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3864
markrad	0:cdf462088d13	3865	client_needs_more_time 4
markrad	0:cdf462088d13	3866	run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
markrad	0:cdf462088d13	3867	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3868	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3869	psk=abc123 renegotiation=1 debug_level=2" \
markrad	0:cdf462088d13	3870	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3871	renegotiate=1 debug_level=2 \
markrad	0:cdf462088d13	3872	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3873	0 \
markrad	0:cdf462088d13	3874	-c "=> renegotiate" \
markrad	0:cdf462088d13	3875	-s "=> renegotiate" \
markrad	0:cdf462088d13	3876	-s "Extra-header:" \
markrad	0:cdf462088d13	3877	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3878
markrad	0:cdf462088d13	3879	client_needs_more_time 4
markrad	0:cdf462088d13	3880	run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
markrad	0:cdf462088d13	3881	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3882	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3883	psk=abc123 renegotiation=1 debug_level=2" \
markrad	0:cdf462088d13	3884	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3885	renegotiate=1 debug_level=2 \
markrad	0:cdf462088d13	3886	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3887	0 \
markrad	0:cdf462088d13	3888	-c "=> renegotiate" \
markrad	0:cdf462088d13	3889	-s "=> renegotiate" \
markrad	0:cdf462088d13	3890	-s "Extra-header:" \
markrad	0:cdf462088d13	3891	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3892
markrad	0:cdf462088d13	3893	client_needs_more_time 4
markrad	0:cdf462088d13	3894	run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
markrad	0:cdf462088d13	3895	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3896	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3897	psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad	0:cdf462088d13	3898	debug_level=2" \
markrad	0:cdf462088d13	3899	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3900	renegotiation=1 exchanges=4 debug_level=2 \
markrad	0:cdf462088d13	3901	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3902	0 \
markrad	0:cdf462088d13	3903	-c "=> renegotiate" \
markrad	0:cdf462088d13	3904	-s "=> renegotiate" \
markrad	0:cdf462088d13	3905	-s "Extra-header:" \
markrad	0:cdf462088d13	3906	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3907
markrad	0:cdf462088d13	3908	client_needs_more_time 4
markrad	0:cdf462088d13	3909	run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
markrad	0:cdf462088d13	3910	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3911	"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad	0:cdf462088d13	3912	psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad	0:cdf462088d13	3913	debug_level=2 nbio=2" \
markrad	0:cdf462088d13	3914	"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad	0:cdf462088d13	3915	renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
markrad	0:cdf462088d13	3916	force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad	0:cdf462088d13	3917	0 \
markrad	0:cdf462088d13	3918	-c "=> renegotiate" \
markrad	0:cdf462088d13	3919	-s "=> renegotiate" \
markrad	0:cdf462088d13	3920	-s "Extra-header:" \
markrad	0:cdf462088d13	3921	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3922
markrad	0:cdf462088d13	3923	client_needs_more_time 6
markrad	0:cdf462088d13	3924	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3925	run_test "DTLS proxy: 3d, openssl server" \
markrad	0:cdf462088d13	3926	-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad	0:cdf462088d13	3927	"$O_SRV -dtls1 -mtu 2048" \
markrad	0:cdf462088d13	3928	"$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad	0:cdf462088d13	3929	0 \
markrad	0:cdf462088d13	3930	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3931
markrad	0:cdf462088d13	3932	client_needs_more_time 8
markrad	0:cdf462088d13	3933	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3934	run_test "DTLS proxy: 3d, openssl server, fragmentation" \
markrad	0:cdf462088d13	3935	-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad	0:cdf462088d13	3936	"$O_SRV -dtls1 -mtu 768" \
markrad	0:cdf462088d13	3937	"$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad	0:cdf462088d13	3938	0 \
markrad	0:cdf462088d13	3939	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3940
markrad	0:cdf462088d13	3941	client_needs_more_time 8
markrad	0:cdf462088d13	3942	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3943	run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
markrad	0:cdf462088d13	3944	-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad	0:cdf462088d13	3945	"$O_SRV -dtls1 -mtu 768" \
markrad	0:cdf462088d13	3946	"$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
markrad	0:cdf462088d13	3947	0 \
markrad	0:cdf462088d13	3948	-c "HTTP/1.0 200 OK"
markrad	0:cdf462088d13	3949
markrad	0:cdf462088d13	3950	requires_gnutls
markrad	0:cdf462088d13	3951	client_needs_more_time 6
markrad	0:cdf462088d13	3952	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3953	run_test "DTLS proxy: 3d, gnutls server" \
markrad	0:cdf462088d13	3954	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3955	"$G_SRV -u --mtu 2048 -a" \
markrad	0:cdf462088d13	3956	"$P_CLI dtls=1 hs_timeout=250-60000" \
markrad	0:cdf462088d13	3957	0 \
markrad	0:cdf462088d13	3958	-s "Extra-header:" \
markrad	0:cdf462088d13	3959	-c "Extra-header:"
markrad	0:cdf462088d13	3960
markrad	0:cdf462088d13	3961	requires_gnutls
markrad	0:cdf462088d13	3962	client_needs_more_time 8
markrad	0:cdf462088d13	3963	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3964	run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
markrad	0:cdf462088d13	3965	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3966	"$G_SRV -u --mtu 512" \
markrad	0:cdf462088d13	3967	"$P_CLI dtls=1 hs_timeout=250-60000" \
markrad	0:cdf462088d13	3968	0 \
markrad	0:cdf462088d13	3969	-s "Extra-header:" \
markrad	0:cdf462088d13	3970	-c "Extra-header:"
markrad	0:cdf462088d13	3971
markrad	0:cdf462088d13	3972	requires_gnutls
markrad	0:cdf462088d13	3973	client_needs_more_time 8
markrad	0:cdf462088d13	3974	not_with_valgrind # risk of non-mbedtls peer timing out
markrad	0:cdf462088d13	3975	run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
markrad	0:cdf462088d13	3976	-p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad	0:cdf462088d13	3977	"$G_SRV -u --mtu 512" \
markrad	0:cdf462088d13	3978	"$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
markrad	0:cdf462088d13	3979	0 \
markrad	0:cdf462088d13	3980	-s "Extra-header:" \
markrad	0:cdf462088d13	3981	-c "Extra-header:"
markrad	0:cdf462088d13	3982
markrad	0:cdf462088d13	3983	# Final report
markrad	0:cdf462088d13	3984
markrad	0:cdf462088d13	3985	echo "------------------------------------------------------------------------"
markrad	0:cdf462088d13	3986
markrad	0:cdf462088d13	3987	if [ $FAILS = 0 ]; then
markrad	0:cdf462088d13	3988	printf "PASSED"
markrad	0:cdf462088d13	3989	else
markrad	0:cdf462088d13	3990	printf "FAILED"
markrad	0:cdf462088d13	3991	fi
markrad	0:cdf462088d13	3992	PASSES=$(( $TESTS - $FAILS ))
markrad	0:cdf462088d13	3993	echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
markrad	0:cdf462088d13	3994
markrad	0:cdf462088d13	3995	exit $FAILS

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	29 Sep 2017
Imports:	3
Forks:	0
Commits:	3
Dependents:	0
Dependencies:	0
Followers:	5

This repository is Public (Unlisted).

The code in this repository is Apache licensed.

tests/ssl-opt.sh@2:bbdeda018a3c, 2017-09-29 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning