Mark Radbourne / mbedtls

mbed TLS Build

Dependents:   Encrypt_Decrypt1 mbed_blink_tls encrypt encrypt

tests/ssl-opt.sh@0:cdf462088d13, 2017-01-05 (annotated)

Committer:
markrad
Date:
Thu Jan 05 00:18:44 2017 +0000
Revision:
0:cdf462088d13
Initial commit

Who changed what in which revision?

UserRevisionLine numberNew contents of line
markrad 0:cdf462088d13 1 #!/bin/sh
markrad 0:cdf462088d13 2
markrad 0:cdf462088d13 3 # ssl-opt.sh
markrad 0:cdf462088d13 4 #
markrad 0:cdf462088d13 5 # This file is part of mbed TLS (https://tls.mbed.org)
markrad 0:cdf462088d13 6 #
markrad 0:cdf462088d13 7 # Copyright (c) 2016, ARM Limited, All Rights Reserved
markrad 0:cdf462088d13 8 #
markrad 0:cdf462088d13 9 # Purpose
markrad 0:cdf462088d13 10 #
markrad 0:cdf462088d13 11 # Executes tests to prove various TLS/SSL options and extensions.
markrad 0:cdf462088d13 12 #
markrad 0:cdf462088d13 13 # The goal is not to cover every ciphersuite/version, but instead to cover
markrad 0:cdf462088d13 14 # specific options (max fragment length, truncated hmac, etc) or procedures
markrad 0:cdf462088d13 15 # (session resumption from cache or ticket, renego, etc).
markrad 0:cdf462088d13 16 #
markrad 0:cdf462088d13 17 # The tests assume a build with default options, with exceptions expressed
markrad 0:cdf462088d13 18 # with a dependency. The tests focus on functionality and do not consider
markrad 0:cdf462088d13 19 # performance.
markrad 0:cdf462088d13 20 #
markrad 0:cdf462088d13 21
markrad 0:cdf462088d13 22 set -u
markrad 0:cdf462088d13 23
markrad 0:cdf462088d13 24 # default values, can be overriden by the environment
markrad 0:cdf462088d13 25 : ${P_SRV:=../programs/ssl/ssl_server2}
markrad 0:cdf462088d13 26 : ${P_CLI:=../programs/ssl/ssl_client2}
markrad 0:cdf462088d13 27 : ${P_PXY:=../programs/test/udp_proxy}
markrad 0:cdf462088d13 28 : ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
markrad 0:cdf462088d13 29 : ${GNUTLS_CLI:=gnutls-cli}
markrad 0:cdf462088d13 30 : ${GNUTLS_SERV:=gnutls-serv}
markrad 0:cdf462088d13 31
markrad 0:cdf462088d13 32 O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
markrad 0:cdf462088d13 33 O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
markrad 0:cdf462088d13 34 G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
markrad 0:cdf462088d13 35 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
markrad 0:cdf462088d13 36
markrad 0:cdf462088d13 37 TESTS=0
markrad 0:cdf462088d13 38 FAILS=0
markrad 0:cdf462088d13 39 SKIPS=0
markrad 0:cdf462088d13 40
markrad 0:cdf462088d13 41 CONFIG_H='../include/mbedtls/config.h'
markrad 0:cdf462088d13 42
markrad 0:cdf462088d13 43 MEMCHECK=0
markrad 0:cdf462088d13 44 FILTER='.*'
markrad 0:cdf462088d13 45 EXCLUDE='^$'
markrad 0:cdf462088d13 46
markrad 0:cdf462088d13 47 SHOW_TEST_NUMBER=0
markrad 0:cdf462088d13 48 RUN_TEST_NUMBER=''
markrad 0:cdf462088d13 49
markrad 0:cdf462088d13 50 PRESERVE_LOGS=0
markrad 0:cdf462088d13 51
markrad 0:cdf462088d13 52 print_usage() {
markrad 0:cdf462088d13 53 echo "Usage: $0 [options]"
markrad 0:cdf462088d13 54 printf " -h|--help\tPrint this help.\n"
markrad 0:cdf462088d13 55 printf " -m|--memcheck\tCheck memory leaks and errors.\n"
markrad 0:cdf462088d13 56 printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
markrad 0:cdf462088d13 57 printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
markrad 0:cdf462088d13 58 printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
markrad 0:cdf462088d13 59 printf " -s|--show-numbers\tShow test numbers in front of test names\n"
markrad 0:cdf462088d13 60 printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
markrad 0:cdf462088d13 61 printf " --seed\tInteger seed value to use for this test run\n"
markrad 0:cdf462088d13 62 }
markrad 0:cdf462088d13 63
markrad 0:cdf462088d13 64 get_options() {
markrad 0:cdf462088d13 65 while [ $# -gt 0 ]; do
markrad 0:cdf462088d13 66 case "$1" in
markrad 0:cdf462088d13 67 -f|--filter)
markrad 0:cdf462088d13 68 shift; FILTER=$1
markrad 0:cdf462088d13 69 ;;
markrad 0:cdf462088d13 70 -e|--exclude)
markrad 0:cdf462088d13 71 shift; EXCLUDE=$1
markrad 0:cdf462088d13 72 ;;
markrad 0:cdf462088d13 73 -m|--memcheck)
markrad 0:cdf462088d13 74 MEMCHECK=1
markrad 0:cdf462088d13 75 ;;
markrad 0:cdf462088d13 76 -n|--number)
markrad 0:cdf462088d13 77 shift; RUN_TEST_NUMBER=$1
markrad 0:cdf462088d13 78 ;;
markrad 0:cdf462088d13 79 -s|--show-numbers)
markrad 0:cdf462088d13 80 SHOW_TEST_NUMBER=1
markrad 0:cdf462088d13 81 ;;
markrad 0:cdf462088d13 82 -p|--preserve-logs)
markrad 0:cdf462088d13 83 PRESERVE_LOGS=1
markrad 0:cdf462088d13 84 ;;
markrad 0:cdf462088d13 85 --seed)
markrad 0:cdf462088d13 86 shift; SEED="$1"
markrad 0:cdf462088d13 87 ;;
markrad 0:cdf462088d13 88 -h|--help)
markrad 0:cdf462088d13 89 print_usage
markrad 0:cdf462088d13 90 exit 0
markrad 0:cdf462088d13 91 ;;
markrad 0:cdf462088d13 92 *)
markrad 0:cdf462088d13 93 echo "Unknown argument: '$1'"
markrad 0:cdf462088d13 94 print_usage
markrad 0:cdf462088d13 95 exit 1
markrad 0:cdf462088d13 96 ;;
markrad 0:cdf462088d13 97 esac
markrad 0:cdf462088d13 98 shift
markrad 0:cdf462088d13 99 done
markrad 0:cdf462088d13 100 }
markrad 0:cdf462088d13 101
markrad 0:cdf462088d13 102 # skip next test if the flag is not enabled in config.h
markrad 0:cdf462088d13 103 requires_config_enabled() {
markrad 0:cdf462088d13 104 if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
markrad 0:cdf462088d13 105 SKIP_NEXT="YES"
markrad 0:cdf462088d13 106 fi
markrad 0:cdf462088d13 107 }
markrad 0:cdf462088d13 108
markrad 0:cdf462088d13 109 # skip next test if OpenSSL doesn't support FALLBACK_SCSV
markrad 0:cdf462088d13 110 requires_openssl_with_fallback_scsv() {
markrad 0:cdf462088d13 111 if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
markrad 0:cdf462088d13 112 if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
markrad 0:cdf462088d13 113 then
markrad 0:cdf462088d13 114 OPENSSL_HAS_FBSCSV="YES"
markrad 0:cdf462088d13 115 else
markrad 0:cdf462088d13 116 OPENSSL_HAS_FBSCSV="NO"
markrad 0:cdf462088d13 117 fi
markrad 0:cdf462088d13 118 fi
markrad 0:cdf462088d13 119 if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then
markrad 0:cdf462088d13 120 SKIP_NEXT="YES"
markrad 0:cdf462088d13 121 fi
markrad 0:cdf462088d13 122 }
markrad 0:cdf462088d13 123
markrad 0:cdf462088d13 124 # skip next test if GnuTLS isn't available
markrad 0:cdf462088d13 125 requires_gnutls() {
markrad 0:cdf462088d13 126 if [ -z "${GNUTLS_AVAILABLE:-}" ]; then
markrad 0:cdf462088d13 127 if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then
markrad 0:cdf462088d13 128 GNUTLS_AVAILABLE="YES"
markrad 0:cdf462088d13 129 else
markrad 0:cdf462088d13 130 GNUTLS_AVAILABLE="NO"
markrad 0:cdf462088d13 131 fi
markrad 0:cdf462088d13 132 fi
markrad 0:cdf462088d13 133 if [ "$GNUTLS_AVAILABLE" = "NO" ]; then
markrad 0:cdf462088d13 134 SKIP_NEXT="YES"
markrad 0:cdf462088d13 135 fi
markrad 0:cdf462088d13 136 }
markrad 0:cdf462088d13 137
markrad 0:cdf462088d13 138 # skip next test if IPv6 isn't available on this host
markrad 0:cdf462088d13 139 requires_ipv6() {
markrad 0:cdf462088d13 140 if [ -z "${HAS_IPV6:-}" ]; then
markrad 0:cdf462088d13 141 $P_SRV server_addr='::1' > $SRV_OUT 2>&1 &
markrad 0:cdf462088d13 142 SRV_PID=$!
markrad 0:cdf462088d13 143 sleep 1
markrad 0:cdf462088d13 144 kill $SRV_PID >/dev/null 2>&1
markrad 0:cdf462088d13 145 if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then
markrad 0:cdf462088d13 146 HAS_IPV6="NO"
markrad 0:cdf462088d13 147 else
markrad 0:cdf462088d13 148 HAS_IPV6="YES"
markrad 0:cdf462088d13 149 fi
markrad 0:cdf462088d13 150 rm -r $SRV_OUT
markrad 0:cdf462088d13 151 fi
markrad 0:cdf462088d13 152
markrad 0:cdf462088d13 153 if [ "$HAS_IPV6" = "NO" ]; then
markrad 0:cdf462088d13 154 SKIP_NEXT="YES"
markrad 0:cdf462088d13 155 fi
markrad 0:cdf462088d13 156 }
markrad 0:cdf462088d13 157
markrad 0:cdf462088d13 158 # skip the next test if valgrind is in use
markrad 0:cdf462088d13 159 not_with_valgrind() {
markrad 0:cdf462088d13 160 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 161 SKIP_NEXT="YES"
markrad 0:cdf462088d13 162 fi
markrad 0:cdf462088d13 163 }
markrad 0:cdf462088d13 164
markrad 0:cdf462088d13 165 # skip the next test if valgrind is NOT in use
markrad 0:cdf462088d13 166 only_with_valgrind() {
markrad 0:cdf462088d13 167 if [ "$MEMCHECK" -eq 0 ]; then
markrad 0:cdf462088d13 168 SKIP_NEXT="YES"
markrad 0:cdf462088d13 169 fi
markrad 0:cdf462088d13 170 }
markrad 0:cdf462088d13 171
markrad 0:cdf462088d13 172 # multiply the client timeout delay by the given factor for the next test
markrad 0:cdf462088d13 173 client_needs_more_time() {
markrad 0:cdf462088d13 174 CLI_DELAY_FACTOR=$1
markrad 0:cdf462088d13 175 }
markrad 0:cdf462088d13 176
markrad 0:cdf462088d13 177 # wait for the given seconds after the client finished in the next test
markrad 0:cdf462088d13 178 server_needs_more_time() {
markrad 0:cdf462088d13 179 SRV_DELAY_SECONDS=$1
markrad 0:cdf462088d13 180 }
markrad 0:cdf462088d13 181
markrad 0:cdf462088d13 182 # print_name <name>
markrad 0:cdf462088d13 183 print_name() {
markrad 0:cdf462088d13 184 TESTS=$(( $TESTS + 1 ))
markrad 0:cdf462088d13 185 LINE=""
markrad 0:cdf462088d13 186
markrad 0:cdf462088d13 187 if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
markrad 0:cdf462088d13 188 LINE="$TESTS "
markrad 0:cdf462088d13 189 fi
markrad 0:cdf462088d13 190
markrad 0:cdf462088d13 191 LINE="$LINE$1"
markrad 0:cdf462088d13 192 printf "$LINE "
markrad 0:cdf462088d13 193 LEN=$(( 72 - `echo "$LINE" | wc -c` ))
markrad 0:cdf462088d13 194 for i in `seq 1 $LEN`; do printf '.'; done
markrad 0:cdf462088d13 195 printf ' '
markrad 0:cdf462088d13 196
markrad 0:cdf462088d13 197 }
markrad 0:cdf462088d13 198
markrad 0:cdf462088d13 199 # fail <message>
markrad 0:cdf462088d13 200 fail() {
markrad 0:cdf462088d13 201 echo "FAIL"
markrad 0:cdf462088d13 202 echo " ! $1"
markrad 0:cdf462088d13 203
markrad 0:cdf462088d13 204 mv $SRV_OUT o-srv-${TESTS}.log
markrad 0:cdf462088d13 205 mv $CLI_OUT o-cli-${TESTS}.log
markrad 0:cdf462088d13 206 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 207 mv $PXY_OUT o-pxy-${TESTS}.log
markrad 0:cdf462088d13 208 fi
markrad 0:cdf462088d13 209 echo " ! outputs saved to o-XXX-${TESTS}.log"
markrad 0:cdf462088d13 210
markrad 0:cdf462088d13 211 if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot ]; then
markrad 0:cdf462088d13 212 echo " ! server output:"
markrad 0:cdf462088d13 213 cat o-srv-${TESTS}.log
markrad 0:cdf462088d13 214 echo " ! ========================================================"
markrad 0:cdf462088d13 215 echo " ! client output:"
markrad 0:cdf462088d13 216 cat o-cli-${TESTS}.log
markrad 0:cdf462088d13 217 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 218 echo " ! ========================================================"
markrad 0:cdf462088d13 219 echo " ! proxy output:"
markrad 0:cdf462088d13 220 cat o-pxy-${TESTS}.log
markrad 0:cdf462088d13 221 fi
markrad 0:cdf462088d13 222 echo ""
markrad 0:cdf462088d13 223 fi
markrad 0:cdf462088d13 224
markrad 0:cdf462088d13 225 FAILS=$(( $FAILS + 1 ))
markrad 0:cdf462088d13 226 }
markrad 0:cdf462088d13 227
markrad 0:cdf462088d13 228 # is_polar <cmd_line>
markrad 0:cdf462088d13 229 is_polar() {
markrad 0:cdf462088d13 230 echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
markrad 0:cdf462088d13 231 }
markrad 0:cdf462088d13 232
markrad 0:cdf462088d13 233 # openssl s_server doesn't have -www with DTLS
markrad 0:cdf462088d13 234 check_osrv_dtls() {
markrad 0:cdf462088d13 235 if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then
markrad 0:cdf462088d13 236 NEEDS_INPUT=1
markrad 0:cdf462088d13 237 SRV_CMD="$( echo $SRV_CMD | sed s/-www// )"
markrad 0:cdf462088d13 238 else
markrad 0:cdf462088d13 239 NEEDS_INPUT=0
markrad 0:cdf462088d13 240 fi
markrad 0:cdf462088d13 241 }
markrad 0:cdf462088d13 242
markrad 0:cdf462088d13 243 # provide input to commands that need it
markrad 0:cdf462088d13 244 provide_input() {
markrad 0:cdf462088d13 245 if [ $NEEDS_INPUT -eq 0 ]; then
markrad 0:cdf462088d13 246 return
markrad 0:cdf462088d13 247 fi
markrad 0:cdf462088d13 248
markrad 0:cdf462088d13 249 while true; do
markrad 0:cdf462088d13 250 echo "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 251 sleep 1
markrad 0:cdf462088d13 252 done
markrad 0:cdf462088d13 253 }
markrad 0:cdf462088d13 254
markrad 0:cdf462088d13 255 # has_mem_err <log_file_name>
markrad 0:cdf462088d13 256 has_mem_err() {
markrad 0:cdf462088d13 257 if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
markrad 0:cdf462088d13 258 grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
markrad 0:cdf462088d13 259 then
markrad 0:cdf462088d13 260 return 1 # false: does not have errors
markrad 0:cdf462088d13 261 else
markrad 0:cdf462088d13 262 return 0 # true: has errors
markrad 0:cdf462088d13 263 fi
markrad 0:cdf462088d13 264 }
markrad 0:cdf462088d13 265
markrad 0:cdf462088d13 266 # wait for server to start: two versions depending on lsof availability
markrad 0:cdf462088d13 267 wait_server_start() {
markrad 0:cdf462088d13 268 if which lsof >/dev/null 2>&1; then
markrad 0:cdf462088d13 269 START_TIME=$( date +%s )
markrad 0:cdf462088d13 270 DONE=0
markrad 0:cdf462088d13 271
markrad 0:cdf462088d13 272 # make a tight loop, server usually takes less than 1 sec to start
markrad 0:cdf462088d13 273 if [ "$DTLS" -eq 1 ]; then
markrad 0:cdf462088d13 274 while [ $DONE -eq 0 ]; do
markrad 0:cdf462088d13 275 if lsof -nbi UDP:"$SRV_PORT" 2>/dev/null | grep UDP >/dev/null
markrad 0:cdf462088d13 276 then
markrad 0:cdf462088d13 277 DONE=1
markrad 0:cdf462088d13 278 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad 0:cdf462088d13 279 echo "SERVERSTART TIMEOUT"
markrad 0:cdf462088d13 280 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad 0:cdf462088d13 281 DONE=1
markrad 0:cdf462088d13 282 fi
markrad 0:cdf462088d13 283 done
markrad 0:cdf462088d13 284 else
markrad 0:cdf462088d13 285 while [ $DONE -eq 0 ]; do
markrad 0:cdf462088d13 286 if lsof -nbi TCP:"$SRV_PORT" 2>/dev/null | grep LISTEN >/dev/null
markrad 0:cdf462088d13 287 then
markrad 0:cdf462088d13 288 DONE=1
markrad 0:cdf462088d13 289 elif [ $(( $( date +%s ) - $START_TIME )) -gt $DOG_DELAY ]; then
markrad 0:cdf462088d13 290 echo "SERVERSTART TIMEOUT"
markrad 0:cdf462088d13 291 echo "SERVERSTART TIMEOUT" >> $SRV_OUT
markrad 0:cdf462088d13 292 DONE=1
markrad 0:cdf462088d13 293 fi
markrad 0:cdf462088d13 294 done
markrad 0:cdf462088d13 295 fi
markrad 0:cdf462088d13 296 else
markrad 0:cdf462088d13 297 sleep "$START_DELAY"
markrad 0:cdf462088d13 298 fi
markrad 0:cdf462088d13 299 }
markrad 0:cdf462088d13 300
markrad 0:cdf462088d13 301 # wait for client to terminate and set CLI_EXIT
markrad 0:cdf462088d13 302 # must be called right after starting the client
markrad 0:cdf462088d13 303 wait_client_done() {
markrad 0:cdf462088d13 304 CLI_PID=$!
markrad 0:cdf462088d13 305
markrad 0:cdf462088d13 306 CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR ))
markrad 0:cdf462088d13 307 CLI_DELAY_FACTOR=1
markrad 0:cdf462088d13 308
markrad 0:cdf462088d13 309 ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) &
markrad 0:cdf462088d13 310 DOG_PID=$!
markrad 0:cdf462088d13 311
markrad 0:cdf462088d13 312 wait $CLI_PID
markrad 0:cdf462088d13 313 CLI_EXIT=$?
markrad 0:cdf462088d13 314
markrad 0:cdf462088d13 315 kill $DOG_PID >/dev/null 2>&1
markrad 0:cdf462088d13 316 wait $DOG_PID
markrad 0:cdf462088d13 317
markrad 0:cdf462088d13 318 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
markrad 0:cdf462088d13 319
markrad 0:cdf462088d13 320 sleep $SRV_DELAY_SECONDS
markrad 0:cdf462088d13 321 SRV_DELAY_SECONDS=0
markrad 0:cdf462088d13 322 }
markrad 0:cdf462088d13 323
markrad 0:cdf462088d13 324 # check if the given command uses dtls and sets global variable DTLS
markrad 0:cdf462088d13 325 detect_dtls() {
markrad 0:cdf462088d13 326 if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then
markrad 0:cdf462088d13 327 DTLS=1
markrad 0:cdf462088d13 328 else
markrad 0:cdf462088d13 329 DTLS=0
markrad 0:cdf462088d13 330 fi
markrad 0:cdf462088d13 331 }
markrad 0:cdf462088d13 332
markrad 0:cdf462088d13 333 # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
markrad 0:cdf462088d13 334 # Options: -s pattern pattern that must be present in server output
markrad 0:cdf462088d13 335 # -c pattern pattern that must be present in client output
markrad 0:cdf462088d13 336 # -u pattern lines after pattern must be unique in client output
markrad 0:cdf462088d13 337 # -S pattern pattern that must be absent in server output
markrad 0:cdf462088d13 338 # -C pattern pattern that must be absent in client output
markrad 0:cdf462088d13 339 # -U pattern lines after pattern must be unique in server output
markrad 0:cdf462088d13 340 run_test() {
markrad 0:cdf462088d13 341 NAME="$1"
markrad 0:cdf462088d13 342 shift 1
markrad 0:cdf462088d13 343
markrad 0:cdf462088d13 344 if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then :
markrad 0:cdf462088d13 345 else
markrad 0:cdf462088d13 346 SKIP_NEXT="NO"
markrad 0:cdf462088d13 347 return
markrad 0:cdf462088d13 348 fi
markrad 0:cdf462088d13 349
markrad 0:cdf462088d13 350 print_name "$NAME"
markrad 0:cdf462088d13 351
markrad 0:cdf462088d13 352 # Do we only run numbered tests?
markrad 0:cdf462088d13 353 if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
markrad 0:cdf462088d13 354 elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
markrad 0:cdf462088d13 355 else
markrad 0:cdf462088d13 356 SKIP_NEXT="YES"
markrad 0:cdf462088d13 357 fi
markrad 0:cdf462088d13 358
markrad 0:cdf462088d13 359 # should we skip?
markrad 0:cdf462088d13 360 if [ "X$SKIP_NEXT" = "XYES" ]; then
markrad 0:cdf462088d13 361 SKIP_NEXT="NO"
markrad 0:cdf462088d13 362 echo "SKIP"
markrad 0:cdf462088d13 363 SKIPS=$(( $SKIPS + 1 ))
markrad 0:cdf462088d13 364 return
markrad 0:cdf462088d13 365 fi
markrad 0:cdf462088d13 366
markrad 0:cdf462088d13 367 # does this test use a proxy?
markrad 0:cdf462088d13 368 if [ "X$1" = "X-p" ]; then
markrad 0:cdf462088d13 369 PXY_CMD="$2"
markrad 0:cdf462088d13 370 shift 2
markrad 0:cdf462088d13 371 else
markrad 0:cdf462088d13 372 PXY_CMD=""
markrad 0:cdf462088d13 373 fi
markrad 0:cdf462088d13 374
markrad 0:cdf462088d13 375 # get commands and client output
markrad 0:cdf462088d13 376 SRV_CMD="$1"
markrad 0:cdf462088d13 377 CLI_CMD="$2"
markrad 0:cdf462088d13 378 CLI_EXPECT="$3"
markrad 0:cdf462088d13 379 shift 3
markrad 0:cdf462088d13 380
markrad 0:cdf462088d13 381 # fix client port
markrad 0:cdf462088d13 382 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 383 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
markrad 0:cdf462088d13 384 else
markrad 0:cdf462088d13 385 CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
markrad 0:cdf462088d13 386 fi
markrad 0:cdf462088d13 387
markrad 0:cdf462088d13 388 # update DTLS variable
markrad 0:cdf462088d13 389 detect_dtls "$SRV_CMD"
markrad 0:cdf462088d13 390
markrad 0:cdf462088d13 391 # prepend valgrind to our commands if active
markrad 0:cdf462088d13 392 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 393 if is_polar "$SRV_CMD"; then
markrad 0:cdf462088d13 394 SRV_CMD="valgrind --leak-check=full $SRV_CMD"
markrad 0:cdf462088d13 395 fi
markrad 0:cdf462088d13 396 if is_polar "$CLI_CMD"; then
markrad 0:cdf462088d13 397 CLI_CMD="valgrind --leak-check=full $CLI_CMD"
markrad 0:cdf462088d13 398 fi
markrad 0:cdf462088d13 399 fi
markrad 0:cdf462088d13 400
markrad 0:cdf462088d13 401 TIMES_LEFT=2
markrad 0:cdf462088d13 402 while [ $TIMES_LEFT -gt 0 ]; do
markrad 0:cdf462088d13 403 TIMES_LEFT=$(( $TIMES_LEFT - 1 ))
markrad 0:cdf462088d13 404
markrad 0:cdf462088d13 405 # run the commands
markrad 0:cdf462088d13 406 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 407 echo "$PXY_CMD" > $PXY_OUT
markrad 0:cdf462088d13 408 $PXY_CMD >> $PXY_OUT 2>&1 &
markrad 0:cdf462088d13 409 PXY_PID=$!
markrad 0:cdf462088d13 410 # assume proxy starts faster than server
markrad 0:cdf462088d13 411 fi
markrad 0:cdf462088d13 412
markrad 0:cdf462088d13 413 check_osrv_dtls
markrad 0:cdf462088d13 414 echo "$SRV_CMD" > $SRV_OUT
markrad 0:cdf462088d13 415 provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
markrad 0:cdf462088d13 416 SRV_PID=$!
markrad 0:cdf462088d13 417 wait_server_start
markrad 0:cdf462088d13 418
markrad 0:cdf462088d13 419 echo "$CLI_CMD" > $CLI_OUT
markrad 0:cdf462088d13 420 eval "$CLI_CMD" >> $CLI_OUT 2>&1 &
markrad 0:cdf462088d13 421 wait_client_done
markrad 0:cdf462088d13 422
markrad 0:cdf462088d13 423 # terminate the server (and the proxy)
markrad 0:cdf462088d13 424 kill $SRV_PID
markrad 0:cdf462088d13 425 wait $SRV_PID
markrad 0:cdf462088d13 426 if [ -n "$PXY_CMD" ]; then
markrad 0:cdf462088d13 427 kill $PXY_PID >/dev/null 2>&1
markrad 0:cdf462088d13 428 wait $PXY_PID
markrad 0:cdf462088d13 429 fi
markrad 0:cdf462088d13 430
markrad 0:cdf462088d13 431 # retry only on timeouts
markrad 0:cdf462088d13 432 if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then
markrad 0:cdf462088d13 433 printf "RETRY "
markrad 0:cdf462088d13 434 else
markrad 0:cdf462088d13 435 TIMES_LEFT=0
markrad 0:cdf462088d13 436 fi
markrad 0:cdf462088d13 437 done
markrad 0:cdf462088d13 438
markrad 0:cdf462088d13 439 # check if the client and server went at least to the handshake stage
markrad 0:cdf462088d13 440 # (useful to avoid tests with only negative assertions and non-zero
markrad 0:cdf462088d13 441 # expected client exit to incorrectly succeed in case of catastrophic
markrad 0:cdf462088d13 442 # failure)
markrad 0:cdf462088d13 443 if is_polar "$SRV_CMD"; then
markrad 0:cdf462088d13 444 if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :;
markrad 0:cdf462088d13 445 else
markrad 0:cdf462088d13 446 fail "server or client failed to reach handshake stage"
markrad 0:cdf462088d13 447 return
markrad 0:cdf462088d13 448 fi
markrad 0:cdf462088d13 449 fi
markrad 0:cdf462088d13 450 if is_polar "$CLI_CMD"; then
markrad 0:cdf462088d13 451 if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :;
markrad 0:cdf462088d13 452 else
markrad 0:cdf462088d13 453 fail "server or client failed to reach handshake stage"
markrad 0:cdf462088d13 454 return
markrad 0:cdf462088d13 455 fi
markrad 0:cdf462088d13 456 fi
markrad 0:cdf462088d13 457
markrad 0:cdf462088d13 458 # check server exit code
markrad 0:cdf462088d13 459 if [ $? != 0 ]; then
markrad 0:cdf462088d13 460 fail "server fail"
markrad 0:cdf462088d13 461 return
markrad 0:cdf462088d13 462 fi
markrad 0:cdf462088d13 463
markrad 0:cdf462088d13 464 # check client exit code
markrad 0:cdf462088d13 465 if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
markrad 0:cdf462088d13 466 \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
markrad 0:cdf462088d13 467 then
markrad 0:cdf462088d13 468 fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)"
markrad 0:cdf462088d13 469 return
markrad 0:cdf462088d13 470 fi
markrad 0:cdf462088d13 471
markrad 0:cdf462088d13 472 # check other assertions
markrad 0:cdf462088d13 473 # lines beginning with == are added by valgrind, ignore them
markrad 0:cdf462088d13 474 # lines with 'Serious error when reading debug info', are valgrind issues as well
markrad 0:cdf462088d13 475 while [ $# -gt 0 ]
markrad 0:cdf462088d13 476 do
markrad 0:cdf462088d13 477 case $1 in
markrad 0:cdf462088d13 478 "-s")
markrad 0:cdf462088d13 479 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
markrad 0:cdf462088d13 480 fail "pattern '$2' MUST be present in the Server output"
markrad 0:cdf462088d13 481 return
markrad 0:cdf462088d13 482 fi
markrad 0:cdf462088d13 483 ;;
markrad 0:cdf462088d13 484
markrad 0:cdf462088d13 485 "-c")
markrad 0:cdf462088d13 486 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else
markrad 0:cdf462088d13 487 fail "pattern '$2' MUST be present in the Client output"
markrad 0:cdf462088d13 488 return
markrad 0:cdf462088d13 489 fi
markrad 0:cdf462088d13 490 ;;
markrad 0:cdf462088d13 491
markrad 0:cdf462088d13 492 "-S")
markrad 0:cdf462088d13 493 if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
markrad 0:cdf462088d13 494 fail "pattern '$2' MUST NOT be present in the Server output"
markrad 0:cdf462088d13 495 return
markrad 0:cdf462088d13 496 fi
markrad 0:cdf462088d13 497 ;;
markrad 0:cdf462088d13 498
markrad 0:cdf462088d13 499 "-C")
markrad 0:cdf462088d13 500 if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then
markrad 0:cdf462088d13 501 fail "pattern '$2' MUST NOT be present in the Client output"
markrad 0:cdf462088d13 502 return
markrad 0:cdf462088d13 503 fi
markrad 0:cdf462088d13 504 ;;
markrad 0:cdf462088d13 505
markrad 0:cdf462088d13 506 # The filtering in the following two options (-u and -U) do the following
markrad 0:cdf462088d13 507 # - ignore valgrind output
markrad 0:cdf462088d13 508 # - filter out everything but lines right after the pattern occurances
markrad 0:cdf462088d13 509 # - keep one of each non-unique line
markrad 0:cdf462088d13 510 # - count how many lines remain
markrad 0:cdf462088d13 511 # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1
markrad 0:cdf462088d13 512 # if there were no duplicates.
markrad 0:cdf462088d13 513 "-U")
markrad 0:cdf462088d13 514 if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
markrad 0:cdf462088d13 515 fail "lines following pattern '$2' must be unique in Server output"
markrad 0:cdf462088d13 516 return
markrad 0:cdf462088d13 517 fi
markrad 0:cdf462088d13 518 ;;
markrad 0:cdf462088d13 519
markrad 0:cdf462088d13 520 "-u")
markrad 0:cdf462088d13 521 if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then
markrad 0:cdf462088d13 522 fail "lines following pattern '$2' must be unique in Client output"
markrad 0:cdf462088d13 523 return
markrad 0:cdf462088d13 524 fi
markrad 0:cdf462088d13 525 ;;
markrad 0:cdf462088d13 526
markrad 0:cdf462088d13 527 *)
markrad 0:cdf462088d13 528 echo "Unknown test: $1" >&2
markrad 0:cdf462088d13 529 exit 1
markrad 0:cdf462088d13 530 esac
markrad 0:cdf462088d13 531 shift 2
markrad 0:cdf462088d13 532 done
markrad 0:cdf462088d13 533
markrad 0:cdf462088d13 534 # check valgrind's results
markrad 0:cdf462088d13 535 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 536 if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then
markrad 0:cdf462088d13 537 fail "Server has memory errors"
markrad 0:cdf462088d13 538 return
markrad 0:cdf462088d13 539 fi
markrad 0:cdf462088d13 540 if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then
markrad 0:cdf462088d13 541 fail "Client has memory errors"
markrad 0:cdf462088d13 542 return
markrad 0:cdf462088d13 543 fi
markrad 0:cdf462088d13 544 fi
markrad 0:cdf462088d13 545
markrad 0:cdf462088d13 546 # if we're here, everything is ok
markrad 0:cdf462088d13 547 echo "PASS"
markrad 0:cdf462088d13 548 if [ "$PRESERVE_LOGS" -gt 0 ]; then
markrad 0:cdf462088d13 549 mv $SRV_OUT o-srv-${TESTS}.log
markrad 0:cdf462088d13 550 mv $CLI_OUT o-cli-${TESTS}.log
markrad 0:cdf462088d13 551 fi
markrad 0:cdf462088d13 552
markrad 0:cdf462088d13 553 rm -f $SRV_OUT $CLI_OUT $PXY_OUT
markrad 0:cdf462088d13 554 }
markrad 0:cdf462088d13 555
markrad 0:cdf462088d13 556 cleanup() {
markrad 0:cdf462088d13 557 rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
markrad 0:cdf462088d13 558 test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
markrad 0:cdf462088d13 559 test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1
markrad 0:cdf462088d13 560 test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1
markrad 0:cdf462088d13 561 test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1
markrad 0:cdf462088d13 562 exit 1
markrad 0:cdf462088d13 563 }
markrad 0:cdf462088d13 564
markrad 0:cdf462088d13 565 #
markrad 0:cdf462088d13 566 # MAIN
markrad 0:cdf462088d13 567 #
markrad 0:cdf462088d13 568
markrad 0:cdf462088d13 569 if cd $( dirname $0 ); then :; else
markrad 0:cdf462088d13 570 echo "cd $( dirname $0 ) failed" >&2
markrad 0:cdf462088d13 571 exit 1
markrad 0:cdf462088d13 572 fi
markrad 0:cdf462088d13 573
markrad 0:cdf462088d13 574 get_options "$@"
markrad 0:cdf462088d13 575
markrad 0:cdf462088d13 576 # sanity checks, avoid an avalanche of errors
markrad 0:cdf462088d13 577 if [ ! -x "$P_SRV" ]; then
markrad 0:cdf462088d13 578 echo "Command '$P_SRV' is not an executable file"
markrad 0:cdf462088d13 579 exit 1
markrad 0:cdf462088d13 580 fi
markrad 0:cdf462088d13 581 if [ ! -x "$P_CLI" ]; then
markrad 0:cdf462088d13 582 echo "Command '$P_CLI' is not an executable file"
markrad 0:cdf462088d13 583 exit 1
markrad 0:cdf462088d13 584 fi
markrad 0:cdf462088d13 585 if [ ! -x "$P_PXY" ]; then
markrad 0:cdf462088d13 586 echo "Command '$P_PXY' is not an executable file"
markrad 0:cdf462088d13 587 exit 1
markrad 0:cdf462088d13 588 fi
markrad 0:cdf462088d13 589 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 590 if which valgrind >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 591 echo "Memcheck not possible. Valgrind not found"
markrad 0:cdf462088d13 592 exit 1
markrad 0:cdf462088d13 593 fi
markrad 0:cdf462088d13 594 fi
markrad 0:cdf462088d13 595 if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
markrad 0:cdf462088d13 596 echo "Command '$OPENSSL_CMD' not found"
markrad 0:cdf462088d13 597 exit 1
markrad 0:cdf462088d13 598 fi
markrad 0:cdf462088d13 599
markrad 0:cdf462088d13 600 # used by watchdog
markrad 0:cdf462088d13 601 MAIN_PID="$$"
markrad 0:cdf462088d13 602
markrad 0:cdf462088d13 603 # be more patient with valgrind
markrad 0:cdf462088d13 604 if [ "$MEMCHECK" -gt 0 ]; then
markrad 0:cdf462088d13 605 START_DELAY=3
markrad 0:cdf462088d13 606 DOG_DELAY=30
markrad 0:cdf462088d13 607 else
markrad 0:cdf462088d13 608 START_DELAY=1
markrad 0:cdf462088d13 609 DOG_DELAY=10
markrad 0:cdf462088d13 610 fi
markrad 0:cdf462088d13 611 CLI_DELAY_FACTOR=1
markrad 0:cdf462088d13 612 SRV_DELAY_SECONDS=0
markrad 0:cdf462088d13 613
markrad 0:cdf462088d13 614 # Pick a "unique" server port in the range 10000-19999, and a proxy port
markrad 0:cdf462088d13 615 PORT_BASE="0000$$"
markrad 0:cdf462088d13 616 PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
markrad 0:cdf462088d13 617 SRV_PORT="1$PORT_BASE"
markrad 0:cdf462088d13 618 PXY_PORT="2$PORT_BASE"
markrad 0:cdf462088d13 619 unset PORT_BASE
markrad 0:cdf462088d13 620
markrad 0:cdf462088d13 621 # fix commands to use this port, force IPv4 while at it
markrad 0:cdf462088d13 622 # +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later
markrad 0:cdf462088d13 623 P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT"
markrad 0:cdf462088d13 624 P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT"
markrad 0:cdf462088d13 625 P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}"
markrad 0:cdf462088d13 626 O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
markrad 0:cdf462088d13 627 O_CLI="$O_CLI -connect localhost:+SRV_PORT"
markrad 0:cdf462088d13 628 G_SRV="$G_SRV -p $SRV_PORT"
markrad 0:cdf462088d13 629 G_CLI="$G_CLI -p +SRV_PORT localhost"
markrad 0:cdf462088d13 630
markrad 0:cdf462088d13 631 # Also pick a unique name for intermediate files
markrad 0:cdf462088d13 632 SRV_OUT="srv_out.$$"
markrad 0:cdf462088d13 633 CLI_OUT="cli_out.$$"
markrad 0:cdf462088d13 634 PXY_OUT="pxy_out.$$"
markrad 0:cdf462088d13 635 SESSION="session.$$"
markrad 0:cdf462088d13 636
markrad 0:cdf462088d13 637 SKIP_NEXT="NO"
markrad 0:cdf462088d13 638
markrad 0:cdf462088d13 639 trap cleanup INT TERM HUP
markrad 0:cdf462088d13 640
markrad 0:cdf462088d13 641 # Basic test
markrad 0:cdf462088d13 642
markrad 0:cdf462088d13 643 # Checks that:
markrad 0:cdf462088d13 644 # - things work with all ciphersuites active (used with config-full in all.sh)
markrad 0:cdf462088d13 645 # - the expected (highest security) parameters are selected
markrad 0:cdf462088d13 646 # ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
markrad 0:cdf462088d13 647 run_test "Default" \
markrad 0:cdf462088d13 648 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 649 "$P_CLI" \
markrad 0:cdf462088d13 650 0 \
markrad 0:cdf462088d13 651 -s "Protocol is TLSv1.2" \
markrad 0:cdf462088d13 652 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 653 -s "client hello v3, signature_algorithm ext: 6" \
markrad 0:cdf462088d13 654 -s "ECDHE curve: secp521r1" \
markrad 0:cdf462088d13 655 -S "error" \
markrad 0:cdf462088d13 656 -C "error"
markrad 0:cdf462088d13 657
markrad 0:cdf462088d13 658 run_test "Default, DTLS" \
markrad 0:cdf462088d13 659 "$P_SRV dtls=1" \
markrad 0:cdf462088d13 660 "$P_CLI dtls=1" \
markrad 0:cdf462088d13 661 0 \
markrad 0:cdf462088d13 662 -s "Protocol is DTLSv1.2" \
markrad 0:cdf462088d13 663 -s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
markrad 0:cdf462088d13 664
markrad 0:cdf462088d13 665 # Test for uniqueness of IVs in AEAD ciphersuites
markrad 0:cdf462088d13 666 run_test "Unique IV in GCM" \
markrad 0:cdf462088d13 667 "$P_SRV exchanges=20 debug_level=4" \
markrad 0:cdf462088d13 668 "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 669 0 \
markrad 0:cdf462088d13 670 -u "IV used" \
markrad 0:cdf462088d13 671 -U "IV used"
markrad 0:cdf462088d13 672
markrad 0:cdf462088d13 673 # Tests for rc4 option
markrad 0:cdf462088d13 674
markrad 0:cdf462088d13 675 requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad 0:cdf462088d13 676 run_test "RC4: server disabled, client enabled" \
markrad 0:cdf462088d13 677 "$P_SRV" \
markrad 0:cdf462088d13 678 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 679 1 \
markrad 0:cdf462088d13 680 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 681
markrad 0:cdf462088d13 682 requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
markrad 0:cdf462088d13 683 run_test "RC4: server half, client enabled" \
markrad 0:cdf462088d13 684 "$P_SRV arc4=1" \
markrad 0:cdf462088d13 685 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 686 1 \
markrad 0:cdf462088d13 687 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 688
markrad 0:cdf462088d13 689 run_test "RC4: server enabled, client disabled" \
markrad 0:cdf462088d13 690 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 691 "$P_CLI" \
markrad 0:cdf462088d13 692 1 \
markrad 0:cdf462088d13 693 -s "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 694
markrad 0:cdf462088d13 695 run_test "RC4: both enabled" \
markrad 0:cdf462088d13 696 "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 697 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 698 0 \
markrad 0:cdf462088d13 699 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 700 -S "SSL - The server has no ciphersuites in common"
markrad 0:cdf462088d13 701
markrad 0:cdf462088d13 702 # Tests for Truncated HMAC extension
markrad 0:cdf462088d13 703
markrad 0:cdf462088d13 704 run_test "Truncated HMAC: client default, server default" \
markrad 0:cdf462088d13 705 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 706 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 707 0 \
markrad 0:cdf462088d13 708 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 709 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 710
markrad 0:cdf462088d13 711 run_test "Truncated HMAC: client disabled, server default" \
markrad 0:cdf462088d13 712 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 713 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 714 trunc_hmac=0" \
markrad 0:cdf462088d13 715 0 \
markrad 0:cdf462088d13 716 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 717 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 718
markrad 0:cdf462088d13 719 run_test "Truncated HMAC: client enabled, server default" \
markrad 0:cdf462088d13 720 "$P_SRV debug_level=4" \
markrad 0:cdf462088d13 721 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 722 trunc_hmac=1" \
markrad 0:cdf462088d13 723 0 \
markrad 0:cdf462088d13 724 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 725 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 726
markrad 0:cdf462088d13 727 run_test "Truncated HMAC: client enabled, server disabled" \
markrad 0:cdf462088d13 728 "$P_SRV debug_level=4 trunc_hmac=0" \
markrad 0:cdf462088d13 729 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 730 trunc_hmac=1" \
markrad 0:cdf462088d13 731 0 \
markrad 0:cdf462088d13 732 -s "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 733 -S "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 734
markrad 0:cdf462088d13 735 run_test "Truncated HMAC: client enabled, server enabled" \
markrad 0:cdf462088d13 736 "$P_SRV debug_level=4 trunc_hmac=1" \
markrad 0:cdf462088d13 737 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 738 trunc_hmac=1" \
markrad 0:cdf462088d13 739 0 \
markrad 0:cdf462088d13 740 -S "dumping 'computed mac' (20 bytes)" \
markrad 0:cdf462088d13 741 -s "dumping 'computed mac' (10 bytes)"
markrad 0:cdf462088d13 742
markrad 0:cdf462088d13 743 # Tests for Encrypt-then-MAC extension
markrad 0:cdf462088d13 744
markrad 0:cdf462088d13 745 run_test "Encrypt then MAC: default" \
markrad 0:cdf462088d13 746 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 747 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 748 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 749 0 \
markrad 0:cdf462088d13 750 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 751 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 752 -s "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 753 -c "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 754 -c "using encrypt then mac" \
markrad 0:cdf462088d13 755 -s "using encrypt then mac"
markrad 0:cdf462088d13 756
markrad 0:cdf462088d13 757 run_test "Encrypt then MAC: client enabled, server disabled" \
markrad 0:cdf462088d13 758 "$P_SRV debug_level=3 etm=0 \
markrad 0:cdf462088d13 759 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 760 "$P_CLI debug_level=3 etm=1" \
markrad 0:cdf462088d13 761 0 \
markrad 0:cdf462088d13 762 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 763 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 764 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 765 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 766 -C "using encrypt then mac" \
markrad 0:cdf462088d13 767 -S "using encrypt then mac"
markrad 0:cdf462088d13 768
markrad 0:cdf462088d13 769 run_test "Encrypt then MAC: client enabled, aead cipher" \
markrad 0:cdf462088d13 770 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 771 force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 772 "$P_CLI debug_level=3 etm=1" \
markrad 0:cdf462088d13 773 0 \
markrad 0:cdf462088d13 774 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 775 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 776 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 777 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 778 -C "using encrypt then mac" \
markrad 0:cdf462088d13 779 -S "using encrypt then mac"
markrad 0:cdf462088d13 780
markrad 0:cdf462088d13 781 run_test "Encrypt then MAC: client enabled, stream cipher" \
markrad 0:cdf462088d13 782 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 783 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 784 "$P_CLI debug_level=3 etm=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 785 0 \
markrad 0:cdf462088d13 786 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 787 -s "found encrypt then mac extension" \
markrad 0:cdf462088d13 788 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 789 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 790 -C "using encrypt then mac" \
markrad 0:cdf462088d13 791 -S "using encrypt then mac"
markrad 0:cdf462088d13 792
markrad 0:cdf462088d13 793 run_test "Encrypt then MAC: client disabled, server enabled" \
markrad 0:cdf462088d13 794 "$P_SRV debug_level=3 etm=1 \
markrad 0:cdf462088d13 795 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 796 "$P_CLI debug_level=3 etm=0" \
markrad 0:cdf462088d13 797 0 \
markrad 0:cdf462088d13 798 -C "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 799 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 800 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 801 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 802 -C "using encrypt then mac" \
markrad 0:cdf462088d13 803 -S "using encrypt then mac"
markrad 0:cdf462088d13 804
markrad 0:cdf462088d13 805 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 806 run_test "Encrypt then MAC: client SSLv3, server enabled" \
markrad 0:cdf462088d13 807 "$P_SRV debug_level=3 min_version=ssl3 \
markrad 0:cdf462088d13 808 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 809 "$P_CLI debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 810 0 \
markrad 0:cdf462088d13 811 -C "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 812 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 813 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 814 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 815 -C "using encrypt then mac" \
markrad 0:cdf462088d13 816 -S "using encrypt then mac"
markrad 0:cdf462088d13 817
markrad 0:cdf462088d13 818 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 819 run_test "Encrypt then MAC: client enabled, server SSLv3" \
markrad 0:cdf462088d13 820 "$P_SRV debug_level=3 force_version=ssl3 \
markrad 0:cdf462088d13 821 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 822 "$P_CLI debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 823 0 \
markrad 0:cdf462088d13 824 -c "client hello, adding encrypt_then_mac extension" \
markrad 0:cdf462088d13 825 -S "found encrypt then mac extension" \
markrad 0:cdf462088d13 826 -S "server hello, adding encrypt then mac extension" \
markrad 0:cdf462088d13 827 -C "found encrypt_then_mac extension" \
markrad 0:cdf462088d13 828 -C "using encrypt then mac" \
markrad 0:cdf462088d13 829 -S "using encrypt then mac"
markrad 0:cdf462088d13 830
markrad 0:cdf462088d13 831 # Tests for Extended Master Secret extension
markrad 0:cdf462088d13 832
markrad 0:cdf462088d13 833 run_test "Extended Master Secret: default" \
markrad 0:cdf462088d13 834 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 835 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 836 0 \
markrad 0:cdf462088d13 837 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 838 -s "found extended master secret extension" \
markrad 0:cdf462088d13 839 -s "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 840 -c "found extended_master_secret extension" \
markrad 0:cdf462088d13 841 -c "using extended master secret" \
markrad 0:cdf462088d13 842 -s "using extended master secret"
markrad 0:cdf462088d13 843
markrad 0:cdf462088d13 844 run_test "Extended Master Secret: client enabled, server disabled" \
markrad 0:cdf462088d13 845 "$P_SRV debug_level=3 extended_ms=0" \
markrad 0:cdf462088d13 846 "$P_CLI debug_level=3 extended_ms=1" \
markrad 0:cdf462088d13 847 0 \
markrad 0:cdf462088d13 848 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 849 -s "found extended master secret extension" \
markrad 0:cdf462088d13 850 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 851 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 852 -C "using extended master secret" \
markrad 0:cdf462088d13 853 -S "using extended master secret"
markrad 0:cdf462088d13 854
markrad 0:cdf462088d13 855 run_test "Extended Master Secret: client disabled, server enabled" \
markrad 0:cdf462088d13 856 "$P_SRV debug_level=3 extended_ms=1" \
markrad 0:cdf462088d13 857 "$P_CLI debug_level=3 extended_ms=0" \
markrad 0:cdf462088d13 858 0 \
markrad 0:cdf462088d13 859 -C "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 860 -S "found extended master secret extension" \
markrad 0:cdf462088d13 861 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 862 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 863 -C "using extended master secret" \
markrad 0:cdf462088d13 864 -S "using extended master secret"
markrad 0:cdf462088d13 865
markrad 0:cdf462088d13 866 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 867 run_test "Extended Master Secret: client SSLv3, server enabled" \
markrad 0:cdf462088d13 868 "$P_SRV debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 869 "$P_CLI debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 870 0 \
markrad 0:cdf462088d13 871 -C "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 872 -S "found extended master secret extension" \
markrad 0:cdf462088d13 873 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 874 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 875 -C "using extended master secret" \
markrad 0:cdf462088d13 876 -S "using extended master secret"
markrad 0:cdf462088d13 877
markrad 0:cdf462088d13 878 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 879 run_test "Extended Master Secret: client enabled, server SSLv3" \
markrad 0:cdf462088d13 880 "$P_SRV debug_level=3 force_version=ssl3" \
markrad 0:cdf462088d13 881 "$P_CLI debug_level=3 min_version=ssl3" \
markrad 0:cdf462088d13 882 0 \
markrad 0:cdf462088d13 883 -c "client hello, adding extended_master_secret extension" \
markrad 0:cdf462088d13 884 -S "found extended master secret extension" \
markrad 0:cdf462088d13 885 -S "server hello, adding extended master secret extension" \
markrad 0:cdf462088d13 886 -C "found extended_master_secret extension" \
markrad 0:cdf462088d13 887 -C "using extended master secret" \
markrad 0:cdf462088d13 888 -S "using extended master secret"
markrad 0:cdf462088d13 889
markrad 0:cdf462088d13 890 # Tests for FALLBACK_SCSV
markrad 0:cdf462088d13 891
markrad 0:cdf462088d13 892 run_test "Fallback SCSV: default" \
markrad 0:cdf462088d13 893 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 894 "$P_CLI debug_level=3 force_version=tls1_1" \
markrad 0:cdf462088d13 895 0 \
markrad 0:cdf462088d13 896 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 897 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 898 -S "inapropriate fallback" \
markrad 0:cdf462088d13 899 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 900
markrad 0:cdf462088d13 901 run_test "Fallback SCSV: explicitly disabled" \
markrad 0:cdf462088d13 902 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 903 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad 0:cdf462088d13 904 0 \
markrad 0:cdf462088d13 905 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 906 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 907 -S "inapropriate fallback" \
markrad 0:cdf462088d13 908 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 909
markrad 0:cdf462088d13 910 run_test "Fallback SCSV: enabled" \
markrad 0:cdf462088d13 911 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 912 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad 0:cdf462088d13 913 1 \
markrad 0:cdf462088d13 914 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 915 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 916 -s "inapropriate fallback" \
markrad 0:cdf462088d13 917 -c "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 918
markrad 0:cdf462088d13 919 run_test "Fallback SCSV: enabled, max version" \
markrad 0:cdf462088d13 920 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 921 "$P_CLI debug_level=3 fallback=1" \
markrad 0:cdf462088d13 922 0 \
markrad 0:cdf462088d13 923 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 924 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 925 -S "inapropriate fallback" \
markrad 0:cdf462088d13 926 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 927
markrad 0:cdf462088d13 928 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 929 run_test "Fallback SCSV: default, openssl server" \
markrad 0:cdf462088d13 930 "$O_SRV" \
markrad 0:cdf462088d13 931 "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
markrad 0:cdf462088d13 932 0 \
markrad 0:cdf462088d13 933 -C "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 934 -C "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 935
markrad 0:cdf462088d13 936 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 937 run_test "Fallback SCSV: enabled, openssl server" \
markrad 0:cdf462088d13 938 "$O_SRV" \
markrad 0:cdf462088d13 939 "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
markrad 0:cdf462088d13 940 1 \
markrad 0:cdf462088d13 941 -c "adding FALLBACK_SCSV" \
markrad 0:cdf462088d13 942 -c "is a fatal alert message (msg 86)"
markrad 0:cdf462088d13 943
markrad 0:cdf462088d13 944 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 945 run_test "Fallback SCSV: disabled, openssl client" \
markrad 0:cdf462088d13 946 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 947 "$O_CLI -tls1_1" \
markrad 0:cdf462088d13 948 0 \
markrad 0:cdf462088d13 949 -S "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 950 -S "inapropriate fallback"
markrad 0:cdf462088d13 951
markrad 0:cdf462088d13 952 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 953 run_test "Fallback SCSV: enabled, openssl client" \
markrad 0:cdf462088d13 954 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 955 "$O_CLI -tls1_1 -fallback_scsv" \
markrad 0:cdf462088d13 956 1 \
markrad 0:cdf462088d13 957 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 958 -s "inapropriate fallback"
markrad 0:cdf462088d13 959
markrad 0:cdf462088d13 960 requires_openssl_with_fallback_scsv
markrad 0:cdf462088d13 961 run_test "Fallback SCSV: enabled, max version, openssl client" \
markrad 0:cdf462088d13 962 "$P_SRV debug_level=2" \
markrad 0:cdf462088d13 963 "$O_CLI -fallback_scsv" \
markrad 0:cdf462088d13 964 0 \
markrad 0:cdf462088d13 965 -s "received FALLBACK_SCSV" \
markrad 0:cdf462088d13 966 -S "inapropriate fallback"
markrad 0:cdf462088d13 967
markrad 0:cdf462088d13 968 # Tests for CBC 1/n-1 record splitting
markrad 0:cdf462088d13 969
markrad 0:cdf462088d13 970 run_test "CBC Record splitting: TLS 1.2, no splitting" \
markrad 0:cdf462088d13 971 "$P_SRV" \
markrad 0:cdf462088d13 972 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 973 request_size=123 force_version=tls1_2" \
markrad 0:cdf462088d13 974 0 \
markrad 0:cdf462088d13 975 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 976 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 977 -S "122 bytes read"
markrad 0:cdf462088d13 978
markrad 0:cdf462088d13 979 run_test "CBC Record splitting: TLS 1.1, no splitting" \
markrad 0:cdf462088d13 980 "$P_SRV" \
markrad 0:cdf462088d13 981 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 982 request_size=123 force_version=tls1_1" \
markrad 0:cdf462088d13 983 0 \
markrad 0:cdf462088d13 984 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 985 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 986 -S "122 bytes read"
markrad 0:cdf462088d13 987
markrad 0:cdf462088d13 988 run_test "CBC Record splitting: TLS 1.0, splitting" \
markrad 0:cdf462088d13 989 "$P_SRV" \
markrad 0:cdf462088d13 990 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 991 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 992 0 \
markrad 0:cdf462088d13 993 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 994 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 995 -s "122 bytes read"
markrad 0:cdf462088d13 996
markrad 0:cdf462088d13 997 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 998 run_test "CBC Record splitting: SSLv3, splitting" \
markrad 0:cdf462088d13 999 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 1000 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1001 request_size=123 force_version=ssl3" \
markrad 0:cdf462088d13 1002 0 \
markrad 0:cdf462088d13 1003 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1004 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1005 -s "122 bytes read"
markrad 0:cdf462088d13 1006
markrad 0:cdf462088d13 1007 run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \
markrad 0:cdf462088d13 1008 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 1009 "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 1010 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 1011 0 \
markrad 0:cdf462088d13 1012 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1013 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1014 -S "122 bytes read"
markrad 0:cdf462088d13 1015
markrad 0:cdf462088d13 1016 run_test "CBC Record splitting: TLS 1.0, splitting disabled" \
markrad 0:cdf462088d13 1017 "$P_SRV" \
markrad 0:cdf462088d13 1018 "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1019 request_size=123 force_version=tls1 recsplit=0" \
markrad 0:cdf462088d13 1020 0 \
markrad 0:cdf462088d13 1021 -s "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1022 -S "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1023 -S "122 bytes read"
markrad 0:cdf462088d13 1024
markrad 0:cdf462088d13 1025 run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \
markrad 0:cdf462088d13 1026 "$P_SRV nbio=2" \
markrad 0:cdf462088d13 1027 "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 1028 request_size=123 force_version=tls1" \
markrad 0:cdf462088d13 1029 0 \
markrad 0:cdf462088d13 1030 -S "Read from client: 123 bytes read" \
markrad 0:cdf462088d13 1031 -s "Read from client: 1 bytes read" \
markrad 0:cdf462088d13 1032 -s "122 bytes read"
markrad 0:cdf462088d13 1033
markrad 0:cdf462088d13 1034 # Tests for Session Tickets
markrad 0:cdf462088d13 1035
markrad 0:cdf462088d13 1036 run_test "Session resume using tickets: basic" \
markrad 0:cdf462088d13 1037 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1038 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1039 0 \
markrad 0:cdf462088d13 1040 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1041 -s "found session ticket extension" \
markrad 0:cdf462088d13 1042 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1043 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1044 -c "parse new session ticket" \
markrad 0:cdf462088d13 1045 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1046 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1047 -s "a session has been resumed" \
markrad 0:cdf462088d13 1048 -c "a session has been resumed"
markrad 0:cdf462088d13 1049
markrad 0:cdf462088d13 1050 run_test "Session resume using tickets: cache disabled" \
markrad 0:cdf462088d13 1051 "$P_SRV debug_level=3 tickets=1 cache_max=0" \
markrad 0:cdf462088d13 1052 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1053 0 \
markrad 0:cdf462088d13 1054 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1055 -s "found session ticket extension" \
markrad 0:cdf462088d13 1056 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1057 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1058 -c "parse new session ticket" \
markrad 0:cdf462088d13 1059 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1060 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1061 -s "a session has been resumed" \
markrad 0:cdf462088d13 1062 -c "a session has been resumed"
markrad 0:cdf462088d13 1063
markrad 0:cdf462088d13 1064 run_test "Session resume using tickets: timeout" \
markrad 0:cdf462088d13 1065 "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \
markrad 0:cdf462088d13 1066 "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1067 0 \
markrad 0:cdf462088d13 1068 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1069 -s "found session ticket extension" \
markrad 0:cdf462088d13 1070 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1071 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1072 -c "parse new session ticket" \
markrad 0:cdf462088d13 1073 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1074 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1075 -S "a session has been resumed" \
markrad 0:cdf462088d13 1076 -C "a session has been resumed"
markrad 0:cdf462088d13 1077
markrad 0:cdf462088d13 1078 run_test "Session resume using tickets: openssl server" \
markrad 0:cdf462088d13 1079 "$O_SRV" \
markrad 0:cdf462088d13 1080 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1081 0 \
markrad 0:cdf462088d13 1082 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1083 -c "found session_ticket extension" \
markrad 0:cdf462088d13 1084 -c "parse new session ticket" \
markrad 0:cdf462088d13 1085 -c "a session has been resumed"
markrad 0:cdf462088d13 1086
markrad 0:cdf462088d13 1087 run_test "Session resume using tickets: openssl client" \
markrad 0:cdf462088d13 1088 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1089 "( $O_CLI -sess_out $SESSION; \
markrad 0:cdf462088d13 1090 $O_CLI -sess_in $SESSION; \
markrad 0:cdf462088d13 1091 rm -f $SESSION )" \
markrad 0:cdf462088d13 1092 0 \
markrad 0:cdf462088d13 1093 -s "found session ticket extension" \
markrad 0:cdf462088d13 1094 -s "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1095 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1096 -s "session successfully restored from ticket" \
markrad 0:cdf462088d13 1097 -s "a session has been resumed"
markrad 0:cdf462088d13 1098
markrad 0:cdf462088d13 1099 # Tests for Session Resume based on session-ID and cache
markrad 0:cdf462088d13 1100
markrad 0:cdf462088d13 1101 run_test "Session resume using cache: tickets enabled on client" \
markrad 0:cdf462088d13 1102 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1103 "$P_CLI debug_level=3 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 1104 0 \
markrad 0:cdf462088d13 1105 -c "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1106 -s "found session ticket extension" \
markrad 0:cdf462088d13 1107 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1108 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1109 -C "parse new session ticket" \
markrad 0:cdf462088d13 1110 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1111 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1112 -s "a session has been resumed" \
markrad 0:cdf462088d13 1113 -c "a session has been resumed"
markrad 0:cdf462088d13 1114
markrad 0:cdf462088d13 1115 run_test "Session resume using cache: tickets enabled on server" \
markrad 0:cdf462088d13 1116 "$P_SRV debug_level=3 tickets=1" \
markrad 0:cdf462088d13 1117 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1118 0 \
markrad 0:cdf462088d13 1119 -C "client hello, adding session ticket extension" \
markrad 0:cdf462088d13 1120 -S "found session ticket extension" \
markrad 0:cdf462088d13 1121 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1122 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1123 -C "parse new session ticket" \
markrad 0:cdf462088d13 1124 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1125 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1126 -s "a session has been resumed" \
markrad 0:cdf462088d13 1127 -c "a session has been resumed"
markrad 0:cdf462088d13 1128
markrad 0:cdf462088d13 1129 run_test "Session resume using cache: cache_max=0" \
markrad 0:cdf462088d13 1130 "$P_SRV debug_level=3 tickets=0 cache_max=0" \
markrad 0:cdf462088d13 1131 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1132 0 \
markrad 0:cdf462088d13 1133 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1134 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1135 -S "a session has been resumed" \
markrad 0:cdf462088d13 1136 -C "a session has been resumed"
markrad 0:cdf462088d13 1137
markrad 0:cdf462088d13 1138 run_test "Session resume using cache: cache_max=1" \
markrad 0:cdf462088d13 1139 "$P_SRV debug_level=3 tickets=0 cache_max=1" \
markrad 0:cdf462088d13 1140 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1141 0 \
markrad 0:cdf462088d13 1142 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1143 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1144 -s "a session has been resumed" \
markrad 0:cdf462088d13 1145 -c "a session has been resumed"
markrad 0:cdf462088d13 1146
markrad 0:cdf462088d13 1147 run_test "Session resume using cache: timeout > delay" \
markrad 0:cdf462088d13 1148 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1149 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
markrad 0:cdf462088d13 1150 0 \
markrad 0:cdf462088d13 1151 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1152 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1153 -s "a session has been resumed" \
markrad 0:cdf462088d13 1154 -c "a session has been resumed"
markrad 0:cdf462088d13 1155
markrad 0:cdf462088d13 1156 run_test "Session resume using cache: timeout < delay" \
markrad 0:cdf462088d13 1157 "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \
markrad 0:cdf462088d13 1158 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1159 0 \
markrad 0:cdf462088d13 1160 -S "session successfully restored from cache" \
markrad 0:cdf462088d13 1161 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1162 -S "a session has been resumed" \
markrad 0:cdf462088d13 1163 -C "a session has been resumed"
markrad 0:cdf462088d13 1164
markrad 0:cdf462088d13 1165 run_test "Session resume using cache: no timeout" \
markrad 0:cdf462088d13 1166 "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \
markrad 0:cdf462088d13 1167 "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
markrad 0:cdf462088d13 1168 0 \
markrad 0:cdf462088d13 1169 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1170 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1171 -s "a session has been resumed" \
markrad 0:cdf462088d13 1172 -c "a session has been resumed"
markrad 0:cdf462088d13 1173
markrad 0:cdf462088d13 1174 run_test "Session resume using cache: openssl client" \
markrad 0:cdf462088d13 1175 "$P_SRV debug_level=3 tickets=0" \
markrad 0:cdf462088d13 1176 "( $O_CLI -sess_out $SESSION; \
markrad 0:cdf462088d13 1177 $O_CLI -sess_in $SESSION; \
markrad 0:cdf462088d13 1178 rm -f $SESSION )" \
markrad 0:cdf462088d13 1179 0 \
markrad 0:cdf462088d13 1180 -s "found session ticket extension" \
markrad 0:cdf462088d13 1181 -S "server hello, adding session ticket extension" \
markrad 0:cdf462088d13 1182 -s "session successfully restored from cache" \
markrad 0:cdf462088d13 1183 -S "session successfully restored from ticket" \
markrad 0:cdf462088d13 1184 -s "a session has been resumed"
markrad 0:cdf462088d13 1185
markrad 0:cdf462088d13 1186 run_test "Session resume using cache: openssl server" \
markrad 0:cdf462088d13 1187 "$O_SRV" \
markrad 0:cdf462088d13 1188 "$P_CLI debug_level=3 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 1189 0 \
markrad 0:cdf462088d13 1190 -C "found session_ticket extension" \
markrad 0:cdf462088d13 1191 -C "parse new session ticket" \
markrad 0:cdf462088d13 1192 -c "a session has been resumed"
markrad 0:cdf462088d13 1193
markrad 0:cdf462088d13 1194 # Tests for Max Fragment Length extension
markrad 0:cdf462088d13 1195
markrad 0:cdf462088d13 1196 run_test "Max fragment length: not used, reference" \
markrad 0:cdf462088d13 1197 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1198 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1199 0 \
markrad 0:cdf462088d13 1200 -c "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1201 -s "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1202 -C "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1203 -S "found max fragment length extension" \
markrad 0:cdf462088d13 1204 -S "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1205 -C "found max_fragment_length extension"
markrad 0:cdf462088d13 1206
markrad 0:cdf462088d13 1207 run_test "Max fragment length: used by client" \
markrad 0:cdf462088d13 1208 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1209 "$P_CLI debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1210 0 \
markrad 0:cdf462088d13 1211 -c "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1212 -s "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1213 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1214 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1215 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1216 -c "found max_fragment_length extension"
markrad 0:cdf462088d13 1217
markrad 0:cdf462088d13 1218 run_test "Max fragment length: used by server" \
markrad 0:cdf462088d13 1219 "$P_SRV debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1220 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1221 0 \
markrad 0:cdf462088d13 1222 -c "Maximum fragment length is 16384" \
markrad 0:cdf462088d13 1223 -s "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1224 -C "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1225 -S "found max fragment length extension" \
markrad 0:cdf462088d13 1226 -S "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1227 -C "found max_fragment_length extension"
markrad 0:cdf462088d13 1228
markrad 0:cdf462088d13 1229 requires_gnutls
markrad 0:cdf462088d13 1230 run_test "Max fragment length: gnutls server" \
markrad 0:cdf462088d13 1231 "$G_SRV" \
markrad 0:cdf462088d13 1232 "$P_CLI debug_level=3 max_frag_len=4096" \
markrad 0:cdf462088d13 1233 0 \
markrad 0:cdf462088d13 1234 -c "Maximum fragment length is 4096" \
markrad 0:cdf462088d13 1235 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1236 -c "found max_fragment_length extension"
markrad 0:cdf462088d13 1237
markrad 0:cdf462088d13 1238 run_test "Max fragment length: client, message just fits" \
markrad 0:cdf462088d13 1239 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1240 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \
markrad 0:cdf462088d13 1241 0 \
markrad 0:cdf462088d13 1242 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1243 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1244 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1245 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1246 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1247 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1248 -c "2048 bytes written in 1 fragments" \
markrad 0:cdf462088d13 1249 -s "2048 bytes read"
markrad 0:cdf462088d13 1250
markrad 0:cdf462088d13 1251 run_test "Max fragment length: client, larger message" \
markrad 0:cdf462088d13 1252 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1253 "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \
markrad 0:cdf462088d13 1254 0 \
markrad 0:cdf462088d13 1255 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1256 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1257 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1258 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1259 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1260 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1261 -c "2345 bytes written in 2 fragments" \
markrad 0:cdf462088d13 1262 -s "2048 bytes read" \
markrad 0:cdf462088d13 1263 -s "297 bytes read"
markrad 0:cdf462088d13 1264
markrad 0:cdf462088d13 1265 run_test "Max fragment length: DTLS client, larger message" \
markrad 0:cdf462088d13 1266 "$P_SRV debug_level=3 dtls=1" \
markrad 0:cdf462088d13 1267 "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \
markrad 0:cdf462088d13 1268 1 \
markrad 0:cdf462088d13 1269 -c "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1270 -s "Maximum fragment length is 2048" \
markrad 0:cdf462088d13 1271 -c "client hello, adding max_fragment_length extension" \
markrad 0:cdf462088d13 1272 -s "found max fragment length extension" \
markrad 0:cdf462088d13 1273 -s "server hello, max_fragment_length extension" \
markrad 0:cdf462088d13 1274 -c "found max_fragment_length extension" \
markrad 0:cdf462088d13 1275 -c "fragment larger than.*maximum"
markrad 0:cdf462088d13 1276
markrad 0:cdf462088d13 1277 # Tests for renegotiation
markrad 0:cdf462088d13 1278
markrad 0:cdf462088d13 1279 run_test "Renegotiation: none, for reference" \
markrad 0:cdf462088d13 1280 "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \
markrad 0:cdf462088d13 1281 "$P_CLI debug_level=3 exchanges=2" \
markrad 0:cdf462088d13 1282 0 \
markrad 0:cdf462088d13 1283 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1284 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1285 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1286 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1287 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1288 -C "=> renegotiate" \
markrad 0:cdf462088d13 1289 -S "=> renegotiate" \
markrad 0:cdf462088d13 1290 -S "write hello request"
markrad 0:cdf462088d13 1291
markrad 0:cdf462088d13 1292 run_test "Renegotiation: client-initiated" \
markrad 0:cdf462088d13 1293 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad 0:cdf462088d13 1294 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1295 0 \
markrad 0:cdf462088d13 1296 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1297 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1298 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1299 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1300 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1301 -c "=> renegotiate" \
markrad 0:cdf462088d13 1302 -s "=> renegotiate" \
markrad 0:cdf462088d13 1303 -S "write hello request"
markrad 0:cdf462088d13 1304
markrad 0:cdf462088d13 1305 run_test "Renegotiation: server-initiated" \
markrad 0:cdf462088d13 1306 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad 0:cdf462088d13 1307 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1308 0 \
markrad 0:cdf462088d13 1309 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1310 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1311 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1312 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1313 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1314 -c "=> renegotiate" \
markrad 0:cdf462088d13 1315 -s "=> renegotiate" \
markrad 0:cdf462088d13 1316 -s "write hello request"
markrad 0:cdf462088d13 1317
markrad 0:cdf462088d13 1318 run_test "Renegotiation: double" \
markrad 0:cdf462088d13 1319 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \
markrad 0:cdf462088d13 1320 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1321 0 \
markrad 0:cdf462088d13 1322 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1323 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1324 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1325 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1326 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1327 -c "=> renegotiate" \
markrad 0:cdf462088d13 1328 -s "=> renegotiate" \
markrad 0:cdf462088d13 1329 -s "write hello request"
markrad 0:cdf462088d13 1330
markrad 0:cdf462088d13 1331 run_test "Renegotiation: client-initiated, server-rejected" \
markrad 0:cdf462088d13 1332 "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \
markrad 0:cdf462088d13 1333 "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1334 1 \
markrad 0:cdf462088d13 1335 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1336 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1337 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1338 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1339 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1340 -c "=> renegotiate" \
markrad 0:cdf462088d13 1341 -S "=> renegotiate" \
markrad 0:cdf462088d13 1342 -S "write hello request" \
markrad 0:cdf462088d13 1343 -c "SSL - Unexpected message at ServerHello in renegotiation" \
markrad 0:cdf462088d13 1344 -c "failed"
markrad 0:cdf462088d13 1345
markrad 0:cdf462088d13 1346 run_test "Renegotiation: server-initiated, client-rejected, default" \
markrad 0:cdf462088d13 1347 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad 0:cdf462088d13 1348 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1349 0 \
markrad 0:cdf462088d13 1350 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1351 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1352 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1353 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1354 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1355 -C "=> renegotiate" \
markrad 0:cdf462088d13 1356 -S "=> renegotiate" \
markrad 0:cdf462088d13 1357 -s "write hello request" \
markrad 0:cdf462088d13 1358 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1359 -S "failed"
markrad 0:cdf462088d13 1360
markrad 0:cdf462088d13 1361 run_test "Renegotiation: server-initiated, client-rejected, not enforced" \
markrad 0:cdf462088d13 1362 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1363 renego_delay=-1 auth_mode=optional" \
markrad 0:cdf462088d13 1364 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1365 0 \
markrad 0:cdf462088d13 1366 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1367 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1368 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1369 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1370 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1371 -C "=> renegotiate" \
markrad 0:cdf462088d13 1372 -S "=> renegotiate" \
markrad 0:cdf462088d13 1373 -s "write hello request" \
markrad 0:cdf462088d13 1374 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1375 -S "failed"
markrad 0:cdf462088d13 1376
markrad 0:cdf462088d13 1377 # delay 2 for 1 alert record + 1 application data record
markrad 0:cdf462088d13 1378 run_test "Renegotiation: server-initiated, client-rejected, delay 2" \
markrad 0:cdf462088d13 1379 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1380 renego_delay=2 auth_mode=optional" \
markrad 0:cdf462088d13 1381 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1382 0 \
markrad 0:cdf462088d13 1383 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1384 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1385 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1386 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1387 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1388 -C "=> renegotiate" \
markrad 0:cdf462088d13 1389 -S "=> renegotiate" \
markrad 0:cdf462088d13 1390 -s "write hello request" \
markrad 0:cdf462088d13 1391 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1392 -S "failed"
markrad 0:cdf462088d13 1393
markrad 0:cdf462088d13 1394 run_test "Renegotiation: server-initiated, client-rejected, delay 0" \
markrad 0:cdf462088d13 1395 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1396 renego_delay=0 auth_mode=optional" \
markrad 0:cdf462088d13 1397 "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \
markrad 0:cdf462088d13 1398 0 \
markrad 0:cdf462088d13 1399 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1400 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1401 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1402 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1403 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1404 -C "=> renegotiate" \
markrad 0:cdf462088d13 1405 -S "=> renegotiate" \
markrad 0:cdf462088d13 1406 -s "write hello request" \
markrad 0:cdf462088d13 1407 -s "SSL - An unexpected message was received from our peer"
markrad 0:cdf462088d13 1408
markrad 0:cdf462088d13 1409 run_test "Renegotiation: server-initiated, client-accepted, delay 0" \
markrad 0:cdf462088d13 1410 "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1411 renego_delay=0 auth_mode=optional" \
markrad 0:cdf462088d13 1412 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1413 0 \
markrad 0:cdf462088d13 1414 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1415 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1416 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1417 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1418 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1419 -c "=> renegotiate" \
markrad 0:cdf462088d13 1420 -s "=> renegotiate" \
markrad 0:cdf462088d13 1421 -s "write hello request" \
markrad 0:cdf462088d13 1422 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1423 -S "failed"
markrad 0:cdf462088d13 1424
markrad 0:cdf462088d13 1425 run_test "Renegotiation: periodic, just below period" \
markrad 0:cdf462088d13 1426 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1427 "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1428 0 \
markrad 0:cdf462088d13 1429 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1430 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1431 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1432 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1433 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1434 -S "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1435 -C "=> renegotiate" \
markrad 0:cdf462088d13 1436 -S "=> renegotiate" \
markrad 0:cdf462088d13 1437 -S "write hello request" \
markrad 0:cdf462088d13 1438 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1439 -S "failed"
markrad 0:cdf462088d13 1440
markrad 0:cdf462088d13 1441 # one extra exchange to be able to complete renego
markrad 0:cdf462088d13 1442 run_test "Renegotiation: periodic, just above period" \
markrad 0:cdf462088d13 1443 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1444 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad 0:cdf462088d13 1445 0 \
markrad 0:cdf462088d13 1446 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1447 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1448 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1449 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1450 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1451 -s "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1452 -c "=> renegotiate" \
markrad 0:cdf462088d13 1453 -s "=> renegotiate" \
markrad 0:cdf462088d13 1454 -s "write hello request" \
markrad 0:cdf462088d13 1455 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1456 -S "failed"
markrad 0:cdf462088d13 1457
markrad 0:cdf462088d13 1458 run_test "Renegotiation: periodic, two times period" \
markrad 0:cdf462088d13 1459 "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1460 "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \
markrad 0:cdf462088d13 1461 0 \
markrad 0:cdf462088d13 1462 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1463 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1464 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1465 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1466 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1467 -s "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1468 -c "=> renegotiate" \
markrad 0:cdf462088d13 1469 -s "=> renegotiate" \
markrad 0:cdf462088d13 1470 -s "write hello request" \
markrad 0:cdf462088d13 1471 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1472 -S "failed"
markrad 0:cdf462088d13 1473
markrad 0:cdf462088d13 1474 run_test "Renegotiation: periodic, above period, disabled" \
markrad 0:cdf462088d13 1475 "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \
markrad 0:cdf462088d13 1476 "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \
markrad 0:cdf462088d13 1477 0 \
markrad 0:cdf462088d13 1478 -C "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1479 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1480 -S "found renegotiation extension" \
markrad 0:cdf462088d13 1481 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1482 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1483 -S "record counter limit reached: renegotiate" \
markrad 0:cdf462088d13 1484 -C "=> renegotiate" \
markrad 0:cdf462088d13 1485 -S "=> renegotiate" \
markrad 0:cdf462088d13 1486 -S "write hello request" \
markrad 0:cdf462088d13 1487 -S "SSL - An unexpected message was received from our peer" \
markrad 0:cdf462088d13 1488 -S "failed"
markrad 0:cdf462088d13 1489
markrad 0:cdf462088d13 1490 run_test "Renegotiation: nbio, client-initiated" \
markrad 0:cdf462088d13 1491 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \
markrad 0:cdf462088d13 1492 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1493 0 \
markrad 0:cdf462088d13 1494 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1495 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1496 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1497 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1498 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1499 -c "=> renegotiate" \
markrad 0:cdf462088d13 1500 -s "=> renegotiate" \
markrad 0:cdf462088d13 1501 -S "write hello request"
markrad 0:cdf462088d13 1502
markrad 0:cdf462088d13 1503 run_test "Renegotiation: nbio, server-initiated" \
markrad 0:cdf462088d13 1504 "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \
markrad 0:cdf462088d13 1505 "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1506 0 \
markrad 0:cdf462088d13 1507 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1508 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1509 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1510 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1511 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1512 -c "=> renegotiate" \
markrad 0:cdf462088d13 1513 -s "=> renegotiate" \
markrad 0:cdf462088d13 1514 -s "write hello request"
markrad 0:cdf462088d13 1515
markrad 0:cdf462088d13 1516 run_test "Renegotiation: openssl server, client-initiated" \
markrad 0:cdf462088d13 1517 "$O_SRV -www" \
markrad 0:cdf462088d13 1518 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1519 0 \
markrad 0:cdf462088d13 1520 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1521 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1522 -c "=> renegotiate" \
markrad 0:cdf462088d13 1523 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1524 -C "error" \
markrad 0:cdf462088d13 1525 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1526
markrad 0:cdf462088d13 1527 requires_gnutls
markrad 0:cdf462088d13 1528 run_test "Renegotiation: gnutls server strict, client-initiated" \
markrad 0:cdf462088d13 1529 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1530 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1531 0 \
markrad 0:cdf462088d13 1532 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1533 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1534 -c "=> renegotiate" \
markrad 0:cdf462088d13 1535 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1536 -C "error" \
markrad 0:cdf462088d13 1537 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1538
markrad 0:cdf462088d13 1539 requires_gnutls
markrad 0:cdf462088d13 1540 run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
markrad 0:cdf462088d13 1541 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1542 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1543 1 \
markrad 0:cdf462088d13 1544 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1545 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1546 -c "=> renegotiate" \
markrad 0:cdf462088d13 1547 -c "mbedtls_ssl_handshake() returned" \
markrad 0:cdf462088d13 1548 -c "error" \
markrad 0:cdf462088d13 1549 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1550
markrad 0:cdf462088d13 1551 requires_gnutls
markrad 0:cdf462088d13 1552 run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
markrad 0:cdf462088d13 1553 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1554 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1555 allow_legacy=0" \
markrad 0:cdf462088d13 1556 1 \
markrad 0:cdf462088d13 1557 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1558 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1559 -c "=> renegotiate" \
markrad 0:cdf462088d13 1560 -c "mbedtls_ssl_handshake() returned" \
markrad 0:cdf462088d13 1561 -c "error" \
markrad 0:cdf462088d13 1562 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1563
markrad 0:cdf462088d13 1564 requires_gnutls
markrad 0:cdf462088d13 1565 run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
markrad 0:cdf462088d13 1566 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1567 "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
markrad 0:cdf462088d13 1568 allow_legacy=1" \
markrad 0:cdf462088d13 1569 0 \
markrad 0:cdf462088d13 1570 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1571 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1572 -c "=> renegotiate" \
markrad 0:cdf462088d13 1573 -C "ssl_hanshake() returned" \
markrad 0:cdf462088d13 1574 -C "error" \
markrad 0:cdf462088d13 1575 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1576
markrad 0:cdf462088d13 1577 run_test "Renegotiation: DTLS, client-initiated" \
markrad 0:cdf462088d13 1578 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
markrad 0:cdf462088d13 1579 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1580 0 \
markrad 0:cdf462088d13 1581 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1582 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1583 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1584 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1585 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1586 -c "=> renegotiate" \
markrad 0:cdf462088d13 1587 -s "=> renegotiate" \
markrad 0:cdf462088d13 1588 -S "write hello request"
markrad 0:cdf462088d13 1589
markrad 0:cdf462088d13 1590 run_test "Renegotiation: DTLS, server-initiated" \
markrad 0:cdf462088d13 1591 "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1592 "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
markrad 0:cdf462088d13 1593 read_timeout=1000 max_resend=2" \
markrad 0:cdf462088d13 1594 0 \
markrad 0:cdf462088d13 1595 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1596 -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
markrad 0:cdf462088d13 1597 -s "found renegotiation extension" \
markrad 0:cdf462088d13 1598 -s "server hello, secure renegotiation extension" \
markrad 0:cdf462088d13 1599 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1600 -c "=> renegotiate" \
markrad 0:cdf462088d13 1601 -s "=> renegotiate" \
markrad 0:cdf462088d13 1602 -s "write hello request"
markrad 0:cdf462088d13 1603
markrad 0:cdf462088d13 1604 requires_gnutls
markrad 0:cdf462088d13 1605 run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
markrad 0:cdf462088d13 1606 "$G_SRV -u --mtu 4096" \
markrad 0:cdf462088d13 1607 "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 1608 0 \
markrad 0:cdf462088d13 1609 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 1610 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1611 -c "=> renegotiate" \
markrad 0:cdf462088d13 1612 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1613 -C "error" \
markrad 0:cdf462088d13 1614 -s "Extra-header:"
markrad 0:cdf462088d13 1615
markrad 0:cdf462088d13 1616 # Test for the "secure renegotation" extension only (no actual renegotiation)
markrad 0:cdf462088d13 1617
markrad 0:cdf462088d13 1618 requires_gnutls
markrad 0:cdf462088d13 1619 run_test "Renego ext: gnutls server strict, client default" \
markrad 0:cdf462088d13 1620 "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1621 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1622 0 \
markrad 0:cdf462088d13 1623 -c "found renegotiation extension" \
markrad 0:cdf462088d13 1624 -C "error" \
markrad 0:cdf462088d13 1625 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1626
markrad 0:cdf462088d13 1627 requires_gnutls
markrad 0:cdf462088d13 1628 run_test "Renego ext: gnutls server unsafe, client default" \
markrad 0:cdf462088d13 1629 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1630 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 1631 0 \
markrad 0:cdf462088d13 1632 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1633 -C "error" \
markrad 0:cdf462088d13 1634 -c "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1635
markrad 0:cdf462088d13 1636 requires_gnutls
markrad 0:cdf462088d13 1637 run_test "Renego ext: gnutls server unsafe, client break legacy" \
markrad 0:cdf462088d13 1638 "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1639 "$P_CLI debug_level=3 allow_legacy=-1" \
markrad 0:cdf462088d13 1640 1 \
markrad 0:cdf462088d13 1641 -C "found renegotiation extension" \
markrad 0:cdf462088d13 1642 -c "error" \
markrad 0:cdf462088d13 1643 -C "HTTP/1.0 200 [Oo][Kk]"
markrad 0:cdf462088d13 1644
markrad 0:cdf462088d13 1645 requires_gnutls
markrad 0:cdf462088d13 1646 run_test "Renego ext: gnutls client strict, server default" \
markrad 0:cdf462088d13 1647 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1648 "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1649 0 \
markrad 0:cdf462088d13 1650 -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1651 -s "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1652
markrad 0:cdf462088d13 1653 requires_gnutls
markrad 0:cdf462088d13 1654 run_test "Renego ext: gnutls client unsafe, server default" \
markrad 0:cdf462088d13 1655 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 1656 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1657 0 \
markrad 0:cdf462088d13 1658 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1659 -S "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1660
markrad 0:cdf462088d13 1661 requires_gnutls
markrad 0:cdf462088d13 1662 run_test "Renego ext: gnutls client unsafe, server break legacy" \
markrad 0:cdf462088d13 1663 "$P_SRV debug_level=3 allow_legacy=-1" \
markrad 0:cdf462088d13 1664 "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 1665 1 \
markrad 0:cdf462088d13 1666 -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
markrad 0:cdf462088d13 1667 -S "server hello, secure renegotiation extension"
markrad 0:cdf462088d13 1668
markrad 0:cdf462088d13 1669 # Tests for silently dropping trailing extra bytes in .der certificates
markrad 0:cdf462088d13 1670
markrad 0:cdf462088d13 1671 requires_gnutls
markrad 0:cdf462088d13 1672 run_test "DER format: no trailing bytes" \
markrad 0:cdf462088d13 1673 "$P_SRV crt_file=data_files/server5-der0.crt \
markrad 0:cdf462088d13 1674 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1675 "$G_CLI " \
markrad 0:cdf462088d13 1676 0 \
markrad 0:cdf462088d13 1677 -c "Handshake was completed" \
markrad 0:cdf462088d13 1678
markrad 0:cdf462088d13 1679 requires_gnutls
markrad 0:cdf462088d13 1680 run_test "DER format: with a trailing zero byte" \
markrad 0:cdf462088d13 1681 "$P_SRV crt_file=data_files/server5-der1a.crt \
markrad 0:cdf462088d13 1682 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1683 "$G_CLI " \
markrad 0:cdf462088d13 1684 0 \
markrad 0:cdf462088d13 1685 -c "Handshake was completed" \
markrad 0:cdf462088d13 1686
markrad 0:cdf462088d13 1687 requires_gnutls
markrad 0:cdf462088d13 1688 run_test "DER format: with a trailing random byte" \
markrad 0:cdf462088d13 1689 "$P_SRV crt_file=data_files/server5-der1b.crt \
markrad 0:cdf462088d13 1690 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1691 "$G_CLI " \
markrad 0:cdf462088d13 1692 0 \
markrad 0:cdf462088d13 1693 -c "Handshake was completed" \
markrad 0:cdf462088d13 1694
markrad 0:cdf462088d13 1695 requires_gnutls
markrad 0:cdf462088d13 1696 run_test "DER format: with 2 trailing random bytes" \
markrad 0:cdf462088d13 1697 "$P_SRV crt_file=data_files/server5-der2.crt \
markrad 0:cdf462088d13 1698 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1699 "$G_CLI " \
markrad 0:cdf462088d13 1700 0 \
markrad 0:cdf462088d13 1701 -c "Handshake was completed" \
markrad 0:cdf462088d13 1702
markrad 0:cdf462088d13 1703 requires_gnutls
markrad 0:cdf462088d13 1704 run_test "DER format: with 4 trailing random bytes" \
markrad 0:cdf462088d13 1705 "$P_SRV crt_file=data_files/server5-der4.crt \
markrad 0:cdf462088d13 1706 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1707 "$G_CLI " \
markrad 0:cdf462088d13 1708 0 \
markrad 0:cdf462088d13 1709 -c "Handshake was completed" \
markrad 0:cdf462088d13 1710
markrad 0:cdf462088d13 1711 requires_gnutls
markrad 0:cdf462088d13 1712 run_test "DER format: with 8 trailing random bytes" \
markrad 0:cdf462088d13 1713 "$P_SRV crt_file=data_files/server5-der8.crt \
markrad 0:cdf462088d13 1714 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1715 "$G_CLI " \
markrad 0:cdf462088d13 1716 0 \
markrad 0:cdf462088d13 1717 -c "Handshake was completed" \
markrad 0:cdf462088d13 1718
markrad 0:cdf462088d13 1719 requires_gnutls
markrad 0:cdf462088d13 1720 run_test "DER format: with 9 trailing random bytes" \
markrad 0:cdf462088d13 1721 "$P_SRV crt_file=data_files/server5-der9.crt \
markrad 0:cdf462088d13 1722 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1723 "$G_CLI " \
markrad 0:cdf462088d13 1724 0 \
markrad 0:cdf462088d13 1725 -c "Handshake was completed" \
markrad 0:cdf462088d13 1726
markrad 0:cdf462088d13 1727 # Tests for auth_mode
markrad 0:cdf462088d13 1728
markrad 0:cdf462088d13 1729 run_test "Authentication: server badcert, client required" \
markrad 0:cdf462088d13 1730 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1731 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1732 "$P_CLI debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 1733 1 \
markrad 0:cdf462088d13 1734 -c "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1735 -c "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1736 -c "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1737 -c "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1738
markrad 0:cdf462088d13 1739 run_test "Authentication: server badcert, client optional" \
markrad 0:cdf462088d13 1740 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1741 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1742 "$P_CLI debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 1743 0 \
markrad 0:cdf462088d13 1744 -c "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1745 -c "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1746 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1747 -C "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1748
markrad 0:cdf462088d13 1749 run_test "Authentication: server badcert, client none" \
markrad 0:cdf462088d13 1750 "$P_SRV crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1751 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1752 "$P_CLI debug_level=1 auth_mode=none" \
markrad 0:cdf462088d13 1753 0 \
markrad 0:cdf462088d13 1754 -C "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1755 -C "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1756 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1757 -C "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1758
markrad 0:cdf462088d13 1759 run_test "Authentication: client SHA256, server required" \
markrad 0:cdf462088d13 1760 "$P_SRV auth_mode=required" \
markrad 0:cdf462088d13 1761 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1762 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1763 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
markrad 0:cdf462088d13 1764 0 \
markrad 0:cdf462088d13 1765 -c "Supported Signature Algorithm found: 4," \
markrad 0:cdf462088d13 1766 -c "Supported Signature Algorithm found: 5,"
markrad 0:cdf462088d13 1767
markrad 0:cdf462088d13 1768 run_test "Authentication: client SHA384, server required" \
markrad 0:cdf462088d13 1769 "$P_SRV auth_mode=required" \
markrad 0:cdf462088d13 1770 "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1771 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1772 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 1773 0 \
markrad 0:cdf462088d13 1774 -c "Supported Signature Algorithm found: 4," \
markrad 0:cdf462088d13 1775 -c "Supported Signature Algorithm found: 5,"
markrad 0:cdf462088d13 1776
markrad 0:cdf462088d13 1777 run_test "Authentication: client badcert, server required" \
markrad 0:cdf462088d13 1778 "$P_SRV debug_level=3 auth_mode=required" \
markrad 0:cdf462088d13 1779 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1780 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1781 1 \
markrad 0:cdf462088d13 1782 -S "skip write certificate request" \
markrad 0:cdf462088d13 1783 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1784 -c "got a certificate request" \
markrad 0:cdf462088d13 1785 -C "skip write certificate" \
markrad 0:cdf462088d13 1786 -C "skip write certificate verify" \
markrad 0:cdf462088d13 1787 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 1788 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1789 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1790 -s "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1791 -c "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1792 -s "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1793
markrad 0:cdf462088d13 1794 run_test "Authentication: client badcert, server optional" \
markrad 0:cdf462088d13 1795 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1796 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1797 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1798 0 \
markrad 0:cdf462088d13 1799 -S "skip write certificate request" \
markrad 0:cdf462088d13 1800 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1801 -c "got a certificate request" \
markrad 0:cdf462088d13 1802 -C "skip write certificate" \
markrad 0:cdf462088d13 1803 -C "skip write certificate verify" \
markrad 0:cdf462088d13 1804 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 1805 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1806 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1807 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1808 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1809 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1810
markrad 0:cdf462088d13 1811 run_test "Authentication: client badcert, server none" \
markrad 0:cdf462088d13 1812 "$P_SRV debug_level=3 auth_mode=none" \
markrad 0:cdf462088d13 1813 "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
markrad 0:cdf462088d13 1814 key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1815 0 \
markrad 0:cdf462088d13 1816 -s "skip write certificate request" \
markrad 0:cdf462088d13 1817 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1818 -c "got no certificate request" \
markrad 0:cdf462088d13 1819 -c "skip write certificate" \
markrad 0:cdf462088d13 1820 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1821 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1822 -S "x509_verify_cert() returned" \
markrad 0:cdf462088d13 1823 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 1824 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1825 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1826 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1827
markrad 0:cdf462088d13 1828 run_test "Authentication: client no cert, server optional" \
markrad 0:cdf462088d13 1829 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1830 "$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad 0:cdf462088d13 1831 0 \
markrad 0:cdf462088d13 1832 -S "skip write certificate request" \
markrad 0:cdf462088d13 1833 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1834 -c "got a certificate request" \
markrad 0:cdf462088d13 1835 -C "skip write certificate$" \
markrad 0:cdf462088d13 1836 -C "got no certificate to send" \
markrad 0:cdf462088d13 1837 -S "SSLv3 client has no certificate" \
markrad 0:cdf462088d13 1838 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1839 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1840 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1841 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1842 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1843 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1844
markrad 0:cdf462088d13 1845 run_test "Authentication: openssl client no cert, server optional" \
markrad 0:cdf462088d13 1846 "$P_SRV debug_level=3 auth_mode=optional" \
markrad 0:cdf462088d13 1847 "$O_CLI" \
markrad 0:cdf462088d13 1848 0 \
markrad 0:cdf462088d13 1849 -S "skip write certificate request" \
markrad 0:cdf462088d13 1850 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1851 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1852 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1853 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1854
markrad 0:cdf462088d13 1855 run_test "Authentication: client no cert, openssl server optional" \
markrad 0:cdf462088d13 1856 "$O_SRV -verify 10" \
markrad 0:cdf462088d13 1857 "$P_CLI debug_level=3 crt_file=none key_file=none" \
markrad 0:cdf462088d13 1858 0 \
markrad 0:cdf462088d13 1859 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1860 -c "got a certificate request" \
markrad 0:cdf462088d13 1861 -C "skip write certificate$" \
markrad 0:cdf462088d13 1862 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1863 -C "! mbedtls_ssl_handshake returned"
markrad 0:cdf462088d13 1864
markrad 0:cdf462088d13 1865 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 1866 run_test "Authentication: client no cert, ssl3" \
markrad 0:cdf462088d13 1867 "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
markrad 0:cdf462088d13 1868 "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
markrad 0:cdf462088d13 1869 0 \
markrad 0:cdf462088d13 1870 -S "skip write certificate request" \
markrad 0:cdf462088d13 1871 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1872 -c "got a certificate request" \
markrad 0:cdf462088d13 1873 -C "skip write certificate$" \
markrad 0:cdf462088d13 1874 -c "skip write certificate verify" \
markrad 0:cdf462088d13 1875 -c "got no certificate to send" \
markrad 0:cdf462088d13 1876 -s "SSLv3 client has no certificate" \
markrad 0:cdf462088d13 1877 -s "skip parse certificate verify" \
markrad 0:cdf462088d13 1878 -s "! Certificate was missing" \
markrad 0:cdf462088d13 1879 -S "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1880 -C "! mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1881 -S "X509 - Certificate verification failed"
markrad 0:cdf462088d13 1882
markrad 0:cdf462088d13 1883 # Tests for certificate selection based on SHA verson
markrad 0:cdf462088d13 1884
markrad 0:cdf462088d13 1885 run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
markrad 0:cdf462088d13 1886 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1887 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1888 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1889 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1890 "$P_CLI force_version=tls1_2" \
markrad 0:cdf462088d13 1891 0 \
markrad 0:cdf462088d13 1892 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1893 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1894
markrad 0:cdf462088d13 1895 run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
markrad 0:cdf462088d13 1896 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1897 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1898 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1899 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1900 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1901 0 \
markrad 0:cdf462088d13 1902 -C "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1903 -c "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1904
markrad 0:cdf462088d13 1905 run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
markrad 0:cdf462088d13 1906 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1907 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1908 crt_file2=data_files/server5-sha1.crt \
markrad 0:cdf462088d13 1909 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1910 "$P_CLI force_version=tls1" \
markrad 0:cdf462088d13 1911 0 \
markrad 0:cdf462088d13 1912 -C "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1913 -c "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1914
markrad 0:cdf462088d13 1915 run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
markrad 0:cdf462088d13 1916 "$P_SRV crt_file=data_files/server5.crt \
markrad 0:cdf462088d13 1917 key_file=data_files/server5.key \
markrad 0:cdf462088d13 1918 crt_file2=data_files/server6.crt \
markrad 0:cdf462088d13 1919 key_file2=data_files/server6.key" \
markrad 0:cdf462088d13 1920 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1921 0 \
markrad 0:cdf462088d13 1922 -c "serial number.*09" \
markrad 0:cdf462088d13 1923 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1924 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1925
markrad 0:cdf462088d13 1926 run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
markrad 0:cdf462088d13 1927 "$P_SRV crt_file=data_files/server6.crt \
markrad 0:cdf462088d13 1928 key_file=data_files/server6.key \
markrad 0:cdf462088d13 1929 crt_file2=data_files/server5.crt \
markrad 0:cdf462088d13 1930 key_file2=data_files/server5.key" \
markrad 0:cdf462088d13 1931 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 1932 0 \
markrad 0:cdf462088d13 1933 -c "serial number.*0A" \
markrad 0:cdf462088d13 1934 -c "signed using.*ECDSA with SHA256" \
markrad 0:cdf462088d13 1935 -C "signed using.*ECDSA with SHA1"
markrad 0:cdf462088d13 1936
markrad 0:cdf462088d13 1937 # tests for SNI
markrad 0:cdf462088d13 1938
markrad 0:cdf462088d13 1939 run_test "SNI: no SNI callback" \
markrad 0:cdf462088d13 1940 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1941 crt_file=data_files/server5.crt key_file=data_files/server5.key" \
markrad 0:cdf462088d13 1942 "$P_CLI server_name=localhost" \
markrad 0:cdf462088d13 1943 0 \
markrad 0:cdf462088d13 1944 -S "parse ServerName extension" \
markrad 0:cdf462088d13 1945 -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
markrad 0:cdf462088d13 1946 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad 0:cdf462088d13 1947
markrad 0:cdf462088d13 1948 run_test "SNI: matching cert 1" \
markrad 0:cdf462088d13 1949 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1950 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1951 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1952 "$P_CLI server_name=localhost" \
markrad 0:cdf462088d13 1953 0 \
markrad 0:cdf462088d13 1954 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1955 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad 0:cdf462088d13 1956 -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
markrad 0:cdf462088d13 1957
markrad 0:cdf462088d13 1958 run_test "SNI: matching cert 2" \
markrad 0:cdf462088d13 1959 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1960 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1961 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1962 "$P_CLI server_name=polarssl.example" \
markrad 0:cdf462088d13 1963 0 \
markrad 0:cdf462088d13 1964 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1965 -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
markrad 0:cdf462088d13 1966 -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
markrad 0:cdf462088d13 1967
markrad 0:cdf462088d13 1968 run_test "SNI: no matching cert" \
markrad 0:cdf462088d13 1969 "$P_SRV debug_level=3 \
markrad 0:cdf462088d13 1970 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1971 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
markrad 0:cdf462088d13 1972 "$P_CLI server_name=nonesuch.example" \
markrad 0:cdf462088d13 1973 1 \
markrad 0:cdf462088d13 1974 -s "parse ServerName extension" \
markrad 0:cdf462088d13 1975 -s "ssl_sni_wrapper() returned" \
markrad 0:cdf462088d13 1976 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1977 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 1978 -c "SSL - A fatal alert message was received from our peer"
markrad 0:cdf462088d13 1979
markrad 0:cdf462088d13 1980 run_test "SNI: client auth no override: optional" \
markrad 0:cdf462088d13 1981 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 1982 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1983 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
markrad 0:cdf462088d13 1984 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 1985 0 \
markrad 0:cdf462088d13 1986 -S "skip write certificate request" \
markrad 0:cdf462088d13 1987 -C "skip parse certificate request" \
markrad 0:cdf462088d13 1988 -c "got a certificate request" \
markrad 0:cdf462088d13 1989 -C "skip write certificate" \
markrad 0:cdf462088d13 1990 -C "skip write certificate verify" \
markrad 0:cdf462088d13 1991 -S "skip parse certificate verify"
markrad 0:cdf462088d13 1992
markrad 0:cdf462088d13 1993 run_test "SNI: client auth override: none -> optional" \
markrad 0:cdf462088d13 1994 "$P_SRV debug_level=3 auth_mode=none \
markrad 0:cdf462088d13 1995 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 1996 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
markrad 0:cdf462088d13 1997 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 1998 0 \
markrad 0:cdf462088d13 1999 -S "skip write certificate request" \
markrad 0:cdf462088d13 2000 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2001 -c "got a certificate request" \
markrad 0:cdf462088d13 2002 -C "skip write certificate" \
markrad 0:cdf462088d13 2003 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2004 -S "skip parse certificate verify"
markrad 0:cdf462088d13 2005
markrad 0:cdf462088d13 2006 run_test "SNI: client auth override: optional -> none" \
markrad 0:cdf462088d13 2007 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2008 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2009 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
markrad 0:cdf462088d13 2010 "$P_CLI debug_level=3 server_name=localhost" \
markrad 0:cdf462088d13 2011 0 \
markrad 0:cdf462088d13 2012 -s "skip write certificate request" \
markrad 0:cdf462088d13 2013 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2014 -c "got no certificate request" \
markrad 0:cdf462088d13 2015 -c "skip write certificate" \
markrad 0:cdf462088d13 2016 -c "skip write certificate verify" \
markrad 0:cdf462088d13 2017 -s "skip parse certificate verify"
markrad 0:cdf462088d13 2018
markrad 0:cdf462088d13 2019 run_test "SNI: CA no override" \
markrad 0:cdf462088d13 2020 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2021 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2022 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2023 sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
markrad 0:cdf462088d13 2024 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2025 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2026 1 \
markrad 0:cdf462088d13 2027 -S "skip write certificate request" \
markrad 0:cdf462088d13 2028 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2029 -c "got a certificate request" \
markrad 0:cdf462088d13 2030 -C "skip write certificate" \
markrad 0:cdf462088d13 2031 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2032 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2033 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2034 -s "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2035 -S "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2036
markrad 0:cdf462088d13 2037 run_test "SNI: CA override" \
markrad 0:cdf462088d13 2038 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2039 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2040 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2041 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
markrad 0:cdf462088d13 2042 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2043 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2044 0 \
markrad 0:cdf462088d13 2045 -S "skip write certificate request" \
markrad 0:cdf462088d13 2046 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2047 -c "got a certificate request" \
markrad 0:cdf462088d13 2048 -C "skip write certificate" \
markrad 0:cdf462088d13 2049 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2050 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2051 -S "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2052 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2053 -S "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2054
markrad 0:cdf462088d13 2055 run_test "SNI: CA override with CRL" \
markrad 0:cdf462088d13 2056 "$P_SRV debug_level=3 auth_mode=optional \
markrad 0:cdf462088d13 2057 crt_file=data_files/server5.crt key_file=data_files/server5.key \
markrad 0:cdf462088d13 2058 ca_file=data_files/test-ca.crt \
markrad 0:cdf462088d13 2059 sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
markrad 0:cdf462088d13 2060 "$P_CLI debug_level=3 server_name=localhost \
markrad 0:cdf462088d13 2061 crt_file=data_files/server6.crt key_file=data_files/server6.key" \
markrad 0:cdf462088d13 2062 1 \
markrad 0:cdf462088d13 2063 -S "skip write certificate request" \
markrad 0:cdf462088d13 2064 -C "skip parse certificate request" \
markrad 0:cdf462088d13 2065 -c "got a certificate request" \
markrad 0:cdf462088d13 2066 -C "skip write certificate" \
markrad 0:cdf462088d13 2067 -C "skip write certificate verify" \
markrad 0:cdf462088d13 2068 -S "skip parse certificate verify" \
markrad 0:cdf462088d13 2069 -s "x509_verify_cert() returned" \
markrad 0:cdf462088d13 2070 -S "! The certificate is not correctly signed by the trusted CA" \
markrad 0:cdf462088d13 2071 -s "The certificate has been revoked (is on a CRL)"
markrad 0:cdf462088d13 2072
markrad 0:cdf462088d13 2073 # Tests for non-blocking I/O: exercise a variety of handshake flows
markrad 0:cdf462088d13 2074
markrad 0:cdf462088d13 2075 run_test "Non-blocking I/O: basic handshake" \
markrad 0:cdf462088d13 2076 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 2077 "$P_CLI nbio=2 tickets=0" \
markrad 0:cdf462088d13 2078 0 \
markrad 0:cdf462088d13 2079 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2080 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2081 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2082
markrad 0:cdf462088d13 2083 run_test "Non-blocking I/O: client auth" \
markrad 0:cdf462088d13 2084 "$P_SRV nbio=2 tickets=0 auth_mode=required" \
markrad 0:cdf462088d13 2085 "$P_CLI nbio=2 tickets=0" \
markrad 0:cdf462088d13 2086 0 \
markrad 0:cdf462088d13 2087 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2088 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2089 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2090
markrad 0:cdf462088d13 2091 run_test "Non-blocking I/O: ticket" \
markrad 0:cdf462088d13 2092 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 2093 "$P_CLI nbio=2 tickets=1" \
markrad 0:cdf462088d13 2094 0 \
markrad 0:cdf462088d13 2095 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2096 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2097 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2098
markrad 0:cdf462088d13 2099 run_test "Non-blocking I/O: ticket + client auth" \
markrad 0:cdf462088d13 2100 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 2101 "$P_CLI nbio=2 tickets=1" \
markrad 0:cdf462088d13 2102 0 \
markrad 0:cdf462088d13 2103 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2104 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2105 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2106
markrad 0:cdf462088d13 2107 run_test "Non-blocking I/O: ticket + client auth + resume" \
markrad 0:cdf462088d13 2108 "$P_SRV nbio=2 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 2109 "$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 2110 0 \
markrad 0:cdf462088d13 2111 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2112 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2113 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2114
markrad 0:cdf462088d13 2115 run_test "Non-blocking I/O: ticket + resume" \
markrad 0:cdf462088d13 2116 "$P_SRV nbio=2 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 2117 "$P_CLI nbio=2 tickets=1 reconnect=1" \
markrad 0:cdf462088d13 2118 0 \
markrad 0:cdf462088d13 2119 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2120 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2121 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2122
markrad 0:cdf462088d13 2123 run_test "Non-blocking I/O: session-id resume" \
markrad 0:cdf462088d13 2124 "$P_SRV nbio=2 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 2125 "$P_CLI nbio=2 tickets=0 reconnect=1" \
markrad 0:cdf462088d13 2126 0 \
markrad 0:cdf462088d13 2127 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2128 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2129 -c "Read from server: .* bytes read"
markrad 0:cdf462088d13 2130
markrad 0:cdf462088d13 2131 # Tests for version negotiation
markrad 0:cdf462088d13 2132
markrad 0:cdf462088d13 2133 run_test "Version check: all -> 1.2" \
markrad 0:cdf462088d13 2134 "$P_SRV" \
markrad 0:cdf462088d13 2135 "$P_CLI" \
markrad 0:cdf462088d13 2136 0 \
markrad 0:cdf462088d13 2137 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2138 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2139 -s "Protocol is TLSv1.2" \
markrad 0:cdf462088d13 2140 -c "Protocol is TLSv1.2"
markrad 0:cdf462088d13 2141
markrad 0:cdf462088d13 2142 run_test "Version check: cli max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2143 "$P_SRV" \
markrad 0:cdf462088d13 2144 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2145 0 \
markrad 0:cdf462088d13 2146 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2147 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2148 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2149 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2150
markrad 0:cdf462088d13 2151 run_test "Version check: srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2152 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2153 "$P_CLI" \
markrad 0:cdf462088d13 2154 0 \
markrad 0:cdf462088d13 2155 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2156 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2157 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2158 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2159
markrad 0:cdf462088d13 2160 run_test "Version check: cli+srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2161 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2162 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2163 0 \
markrad 0:cdf462088d13 2164 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2165 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2166 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2167 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2168
markrad 0:cdf462088d13 2169 run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
markrad 0:cdf462088d13 2170 "$P_SRV min_version=tls1_1" \
markrad 0:cdf462088d13 2171 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2172 0 \
markrad 0:cdf462088d13 2173 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2174 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2175 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2176 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2177
markrad 0:cdf462088d13 2178 run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
markrad 0:cdf462088d13 2179 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2180 "$P_CLI min_version=tls1_1" \
markrad 0:cdf462088d13 2181 0 \
markrad 0:cdf462088d13 2182 -S "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2183 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2184 -s "Protocol is TLSv1.1" \
markrad 0:cdf462088d13 2185 -c "Protocol is TLSv1.1"
markrad 0:cdf462088d13 2186
markrad 0:cdf462088d13 2187 run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
markrad 0:cdf462088d13 2188 "$P_SRV max_version=tls1_1" \
markrad 0:cdf462088d13 2189 "$P_CLI min_version=tls1_2" \
markrad 0:cdf462088d13 2190 1 \
markrad 0:cdf462088d13 2191 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2192 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2193 -c "SSL - Handshake protocol not within min/max boundaries"
markrad 0:cdf462088d13 2194
markrad 0:cdf462088d13 2195 run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
markrad 0:cdf462088d13 2196 "$P_SRV min_version=tls1_2" \
markrad 0:cdf462088d13 2197 "$P_CLI max_version=tls1_1" \
markrad 0:cdf462088d13 2198 1 \
markrad 0:cdf462088d13 2199 -s "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2200 -c "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 2201 -s "SSL - Handshake protocol not within min/max boundaries"
markrad 0:cdf462088d13 2202
markrad 0:cdf462088d13 2203 # Tests for ALPN extension
markrad 0:cdf462088d13 2204
markrad 0:cdf462088d13 2205 run_test "ALPN: none" \
markrad 0:cdf462088d13 2206 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2207 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2208 0 \
markrad 0:cdf462088d13 2209 -C "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2210 -S "found alpn extension" \
markrad 0:cdf462088d13 2211 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2212 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2213 -C "found alpn extension " \
markrad 0:cdf462088d13 2214 -C "Application Layer Protocol is" \
markrad 0:cdf462088d13 2215 -S "Application Layer Protocol is"
markrad 0:cdf462088d13 2216
markrad 0:cdf462088d13 2217 run_test "ALPN: client only" \
markrad 0:cdf462088d13 2218 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2219 "$P_CLI debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2220 0 \
markrad 0:cdf462088d13 2221 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2222 -s "found alpn extension" \
markrad 0:cdf462088d13 2223 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2224 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2225 -C "found alpn extension " \
markrad 0:cdf462088d13 2226 -c "Application Layer Protocol is (none)" \
markrad 0:cdf462088d13 2227 -S "Application Layer Protocol is"
markrad 0:cdf462088d13 2228
markrad 0:cdf462088d13 2229 run_test "ALPN: server only" \
markrad 0:cdf462088d13 2230 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2231 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2232 0 \
markrad 0:cdf462088d13 2233 -C "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2234 -S "found alpn extension" \
markrad 0:cdf462088d13 2235 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2236 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2237 -C "found alpn extension " \
markrad 0:cdf462088d13 2238 -C "Application Layer Protocol is" \
markrad 0:cdf462088d13 2239 -s "Application Layer Protocol is (none)"
markrad 0:cdf462088d13 2240
markrad 0:cdf462088d13 2241 run_test "ALPN: both, common cli1-srv1" \
markrad 0:cdf462088d13 2242 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2243 "$P_CLI debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2244 0 \
markrad 0:cdf462088d13 2245 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2246 -s "found alpn extension" \
markrad 0:cdf462088d13 2247 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2248 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2249 -c "found alpn extension" \
markrad 0:cdf462088d13 2250 -c "Application Layer Protocol is abc" \
markrad 0:cdf462088d13 2251 -s "Application Layer Protocol is abc"
markrad 0:cdf462088d13 2252
markrad 0:cdf462088d13 2253 run_test "ALPN: both, common cli2-srv1" \
markrad 0:cdf462088d13 2254 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2255 "$P_CLI debug_level=3 alpn=1234,abc" \
markrad 0:cdf462088d13 2256 0 \
markrad 0:cdf462088d13 2257 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2258 -s "found alpn extension" \
markrad 0:cdf462088d13 2259 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2260 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2261 -c "found alpn extension" \
markrad 0:cdf462088d13 2262 -c "Application Layer Protocol is abc" \
markrad 0:cdf462088d13 2263 -s "Application Layer Protocol is abc"
markrad 0:cdf462088d13 2264
markrad 0:cdf462088d13 2265 run_test "ALPN: both, common cli1-srv2" \
markrad 0:cdf462088d13 2266 "$P_SRV debug_level=3 alpn=abc,1234" \
markrad 0:cdf462088d13 2267 "$P_CLI debug_level=3 alpn=1234,abcde" \
markrad 0:cdf462088d13 2268 0 \
markrad 0:cdf462088d13 2269 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2270 -s "found alpn extension" \
markrad 0:cdf462088d13 2271 -C "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2272 -s "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2273 -c "found alpn extension" \
markrad 0:cdf462088d13 2274 -c "Application Layer Protocol is 1234" \
markrad 0:cdf462088d13 2275 -s "Application Layer Protocol is 1234"
markrad 0:cdf462088d13 2276
markrad 0:cdf462088d13 2277 run_test "ALPN: both, no common" \
markrad 0:cdf462088d13 2278 "$P_SRV debug_level=3 alpn=abc,123" \
markrad 0:cdf462088d13 2279 "$P_CLI debug_level=3 alpn=1234,abcde" \
markrad 0:cdf462088d13 2280 1 \
markrad 0:cdf462088d13 2281 -c "client hello, adding alpn extension" \
markrad 0:cdf462088d13 2282 -s "found alpn extension" \
markrad 0:cdf462088d13 2283 -c "got an alert message, type: \\[2:120]" \
markrad 0:cdf462088d13 2284 -S "server hello, adding alpn extension" \
markrad 0:cdf462088d13 2285 -C "found alpn extension" \
markrad 0:cdf462088d13 2286 -C "Application Layer Protocol is 1234" \
markrad 0:cdf462088d13 2287 -S "Application Layer Protocol is 1234"
markrad 0:cdf462088d13 2288
markrad 0:cdf462088d13 2289
markrad 0:cdf462088d13 2290 # Tests for keyUsage in leaf certificates, part 1:
markrad 0:cdf462088d13 2291 # server-side certificate/suite selection
markrad 0:cdf462088d13 2292
markrad 0:cdf462088d13 2293 run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
markrad 0:cdf462088d13 2294 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2295 crt_file=data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2296 "$P_CLI" \
markrad 0:cdf462088d13 2297 0 \
markrad 0:cdf462088d13 2298 -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
markrad 0:cdf462088d13 2299
markrad 0:cdf462088d13 2300
markrad 0:cdf462088d13 2301 run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
markrad 0:cdf462088d13 2302 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2303 crt_file=data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2304 "$P_CLI" \
markrad 0:cdf462088d13 2305 0 \
markrad 0:cdf462088d13 2306 -c "Ciphersuite is TLS-RSA-WITH-"
markrad 0:cdf462088d13 2307
markrad 0:cdf462088d13 2308 run_test "keyUsage srv: RSA, keyAgreement -> fail" \
markrad 0:cdf462088d13 2309 "$P_SRV key_file=data_files/server2.key \
markrad 0:cdf462088d13 2310 crt_file=data_files/server2.ku-ka.crt" \
markrad 0:cdf462088d13 2311 "$P_CLI" \
markrad 0:cdf462088d13 2312 1 \
markrad 0:cdf462088d13 2313 -C "Ciphersuite is "
markrad 0:cdf462088d13 2314
markrad 0:cdf462088d13 2315 run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
markrad 0:cdf462088d13 2316 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2317 crt_file=data_files/server5.ku-ds.crt" \
markrad 0:cdf462088d13 2318 "$P_CLI" \
markrad 0:cdf462088d13 2319 0 \
markrad 0:cdf462088d13 2320 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
markrad 0:cdf462088d13 2321
markrad 0:cdf462088d13 2322
markrad 0:cdf462088d13 2323 run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
markrad 0:cdf462088d13 2324 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2325 crt_file=data_files/server5.ku-ka.crt" \
markrad 0:cdf462088d13 2326 "$P_CLI" \
markrad 0:cdf462088d13 2327 0 \
markrad 0:cdf462088d13 2328 -c "Ciphersuite is TLS-ECDH-"
markrad 0:cdf462088d13 2329
markrad 0:cdf462088d13 2330 run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
markrad 0:cdf462088d13 2331 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2332 crt_file=data_files/server5.ku-ke.crt" \
markrad 0:cdf462088d13 2333 "$P_CLI" \
markrad 0:cdf462088d13 2334 1 \
markrad 0:cdf462088d13 2335 -C "Ciphersuite is "
markrad 0:cdf462088d13 2336
markrad 0:cdf462088d13 2337 # Tests for keyUsage in leaf certificates, part 2:
markrad 0:cdf462088d13 2338 # client-side checking of server cert
markrad 0:cdf462088d13 2339
markrad 0:cdf462088d13 2340 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
markrad 0:cdf462088d13 2341 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2342 -cert data_files/server2.ku-ds_ke.crt" \
markrad 0:cdf462088d13 2343 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2344 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2345 0 \
markrad 0:cdf462088d13 2346 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2347 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2348 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2349
markrad 0:cdf462088d13 2350 run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
markrad 0:cdf462088d13 2351 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2352 -cert data_files/server2.ku-ds_ke.crt" \
markrad 0:cdf462088d13 2353 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2354 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2355 0 \
markrad 0:cdf462088d13 2356 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2357 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2358 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2359
markrad 0:cdf462088d13 2360 run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
markrad 0:cdf462088d13 2361 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2362 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2363 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2364 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2365 0 \
markrad 0:cdf462088d13 2366 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2367 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2368 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2369
markrad 0:cdf462088d13 2370 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
markrad 0:cdf462088d13 2371 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2372 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2373 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2374 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2375 1 \
markrad 0:cdf462088d13 2376 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2377 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2378 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2379
markrad 0:cdf462088d13 2380 run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
markrad 0:cdf462088d13 2381 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2382 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2383 "$P_CLI debug_level=1 auth_mode=optional \
markrad 0:cdf462088d13 2384 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2385 0 \
markrad 0:cdf462088d13 2386 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2387 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2388 -c "Ciphersuite is TLS-" \
markrad 0:cdf462088d13 2389 -c "! Usage does not match the keyUsage extension"
markrad 0:cdf462088d13 2390
markrad 0:cdf462088d13 2391 run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
markrad 0:cdf462088d13 2392 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2393 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2394 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2395 force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2396 0 \
markrad 0:cdf462088d13 2397 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2398 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2399 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2400
markrad 0:cdf462088d13 2401 run_test "keyUsage cli: DigitalSignature, RSA: fail" \
markrad 0:cdf462088d13 2402 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2403 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2404 "$P_CLI debug_level=1 \
markrad 0:cdf462088d13 2405 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2406 1 \
markrad 0:cdf462088d13 2407 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2408 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2409 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2410
markrad 0:cdf462088d13 2411 run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
markrad 0:cdf462088d13 2412 "$O_SRV -key data_files/server2.key \
markrad 0:cdf462088d13 2413 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2414 "$P_CLI debug_level=1 auth_mode=optional \
markrad 0:cdf462088d13 2415 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 2416 0 \
markrad 0:cdf462088d13 2417 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2418 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2419 -c "Ciphersuite is TLS-" \
markrad 0:cdf462088d13 2420 -c "! Usage does not match the keyUsage extension"
markrad 0:cdf462088d13 2421
markrad 0:cdf462088d13 2422 # Tests for keyUsage in leaf certificates, part 3:
markrad 0:cdf462088d13 2423 # server-side checking of client cert
markrad 0:cdf462088d13 2424
markrad 0:cdf462088d13 2425 run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
markrad 0:cdf462088d13 2426 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2427 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2428 -cert data_files/server2.ku-ds.crt" \
markrad 0:cdf462088d13 2429 0 \
markrad 0:cdf462088d13 2430 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2431 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2432
markrad 0:cdf462088d13 2433 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
markrad 0:cdf462088d13 2434 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2435 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2436 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2437 0 \
markrad 0:cdf462088d13 2438 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2439 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2440
markrad 0:cdf462088d13 2441 run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
markrad 0:cdf462088d13 2442 "$P_SRV debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 2443 "$O_CLI -key data_files/server2.key \
markrad 0:cdf462088d13 2444 -cert data_files/server2.ku-ke.crt" \
markrad 0:cdf462088d13 2445 1 \
markrad 0:cdf462088d13 2446 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2447 -s "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2448
markrad 0:cdf462088d13 2449 run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
markrad 0:cdf462088d13 2450 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2451 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2452 -cert data_files/server5.ku-ds.crt" \
markrad 0:cdf462088d13 2453 0 \
markrad 0:cdf462088d13 2454 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2455 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2456
markrad 0:cdf462088d13 2457 run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
markrad 0:cdf462088d13 2458 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2459 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2460 -cert data_files/server5.ku-ka.crt" \
markrad 0:cdf462088d13 2461 0 \
markrad 0:cdf462088d13 2462 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2463 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2464
markrad 0:cdf462088d13 2465 # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
markrad 0:cdf462088d13 2466
markrad 0:cdf462088d13 2467 run_test "extKeyUsage srv: serverAuth -> OK" \
markrad 0:cdf462088d13 2468 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2469 crt_file=data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2470 "$P_CLI" \
markrad 0:cdf462088d13 2471 0
markrad 0:cdf462088d13 2472
markrad 0:cdf462088d13 2473 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2474 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2475 crt_file=data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2476 "$P_CLI" \
markrad 0:cdf462088d13 2477 0
markrad 0:cdf462088d13 2478
markrad 0:cdf462088d13 2479 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2480 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2481 crt_file=data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2482 "$P_CLI" \
markrad 0:cdf462088d13 2483 0
markrad 0:cdf462088d13 2484
markrad 0:cdf462088d13 2485 run_test "extKeyUsage srv: codeSign -> fail" \
markrad 0:cdf462088d13 2486 "$P_SRV key_file=data_files/server5.key \
markrad 0:cdf462088d13 2487 crt_file=data_files/server5.eku-cli.crt" \
markrad 0:cdf462088d13 2488 "$P_CLI" \
markrad 0:cdf462088d13 2489 1
markrad 0:cdf462088d13 2490
markrad 0:cdf462088d13 2491 # Tests for extendedKeyUsage, part 2: client-side checking of server cert
markrad 0:cdf462088d13 2492
markrad 0:cdf462088d13 2493 run_test "extKeyUsage cli: serverAuth -> OK" \
markrad 0:cdf462088d13 2494 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2495 -cert data_files/server5.eku-srv.crt" \
markrad 0:cdf462088d13 2496 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2497 0 \
markrad 0:cdf462088d13 2498 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2499 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2500 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2501
markrad 0:cdf462088d13 2502 run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2503 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2504 -cert data_files/server5.eku-srv_cli.crt" \
markrad 0:cdf462088d13 2505 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2506 0 \
markrad 0:cdf462088d13 2507 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2508 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2509 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2510
markrad 0:cdf462088d13 2511 run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2512 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2513 -cert data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2514 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2515 0 \
markrad 0:cdf462088d13 2516 -C "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2517 -C "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2518 -c "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2519
markrad 0:cdf462088d13 2520 run_test "extKeyUsage cli: codeSign -> fail" \
markrad 0:cdf462088d13 2521 "$O_SRV -key data_files/server5.key \
markrad 0:cdf462088d13 2522 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2523 "$P_CLI debug_level=1" \
markrad 0:cdf462088d13 2524 1 \
markrad 0:cdf462088d13 2525 -c "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2526 -c "Processing of the Certificate handshake message failed" \
markrad 0:cdf462088d13 2527 -C "Ciphersuite is TLS-"
markrad 0:cdf462088d13 2528
markrad 0:cdf462088d13 2529 # Tests for extendedKeyUsage, part 3: server-side checking of client cert
markrad 0:cdf462088d13 2530
markrad 0:cdf462088d13 2531 run_test "extKeyUsage cli-auth: clientAuth -> OK" \
markrad 0:cdf462088d13 2532 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2533 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2534 -cert data_files/server5.eku-cli.crt" \
markrad 0:cdf462088d13 2535 0 \
markrad 0:cdf462088d13 2536 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2537 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2538
markrad 0:cdf462088d13 2539 run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
markrad 0:cdf462088d13 2540 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2541 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2542 -cert data_files/server5.eku-srv_cli.crt" \
markrad 0:cdf462088d13 2543 0 \
markrad 0:cdf462088d13 2544 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2545 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2546
markrad 0:cdf462088d13 2547 run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
markrad 0:cdf462088d13 2548 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2549 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2550 -cert data_files/server5.eku-cs_any.crt" \
markrad 0:cdf462088d13 2551 0 \
markrad 0:cdf462088d13 2552 -S "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2553 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2554
markrad 0:cdf462088d13 2555 run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
markrad 0:cdf462088d13 2556 "$P_SRV debug_level=1 auth_mode=optional" \
markrad 0:cdf462088d13 2557 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2558 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2559 0 \
markrad 0:cdf462088d13 2560 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2561 -S "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2562
markrad 0:cdf462088d13 2563 run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
markrad 0:cdf462088d13 2564 "$P_SRV debug_level=1 auth_mode=required" \
markrad 0:cdf462088d13 2565 "$O_CLI -key data_files/server5.key \
markrad 0:cdf462088d13 2566 -cert data_files/server5.eku-cs.crt" \
markrad 0:cdf462088d13 2567 1 \
markrad 0:cdf462088d13 2568 -s "bad certificate (usage extensions)" \
markrad 0:cdf462088d13 2569 -s "Processing of the Certificate handshake message failed"
markrad 0:cdf462088d13 2570
markrad 0:cdf462088d13 2571 # Tests for DHM parameters loading
markrad 0:cdf462088d13 2572
markrad 0:cdf462088d13 2573 run_test "DHM parameters: reference" \
markrad 0:cdf462088d13 2574 "$P_SRV" \
markrad 0:cdf462088d13 2575 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2576 debug_level=3" \
markrad 0:cdf462088d13 2577 0 \
markrad 0:cdf462088d13 2578 -c "value of 'DHM: P ' (2048 bits)" \
markrad 0:cdf462088d13 2579 -c "value of 'DHM: G ' (2048 bits)"
markrad 0:cdf462088d13 2580
markrad 0:cdf462088d13 2581 run_test "DHM parameters: other parameters" \
markrad 0:cdf462088d13 2582 "$P_SRV dhm_file=data_files/dhparams.pem" \
markrad 0:cdf462088d13 2583 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2584 debug_level=3" \
markrad 0:cdf462088d13 2585 0 \
markrad 0:cdf462088d13 2586 -c "value of 'DHM: P ' (1024 bits)" \
markrad 0:cdf462088d13 2587 -c "value of 'DHM: G ' (2 bits)"
markrad 0:cdf462088d13 2588
markrad 0:cdf462088d13 2589 # Tests for DHM client-side size checking
markrad 0:cdf462088d13 2590
markrad 0:cdf462088d13 2591 run_test "DHM size: server default, client default, OK" \
markrad 0:cdf462088d13 2592 "$P_SRV" \
markrad 0:cdf462088d13 2593 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2594 debug_level=1" \
markrad 0:cdf462088d13 2595 0 \
markrad 0:cdf462088d13 2596 -C "DHM prime too short:"
markrad 0:cdf462088d13 2597
markrad 0:cdf462088d13 2598 run_test "DHM size: server default, client 2048, OK" \
markrad 0:cdf462088d13 2599 "$P_SRV" \
markrad 0:cdf462088d13 2600 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2601 debug_level=1 dhmlen=2048" \
markrad 0:cdf462088d13 2602 0 \
markrad 0:cdf462088d13 2603 -C "DHM prime too short:"
markrad 0:cdf462088d13 2604
markrad 0:cdf462088d13 2605 run_test "DHM size: server 1024, client default, OK" \
markrad 0:cdf462088d13 2606 "$P_SRV dhm_file=data_files/dhparams.pem" \
markrad 0:cdf462088d13 2607 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2608 debug_level=1" \
markrad 0:cdf462088d13 2609 0 \
markrad 0:cdf462088d13 2610 -C "DHM prime too short:"
markrad 0:cdf462088d13 2611
markrad 0:cdf462088d13 2612 run_test "DHM size: server 1000, client default, rejected" \
markrad 0:cdf462088d13 2613 "$P_SRV dhm_file=data_files/dh.1000.pem" \
markrad 0:cdf462088d13 2614 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2615 debug_level=1" \
markrad 0:cdf462088d13 2616 1 \
markrad 0:cdf462088d13 2617 -c "DHM prime too short:"
markrad 0:cdf462088d13 2618
markrad 0:cdf462088d13 2619 run_test "DHM size: server default, client 2049, rejected" \
markrad 0:cdf462088d13 2620 "$P_SRV" \
markrad 0:cdf462088d13 2621 "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2622 debug_level=1 dhmlen=2049" \
markrad 0:cdf462088d13 2623 1 \
markrad 0:cdf462088d13 2624 -c "DHM prime too short:"
markrad 0:cdf462088d13 2625
markrad 0:cdf462088d13 2626 # Tests for PSK callback
markrad 0:cdf462088d13 2627
markrad 0:cdf462088d13 2628 run_test "PSK callback: psk, no callback" \
markrad 0:cdf462088d13 2629 "$P_SRV psk=abc123 psk_identity=foo" \
markrad 0:cdf462088d13 2630 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2631 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2632 0 \
markrad 0:cdf462088d13 2633 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2634 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2635 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2636
markrad 0:cdf462088d13 2637 run_test "PSK callback: no psk, no callback" \
markrad 0:cdf462088d13 2638 "$P_SRV" \
markrad 0:cdf462088d13 2639 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2640 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2641 1 \
markrad 0:cdf462088d13 2642 -s "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2643 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2644 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2645
markrad 0:cdf462088d13 2646 run_test "PSK callback: callback overrides other settings" \
markrad 0:cdf462088d13 2647 "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2648 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2649 psk_identity=foo psk=abc123" \
markrad 0:cdf462088d13 2650 1 \
markrad 0:cdf462088d13 2651 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2652 -s "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2653 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2654
markrad 0:cdf462088d13 2655 run_test "PSK callback: first id matches" \
markrad 0:cdf462088d13 2656 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2657 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2658 psk_identity=abc psk=dead" \
markrad 0:cdf462088d13 2659 0 \
markrad 0:cdf462088d13 2660 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2661 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2662 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2663
markrad 0:cdf462088d13 2664 run_test "PSK callback: second id matches" \
markrad 0:cdf462088d13 2665 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2666 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2667 psk_identity=def psk=beef" \
markrad 0:cdf462088d13 2668 0 \
markrad 0:cdf462088d13 2669 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2670 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2671 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2672
markrad 0:cdf462088d13 2673 run_test "PSK callback: no match" \
markrad 0:cdf462088d13 2674 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2675 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2676 psk_identity=ghi psk=beef" \
markrad 0:cdf462088d13 2677 1 \
markrad 0:cdf462088d13 2678 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2679 -s "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2680 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2681
markrad 0:cdf462088d13 2682 run_test "PSK callback: wrong key" \
markrad 0:cdf462088d13 2683 "$P_SRV psk_list=abc,dead,def,beef" \
markrad 0:cdf462088d13 2684 "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
markrad 0:cdf462088d13 2685 psk_identity=abc psk=beef" \
markrad 0:cdf462088d13 2686 1 \
markrad 0:cdf462088d13 2687 -S "SSL - None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2688 -S "SSL - Unknown identity received" \
markrad 0:cdf462088d13 2689 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2690
markrad 0:cdf462088d13 2691 # Tests for EC J-PAKE
markrad 0:cdf462088d13 2692
markrad 0:cdf462088d13 2693 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2694 run_test "ECJPAKE: client not configured" \
markrad 0:cdf462088d13 2695 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2696 "$P_CLI debug_level=3" \
markrad 0:cdf462088d13 2697 0 \
markrad 0:cdf462088d13 2698 -C "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2699 -C "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2700 -S "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2701 -S "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2702 -S "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2703 -S "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2704 -C "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2705 -S "None of the common ciphersuites is usable"
markrad 0:cdf462088d13 2706
markrad 0:cdf462088d13 2707 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2708 run_test "ECJPAKE: server not configured" \
markrad 0:cdf462088d13 2709 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2710 "$P_CLI debug_level=3 ecjpake_pw=bla \
markrad 0:cdf462088d13 2711 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2712 1 \
markrad 0:cdf462088d13 2713 -c "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2714 -c "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2715 -s "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2716 -s "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2717 -s "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2718 -S "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2719 -C "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2720 -s "None of the common ciphersuites is usable"
markrad 0:cdf462088d13 2721
markrad 0:cdf462088d13 2722 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2723 run_test "ECJPAKE: working, TLS" \
markrad 0:cdf462088d13 2724 "$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2725 "$P_CLI debug_level=3 ecjpake_pw=bla \
markrad 0:cdf462088d13 2726 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2727 0 \
markrad 0:cdf462088d13 2728 -c "add ciphersuite: c0ff" \
markrad 0:cdf462088d13 2729 -c "adding ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2730 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2731 -s "found ecjpake kkpp extension" \
markrad 0:cdf462088d13 2732 -S "skip ecjpake kkpp extension" \
markrad 0:cdf462088d13 2733 -S "ciphersuite mismatch: ecjpake not configured" \
markrad 0:cdf462088d13 2734 -s "server hello, ecjpake kkpp extension" \
markrad 0:cdf462088d13 2735 -c "found ecjpake_kkpp extension" \
markrad 0:cdf462088d13 2736 -S "None of the common ciphersuites is usable" \
markrad 0:cdf462088d13 2737 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2738
markrad 0:cdf462088d13 2739 server_needs_more_time 1
markrad 0:cdf462088d13 2740 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2741 run_test "ECJPAKE: password mismatch, TLS" \
markrad 0:cdf462088d13 2742 "$P_SRV debug_level=3 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2743 "$P_CLI debug_level=3 ecjpake_pw=bad \
markrad 0:cdf462088d13 2744 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2745 1 \
markrad 0:cdf462088d13 2746 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2747 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2748
markrad 0:cdf462088d13 2749 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2750 run_test "ECJPAKE: working, DTLS" \
markrad 0:cdf462088d13 2751 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2752 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2753 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2754 0 \
markrad 0:cdf462088d13 2755 -c "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2756 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2757
markrad 0:cdf462088d13 2758 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2759 run_test "ECJPAKE: working, DTLS, no cookie" \
markrad 0:cdf462088d13 2760 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
markrad 0:cdf462088d13 2761 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2762 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2763 0 \
markrad 0:cdf462088d13 2764 -C "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2765 -S "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2766
markrad 0:cdf462088d13 2767 server_needs_more_time 1
markrad 0:cdf462088d13 2768 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2769 run_test "ECJPAKE: password mismatch, DTLS" \
markrad 0:cdf462088d13 2770 "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2771 "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
markrad 0:cdf462088d13 2772 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2773 1 \
markrad 0:cdf462088d13 2774 -c "re-using cached ecjpake parameters" \
markrad 0:cdf462088d13 2775 -s "SSL - Verification of the message MAC failed"
markrad 0:cdf462088d13 2776
markrad 0:cdf462088d13 2777 # for tests with configs/config-thread.h
markrad 0:cdf462088d13 2778 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
markrad 0:cdf462088d13 2779 run_test "ECJPAKE: working, DTLS, nolog" \
markrad 0:cdf462088d13 2780 "$P_SRV dtls=1 ecjpake_pw=bla" \
markrad 0:cdf462088d13 2781 "$P_CLI dtls=1 ecjpake_pw=bla \
markrad 0:cdf462088d13 2782 force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 2783 0
markrad 0:cdf462088d13 2784
markrad 0:cdf462088d13 2785 # Tests for ciphersuites per version
markrad 0:cdf462088d13 2786
markrad 0:cdf462088d13 2787 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2788 run_test "Per-version suites: SSL3" \
markrad 0:cdf462088d13 2789 "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2790 "$P_CLI force_version=ssl3" \
markrad 0:cdf462088d13 2791 0 \
markrad 0:cdf462088d13 2792 -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
markrad 0:cdf462088d13 2793
markrad 0:cdf462088d13 2794 run_test "Per-version suites: TLS 1.0" \
markrad 0:cdf462088d13 2795 "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2796 "$P_CLI force_version=tls1 arc4=1" \
markrad 0:cdf462088d13 2797 0 \
markrad 0:cdf462088d13 2798 -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
markrad 0:cdf462088d13 2799
markrad 0:cdf462088d13 2800 run_test "Per-version suites: TLS 1.1" \
markrad 0:cdf462088d13 2801 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2802 "$P_CLI force_version=tls1_1" \
markrad 0:cdf462088d13 2803 0 \
markrad 0:cdf462088d13 2804 -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
markrad 0:cdf462088d13 2805
markrad 0:cdf462088d13 2806 run_test "Per-version suites: TLS 1.2" \
markrad 0:cdf462088d13 2807 "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 2808 "$P_CLI force_version=tls1_2" \
markrad 0:cdf462088d13 2809 0 \
markrad 0:cdf462088d13 2810 -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
markrad 0:cdf462088d13 2811
markrad 0:cdf462088d13 2812 # Test for ClientHello without extensions
markrad 0:cdf462088d13 2813
markrad 0:cdf462088d13 2814 requires_gnutls
markrad 0:cdf462088d13 2815 run_test "ClientHello without extensions" \
markrad 0:cdf462088d13 2816 "$P_SRV debug_level=3" \
markrad 0:cdf462088d13 2817 "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
markrad 0:cdf462088d13 2818 0 \
markrad 0:cdf462088d13 2819 -s "dumping 'client hello extensions' (0 bytes)"
markrad 0:cdf462088d13 2820
markrad 0:cdf462088d13 2821 # Tests for mbedtls_ssl_get_bytes_avail()
markrad 0:cdf462088d13 2822
markrad 0:cdf462088d13 2823 run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
markrad 0:cdf462088d13 2824 "$P_SRV" \
markrad 0:cdf462088d13 2825 "$P_CLI request_size=100" \
markrad 0:cdf462088d13 2826 0 \
markrad 0:cdf462088d13 2827 -s "Read from client: 100 bytes read$"
markrad 0:cdf462088d13 2828
markrad 0:cdf462088d13 2829 run_test "mbedtls_ssl_get_bytes_avail: extra data" \
markrad 0:cdf462088d13 2830 "$P_SRV" \
markrad 0:cdf462088d13 2831 "$P_CLI request_size=500" \
markrad 0:cdf462088d13 2832 0 \
markrad 0:cdf462088d13 2833 -s "Read from client: 500 bytes read (.*+.*)"
markrad 0:cdf462088d13 2834
markrad 0:cdf462088d13 2835 # Tests for small packets
markrad 0:cdf462088d13 2836
markrad 0:cdf462088d13 2837 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2838 run_test "Small packet SSLv3 BlockCipher" \
markrad 0:cdf462088d13 2839 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 2840 "$P_CLI request_size=1 force_version=ssl3 \
markrad 0:cdf462088d13 2841 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2842 0 \
markrad 0:cdf462088d13 2843 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2844
markrad 0:cdf462088d13 2845 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2846 run_test "Small packet SSLv3 StreamCipher" \
markrad 0:cdf462088d13 2847 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2848 "$P_CLI request_size=1 force_version=ssl3 \
markrad 0:cdf462088d13 2849 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2850 0 \
markrad 0:cdf462088d13 2851 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2852
markrad 0:cdf462088d13 2853 run_test "Small packet TLS 1.0 BlockCipher" \
markrad 0:cdf462088d13 2854 "$P_SRV" \
markrad 0:cdf462088d13 2855 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2856 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2857 0 \
markrad 0:cdf462088d13 2858 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2859
markrad 0:cdf462088d13 2860 run_test "Small packet TLS 1.0 BlockCipher without EtM" \
markrad 0:cdf462088d13 2861 "$P_SRV" \
markrad 0:cdf462088d13 2862 "$P_CLI request_size=1 force_version=tls1 etm=0 \
markrad 0:cdf462088d13 2863 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2864 0 \
markrad 0:cdf462088d13 2865 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2866
markrad 0:cdf462088d13 2867 run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2868 "$P_SRV" \
markrad 0:cdf462088d13 2869 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2870 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2871 trunc_hmac=1" \
markrad 0:cdf462088d13 2872 0 \
markrad 0:cdf462088d13 2873 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2874
markrad 0:cdf462088d13 2875 run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2876 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2877 "$P_CLI request_size=1 force_version=tls1 \
markrad 0:cdf462088d13 2878 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2879 trunc_hmac=1" \
markrad 0:cdf462088d13 2880 0 \
markrad 0:cdf462088d13 2881 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2882
markrad 0:cdf462088d13 2883 run_test "Small packet TLS 1.1 BlockCipher" \
markrad 0:cdf462088d13 2884 "$P_SRV" \
markrad 0:cdf462088d13 2885 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2886 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2887 0 \
markrad 0:cdf462088d13 2888 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2889
markrad 0:cdf462088d13 2890 run_test "Small packet TLS 1.1 BlockCipher without EtM" \
markrad 0:cdf462088d13 2891 "$P_SRV" \
markrad 0:cdf462088d13 2892 "$P_CLI request_size=1 force_version=tls1_1 etm=0 \
markrad 0:cdf462088d13 2893 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2894 0 \
markrad 0:cdf462088d13 2895 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2896
markrad 0:cdf462088d13 2897 run_test "Small packet TLS 1.1 StreamCipher" \
markrad 0:cdf462088d13 2898 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2899 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2900 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2901 0 \
markrad 0:cdf462088d13 2902 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2903
markrad 0:cdf462088d13 2904 run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2905 "$P_SRV" \
markrad 0:cdf462088d13 2906 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2907 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2908 trunc_hmac=1" \
markrad 0:cdf462088d13 2909 0 \
markrad 0:cdf462088d13 2910 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2911
markrad 0:cdf462088d13 2912 run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2913 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2914 "$P_CLI request_size=1 force_version=tls1_1 \
markrad 0:cdf462088d13 2915 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2916 trunc_hmac=1" \
markrad 0:cdf462088d13 2917 0 \
markrad 0:cdf462088d13 2918 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2919
markrad 0:cdf462088d13 2920 run_test "Small packet TLS 1.2 BlockCipher" \
markrad 0:cdf462088d13 2921 "$P_SRV" \
markrad 0:cdf462088d13 2922 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2923 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2924 0 \
markrad 0:cdf462088d13 2925 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2926
markrad 0:cdf462088d13 2927 run_test "Small packet TLS 1.2 BlockCipher without EtM" \
markrad 0:cdf462088d13 2928 "$P_SRV" \
markrad 0:cdf462088d13 2929 "$P_CLI request_size=1 force_version=tls1_2 etm=0 \
markrad 0:cdf462088d13 2930 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2931 0 \
markrad 0:cdf462088d13 2932 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2933
markrad 0:cdf462088d13 2934 run_test "Small packet TLS 1.2 BlockCipher larger MAC" \
markrad 0:cdf462088d13 2935 "$P_SRV" \
markrad 0:cdf462088d13 2936 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2937 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad 0:cdf462088d13 2938 0 \
markrad 0:cdf462088d13 2939 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2940
markrad 0:cdf462088d13 2941 run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 2942 "$P_SRV" \
markrad 0:cdf462088d13 2943 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2944 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 2945 trunc_hmac=1" \
markrad 0:cdf462088d13 2946 0 \
markrad 0:cdf462088d13 2947 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2948
markrad 0:cdf462088d13 2949 run_test "Small packet TLS 1.2 StreamCipher" \
markrad 0:cdf462088d13 2950 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2951 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2952 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2953 0 \
markrad 0:cdf462088d13 2954 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2955
markrad 0:cdf462088d13 2956 run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 2957 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 2958 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2959 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 2960 trunc_hmac=1" \
markrad 0:cdf462088d13 2961 0 \
markrad 0:cdf462088d13 2962 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2963
markrad 0:cdf462088d13 2964 run_test "Small packet TLS 1.2 AEAD" \
markrad 0:cdf462088d13 2965 "$P_SRV" \
markrad 0:cdf462088d13 2966 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2967 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad 0:cdf462088d13 2968 0 \
markrad 0:cdf462088d13 2969 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2970
markrad 0:cdf462088d13 2971 run_test "Small packet TLS 1.2 AEAD shorter tag" \
markrad 0:cdf462088d13 2972 "$P_SRV" \
markrad 0:cdf462088d13 2973 "$P_CLI request_size=1 force_version=tls1_2 \
markrad 0:cdf462088d13 2974 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad 0:cdf462088d13 2975 0 \
markrad 0:cdf462088d13 2976 -s "Read from client: 1 bytes read"
markrad 0:cdf462088d13 2977
markrad 0:cdf462088d13 2978 # A test for extensions in SSLv3
markrad 0:cdf462088d13 2979
markrad 0:cdf462088d13 2980 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2981 run_test "SSLv3 with extensions, server side" \
markrad 0:cdf462088d13 2982 "$P_SRV min_version=ssl3 debug_level=3" \
markrad 0:cdf462088d13 2983 "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
markrad 0:cdf462088d13 2984 0 \
markrad 0:cdf462088d13 2985 -S "dumping 'client hello extensions'" \
markrad 0:cdf462088d13 2986 -S "server hello, total extension length:"
markrad 0:cdf462088d13 2987
markrad 0:cdf462088d13 2988 # Test for large packets
markrad 0:cdf462088d13 2989
markrad 0:cdf462088d13 2990 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2991 run_test "Large packet SSLv3 BlockCipher" \
markrad 0:cdf462088d13 2992 "$P_SRV min_version=ssl3" \
markrad 0:cdf462088d13 2993 "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
markrad 0:cdf462088d13 2994 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 2995 0 \
markrad 0:cdf462088d13 2996 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 2997
markrad 0:cdf462088d13 2998 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
markrad 0:cdf462088d13 2999 run_test "Large packet SSLv3 StreamCipher" \
markrad 0:cdf462088d13 3000 "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3001 "$P_CLI request_size=16384 force_version=ssl3 \
markrad 0:cdf462088d13 3002 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3003 0 \
markrad 0:cdf462088d13 3004 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3005
markrad 0:cdf462088d13 3006 run_test "Large packet TLS 1.0 BlockCipher" \
markrad 0:cdf462088d13 3007 "$P_SRV" \
markrad 0:cdf462088d13 3008 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad 0:cdf462088d13 3009 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3010 0 \
markrad 0:cdf462088d13 3011 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3012
markrad 0:cdf462088d13 3013 run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3014 "$P_SRV" \
markrad 0:cdf462088d13 3015 "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
markrad 0:cdf462088d13 3016 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3017 trunc_hmac=1" \
markrad 0:cdf462088d13 3018 0 \
markrad 0:cdf462088d13 3019 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3020
markrad 0:cdf462088d13 3021 run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3022 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3023 "$P_CLI request_size=16384 force_version=tls1 \
markrad 0:cdf462088d13 3024 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3025 trunc_hmac=1" \
markrad 0:cdf462088d13 3026 0 \
markrad 0:cdf462088d13 3027 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3028
markrad 0:cdf462088d13 3029 run_test "Large packet TLS 1.1 BlockCipher" \
markrad 0:cdf462088d13 3030 "$P_SRV" \
markrad 0:cdf462088d13 3031 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3032 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3033 0 \
markrad 0:cdf462088d13 3034 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3035
markrad 0:cdf462088d13 3036 run_test "Large packet TLS 1.1 StreamCipher" \
markrad 0:cdf462088d13 3037 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3038 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3039 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3040 0 \
markrad 0:cdf462088d13 3041 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3042
markrad 0:cdf462088d13 3043 run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3044 "$P_SRV" \
markrad 0:cdf462088d13 3045 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3046 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3047 trunc_hmac=1" \
markrad 0:cdf462088d13 3048 0 \
markrad 0:cdf462088d13 3049 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3050
markrad 0:cdf462088d13 3051 run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3052 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3053 "$P_CLI request_size=16384 force_version=tls1_1 \
markrad 0:cdf462088d13 3054 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3055 trunc_hmac=1" \
markrad 0:cdf462088d13 3056 0 \
markrad 0:cdf462088d13 3057 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3058
markrad 0:cdf462088d13 3059 run_test "Large packet TLS 1.2 BlockCipher" \
markrad 0:cdf462088d13 3060 "$P_SRV" \
markrad 0:cdf462088d13 3061 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3062 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
markrad 0:cdf462088d13 3063 0 \
markrad 0:cdf462088d13 3064 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3065
markrad 0:cdf462088d13 3066 run_test "Large packet TLS 1.2 BlockCipher larger MAC" \
markrad 0:cdf462088d13 3067 "$P_SRV" \
markrad 0:cdf462088d13 3068 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3069 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
markrad 0:cdf462088d13 3070 0 \
markrad 0:cdf462088d13 3071 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3072
markrad 0:cdf462088d13 3073 run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \
markrad 0:cdf462088d13 3074 "$P_SRV" \
markrad 0:cdf462088d13 3075 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3076 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
markrad 0:cdf462088d13 3077 trunc_hmac=1" \
markrad 0:cdf462088d13 3078 0 \
markrad 0:cdf462088d13 3079 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3080
markrad 0:cdf462088d13 3081 run_test "Large packet TLS 1.2 StreamCipher" \
markrad 0:cdf462088d13 3082 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3083 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3084 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3085 0 \
markrad 0:cdf462088d13 3086 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3087
markrad 0:cdf462088d13 3088 run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \
markrad 0:cdf462088d13 3089 "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
markrad 0:cdf462088d13 3090 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3091 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
markrad 0:cdf462088d13 3092 trunc_hmac=1" \
markrad 0:cdf462088d13 3093 0 \
markrad 0:cdf462088d13 3094 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3095
markrad 0:cdf462088d13 3096 run_test "Large packet TLS 1.2 AEAD" \
markrad 0:cdf462088d13 3097 "$P_SRV" \
markrad 0:cdf462088d13 3098 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3099 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
markrad 0:cdf462088d13 3100 0 \
markrad 0:cdf462088d13 3101 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3102
markrad 0:cdf462088d13 3103 run_test "Large packet TLS 1.2 AEAD shorter tag" \
markrad 0:cdf462088d13 3104 "$P_SRV" \
markrad 0:cdf462088d13 3105 "$P_CLI request_size=16384 force_version=tls1_2 \
markrad 0:cdf462088d13 3106 force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
markrad 0:cdf462088d13 3107 0 \
markrad 0:cdf462088d13 3108 -s "Read from client: 16384 bytes read"
markrad 0:cdf462088d13 3109
markrad 0:cdf462088d13 3110 # Tests for DTLS HelloVerifyRequest
markrad 0:cdf462088d13 3111
markrad 0:cdf462088d13 3112 run_test "DTLS cookie: enabled" \
markrad 0:cdf462088d13 3113 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3114 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3115 0 \
markrad 0:cdf462088d13 3116 -s "cookie verification failed" \
markrad 0:cdf462088d13 3117 -s "cookie verification passed" \
markrad 0:cdf462088d13 3118 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3119 -c "received hello verify request" \
markrad 0:cdf462088d13 3120 -s "hello verification requested" \
markrad 0:cdf462088d13 3121 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3122
markrad 0:cdf462088d13 3123 run_test "DTLS cookie: disabled" \
markrad 0:cdf462088d13 3124 "$P_SRV dtls=1 debug_level=2 cookies=0" \
markrad 0:cdf462088d13 3125 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3126 0 \
markrad 0:cdf462088d13 3127 -S "cookie verification failed" \
markrad 0:cdf462088d13 3128 -S "cookie verification passed" \
markrad 0:cdf462088d13 3129 -s "cookie verification skipped" \
markrad 0:cdf462088d13 3130 -C "received hello verify request" \
markrad 0:cdf462088d13 3131 -S "hello verification requested" \
markrad 0:cdf462088d13 3132 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3133
markrad 0:cdf462088d13 3134 run_test "DTLS cookie: default (failing)" \
markrad 0:cdf462088d13 3135 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
markrad 0:cdf462088d13 3136 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
markrad 0:cdf462088d13 3137 1 \
markrad 0:cdf462088d13 3138 -s "cookie verification failed" \
markrad 0:cdf462088d13 3139 -S "cookie verification passed" \
markrad 0:cdf462088d13 3140 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3141 -C "received hello verify request" \
markrad 0:cdf462088d13 3142 -S "hello verification requested" \
markrad 0:cdf462088d13 3143 -s "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3144
markrad 0:cdf462088d13 3145 requires_ipv6
markrad 0:cdf462088d13 3146 run_test "DTLS cookie: enabled, IPv6" \
markrad 0:cdf462088d13 3147 "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
markrad 0:cdf462088d13 3148 "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
markrad 0:cdf462088d13 3149 0 \
markrad 0:cdf462088d13 3150 -s "cookie verification failed" \
markrad 0:cdf462088d13 3151 -s "cookie verification passed" \
markrad 0:cdf462088d13 3152 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3153 -c "received hello verify request" \
markrad 0:cdf462088d13 3154 -s "hello verification requested" \
markrad 0:cdf462088d13 3155 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3156
markrad 0:cdf462088d13 3157 run_test "DTLS cookie: enabled, nbio" \
markrad 0:cdf462088d13 3158 "$P_SRV dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3159 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3160 0 \
markrad 0:cdf462088d13 3161 -s "cookie verification failed" \
markrad 0:cdf462088d13 3162 -s "cookie verification passed" \
markrad 0:cdf462088d13 3163 -S "cookie verification skipped" \
markrad 0:cdf462088d13 3164 -c "received hello verify request" \
markrad 0:cdf462088d13 3165 -s "hello verification requested" \
markrad 0:cdf462088d13 3166 -S "SSL - The requested feature is not available"
markrad 0:cdf462088d13 3167
markrad 0:cdf462088d13 3168 # Tests for client reconnecting from the same port with DTLS
markrad 0:cdf462088d13 3169
markrad 0:cdf462088d13 3170 not_with_valgrind # spurious resend
markrad 0:cdf462088d13 3171 run_test "DTLS client reconnect from same port: reference" \
markrad 0:cdf462088d13 3172 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad 0:cdf462088d13 3173 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
markrad 0:cdf462088d13 3174 0 \
markrad 0:cdf462088d13 3175 -C "resend" \
markrad 0:cdf462088d13 3176 -S "The operation timed out" \
markrad 0:cdf462088d13 3177 -S "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3178
markrad 0:cdf462088d13 3179 not_with_valgrind # spurious resend
markrad 0:cdf462088d13 3180 run_test "DTLS client reconnect from same port: reconnect" \
markrad 0:cdf462088d13 3181 "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
markrad 0:cdf462088d13 3182 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad 0:cdf462088d13 3183 0 \
markrad 0:cdf462088d13 3184 -C "resend" \
markrad 0:cdf462088d13 3185 -S "The operation timed out" \
markrad 0:cdf462088d13 3186 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3187
markrad 0:cdf462088d13 3188 not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
markrad 0:cdf462088d13 3189 run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
markrad 0:cdf462088d13 3190 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
markrad 0:cdf462088d13 3191 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
markrad 0:cdf462088d13 3192 0 \
markrad 0:cdf462088d13 3193 -S "The operation timed out" \
markrad 0:cdf462088d13 3194 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3195
markrad 0:cdf462088d13 3196 only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
markrad 0:cdf462088d13 3197 run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
markrad 0:cdf462088d13 3198 "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
markrad 0:cdf462088d13 3199 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
markrad 0:cdf462088d13 3200 0 \
markrad 0:cdf462088d13 3201 -S "The operation timed out" \
markrad 0:cdf462088d13 3202 -s "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3203
markrad 0:cdf462088d13 3204 run_test "DTLS client reconnect from same port: no cookies" \
markrad 0:cdf462088d13 3205 "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
markrad 0:cdf462088d13 3206 "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
markrad 0:cdf462088d13 3207 0 \
markrad 0:cdf462088d13 3208 -s "The operation timed out" \
markrad 0:cdf462088d13 3209 -S "Client initiated reconnection from same port"
markrad 0:cdf462088d13 3210
markrad 0:cdf462088d13 3211 # Tests for various cases of client authentication with DTLS
markrad 0:cdf462088d13 3212 # (focused on handshake flows and message parsing)
markrad 0:cdf462088d13 3213
markrad 0:cdf462088d13 3214 run_test "DTLS client auth: required" \
markrad 0:cdf462088d13 3215 "$P_SRV dtls=1 auth_mode=required" \
markrad 0:cdf462088d13 3216 "$P_CLI dtls=1" \
markrad 0:cdf462088d13 3217 0 \
markrad 0:cdf462088d13 3218 -s "Verifying peer X.509 certificate... ok"
markrad 0:cdf462088d13 3219
markrad 0:cdf462088d13 3220 run_test "DTLS client auth: optional, client has no cert" \
markrad 0:cdf462088d13 3221 "$P_SRV dtls=1 auth_mode=optional" \
markrad 0:cdf462088d13 3222 "$P_CLI dtls=1 crt_file=none key_file=none" \
markrad 0:cdf462088d13 3223 0 \
markrad 0:cdf462088d13 3224 -s "! Certificate was missing"
markrad 0:cdf462088d13 3225
markrad 0:cdf462088d13 3226 run_test "DTLS client auth: none, client has no cert" \
markrad 0:cdf462088d13 3227 "$P_SRV dtls=1 auth_mode=none" \
markrad 0:cdf462088d13 3228 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
markrad 0:cdf462088d13 3229 0 \
markrad 0:cdf462088d13 3230 -c "skip write certificate$" \
markrad 0:cdf462088d13 3231 -s "! Certificate verification was skipped"
markrad 0:cdf462088d13 3232
markrad 0:cdf462088d13 3233 run_test "DTLS wrong PSK: badmac alert" \
markrad 0:cdf462088d13 3234 "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
markrad 0:cdf462088d13 3235 "$P_CLI dtls=1 psk=abc124" \
markrad 0:cdf462088d13 3236 1 \
markrad 0:cdf462088d13 3237 -s "SSL - Verification of the message MAC failed" \
markrad 0:cdf462088d13 3238 -c "SSL - A fatal alert message was received from our peer"
markrad 0:cdf462088d13 3239
markrad 0:cdf462088d13 3240 # Tests for receiving fragmented handshake messages with DTLS
markrad 0:cdf462088d13 3241
markrad 0:cdf462088d13 3242 requires_gnutls
markrad 0:cdf462088d13 3243 run_test "DTLS reassembly: no fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3244 "$G_SRV -u --mtu 2048 -a" \
markrad 0:cdf462088d13 3245 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3246 0 \
markrad 0:cdf462088d13 3247 -C "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3248 -C "error"
markrad 0:cdf462088d13 3249
markrad 0:cdf462088d13 3250 requires_gnutls
markrad 0:cdf462088d13 3251 run_test "DTLS reassembly: some fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3252 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3253 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3254 0 \
markrad 0:cdf462088d13 3255 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3256 -C "error"
markrad 0:cdf462088d13 3257
markrad 0:cdf462088d13 3258 requires_gnutls
markrad 0:cdf462088d13 3259 run_test "DTLS reassembly: more fragmentation (gnutls server)" \
markrad 0:cdf462088d13 3260 "$G_SRV -u --mtu 128" \
markrad 0:cdf462088d13 3261 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3262 0 \
markrad 0:cdf462088d13 3263 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3264 -C "error"
markrad 0:cdf462088d13 3265
markrad 0:cdf462088d13 3266 requires_gnutls
markrad 0:cdf462088d13 3267 run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
markrad 0:cdf462088d13 3268 "$G_SRV -u --mtu 128" \
markrad 0:cdf462088d13 3269 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3270 0 \
markrad 0:cdf462088d13 3271 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3272 -C "error"
markrad 0:cdf462088d13 3273
markrad 0:cdf462088d13 3274 requires_gnutls
markrad 0:cdf462088d13 3275 run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
markrad 0:cdf462088d13 3276 "$G_SRV -u --mtu 256" \
markrad 0:cdf462088d13 3277 "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 3278 0 \
markrad 0:cdf462088d13 3279 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3280 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 3281 -c "found renegotiation extension" \
markrad 0:cdf462088d13 3282 -c "=> renegotiate" \
markrad 0:cdf462088d13 3283 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 3284 -C "error" \
markrad 0:cdf462088d13 3285 -s "Extra-header:"
markrad 0:cdf462088d13 3286
markrad 0:cdf462088d13 3287 requires_gnutls
markrad 0:cdf462088d13 3288 run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
markrad 0:cdf462088d13 3289 "$G_SRV -u --mtu 256" \
markrad 0:cdf462088d13 3290 "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
markrad 0:cdf462088d13 3291 0 \
markrad 0:cdf462088d13 3292 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3293 -c "client hello, adding renegotiation extension" \
markrad 0:cdf462088d13 3294 -c "found renegotiation extension" \
markrad 0:cdf462088d13 3295 -c "=> renegotiate" \
markrad 0:cdf462088d13 3296 -C "mbedtls_ssl_handshake returned" \
markrad 0:cdf462088d13 3297 -C "error" \
markrad 0:cdf462088d13 3298 -s "Extra-header:"
markrad 0:cdf462088d13 3299
markrad 0:cdf462088d13 3300 run_test "DTLS reassembly: no fragmentation (openssl server)" \
markrad 0:cdf462088d13 3301 "$O_SRV -dtls1 -mtu 2048" \
markrad 0:cdf462088d13 3302 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3303 0 \
markrad 0:cdf462088d13 3304 -C "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3305 -C "error"
markrad 0:cdf462088d13 3306
markrad 0:cdf462088d13 3307 run_test "DTLS reassembly: some fragmentation (openssl server)" \
markrad 0:cdf462088d13 3308 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3309 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3310 0 \
markrad 0:cdf462088d13 3311 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3312 -C "error"
markrad 0:cdf462088d13 3313
markrad 0:cdf462088d13 3314 run_test "DTLS reassembly: more fragmentation (openssl server)" \
markrad 0:cdf462088d13 3315 "$O_SRV -dtls1 -mtu 256" \
markrad 0:cdf462088d13 3316 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3317 0 \
markrad 0:cdf462088d13 3318 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3319 -C "error"
markrad 0:cdf462088d13 3320
markrad 0:cdf462088d13 3321 run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
markrad 0:cdf462088d13 3322 "$O_SRV -dtls1 -mtu 256" \
markrad 0:cdf462088d13 3323 "$P_CLI dtls=1 nbio=2 debug_level=2" \
markrad 0:cdf462088d13 3324 0 \
markrad 0:cdf462088d13 3325 -c "found fragmented DTLS handshake message" \
markrad 0:cdf462088d13 3326 -C "error"
markrad 0:cdf462088d13 3327
markrad 0:cdf462088d13 3328 # Tests for specific things with "unreliable" UDP connection
markrad 0:cdf462088d13 3329
markrad 0:cdf462088d13 3330 not_with_valgrind # spurious resend due to timeout
markrad 0:cdf462088d13 3331 run_test "DTLS proxy: reference" \
markrad 0:cdf462088d13 3332 -p "$P_PXY" \
markrad 0:cdf462088d13 3333 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3334 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3335 0 \
markrad 0:cdf462088d13 3336 -C "replayed record" \
markrad 0:cdf462088d13 3337 -S "replayed record" \
markrad 0:cdf462088d13 3338 -C "record from another epoch" \
markrad 0:cdf462088d13 3339 -S "record from another epoch" \
markrad 0:cdf462088d13 3340 -C "discarding invalid record" \
markrad 0:cdf462088d13 3341 -S "discarding invalid record" \
markrad 0:cdf462088d13 3342 -S "resend" \
markrad 0:cdf462088d13 3343 -s "Extra-header:" \
markrad 0:cdf462088d13 3344 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3345
markrad 0:cdf462088d13 3346 not_with_valgrind # spurious resend due to timeout
markrad 0:cdf462088d13 3347 run_test "DTLS proxy: duplicate every packet" \
markrad 0:cdf462088d13 3348 -p "$P_PXY duplicate=1" \
markrad 0:cdf462088d13 3349 "$P_SRV dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3350 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3351 0 \
markrad 0:cdf462088d13 3352 -c "replayed record" \
markrad 0:cdf462088d13 3353 -s "replayed record" \
markrad 0:cdf462088d13 3354 -c "discarding invalid record" \
markrad 0:cdf462088d13 3355 -s "discarding invalid record" \
markrad 0:cdf462088d13 3356 -S "resend" \
markrad 0:cdf462088d13 3357 -s "Extra-header:" \
markrad 0:cdf462088d13 3358 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3359
markrad 0:cdf462088d13 3360 run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
markrad 0:cdf462088d13 3361 -p "$P_PXY duplicate=1" \
markrad 0:cdf462088d13 3362 "$P_SRV dtls=1 debug_level=2 anti_replay=0" \
markrad 0:cdf462088d13 3363 "$P_CLI dtls=1 debug_level=2" \
markrad 0:cdf462088d13 3364 0 \
markrad 0:cdf462088d13 3365 -c "replayed record" \
markrad 0:cdf462088d13 3366 -S "replayed record" \
markrad 0:cdf462088d13 3367 -c "discarding invalid record" \
markrad 0:cdf462088d13 3368 -s "discarding invalid record" \
markrad 0:cdf462088d13 3369 -c "resend" \
markrad 0:cdf462088d13 3370 -s "resend" \
markrad 0:cdf462088d13 3371 -s "Extra-header:" \
markrad 0:cdf462088d13 3372 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3373
markrad 0:cdf462088d13 3374 run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
markrad 0:cdf462088d13 3375 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3376 "$P_SRV dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3377 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3378 0 \
markrad 0:cdf462088d13 3379 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3380 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3381 -s "Extra-header:" \
markrad 0:cdf462088d13 3382 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3383 -S "too many records with bad MAC" \
markrad 0:cdf462088d13 3384 -S "Verification of the message MAC failed"
markrad 0:cdf462088d13 3385
markrad 0:cdf462088d13 3386 run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
markrad 0:cdf462088d13 3387 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3388 "$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
markrad 0:cdf462088d13 3389 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3390 1 \
markrad 0:cdf462088d13 3391 -C "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3392 -S "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3393 -S "Extra-header:" \
markrad 0:cdf462088d13 3394 -C "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3395 -s "too many records with bad MAC" \
markrad 0:cdf462088d13 3396 -s "Verification of the message MAC failed"
markrad 0:cdf462088d13 3397
markrad 0:cdf462088d13 3398 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
markrad 0:cdf462088d13 3399 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3400 "$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
markrad 0:cdf462088d13 3401 "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
markrad 0:cdf462088d13 3402 0 \
markrad 0:cdf462088d13 3403 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3404 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3405 -s "Extra-header:" \
markrad 0:cdf462088d13 3406 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3407 -S "too many records with bad MAC" \
markrad 0:cdf462088d13 3408 -S "Verification of the message MAC failed"
markrad 0:cdf462088d13 3409
markrad 0:cdf462088d13 3410 run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
markrad 0:cdf462088d13 3411 -p "$P_PXY bad_ad=1" \
markrad 0:cdf462088d13 3412 "$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
markrad 0:cdf462088d13 3413 "$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
markrad 0:cdf462088d13 3414 1 \
markrad 0:cdf462088d13 3415 -c "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3416 -s "discarding invalid record (mac)" \
markrad 0:cdf462088d13 3417 -s "Extra-header:" \
markrad 0:cdf462088d13 3418 -c "HTTP/1.0 200 OK" \
markrad 0:cdf462088d13 3419 -s "too many records with bad MAC" \
markrad 0:cdf462088d13 3420 -s "Verification of the message MAC failed"
markrad 0:cdf462088d13 3421
markrad 0:cdf462088d13 3422 run_test "DTLS proxy: delay ChangeCipherSpec" \
markrad 0:cdf462088d13 3423 -p "$P_PXY delay_ccs=1" \
markrad 0:cdf462088d13 3424 "$P_SRV dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3425 "$P_CLI dtls=1 debug_level=1" \
markrad 0:cdf462088d13 3426 0 \
markrad 0:cdf462088d13 3427 -c "record from another epoch" \
markrad 0:cdf462088d13 3428 -s "record from another epoch" \
markrad 0:cdf462088d13 3429 -c "discarding invalid record" \
markrad 0:cdf462088d13 3430 -s "discarding invalid record" \
markrad 0:cdf462088d13 3431 -s "Extra-header:" \
markrad 0:cdf462088d13 3432 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3433
markrad 0:cdf462088d13 3434 # Tests for "randomly unreliable connection": try a variety of flows and peers
markrad 0:cdf462088d13 3435
markrad 0:cdf462088d13 3436 client_needs_more_time 2
markrad 0:cdf462088d13 3437 run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
markrad 0:cdf462088d13 3438 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3439 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3440 psk=abc123" \
markrad 0:cdf462088d13 3441 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3442 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3443 0 \
markrad 0:cdf462088d13 3444 -s "Extra-header:" \
markrad 0:cdf462088d13 3445 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3446
markrad 0:cdf462088d13 3447 client_needs_more_time 2
markrad 0:cdf462088d13 3448 run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
markrad 0:cdf462088d13 3449 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3450 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 3451 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 \
markrad 0:cdf462088d13 3452 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
markrad 0:cdf462088d13 3453 0 \
markrad 0:cdf462088d13 3454 -s "Extra-header:" \
markrad 0:cdf462088d13 3455 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3456
markrad 0:cdf462088d13 3457 client_needs_more_time 2
markrad 0:cdf462088d13 3458 run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
markrad 0:cdf462088d13 3459 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3460 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none" \
markrad 0:cdf462088d13 3461 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad 0:cdf462088d13 3462 0 \
markrad 0:cdf462088d13 3463 -s "Extra-header:" \
markrad 0:cdf462088d13 3464 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3465
markrad 0:cdf462088d13 3466 client_needs_more_time 2
markrad 0:cdf462088d13 3467 run_test "DTLS proxy: 3d, FS, client auth" \
markrad 0:cdf462088d13 3468 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3469 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=required" \
markrad 0:cdf462088d13 3470 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0" \
markrad 0:cdf462088d13 3471 0 \
markrad 0:cdf462088d13 3472 -s "Extra-header:" \
markrad 0:cdf462088d13 3473 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3474
markrad 0:cdf462088d13 3475 client_needs_more_time 2
markrad 0:cdf462088d13 3476 run_test "DTLS proxy: 3d, FS, ticket" \
markrad 0:cdf462088d13 3477 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3478 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=none" \
markrad 0:cdf462088d13 3479 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad 0:cdf462088d13 3480 0 \
markrad 0:cdf462088d13 3481 -s "Extra-header:" \
markrad 0:cdf462088d13 3482 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3483
markrad 0:cdf462088d13 3484 client_needs_more_time 2
markrad 0:cdf462088d13 3485 run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
markrad 0:cdf462088d13 3486 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3487 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=1 auth_mode=required" \
markrad 0:cdf462088d13 3488 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=1" \
markrad 0:cdf462088d13 3489 0 \
markrad 0:cdf462088d13 3490 -s "Extra-header:" \
markrad 0:cdf462088d13 3491 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3492
markrad 0:cdf462088d13 3493 client_needs_more_time 2
markrad 0:cdf462088d13 3494 run_test "DTLS proxy: 3d, max handshake, nbio" \
markrad 0:cdf462088d13 3495 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3496 "$P_SRV dtls=1 hs_timeout=250-10000 nbio=2 tickets=1 \
markrad 0:cdf462088d13 3497 auth_mode=required" \
markrad 0:cdf462088d13 3498 "$P_CLI dtls=1 hs_timeout=250-10000 nbio=2 tickets=1" \
markrad 0:cdf462088d13 3499 0 \
markrad 0:cdf462088d13 3500 -s "Extra-header:" \
markrad 0:cdf462088d13 3501 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3502
markrad 0:cdf462088d13 3503 client_needs_more_time 4
markrad 0:cdf462088d13 3504 run_test "DTLS proxy: 3d, min handshake, resumption" \
markrad 0:cdf462088d13 3505 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3506 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3507 psk=abc123 debug_level=3" \
markrad 0:cdf462088d13 3508 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3509 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad 0:cdf462088d13 3510 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3511 0 \
markrad 0:cdf462088d13 3512 -s "a session has been resumed" \
markrad 0:cdf462088d13 3513 -c "a session has been resumed" \
markrad 0:cdf462088d13 3514 -s "Extra-header:" \
markrad 0:cdf462088d13 3515 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3516
markrad 0:cdf462088d13 3517 client_needs_more_time 4
markrad 0:cdf462088d13 3518 run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
markrad 0:cdf462088d13 3519 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3520 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3521 psk=abc123 debug_level=3 nbio=2" \
markrad 0:cdf462088d13 3522 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3523 debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
markrad 0:cdf462088d13 3524 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
markrad 0:cdf462088d13 3525 0 \
markrad 0:cdf462088d13 3526 -s "a session has been resumed" \
markrad 0:cdf462088d13 3527 -c "a session has been resumed" \
markrad 0:cdf462088d13 3528 -s "Extra-header:" \
markrad 0:cdf462088d13 3529 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3530
markrad 0:cdf462088d13 3531 client_needs_more_time 4
markrad 0:cdf462088d13 3532 run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
markrad 0:cdf462088d13 3533 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3534 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3535 psk=abc123 renegotiation=1 debug_level=2" \
markrad 0:cdf462088d13 3536 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3537 renegotiate=1 debug_level=2 \
markrad 0:cdf462088d13 3538 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3539 0 \
markrad 0:cdf462088d13 3540 -c "=> renegotiate" \
markrad 0:cdf462088d13 3541 -s "=> renegotiate" \
markrad 0:cdf462088d13 3542 -s "Extra-header:" \
markrad 0:cdf462088d13 3543 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3544
markrad 0:cdf462088d13 3545 client_needs_more_time 4
markrad 0:cdf462088d13 3546 run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
markrad 0:cdf462088d13 3547 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3548 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3549 psk=abc123 renegotiation=1 debug_level=2" \
markrad 0:cdf462088d13 3550 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3551 renegotiate=1 debug_level=2 \
markrad 0:cdf462088d13 3552 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3553 0 \
markrad 0:cdf462088d13 3554 -c "=> renegotiate" \
markrad 0:cdf462088d13 3555 -s "=> renegotiate" \
markrad 0:cdf462088d13 3556 -s "Extra-header:" \
markrad 0:cdf462088d13 3557 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3558
markrad 0:cdf462088d13 3559 client_needs_more_time 4
markrad 0:cdf462088d13 3560 run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
markrad 0:cdf462088d13 3561 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3562 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3563 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad 0:cdf462088d13 3564 debug_level=2" \
markrad 0:cdf462088d13 3565 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3566 renegotiation=1 exchanges=4 debug_level=2 \
markrad 0:cdf462088d13 3567 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3568 0 \
markrad 0:cdf462088d13 3569 -c "=> renegotiate" \
markrad 0:cdf462088d13 3570 -s "=> renegotiate" \
markrad 0:cdf462088d13 3571 -s "Extra-header:" \
markrad 0:cdf462088d13 3572 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3573
markrad 0:cdf462088d13 3574 client_needs_more_time 4
markrad 0:cdf462088d13 3575 run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
markrad 0:cdf462088d13 3576 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3577 "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
markrad 0:cdf462088d13 3578 psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
markrad 0:cdf462088d13 3579 debug_level=2 nbio=2" \
markrad 0:cdf462088d13 3580 "$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
markrad 0:cdf462088d13 3581 renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
markrad 0:cdf462088d13 3582 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
markrad 0:cdf462088d13 3583 0 \
markrad 0:cdf462088d13 3584 -c "=> renegotiate" \
markrad 0:cdf462088d13 3585 -s "=> renegotiate" \
markrad 0:cdf462088d13 3586 -s "Extra-header:" \
markrad 0:cdf462088d13 3587 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3588
markrad 0:cdf462088d13 3589 client_needs_more_time 6
markrad 0:cdf462088d13 3590 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3591 run_test "DTLS proxy: 3d, openssl server" \
markrad 0:cdf462088d13 3592 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3593 "$O_SRV -dtls1 -mtu 2048" \
markrad 0:cdf462088d13 3594 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad 0:cdf462088d13 3595 0 \
markrad 0:cdf462088d13 3596 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3597
markrad 0:cdf462088d13 3598 client_needs_more_time 8
markrad 0:cdf462088d13 3599 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3600 run_test "DTLS proxy: 3d, openssl server, fragmentation" \
markrad 0:cdf462088d13 3601 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3602 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3603 "$P_CLI dtls=1 hs_timeout=250-60000 tickets=0" \
markrad 0:cdf462088d13 3604 0 \
markrad 0:cdf462088d13 3605 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3606
markrad 0:cdf462088d13 3607 client_needs_more_time 8
markrad 0:cdf462088d13 3608 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3609 run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
markrad 0:cdf462088d13 3610 -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
markrad 0:cdf462088d13 3611 "$O_SRV -dtls1 -mtu 768" \
markrad 0:cdf462088d13 3612 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
markrad 0:cdf462088d13 3613 0 \
markrad 0:cdf462088d13 3614 -c "HTTP/1.0 200 OK"
markrad 0:cdf462088d13 3615
markrad 0:cdf462088d13 3616 requires_gnutls
markrad 0:cdf462088d13 3617 client_needs_more_time 6
markrad 0:cdf462088d13 3618 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3619 run_test "DTLS proxy: 3d, gnutls server" \
markrad 0:cdf462088d13 3620 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3621 "$G_SRV -u --mtu 2048 -a" \
markrad 0:cdf462088d13 3622 "$P_CLI dtls=1 hs_timeout=250-60000" \
markrad 0:cdf462088d13 3623 0 \
markrad 0:cdf462088d13 3624 -s "Extra-header:" \
markrad 0:cdf462088d13 3625 -c "Extra-header:"
markrad 0:cdf462088d13 3626
markrad 0:cdf462088d13 3627 requires_gnutls
markrad 0:cdf462088d13 3628 client_needs_more_time 8
markrad 0:cdf462088d13 3629 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3630 run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
markrad 0:cdf462088d13 3631 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3632 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3633 "$P_CLI dtls=1 hs_timeout=250-60000" \
markrad 0:cdf462088d13 3634 0 \
markrad 0:cdf462088d13 3635 -s "Extra-header:" \
markrad 0:cdf462088d13 3636 -c "Extra-header:"
markrad 0:cdf462088d13 3637
markrad 0:cdf462088d13 3638 requires_gnutls
markrad 0:cdf462088d13 3639 client_needs_more_time 8
markrad 0:cdf462088d13 3640 not_with_valgrind # risk of non-mbedtls peer timing out
markrad 0:cdf462088d13 3641 run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
markrad 0:cdf462088d13 3642 -p "$P_PXY drop=5 delay=5 duplicate=5" \
markrad 0:cdf462088d13 3643 "$G_SRV -u --mtu 512" \
markrad 0:cdf462088d13 3644 "$P_CLI dtls=1 hs_timeout=250-60000 nbio=2" \
markrad 0:cdf462088d13 3645 0 \
markrad 0:cdf462088d13 3646 -s "Extra-header:" \
markrad 0:cdf462088d13 3647 -c "Extra-header:"
markrad 0:cdf462088d13 3648
markrad 0:cdf462088d13 3649 # Final report
markrad 0:cdf462088d13 3650
markrad 0:cdf462088d13 3651 echo "------------------------------------------------------------------------"
markrad 0:cdf462088d13 3652
markrad 0:cdf462088d13 3653 if [ $FAILS = 0 ]; then
markrad 0:cdf462088d13 3654 printf "PASSED"
markrad 0:cdf462088d13 3655 else
markrad 0:cdf462088d13 3656 printf "FAILED"
markrad 0:cdf462088d13 3657 fi
markrad 0:cdf462088d13 3658 PASSES=$(( $TESTS - $FAILS ))
markrad 0:cdf462088d13 3659 echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
markrad 0:cdf462088d13 3660
markrad 0:cdf462088d13 3661 exit $FAILS