From ac2cf1f26c9f1af70dbc99bb5627d199a338742f Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Sun, 10 Mar 2024 02:11:03 +0000 Subject: [PATCH 01/74] Defragment incoming TLS handshake messages Signed-off-by: Deomid rojer Ryabkov --- ChangeLog.d/tls-hs-defrag-in.txt | 2 + include/mbedtls/ssl.h | 2 + library/ssl_misc.h | 8 ++- library/ssl_msg.c | 99 ++++++++++++++++++++++++++++---- library/ssl_tls.c | 17 +++++- 5 files changed, 113 insertions(+), 15 deletions(-) create mode 100644 ChangeLog.d/tls-hs-defrag-in.txt diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt new file mode 100644 index 000000000..8c5720011 --- /dev/null +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -0,0 +1,2 @@ +Change + * Defragment incoming TLS handshake messages. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fff53399b..eb60c78fa 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1808,6 +1808,8 @@ struct mbedtls_ssl_context { size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length, including the handshake header */ + unsigned char *MBEDTLS_PRIVATE(in_hshdr); /*!< original handshake header start */ + size_t MBEDTLS_PRIVATE(in_hsfraglen); /*!< accumulated hs fragments length */ int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */ int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5bda91a28..309e924ce 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1829,7 +1829,13 @@ void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); -void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl); +void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); +void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); +static inline void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) +{ + mbedtls_ssl_reset_in_pointers(ssl); + mbedtls_ssl_reset_out_pointers(ssl); +} void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform); void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 7000e93e5..1c548ecac 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3225,7 +3225,11 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_INVALID_RECORD; } - ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); + if (ssl->in_hslen == 0) { + ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); + ssl->in_hsfraglen = 0; + ssl->in_hshdr = ssl->in_hdr; + } MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" @@ -3291,10 +3295,59 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) } } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - /* With TLS we don't handle fragmentation (for now) */ - if (ssl->in_msglen < ssl->in_hslen) { - MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported")); - return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + { + int ret; + const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; + const size_t msg_hslen = (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen); + + MBEDTLS_SSL_DEBUG_MSG(3, + ("handshake fragment: %" MBEDTLS_PRINTF_SIZET " .. %" + MBEDTLS_PRINTF_SIZET " of %" + MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET, + ssl->in_hsfraglen, ssl->in_hsfraglen + msg_hslen, + ssl->in_hslen, ssl->in_msglen)); + (void) msg_hslen; + if (ssl->in_msglen < hs_remain) { + ssl->in_hsfraglen += ssl->in_msglen; + ssl->in_hdr = ssl->in_msg + ssl->in_msglen; + ssl->in_msglen = 0; + mbedtls_ssl_update_in_pointers(ssl); + return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; + } + if (ssl->in_hshdr != ssl->in_hdr) { + /* + * At ssl->in_hshdr we have a sequence of records that cover the next handshake + * record, each with its own record header that we need to remove. + * Note that the reassembled record size may not equal the size of the message, + * there maybe bytes from the next message following it. + */ + size_t merged_rec_len = 0; + unsigned char *p = ssl->in_hshdr, *q = NULL; + do { + mbedtls_record rec; + ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec); + if (ret != 0) { + return ret; + } + merged_rec_len += rec.data_len; + p = rec.buf + rec.buf_len; + if (q != NULL) { + memmove(q, rec.buf + rec.data_offset, rec.data_len); + q += rec.data_len; + } else { + q = p; + } + } while (merged_rec_len < ssl->in_hslen); + ssl->in_hdr = ssl->in_hshdr; + mbedtls_ssl_update_in_pointers(ssl); + ssl->in_msglen = merged_rec_len; + /* Adjust message length. */ + MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0); + ssl->in_hsfraglen = 0; + ssl->in_hshdr = NULL; + MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", + ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len); + } } return 0; @@ -4639,6 +4692,16 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } + if (ssl->in_hsfraglen != 0) { + /* Not all handshake fragments have arrived, do not consume. */ + MBEDTLS_SSL_DEBUG_MSG(3, + ("waiting for more fragments (%" MBEDTLS_PRINTF_SIZET " of %" + MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)", + ssl->in_hsfraglen, ssl->in_hslen, + ssl->in_hslen - ssl->in_hsfraglen)); + return 0; + } + /* * Get next Handshake message in the current record */ @@ -4664,6 +4727,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) ssl->in_msglen -= ssl->in_hslen; memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen, ssl->in_msglen); + MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record", ssl->in_msg, ssl->in_msglen); @@ -5338,7 +5402,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) } else #endif { - ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + ssl->in_ctr = ssl->in_buf; ssl->in_len = ssl->in_hdr + 3; #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ssl->in_cid = ssl->in_len; @@ -5354,24 +5418,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) * Setup an SSL context */ -void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) +void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl) +{ +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { + ssl->in_hdr = ssl->in_buf; + } else +#endif + { + ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + } + + /* Derive other internal pointers. */ + mbedtls_ssl_update_in_pointers(ssl); +} + +void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl) { /* Set the incoming and outgoing record pointers. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { ssl->out_hdr = ssl->out_buf; - ssl->in_hdr = ssl->in_buf; } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ { ssl->out_ctr = ssl->out_buf; - ssl->out_hdr = ssl->out_buf + 8; - ssl->in_hdr = ssl->in_buf + 8; + ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; } - /* Derive other internal pointers. */ mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */); - mbedtls_ssl_update_in_pointers(ssl); } /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ae4fd89f6..70621b5cc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -343,12 +343,17 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, size_t out_buf_new_len) { int modified = 0; - size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0; + size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0; size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; + size_t hshdr_in = 0; if (ssl->in_buf != NULL) { written_in = ssl->in_msg - ssl->in_buf; iv_offset_in = ssl->in_iv - ssl->in_buf; len_offset_in = ssl->in_len - ssl->in_buf; + hdr_in = ssl->in_hdr - ssl->in_buf; + if (ssl->in_hshdr != NULL) { + hshdr_in = ssl->in_hshdr - ssl->in_buf; + } if (downsizing ? ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : ssl->in_buf_len < in_buf_new_len) { @@ -380,7 +385,10 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, } if (modified) { /* Update pointers here to avoid doing it twice. */ - mbedtls_ssl_reset_in_out_pointers(ssl); + ssl->in_hdr = ssl->in_buf + hdr_in; + mbedtls_ssl_update_in_pointers(ssl); + mbedtls_ssl_reset_out_pointers(ssl); + /* Fields below might not be properly updated with record * splitting or with CID, so they are manually updated here. */ ssl->out_msg = ssl->out_buf + written_out; @@ -390,6 +398,9 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, ssl->in_msg = ssl->in_buf + written_in; ssl->in_len = ssl->in_buf + len_offset_in; ssl->in_iv = ssl->in_buf + iv_offset_in; + if (ssl->in_hshdr != NULL) { + ssl->in_hshdr = ssl->in_buf + hshdr_in; + } } } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ @@ -1483,6 +1494,8 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, ssl->in_hslen = 0; ssl->keep_current_message = 0; ssl->transform_in = NULL; + ssl->in_hshdr = NULL; + ssl->in_hsfraglen = 0; #if defined(MBEDTLS_SSL_PROTO_DTLS) ssl->next_record_offset = 0; From 5f7c2c21825518d87912aafc8ad5bda5ad0f320b Mon Sep 17 00:00:00 2001 From: Deomid Ryabkov Date: Wed, 15 Jan 2025 19:26:47 +0000 Subject: [PATCH 02/74] Update ChangeLog.d/tls-hs-defrag-in.txt Co-authored-by: minosgalanakis <30719586+minosgalanakis@users.noreply.github.com> Signed-off-by: Deomid Ryabkov --- ChangeLog.d/tls-hs-defrag-in.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt index 8c5720011..3555a789d 100644 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -1,2 +1,2 @@ -Change +Changes * Defragment incoming TLS handshake messages. From cad11ada7f7d0b79ac1a49d2d9e0484ce42613a1 Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Sat, 18 Jan 2025 15:58:57 +0200 Subject: [PATCH 03/74] Review comments Signed-off-by: Deomid rojer Ryabkov --- library/ssl_msg.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 1c548ecac..d0b755d9d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3298,15 +3298,14 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) { int ret; const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; - const size_t msg_hslen = (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen); - MBEDTLS_SSL_DEBUG_MSG(3, ("handshake fragment: %" MBEDTLS_PRINTF_SIZET " .. %" MBEDTLS_PRINTF_SIZET " of %" MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET, - ssl->in_hsfraglen, ssl->in_hsfraglen + msg_hslen, + ssl->in_hsfraglen, + ssl->in_hsfraglen + + (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen), ssl->in_hslen, ssl->in_msglen)); - (void) msg_hslen; if (ssl->in_msglen < hs_remain) { ssl->in_hsfraglen += ssl->in_msglen; ssl->in_hdr = ssl->in_msg + ssl->in_msglen; @@ -5424,7 +5423,7 @@ void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { ssl->in_hdr = ssl->in_buf; } else -#endif +#endif /* MBEDTLS_SSL_PROTO_DTLS */ { ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; } From 3dfe75e1158bdfe3225acda6612e47bdf397002d Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Sun, 26 Jan 2025 10:43:42 +0200 Subject: [PATCH 04/74] Remove mbedtls_ssl_reset_in_out_pointers Signed-off-by: Deomid rojer Ryabkov --- library/ssl_misc.h | 7 +------ library/ssl_tls.c | 6 ++++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 309e924ce..45aaea59a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1830,15 +1830,10 @@ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); +void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); -static inline void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) -{ - mbedtls_ssl_reset_in_pointers(ssl); - mbedtls_ssl_reset_out_pointers(ssl); -} void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, mbedtls_ssl_transform *transform); -void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 70621b5cc..450c397c7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1419,7 +1419,8 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, goto error; } - mbedtls_ssl_reset_in_out_pointers(ssl); + mbedtls_ssl_reset_in_pointers(ssl); + mbedtls_ssl_reset_out_pointers(ssl); #if defined(MBEDTLS_SSL_DTLS_SRTP) memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); @@ -1484,7 +1485,8 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, /* Cancel any possibly running timer */ mbedtls_ssl_set_timer(ssl, 0); - mbedtls_ssl_reset_in_out_pointers(ssl); + mbedtls_ssl_reset_in_pointers(ssl); + mbedtls_ssl_reset_out_pointers(ssl); /* Reset incoming message parsing */ ssl->in_offt = NULL; From aaa152ed91d445e233e71c8d7c3f2aa5b3b72a1a Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Sun, 26 Jan 2025 11:10:54 +0200 Subject: [PATCH 05/74] Allow fragments less HS msg header size (4 bytes) Except the first Signed-off-by: Deomid rojer Ryabkov --- library/ssl_msg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index d0b755d9d..36a861110 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3219,7 +3219,8 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) { - if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { + /* First handshake fragment must at least include the header. */ + if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) { MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, ssl->in_msglen)); return MBEDTLS_ERR_SSL_INVALID_RECORD; From b70e76a1e6ffd1596915bc337d8975b904bdd8f6 Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Mon, 27 Jan 2025 22:37:37 +0400 Subject: [PATCH 06/74] Add a safety check for in_hsfraglen Signed-off-by: Deomid rojer Ryabkov --- library/ssl_msg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 36a861110..3eb49e2b2 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3297,6 +3297,9 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ { + if (ssl->in_hsfraglen > ssl->in_hslen) { + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } int ret; const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; MBEDTLS_SSL_DEBUG_MSG(3, From afa11db62010d7d0fd23087f228890e264fa66d0 Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Sat, 1 Feb 2025 15:33:37 +0200 Subject: [PATCH 07/74] Remove obselete checks due to the introduction of handhsake defragmen... tation. h/t @waleed-elmelegy-arm https://github.com/Mbed-TLS/mbedtls/pull/9928/commits/909e71672f6a11219e12347c2d7d2429b98e6500 Signed-off-by: Waleed Elmelegy Signed-off-by: Deomid rojer Ryabkov --- library/ssl_tls12_server.c | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 9e7c52c5e..8aad2b888 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1060,23 +1060,6 @@ read_record_header: size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", (unsigned) handshake_len)); - - /* The record layer has a record size limit of 2^14 - 1 and - * fragmentation is not supported, so buf[1] should be zero. */ - if (buf[1] != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != 0", - (unsigned) buf[1])); - return MBEDTLS_ERR_SSL_DECODE_ERROR; - } - - /* We don't support fragmentation of ClientHello (yet?) */ - if (msg_len != mbedtls_ssl_hs_hdr_len(ssl) + handshake_len) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message: %u != %u + %u", - (unsigned) msg_len, - (unsigned) mbedtls_ssl_hs_hdr_len(ssl), - (unsigned) handshake_len)); - return MBEDTLS_ERR_SSL_DECODE_ERROR; - } } #if defined(MBEDTLS_SSL_PROTO_DTLS) From eb77e5b1c7789939a3135a5ca2e96bbdaf148084 Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Tue, 4 Feb 2025 12:08:15 +0200 Subject: [PATCH 08/74] Update the changelog message Signed-off-by: Deomid rojer Ryabkov --- ChangeLog.d/tls-hs-defrag-in.txt | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt index 3555a789d..55103c9a4 100644 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -1,2 +1,5 @@ -Changes - * Defragment incoming TLS handshake messages. +Bugfix + * Support re-assembly of fragmented handshake messages in TLS, as mandated + by the spec. Lack of support was causing handshake failures with some + servers, especially with TLS 1.3 in practice (though both protocol + version could be affected in principle, and both are fixed now). From cf4e6a18e6645968355c9fead96f4a46da5b5265 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Fri, 31 Jan 2025 11:11:06 +0000 Subject: [PATCH 09/74] Remove unused variable in ssl_server.c Signed-off-by: Waleed Elmelegy Signed-off-by: Deomid rojer Ryabkov --- library/ssl_tls12_server.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 8aad2b888..aca37fd2b 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1056,11 +1056,6 @@ read_record_header: MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; } - { - size_t handshake_len = MBEDTLS_GET_UINT24_BE(buf, 1); - MBEDTLS_SSL_DEBUG_MSG(3, ("client hello v3, handshake len.: %u", - (unsigned) handshake_len)); - } #if defined(MBEDTLS_SSL_PROTO_DTLS) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { From dd14c0a11eeefb0b37db4ba6bd3967746488aff4 Mon Sep 17 00:00:00 2001 From: Deomid rojer Ryabkov Date: Thu, 13 Feb 2025 13:41:51 +0300 Subject: [PATCH 10/74] Remove in_hshdr The first fragment of a fragmented handshake message always starts at the beginning of the buffer so there's no need to store it. Signed-off-by: Deomid rojer Ryabkov --- include/mbedtls/ssl.h | 4 ++-- library/ssl_msg.c | 20 +++++++++----------- library/ssl_tls.c | 10 +--------- 3 files changed, 12 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index eb60c78fa..0e0bee54c 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1808,8 +1808,8 @@ struct mbedtls_ssl_context { size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length, including the handshake header */ - unsigned char *MBEDTLS_PRIVATE(in_hshdr); /*!< original handshake header start */ - size_t MBEDTLS_PRIVATE(in_hsfraglen); /*!< accumulated hs fragments length */ + size_t MBEDTLS_PRIVATE(in_hsfraglen); /*!< accumulated length of hs fragments + (up to in_hslen) */ int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */ int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3eb49e2b2..a920e46db 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3229,7 +3229,6 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) if (ssl->in_hslen == 0) { ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); ssl->in_hsfraglen = 0; - ssl->in_hshdr = ssl->in_hdr; } MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" @@ -3296,10 +3295,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) } } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - { - if (ssl->in_hsfraglen > ssl->in_hslen) { - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - } + if (ssl->in_hsfraglen <= ssl->in_hslen) { int ret; const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; MBEDTLS_SSL_DEBUG_MSG(3, @@ -3317,15 +3313,16 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) mbedtls_ssl_update_in_pointers(ssl); return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } - if (ssl->in_hshdr != ssl->in_hdr) { + if (ssl->in_hsfraglen > 0) { /* - * At ssl->in_hshdr we have a sequence of records that cover the next handshake + * At in_first_hdr we have a sequence of records that cover the next handshake * record, each with its own record header that we need to remove. * Note that the reassembled record size may not equal the size of the message, - * there maybe bytes from the next message following it. + * there may be more messages after it, complete or partial. */ + unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + unsigned char *p = in_first_hdr, *q = NULL; size_t merged_rec_len = 0; - unsigned char *p = ssl->in_hshdr, *q = NULL; do { mbedtls_record rec; ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec); @@ -3341,16 +3338,17 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) q = p; } } while (merged_rec_len < ssl->in_hslen); - ssl->in_hdr = ssl->in_hshdr; + ssl->in_hdr = in_first_hdr; mbedtls_ssl_update_in_pointers(ssl); ssl->in_msglen = merged_rec_len; /* Adjust message length. */ MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0); ssl->in_hsfraglen = 0; - ssl->in_hshdr = NULL; MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len); } + } else { + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } return 0; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 450c397c7..991b43117 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -345,15 +345,11 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, int modified = 0; size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0; size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; - size_t hshdr_in = 0; if (ssl->in_buf != NULL) { written_in = ssl->in_msg - ssl->in_buf; iv_offset_in = ssl->in_iv - ssl->in_buf; len_offset_in = ssl->in_len - ssl->in_buf; hdr_in = ssl->in_hdr - ssl->in_buf; - if (ssl->in_hshdr != NULL) { - hshdr_in = ssl->in_hshdr - ssl->in_buf; - } if (downsizing ? ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : ssl->in_buf_len < in_buf_new_len) { @@ -398,9 +394,6 @@ static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, ssl->in_msg = ssl->in_buf + written_in; ssl->in_len = ssl->in_buf + len_offset_in; ssl->in_iv = ssl->in_buf + iv_offset_in; - if (ssl->in_hshdr != NULL) { - ssl->in_hshdr = ssl->in_buf + hshdr_in; - } } } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ @@ -1494,10 +1487,9 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, ssl->in_msgtype = 0; ssl->in_msglen = 0; ssl->in_hslen = 0; + ssl->in_hsfraglen = 0; ssl->keep_current_message = 0; ssl->transform_in = NULL; - ssl->in_hshdr = NULL; - ssl->in_hsfraglen = 0; #if defined(MBEDTLS_SSL_PROTO_DTLS) ssl->next_record_offset = 0; From 79a8ded3159821b08cde22713f42e3db2819b7bb Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Fri, 24 Jan 2025 17:39:58 +0000 Subject: [PATCH 11/74] Add TLS Hanshake defragmentation tests Tests uses openssl s_server with a mix of max_send_frag and split_send_frag options. Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 84 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 23b692c72..a926f50bc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13872,6 +13872,90 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth -c "Handshake was completed" \ -s "dumping .client hello, compression. (2 bytes)" +# Handshake defragmentation testing + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (512)" \ + "$O_SRV -max_send_frag 512 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (513)" \ + "$O_SRV -max_send_frag 513 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (256)" \ + "$O_SRV -mtu 32 -split_send_frag 256 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (128)" \ + "$O_SRV -mtu 32 -split_send_frag 128 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (64)" \ + "$O_SRV -mtu 32 -split_send_frag 64 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (36)" \ + "$O_SRV -mtu 32 -split_send_frag 36 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (32)" \ + "$O_SRV -mtu 32 -split_send_frag 32 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (16)" \ + "$O_SRV -mtu 32 -split_send_frag 16 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (13)" \ + "$O_SRV -mtu 32 -split_send_frag 13 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Hanshake defragmentation (5)" \ + "$O_SRV -mtu 32 -split_send_frag 5 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "received ServerHello message" \ + -c "<= handshake" \ + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 0e0d5d4dc84d81e5d3fc98026c1e6dc0e0beb2a5 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Tue, 28 Jan 2025 16:47:21 +0000 Subject: [PATCH 12/74] Improve TLS handshake defragmentation tests * Add tests for the server side. * Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3. * Use latest version of openSSL to make sure -max_send_frag & -split_send_frag flags are supported. Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 131 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 100 insertions(+), 31 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a926f50bc..8d1ec9e4e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,87 +13874,156 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (512)" \ - "$O_SRV -max_send_frag 512 " \ +run_test "Client Hanshake defragmentation (512)" \ + "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (513)" \ - "$O_SRV -max_send_frag 513 " \ +run_test "Client Hanshake defragmentation (513)" \ + "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (256)" \ - "$O_SRV -mtu 32 -split_send_frag 256 " \ +run_test "Client Hanshake defragmentation (256)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (128)" \ - "$O_SRV -mtu 32 -split_send_frag 128 " \ +run_test "Client Hanshake defragmentation (128)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (64)" \ - "$O_SRV -mtu 32 -split_send_frag 64 " \ +run_test "Client Hanshake defragmentation (64)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (36)" \ - "$O_SRV -mtu 32 -split_send_frag 36 " \ +run_test "Client Hanshake defragmentation (36)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (32)" \ - "$O_SRV -mtu 32 -split_send_frag 32 " \ +run_test "Client Hanshake defragmentation (32)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (16)" \ - "$O_SRV -mtu 32 -split_send_frag 16 " \ +run_test "Client Hanshake defragmentation (16)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (13)" \ - "$O_SRV -mtu 32 -split_send_frag 13 " \ +run_test "Client Hanshake defragmentation (13)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Hanshake defragmentation (5)" \ - "$O_SRV -mtu 32 -split_send_frag 5 " \ +run_test "Client Hanshake defragmentation (5)" \ + "$O_NEXT_SRV -mtu 32 -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ -c "received ServerHello message" \ -c "<= handshake" \ + -c "handshake fragment: " + +run_test "Server Hanshake defragmentation (512)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -max_send_frag 512 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (513)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -max_send_frag 513 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (256)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 256 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (128)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 128 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (64)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 64 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (36)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 36 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (32)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 32 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (16)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 16 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (13)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 13 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " + +run_test "Server Hanshake defragmentation (5)" \ + "$P_SRV debug_level=4 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 5 " \ + 0 \ + -s "<= handshake" \ + -s "handshake fragment: " # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From c0118d87b93231b1e0bffb3f6d6d1a8567c45d98 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Wed, 29 Jan 2025 16:23:40 +0000 Subject: [PATCH 13/74] Fix typo in TLS Handshake defrafmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8d1ec9e4e..fd196cd09 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,7 +13874,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing -run_test "Client Hanshake defragmentation (512)" \ +run_test "Client Handshake defragmentation (512)" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13882,7 +13882,7 @@ run_test "Client Hanshake defragmentation (512)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (513)" \ +run_test "Client Handshake defragmentation (513)" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13890,7 +13890,7 @@ run_test "Client Hanshake defragmentation (513)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (256)" \ +run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13898,7 +13898,7 @@ run_test "Client Hanshake defragmentation (256)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (128)" \ +run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13906,7 +13906,7 @@ run_test "Client Hanshake defragmentation (128)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (64)" \ +run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13914,7 +13914,7 @@ run_test "Client Hanshake defragmentation (64)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (36)" \ +run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13922,7 +13922,7 @@ run_test "Client Hanshake defragmentation (36)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (32)" \ +run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13930,7 +13930,7 @@ run_test "Client Hanshake defragmentation (32)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (16)" \ +run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13939,7 +13939,7 @@ run_test "Client Hanshake defragmentation (16)" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (13)" \ +run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13947,7 +13947,7 @@ run_test "Client Hanshake defragmentation (13)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Client Hanshake defragmentation (5)" \ +run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13955,70 +13955,70 @@ run_test "Client Hanshake defragmentation (5)" \ -c "<= handshake" \ -c "handshake fragment: " -run_test "Server Hanshake defragmentation (512)" \ +run_test "Server Handshake defragmentation (512)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -max_send_frag 512 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (513)" \ +run_test "Server Handshake defragmentation (513)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -max_send_frag 513 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (256)" \ +run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 256 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (128)" \ +run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 128 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (64)" \ +run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 64 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (36)" \ +run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 36 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (32)" \ +run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 32 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (16)" \ +run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 16 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (13)" \ +run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 13 " \ 0 \ -s "<= handshake" \ -s "handshake fragment: " -run_test "Server Hanshake defragmentation (5)" \ +run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 5 " \ 0 \ From fccd014c2d9f5f154d7a813dafc9168503b9d2eb Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Wed, 29 Jan 2025 16:58:58 +0000 Subject: [PATCH 14/74] Remove unnecessary string check in handshake defragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fd196cd09..d59d68121 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13878,7 +13878,6 @@ run_test "Client Handshake defragmentation (512)" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13886,7 +13885,6 @@ run_test "Client Handshake defragmentation (513)" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13894,7 +13892,6 @@ run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13902,7 +13899,6 @@ run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13910,7 +13906,6 @@ run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13918,7 +13913,6 @@ run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13926,7 +13920,6 @@ run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13934,7 +13927,6 @@ run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13943,7 +13935,6 @@ run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " @@ -13951,7 +13942,6 @@ run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "received ServerHello message" \ -c "<= handshake" \ -c "handshake fragment: " From f9120311e34cb45d03a752e4f515d7ed13c45c25 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Wed, 29 Jan 2025 17:01:55 +0000 Subject: [PATCH 15/74] Require openssl to support TLS 1.3 in handshake defragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d59d68121..a9fd77c83 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,6 +13874,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (512)" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ @@ -13881,6 +13882,7 @@ run_test "Client Handshake defragmentation (512)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (513)" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ @@ -13888,6 +13890,7 @@ run_test "Client Handshake defragmentation (513)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ @@ -13895,6 +13898,7 @@ run_test "Client Handshake defragmentation (256)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ @@ -13902,6 +13906,7 @@ run_test "Client Handshake defragmentation (128)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ @@ -13909,6 +13914,7 @@ run_test "Client Handshake defragmentation (64)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ @@ -13916,6 +13922,7 @@ run_test "Client Handshake defragmentation (36)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ @@ -13923,6 +13930,7 @@ run_test "Client Handshake defragmentation (32)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ @@ -13930,7 +13938,7 @@ run_test "Client Handshake defragmentation (16)" \ -c "<= handshake" \ -c "handshake fragment: " - +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ @@ -13938,6 +13946,7 @@ run_test "Client Handshake defragmentation (13)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -mtu 32 -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ @@ -13945,6 +13954,7 @@ run_test "Client Handshake defragmentation (5)" \ -c "<= handshake" \ -c "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (512)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -max_send_frag 512 " \ @@ -13952,6 +13962,7 @@ run_test "Server Handshake defragmentation (512)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (513)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -max_send_frag 513 " \ @@ -13959,6 +13970,7 @@ run_test "Server Handshake defragmentation (513)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 256 " \ @@ -13966,6 +13978,7 @@ run_test "Server Handshake defragmentation (256)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 128 " \ @@ -13973,6 +13986,7 @@ run_test "Server Handshake defragmentation (128)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 64 " \ @@ -13980,6 +13994,7 @@ run_test "Server Handshake defragmentation (64)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 36 " \ @@ -13987,6 +14002,7 @@ run_test "Server Handshake defragmentation (36)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 32 " \ @@ -13994,6 +14010,7 @@ run_test "Server Handshake defragmentation (32)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 16 " \ @@ -14001,6 +14018,7 @@ run_test "Server Handshake defragmentation (16)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 13 " \ @@ -14008,6 +14026,7 @@ run_test "Server Handshake defragmentation (13)" \ -s "<= handshake" \ -s "handshake fragment: " +requires_openssl_tls1_3 run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 " \ "$O_NEXT_CLI -mtu 32 -split_send_frag 5 " \ From 48874b3abaf2ea71d869f2b7f4541fe90dc4676b Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Wed, 29 Jan 2025 17:13:34 +0000 Subject: [PATCH 16/74] Add client authentication to handshake defragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a9fd77c83..68c9f3f06 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13957,7 +13957,7 @@ run_test "Client Handshake defragmentation (5)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (512)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -max_send_frag 512 " \ + "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13965,7 +13965,7 @@ run_test "Server Handshake defragmentation (512)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (513)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -max_send_frag 513 " \ + "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13973,7 +13973,7 @@ run_test "Server Handshake defragmentation (513)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 256 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13981,7 +13981,7 @@ run_test "Server Handshake defragmentation (256)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 128 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13989,7 +13989,7 @@ run_test "Server Handshake defragmentation (128)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 64 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13997,7 +13997,7 @@ run_test "Server Handshake defragmentation (64)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 36 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14005,7 +14005,7 @@ run_test "Server Handshake defragmentation (36)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 32 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14013,7 +14013,7 @@ run_test "Server Handshake defragmentation (32)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 16 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14021,7 +14021,7 @@ run_test "Server Handshake defragmentation (16)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 13 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14029,7 +14029,7 @@ run_test "Server Handshake defragmentation (13)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 5 " \ + "$O_NEXT_CLI -mtu 32 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " From 39d83dd38dfb9b4a26dafc5bcdee1a14eb6fc820 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Wed, 29 Jan 2025 18:28:56 +0000 Subject: [PATCH 17/74] Remove unneeded mtu option from handshake fragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 68c9f3f06..7d9f7fe25 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13892,7 +13892,7 @@ run_test "Client Handshake defragmentation (513)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (256)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 256 " \ + "$O_NEXT_SRV -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13900,7 +13900,7 @@ run_test "Client Handshake defragmentation (256)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (128)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 128 " \ + "$O_NEXT_SRV -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13908,7 +13908,7 @@ run_test "Client Handshake defragmentation (128)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (64)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 64 " \ + "$O_NEXT_SRV -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13916,7 +13916,7 @@ run_test "Client Handshake defragmentation (64)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (36)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 36 " \ + "$O_NEXT_SRV -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13924,7 +13924,7 @@ run_test "Client Handshake defragmentation (36)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (32)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 32 " \ + "$O_NEXT_SRV -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13932,7 +13932,7 @@ run_test "Client Handshake defragmentation (32)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (16)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 16 " \ + "$O_NEXT_SRV -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13940,7 +13940,7 @@ run_test "Client Handshake defragmentation (16)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (13)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 13 " \ + "$O_NEXT_SRV -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13948,7 +13948,7 @@ run_test "Client Handshake defragmentation (13)" \ requires_openssl_tls1_3 run_test "Client Handshake defragmentation (5)" \ - "$O_NEXT_SRV -mtu 32 -split_send_frag 5 " \ + "$O_NEXT_SRV -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ -c "<= handshake" \ @@ -13973,7 +13973,7 @@ run_test "Server Handshake defragmentation (513)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13981,7 +13981,7 @@ run_test "Server Handshake defragmentation (256)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13989,7 +13989,7 @@ run_test "Server Handshake defragmentation (128)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -13997,7 +13997,7 @@ run_test "Server Handshake defragmentation (64)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14005,7 +14005,7 @@ run_test "Server Handshake defragmentation (36)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14013,7 +14013,7 @@ run_test "Server Handshake defragmentation (32)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14021,7 +14021,7 @@ run_test "Server Handshake defragmentation (16)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " @@ -14029,7 +14029,7 @@ run_test "Server Handshake defragmentation (13)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 " \ - "$O_NEXT_CLI -mtu 32 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ -s "handshake fragment: " From 61b8e2d225da7e59bf759bab1708660ac4c7b1af Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Thu, 30 Jan 2025 12:02:12 +0000 Subject: [PATCH 18/74] Enforce client authentication in handshake fragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7d9f7fe25..5e20d32aa 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13956,7 +13956,7 @@ run_test "Client Handshake defragmentation (5)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (512)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -13964,7 +13964,7 @@ run_test "Server Handshake defragmentation (512)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (513)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -13972,7 +13972,7 @@ run_test "Server Handshake defragmentation (513)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (256)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -13980,7 +13980,7 @@ run_test "Server Handshake defragmentation (256)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (128)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -13988,7 +13988,7 @@ run_test "Server Handshake defragmentation (128)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (64)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -13996,7 +13996,7 @@ run_test "Server Handshake defragmentation (64)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (36)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -14004,7 +14004,7 @@ run_test "Server Handshake defragmentation (36)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (32)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -14012,7 +14012,7 @@ run_test "Server Handshake defragmentation (32)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (16)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -14020,7 +14020,7 @@ run_test "Server Handshake defragmentation (16)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (13)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ @@ -14028,7 +14028,7 @@ run_test "Server Handshake defragmentation (13)" \ requires_openssl_tls1_3 run_test "Server Handshake defragmentation (5)" \ - "$P_SRV debug_level=4 " \ + "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "<= handshake" \ From f162249e87be8a431928f5eb7a76c9d9ff8bfcd8 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Thu, 30 Jan 2025 17:53:02 +0000 Subject: [PATCH 19/74] Add a comment to elaborate using split_send_frag in handshake defragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5e20d32aa..9a2622e41 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13890,6 +13890,9 @@ run_test "Client Handshake defragmentation (513)" \ -c "<= handshake" \ -c "handshake fragment: " +# OpenSSL does not allow max_send_frag to be less than 512 +# so we use split_send_frag instead for tests lower than 512 below. + requires_openssl_tls1_3 run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -split_send_frag 256 " \ From a75c7e09c81599b1a25cde85352e3932ed6d76b5 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Fri, 31 Jan 2025 11:25:43 +0000 Subject: [PATCH 20/74] Add guard to handshake defragmentation tests for client certificate Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9a2622e41..51844f2a6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13894,6 +13894,7 @@ run_test "Client Handshake defragmentation (513)" \ # so we use split_send_frag instead for tests lower than 512 below. requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ @@ -13902,6 +13903,7 @@ run_test "Client Handshake defragmentation (256)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ @@ -13910,6 +13912,7 @@ run_test "Client Handshake defragmentation (128)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ @@ -13918,6 +13921,7 @@ run_test "Client Handshake defragmentation (64)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ @@ -13926,6 +13930,7 @@ run_test "Client Handshake defragmentation (36)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ @@ -13934,6 +13939,7 @@ run_test "Client Handshake defragmentation (32)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ @@ -13942,6 +13948,7 @@ run_test "Client Handshake defragmentation (16)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ @@ -13950,6 +13957,7 @@ run_test "Client Handshake defragmentation (13)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ @@ -13958,6 +13966,7 @@ run_test "Client Handshake defragmentation (5)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (512)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13966,6 +13975,7 @@ run_test "Server Handshake defragmentation (512)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (513)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13974,6 +13984,7 @@ run_test "Server Handshake defragmentation (513)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13982,6 +13993,7 @@ run_test "Server Handshake defragmentation (256)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13990,6 +14002,7 @@ run_test "Server Handshake defragmentation (128)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13998,6 +14011,7 @@ run_test "Server Handshake defragmentation (64)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14006,6 +14020,7 @@ run_test "Server Handshake defragmentation (36)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14014,6 +14029,7 @@ run_test "Server Handshake defragmentation (32)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14022,6 +14038,7 @@ run_test "Server Handshake defragmentation (16)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14030,6 +14047,7 @@ run_test "Server Handshake defragmentation (13)" \ -s "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ From 5f21537c2ada87522334932c9908052a696c5629 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Fri, 31 Jan 2025 11:50:08 +0000 Subject: [PATCH 21/74] Test Handshake defragmentation only for TLS 1.3 only for small values Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 51844f2a6..4659fcdb2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13893,8 +13893,12 @@ run_test "Client Handshake defragmentation (513)" \ # OpenSSL does not allow max_send_frag to be less than 512 # so we use split_send_frag instead for tests lower than 512 below. +# There is an issue with OpenSSL when fragmenting with values less +# than 512 bytes in TLS 1.2 so we require TLS 1.3 with these values. + requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ @@ -13904,6 +13908,7 @@ run_test "Client Handshake defragmentation (256)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ @@ -13913,6 +13918,7 @@ run_test "Client Handshake defragmentation (128)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ @@ -13922,6 +13928,7 @@ run_test "Client Handshake defragmentation (64)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ @@ -13931,6 +13938,7 @@ run_test "Client Handshake defragmentation (36)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ @@ -13940,6 +13948,7 @@ run_test "Client Handshake defragmentation (32)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ @@ -13949,6 +13958,7 @@ run_test "Client Handshake defragmentation (16)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ @@ -13958,6 +13968,7 @@ run_test "Client Handshake defragmentation (13)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ @@ -13985,6 +13996,7 @@ run_test "Server Handshake defragmentation (513)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13994,6 +14006,7 @@ run_test "Server Handshake defragmentation (256)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14003,6 +14016,7 @@ run_test "Server Handshake defragmentation (128)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14012,6 +14026,7 @@ run_test "Server Handshake defragmentation (64)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14021,6 +14036,7 @@ run_test "Server Handshake defragmentation (36)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14030,6 +14046,7 @@ run_test "Server Handshake defragmentation (32)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14039,6 +14056,7 @@ run_test "Server Handshake defragmentation (16)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14048,6 +14066,7 @@ run_test "Server Handshake defragmentation (13)" \ requires_openssl_tls1_3 requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ From 4028cfd9ca2bae151203f26c457fcd702fc328f2 Mon Sep 17 00:00:00 2001 From: Waleed Elmelegy Date: Fri, 31 Jan 2025 14:44:13 +0000 Subject: [PATCH 22/74] Add missing client certificate check in handshake defragmentation tests Signed-off-by: Waleed Elmelegy --- tests/ssl-opt.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4659fcdb2..da4e6eb52 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13875,6 +13875,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (512)" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ @@ -13883,6 +13884,7 @@ run_test "Client Handshake defragmentation (512)" \ -c "handshake fragment: " requires_openssl_tls1_3 +requires_certificate_authentication run_test "Client Handshake defragmentation (513)" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ From 270dd7462e5a4bdff3a302112d247ed99e639726 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 5 Feb 2025 15:23:14 +0000 Subject: [PATCH 23/74] ssl-opt: Updated the keywords to look up during handshake fragmentation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 80 ++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index da4e6eb52..46751afdf 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13880,8 +13880,8 @@ run_test "Client Handshake defragmentation (512)" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (512 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13889,8 +13889,8 @@ run_test "Client Handshake defragmentation (513)" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (513 [0-9]\\+, [0-9]\\+ left)" # OpenSSL does not allow max_send_frag to be less than 512 # so we use split_send_frag instead for tests lower than 512 below. @@ -13905,8 +13905,8 @@ run_test "Client Handshake defragmentation (256)" \ "$O_NEXT_SRV -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (256 of [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13915,8 +13915,8 @@ run_test "Client Handshake defragmentation (128)" \ "$O_NEXT_SRV -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (128 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13925,8 +13925,8 @@ run_test "Client Handshake defragmentation (64)" \ "$O_NEXT_SRV -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (64 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13935,8 +13935,8 @@ run_test "Client Handshake defragmentation (36)" \ "$O_NEXT_SRV -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (36 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13945,8 +13945,8 @@ run_test "Client Handshake defragmentation (32)" \ "$O_NEXT_SRV -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (32 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13955,8 +13955,8 @@ run_test "Client Handshake defragmentation (16)" \ "$O_NEXT_SRV -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (16 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13965,8 +13965,8 @@ run_test "Client Handshake defragmentation (13)" \ "$O_NEXT_SRV -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (13 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13975,8 +13975,8 @@ run_test "Client Handshake defragmentation (5)" \ "$O_NEXT_SRV -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ - -c "<= handshake" \ - -c "handshake fragment: " + -c "reassembled record" \ + -c "waiting for more fragments (5 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13984,8 +13984,8 @@ run_test "Server Handshake defragmentation (512)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (512 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -13993,8 +13993,8 @@ run_test "Server Handshake defragmentation (513)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (513 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14003,8 +14003,8 @@ run_test "Server Handshake defragmentation (256)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (256 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14013,8 +14013,8 @@ run_test "Server Handshake defragmentation (128)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (128 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14023,8 +14023,8 @@ run_test "Server Handshake defragmentation (64)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (64 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14033,8 +14033,8 @@ run_test "Server Handshake defragmentation (36)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (36 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14043,8 +14043,8 @@ run_test "Server Handshake defragmentation (32)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (32 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14053,8 +14053,8 @@ run_test "Server Handshake defragmentation (16)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (16 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14063,8 +14063,8 @@ run_test "Server Handshake defragmentation (13)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (12 [0-9]\\+, [0-9]\\+ left)" requires_openssl_tls1_3 requires_certificate_authentication @@ -14073,8 +14073,8 @@ run_test "Server Handshake defragmentation (5)" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -s "<= handshake" \ - -s "handshake fragment: " + -s "reassembled record" \ + -s "waiting for more fragments (5 [0-9]\\+, [0-9]\\+ left)" # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From a1b9117f176e552574cd92304093bf5f71ca59f7 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 7 Feb 2025 14:10:18 +0000 Subject: [PATCH 24/74] ssl-opt: Added requires_openssl_3_x to defragmentation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 80 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 60 insertions(+), 20 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 46751afdf..0fc099a23 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,6 +13874,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication run_test "Client Handshake defragmentation (512)" \ @@ -13881,8 +13882,10 @@ run_test "Client Handshake defragmentation (512)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (512 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -c "waiting for more fragments (512 of [0-9]\\+" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication run_test "Client Handshake defragmentation (513)" \ @@ -13890,7 +13893,8 @@ run_test "Client Handshake defragmentation (513)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (513 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -c "waiting for more fragments (513 of [0-9]\\+" # OpenSSL does not allow max_send_frag to be less than 512 # so we use split_send_frag instead for tests lower than 512 below. @@ -13898,6 +13902,7 @@ run_test "Client Handshake defragmentation (513)" \ # There is an issue with OpenSSL when fragmenting with values less # than 512 bytes in TLS 1.2 so we require TLS 1.3 with these values. +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13906,8 +13911,10 @@ run_test "Client Handshake defragmentation (256)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (256 of [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -c "waiting for more fragments (256 of [0-9]\\+" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13916,8 +13923,10 @@ run_test "Client Handshake defragmentation (128)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (128 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -c "waiting for more fragments (128" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13926,8 +13935,10 @@ run_test "Client Handshake defragmentation (64)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (64 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -c "waiting for more fragments (64" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13936,8 +13947,10 @@ run_test "Client Handshake defragmentation (36)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (36 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -c "waiting for more fragments (36" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13946,8 +13959,10 @@ run_test "Client Handshake defragmentation (32)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (32 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -c "waiting for more fragments (32" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13956,8 +13971,10 @@ run_test "Client Handshake defragmentation (16)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (16 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -c "waiting for more fragments (16" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13966,8 +13983,10 @@ run_test "Client Handshake defragmentation (13)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (13 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -c "waiting for more fragments (13" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -13976,8 +13995,10 @@ run_test "Client Handshake defragmentation (5)" \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ - -c "waiting for more fragments (5 [0-9]\\+, [0-9]\\+ left)" + -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -c "waiting for more fragments (5" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication run_test "Server Handshake defragmentation (512)" \ @@ -13985,8 +14006,10 @@ run_test "Server Handshake defragmentation (512)" \ "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (512 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -s "waiting for more fragments (512" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication run_test "Server Handshake defragmentation (513)" \ @@ -13994,8 +14017,10 @@ run_test "Server Handshake defragmentation (513)" \ "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (513 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -s "waiting for more fragments (513" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14004,8 +14029,10 @@ run_test "Server Handshake defragmentation (256)" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (256 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -s "waiting for more fragments (256" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14014,8 +14041,10 @@ run_test "Server Handshake defragmentation (128)" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (128 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -s "waiting for more fragments (128" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14024,8 +14053,10 @@ run_test "Server Handshake defragmentation (64)" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (64 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -s "waiting for more fragments (64" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14034,8 +14065,10 @@ run_test "Server Handshake defragmentation (36)" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (36 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -s "waiting for more fragments (36" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14044,8 +14077,10 @@ run_test "Server Handshake defragmentation (32)" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (32 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -s "waiting for more fragments (32" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14054,8 +14089,10 @@ run_test "Server Handshake defragmentation (16)" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (16 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -s "waiting for more fragments (16" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14064,8 +14101,10 @@ run_test "Server Handshake defragmentation (13)" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (12 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -s "waiting for more fragments (13" +requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14074,7 +14113,8 @@ run_test "Server Handshake defragmentation (5)" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ - -s "waiting for more fragments (5 [0-9]\\+, [0-9]\\+ left)" + -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -s "waiting for more fragments (5" # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From a8a298c9d60d70bb5faa28de8e91547bd2e87280 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 7 Feb 2025 17:06:18 +0000 Subject: [PATCH 25/74] ssl-opt: Adjusted the wording on handshake fragmentation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0fc099a23..269f6b45d 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13877,7 +13877,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication -run_test "Client Handshake defragmentation (512)" \ +run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ "$O_NEXT_SRV -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13888,7 +13888,7 @@ run_test "Client Handshake defragmentation (512)" \ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication -run_test "Client Handshake defragmentation (513)" \ +run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ "$O_NEXT_SRV -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13906,7 +13906,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (256)" \ +run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13918,7 +13918,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (128)" \ +run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13930,7 +13930,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (64)" \ +run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13942,7 +13942,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (36)" \ +run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13954,7 +13954,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (32)" \ +run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13966,7 +13966,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (16)" \ +run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13978,7 +13978,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (13)" \ +run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -13990,7 +13990,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Client Handshake defragmentation (5)" \ +run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ "$O_NEXT_SRV -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -14001,7 +14001,7 @@ run_test "Client Handshake defragmentation (5)" \ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication -run_test "Server Handshake defragmentation (512)" \ +run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14012,7 +14012,7 @@ run_test "Server Handshake defragmentation (512)" \ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication -run_test "Server Handshake defragmentation (513)" \ +run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14024,7 +14024,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (256)" \ +run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14036,7 +14036,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (128)" \ +run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14048,7 +14048,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (64)" \ +run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14060,7 +14060,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (36)" \ +run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14072,7 +14072,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (32)" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14084,7 +14084,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (16)" \ +run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14096,7 +14096,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (13)" \ +run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14108,7 +14108,7 @@ requires_openssl_3_x requires_openssl_tls1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Server Handshake defragmentation (5)" \ +run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ From a4dde77cbe57d0b68039c44acedae55e4851fde4 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Sat, 8 Feb 2025 23:31:43 +0000 Subject: [PATCH 26/74] ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 96 ++++++++++++++++++++---------------------------- 1 file changed, 40 insertions(+), 56 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 269f6b45d..7c9aea987 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13875,10 +13875,10 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ - "$O_NEXT_SRV -max_send_frag 512 " \ + "$O_NEXT_SRV -tls1_3 -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13886,10 +13886,10 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ -c "waiting for more fragments (512 of [0-9]\\+" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ - "$O_NEXT_SRV -max_send_frag 513 " \ + "$O_NEXT_SRV -tls1_3 -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13903,11 +13903,10 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ # than 512 bytes in TLS 1.2 so we require TLS 1.3 with these values. requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 256 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13915,11 +13914,10 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ -c "waiting for more fragments (256 of [0-9]\\+" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 128 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13927,11 +13925,10 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ -c "waiting for more fragments (128" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 64 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13939,11 +13936,10 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ -c "waiting for more fragments (64" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 36 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13951,11 +13947,10 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ -c "waiting for more fragments (36" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 32 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13963,11 +13958,10 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ -c "waiting for more fragments (32" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 16 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13975,11 +13969,10 @@ run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ -c "waiting for more fragments (16" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 13 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13987,11 +13980,10 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ -c "waiting for more fragments (13" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ - "$O_NEXT_SRV -split_send_frag 5 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13999,118 +13991,110 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ -c "waiting for more fragments (5" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -s "waiting for more fragments (512" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -s "waiting for more fragments (513" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -s "waiting for more fragments (256" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -s "waiting for more fragments (128" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -s "waiting for more fragments (64" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -s "waiting for more fragments (36" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -s "waiting for more fragments (32" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -s "waiting for more fragments (16" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -s "waiting for more fragments (13" requires_openssl_3_x -requires_openssl_tls1_3 +requires_protocol_version tls13 requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ From 85fe73d55db762af5c3ab0f74a2a92fee82fa2fd Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Sun, 9 Feb 2025 23:37:34 +0000 Subject: [PATCH 27/74] ssl-opt: Added tls 1.2 tests for HS defragmentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 221 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 221 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7c9aea987..d22bccafb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13885,6 +13885,17 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -c "waiting for more fragments (512 of [0-9]\\+" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -max_send_frag 512 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -c "waiting for more fragments (512 of [0-9]\\+" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13896,6 +13907,17 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -c "waiting for more fragments (513 of [0-9]\\+" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -max_send_frag 513 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -c "waiting for more fragments (513 of [0-9]\\+" + # OpenSSL does not allow max_send_frag to be less than 512 # so we use split_send_frag instead for tests lower than 512 below. @@ -13913,6 +13935,17 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -c "waiting for more fragments (256 of [0-9]\\+" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -c "waiting for more fragments (256 of [0-9]\\+" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13924,6 +13957,17 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -c "waiting for more fragments (128" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -c "waiting for more fragments (128" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13935,6 +13979,17 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -c "waiting for more fragments (64" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -c "waiting for more fragments (64" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13946,6 +14001,17 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -c "waiting for more fragments (36" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -c "waiting for more fragments (36" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13957,6 +14023,17 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -c "waiting for more fragments (32" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -c "waiting for more fragments (32" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13968,6 +14045,17 @@ run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -c "waiting for more fragments (16" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=14, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -c "waiting for more fragments (16" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13979,6 +14067,17 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -c "waiting for more fragments (13" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -c "waiting for more fragments (13" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13990,6 +14089,17 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -c "waiting for more fragments (5" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14001,6 +14111,17 @@ run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -s "waiting for more fragments (512" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -s "waiting for more fragments (512" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14012,6 +14133,17 @@ run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -s "waiting for more fragments (513" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -s "waiting for more fragments (513" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14023,6 +14155,18 @@ run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -s "waiting for more fragments (256" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -s "waiting for more fragments (256" + + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14034,6 +14178,17 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -s "waiting for more fragments (128" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=128, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -s "waiting for more fragments (128" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14045,6 +14200,17 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -s "waiting for more fragments (64" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=64, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -s "waiting for more fragments (64" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14056,6 +14222,17 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -s "waiting for more fragments (36" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=36, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -s "waiting for more fragments (36" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14067,6 +14244,17 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -s "waiting for more fragments (32" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -s "waiting for more fragments (32" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14078,6 +14266,17 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -s "waiting for more fragments (16" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=16, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -s "waiting for more fragments (16" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14089,6 +14288,17 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -s "waiting for more fragments (13" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=13, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -s "waiting for more fragments (13" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14100,6 +14310,17 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -s "waiting for more fragments (5" +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -s "waiting for more fragments (5" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 41782a9cd0d2fc0e77879e1aab737294edfa8190 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Feb 2025 17:21:22 +0000 Subject: [PATCH 28/74] ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled) Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d22bccafb..855e3c0c3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13873,6 +13873,15 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth -s "dumping .client hello, compression. (2 bytes)" # Handshake defragmentation testing +requires_openssl_3_x +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ + "$O_NEXT_SRV" \ + "$P_CLI debug_level=4 " \ + 0 \ + -C "reassembled record" \ + -C "waiting for more fragments" requires_openssl_3_x requires_protocol_version tls13 @@ -14100,6 +14109,16 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" +requires_openssl_3_x +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -C "reassembled record" \ + -C "waiting for more fragments" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication From 1c106afd22bf51b13dbcde8b7919a02cc4f86a72 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Feb 2025 17:33:22 +0000 Subject: [PATCH 29/74] ssl-opt: Added handshake fragmentation tests for 4 byte fragments. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 855e3c0c3..7d57c4a3f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14109,7 +14109,6 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" -requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ @@ -14340,6 +14339,28 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -s "waiting for more fragments (5" +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -s "waiting for more fragments (4" + +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=4, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -s "waiting for more fragments (4" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 74ce7498d7063958b0036e509d790ebd2e73ad82 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Feb 2025 17:41:18 +0000 Subject: [PATCH 30/74] ssl-opt: Added negative tests for handshake fragmentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7d57c4a3f..8268fde35 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14109,6 +14109,27 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" +requires_openssl_3_x +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ + "$P_CLI debug_level=4 " \ + 1 \ + -c "=> ssl_tls13_process_server_hello" \ + -c "handshake message too short: 3" \ + -c "SSL - An invalid SSL record was received" + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ + "$P_CLI debug_level=4 " \ + 1 \ + -c "handshake message too short: 3" \ + -c "SSL - An invalid SSL record was received" + requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ @@ -14361,6 +14382,41 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ -s "waiting for more fragments (4" +requires_openssl_3_x +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 1 \ + -s "<= parse client hello" \ + -s "handshake message too short: 3" \ + -s "SSL - An invalid SSL record was received" + +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 1 \ + -s "<= parse client hello" \ + -s "handshake message too short: 3" \ + -s "SSL - An invalid SSL record was received" + +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ + "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 1 \ + -s "The SSL configuration is tls12 only" \ + -s "bad client hello message" \ + -s "SSL - A message could not be parsed due to a syntactic error" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 36c81f5f05878c717620095874a1c14d52c86db2 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 20 Feb 2025 09:44:46 +0000 Subject: [PATCH 31/74] ssl-opt: Added DSA-RSA dependency on TLS1.2 defragmentation testing. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8268fde35..f6795f6b6 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13894,9 +13894,13 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -c "waiting for more fragments (512 of [0-9]\\+" +# Since the removal of the DHE-RSA key exchange, the default openssl server +# certificate does not match what is provided by the testing client. Those +# use-cases are out of scope for defregmentation testing, and should be skipped. requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -max_send_frag 512 " \ "$P_CLI debug_level=4 " \ @@ -13919,6 +13923,7 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -max_send_frag 513 " \ "$P_CLI debug_level=4 " \ @@ -13947,6 +13952,7 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \ "$P_CLI debug_level=4 " \ @@ -13969,6 +13975,7 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \ "$P_CLI debug_level=4 " \ @@ -13991,6 +13998,7 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \ "$P_CLI debug_level=4 " \ @@ -14013,6 +14021,7 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \ "$P_CLI debug_level=4 " \ @@ -14035,6 +14044,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \ "$P_CLI debug_level=4 " \ @@ -14057,6 +14067,7 @@ run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=14, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ @@ -14123,6 +14134,7 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ "$P_CLI debug_level=4 " \ From d708a63857c3fa0462ca61432400693dd08b3b2b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Feb 2025 17:28:27 +0000 Subject: [PATCH 32/74] ssl-opt: Updated documentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f6795f6b6..54b0065d3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13873,6 +13873,11 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth -s "dumping .client hello, compression. (2 bytes)" # Handshake defragmentation testing + +# To warrant that the handhake messages are large enough and need to be split +# into fragments, the tests require certificate authentication. The party in control +# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes) +# either from O_NEXT_SRV or test data. requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -13932,12 +13937,6 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -c "waiting for more fragments (513 of [0-9]\\+" -# OpenSSL does not allow max_send_frag to be less than 512 -# so we use split_send_frag instead for tests lower than 512 below. - -# There is an issue with OpenSSL when fragmenting with values less -# than 512 bytes in TLS 1.2 so we require TLS 1.3 with these values. - requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14405,11 +14404,13 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ -s "handshake message too short: 3" \ -s "SSL - An invalid SSL record was received" +# Server-side ClientHello degfragmentation is only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing +# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ +run_test "Handshake defragmentation on server: len=3, TLS 1.3 -> 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ From eddbb5a829e4b22e21a02ffe62eb7c00b4165d02 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 19 Feb 2025 11:37:39 +0000 Subject: [PATCH 33/74] ChangeLog: Updated the entry for tls-hs-defragmentation Signed-off-by: Minos Galanakis --- ChangeLog.d/tls-hs-defrag-in.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt index 55103c9a4..4fd4a4e37 100644 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -3,3 +3,10 @@ Bugfix by the spec. Lack of support was causing handshake failures with some servers, especially with TLS 1.3 in practice (though both protocol version could be affected in principle, and both are fixed now). + The initial fragment for each handshake message must be at least 4 bytes. + + Server-side, defragmentation of the ClientHello message is only + supported if the server accepts TLS 1.3 (regardless of whether the + ClientHello is 1.3 or 1.2). That is, servers configured (either + at compile time or at runtime) to only accept TLS 1.2 will + still fail the handshake if the ClientHello message is fragmented. From a5a8c9f5c9a06a6043cff3778620f5309fae0528 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 20 Feb 2025 20:27:51 +0000 Subject: [PATCH 34/74] ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 57 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 14 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 54b0065d3..cf7dc2412 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14055,7 +14055,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication -run_test "Handshake defragmentation on client: len=14, TLS 1.3" \ +run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -14067,7 +14067,7 @@ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=14, TLS 1.2" \ +run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ "$P_CLI debug_level=4 " \ 0 \ @@ -14119,6 +14119,28 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" +requires_openssl_3_x +requires_protocol_version tls13 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -c "waiting for more fragments (4" + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -c "waiting for more fragments (4" + requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14210,13 +14232,12 @@ requires_protocol_version tls12 requires_certificate_authentication run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -s "waiting for more fragments (256" - requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication @@ -14228,8 +14249,11 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -s "waiting for more fragments (128" +# Server-side ClientHello degfragmentation is only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing +# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=128, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14251,7 +14275,8 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ -s "waiting for more fragments (64" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=64, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14273,7 +14298,8 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ -s "waiting for more fragments (36" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=36, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14295,7 +14321,8 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ -s "waiting for more fragments (32" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14317,7 +14344,8 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ -s "waiting for more fragments (16" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=16, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14339,7 +14367,8 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ -s "waiting for more fragments (13" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=13, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14361,7 +14390,8 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ -s "waiting for more fragments (5" requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14371,6 +14401,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -s "waiting for more fragments (5" +requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ @@ -14404,8 +14435,6 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ -s "handshake message too short: 3" \ -s "SSL - An invalid SSL record was received" -# Server-side ClientHello degfragmentation is only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing -# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -14422,7 +14451,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 -> 1.2" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ From 99ca6680f29dfe7754c87b3cb9580886aed094fd Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 20 Feb 2025 23:24:34 +0000 Subject: [PATCH 35/74] ssl-opt: Replaced max_send_frag with split_send_frag Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index cf7dc2412..818d50dc9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13892,7 +13892,7 @@ requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -max_send_frag 512 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13907,7 +13907,7 @@ requires_protocol_version tls12 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -max_send_frag 512 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13918,7 +13918,7 @@ requires_openssl_3_x requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -max_send_frag 513 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -13930,7 +13930,7 @@ requires_protocol_version tls12 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -max_send_frag 513 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \ "$P_CLI debug_level=4 " \ 0 \ -c "reassembled record" \ @@ -14177,7 +14177,7 @@ requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ @@ -14188,7 +14188,7 @@ requires_protocol_version tls12 requires_certificate_authentication run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -max_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ @@ -14199,7 +14199,7 @@ requires_protocol_version tls13 requires_certificate_authentication run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ @@ -14210,7 +14210,7 @@ requires_protocol_version tls12 requires_certificate_authentication run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -max_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ From cd6a24b28895a277fe5fa5236c3dce09143d9928 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 24 Feb 2025 09:27:09 +0000 Subject: [PATCH 36/74] ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16 Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 818d50dc9..d09005b66 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14086,6 +14086,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -c "waiting for more fragments (13" +skip_next_test requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -14108,6 +14109,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" +skip_next_test requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -14130,6 +14132,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ -c "waiting for more fragments (4" +skip_next_test requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication From c8709c6a85c5d9b2ce88533d60b87b4b95d7b70e Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 24 Feb 2025 23:43:07 +0000 Subject: [PATCH 37/74] ssl-opt: Removed redundant dependencies: requires_openssl_3_x Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 132 +++++++++++++++-------------------------------- 1 file changed, 41 insertions(+), 91 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d09005b66..6b9ef1d22 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13878,8 +13878,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # into fragments, the tests require certificate authentication. The party in control # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes) # either from O_NEXT_SRV or test data. -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ "$O_NEXT_SRV" \ @@ -13888,8 +13887,7 @@ run_test "Handshake defragmentation on client (no fragmentation, for referenc -C "reassembled record" \ -C "waiting for more fragments" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \ @@ -13902,8 +13900,7 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ # Since the removal of the DHE-RSA key exchange, the default openssl server # certificate does not match what is provided by the testing client. Those # use-cases are out of scope for defregmentation testing, and should be skipped. -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ @@ -13914,8 +13911,7 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -c "waiting for more fragments (512 of [0-9]\\+" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \ @@ -13925,8 +13921,7 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -c "waiting for more fragments (513 of [0-9]\\+" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ @@ -13937,8 +13932,7 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -c "waiting for more fragments (513 of [0-9]\\+" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \ @@ -13948,8 +13942,7 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -c "waiting for more fragments (256 of [0-9]\\+" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ @@ -13960,8 +13953,7 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -c "waiting for more fragments (256 of [0-9]\\+" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \ @@ -13971,8 +13963,7 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -c "waiting for more fragments (128" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ @@ -13983,8 +13974,7 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -c "waiting for more fragments (128" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \ @@ -13994,8 +13984,7 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -c "waiting for more fragments (64" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ @@ -14006,8 +13995,7 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -c "waiting for more fragments (64" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \ @@ -14017,8 +14005,7 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -c "waiting for more fragments (36" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ @@ -14029,8 +14016,7 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -c "waiting for more fragments (36" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \ @@ -14040,8 +14026,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -c "waiting for more fragments (32" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ @@ -14052,8 +14037,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -c "waiting for more fragments (32" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ @@ -14063,8 +14047,7 @@ run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -c "waiting for more fragments (16" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ @@ -14075,8 +14058,7 @@ run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -c "waiting for more fragments (16" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \ @@ -14087,8 +14069,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ -c "waiting for more fragments (13" skip_next_test -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \ @@ -14098,8 +14079,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -c "waiting for more fragments (13" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \ @@ -14110,8 +14090,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ -c "waiting for more fragments (5" skip_next_test -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \ @@ -14121,8 +14100,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -c "waiting for more fragments (5" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \ @@ -14133,8 +14111,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ -c "waiting for more fragments (4" skip_next_test -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \ @@ -14144,8 +14121,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ -c "waiting for more fragments (4" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ @@ -14155,8 +14131,7 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ -c "handshake message too short: 3" \ -c "SSL - An invalid SSL record was received" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ @@ -14166,7 +14141,7 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ -c "handshake message too short: 3" \ -c "SSL - An invalid SSL record was received" -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14175,8 +14150,7 @@ run_test "Handshake defragmentation on server (no fragmentation, for referenc -C "reassembled record" \ -C "waiting for more fragments" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14186,8 +14160,7 @@ run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -s "waiting for more fragments (512" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14197,8 +14170,7 @@ run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -s "waiting for more fragments (512" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14208,8 +14180,7 @@ run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -s "waiting for more fragments (513" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14219,8 +14190,7 @@ run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ -s "waiting for more fragments (513" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14230,8 +14200,7 @@ run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -s "waiting for more fragments (256" -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14241,8 +14210,7 @@ run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ -s "waiting for more fragments (256" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14254,7 +14222,6 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ # Server-side ClientHello degfragmentation is only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing # the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14266,8 +14233,7 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -s "waiting for more fragments (128" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14277,7 +14243,6 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -s "waiting for more fragments (64" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14289,8 +14254,7 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ -s "waiting for more fragments (64" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14300,7 +14264,6 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -s "waiting for more fragments (36" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14312,8 +14275,7 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ -s "waiting for more fragments (36" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14323,7 +14285,6 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -s "waiting for more fragments (32" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14335,8 +14296,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ -s "waiting for more fragments (32" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14346,7 +14306,6 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -s "waiting for more fragments (16" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14358,8 +14317,7 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ -s "waiting for more fragments (16" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14369,7 +14327,6 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -s "waiting for more fragments (13" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14381,8 +14338,7 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ -s "waiting for more fragments (13" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14392,7 +14348,6 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -s "waiting for more fragments (5" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14404,8 +14359,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ -s "waiting for more fragments (5" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14415,7 +14369,6 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ -s "waiting for more fragments (4" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14427,8 +14380,7 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.2" \ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ -s "waiting for more fragments (4" -requires_openssl_3_x -requires_protocol_version tls13 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ @@ -14438,7 +14390,6 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ -s "handshake message too short: 3" \ -s "SSL - An invalid SSL record was received" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14450,7 +14401,6 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3 -> 1.2" \ -s "handshake message too short: 3" \ -s "SSL - An invalid SSL record was received" -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication From 17170a5ed22954eab7ab65ac0b564582934dfb3a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 11:40:33 +0000 Subject: [PATCH 38/74] ssl-opt: Updated documentation of HS-Defrag tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6b9ef1d22..52ae00265 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14225,7 +14225,7 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14246,7 +14246,7 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14267,7 +14267,7 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14288,7 +14288,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14309,7 +14309,7 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14330,7 +14330,7 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14351,7 +14351,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14372,7 +14372,7 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.2" \ +run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14393,7 +14393,7 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3 -> 1.2" \ +run_test "Handshake defragmentation on server: len=3, TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ @@ -14404,7 +14404,7 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3 -> 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 -> 1.2" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ From 19dbbe095894a623f5ac32393f57219ef60a647c Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 11:45:02 +0000 Subject: [PATCH 39/74] analyze_outcomes: Temporary disabled 3 HS Degragmentation tests. Signed-off-by: Minos Galanakis --- tests/scripts/analyze_outcomes.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index e68c2cbf0..7a5c506a9 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -50,6 +50,11 @@ class CoverageTask(outcome_analysis.CoverageTask): # TLS doesn't use restartable ECDH yet. # https://github.com/Mbed-TLS/mbedtls/issues/7294 re.compile(r'EC restart:.*no USE_PSA.*'), + # Temporary disable Handshake defragmentation tests until mbedtls + # pr #10011 has been merged. + 'Handshake defragmentation on client: len=4, TLS 1.2', + 'Handshake defragmentation on client: len=5, TLS 1.2', + 'Handshake defragmentation on client: len=13, TLS 1.2' ], 'test_suite_config.mbedtls_boolean': [ # Missing coverage of test configurations. From 76957cceabebc87acbb363c3971403939d692104 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 14:43:17 +0000 Subject: [PATCH 40/74] ssl-opt: Minor typos and documentation fixes. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 52ae00265..84b72e8b4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,10 +13874,9 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing -# To warrant that the handhake messages are large enough and need to be split +# To guarantee that the handhake messages are large enough and need to be split # into fragments, the tests require certificate authentication. The party in control -# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes) -# either from O_NEXT_SRV or test data. +# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ @@ -13897,9 +13896,7 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ -c "waiting for more fragments (512 of [0-9]\\+" -# Since the removal of the DHE-RSA key exchange, the default openssl server -# certificate does not match what is provided by the testing client. Those -# use-cases are out of scope for defregmentation testing, and should be skipped. +#The server uses an ECDSA cert, so make sure we have a compatible key exchange requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED @@ -14220,12 +14217,12 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ -s "waiting for more fragments (128" -# Server-side ClientHello degfragmentation is only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing +# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing # the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14246,7 +14243,7 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14267,7 +14264,7 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14288,7 +14285,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14309,7 +14306,7 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14330,7 +14327,7 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14351,7 +14348,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14372,7 +14369,7 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14393,7 +14390,7 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ @@ -14404,7 +14401,7 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3 Client-Hallo -> requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.3 Client-Hallo -> 1.2 Handhsake" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ From d01ac30cfa941141e49c5c0d561a48565c7a5627 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 15:11:09 +0000 Subject: [PATCH 41/74] ssl-opt: Adjusted reference hs defragmentation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 84b72e8b4..7fdab715f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13877,7 +13877,6 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # To guarantee that the handhake messages are large enough and need to be split # into fragments, the tests require certificate authentication. The party in control # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ "$O_NEXT_SRV" \ @@ -14138,14 +14137,13 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ -c "handshake message too short: 3" \ -c "SSL - An invalid SSL record was received" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ - -C "reassembled record" \ - -C "waiting for more fragments" + -S "reassembled record" \ + -S "waiting for more fragments" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication From 0dd57a99137a32ce1eae4dd20f452f32248543a4 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 18:02:33 +0000 Subject: [PATCH 42/74] ssl-opt: Removed dependencies for HS defrag negative tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7fdab715f..b758aa296 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14118,7 +14118,6 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ -c "waiting for more fragments (4" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ "$P_CLI debug_level=4 " \ @@ -14128,8 +14127,6 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ -c "SSL - An invalid SSL record was received" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ "$P_CLI debug_level=4 " \ @@ -14397,7 +14394,6 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> -s "SSL - An invalid SSL record was received" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ From 4354dc646feb66e32a50e6fb793966934d88c901 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 27 Feb 2025 22:36:58 +0000 Subject: [PATCH 43/74] ssl-opt: Re-introduce certificate dependency for HS negative tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b758aa296..5fc17a4cb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14118,6 +14118,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ -c "waiting for more fragments (4" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ "$P_CLI debug_level=4 " \ From 4773333dc6c32963db11f077c9162fc5806a31b9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 14:28:20 +0100 Subject: [PATCH 44/74] New generated file: tests/opt-testcases/handshake-generated.sh Signed-off-by: Gilles Peskine --- framework | 2 +- scripts/make_generated_files.bat | 1 + tests/.gitignore | 1 + tests/CMakeLists.txt | 18 ++++++++++++++++++ tests/Makefile | 7 +++++++ tests/scripts/check-generated-files.sh | 1 + 6 files changed, 29 insertions(+), 1 deletion(-) diff --git a/framework b/framework index 523a12d05..11e4f5ac1 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 523a12d05b91301b020e2aa560d9774135e3a801 +Subproject commit 11e4f5ac1c71fe7d803fa5193236560b2e176cea diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat index 4982f77db..bef198f36 100644 --- a/scripts/make_generated_files.bat +++ b/scripts/make_generated_files.bat @@ -32,4 +32,5 @@ python framework\scripts\generate_psa_tests.py --directory tf-psa-crypto\tests\s python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1 python tf-psa-crypto\framework\scripts\generate_test_keys.py --output tf-psa-crypto\framework\tests\include\test\test_keys.h || exit /b 1 python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1 +python framework\scripts\generate_tls_handshake_tests.py || exit /b 1 python framework\scripts\generate_tls13_compat_tests.py || exit /b 1 diff --git a/tests/.gitignore b/tests/.gitignore index 997101cc8..a4a0309fa 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -18,6 +18,7 @@ ###START_GENERATED_FILES### # Generated source files +/opt-testcases/handshake-generated.sh /opt-testcases/tls13-compat.sh /suites/*.generated.data /suites/test_suite_config.mbedtls_boolean.data diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 950c36597..a56a707f4 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -57,6 +57,24 @@ if(GEN_FILES) # change too often in ways that don't affect the result # ((un)commenting some options). ) + + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + COMMAND + "${MBEDTLS_PYTHON_EXECUTABLE}" + "${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py" + DEPENDS + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/tls_test_case.py + ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py + ) + add_custom_target(handshake-generated.sh + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh) + set_target_properties(handshake-generated.sh PROPERTIES EXCLUDE_FROM_ALL NO) + add_dependencies(${ssl_opt_target} handshake-generated.sh) + add_custom_command( OUTPUT ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/tls13-compat.sh diff --git a/tests/Makefile b/tests/Makefile index 7bd995342..b6f2f8caf 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -64,6 +64,13 @@ GENERATED_FILES += ../framework/tests/include/test/test_keys.h \ # Generated files needed to (fully) run ssl-opt.sh .PHONY: ssl-opt +opt-testcases/handshake-generated.sh: ../framework/scripts/mbedtls_framework/tls_test_case.py +opt-testcases/handshake-generated.sh: ../framework/scripts/generate_tls_handshake_tests.py + echo " Gen $@" + $(PYTHON) ../framework/scripts/generate_tls_handshake_tests.py -o $@ +GENERATED_FILES += opt-testcases/handshake-generated.sh +ssl-opt: opt-testcases/handshake-generated.sh + opt-testcases/tls13-compat.sh: ../framework/scripts/generate_tls13_compat_tests.py echo " Gen $@" $(PYTHON) ../framework/scripts/generate_tls13_compat_tests.py -o $@ diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index 8cc341d17..ba10024ee 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -179,6 +179,7 @@ if in_mbedtls_repo; then check scripts/generate_query_config.pl programs/test/query_config.c check scripts/generate_features.pl library/version_features.c check framework/scripts/generate_ssl_debug_helpers.py library/ssl_debug_helpers_generated.c + check framework/scripts/generate_tls_handshake_tests.py tests/opt-testcases/handshake-generated.sh check framework/scripts/generate_tls13_compat_tests.py tests/opt-testcases/tls13-compat.sh check framework/scripts/generate_test_cert_macros.py tests/src/test_certs.h # generate_visualc_files enumerates source files (library/*.c). It doesn't From b40d33b7c86c07849001f61d3aa0577d4b2ab016 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 14:26:51 +0100 Subject: [PATCH 45/74] Move most TLS handshake defragmentation tests to a separate file Prepare for those test cases to be automatically generated by a script. Signed-off-by: Gilles Peskine --- tests/opt-testcases/handshake-manual.sh | 519 +++++++++++++++++++++++ tests/ssl-opt.sh | 520 +----------------------- 2 files changed, 520 insertions(+), 519 deletions(-) create mode 100644 tests/opt-testcases/handshake-manual.sh diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh new file mode 100644 index 000000000..8496c0d87 --- /dev/null +++ b/tests/opt-testcases/handshake-manual.sh @@ -0,0 +1,519 @@ +# To guarantee that the handhake messages are large enough and need to be split +# into fragments, the tests require certificate authentication. The party in control +# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). +requires_certificate_authentication +run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ + "$O_NEXT_SRV" \ + "$P_CLI debug_level=4 " \ + 0 \ + -C "reassembled record" \ + -C "waiting for more fragments" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -c "waiting for more fragments (512 of [0-9]\\+" + +#The server uses an ECDSA cert, so make sure we have a compatible key exchange +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -c "waiting for more fragments (512 of [0-9]\\+" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -c "waiting for more fragments (513 of [0-9]\\+" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -c "waiting for more fragments (513 of [0-9]\\+" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -c "waiting for more fragments (256 of [0-9]\\+" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -c "waiting for more fragments (256 of [0-9]\\+" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -c "waiting for more fragments (128" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -c "waiting for more fragments (128" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -c "waiting for more fragments (64" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -c "waiting for more fragments (64" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -c "waiting for more fragments (36" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -c "waiting for more fragments (36" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -c "waiting for more fragments (32" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -c "waiting for more fragments (32" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -c "waiting for more fragments (16" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -c "waiting for more fragments (16" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -c "waiting for more fragments (13" + +skip_next_test +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -c "waiting for more fragments (13" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -c "waiting for more fragments (5" + +skip_next_test +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -c "waiting for more fragments (5" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -c "waiting for more fragments (4" + +skip_next_test +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \ + "$P_CLI debug_level=4 " \ + 0 \ + -c "reassembled record" \ + -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -c "waiting for more fragments (4" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ + "$P_CLI debug_level=4 " \ + 1 \ + -c "=> ssl_tls13_process_server_hello" \ + -c "handshake message too short: 3" \ + -c "SSL - An invalid SSL record was received" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ + "$P_CLI debug_level=4 " \ + 1 \ + -c "handshake message too short: 3" \ + -c "SSL - An invalid SSL record was received" + +requires_certificate_authentication +run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -S "reassembled record" \ + -S "waiting for more fragments" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -s "waiting for more fragments (512" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ + -s "waiting for more fragments (512" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -s "waiting for more fragments (513" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ + -s "waiting for more fragments (513" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -s "waiting for more fragments (256" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ + -s "waiting for more fragments (256" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -s "waiting for more fragments (128" + +# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing +# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ + -s "waiting for more fragments (128" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -s "waiting for more fragments (64" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ + -s "waiting for more fragments (64" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -s "waiting for more fragments (36" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ + -s "waiting for more fragments (36" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -s "waiting for more fragments (32" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ + -s "waiting for more fragments (32" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -s "waiting for more fragments (16" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ + -s "waiting for more fragments (16" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -s "waiting for more fragments (13" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ + -s "waiting for more fragments (13" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -s "waiting for more fragments (5" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ + -s "waiting for more fragments (5" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -s "waiting for more fragments (4" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "reassembled record" \ + -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ + -s "waiting for more fragments (4" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 1 \ + -s "<= parse client hello" \ + -s "handshake message too short: 3" \ + -s "SSL - An invalid SSL record was received" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 1 \ + -s "<= parse client hello" \ + -s "handshake message too short: 3" \ + -s "SSL - An invalid SSL record was received" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5fc17a4cb..40d15152c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13874,525 +13874,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth # Handshake defragmentation testing -# To guarantee that the handhake messages are large enough and need to be split -# into fragments, the tests require certificate authentication. The party in control -# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). -requires_certificate_authentication -run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ - "$O_NEXT_SRV" \ - "$P_CLI debug_level=4 " \ - 0 \ - -C "reassembled record" \ - -C "waiting for more fragments" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of [0-9]\\+" - -#The server uses an ECDSA cert, so make sure we have a compatible key exchange -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of [0-9]\\+" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of [0-9]\\+" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of [0-9]\\+" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of [0-9]\\+" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of [0-9]\\+" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \ - "$P_CLI debug_level=4 " \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ - "$P_CLI debug_level=4 " \ - 1 \ - -c "=> ssl_tls13_process_server_hello" \ - -c "handshake message too short: 3" \ - -c "SSL - An invalid SSL record was received" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ - "$P_CLI debug_level=4 " \ - 1 \ - -c "handshake message too short: 3" \ - -c "SSL - An invalid SSL record was received" - -requires_certificate_authentication -run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -S "reassembled record" \ - -S "waiting for more fragments" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128" - -# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing -# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 1 \ - -s "<= parse client hello" \ - -s "handshake message too short: 3" \ - -s "SSL - An invalid SSL record was received" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 1 \ - -s "<= parse client hello" \ - -s "handshake message too short: 3" \ - -s "SSL - An invalid SSL record was received" +# Most test cases are in opt-testcases/handshake-generated.sh requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication From aaab090ad87b5c504e5e4f349c8b235faf3aac34 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 13:53:18 +0100 Subject: [PATCH 46/74] Normalize whitespace in defragmentation test cases Signed-off-by: Gilles Peskine --- tests/opt-testcases/handshake-manual.sh | 98 ++++++++++++------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh index 8496c0d87..1b7b9799f 100644 --- a/tests/opt-testcases/handshake-manual.sh +++ b/tests/opt-testcases/handshake-manual.sh @@ -4,7 +4,7 @@ requires_certificate_authentication run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ "$O_NEXT_SRV" \ - "$P_CLI debug_level=4 " \ + "$P_CLI debug_level=4" \ 0 \ -C "reassembled record" \ -C "waiting for more fragments" @@ -12,8 +12,8 @@ run_test "Handshake defragmentation on client (no fragmentation, for referenc requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 512 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 512" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ @@ -24,8 +24,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 512 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ @@ -34,8 +34,8 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 513 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 513" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ @@ -45,8 +45,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 513 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 513" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ @@ -55,8 +55,8 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 256 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 256" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ @@ -66,8 +66,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ @@ -76,8 +76,8 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 128 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 128" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ @@ -87,8 +87,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 128 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 128" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ @@ -97,8 +97,8 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 64 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 64" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ @@ -108,8 +108,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 64 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 64" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ @@ -118,8 +118,8 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 36 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 36" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ @@ -129,8 +129,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 36 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 36" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ @@ -139,8 +139,8 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 32 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 32" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ @@ -150,8 +150,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 32 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 32" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ @@ -160,8 +160,8 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 16 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 16" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ @@ -171,8 +171,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 16 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 16" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ @@ -181,8 +181,8 @@ run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 13 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 13" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ @@ -192,8 +192,8 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 13 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ @@ -202,8 +202,8 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 5 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 5" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ @@ -213,8 +213,8 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 5 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ @@ -223,8 +223,8 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 4 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 4" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ @@ -234,8 +234,8 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 4 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \ + "$P_CLI debug_level=4" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ @@ -244,8 +244,8 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 3 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \ + "$P_CLI debug_level=4" \ 1 \ -c "=> ssl_tls13_process_server_hello" \ -c "handshake message too short: 3" \ @@ -253,8 +253,8 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 3 " \ - "$P_CLI debug_level=4 " \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 3" \ + "$P_CLI debug_level=4" \ 1 \ -c "handshake message too short: 3" \ -c "SSL - An invalid SSL record was received" From 46cb8a2aa91b4f7ff146b6a6c940d9807ee2e313 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 14:12:02 +0100 Subject: [PATCH 47/74] Normalize messages in defragmentation test cases Make some test case descriptions and log patterns follow more systematic patterns. Signed-off-by: Gilles Peskine --- tests/opt-testcases/handshake-manual.sh | 94 ++++++++++++------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh index 1b7b9799f..087cf66fc 100644 --- a/tests/opt-testcases/handshake-manual.sh +++ b/tests/opt-testcases/handshake-manual.sh @@ -2,7 +2,7 @@ # into fragments, the tests require certificate authentication. The party in control # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). requires_certificate_authentication -run_test "Handshake defragmentation on client (no fragmentation, for reference)" \ +run_test "Handshake defragmentation on client: no fragmentation, for reference" \ "$O_NEXT_SRV" \ "$P_CLI debug_level=4" \ 0 \ @@ -17,7 +17,7 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of [0-9]\\+" + -c "waiting for more fragments (512 of" #The server uses an ECDSA cert, so make sure we have a compatible key exchange requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -29,7 +29,7 @@ run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of [0-9]\\+" + -c "waiting for more fragments (512 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -39,7 +39,7 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of [0-9]\\+" + -c "waiting for more fragments (513 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -50,7 +50,7 @@ run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of [0-9]\\+" + -c "waiting for more fragments (513 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -60,7 +60,7 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of [0-9]\\+" + -c "waiting for more fragments (256 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -71,7 +71,7 @@ run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of [0-9]\\+" + -c "waiting for more fragments (256 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -81,7 +81,7 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128" + -c "waiting for more fragments (128 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -92,7 +92,7 @@ run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128" + -c "waiting for more fragments (128 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -102,7 +102,7 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64" + -c "waiting for more fragments (64 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -113,7 +113,7 @@ run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64" + -c "waiting for more fragments (64 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -123,7 +123,7 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36" + -c "waiting for more fragments (36 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -134,7 +134,7 @@ run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36" + -c "waiting for more fragments (36 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -144,7 +144,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32" + -c "waiting for more fragments (32 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -155,7 +155,7 @@ run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32" + -c "waiting for more fragments (32 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -165,7 +165,7 @@ run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16" + -c "waiting for more fragments (16 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -176,7 +176,7 @@ run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16" + -c "waiting for more fragments (16 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -186,7 +186,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13" + -c "waiting for more fragments (13 of" skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -197,7 +197,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13" + -c "waiting for more fragments (13 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -207,7 +207,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5" + -c "waiting for more fragments (5 of" skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -218,7 +218,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5" + -c "waiting for more fragments (5 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -228,7 +228,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4" + -c "waiting for more fragments (4 of" skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -239,7 +239,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ 0 \ -c "reassembled record" \ -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4" + -c "waiting for more fragments (4 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -260,7 +260,7 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ -c "SSL - An invalid SSL record was received" requires_certificate_authentication -run_test "Handshake defragmentation on server (no fragmentation, for reference)." \ +run_test "Handshake defragmentation on server: no fragmentation, for reference" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -275,7 +275,7 @@ run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512" + -s "waiting for more fragments (512 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -285,7 +285,7 @@ run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512" + -s "waiting for more fragments (512 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -295,7 +295,7 @@ run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513" + -s "waiting for more fragments (513 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -305,7 +305,7 @@ run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513" + -s "waiting for more fragments (513 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -315,7 +315,7 @@ run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256" + -s "waiting for more fragments (256 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication @@ -325,7 +325,7 @@ run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256" + -s "waiting for more fragments (256 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -335,7 +335,7 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128" + -s "waiting for more fragments (128 of" # Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing # the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. @@ -348,7 +348,7 @@ run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 Clie 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128" + -s "waiting for more fragments (128 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -358,7 +358,7 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64" + -s "waiting for more fragments (64 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -369,7 +369,7 @@ run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 Clien 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64" + -s "waiting for more fragments (64 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -379,7 +379,7 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36" + -s "waiting for more fragments (36 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -390,7 +390,7 @@ run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 Clien 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36" + -s "waiting for more fragments (36 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -400,7 +400,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32" + -s "waiting for more fragments (32 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -411,7 +411,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 Clien 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32" + -s "waiting for more fragments (32 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -421,7 +421,7 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16" + -s "waiting for more fragments (16 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -432,7 +432,7 @@ run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 Clien 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16" + -s "waiting for more fragments (16 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -442,7 +442,7 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13" + -s "waiting for more fragments (13 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -453,7 +453,7 @@ run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 Clien 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13" + -s "waiting for more fragments (13 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -463,7 +463,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5" + -s "waiting for more fragments (5 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -474,7 +474,7 @@ run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 Client 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5" + -s "waiting for more fragments (5 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -484,7 +484,7 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4" + -s "waiting for more fragments (4 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 @@ -495,7 +495,7 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 Client 0 \ -s "reassembled record" \ -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4" + -s "waiting for more fragments (4 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -510,7 +510,7 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=3, TLS 1.3 ClientHello -> 1.2 Handshake" \ +run_test "Handshake defragmentation on server: len=3, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ From 5071a253209921c1bf334b3b961cde1299413a4f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 16:38:50 +0100 Subject: [PATCH 48/74] Normalize requirements in defragmentation test cases Be more uniform in where certificate authentication and ECDSA are explicitly required. A few test cases now run in PSK-only configurations where they always could. Add a missing requirement on ECDSA to test cases that are currently skipped. Signed-off-by: Gilles Peskine --- tests/opt-testcases/handshake-manual.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh index 087cf66fc..1e118e59c 100644 --- a/tests/opt-testcases/handshake-manual.sh +++ b/tests/opt-testcases/handshake-manual.sh @@ -1,7 +1,6 @@ # To guarantee that the handhake messages are large enough and need to be split # into fragments, the tests require certificate authentication. The party in control # of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). -requires_certificate_authentication run_test "Handshake defragmentation on client: no fragmentation, for reference" \ "$O_NEXT_SRV" \ "$P_CLI debug_level=4" \ @@ -191,6 +190,7 @@ run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \ "$P_CLI debug_level=4" \ @@ -212,6 +212,7 @@ run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \ "$P_CLI debug_level=4" \ @@ -233,6 +234,7 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \ "$P_CLI debug_level=4" \ @@ -242,7 +244,6 @@ run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ -c "waiting for more fragments (4 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \ "$P_CLI debug_level=4" \ @@ -259,7 +260,6 @@ run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ -c "handshake message too short: 3" \ -c "SSL - An invalid SSL record was received" -requires_certificate_authentication run_test "Handshake defragmentation on server: no fragmentation, for reference" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -498,7 +498,6 @@ run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 Client -s "waiting for more fragments (4 of" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -509,7 +508,6 @@ run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication run_test "Handshake defragmentation on server: len=3, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ From f89bc276033d10b28429d8be04d1f6799fac3251 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 1 Mar 2025 16:48:33 +0100 Subject: [PATCH 49/74] Switch to generated handshake tests Replace `tests/opt-testcases/handshake-manual.sh` by `tests/opt-testcases/handshake-generated.sh`. They are identical except for comments. Signed-off-by: Gilles Peskine --- framework | 2 +- tests/opt-testcases/handshake-manual.sh | 517 ------------------------ 2 files changed, 1 insertion(+), 518 deletions(-) delete mode 100644 tests/opt-testcases/handshake-manual.sh diff --git a/framework b/framework index 11e4f5ac1..f88eb21ff 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 11e4f5ac1c71fe7d803fa5193236560b2e176cea +Subproject commit f88eb21ff11afe2c9ed553dcdba27166198f90d9 diff --git a/tests/opt-testcases/handshake-manual.sh b/tests/opt-testcases/handshake-manual.sh deleted file mode 100644 index 1e118e59c..000000000 --- a/tests/opt-testcases/handshake-manual.sh +++ /dev/null @@ -1,517 +0,0 @@ -# To guarantee that the handhake messages are large enough and need to be split -# into fragments, the tests require certificate authentication. The party in control -# of the fragmentation operations is OpenSSL and will always use server5.crt (548 Bytes). -run_test "Handshake defragmentation on client: no fragmentation, for reference" \ - "$O_NEXT_SRV" \ - "$P_CLI debug_level=4" \ - 0 \ - -C "reassembled record" \ - -C "waiting for more fragments" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=512, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 512" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of" - -#The server uses an ECDSA cert, so make sure we have a compatible key exchange -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=512, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 512" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -c "waiting for more fragments (512 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=513, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 513" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=513, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 513" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -c "waiting for more fragments (513 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=256, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 256" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=256, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -c "waiting for more fragments (256 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=128, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 128" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=128, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 128" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -c "waiting for more fragments (128 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=64, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 64" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=64, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 64" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -c "waiting for more fragments (64 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=36, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 36" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=36, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 36" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -c "waiting for more fragments (36 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=32, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 32" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=32, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 32" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -c "waiting for more fragments (32 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=16, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 16" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=16, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 16" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -c "waiting for more fragments (16 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=13, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 13" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13 of" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=13, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 13" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -c "waiting for more fragments (13 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=5, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 5" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5 of" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=5, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 5" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -c "waiting for more fragments (5 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on client: len=4, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 4" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4 of" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -run_test "Handshake defragmentation on client: len=4, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 4" \ - "$P_CLI debug_level=4" \ - 0 \ - -c "reassembled record" \ - -c "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -c "waiting for more fragments (4 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Handshake defragmentation on client: len=3, TLS 1.3" \ - "$O_NEXT_SRV -tls1_3 -split_send_frag 3" \ - "$P_CLI debug_level=4" \ - 1 \ - -c "=> ssl_tls13_process_server_hello" \ - -c "handshake message too short: 3" \ - -c "SSL - An invalid SSL record was received" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "Handshake defragmentation on client: len=3, TLS 1.2" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 3" \ - "$P_CLI debug_level=4" \ - 1 \ - -c "handshake message too short: 3" \ - -c "SSL - An invalid SSL record was received" - -run_test "Handshake defragmentation on server: no fragmentation, for reference" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -S "reassembled record" \ - -S "waiting for more fragments" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=512, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=512, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 512 of [0-9]\\+ msglen 512" \ - -s "waiting for more fragments (512 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=513, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=513, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 513 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 513 of [0-9]\\+ msglen 513" \ - -s "waiting for more fragments (513 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=256, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=256, TLS 1.2" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 256 of [0-9]\\+ msglen 256" \ - -s "waiting for more fragments (256 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128 of" - -# Server-side ClientHello defragmentationis only supported for MBEDTLS_SSL_PROTO_TLS1_3. For TLS 1.2 testing -# the server should suport both protocols and downgrade to client-requested TL1.2 after proccessing the ClientHello. -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=128, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 128 of [0-9]\\+ msglen 128" \ - -s "waiting for more fragments (128 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=64, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 64 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 64 of [0-9]\\+ msglen 64" \ - -s "waiting for more fragments (64 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=36, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 36 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 36 of [0-9]\\+ msglen 36" \ - -s "waiting for more fragments (36 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 32 of [0-9]\\+ msglen 32" \ - -s "waiting for more fragments (32 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=16, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 16 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 16 of [0-9]\\+ msglen 16" \ - -s "waiting for more fragments (16 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=13, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 13 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 13 of [0-9]\\+ msglen 13" \ - -s "waiting for more fragments (13 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=5, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 5 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 5 of [0-9]\\+ msglen 5" \ - -s "waiting for more fragments (5 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication -run_test "Handshake defragmentation on server: len=4, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 0 \ - -s "reassembled record" \ - -s "handshake fragment: 0 \\.\\. 4 of [0-9]\\+ msglen 4" \ - -s "waiting for more fragments (4 of" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Handshake defragmentation on server: len=3, TLS 1.3" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_3 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 1 \ - -s "<= parse client hello" \ - -s "handshake message too short: 3" \ - -s "SSL - An invalid SSL record was received" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "Handshake defragmentation on server: len=3, TLS 1.2 TLS 1.3 ClientHello -> 1.2 Handshake" \ - "$P_SRV debug_level=4 auth_mode=required" \ - "$O_NEXT_CLI -tls1_2 -split_send_frag 3 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - 1 \ - -s "<= parse client hello" \ - -s "handshake message too short: 3" \ - -s "SSL - An invalid SSL record was received" From e0bd20bd585a018b6497dac14934ea9a530a9d1f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 3 Mar 2025 14:10:08 +0100 Subject: [PATCH 50/74] Generate handshake defragmentation test cases: update analyze_outcomes Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 7a5c506a9..394601762 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -34,6 +34,13 @@ class CoverageTask(outcome_analysis.CoverageTask): re.DOTALL) IGNORED_TESTS = { + 'handshake-generated': [ + # Temporary disable Handshake defragmentation tests until mbedtls + # pr #10011 has been merged. + 'Handshake defragmentation on client: len=4, TLS 1.2', + 'Handshake defragmentation on client: len=5, TLS 1.2', + 'Handshake defragmentation on client: len=13, TLS 1.2' + ], 'ssl-opt': [ # We don't run ssl-opt.sh with Valgrind on the CI because # it's extremely slow. We don't intend to change this. @@ -50,11 +57,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # TLS doesn't use restartable ECDH yet. # https://github.com/Mbed-TLS/mbedtls/issues/7294 re.compile(r'EC restart:.*no USE_PSA.*'), - # Temporary disable Handshake defragmentation tests until mbedtls - # pr #10011 has been merged. - 'Handshake defragmentation on client: len=4, TLS 1.2', - 'Handshake defragmentation on client: len=5, TLS 1.2', - 'Handshake defragmentation on client: len=13, TLS 1.2' ], 'test_suite_config.mbedtls_boolean': [ # Missing coverage of test configurations. From 2d23a9a4643ca88d9ca541f4a0af556785040878 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 4 Mar 2025 18:51:27 +0100 Subject: [PATCH 51/74] Update framework Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index f88eb21ff..4a009d4b3 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit f88eb21ff11afe2c9ed553dcdba27166198f90d9 +Subproject commit 4a009d4b3cf6c55a558d90c92c1aa2d1ea2bb99b From 2e5a7ea9bc4301745c0234225b18218f4af3edc3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 12 Feb 2025 23:11:09 +0100 Subject: [PATCH 52/74] Fix Doxygen markup Pacify `clang -Wdocumentation`. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_test_lib.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index 6fc3d7307..bc5cce51a 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -243,8 +243,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, * - free the provided PK context and re-initilize it as an opaque PK context * wrapping the PSA key imported in the above step. * - * \param[in/out] pk On input the non-opaque PK context which contains the - * key to be wrapped. On output the re-initialized PK + * \param[in,out] pk On input, the non-opaque PK context which contains the + * key to be wrapped. On output, the re-initialized PK * context which represents the opaque version of the one * provided as input. * \param[in] psa_alg The primary algorithm that will be associated to the From 9bdc8aa80b3d8df7286273cf2710e1d658d147c5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 28 Feb 2025 21:29:59 +0100 Subject: [PATCH 53/74] Tweak "waiting for more handshake fragments" log message In preparation for reworking mbedtls_ssl_prepare_handshake_record(), tweak the "waiting for more handshake fragments" log message in ssl_consume_current_message(), and add a similar one in mbedtls_ssl_prepare_handshake_record(). Assert both. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a87785cfe..a9310aa97 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3054,6 +3054,9 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) ssl->in_hdr = ssl->in_msg + ssl->in_msglen; ssl->in_msglen = 0; mbedtls_ssl_update_in_pointers(ssl); + MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %" + MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET, + ssl->in_hsfraglen, ssl->in_hslen)); return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; } if (ssl->in_hsfraglen > 0) { @@ -4438,11 +4441,9 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) if (ssl->in_hsfraglen != 0) { /* Not all handshake fragments have arrived, do not consume. */ - MBEDTLS_SSL_DEBUG_MSG(3, - ("waiting for more fragments (%" MBEDTLS_PRINTF_SIZET " of %" - MBEDTLS_PRINTF_SIZET ", %" MBEDTLS_PRINTF_SIZET " left)", - ssl->in_hsfraglen, ssl->in_hslen, - ssl->in_hslen - ssl->in_hsfraglen)); + MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments %" + MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET, + ssl->in_hsfraglen, ssl->in_hslen)); return 0; } From 07027722cbe091f2fe8f446e4805dcc93f604bda Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 3 Mar 2025 16:46:10 +0100 Subject: [PATCH 54/74] Tweak handshake fragment log message In preparation for reworking mbedtls_ssl_prepare_handshake_record(), tweak the "handshake fragment:" log message. This changes what information is displayed when a record contains data beyond the expected end of the handshake message. This case is currently untested and its handling will change in a subsequent commit. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a9310aa97..12d46c305 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3042,13 +3042,14 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) int ret; const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; MBEDTLS_SSL_DEBUG_MSG(3, - ("handshake fragment: %" MBEDTLS_PRINTF_SIZET " .. %" - MBEDTLS_PRINTF_SIZET " of %" - MBEDTLS_PRINTF_SIZET " msglen %" MBEDTLS_PRINTF_SIZET, + ("handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %" MBEDTLS_PRINTF_SIZET + "..%" MBEDTLS_PRINTF_SIZET + " of %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen, ssl->in_hsfraglen, - ssl->in_hsfraglen + - (hs_remain <= ssl->in_msglen ? hs_remain : ssl->in_msglen), - ssl->in_hslen, ssl->in_msglen)); + ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hslen)); if (ssl->in_msglen < hs_remain) { ssl->in_hsfraglen += ssl->in_msglen; ssl->in_hdr = ssl->in_msg + ssl->in_msglen; From 7a17696c3414d10970fedc135dac7f8bcdf893a6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 28 Feb 2025 21:59:12 +0100 Subject: [PATCH 55/74] mbedtls_ssl_prepare_handshake_record(): refactor first fragment prep Minor refactoring of the initial checks and preparation when receiving the first fragment. Use `ssl->in_hsfraglen` to determine whether there is a pending handshake fragment, for consistency, and possibly for more robustness in case handshake fragments are mixed with non-handshake records (although this is not currently supported anyway). Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 12d46c305..a8c79172f 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2962,16 +2962,19 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) { - /* First handshake fragment must at least include the header. */ - if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl) && ssl->in_hslen == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen)); - return MBEDTLS_ERR_SSL_INVALID_RECORD; - } + if (ssl->in_hsfraglen == 0) { + /* The handshake message must at least include the header. + * We may not have the full message yet in case of fragmentation. + * To simplify the code, we insist on having the header (and in + * particular the handshake message length) in the first + * fragment. */ + if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { + MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen)); + return MBEDTLS_ERR_SSL_INVALID_RECORD; + } - if (ssl->in_hslen == 0) { ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); - ssl->in_hsfraglen = 0; } MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" From 235eae9e0381c889b0d011971fe2c8123652a073 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 28 Feb 2025 22:02:52 +0100 Subject: [PATCH 56/74] mbedtls_ssl_prepare_handshake_record(): log offsets after decryption Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a8c79172f..cba6096eb 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -2982,6 +2982,14 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) MBEDTLS_PRINTF_SIZET, ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen)); + if (ssl->transform_in != NULL) { + MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:" + " iv-buf=%d hdr-buf=%d hdr-buf=%d", + (int) (ssl->in_iv - ssl->in_buf), + (int) (ssl->in_hdr - ssl->in_buf), + (int) (ssl->in_msg - ssl->in_buf))); + } + #if defined(MBEDTLS_SSL_PROTO_DTLS) if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; From e85ece6584d9fae3a3f3661619d0223e6482acff Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 28 Feb 2025 22:24:56 +0100 Subject: [PATCH 57/74] Handshake defragmentation: reassemble incrementally Reassemble handshake fragments incrementally instead of all at the end. That is, every time we receive a non-initial handshake fragment, append it to the initial fragment. Since we only have to deal with at most two handshake fragments at the same time, this simplifies the code (no re-parsing of a record) and is a little more memory-efficient (no need to store one record header per record). This commit also fixes a bug. The previous code did not calculate offsets correctly when records use an explicit IV, which is the case in TLS 1.2 with CBC (encrypt-then-MAC or not), GCM and CCM encryption (i.e. all but null and ChachaPoly). This led to the wrong data when an encrypted handshake message was fragmented (Finished or renegotiation). The new code handles this correctly. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 162 ++++++++++++++++++++---------- tests/scripts/analyze_outcomes.py | 7 -- 2 files changed, 110 insertions(+), 59 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index cba6096eb..454b1ebbd 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3049,64 +3049,122 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) } } else #endif /* MBEDTLS_SSL_PROTO_DTLS */ - if (ssl->in_hsfraglen <= ssl->in_hslen) { - int ret; - const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; - MBEDTLS_SSL_DEBUG_MSG(3, - ("handshake fragment: %" MBEDTLS_PRINTF_SIZET - ", %" MBEDTLS_PRINTF_SIZET - "..%" MBEDTLS_PRINTF_SIZET - " of %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen, - ssl->in_hsfraglen, - ssl->in_hsfraglen + ssl->in_msglen, - ssl->in_hslen)); - if (ssl->in_msglen < hs_remain) { - ssl->in_hsfraglen += ssl->in_msglen; - ssl->in_hdr = ssl->in_msg + ssl->in_msglen; + { + unsigned char *const reassembled_record_start = + ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; + unsigned char *const payload_start = + reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl); + unsigned char *payload_end = payload_start + ssl->in_hsfraglen; + + if (ssl->in_hsfraglen != 0) { + /* We already had a handshake fragment. Prepare to append + * to the initial segment. */ + MBEDTLS_SSL_DEBUG_MSG(3, + ("subsequent handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %" MBEDTLS_PRINTF_SIZET + "..%" MBEDTLS_PRINTF_SIZET + " of %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen, + ssl->in_hsfraglen, + ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hslen)); + + const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; + if (ssl->in_msglen > hs_remain) { + MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake fragment too long: %" + MBEDTLS_PRINTF_SIZET " but only %" + MBEDTLS_PRINTF_SIZET " of %" + MBEDTLS_PRINTF_SIZET " remain", + ssl->in_msglen, + hs_remain, + ssl->in_hslen)); + return MBEDTLS_ERR_SSL_INVALID_RECORD; + } + } else if (ssl->in_msglen == ssl->in_hslen) { + /* This is the sole fragment. */ + /* Emit a log message in the same format as when there are + * multiple fragments, for ease of matching. */ + MBEDTLS_SSL_DEBUG_MSG(3, + ("sole handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %" MBEDTLS_PRINTF_SIZET + "..%" MBEDTLS_PRINTF_SIZET + " of %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen, + ssl->in_hsfraglen, + ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hslen)); + } else { + /* This is the first fragment of many. */ + MBEDTLS_SSL_DEBUG_MSG(3, + ("initial handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %" MBEDTLS_PRINTF_SIZET + "..%" MBEDTLS_PRINTF_SIZET + " of %" MBEDTLS_PRINTF_SIZET, + ssl->in_msglen, + ssl->in_hsfraglen, + ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hslen)); + } + + /* Move the received handshake fragment to have the whole message + * (at least the part received so far) in a single segment at a + * known offset in the input buffer. + * - When receiving a non-initial handshake fragment, append it to + * the initial segment. + * - Even the initial handshake fragment is moved, if it was + * encrypted with an explicit IV: decryption leaves the payload + * after the explicit IV, but here we move it to start where the + * IV was. + */ +#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) + size_t const in_buf_len = ssl->in_buf_len; +#else + size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; +#endif + if (payload_end + ssl->in_hsfraglen > ssl->in_buf + in_buf_len) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Shouldn't happen: no room to move handshake fragment %" + MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%" + MBEDTLS_PRINTF_SIZET ")", + ssl->in_msglen, + ssl->in_msg, payload_end, + ssl->in_buf, in_buf_len)); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + memmove(payload_end, ssl->in_msg, ssl->in_msglen); + + ssl->in_hsfraglen += ssl->in_msglen; + payload_end += ssl->in_msglen; + + if (ssl->in_hsfraglen < ssl->in_hslen) { + MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %" + MBEDTLS_PRINTF_SIZET "/%" + MBEDTLS_PRINTF_SIZET, + ssl->in_hsfraglen, ssl->in_hslen)); + ssl->in_hdr = payload_end; ssl->in_msglen = 0; mbedtls_ssl_update_in_pointers(ssl); - MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments %" - MBEDTLS_PRINTF_SIZET "/%" MBEDTLS_PRINTF_SIZET, - ssl->in_hsfraglen, ssl->in_hslen)); return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; - } - if (ssl->in_hsfraglen > 0) { - /* - * At in_first_hdr we have a sequence of records that cover the next handshake - * record, each with its own record header that we need to remove. - * Note that the reassembled record size may not equal the size of the message, - * there may be more messages after it, complete or partial. - */ - unsigned char *in_first_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; - unsigned char *p = in_first_hdr, *q = NULL; - size_t merged_rec_len = 0; - do { - mbedtls_record rec; - ret = ssl_parse_record_header(ssl, p, mbedtls_ssl_in_hdr_len(ssl), &rec); - if (ret != 0) { - return ret; - } - merged_rec_len += rec.data_len; - p = rec.buf + rec.buf_len; - if (q != NULL) { - memmove(q, rec.buf + rec.data_offset, rec.data_len); - q += rec.data_len; - } else { - q = p; - } - } while (merged_rec_len < ssl->in_hslen); - ssl->in_hdr = in_first_hdr; - mbedtls_ssl_update_in_pointers(ssl); - ssl->in_msglen = merged_rec_len; - /* Adjust message length. */ - MBEDTLS_PUT_UINT16_BE(merged_rec_len, ssl->in_len, 0); + } else { + ssl->in_msglen = ssl->in_hsfraglen; ssl->in_hsfraglen = 0; + ssl->in_hdr = reassembled_record_start; + mbedtls_ssl_update_in_pointers(ssl); + + /* Update the record length in the fully reassembled record */ + if (ssl->in_msglen > 0xffff) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("Shouldn't happen: in_msglen=%" + MBEDTLS_PRINTF_SIZET " > 0xffff", + ssl->in_msglen)); + return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + } + MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); + MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", - ssl->in_hdr, mbedtls_ssl_in_hdr_len(ssl) + merged_rec_len); + ssl->in_hdr, + mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen); } - } else { - return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } return 0; diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 394601762..e68c2cbf0 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -34,13 +34,6 @@ class CoverageTask(outcome_analysis.CoverageTask): re.DOTALL) IGNORED_TESTS = { - 'handshake-generated': [ - # Temporary disable Handshake defragmentation tests until mbedtls - # pr #10011 has been merged. - 'Handshake defragmentation on client: len=4, TLS 1.2', - 'Handshake defragmentation on client: len=5, TLS 1.2', - 'Handshake defragmentation on client: len=13, TLS 1.2' - ], 'ssl-opt': [ # We don't run ssl-opt.sh with Valgrind on the CI because # it's extremely slow. We don't intend to change this. From 90a9593bbd3ec343e16d73cbaf998f8e5768a9b6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 25 Feb 2025 23:57:20 +0100 Subject: [PATCH 58/74] Fix dodgy printf calls Pacify `clang -Wformat-pedantic`. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 454b1ebbd..9d8857dfa 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3127,8 +3127,8 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%" MBEDTLS_PRINTF_SIZET ")", ssl->in_msglen, - ssl->in_msg, payload_end, - ssl->in_buf, in_buf_len)); + (void *) ssl->in_msg, (void *) payload_end, + (void *) ssl->in_buf, in_buf_len)); return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } memmove(payload_end, ssl->in_msg, ssl->in_msglen); From 36edd48c61c9c86edd9d3774496c83d12d2cfaa5 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 5 Mar 2025 17:41:59 +0100 Subject: [PATCH 59/74] Document the limitations of TLS handshake message defragmentation Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 0c0c8bb4d..85255498b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4360,6 +4360,24 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * with \c mbedtls_ssl_read()), not handshake messages. * With DTLS, this affects both ApplicationData and handshake. * + * \note Defragmentation of incoming handshake messages in TLS + * (excluding DTLS) is supported with some limitations: + * - On an Mbed TLS server that only accepts TLS 1.2, + * the initial ClientHello message must not be fragmented. + * A TLS 1.2 ClientHello may be fragmented if the server + * also accepts TLS 1.3 connections (meaning + * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + * accepted versions have not been restricted with + * mbedtls_ssl_conf_max_tls_version() or the like). + * - A ClientHello message that initiates a renegotiation + * must not be fragmented. + * - The first fragment of a handshake message must be + * at least 4 bytes long. + * - Non-handshake records must not be interleaved between + * the fragments of a handshake message. (This is permitted + * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + * even in TLS 1.2.) + * * \note This sets the maximum length for a record's payload, * excluding record overhead that will be added to it, see * \c mbedtls_ssl_get_record_expansion(). From 1b785e2201b9c3047cee8a86caa3ba2718aeee3b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 5 Mar 2025 17:44:20 +0100 Subject: [PATCH 60/74] Refer to the API documentation for details Signed-off-by: Gilles Peskine --- ChangeLog.d/tls-hs-defrag-in.txt | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt index 4fd4a4e37..748f95c10 100644 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -1,12 +1,7 @@ Bugfix - * Support re-assembly of fragmented handshake messages in TLS, as mandated - by the spec. Lack of support was causing handshake failures with some - servers, especially with TLS 1.3 in practice (though both protocol - version could be affected in principle, and both are fixed now). - The initial fragment for each handshake message must be at least 4 bytes. - - Server-side, defragmentation of the ClientHello message is only - supported if the server accepts TLS 1.3 (regardless of whether the - ClientHello is 1.3 or 1.2). That is, servers configured (either - at compile time or at runtime) to only accept TLS 1.2 will - still fail the handshake if the ClientHello message is fragmented. + * Support re-assembly of fragmented handshake messages in TLS (both + 1.2 and 1.3). The lack of support was causing handshake failures with + some servers, especially with TLS 1.3 in practice. There are a few + limitations, notably a fragmented ClientHello is only supported when + TLS 1.3 support is enabled. See the documentation of + mbedtls_ssl_conf_max_frag_len() for details. From e4a3fc2f5818729fc13739448c9518f41094d627 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 3 Mar 2025 17:53:53 +0100 Subject: [PATCH 61/74] Update framework Changed log messages and added more tests in `tests/opt-testcases/handshake-generated.sh`. Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 4a009d4b3..8d85112a4 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 4a009d4b3cf6c55a558d90c92c1aa2d1ea2bb99b +Subproject commit 8d85112a44d052a5d89cb0a135e162384da42584 From 0851ec93444b55b1dbb0db7cec3c4845f9cefcd3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 15:15:20 +0100 Subject: [PATCH 62/74] Fix end check before memmove Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9d8857dfa..ad3bf5759 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3121,7 +3121,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) #else size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; #endif - if (payload_end + ssl->in_hsfraglen > ssl->in_buf + in_buf_len) { + if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) { MBEDTLS_SSL_DEBUG_MSG(1, ("Shouldn't happen: no room to move handshake fragment %" MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%" From 15c072f0de4555c4810acec14e074c01ddf871de Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 19:03:00 +0100 Subject: [PATCH 63/74] Fix handshake defragmentation when the record has multiple messages A handshake record may contain multiple handshake messages, or multiple fragments (there can be the final fragment of a pending message, then zero or more whole messages, and an initial fragment of an incomplete message). This was previously untested, but supported, so don't break it. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index ad3bf5759..acd05b038 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3055,6 +3055,15 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) unsigned char *const payload_start = reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl); unsigned char *payload_end = payload_start + ssl->in_hsfraglen; + /* How many more bytes we want to have a complete handshake message. */ + const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; + /* How many bytes of the current record are part of the first + * handshake message. There may be more handshake messages (possibly + * incomplete) in the same record; if so, we leave them after the + * current record, and ssl_consume_current_message() will take + * care of consuming the next handshake message. */ + const size_t hs_this_fragment_len = + ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen; if (ssl->in_hsfraglen != 0) { /* We already had a handshake fragment. Prepare to append @@ -3066,21 +3075,9 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) " of %" MBEDTLS_PRINTF_SIZET, ssl->in_msglen, ssl->in_hsfraglen, - ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hsfraglen + hs_this_fragment_len, ssl->in_hslen)); - - const size_t hs_remain = ssl->in_hslen - ssl->in_hsfraglen; - if (ssl->in_msglen > hs_remain) { - MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake fragment too long: %" - MBEDTLS_PRINTF_SIZET " but only %" - MBEDTLS_PRINTF_SIZET " of %" - MBEDTLS_PRINTF_SIZET " remain", - ssl->in_msglen, - hs_remain, - ssl->in_hslen)); - return MBEDTLS_ERR_SSL_INVALID_RECORD; - } - } else if (ssl->in_msglen == ssl->in_hslen) { + } else if (hs_this_fragment_len == ssl->in_hslen) { /* This is the sole fragment. */ /* Emit a log message in the same format as when there are * multiple fragments, for ease of matching. */ @@ -3091,7 +3088,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) " of %" MBEDTLS_PRINTF_SIZET, ssl->in_msglen, ssl->in_hsfraglen, - ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hsfraglen + hs_this_fragment_len, ssl->in_hslen)); } else { /* This is the first fragment of many. */ @@ -3102,7 +3099,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) " of %" MBEDTLS_PRINTF_SIZET, ssl->in_msglen, ssl->in_hsfraglen, - ssl->in_hsfraglen + ssl->in_msglen, + ssl->in_hsfraglen + hs_this_fragment_len, ssl->in_hslen)); } @@ -3154,16 +3151,24 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) /* Update the record length in the fully reassembled record */ if (ssl->in_msglen > 0xffff) { MBEDTLS_SSL_DEBUG_MSG(1, - ("Shouldn't happen: in_msglen=%" + ("Shouldn't happen: in_hslen=%" MBEDTLS_PRINTF_SIZET " > 0xffff", ssl->in_msglen)); return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; } MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); + size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen; MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", - ssl->in_hdr, - mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen); + ssl->in_hdr, record_len); + if (ssl->in_hslen < ssl->in_msglen) { + MBEDTLS_SSL_DEBUG_MSG(3, + ("More handshake messages in the record: " + "%" MBEDTLS_PRINTF_SIZET " + " + "%" MBEDTLS_PRINTF_SIZET, + ssl->in_hslen, + ssl->in_msglen - ssl->in_hslen)); + } } } From afb254c5fed409cf3811e468aae82a72198f38ae Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 19:23:22 +0100 Subject: [PATCH 64/74] Unify handshake fragment log messages There is no longer any different processing at this point, just near-identical log messages. Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 51 +++++++++++++---------------------------------- 1 file changed, 14 insertions(+), 37 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index acd05b038..851c0df39 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3065,43 +3065,20 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) const size_t hs_this_fragment_len = ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen; - if (ssl->in_hsfraglen != 0) { - /* We already had a handshake fragment. Prepare to append - * to the initial segment. */ - MBEDTLS_SSL_DEBUG_MSG(3, - ("subsequent handshake fragment: %" MBEDTLS_PRINTF_SIZET - ", %" MBEDTLS_PRINTF_SIZET - "..%" MBEDTLS_PRINTF_SIZET - " of %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen, - ssl->in_hsfraglen, - ssl->in_hsfraglen + hs_this_fragment_len, - ssl->in_hslen)); - } else if (hs_this_fragment_len == ssl->in_hslen) { - /* This is the sole fragment. */ - /* Emit a log message in the same format as when there are - * multiple fragments, for ease of matching. */ - MBEDTLS_SSL_DEBUG_MSG(3, - ("sole handshake fragment: %" MBEDTLS_PRINTF_SIZET - ", %" MBEDTLS_PRINTF_SIZET - "..%" MBEDTLS_PRINTF_SIZET - " of %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen, - ssl->in_hsfraglen, - ssl->in_hsfraglen + hs_this_fragment_len, - ssl->in_hslen)); - } else { - /* This is the first fragment of many. */ - MBEDTLS_SSL_DEBUG_MSG(3, - ("initial handshake fragment: %" MBEDTLS_PRINTF_SIZET - ", %" MBEDTLS_PRINTF_SIZET - "..%" MBEDTLS_PRINTF_SIZET - " of %" MBEDTLS_PRINTF_SIZET, - ssl->in_msglen, - ssl->in_hsfraglen, - ssl->in_hsfraglen + hs_this_fragment_len, - ssl->in_hslen)); - } + MBEDTLS_SSL_DEBUG_MSG(3, + ("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET + ", %" MBEDTLS_PRINTF_SIZET + "..%" MBEDTLS_PRINTF_SIZET + " of %" MBEDTLS_PRINTF_SIZET, + (ssl->in_hsfraglen != 0 ? + "subsequent" : + hs_this_fragment_len == ssl->in_hslen ? + "sole" : + "initial"), + ssl->in_msglen, + ssl->in_hsfraglen, + ssl->in_hsfraglen + hs_this_fragment_len, + ssl->in_hslen)); /* Move the received handshake fragment to have the whole message * (at least the part received so far) in a single segment at a From b8f1e4bae3fa26743ee3dfe43f22c2425dbb2db9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 21:32:08 +0100 Subject: [PATCH 65/74] Pacify uncrustify Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 851c0df39..3c7ff8279 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3141,8 +3141,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) if (ssl->in_hslen < ssl->in_msglen) { MBEDTLS_SSL_DEBUG_MSG(3, ("More handshake messages in the record: " - "%" MBEDTLS_PRINTF_SIZET " + " - "%" MBEDTLS_PRINTF_SIZET, + "%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET, ssl->in_hslen, ssl->in_msglen - ssl->in_hslen)); } From dab1cb5b4515c683e0016b381afc0b1bd30b797b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 6 Mar 2025 21:30:23 +0100 Subject: [PATCH 66/74] Note unused variables when debugging is disabled Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3c7ff8279..cc133be27 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3064,6 +3064,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) * care of consuming the next handshake message. */ const size_t hs_this_fragment_len = ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen; + (void) hs_this_fragment_len; MBEDTLS_SSL_DEBUG_MSG(3, ("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET @@ -3136,6 +3137,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen; + (void) record_len; MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", ssl->in_hdr, record_len); if (ssl->in_hslen < ssl->in_msglen) { From e34ec86370b340bc845a91ea0b08e016c84c9d92 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 7 Mar 2025 10:43:39 +0100 Subject: [PATCH 67/74] Fix a log message Signed-off-by: Gilles Peskine --- library/ssl_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index cc133be27..d91e8300a 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -3129,7 +3129,7 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) /* Update the record length in the fully reassembled record */ if (ssl->in_msglen > 0xffff) { MBEDTLS_SSL_DEBUG_MSG(1, - ("Shouldn't happen: in_hslen=%" + ("Shouldn't happen: in_msglen=%" MBEDTLS_PRINTF_SIZET " > 0xffff", ssl->in_msglen)); return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; From e26a060194d347ade965050fe94bfb665b8f4d83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 5 Mar 2025 12:52:18 +0100 Subject: [PATCH 68/74] Cleanly reject non-HS in-between HS fragments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_msg.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index d91e8300a..f5ea8dd27 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4889,6 +4889,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + /* If we're in the middle of a fragmented TLS handshake message, + * we don't accept any other message type. For TLS 1.3, the spec forbids + * interleaving other message types between handshake fragments. For TLS + * 1.2, the spec does not forbid it but we do. */ + if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM && + ssl->in_hsfraglen != 0 && + ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { + MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle" + " of a fragmented handshake message")); + return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; + } + /* * Handle particular types of records */ From d8f9e22b5e7f5aa896c2a923fe0e67c160b0c3af Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 11 Mar 2025 13:45:27 +0100 Subject: [PATCH 69/74] Move the defragmentation documentation to mbedtls_ssl_handshake Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 85255498b..41dc13f62 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4360,23 +4360,9 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * with \c mbedtls_ssl_read()), not handshake messages. * With DTLS, this affects both ApplicationData and handshake. * - * \note Defragmentation of incoming handshake messages in TLS - * (excluding DTLS) is supported with some limitations: - * - On an Mbed TLS server that only accepts TLS 1.2, - * the initial ClientHello message must not be fragmented. - * A TLS 1.2 ClientHello may be fragmented if the server - * also accepts TLS 1.3 connections (meaning - * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the - * accepted versions have not been restricted with - * mbedtls_ssl_conf_max_tls_version() or the like). - * - A ClientHello message that initiates a renegotiation - * must not be fragmented. - * - The first fragment of a handshake message must be - * at least 4 bytes long. - * - Non-handshake records must not be interleaved between - * the fragments of a handshake message. (This is permitted - * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it - * even in TLS 1.2.) + * \note Defragmentation of TLS handshake messages is supported + * with some limitations. See the documentation of + * mbedtls_ssl_handshake() for details. * * \note This sets the maximum length for a record's payload, * excluding record overhead that will be added to it, see @@ -4867,6 +4853,24 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * currently being processed might or might not contain further * DTLS records. * + * \note Defragmentation of incoming handshake messages in TLS + * (excluding DTLS) is supported with some limitations: + * - On an Mbed TLS server that only accepts TLS 1.2, + * the initial ClientHello message must not be fragmented. + * A TLS 1.2 ClientHello may be fragmented if the server + * also accepts TLS 1.3 connections (meaning + * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the + * accepted versions have not been restricted with + * mbedtls_ssl_conf_max_tls_version() or the like). + * - A ClientHello message that initiates a renegotiation + * must not be fragmented. + * - The first fragment of a handshake message must be + * at least 4 bytes long. + * - Non-handshake records must not be interleaved between + * the fragments of a handshake message. (This is permitted + * in TLS 1.2 but not in TLS 1.3, but Mbed TLS rejects it + * even in TLS 1.2.) + * * \note The PSA crypto subsystem must have been initialized by * calling psa_crypto_init() before calling this function. */ From 80facedad9742ee83584bfcfe6ebdc30af223563 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 11 Mar 2025 13:47:14 +0100 Subject: [PATCH 70/74] ClientHello may be fragmented in renegotiation Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 41dc13f62..469364d3f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4862,8 +4862,6 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the * accepted versions have not been restricted with * mbedtls_ssl_conf_max_tls_version() or the like). - * - A ClientHello message that initiates a renegotiation - * must not be fragmented. * - The first fragment of a handshake message must be * at least 4 bytes long. * - Non-handshake records must not be interleaved between From d9c858039e524f5f3460bed520991cf09575ab2e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 11 Mar 2025 13:47:49 +0100 Subject: [PATCH 71/74] Clarify DTLS Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 469364d3f..e28c8ee73 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4854,7 +4854,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * DTLS records. * * \note Defragmentation of incoming handshake messages in TLS - * (excluding DTLS) is supported with some limitations: + * is supported with some limitations: * - On an Mbed TLS server that only accepts TLS 1.2, * the initial ClientHello message must not be fragmented. * A TLS 1.2 ClientHello may be fragmented if the server @@ -4862,6 +4862,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the * accepted versions have not been restricted with * mbedtls_ssl_conf_max_tls_version() or the like). + * This limitation does not apply to DTLS. * - The first fragment of a handshake message must be * at least 4 bytes long. * - Non-handshake records must not be interleaved between From 2b78a5abfa2a19b6ec38066a080a6b6d10ad23fc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 12 Mar 2025 10:07:33 +0100 Subject: [PATCH 72/74] State globally that the limitations don't apply to DTLS Signed-off-by: Gilles Peskine --- include/mbedtls/ssl.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e28c8ee73..4547976e3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4853,8 +4853,10 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * currently being processed might or might not contain further * DTLS records. * - * \note Defragmentation of incoming handshake messages in TLS - * is supported with some limitations: + * \note In TLS, reception of fragmented handshake messages is + * supported with some limitations (those limitations do + * not apply to DTLS, where defragmentation is fully + * supported): * - On an Mbed TLS server that only accepts TLS 1.2, * the initial ClientHello message must not be fragmented. * A TLS 1.2 ClientHello may be fragmented if the server @@ -4862,7 +4864,6 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, * that #MBEDTLS_SSL_PROTO_TLS1_3 enabled, and the * accepted versions have not been restricted with * mbedtls_ssl_conf_max_tls_version() or the like). - * This limitation does not apply to DTLS. * - The first fragment of a handshake message must be * at least 4 bytes long. * - Non-handshake records must not be interleaved between From 4c30cd8e492e9230a68afa2f85a83368449f7eec Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 12 Mar 2025 10:08:14 +0100 Subject: [PATCH 73/74] Update the location of defragmentation limitations Signed-off-by: Gilles Peskine --- ChangeLog.d/tls-hs-defrag-in.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/tls-hs-defrag-in.txt b/ChangeLog.d/tls-hs-defrag-in.txt index 748f95c10..6bab02a02 100644 --- a/ChangeLog.d/tls-hs-defrag-in.txt +++ b/ChangeLog.d/tls-hs-defrag-in.txt @@ -4,4 +4,4 @@ Bugfix some servers, especially with TLS 1.3 in practice. There are a few limitations, notably a fragmented ClientHello is only supported when TLS 1.3 support is enabled. See the documentation of - mbedtls_ssl_conf_max_frag_len() for details. + mbedtls_ssl_handshake() for details. From a4c9233292caad5612c135ddbf1c005c9cd04fb3 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Mar 2025 15:25:17 +0000 Subject: [PATCH 74/74] Updated framework pointer. Signed-off-by: Minos Galanakis --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 8d85112a4..cab0c5fe1 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 8d85112a44d052a5d89cb0a135e162384da42584 +Subproject commit cab0c5fe19d5747cb9603552b80ebe64b9c67fdd