cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-10 15:50:47 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9137 from gilles-peskine-arm/ssl-opt-server2-detection-2.28

Browse Source 
Backport 2.28: Fix skipped tests in configurations without RSA
This commit is contained in:
Gilles Peskine 2024-05-15 12:06:42 +00:00 committed by GitHub
commit b86ce2ee36
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 120 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
tests/ssl-opt.sh
View File

@ -69,6 +69,32 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
# alternative versions of OpenSSL and GnuTLS (no default path)
# If $OPENSSL is at least 1.1.1, use it as OPENSSL_NEXT as well.
if [ -z "${OPENSSL_NEXT:-}" ]; then
case $($OPENSSL version) in
OpenSSL\ 1.1.[1-9]*) OPENSSL_NEXT=$OPENSSL;;
OpenSSL\ [3-9]*) OPENSSL_NEXT=$OPENSSL;;
esac
fi
# If $GNUTLS_CLI is at least 3.7, use it as GNUTLS_NEXT_CLI as well.
if [ -z "${GNUTLS_NEXT_CLI:-}" ]; then
case $($GNUTLS_CLI --version) in
gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
gnutls-cli\ [4-9]*) GNUTLS_NEXT_CLI=$GNUTLS_CLI;;
esac
fi
# If $GNUTLS_SERV is at least 3.7, use it as GNUTLS_NEXT_SERV as well.
if [ -z "${GNUTLS_NEXT_SERV:-}" ]; then
case $($GNUTLS_SERV --version) in
gnutls-cli\ 3.[1-9][0-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
gnutls-cli\ 3.[7-9].*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
gnutls-cli\ [4-9]*) GNUTLS_NEXT_SERV=$GNUTLS_SERV;;
esac
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
@ -352,9 +378,10 @@ requires_certificate_authentication () {
adapt_cmd_for_psk () {
case "$2" in
*openssl*) s='-psk abc123 -nocert';;
*gnutls-*) s='--pskkey=abc123';;
*) s='psk=abc123';;
*openssl*s_server*) s='-psk 73776f726466697368 -nocert';;
*openssl*) s='-psk 73776f726466697368';;
*gnutls-*) s='--pskusername=Client_identity --pskkey=73776f726466697368';;
*) s='psk=73776f726466697368';;
esac
eval $1='"$2 $s"'
unset s
@ -1154,7 +1181,7 @@ do_run_test_once() {
if [ -n "$PXY_CMD" ]; then
kill $PXY_PID >/dev/null 2>&1
wait $PXY_PID
wait $PXY_PID >> $PXY_OUT 2>&1
fi
}
@ -1723,8 +1750,8 @@ run_test "Opaque key: server: ECDH-RSA not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: ECDHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1734,8 +1761,8 @@ run_test "Opaque psk: client: ECDHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: DHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1745,8 +1772,8 @@ run_test "Opaque psk: client: DHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: client: RSA-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
1 \
@ -1756,10 +1783,10 @@ run_test "Opaque psk: client: RSA-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: ECDHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with ECDHE-PSK" \
-s "error" \
@ -1767,10 +1794,10 @@ run_test "Opaque psk: server: ECDHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: DHE-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-DHE-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with DHE-PSK" \
-s "error" \
@ -1778,10 +1805,10 @@ run_test "Opaque psk: server: DHE-PSK not supported" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "Opaque psk: server: RSA-PSK not supported" \
"$P_SRV debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 \
"$P_SRV debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 \
force_version=tls12 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI debug_level=1 psk=abc123 psk_identity=foo" \
"$P_CLI debug_level=1 psk=73776f726466697368 psk_identity=foo" \
1 \
-s "opaque PSK not supported with RSA-PSK" \
-s "error" \
@ -1935,12 +1962,14 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
# Tests for SHA-1 support
requires_config_enabled MBEDTLS_SHA1_C
run_test "SHA-1 forbidden by default in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI debug_level=2 allow_sha1=0" \
1 \
-c "The certificate is signed with an unacceptable hash"
requires_config_enabled MBEDTLS_SHA1_C
run_test "SHA-1 explicitly allowed in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI allow_sha1=1" \
@ -1951,17 +1980,23 @@ run_test "SHA-256 allowed by default in server certificate" \
"$P_CLI allow_sha1=0" \
0
requires_config_enabled MBEDTLS_SHA1_C
requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
1 \
-s "The certificate is signed with an unacceptable hash"
requires_config_enabled MBEDTLS_SHA1_C
requires_config_enabled MBEDTLS_RSA_C
run_test "SHA-1 explicitly allowed in client certificate" \
"$P_SRV auth_mode=required allow_sha1=1" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
0
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "SHA-256 allowed by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
@ -4449,6 +4484,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
# Test for the "secure renegotiation" extension only (no actual renegotiation)
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server strict, client default" \
"$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
@ -4458,6 +4494,7 @@ run_test "Renego ext: gnutls server strict, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server unsafe, client default" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
@ -4467,6 +4504,7 @@ run_test "Renego ext: gnutls server unsafe, client default" \
-c "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls server unsafe, client break legacy" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 allow_legacy=-1" \
@ -4476,6 +4514,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \
-C "HTTP/1.0 200 [Oo][Kk]"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
@ -4484,6 +4523,7 @@ run_test "Renego ext: gnutls client strict, server default" \
-s "server hello, secure renegotiation extension"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
@ -4492,6 +4532,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \
-S "server hello, secure renegotiation extension"
requires_gnutls
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
@ -6197,9 +6238,9 @@ run_test "DHM size: server default, client 2049, rejected" \
# Tests for PSK callback
run_test "PSK callback: psk, no callback" \
"$P_SRV psk=abc123 psk_identity=foo" \
"$P_SRV psk=73776f726466697368 psk_identity=foo" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-S "SSL - None of the common ciphersuites is usable" \
-S "SSL - Unknown identity received" \
@ -6207,9 +6248,9 @@ run_test "PSK callback: psk, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6221,9 +6262,9 @@ run_test "PSK callback: opaque psk on client, no callback" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6235,9 +6276,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6249,9 +6290,9 @@ run_test "PSK callback: opaque psk on client, no callback, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
"$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
"$P_SRV extended_ms=1 debug_level=3 psk=73776f726466697368 psk_identity=foo" \
"$P_CLI extended_ms=1 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 psk_opaque=1" \
psk_identity=foo psk=73776f726466697368 psk_opaque=1" \
0 \
-c "skip PMS generation for opaque PSK"\
-S "skip PMS generation for opaque PSK"\
@ -6263,9 +6304,9 @@ run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-C "skip PMS generation for opaque PSK"\
-s "skip PMS generation for opaque PSK"\
@ -6277,9 +6318,9 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
"$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_SRV extended_ms=0 debug_level=1 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
"$P_CLI extended_ms=0 debug_level=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
0 \
-C "skip PMS generation for opaque PSK"\
-s "skip PMS generation for opaque PSK"\
@ -6291,10 +6332,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
"$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123 extended_ms=1" \
psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@ -6306,10 +6347,10 @@ run_test "PSK callback: raw psk on client, static opaque on server, no callba
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
"$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls12 \
"$P_SRV debug_level=3 psk=73776f726466697368 psk_identity=foo psk_opaque=1 min_version=tls12 \
force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
"$P_CLI debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
psk_identity=foo psk=abc123 extended_ms=1" \
psk_identity=foo psk=73776f726466697368 extended_ms=1" \
0 \
-c "session hash for extended master secret"\
-s "session hash for extended master secret"\
@ -6379,7 +6420,7 @@ run_test "PSK callback: raw psk on client, no static PSK on server, opaque PS
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6393,7 +6434,7 @@ run_test "PSK callback: raw psk on client, mismatching static raw PSK on serv
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6407,7 +6448,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6420,7 +6461,7 @@ run_test "PSK callback: raw psk on client, mismatching static opaque PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=73776f726466697368 debug_level=3 psk_list=abc,dead,def,beef min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
0 \
@ -6433,7 +6474,7 @@ run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on s
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,73776f726466697368 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
"$P_CLI extended_ms=0 debug_level=3 min_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=def psk=beef" \
1 \
@ -6442,16 +6483,16 @@ run_test "PSK callback: raw psk on client, matching opaque PSK on server, wro
run_test "PSK callback: no psk, no callback" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
1 \
-s "SSL - None of the common ciphersuites is usable" \
-S "SSL - Unknown identity received" \
-S "SSL - Verification of the message MAC failed"
run_test "PSK callback: callback overrides other settings" \
"$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_SRV psk=73776f726466697368 psk_identity=foo psk_list=abc,dead,def,beef" \
"$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
psk_identity=foo psk=abc123" \
psk_identity=foo psk=73776f726466697368" \
1 \
-S "SSL - None of the common ciphersuites is usable" \
-s "SSL - Unknown identity received" \
@ -6624,11 +6665,25 @@ run_test "Per-version suites: TLS 1.2" \
# Test for ClientHello without extensions
# Without extensions, ECC is impossible (no curve negotiation).
requires_config_enabled MBEDTLS_RSA_C
requires_gnutls
run_test "ClientHello without extensions" \
run_test "ClientHello without extensions: RSA" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
0 \
-s "Ciphersuite is .*-RSA-WITH-.*" \
-S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
requires_gnutls
run_test "ClientHello without extensions: PSK" \
"$P_SRV debug_level=3 psk=73776f726466697368" \
"$G_CLI --priority=NORMAL:+PSK:-RSA:-DHE-RSA:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION --pskusername=Client_identity --pskkey=73776f726466697368 localhost" \
0 \
-s "Ciphersuite is .*-PSK-.*" \
-S "Ciphersuite is .*-EC.*" \
-s "dumping 'client hello extensions' (0 bytes)"
# Tests for mbedtls_ssl_get_bytes_avail()
@ -7964,9 +8019,9 @@ run_test "SSL async private: decrypt, delay=1" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=0" \
"$P_SRV psk=abc123 \
"$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=0 async_private_delay2=0" \
"$P_CLI psk=abc123 \
"$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@ -7974,9 +8029,9 @@ run_test "SSL async private: decrypt RSA-PSK, delay=0" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
run_test "SSL async private: decrypt RSA-PSK, delay=1" \
"$P_SRV psk=abc123 \
"$P_SRV psk=73776f726466697368 \
async_operations=d async_private_delay1=1 async_private_delay2=1" \
"$P_CLI psk=abc123 \
"$P_CLI psk=73776f726466697368 \
force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \
0 \
-s "Async decrypt callback: using key slot " \
@ -8414,8 +8469,8 @@ run_test "DTLS client auth: none, client has no cert" \
-s "! Certificate verification was skipped"
run_test "DTLS wrong PSK: badmac alert" \
"$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
"$P_CLI dtls=1 psk=abc124" \
"$P_SRV dtls=1 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
"$P_CLI dtls=1 psk=73776f726466697374" \
1 \
-s "SSL - Verification of the message MAC failed" \
-c "SSL - A fatal alert message was received from our peer"
@ -10292,8 +10347,8 @@ requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 190
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 230
run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \
-p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \
"$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \
"$P_SRV mtu=140 response_size=90 dgram_packing=0 psk=73776f726466697368 psk_identity=foo cookies=0 dtls=1 debug_level=2" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
0 \
-s "Buffer record from epoch 1" \
-s "Found buffered record from current epoch - load" \
@ -10307,8 +10362,8 @@ client_needs_more_time 2
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
-s "Extra-header:" \
@ -10375,8 +10430,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 debug_level=3" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10390,8 +10445,8 @@ requires_config_enabled MBEDTLS_SSL_CACHE_C
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 debug_level=3 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 debug_level=3 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
debug_level=3 reconnect=1 skip_close_notify=1 read_timeout=1000 max_resend=10 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
0 \
@ -10405,8 +10460,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10420,8 +10475,8 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
psk=73776f726466697368 renegotiation=1 debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiate=1 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10435,9 +10490,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \
@ -10451,9 +10506,9 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
psk=73776f726466697368 renegotiate=1 renegotiation=1 exchanges=4 \
debug_level=2 nbio=2" \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=73776f726466697368 \
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
0 \