2014-02-20 11:01:30 +01:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
# Test various options that are not covered by compat.sh
|
|
|
|
#
|
|
|
|
# Here the goal is not to cover every ciphersuite/version, but
|
|
|
|
# rather specific options (max fragment length, truncated hmac, etc)
|
|
|
|
# or procedures (session resumption from cache or ticket, renego, etc).
|
|
|
|
#
|
|
|
|
# Assumes all options are compiled in.
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
set -u
|
|
|
|
|
2014-02-20 11:01:30 +01:00
|
|
|
PROGS_DIR='../programs/ssl'
|
2014-02-25 17:14:15 +01:00
|
|
|
P_SRV="$PROGS_DIR/ssl_server2 server_addr=0.0.0.0" # force IPv4 for OpenSSL
|
2014-02-25 14:18:30 +01:00
|
|
|
P_CLI="$PROGS_DIR/ssl_client2"
|
2014-02-20 11:01:30 +01:00
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
O_ARGS="-www -cert data_files/server5.crt -key data_files/server5.key"
|
|
|
|
O_CLI="echo 'GET / HTTP/1.0' | openssl s_client"
|
|
|
|
|
2014-02-21 09:47:37 +01:00
|
|
|
TESTS=0
|
|
|
|
FAILS=0
|
|
|
|
|
2014-02-21 09:20:14 +01:00
|
|
|
# print_name <name>
|
|
|
|
print_name() {
|
|
|
|
echo -n "$1 "
|
|
|
|
LEN=`echo "$1" | wc -c`
|
|
|
|
LEN=`echo 72 - $LEN | bc`
|
|
|
|
for i in `seq 1 $LEN`; do echo -n '.'; done
|
|
|
|
echo -n ' '
|
2014-02-21 09:47:37 +01:00
|
|
|
|
|
|
|
TESTS=`echo $TESTS + 1 | bc`
|
2014-02-21 09:20:14 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
# fail <message>
|
|
|
|
fail() {
|
|
|
|
echo "FAIL"
|
|
|
|
echo " $1"
|
2014-02-21 09:47:37 +01:00
|
|
|
|
|
|
|
cp srv_out srv-${TESTS}.log
|
|
|
|
cp cli_out cli-${TESTS}.log
|
|
|
|
echo " outputs saved to srv-${TESTS}.log and cli-${TESTS}.log"
|
|
|
|
|
|
|
|
FAILS=`echo $FAILS + 1 | bc`
|
2014-02-21 09:20:14 +01:00
|
|
|
}
|
|
|
|
|
2014-02-25 16:42:31 +01:00
|
|
|
# is_polar <cmd_line>
|
|
|
|
is_polar() {
|
|
|
|
echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
|
|
|
|
}
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
|
2014-02-20 11:01:30 +01:00
|
|
|
# Options: -s pattern pattern that must be present in server output
|
|
|
|
# -c pattern pattern that must be present in client output
|
|
|
|
# -S pattern pattern that must be absent in server output
|
|
|
|
# -C pattern pattern that must be absent in client output
|
|
|
|
run_test() {
|
2014-02-25 17:14:15 +01:00
|
|
|
NAME="$1"
|
|
|
|
SRV_CMD="$2"
|
|
|
|
CLI_CMD="$3"
|
|
|
|
CLI_EXPECT="$4"
|
|
|
|
shift 4
|
|
|
|
|
|
|
|
print_name "$NAME"
|
2014-02-20 11:01:30 +01:00
|
|
|
|
|
|
|
# run the commands
|
2014-02-25 17:14:15 +01:00
|
|
|
$SHELL -c "$SRV_CMD" > srv_out 2>&1 &
|
2014-02-20 11:01:30 +01:00
|
|
|
SRV_PID=$!
|
|
|
|
sleep 1
|
2014-02-25 17:14:15 +01:00
|
|
|
$SHELL -c "$CLI_CMD" > cli_out 2>&1
|
2014-02-20 11:01:30 +01:00
|
|
|
CLI_EXIT=$?
|
2014-02-25 17:14:15 +01:00
|
|
|
if is_polar "$SRV_CMD"; then
|
2014-02-25 16:42:31 +01:00
|
|
|
echo SERVERQUIT | openssl s_client -no_ticket \
|
|
|
|
-cert data_files/cli2.crt -key data_files/cli2.key \
|
|
|
|
>/dev/null 2>&1
|
|
|
|
else
|
|
|
|
kill $SRV_PID
|
|
|
|
fi
|
2014-02-20 11:01:30 +01:00
|
|
|
wait $SRV_PID
|
2014-02-25 16:42:31 +01:00
|
|
|
|
|
|
|
# check if the client and server went at least to the handshake stage
|
|
|
|
# (usefull to avoid tests with only negative assertions and non-zero
|
|
|
|
# expected client exit to incorrectly succeed in case of catastrophic
|
|
|
|
# failure)
|
2014-02-25 17:14:15 +01:00
|
|
|
if is_polar "$SRV_CMD"; then
|
2014-02-25 16:42:31 +01:00
|
|
|
if grep "Performing the SSL/TLS handshake" srv_out >/dev/null; then :;
|
|
|
|
else
|
|
|
|
fail "server failed to start"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
fi
|
2014-02-25 17:14:15 +01:00
|
|
|
if is_polar "$CLI_CMD"; then
|
2014-02-25 16:42:31 +01:00
|
|
|
if grep "Performing the SSL/TLS handshake" cli_out >/dev/null; then :;
|
|
|
|
else
|
|
|
|
fail "client failed to start"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2014-02-21 09:20:14 +01:00
|
|
|
# check server exit code
|
|
|
|
if [ $? != 0 ]; then
|
|
|
|
fail "server fail"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
|
2014-02-20 11:01:30 +01:00
|
|
|
# check client exit code
|
2014-02-25 17:14:15 +01:00
|
|
|
if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
|
|
|
|
\( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
|
2014-02-20 17:19:59 +01:00
|
|
|
then
|
2014-02-21 12:12:23 +01:00
|
|
|
fail "bad client exit code"
|
2014-02-20 11:01:30 +01:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
|
|
|
|
# check options
|
|
|
|
while [ $# -gt 0 ]
|
|
|
|
do
|
|
|
|
case $1 in
|
|
|
|
"-s")
|
|
|
|
if grep "$2" srv_out >/dev/null; then :; else
|
2014-02-21 09:20:14 +01:00
|
|
|
fail "-s $2"
|
2014-02-20 11:01:30 +01:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-c")
|
|
|
|
if grep "$2" cli_out >/dev/null; then :; else
|
2014-02-21 09:20:14 +01:00
|
|
|
fail "-c $2"
|
2014-02-20 11:01:30 +01:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-S")
|
|
|
|
if grep "$2" srv_out >/dev/null; then
|
2014-02-21 09:20:14 +01:00
|
|
|
fail "-S $2"
|
2014-02-20 11:01:30 +01:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-C")
|
|
|
|
if grep "$2" cli_out >/dev/null; then
|
2014-02-21 09:20:14 +01:00
|
|
|
fail "-C $2"
|
2014-02-20 11:01:30 +01:00
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
*)
|
|
|
|
echo "Unkown test: $1" >&2
|
|
|
|
exit 1
|
|
|
|
esac
|
|
|
|
shift 2
|
|
|
|
done
|
|
|
|
|
|
|
|
# if we're here, everything is ok
|
|
|
|
echo "PASS"
|
|
|
|
rm -r srv_out cli_out
|
|
|
|
}
|
|
|
|
|
2014-02-25 16:21:22 +01:00
|
|
|
cleanup() {
|
|
|
|
kill $SRV_PID
|
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
2014-02-20 11:01:30 +01:00
|
|
|
killall -q openssl ssl_server ssl_server2
|
2014-02-25 16:21:22 +01:00
|
|
|
trap cleanup INT TERM HUP
|
2014-02-20 11:01:30 +01:00
|
|
|
|
2014-02-25 14:18:30 +01:00
|
|
|
# Test for SSLv2 ClientHello
|
|
|
|
|
|
|
|
run_test "SSLv2 ClientHello #0 (reference)" \
|
|
|
|
"$P_SRV debug_level=3" \
|
|
|
|
"echo GET / HTTP/1.0 | openssl s_client -no_ssl2" \
|
|
|
|
0 \
|
|
|
|
-S "parse client hello v2" \
|
|
|
|
-S "ssl_handshake returned"
|
|
|
|
|
|
|
|
# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
|
|
|
|
run_test "SSLv2 ClientHello #1 (actual test)" \
|
|
|
|
"$P_SRV debug_level=3" \
|
2014-02-25 17:14:15 +01:00
|
|
|
"$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
|
2014-02-25 14:18:30 +01:00
|
|
|
0 \
|
|
|
|
-s "parse client hello v2" \
|
|
|
|
-S "ssl_handshake returned"
|
|
|
|
|
2014-02-20 17:19:59 +01:00
|
|
|
# Tests for Truncated HMAC extension
|
|
|
|
|
|
|
|
run_test "Truncated HMAC #0" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=5" \
|
|
|
|
"$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-s "dumping 'computed mac' (20 bytes)"
|
|
|
|
|
|
|
|
run_test "Truncated HMAC #1" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=5" \
|
|
|
|
"$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
2014-02-20 11:01:30 +01:00
|
|
|
0 \
|
2014-02-20 11:43:46 +01:00
|
|
|
-s "dumping 'computed mac' (10 bytes)"
|
|
|
|
|
2014-02-20 17:19:59 +01:00
|
|
|
# Tests for Session Tickets
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
run_test "Session resume using tickets #1 (basic)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1" \
|
2014-02-20 11:43:46 +01:00
|
|
|
0 \
|
2014-02-20 22:50:56 +01:00
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-s "server hello, adding session ticket extension" \
|
|
|
|
-c "found session_ticket extension" \
|
|
|
|
-c "parse new session ticket" \
|
2014-02-20 11:43:46 +01:00
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
run_test "Session resume using tickets #2 (cache disabled)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=1 cache_max=0" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1" \
|
2014-02-21 09:18:13 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-s "server hello, adding session ticket extension" \
|
|
|
|
-c "found session_ticket extension" \
|
|
|
|
-c "parse new session ticket" \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
run_test "Session resume using tickets #3 (timeout)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \
|
2014-02-21 09:18:13 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-s "server hello, adding session ticket extension" \
|
|
|
|
-c "found session_ticket extension" \
|
|
|
|
-c "parse new session ticket" \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-S "a session has been resumed" \
|
|
|
|
-C "a session has been resumed"
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
run_test "Session resume using tickets #4 (no timeout)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=2" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=0" \
|
2014-02-20 21:32:41 +01:00
|
|
|
0 \
|
2014-02-20 22:50:56 +01:00
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-s "server hello, adding session ticket extension" \
|
|
|
|
-c "found session_ticket extension" \
|
|
|
|
-c "parse new session ticket" \
|
2014-02-20 21:32:41 +01:00
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-25 17:14:15 +01:00
|
|
|
run_test "Session resume using tickets #5 (openssl server)" \
|
|
|
|
"openssl s_server $O_ARGS" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1" \
|
|
|
|
0 \
|
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-c "found session_ticket extension" \
|
|
|
|
-c "parse new session ticket" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using tickets #6 (openssl client)" \
|
|
|
|
"$P_SRV debug_level=4 tickets=1" \
|
|
|
|
"($O_CLI -sess_out sess; $O_CLI -sess_in sess; rm -f sess)" \
|
|
|
|
0 \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-s "server hello, adding session ticket extension" \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed"
|
|
|
|
|
2014-02-20 22:50:56 +01:00
|
|
|
# Tests for Session Resume based on session-ID and cache
|
2014-02-20 17:19:59 +01:00
|
|
|
|
2014-02-20 22:50:56 +01:00
|
|
|
run_test "Session resume using cache #1 (tickets enabled on client)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0" \
|
|
|
|
"$P_CLI debug_level=4 tickets=1 reconnect=1" \
|
2014-02-20 11:43:46 +01:00
|
|
|
0 \
|
2014-02-20 22:50:56 +01:00
|
|
|
-c "client hello, adding session ticket extension" \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-S "server hello, adding session ticket extension" \
|
|
|
|
-C "found session_ticket extension" \
|
|
|
|
-C "parse new session ticket" \
|
2014-02-20 11:43:46 +01:00
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-20 22:50:56 +01:00
|
|
|
run_test "Session resume using cache #2 (tickets enabled on server)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1" \
|
2014-02-20 11:43:46 +01:00
|
|
|
0 \
|
2014-02-20 22:50:56 +01:00
|
|
|
-C "client hello, adding session ticket extension" \
|
|
|
|
-S "found session ticket extension" \
|
|
|
|
-S "server hello, adding session ticket extension" \
|
|
|
|
-C "found session_ticket extension" \
|
|
|
|
-C "parse new session ticket" \
|
2014-02-20 11:43:46 +01:00
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
2014-02-20 14:50:42 +01:00
|
|
|
|
2014-02-20 22:50:56 +01:00
|
|
|
run_test "Session resume using cache #3 (cache_max=0)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0 cache_max=0" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1" \
|
2014-02-20 22:50:56 +01:00
|
|
|
0 \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-S "a session has been resumed" \
|
|
|
|
-C "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #4 (cache_max=1)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0 cache_max=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1" \
|
2014-02-20 22:50:56 +01:00
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #5 (timemout > delay)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
|
2014-02-20 22:50:56 +01:00
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #6 (timeout < delay)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
|
2014-02-20 21:32:41 +01:00
|
|
|
0 \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
2014-02-20 22:50:56 +01:00
|
|
|
-S "a session has been resumed" \
|
|
|
|
-C "a session has been resumed"
|
2014-02-20 21:32:41 +01:00
|
|
|
|
2014-02-20 22:50:56 +01:00
|
|
|
run_test "Session resume using cache #7 (no timeout)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 tickets=0 cache_timeout=0" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
|
2014-02-20 21:32:41 +01:00
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-25 17:57:59 +01:00
|
|
|
run_test "Session resume using cache #8 (openssl client)" \
|
|
|
|
"$P_SRV debug_level=4 tickets=0" \
|
|
|
|
"($O_CLI -sess_out sess; $O_CLI -sess_in sess; rm -f sess)" \
|
|
|
|
0 \
|
|
|
|
-s "found session ticket extension" \
|
|
|
|
-S "server hello, adding session ticket extension" \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #9 (openssl server)" \
|
|
|
|
"openssl s_server $O_ARGS" \
|
|
|
|
"$P_CLI debug_level=4 tickets=0 reconnect=1" \
|
|
|
|
0 \
|
|
|
|
-C "found session_ticket extension" \
|
|
|
|
-C "parse new session ticket" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-20 17:19:59 +01:00
|
|
|
# Tests for Max Fragment Length extension
|
|
|
|
|
2014-02-20 14:50:42 +01:00
|
|
|
run_test "Max fragment length #1" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4" \
|
|
|
|
"$P_CLI debug_level=4" \
|
2014-02-20 14:50:42 +01:00
|
|
|
0 \
|
|
|
|
-C "client hello, adding max_fragment_length extension" \
|
|
|
|
-S "found max fragment length extension" \
|
|
|
|
-S "server hello, max_fragment_length extension" \
|
|
|
|
-C "found max_fragment_length extension"
|
|
|
|
|
|
|
|
run_test "Max fragment length #2" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4" \
|
|
|
|
"$P_CLI debug_level=4 max_frag_len=4096" \
|
2014-02-20 14:50:42 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding max_fragment_length extension" \
|
|
|
|
-s "found max fragment length extension" \
|
|
|
|
-s "server hello, max_fragment_length extension" \
|
|
|
|
-c "found max_fragment_length extension"
|
|
|
|
|
|
|
|
run_test "Max fragment length #3" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 max_frag_len=4096" \
|
|
|
|
"$P_CLI debug_level=4" \
|
2014-02-20 14:50:42 +01:00
|
|
|
0 \
|
|
|
|
-C "client hello, adding max_fragment_length extension" \
|
|
|
|
-S "found max fragment length extension" \
|
|
|
|
-S "server hello, max_fragment_length extension" \
|
|
|
|
-C "found max_fragment_length extension"
|
2014-02-20 17:19:59 +01:00
|
|
|
|
|
|
|
# Tests for renegotiation
|
|
|
|
|
|
|
|
run_test "Renegotiation #0 (none)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4" \
|
|
|
|
"$P_CLI debug_level=4" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-C "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-C "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #1 (enabled, client-initiated)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4" \
|
|
|
|
"$P_CLI debug_level=4 renegotiate=1" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #2 (enabled, server-initiated)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 renegotiate=1" \
|
|
|
|
"$P_CLI debug_level=4" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-s "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #3 (enabled, double)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 renegotiate=1" \
|
|
|
|
"$P_CLI debug_level=4 renegotiate=1" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-s "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #4 (client-initiated, server-rejected)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 renegotiation=0" \
|
|
|
|
"$P_CLI debug_level=4 renegotiate=1" \
|
2014-02-20 17:19:59 +01:00
|
|
|
1 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #5 (server-initiated, client-rejected)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 renegotiate=1" \
|
|
|
|
"$P_CLI debug_level=4 renegotiation=0" \
|
2014-02-20 17:19:59 +01:00
|
|
|
0 \
|
|
|
|
-C "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-C "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-s "write hello request" \
|
|
|
|
-s "SSL - An unexpected message was received from our peer" \
|
|
|
|
-s "failed"
|
2014-02-21 09:47:37 +01:00
|
|
|
|
2014-02-21 12:12:23 +01:00
|
|
|
# Tests for auth_mode
|
|
|
|
|
|
|
|
run_test "Authentication #1 (server badcert, client required)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=2 auth_mode=required" \
|
2014-02-21 12:12:23 +01:00
|
|
|
1 \
|
|
|
|
-c "x509_verify_cert() returned" \
|
|
|
|
-c "! self-signed or not signed by a trusted CA" \
|
|
|
|
-c "! ssl_handshake returned" \
|
|
|
|
-c "X509 - Certificate verification failed"
|
|
|
|
|
|
|
|
run_test "Authentication #2 (server badcert, client optional)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=2 auth_mode=optional" \
|
2014-02-21 12:12:23 +01:00
|
|
|
0 \
|
|
|
|
-c "x509_verify_cert() returned" \
|
|
|
|
-c "! self-signed or not signed by a trusted CA" \
|
|
|
|
-C "! ssl_handshake returned" \
|
|
|
|
-C "X509 - Certificate verification failed"
|
|
|
|
|
|
|
|
run_test "Authentication #3 (server badcert, client none)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=2 auth_mode=none" \
|
2014-02-21 12:12:23 +01:00
|
|
|
0 \
|
|
|
|
-C "x509_verify_cert() returned" \
|
|
|
|
-C "! self-signed or not signed by a trusted CA" \
|
|
|
|
-C "! ssl_handshake returned" \
|
|
|
|
-C "X509 - Certificate verification failed"
|
|
|
|
|
|
|
|
run_test "Authentication #4 (client badcert, server required)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 auth_mode=required" \
|
|
|
|
"$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
|
|
|
1 \
|
|
|
|
-S "skip write certificate request" \
|
|
|
|
-C "skip parse certificate request" \
|
|
|
|
-c "got a certificate request" \
|
|
|
|
-C "skip write certificate" \
|
|
|
|
-C "skip write certificate verify" \
|
|
|
|
-S "skip parse certificate verify" \
|
|
|
|
-s "x509_verify_cert() returned" \
|
|
|
|
-S "! self-signed or not signed by a trusted CA" \
|
|
|
|
-s "! ssl_handshake returned" \
|
|
|
|
-c "! ssl_handshake returned" \
|
|
|
|
-s "X509 - Certificate verification failed"
|
|
|
|
|
|
|
|
run_test "Authentication #5 (client badcert, server optional)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 auth_mode=optional" \
|
|
|
|
"$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
|
|
|
0 \
|
|
|
|
-S "skip write certificate request" \
|
|
|
|
-C "skip parse certificate request" \
|
|
|
|
-c "got a certificate request" \
|
|
|
|
-C "skip write certificate" \
|
|
|
|
-C "skip write certificate verify" \
|
|
|
|
-S "skip parse certificate verify" \
|
|
|
|
-s "x509_verify_cert() returned" \
|
|
|
|
-s "! self-signed or not signed by a trusted CA" \
|
|
|
|
-S "! ssl_handshake returned" \
|
|
|
|
-C "! ssl_handshake returned" \
|
|
|
|
-S "X509 - Certificate verification failed"
|
|
|
|
|
|
|
|
run_test "Authentication #6 (client badcert, server none)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 auth_mode=none" \
|
|
|
|
"$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
|
2014-02-21 12:12:23 +01:00
|
|
|
key_file=data_files/server5.key" \
|
|
|
|
0 \
|
|
|
|
-s "skip write certificate request" \
|
|
|
|
-C "skip parse certificate request" \
|
|
|
|
-c "got no certificate request" \
|
|
|
|
-c "skip write certificate" \
|
|
|
|
-c "skip write certificate verify" \
|
|
|
|
-s "skip parse certificate verify" \
|
|
|
|
-S "x509_verify_cert() returned" \
|
|
|
|
-S "! self-signed or not signed by a trusted CA" \
|
|
|
|
-S "! ssl_handshake returned" \
|
|
|
|
-C "! ssl_handshake returned" \
|
|
|
|
-S "X509 - Certificate verification failed"
|
|
|
|
|
2014-02-25 12:26:29 +01:00
|
|
|
# tests for SNI
|
|
|
|
|
|
|
|
run_test "SNI #0 (no SNI callback)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=0 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
server_name=localhost" \
|
|
|
|
0 \
|
|
|
|
-S "parse ServerName extension" \
|
|
|
|
-c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
|
|
|
|
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
|
|
|
|
|
|
|
|
run_test "SNI #1 (matching cert 1)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
|
|
|
sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=0 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
server_name=localhost" \
|
|
|
|
0 \
|
|
|
|
-s "parse ServerName extension" \
|
|
|
|
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
|
|
|
|
-c "subject name *: C=NL, O=PolarSSL, CN=localhost"
|
|
|
|
|
|
|
|
run_test "SNI #2 (matching cert 2)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
|
|
|
sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=0 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
server_name='PolarSSL Server 1'" \
|
|
|
|
0 \
|
|
|
|
-s "parse ServerName extension" \
|
|
|
|
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
|
|
|
|
-c "subject name *: C=NL, O=PolarSSL, CN=PolarSSL Server 1"
|
|
|
|
|
|
|
|
run_test "SNI #3 (no matching cert)" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_SRV debug_level=4 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
crt_file=data_files/server5.crt key_file=data_files/server5.key \
|
|
|
|
sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
|
2014-02-25 14:18:30 +01:00
|
|
|
"$P_CLI debug_level=0 server_addr=127.0.0.1 \
|
2014-02-25 12:26:29 +01:00
|
|
|
server_name='PolarSSL Server 2'" \
|
|
|
|
1 \
|
|
|
|
-s "parse ServerName extension" \
|
|
|
|
-s "ssl_sni_wrapper() returned" \
|
|
|
|
-s "ssl_handshake returned" \
|
|
|
|
-c "ssl_handshake returned" \
|
|
|
|
-c "SSL - A fatal alert message was received from our peer"
|
|
|
|
|
2014-02-21 12:12:23 +01:00
|
|
|
# Final report
|
|
|
|
|
2014-02-21 09:47:37 +01:00
|
|
|
echo "------------------------------------------------------------------------"
|
|
|
|
|
|
|
|
if [ $FAILS = 0 ]; then
|
|
|
|
echo -n "PASSED"
|
|
|
|
else
|
|
|
|
echo -n "FAILED"
|
|
|
|
fi
|
|
|
|
PASSES=`echo $TESTS - $FAILS | bc`
|
2014-02-24 13:20:14 +01:00
|
|
|
echo " ($PASSES / $TESTS tests)"
|
2014-02-21 09:47:37 +01:00
|
|
|
|
|
|
|
exit $FAILS
|