From 30e731decd2cd4266b74d544ca81294d2947bf97 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 12 Oct 2017 13:50:29 +0200 Subject: [PATCH 01/12] Added buffer_size and response_size options for ssl-server2. Added appropriate tests. --- programs/ssl/ssl_server2.c | 64 ++++++++++-- tests/ssl-opt.sh | 193 +++++++++++++++++++++++++++++++------ 2 files changed, 220 insertions(+), 37 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 3a413ad5e..74d3a1d01 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -99,6 +99,7 @@ int main( void ) #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" +#define DFL_RESPONSE_SIZE -1 #define DFL_DEBUG_LEVEL 0 #define DFL_NBIO 0 #define DFL_EVENT 0 @@ -171,7 +172,7 @@ int main( void ) * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh * if you change this value to something outside the range <= 100 or > 500 */ -#define IO_BUF_LEN 200 +#define DFL_IO_BUF_LEN 200 #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_FS_IO) @@ -346,6 +347,11 @@ int main( void ) " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " buffer_size=%%d default: 200 \n" \ + " (minimum: 1, max: 16385)\n" \ + " response_size=%%d default: about 152 (basic response)\n" \ + " (minimum: 0, max: 16384)\n" \ + " increases buffer_size if bigger\n"\ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ @@ -421,6 +427,8 @@ struct options int nbio; /* should I/O be blocking? */ int event; /* loop or event-driven IO? level or edge triggered? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ + int response_size; /* pad response with header to requested size */ + uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ const char *ca_path; /* the path with the CA certificate(s) reside */ const char *crt_file; /* the file with the server certificate */ @@ -1154,7 +1162,7 @@ int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; int version_suites[4][2]; - unsigned char buf[IO_BUF_LEN]; + unsigned char* buf = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -1285,10 +1293,12 @@ int main( int argc, char *argv[] ) goto exit; } + opt.buffer_size = DFL_IO_BUF_LEN; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.event = DFL_EVENT; + opt.response_size = DFL_RESPONSE_SIZE; opt.nbio = DFL_NBIO; opt.read_timeout = DFL_READ_TIMEOUT; opt.ca_file = DFL_CA_FILE; @@ -1379,6 +1389,20 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "read_timeout" ) == 0 ) opt.read_timeout = atoi( q ); + else if( strcmp( p, "buffer_size" ) == 0 ) + { + opt.buffer_size = atoi( q ); + if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 ) + goto usage; + } + else if( strcmp( p, "response_size" ) == 0 ) + { + opt.response_size = atoi( q ); + if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + goto usage; + if( opt.buffer_size < opt.response_size ) + opt.buffer_size = opt.response_size; + } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) @@ -1700,7 +1724,14 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - + buf = malloc( opt.buffer_size ); + if( buf == NULL ) + { + mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + ret = 3; + goto exit; + } + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2708,8 +2739,8 @@ data_exchange: do { int terminated = 0; - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); ret = mbedtls_ssl_read( &ssl, buf, len ); if( mbedtls_status_is_ssl_in_progress( ret ) ) @@ -2809,8 +2840,8 @@ data_exchange: } else /* Not stream, so datagram */ { - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); do { @@ -2908,6 +2939,25 @@ data_exchange: len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) ); + /* Add padding to the response to reach opt.response_size in length */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len < opt.response_size ) + { + memset( buf + len, 'B', opt.response_size - len ); + len += opt.response_size - len; + } + + /* Truncate if response size is smaller than the "natural" size */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len > opt.response_size ) + { + len = opt.response_size; + + /* Still end with \r\n unless that's really not possible */ + if( len >= 2 ) buf[len - 2] = '\r'; + if( len >= 1 ) buf[len - 1] = '\n'; + } + if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ) { for( written = 0, frags = 0; written < len; written += ret, frags++ ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9faeb6703..a9dd5c03f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3968,10 +3968,10 @@ run_test "SSLv3 with extensions, server side" \ -S "dumping 'client hello extensions'" \ -S "server hello, total extension length:" -# Test for large packets +# Test for large client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 BlockCipher" \ +run_test "Large client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3980,7 +3980,7 @@ run_test "Large packet SSLv3 BlockCipher" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 StreamCipher" \ +run_test "Large client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -3988,7 +3988,7 @@ run_test "Large packet SSLv3 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher" \ +run_test "Large client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3996,7 +3996,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4004,7 +4004,7 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4013,21 +4013,21 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher" \ +run_test "Large client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4035,7 +4035,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4043,7 +4043,7 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4051,7 +4051,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher" \ +run_test "Large client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4059,7 +4059,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4067,7 +4067,7 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4075,14 +4075,14 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher" \ +run_test "Large client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4090,7 +4090,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4099,7 +4099,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4107,7 +4107,7 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4115,7 +4115,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher" \ +run_test "Large client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4123,14 +4123,14 @@ run_test "Large packet TLS 1.2 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -4139,7 +4139,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4147,7 +4147,7 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ @@ -4155,7 +4155,7 @@ run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher" \ +run_test "Large client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4163,7 +4163,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4171,7 +4171,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4179,7 +4179,7 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4187,7 +4187,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD" \ +run_test "Large client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ @@ -4195,7 +4195,7 @@ run_test "Large packet TLS 1.2 AEAD" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD shorter tag" \ +run_test "Large client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ @@ -4203,6 +4203,139 @@ run_test "Large packet TLS 1.2 AEAD shorter tag" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" +# Test for large server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +# Checking next 2 tests logs for 1n-1 split against BEAST too +run_test "Large server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 16384 bytes read" + # Tests of asynchronous private key support in SSL requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE From c19fc55538eff85877ce5aeb9ccbb4c57130d6fc Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 19 Jun 2018 09:37:30 -0400 Subject: [PATCH 02/12] Add missing large and small packet tests for ssl_server2 --- tests/ssl-opt.sh | 486 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 443 insertions(+), 43 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a9dd5c03f..92151fd87 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3669,10 +3669,10 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \ 0 \ -s "Read from client: 500 bytes read (.*+.*)" -# Tests for small packets +# Tests for small client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 BlockCipher" \ +run_test "Small client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3680,21 +3680,21 @@ run_test "Small packet SSLv3 BlockCipher" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 StreamCipher" \ +run_test "Small client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher" \ +run_test "Small client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3702,7 +3702,7 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3710,21 +3710,21 @@ run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher" \ +run_test "Small client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3732,7 +3732,7 @@ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3740,21 +3740,21 @@ run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher" \ +run_test "Small client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ @@ -3762,7 +3762,7 @@ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3770,21 +3770,21 @@ run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher" \ +run_test "Small client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3792,7 +3792,7 @@ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3800,28 +3800,28 @@ run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher" \ +run_test "Small client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -3829,7 +3829,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3837,21 +3837,21 @@ run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher" \ +run_test "Small client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3859,7 +3859,7 @@ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3867,31 +3867,31 @@ run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD" \ +run_test "Small client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD shorter tag" \ +run_test "Small client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -s "Read from client: 1 bytes read" -# Tests for small packets in DTLS +# Tests for small client packets in DTLS requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0" \ +run_test "Small client packet DTLS 1.0" \ "$P_SRV dtls=1 force_version=dtls1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3899,7 +3899,7 @@ run_test "Small packet DTLS 1.0" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0, without EtM" \ +run_test "Small client packet DTLS 1.0, without EtM" \ "$P_SRV dtls=1 force_version=dtls1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3908,7 +3908,7 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, truncated hmac" \ +run_test "Small client packet DTLS 1.0, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3917,7 +3917,7 @@ run_test "Small packet DTLS 1.0, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ @@ -3925,7 +3925,7 @@ run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2" \ +run_test "Small client packet DTLS 1.2" \ "$P_SRV dtls=1 force_version=dtls1_2" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3933,7 +3933,7 @@ run_test "Small packet DTLS 1.2" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2, without EtM" \ +run_test "Small client packet DTLS 1.2, without EtM" \ "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3942,7 +3942,7 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, truncated hmac" \ +run_test "Small client packet DTLS 1.2, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3951,13 +3951,302 @@ run_test "Small packet DTLS 1.2, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" +# Tests for small server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=1 min_version=ssl3" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 1 bytes read" + +# Tests for small server packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -4231,6 +4520,15 @@ run_test "Large server packet TLS 1.0 BlockCipher" \ -c "16383 bytes read"\ -C "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV response_size=16384" \ @@ -4249,6 +4547,41 @@ run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" run_test "Large server packet TLS 1.1 BlockCipher" \ @@ -4258,11 +4591,12 @@ run_test "Large server packet TLS 1.1 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" -run_test "Large server packet TLS 1.1 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4274,6 +4608,30 @@ run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4283,6 +4641,14 @@ run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4290,6 +4656,14 @@ run_test "Large server packet TLS 1.2 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4306,11 +4680,28 @@ run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 StreamCipher" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4322,6 +4713,15 @@ run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 AEAD" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ From da4029d665a37a290fa4d33e0ed8a3bb29b76f5e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 07:07:55 -0400 Subject: [PATCH 03/12] ssl_server2: add buffer overhead for a termination character Switch to mbedtls style of memory allocation --- programs/ssl/ssl_server2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 74d3a1d01..b201c8bda 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1724,7 +1724,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - buf = malloc( opt.buffer_size ); + buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); @@ -3116,6 +3116,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif + mbedtls_free(buf); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 5c7e76eb4a4a9a284066896a40f6e026fbe27f59 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 08:17:04 -0400 Subject: [PATCH 04/12] Remove trailing whitespace --- programs/ssl/ssl_server2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b201c8bda..a08d6b2f1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1731,7 +1731,7 @@ int main( int argc, char *argv[] ) ret = 3; goto exit; } - + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; From 755890f5293902086e1ff53d88565c737069d921 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 08:17:04 -0400 Subject: [PATCH 05/12] Remove trailing whitespace --- programs/ssl/ssl_server2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b201c8bda..cef910054 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1727,11 +1727,11 @@ int main( int argc, char *argv[] ) buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { - mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size ); ret = 3; goto exit; } - + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -3116,7 +3116,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif - mbedtls_free(buf); + mbedtls_free( buf ); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 278af4536ccedd9f5ab9d814ece2a3f5146842c4 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 20 Jun 2018 18:40:21 +0300 Subject: [PATCH 06/12] Fix hmac_drbg failure in benchmark, with threading Remove redunadnat calls to `hmac_drbg_free()` between seeding operations, which make the mutex invalid. Fixes #1095 --- ChangeLog | 2 ++ programs/test/benchmark.c | 5 +---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 44533d2ae..5e00c0ecc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,8 @@ Bugfix Changes * Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson. + * Fix efailure in hmac_drbg in the benchmark sample application, when + MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095 = mbed TLS 2.11.0 branch released 2018-06-18 diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 5277ceb79..e7d29c396 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -700,7 +700,6 @@ int main( int argc, char *argv[] ) mbedtls_exit(1); TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)", mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); - mbedtls_hmac_drbg_free( &hmac_drbg ); if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 ) mbedtls_exit(1); @@ -708,7 +707,6 @@ int main( int argc, char *argv[] ) MBEDTLS_HMAC_DRBG_PR_ON ); TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)", mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); - mbedtls_hmac_drbg_free( &hmac_drbg ); #endif #if defined(MBEDTLS_SHA256_C) @@ -719,7 +717,6 @@ int main( int argc, char *argv[] ) mbedtls_exit(1); TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)", mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); - mbedtls_hmac_drbg_free( &hmac_drbg ); if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 ) mbedtls_exit(1); @@ -727,8 +724,8 @@ int main( int argc, char *argv[] ) MBEDTLS_HMAC_DRBG_PR_ON ); TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)", mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); - mbedtls_hmac_drbg_free( &hmac_drbg ); #endif + mbedtls_hmac_drbg_free( &hmac_drbg ); } #endif From 636179a277200cb05bb6b0bcfafb46afec3498cc Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 4 Jul 2018 17:35:29 +0300 Subject: [PATCH 07/12] Fix typo Fix typo in ChangeLog entry. --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 5e00c0ecc..81dca1a3e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,7 +22,7 @@ Bugfix Changes * Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson. - * Fix efailure in hmac_drbg in the benchmark sample application, when + * Fix failure in hmac_drbg in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095 = mbed TLS 2.11.0 branch released 2018-06-18 From 604ccc660847d5ba59db420f3ca2aad6bd71402e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 10 Jul 2018 15:55:52 +0200 Subject: [PATCH 08/12] Add ChangeLog entry --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 027a97174..8c2d90d4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.xx.xx branch released xxxx-xx-xx + +Changes + * Close a test gap in (D)TLS between the client side and the server side: + test the handling of large packets and small packets on the client side + in the same way as on the server side. + = mbed TLS 2.11.0 branch released 2018-06-18 Features From 1d7399351e8e3685c5811d0008f9e80d0aac7ad7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Aug 2018 13:55:22 +0100 Subject: [PATCH 09/12] ssl-opt.sh: Add DTLS session resumption tests Fixes #1969. --- tests/ssl-opt.sh | 160 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 937a27b76..92b7686ed 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1364,6 +1364,71 @@ run_test "Session resume using tickets: openssl client" \ -s "session successfully restored from ticket" \ -s "a session has been resumed" +# Tests for Session Tickets with DTLS + +run_test "Session resume using tickets, DTLS: basic" \ + "$P_SRV debug_level=3 dtls=1 tickets=1" \ + "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -S "session successfully restored from cache" \ + -s "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using tickets, DTLS: cache disabled" \ + "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ + "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -S "session successfully restored from cache" \ + -s "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using tickets, DTLS: timeout" \ + "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ + "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -S "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -S "a session has been resumed" \ + -C "a session has been resumed" + +run_test "Session resume using tickets, DTLS: openssl server" \ + "$O_SRV -dtls1" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -c "a session has been resumed" + +run_test "Session resume using tickets, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=1" \ + "( $O_CLI -dtls1 -sess_out $SESSION; \ + $O_CLI -dtls1 -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -S "session successfully restored from cache" \ + -s "session successfully restored from ticket" \ + -s "a session has been resumed" + # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache: tickets enabled on client" \ @@ -1459,6 +1524,101 @@ run_test "Session resume using cache: openssl server" \ -C "parse new session ticket" \ -c "a session has been resumed" +# Tests for Session Resume based on session-ID and cache, DTLS + +run_test "Session resume using cache, DTLS: tickets enabled on client" \ + "$P_SRV dtls=1 debug_level=3 tickets=0" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -s "found session ticket extension" \ + -S "server hello, adding session ticket extension" \ + -C "found session_ticket extension" \ + -C "parse new session ticket" \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using cache, DTLS: tickets enabled on server" \ + "$P_SRV dtls=1 debug_level=3 tickets=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -C "client hello, adding session ticket extension" \ + -S "found session ticket extension" \ + -S "server hello, adding session ticket extension" \ + -C "found session_ticket extension" \ + -C "parse new session ticket" \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using cache, DTLS: cache_max=0" \ + "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -S "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -S "a session has been resumed" \ + -C "a session has been resumed" + +run_test "Session resume using cache, DTLS: cache_max=1" \ + "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using cache, DTLS: timeout > delay" \ + "$P_SRV dtls=1 debug_level=3 tickets=0" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ + 0 \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using cache, DTLS: timeout < delay" \ + "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ + 0 \ + -S "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -S "a session has been resumed" \ + -C "a session has been resumed" + +run_test "Session resume using cache, DTLS: no timeout" \ + "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ + 0 \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" \ + -c "a session has been resumed" + +run_test "Session resume using cache, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=0" \ + "( $O_CLI -dtls1 -sess_out $SESSION; \ + $O_CLI -dtls1 -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -S "server hello, adding session ticket extension" \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" + +run_test "Session resume using cache, DTLS: openssl server" \ + "$O_SRV -dtls1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -C "found session_ticket extension" \ + -C "parse new session ticket" \ + -c "a session has been resumed" + # Tests for Max Fragment Length extension if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then From aa71500173ada7bb0c2d7f533d461f29a752932a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Aug 2018 13:55:31 +0100 Subject: [PATCH 10/12] Fix bug in SSL ticket implementation removing keys of age < 1s Fixes #1968. --- library/ssl_ticket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index a2b304869..985b7cd50 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -97,7 +97,7 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) uint32_t current_time = (uint32_t) mbedtls_time( NULL ); uint32_t key_time = ctx->keys[ctx->active].generation_time; - if( current_time > key_time && + if( current_time >= key_time && current_time - key_time < ctx->ticket_lifetime ) { return( 0 ); From 5e863e02ac202341beceb33942fa6f63ec37d56d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Aug 2018 17:51:53 +0100 Subject: [PATCH 11/12] Adapt ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 0598cfa1a..fb1e91810 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ Bugfix * Replace printf with mbedtls_printf in aria. Found by TrinityTonic in #1908. * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941. + * Fix a bug in the update function for SSL ticket keys which previously + invalidated keys of a lifetime of less than a 1s. Fixes #1968. Changes * Copy headers preserving timestamps when doing a "make install". @@ -21,6 +23,7 @@ Changes Drozd. Fixes #1215 raised by randombit. * Improve compatibility with some alternative CCM implementations by using CCM test vectors from RAM. + * Add tests for session resumption in DTLS. = mbed TLS 2.12.0 branch released 2018-07-25 From 6a4f224ac3406d8afa6ed5753aa77110a132c454 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Aug 2018 08:00:13 -0400 Subject: [PATCH 12/12] ssl-opt.sh: change expected output for large srv packet test with SSLv3 This test also exercises a protection against BEAST and should expect message splitting. --- tests/ssl-opt.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 92151fd87..9903aad73 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4493,15 +4493,6 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ -s "Read from client: 16384 bytes read" # Test for large server packets - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large server packet SSLv3 BlockCipher" \ - "$P_SRV response_size=16384 min_version=ssl3" \ - "$P_CLI force_version=ssl3 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 StreamCipher" \ "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4510,7 +4501,17 @@ run_test "Large server packet SSLv3 StreamCipher" \ 0 \ -c "Read from server: 16384 bytes read" -# Checking next 2 tests logs for 1n-1 split against BEAST too +# Checking next 4 tests logs for 1n-1 split against BEAST too +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.0 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1 recsplit=0 \