From c1da664e8954883f265e54dc5104bf1c04d8beaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Feb 2014 14:18:30 +0100 Subject: [PATCH] Add test for SSLv2 ClientHello --- tests/ssl-opt.sh | 153 ++++++++++++++++++++++++++--------------------- 1 file changed, 85 insertions(+), 68 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d24fa0b98..c815cc3d4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9,8 +9,8 @@ # Assumes all options are compiled in. PROGS_DIR='../programs/ssl' -SRV_CMD="$PROGS_DIR/ssl_server2" -CLI_CMD="$PROGS_DIR/ssl_client2" +P_SRV="$PROGS_DIR/ssl_server2" +P_CLI="$PROGS_DIR/ssl_client2" TESTS=0 FAILS=0 @@ -48,10 +48,10 @@ run_test() { shift # run the commands - $SHELL -c "$SRV_CMD $1" > srv_out & + eval "$1" > srv_out 2>&1 & SRV_PID=$! sleep 1 - $SHELL -c "$CLI_CMD $2" > cli_out + eval "$2" > cli_out 2>&1 CLI_EXIT=$? echo SERVERQUIT | openssl s_client -no_ticket \ -cert data_files/cli2.crt -key data_files/cli2.key \ @@ -120,25 +120,42 @@ run_test() { killall -q openssl ssl_server ssl_server2 +# Test for SSLv2 ClientHello + +run_test "SSLv2 ClientHello #0 (reference)" \ + "$P_SRV debug_level=3" \ + "echo GET / HTTP/1.0 | openssl s_client -no_ssl2" \ + 0 \ + -S "parse client hello v2" \ + -S "ssl_handshake returned" + +# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello +run_test "SSLv2 ClientHello #1 (actual test)" \ + "$P_SRV debug_level=3" \ + "echo GET / HTTP/1.0 | openssl s_client -cipher DES-CBC-MD5:ALL" \ + 0 \ + -s "parse client hello v2" \ + -S "ssl_handshake returned" + # Tests for Truncated HMAC extension run_test "Truncated HMAC #0" \ - "debug_level=5" \ - "trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ + "$P_SRV debug_level=5" \ + "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -s "dumping 'computed mac' (20 bytes)" run_test "Truncated HMAC #1" \ - "debug_level=5" \ - "trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ + "$P_SRV debug_level=5" \ + "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -s "dumping 'computed mac' (10 bytes)" # Tests for Session Tickets run_test "Session resume using tickets #1" \ - "debug_level=4 tickets=1" \ - "debug_level=4 tickets=1 reconnect=1" \ + "$P_SRV debug_level=4 tickets=1" \ + "$P_CLI debug_level=4 tickets=1 reconnect=1" \ 0 \ -c "client hello, adding session ticket extension" \ -s "found session ticket extension" \ @@ -151,8 +168,8 @@ run_test "Session resume using tickets #1" \ -c "a session has been resumed" run_test "Session resume using tickets #2" \ - "debug_level=4 tickets=1 cache_max=0" \ - "debug_level=4 tickets=1 reconnect=1" \ + "$P_SRV debug_level=4 tickets=1 cache_max=0" \ + "$P_CLI debug_level=4 tickets=1 reconnect=1" \ 0 \ -c "client hello, adding session ticket extension" \ -s "found session ticket extension" \ @@ -165,8 +182,8 @@ run_test "Session resume using tickets #2" \ -c "a session has been resumed" run_test "Session resume using tickets #3" \ - "debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \ - "debug_level=4 tickets=1 reconnect=1 reco_delay=2" \ + "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \ + "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \ 0 \ -c "client hello, adding session ticket extension" \ -s "found session ticket extension" \ @@ -179,8 +196,8 @@ run_test "Session resume using tickets #3" \ -C "a session has been resumed" run_test "Session resume using tickets #4" \ - "debug_level=4 tickets=1 cache_max=0 ticket_timeout=2" \ - "debug_level=4 tickets=1 reconnect=1 reco_delay=0" \ + "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=2" \ + "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=0" \ 0 \ -c "client hello, adding session ticket extension" \ -s "found session ticket extension" \ @@ -195,8 +212,8 @@ run_test "Session resume using tickets #4" \ # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache #1 (tickets enabled on client)" \ - "debug_level=4 tickets=0" \ - "debug_level=4 tickets=1 reconnect=1" \ + "$P_SRV debug_level=4 tickets=0" \ + "$P_CLI debug_level=4 tickets=1 reconnect=1" \ 0 \ -c "client hello, adding session ticket extension" \ -s "found session ticket extension" \ @@ -209,8 +226,8 @@ run_test "Session resume using cache #1 (tickets enabled on client)" \ -c "a session has been resumed" run_test "Session resume using cache #2 (tickets enabled on server)" \ - "debug_level=4 tickets=1" \ - "debug_level=4 tickets=0 reconnect=1" \ + "$P_SRV debug_level=4 tickets=1" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1" \ 0 \ -C "client hello, adding session ticket extension" \ -S "found session ticket extension" \ @@ -223,8 +240,8 @@ run_test "Session resume using cache #2 (tickets enabled on server)" \ -c "a session has been resumed" run_test "Session resume using cache #3 (cache_max=0)" \ - "debug_level=4 tickets=0 cache_max=0" \ - "debug_level=4 tickets=0 reconnect=1" \ + "$P_SRV debug_level=4 tickets=0 cache_max=0" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1" \ 0 \ -S "session successfully restored from cache" \ -S "session successfully restored from ticket" \ @@ -232,8 +249,8 @@ run_test "Session resume using cache #3 (cache_max=0)" \ -C "a session has been resumed" run_test "Session resume using cache #4 (cache_max=1)" \ - "debug_level=4 tickets=0 cache_max=1" \ - "debug_level=4 tickets=0 reconnect=1" \ + "$P_SRV debug_level=4 tickets=0 cache_max=1" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1" \ 0 \ -s "session successfully restored from cache" \ -S "session successfully restored from ticket" \ @@ -241,8 +258,8 @@ run_test "Session resume using cache #4 (cache_max=1)" \ -c "a session has been resumed" run_test "Session resume using cache #5 (timemout > delay)" \ - "debug_level=4 tickets=0 cache_timeout=1" \ - "debug_level=4 tickets=0 reconnect=1 reco_delay=0" \ + "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \ 0 \ -s "session successfully restored from cache" \ -S "session successfully restored from ticket" \ @@ -250,8 +267,8 @@ run_test "Session resume using cache #5 (timemout > delay)" \ -c "a session has been resumed" run_test "Session resume using cache #6 (timeout < delay)" \ - "debug_level=4 tickets=0 cache_timeout=1" \ - "debug_level=4 tickets=0 reconnect=1 reco_delay=2" \ + "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \ 0 \ -S "session successfully restored from cache" \ -S "session successfully restored from ticket" \ @@ -259,8 +276,8 @@ run_test "Session resume using cache #6 (timeout < delay)" \ -C "a session has been resumed" run_test "Session resume using cache #7 (no timeout)" \ - "debug_level=4 tickets=0 cache_timeout=0" \ - "debug_level=4 tickets=0 reconnect=1 reco_delay=2" \ + "$P_SRV debug_level=4 tickets=0 cache_timeout=0" \ + "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \ 0 \ -s "session successfully restored from cache" \ -S "session successfully restored from ticket" \ @@ -270,8 +287,8 @@ run_test "Session resume using cache #7 (no timeout)" \ # Tests for Max Fragment Length extension run_test "Max fragment length #1" \ - "debug_level=4" \ - "debug_level=4" \ + "$P_SRV debug_level=4" \ + "$P_CLI debug_level=4" \ 0 \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ @@ -279,8 +296,8 @@ run_test "Max fragment length #1" \ -C "found max_fragment_length extension" run_test "Max fragment length #2" \ - "debug_level=4" \ - "debug_level=4 max_frag_len=4096" \ + "$P_SRV debug_level=4" \ + "$P_CLI debug_level=4 max_frag_len=4096" \ 0 \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ @@ -288,8 +305,8 @@ run_test "Max fragment length #2" \ -c "found max_fragment_length extension" run_test "Max fragment length #3" \ - "debug_level=4 max_frag_len=4096" \ - "debug_level=4" \ + "$P_SRV debug_level=4 max_frag_len=4096" \ + "$P_CLI debug_level=4" \ 0 \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ @@ -299,8 +316,8 @@ run_test "Max fragment length #3" \ # Tests for renegotiation run_test "Renegotiation #0 (none)" \ - "debug_level=4" \ - "debug_level=4" \ + "$P_SRV debug_level=4" \ + "$P_CLI debug_level=4" \ 0 \ -C "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -312,8 +329,8 @@ run_test "Renegotiation #0 (none)" \ -S "write hello request" run_test "Renegotiation #1 (enabled, client-initiated)" \ - "debug_level=4" \ - "debug_level=4 renegotiate=1" \ + "$P_SRV debug_level=4" \ + "$P_CLI debug_level=4 renegotiate=1" \ 0 \ -c "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -325,8 +342,8 @@ run_test "Renegotiation #1 (enabled, client-initiated)" \ -S "write hello request" run_test "Renegotiation #2 (enabled, server-initiated)" \ - "debug_level=4 renegotiate=1" \ - "debug_level=4" \ + "$P_SRV debug_level=4 renegotiate=1" \ + "$P_CLI debug_level=4" \ 0 \ -c "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -338,8 +355,8 @@ run_test "Renegotiation #2 (enabled, server-initiated)" \ -s "write hello request" run_test "Renegotiation #3 (enabled, double)" \ - "debug_level=4 renegotiate=1" \ - "debug_level=4 renegotiate=1" \ + "$P_SRV debug_level=4 renegotiate=1" \ + "$P_CLI debug_level=4 renegotiate=1" \ 0 \ -c "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -351,8 +368,8 @@ run_test "Renegotiation #3 (enabled, double)" \ -s "write hello request" run_test "Renegotiation #4 (client-initiated, server-rejected)" \ - "debug_level=4 renegotiation=0" \ - "debug_level=4 renegotiate=1" \ + "$P_SRV debug_level=4 renegotiation=0" \ + "$P_CLI debug_level=4 renegotiate=1" \ 1 \ -c "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -364,8 +381,8 @@ run_test "Renegotiation #4 (client-initiated, server-rejected)" \ -S "write hello request" run_test "Renegotiation #5 (server-initiated, client-rejected)" \ - "debug_level=4 renegotiate=1" \ - "debug_level=4 renegotiation=0" \ + "$P_SRV debug_level=4 renegotiate=1" \ + "$P_CLI debug_level=4 renegotiation=0" \ 0 \ -C "client hello, adding renegotiation extension" \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ @@ -381,9 +398,9 @@ run_test "Renegotiation #5 (server-initiated, client-rejected)" \ # Tests for auth_mode run_test "Authentication #1 (server badcert, client required)" \ - "crt_file=data_files/server5-badsign.crt \ + "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ - "debug_level=2 auth_mode=required" \ + "$P_CLI debug_level=2 auth_mode=required" \ 1 \ -c "x509_verify_cert() returned" \ -c "! self-signed or not signed by a trusted CA" \ @@ -391,9 +408,9 @@ run_test "Authentication #1 (server badcert, client required)" \ -c "X509 - Certificate verification failed" run_test "Authentication #2 (server badcert, client optional)" \ - "crt_file=data_files/server5-badsign.crt \ + "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ - "debug_level=2 auth_mode=optional" \ + "$P_CLI debug_level=2 auth_mode=optional" \ 0 \ -c "x509_verify_cert() returned" \ -c "! self-signed or not signed by a trusted CA" \ @@ -401,9 +418,9 @@ run_test "Authentication #2 (server badcert, client optional)" \ -C "X509 - Certificate verification failed" run_test "Authentication #3 (server badcert, client none)" \ - "crt_file=data_files/server5-badsign.crt \ + "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ - "debug_level=2 auth_mode=none" \ + "$P_CLI debug_level=2 auth_mode=none" \ 0 \ -C "x509_verify_cert() returned" \ -C "! self-signed or not signed by a trusted CA" \ @@ -411,8 +428,8 @@ run_test "Authentication #3 (server badcert, client none)" \ -C "X509 - Certificate verification failed" run_test "Authentication #4 (client badcert, server required)" \ - "debug_level=4 auth_mode=required" \ - "debug_level=4 crt_file=data_files/server5-badsign.crt \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ 1 \ -S "skip write certificate request" \ @@ -428,8 +445,8 @@ run_test "Authentication #4 (client badcert, server required)" \ -s "X509 - Certificate verification failed" run_test "Authentication #5 (client badcert, server optional)" \ - "debug_level=4 auth_mode=optional" \ - "debug_level=4 crt_file=data_files/server5-badsign.crt \ + "$P_SRV debug_level=4 auth_mode=optional" \ + "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ 0 \ -S "skip write certificate request" \ @@ -445,8 +462,8 @@ run_test "Authentication #5 (client badcert, server optional)" \ -S "X509 - Certificate verification failed" run_test "Authentication #6 (client badcert, server none)" \ - "debug_level=4 auth_mode=none" \ - "debug_level=4 crt_file=data_files/server5-badsign.crt \ + "$P_SRV debug_level=4 auth_mode=none" \ + "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ 0 \ -s "skip write certificate request" \ @@ -464,9 +481,9 @@ run_test "Authentication #6 (client badcert, server none)" \ # tests for SNI run_test "SNI #0 (no SNI callback)" \ - "debug_level=4 server_addr=127.0.0.1 \ + "$P_SRV debug_level=4 server_addr=127.0.0.1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "debug_level=0 server_addr=127.0.0.1 \ + "$P_CLI debug_level=0 server_addr=127.0.0.1 \ server_name=localhost" \ 0 \ -S "parse ServerName extension" \ @@ -474,10 +491,10 @@ run_test "SNI #0 (no SNI callback)" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" run_test "SNI #1 (matching cert 1)" \ - "debug_level=4 server_addr=127.0.0.1 \ + "$P_SRV debug_level=4 server_addr=127.0.0.1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \ - "debug_level=0 server_addr=127.0.0.1 \ + "$P_CLI debug_level=0 server_addr=127.0.0.1 \ server_name=localhost" \ 0 \ -s "parse ServerName extension" \ @@ -485,10 +502,10 @@ run_test "SNI #1 (matching cert 1)" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" run_test "SNI #2 (matching cert 2)" \ - "debug_level=4 server_addr=127.0.0.1 \ + "$P_SRV debug_level=4 server_addr=127.0.0.1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \ - "debug_level=0 server_addr=127.0.0.1 \ + "$P_CLI debug_level=0 server_addr=127.0.0.1 \ server_name='PolarSSL Server 1'" \ 0 \ -s "parse ServerName extension" \ @@ -496,10 +513,10 @@ run_test "SNI #2 (matching cert 2)" \ -c "subject name *: C=NL, O=PolarSSL, CN=PolarSSL Server 1" run_test "SNI #3 (no matching cert)" \ - "debug_level=4 server_addr=127.0.0.1 \ + "$P_SRV debug_level=4 server_addr=127.0.0.1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \ - "debug_level=0 server_addr=127.0.0.1 \ + "$P_CLI debug_level=0 server_addr=127.0.0.1 \ server_name='PolarSSL Server 2'" \ 1 \ -s "parse ServerName extension" \