From 6b3ec174631d5c1689a742cfb62680122350f66a Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 28 Jun 2018 04:03:10 -0400 Subject: [PATCH 1/5] Added buffer_size and response_size options for ssl-server2. Added appropriate tests. --- programs/ssl/ssl_server2.c | 62 ++++++++++-- tests/ssl-opt.sh | 193 +++++++++++++++++++++++++++++++------ 2 files changed, 219 insertions(+), 36 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cc29b493f..1a57a7994 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -99,6 +99,7 @@ int main( void ) #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" +#define DFL_RESPONSE_SIZE -1 #define DFL_DEBUG_LEVEL 0 #define DFL_NBIO 0 #define DFL_READ_TIMEOUT 0 @@ -166,7 +167,7 @@ int main( void ) * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh * if you change this value to something outside the range <= 100 or > 500 */ -#define IO_BUF_LEN 200 +#define DFL_IO_BUF_LEN 200 #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_FS_IO) @@ -329,6 +330,11 @@ int main( void ) " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " buffer_size=%%d default: 200 \n" \ + " (minimum: 1, max: 16385)\n" \ + " response_size=%%d default: about 152 (basic response)\n" \ + " (minimum: 0, max: 16384)\n" \ + " increases buffer_size if bigger\n"\ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ " read_timeout=%%d default: 0 ms (no timeout)\n" \ @@ -400,6 +406,8 @@ struct options int debug_level; /* level of debugging */ int nbio; /* should I/O be blocking? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ + int response_size; /* pad response with header to requested size */ + uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ const char *ca_path; /* the path with the CA certificate(s) reside */ const char *crt_file; /* the file with the server certificate */ @@ -841,7 +849,7 @@ int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; int version_suites[4][2]; - unsigned char buf[IO_BUF_LEN]; + unsigned char* buf = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -966,9 +974,11 @@ int main( int argc, char *argv[] ) goto exit; } + opt.buffer_size = DFL_IO_BUF_LEN; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; + opt.response_size = DFL_RESPONSE_SIZE; opt.nbio = DFL_NBIO; opt.read_timeout = DFL_READ_TIMEOUT; opt.ca_file = DFL_CA_FILE; @@ -1049,6 +1059,20 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "read_timeout" ) == 0 ) opt.read_timeout = atoi( q ); + else if( strcmp( p, "buffer_size" ) == 0 ) + { + opt.buffer_size = atoi( q ); + if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 ) + goto usage; + } + else if( strcmp( p, "response_size" ) == 0 ) + { + opt.response_size = atoi( q ); + if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + goto usage; + if( opt.buffer_size < opt.response_size ) + opt.buffer_size = opt.response_size; + } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) @@ -1331,6 +1355,13 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif + buf = malloc( opt.buffer_size ); + if( buf == NULL ) + { + mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + ret = 3; + goto exit; + } if( opt.force_ciphersuite[0] > 0 ) { @@ -2219,8 +2250,8 @@ data_exchange: do { int terminated = 0; - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); ret = mbedtls_ssl_read( &ssl, buf, len ); if( ret == MBEDTLS_ERR_SSL_WANT_READ || @@ -2310,8 +2341,8 @@ data_exchange: } else /* Not stream, so datagram */ { - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); do ret = mbedtls_ssl_read( &ssl, buf, len ); while( ret == MBEDTLS_ERR_SSL_WANT_READ || @@ -2371,6 +2402,25 @@ data_exchange: len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) ); + /* Add padding to the response to reach opt.response_size in length */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len < opt.response_size ) + { + memset( buf + len, 'B', opt.response_size - len ); + len += opt.response_size - len; + } + + /* Truncate if response size is smaller than the "natural" size */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len > opt.response_size ) + { + len = opt.response_size; + + /* Still end with \r\n unless that's really not possible */ + if( len >= 2 ) buf[len - 2] = '\r'; + if( len >= 1 ) buf[len - 1] = '\n'; + } + if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ) { for( written = 0, frags = 0; written < len; written += ret, frags++ ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 839c77d9c..ef5aa5b7e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3882,10 +3882,10 @@ run_test "SSLv3 with extensions, server side" \ -S "dumping 'client hello extensions'" \ -S "server hello, total extension length:" -# Test for large packets +# Test for large client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 BlockCipher" \ +run_test "Large client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3894,7 +3894,7 @@ run_test "Large packet SSLv3 BlockCipher" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 StreamCipher" \ +run_test "Large client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -3902,7 +3902,7 @@ run_test "Large packet SSLv3 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher" \ +run_test "Large client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3910,7 +3910,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3918,7 +3918,7 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3927,21 +3927,21 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher" \ +run_test "Large client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3949,7 +3949,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3957,7 +3957,7 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -3965,7 +3965,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher" \ +run_test "Large client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3973,7 +3973,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3981,7 +3981,7 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3989,14 +3989,14 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher" \ +run_test "Large client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4004,7 +4004,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4013,7 +4013,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4021,7 +4021,7 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4029,7 +4029,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher" \ +run_test "Large client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4037,14 +4037,14 @@ run_test "Large packet TLS 1.2 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -4053,7 +4053,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4061,7 +4061,7 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ @@ -4069,7 +4069,7 @@ run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher" \ +run_test "Large client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4077,7 +4077,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4085,7 +4085,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4093,7 +4093,7 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4101,7 +4101,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD" \ +run_test "Large client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ @@ -4109,7 +4109,7 @@ run_test "Large packet TLS 1.2 AEAD" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD shorter tag" \ +run_test "Large client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ @@ -4167,6 +4167,139 @@ run_test "Force an ECC ciphersuite in the server side" \ -c "found supported_point_formats extension" \ -s "server hello, supported_point_formats extension" +# Test for large server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +# Checking next 2 tests logs for 1n-1 split against BEAST too +run_test "Large server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 16384 bytes read" + # Tests for DTLS HelloVerifyRequest run_test "DTLS cookie: enabled" \ From d5ab1883b7f4713aa85653e13ee76d93774cad07 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 19 Jun 2018 09:37:30 -0400 Subject: [PATCH 2/5] Add missing large and small packet tests for ssl_server2 --- tests/ssl-opt.sh | 486 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 443 insertions(+), 43 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ef5aa5b7e..0f804af29 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3583,10 +3583,10 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \ 0 \ -s "Read from client: 500 bytes read (.*+.*)" -# Tests for small packets +# Tests for small client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 BlockCipher" \ +run_test "Small client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3594,21 +3594,21 @@ run_test "Small packet SSLv3 BlockCipher" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 StreamCipher" \ +run_test "Small client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher" \ +run_test "Small client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3616,7 +3616,7 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3624,21 +3624,21 @@ run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher" \ +run_test "Small client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3646,7 +3646,7 @@ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3654,21 +3654,21 @@ run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher" \ +run_test "Small client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ @@ -3676,7 +3676,7 @@ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3684,21 +3684,21 @@ run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher" \ +run_test "Small client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3706,7 +3706,7 @@ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3714,28 +3714,28 @@ run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher" \ +run_test "Small client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -3743,7 +3743,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3751,21 +3751,21 @@ run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher" \ +run_test "Small client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3773,7 +3773,7 @@ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3781,31 +3781,31 @@ run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD" \ +run_test "Small client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD shorter tag" \ +run_test "Small client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -s "Read from client: 1 bytes read" -# Tests for small packets in DTLS +# Tests for small client packets in DTLS requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0" \ +run_test "Small client packet DTLS 1.0" \ "$P_SRV dtls=1 force_version=dtls1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3813,7 +3813,7 @@ run_test "Small packet DTLS 1.0" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0, without EtM" \ +run_test "Small client packet DTLS 1.0, without EtM" \ "$P_SRV dtls=1 force_version=dtls1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3822,7 +3822,7 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, truncated hmac" \ +run_test "Small client packet DTLS 1.0, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3831,7 +3831,7 @@ run_test "Small packet DTLS 1.0, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ @@ -3839,7 +3839,7 @@ run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2" \ +run_test "Small client packet DTLS 1.2" \ "$P_SRV dtls=1 force_version=dtls1_2" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3847,7 +3847,7 @@ run_test "Small packet DTLS 1.2" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2, without EtM" \ +run_test "Small client packet DTLS 1.2, without EtM" \ "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3856,7 +3856,7 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, truncated hmac" \ +run_test "Small client packet DTLS 1.2, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3865,13 +3865,302 @@ run_test "Small packet DTLS 1.2, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" +# Tests for small server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=1 min_version=ssl3" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 1 bytes read" + +# Tests for small server packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -4195,6 +4484,15 @@ run_test "Large server packet TLS 1.0 BlockCipher" \ -c "16383 bytes read"\ -C "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV response_size=16384" \ @@ -4213,6 +4511,41 @@ run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" run_test "Large server packet TLS 1.1 BlockCipher" \ @@ -4222,11 +4555,12 @@ run_test "Large server packet TLS 1.1 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" -run_test "Large server packet TLS 1.1 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4238,6 +4572,30 @@ run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4247,6 +4605,14 @@ run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4254,6 +4620,14 @@ run_test "Large server packet TLS 1.2 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4270,11 +4644,28 @@ run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 StreamCipher" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4286,6 +4677,15 @@ run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 AEAD" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ From fb764931ee89a7db111b66f1f01a18357ba93327 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 07:07:55 -0400 Subject: [PATCH 3/5] ssl_server2: add buffer overhead for a termination character Switch to mbedtls style of memory allocation --- programs/ssl/ssl_server2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1a57a7994..6736bcc4a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1355,7 +1355,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - buf = malloc( opt.buffer_size ); + buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); @@ -2545,6 +2545,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif + mbedtls_free(buf); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 0d50aeb4d41b8d10323d2bcc3a321b1d341620b5 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 08:17:04 -0400 Subject: [PATCH 4/5] Remove trailing whitespace --- programs/ssl/ssl_server2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 6736bcc4a..a770f1b89 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1358,7 +1358,7 @@ int main( int argc, char *argv[] ) buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { - mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size ); ret = 3; goto exit; } @@ -2545,7 +2545,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif - mbedtls_free(buf); + mbedtls_free( buf ); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 77798b9f2d759140b1f0f87d95edd60b5fcc06bd Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Aug 2018 08:00:13 -0400 Subject: [PATCH 5/5] ssl-opt.sh: change expected output for large srv packet test with SSLv3 This test also exercises a protection against BEAST and should expect message splitting. --- tests/ssl-opt.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0f804af29..7a3abda3c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4457,15 +4457,6 @@ run_test "Force an ECC ciphersuite in the server side" \ -s "server hello, supported_point_formats extension" # Test for large server packets - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large server packet SSLv3 BlockCipher" \ - "$P_SRV response_size=16384 min_version=ssl3" \ - "$P_CLI force_version=ssl3 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 StreamCipher" \ "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4474,7 +4465,17 @@ run_test "Large server packet SSLv3 StreamCipher" \ 0 \ -c "Read from server: 16384 bytes read" -# Checking next 2 tests logs for 1n-1 split against BEAST too +# Checking next 4 tests logs for 1n-1 split against BEAST too +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.0 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1 recsplit=0 \