From 30fae8ee7dc247116da968aa07d8164eaa6f07af Mon Sep 17 00:00:00 2001
From: Jaeden Amero
Date: Thu, 20 Dec 2018 17:44:21 +0000
Subject: [PATCH 01/19] programs/Makefile: List all programs one by one
This makes it easier to add or remove programs as well as see which programs were added or removed in diffs.
---
 programs/Makefile | 81 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 52 insertions(+), 29 deletions(-)
diff --git a/programs/Makefile b/programs/Makefile
index 58358e5d9..07599149c 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -47,35 +47,58 @@ ifdef ZLIB LOCAL_LDFLAGS += -lz endif -APPS = aes/aescrypt2$(EXEXT) aes/crypt_and_hash$(EXEXT) \ - hash/hello$(EXEXT) hash/generic_sum$(EXEXT) \ - pkey/dh_genprime$(EXEXT) \ - pkey/ecdh_curve25519$(EXEXT) \ - pkey/ecdsa$(EXEXT) pkey/gen_key$(EXEXT) \ - pkey/key_app$(EXEXT) pkey/key_app_writer$(EXEXT) \ - pkey/mpi_demo$(EXEXT) pkey/pk_decrypt$(EXEXT) \ - pkey/pk_encrypt$(EXEXT) pkey/pk_sign$(EXEXT) \ - pkey/pk_verify$(EXEXT) pkey/rsa_genkey$(EXEXT) \ - pkey/rsa_decrypt$(EXEXT) pkey/rsa_encrypt$(EXEXT) \ - pkey/rsa_sign$(EXEXT) pkey/rsa_verify$(EXEXT) \ - pkey/rsa_sign_pss$(EXEXT) pkey/rsa_verify_pss$(EXEXT) \ - psa/crypto_examples$(EXEXT) \ - psa/key_ladder_demo$(EXEXT) psa/psa_constant_names$(EXEXT) \ - ssl/dtls_client$(EXEXT) ssl/dtls_server$(EXEXT) \ - ssl/ssl_client1$(EXEXT) ssl/ssl_client2$(EXEXT) \ - ssl/ssl_server$(EXEXT) ssl/ssl_server2$(EXEXT) \ - ssl/ssl_fork_server$(EXEXT) ssl/mini_client$(EXEXT) \ - ssl/ssl_mail_client$(EXEXT) random/gen_entropy$(EXEXT) \ - random/gen_random_havege$(EXEXT) \ - random/gen_random_ctr_drbg$(EXEXT) \ - test/ssl_cert_test$(EXEXT) test/benchmark$(EXEXT) \ - test/selftest$(EXEXT) test/udp_proxy$(EXEXT) \ - test/zeroize$(EXEXT) \ - test/query_compile_time_config$(EXEXT) \ - util/pem2der$(EXEXT) util/strerror$(EXEXT) \ - x509/cert_app$(EXEXT) x509/crl_app$(EXEXT) \ - x509/cert_req$(EXEXT) x509/cert_write$(EXEXT) \ - x509/req_app$(EXEXT) +APPS = \ + aes/aescrypt2$(EXEXT) \ + aes/crypt_and_hash$(EXEXT) \ + hash/hello$(EXEXT) \ + hash/generic_sum$(EXEXT) \ + pkey/dh_genprime$(EXEXT) \ + pkey/ecdh_curve25519$(EXEXT) \ + pkey/ecdsa$(EXEXT) \ + pkey/gen_key$(EXEXT) \ + pkey/key_app$(EXEXT) \ + pkey/key_app_writer$(EXEXT) \ + pkey/mpi_demo$(EXEXT) \ + pkey/pk_decrypt$(EXEXT) \ + pkey/pk_encrypt$(EXEXT) \ + pkey/pk_sign$(EXEXT) \ + pkey/pk_verify$(EXEXT) \ + pkey/rsa_genkey$(EXEXT) \ + pkey/rsa_decrypt$(EXEXT) \ + pkey/rsa_encrypt$(EXEXT) \ + pkey/rsa_sign$(EXEXT) \ + pkey/rsa_verify$(EXEXT) \ + 
pkey/rsa_sign_pss$(EXEXT) \ + pkey/rsa_verify_pss$(EXEXT) \ + psa/crypto_examples$(EXEXT) \ + psa/key_ladder_demo$(EXEXT) \ + psa/psa_constant_names$(EXEXT) \ + ssl/dtls_client$(EXEXT) \ + ssl/dtls_server$(EXEXT) \ + ssl/ssl_client1$(EXEXT) \ + ssl/ssl_client2$(EXEXT) \ + ssl/ssl_server$(EXEXT) \ + ssl/ssl_server2$(EXEXT) \ + ssl/ssl_fork_server$(EXEXT) \ + ssl/mini_client$(EXEXT) \ + ssl/ssl_mail_client$(EXEXT) \ + random/gen_entropy$(EXEXT) \ + random/gen_random_havege$(EXEXT) \ + random/gen_random_ctr_drbg$(EXEXT) \ + test/ssl_cert_test$(EXEXT) \ + test/benchmark$(EXEXT) \ + test/selftest$(EXEXT) \ + test/udp_proxy$(EXEXT) \ + test/zeroize$(EXEXT) \ + test/query_compile_time_config$(EXEXT) \ + util/pem2der$(EXEXT) \ + util/strerror$(EXEXT) \ + x509/cert_app$(EXEXT) \ + x509/crl_app$(EXEXT) \ + x509/cert_req$(EXEXT) \ + x509/cert_write$(EXEXT) \ + x509/req_app$(EXEXT) \ +# End of APPS ifdef PTHREAD APPS += ssl/ssl_pthread_server$(EXEXT) From bce557dbb956f399d720a93bdb65e3cca6e7fde6 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 22 Feb 2019 16:34:57 +0000 Subject: [PATCH 02/19] configs: Update example PSA config Our default configuration file, include/mbedtls/config.h, should always match configs/config-psa-crypto.h. It had gotten out of sync, so put it back into sync. --- configs/config-psa-crypto.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index fa1d3cf07..097361ade 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h 
@@ -1156,6 +1156,21 @@ */ //#define MBEDTLS_PSA_HAS_ITS_IO +/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER + * + * In PSA key storage, encode the owner of the key. + * + * This is only meaningful when building the library as part of a + * multi-client service. When you activate this option, you must provide + * an implementation of the type psa_key_owner_id_t and a translation + * from psa_key_file_id_t to file name in all the storage backends that + * you wish to support. + * + * Note that this option is meant for internal use only and may be removed + * without notice. + */ +//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER + /** * \def MBEDTLS_MEMORY_DEBUG * From 95666b78acb3fb04cbc8bb385411e345f64c55ea Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 22 Feb 2019 16:57:56 +0000 Subject: [PATCH 03/19] pkey/rsa_genkey: Remove commented out code There is some commented out X.509 certificate writing code present in rsa_genkey. It looks like it has been commented out since the beginning of time. Let's remove it, since commented out code is not in good style. --- programs/pkey/rsa_genkey.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index 81867ee9e..b46c89824 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -160,19 +160,6 @@ int main( void ) mbedtls_printf( " failed\n ! mbedtls_mpi_write_file returned %d\n\n", ret ); goto exit; } -/* - mbedtls_printf( " ok\n . Generating the certificate..." ); - - x509write_init_raw( &cert ); - x509write_add_pubkey( &cert, &rsa ); - x509write_add_subject( &cert, "CN='localhost'" ); - x509write_add_validity( &cert, "2007-09-06 17:00:32", - "2010-09-06 17:00:32" ); - x509write_create_selfsign( &cert, &rsa ); - x509write_crtfile( &cert, "cert.der", X509_OUTPUT_DER ); - x509write_crtfile( &cert, "cert.pem", X509_OUTPUT_PEM ); - x509write_free_raw( &cert ); -*/ mbedtls_printf( " ok\n\n" ); exit_code = MBEDTLS_EXIT_SUCCESS; 
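Review bot: In configs/config-psa-crypto.h the new `MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER` block is a plain `/* ... */` comment with no `\def` line, unlike the `/** \def MBEDTLS_MEMORY_DEBUG` block directly below it, so Doxygen will presumably not list the option. If that is deliberate because the option is internal, a line such as ` * (Deliberately not a Doxygen comment: internal option.)` would stop a later cleanup from converting it. The text also does not say how keys belonging to different clients are kept apart when the option is left off, which is what an integrator of a multi-client service needs to know before deciding; one sentence on that would help. Since the commit message requires this file to match include/mbedtls/config.h, any rewording has to be made in both files.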
From 47a3635fc7107c7d838816475c6c816d9b47f047 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 10:49:14 +0000 Subject: [PATCH 04/19] selftest: Remove X.509 selftest --- programs/test/selftest.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 9d3ea7ec0..fac7e9204 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -51,7 +51,6 @@ #include "mbedtls/base64.h" #include "mbedtls/bignum.h" #include "mbedtls/rsa.h" -#include "mbedtls/x509.h" #include "mbedtls/xtea.h" #include "mbedtls/pkcs5.h" #include "mbedtls/ecp.h" @@ -245,9 +244,6 @@ const selftest_t selftests[] = #if defined(MBEDTLS_RSA_C) {"rsa", mbedtls_rsa_self_test}, #endif -#if defined(MBEDTLS_X509_USE_C) - {"x509", mbedtls_x509_self_test}, -#endif #if defined(MBEDTLS_XTEA_C) {"xtea", mbedtls_xtea_self_test}, #endif From bf564c77fa97e67ac577d28258918ba29cde6af3 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 26 Oct 2018 16:55:14 +0100 Subject: [PATCH 05/19] pkey: Remove dependency on X.509 --- programs/pkey/key_app.c | 2 +- programs/pkey/rsa_genkey.c | 1 - programs/pkey/rsa_sign_pss.c | 2 +- programs/pkey/rsa_verify_pss.c | 1 - 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c index 0bd61e481..b4860fe04 100644 --- a/programs/pkey/key_app.c +++ b/programs/pkey/key_app.c @@ -40,7 +40,7 @@ defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO) #include "mbedtls/error.h" #include "mbedtls/rsa.h" -#include "mbedtls/x509.h" +#include "mbedtls/pk.h" #include #endif diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index b46c89824..c66f4e7bd 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -42,7 +42,6 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/bignum.h" -#include "mbedtls/x509.h" #include "mbedtls/rsa.h" #include 
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 51317457b..cb69fa6ed 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -55,7 +55,7 @@ int main( void ) #include "mbedtls/ctr_drbg.h" #include "mbedtls/md.h" #include "mbedtls/rsa.h" -#include "mbedtls/x509.h" +#include "mbedtls/pk.h" #include #include diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 34122ca4f..d745274bf 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -55,7 +55,6 @@ int main( void ) #include "mbedtls/pem.h" #include "mbedtls/pk.h" #include "mbedtls/md.h" -#include "mbedtls/x509.h" #include #include From ebbc5f7940e5271d3cdd31818119d558ba040155 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 22 Feb 2019 16:52:44 +0000 Subject: [PATCH 06/19] md: Remove dependency on X.509 --- library/md.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/md.c b/library/md.c index 303cdcbee..ac8fac5bb 100644 --- a/library/md.c +++ b/library/md.c @@ -50,7 +50,7 @@ #endif /* - * Reminder: update profiles in x509_crt.c when adding a new hash! + * Reminder: update profiles in Mbed TLS's x509_crt.c when adding a new hash! */ static const int supported_digests[] = { From de0a41b716ae4d9e938236771d49a880480eb66e Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 18:40:14 +0000 Subject: [PATCH 07/19] ecp: Remove dependency on TLS and X.509 --- configs/config-psa-crypto.h | 10 +++++----- include/mbedtls/config.h | 10 +++++----- include/mbedtls/ecp.h | 24 ++++++++++++------------ library/ecp.c | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 097361ade..a8e06348b 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h 
@@ -726,11 +726,11 @@ * Enable "non-blocking" ECC operations that can return early and be resumed. * * This allows various functions to pause by returning - * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in - * order to further progress and eventually complete their operation. This is - * controlled through mbedtls_ecp_set_max_ops() which limits the maximum - * number of ECC operations a function may perform before pausing; see + * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in Mbed TLS's SSL module, + * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in order + * to further progress and eventually complete their operation. This is + * controlled through mbedtls_ecp_set_max_ops() which limits the maximum number + * of ECC operations a function may perform before pausing; see * mbedtls_ecp_set_max_ops() for more information. * * This is useful in non-threaded environments if you want to avoid blocking diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f17381efa..7f96e50cf 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
@@ -746,11 +746,11 @@ * Enable "non-blocking" ECC operations that can return early and be resumed. * * This allows various functions to pause by returning - * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module, - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in - * order to further progress and eventually complete their operation. This is - * controlled through mbedtls_ecp_set_max_ops() which limits the maximum - * number of ECC operations a function may perform before pausing; see + * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in Mbed TLS's SSL module, + * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in order + * to further progress and eventually complete their operation. This is + * controlled through mbedtls_ecp_set_max_ops() which limits the maximum number + * of ECC operations a function may perform before pausing; see * mbedtls_ecp_set_max_ops() for more information. * * This is useful in non-threaded environments if you want to avoid blocking diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 24017780d..1bc85909b 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h 
@@ -365,19 +365,19 @@ mbedtls_ecp_keypair; * same; they must not be used until the function finally * returns 0. * - * This only applies to functions whose documentation - * mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or - * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the - * SSL module). For functions that accept a "restart context" - * argument, passing NULL disables restart and makes the - * function equivalent to the function with the same name + * This only applies to functions whose documentation mentions + * they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or + * `MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS` for functions in the + * Mbed TLS SSL module). For functions that accept a "restart + * context" argument, passing NULL disables restart and makes + * the function equivalent to the function with the same name * with \c _restartable removed. For functions in the ECDH - * module, restart is disabled unless the function accepts - * an "ECDH context" argument and - * mbedtls_ecdh_enable_restart() was previously called on - * that context. For function in the SSL module, restart is - * only enabled for specific sides and key exchanges - * (currently only for clients and ECDHE-ECDSA). + * module, restart is disabled unless the function accepts an + * "ECDH context" argument and mbedtls_ecdh_enable_restart() + * was previously called on that context. For function in the + * Mbed TLS SSL module, restart is only enabled for specific + * sides and key exchanges (currently only for clients and + * ECDHE-ECDSA). * * \param max_ops Maximum number of basic operations done in a row. * Default: 0 (unlimited). diff --git a/library/ecp.c b/library/ecp.c index ecea5910e..77bb2c022 100644 --- a/library/ecp.c +++ b/library/ecp.c 
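Review bot: The reference to `MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS` is de-linked in two different ways: this ecp.h hunk wraps it in backticks, while the matching hunks in configs/config-psa-crypto.h and include/mbedtls/config.h leave it as a bare name. Pick one form and use it in all three; the `\c NAME` form already used a few lines later in this comment (`\c _restartable`) would fit. The rewrapped paragraph also carries over the typo "For function in the Mbed TLS SSL module", which should read "For functions in the Mbed TLS SSL module". The module is named "Mbed TLS's SSL module" in the two config files but "the Mbed TLS SSL module" here, so one spelling should be chosen.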
@@ -383,7 +383,7 @@ typedef enum * Curves are listed in order: largest curves first, and for a given size, * fastest curves first. This provides the default order for the SSL module. * - * Reminder: update profiles in x509_crt.c when adding a new curves! + * Reminder: update profiles in Mbed TLS's x509_crt.c when adding new curves! */ static const mbedtls_ecp_curve_info ecp_supported_curves[] = { From ed16ca7b63a13358d62f1ad6882ec60fd92158e3 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 26 Feb 2019 10:39:48 +0000 Subject: [PATCH 08/19] dhm: Remove dependency on TLS --- include/mbedtls/dhm.h | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 2909f5fbc..98cd4e21a 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -350,11 +350,10 @@ int mbedtls_dhm_self_test( int verbose ); #endif /** - * RFC 3526, RFC 5114 and RFC 7919 standardize a number of - * Diffie-Hellman groups, some of which are included here - * for use within the SSL/TLS module and the user's convenience - * when configuring the Diffie-Hellman parameters by hand - * through \c mbedtls_ssl_conf_dh_param. + * RFC 3526, RFC 5114 and RFC 7919 standardize a number of Diffie-Hellman + * groups, some of which are included here for use by Mbed TLS's SSL/TLS module + * and the user's convenience when configuring the Diffie-Hellman parameters by + * hand through Mbed TLS's \c mbedtls_ssl_conf_dh_param. * * The following lists the source of the above groups in the standards: * - RFC 5114 section 2.2: 2048-bit MODP Group with 224-bit Prime Order Subgroup From 9b90f2e294970ade3e4aa94879a19470f2c052e0 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 18:34:17 +0000 Subject: [PATCH 09/19] all.sh: Remove dependency on TLS, NET, and X.509 --- tests/scripts/all.sh | 300 +++---------------------------------------- 1 file changed, 16 insertions(+), 284 deletions(-) 
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 0f3d3ec3c..2806426c1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -38,10 +38,6 @@ # * G++ # * arm-gcc and mingw-gcc # * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc -# * OpenSSL and GnuTLS command line tools, recent enough for the -# interoperability tests. If they don't support SSLv3 then a legacy -# version of these tools must be present as well (search for LEGACY -# below). # See the invocation of check_tools below for details. # # This script must be invoked from the toplevel directory of a git @@ -116,18 +112,10 @@ pre_initialize_variables () { CONFIG_H='include/mbedtls/config.h' CONFIG_BAK="$CONFIG_H.bak" - MEMORY=0 FORCE=0 KEEP_GOING=0 # Default commands, can be overridden by the environment - : ${OPENSSL:="openssl"} - : ${OPENSSL_LEGACY:="$OPENSSL"} - : ${OPENSSL_NEXT:="$OPENSSL"} - : ${GNUTLS_CLI:="gnutls-cli"} - : ${GNUTLS_SERV:="gnutls-serv"} - : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"} - : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"} : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build} : ${ARMC5_BIN_DIR:=/usr/bin} : ${ARMC6_BIN_DIR:=/usr/bin} @@ -207,13 +195,6 @@ General options: Tool path options: --armc5-bin-dir= ARM Compiler 5 bin directory. --armc6-bin-dir= ARM Compiler 6 bin directory. - --gnutls-cli= GnuTLS client executable to use for most tests. - --gnutls-serv= GnuTLS server executable to use for most tests. - --gnutls-legacy-cli= GnuTLS client executable to use for legacy tests. - --gnutls-legacy-serv= GnuTLS server executable to use for legacy tests. - --openssl= OpenSSL executable to use for most tests. - --openssl-legacy= OpenSSL executable to use for legacy tests e.g. SSLv3. - --openssl-next= OpenSSL executable to use for recent things like ARIA EOF } 
@@ -310,6 +291,9 @@ pre_parse_command_line () { all_except=0 no_armcc= + # Note that legacy options are ignored instead of being omitted from this + # list of options, so invocations that worked with previous version of + # all.sh will still run and work properly. while [ $# -gt 0 ]; do case "$1" in --armcc) no_armcc=;; @@ -317,26 +301,26 @@ pre_parse_command_line () { --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";; --except) all_except=1;; --force|-f) FORCE=1;; - --gnutls-cli) shift; GNUTLS_CLI="$1";; - --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";; - --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";; - --gnutls-serv) shift; GNUTLS_SERV="$1";; + --gnutls-cli) shift;; + --gnutls-legacy-cli) shift;; + --gnutls-legacy-serv) shift;; + --gnutls-serv) shift;; --help|-h) usage; exit;; --keep-going|-k) KEEP_GOING=1;; --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;; --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;; - --memory|-m) MEMORY=1;; + --memory|-m) ;; --no-armcc) no_armcc=1;; --no-force) FORCE=0;; --no-keep-going) KEEP_GOING=0;; - --no-memory) MEMORY=0;; - --openssl) shift; OPENSSL="$1";; - --openssl-legacy) shift; OPENSSL_LEGACY="$1";; - --openssl-next) shift; OPENSSL_NEXT="$1";; + --no-memory) ;; + --openssl) shift;; + --openssl-legacy) shift;; + --openssl-next) shift;; --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";; - --random-seed) unset SEED;; - --release-test|-r) SEED=1;; - --seed|-s) shift; SEED="$1";; + --random-seed) ;; + --release-test|-r) ;; + --seed|-s) shift;; -*) echo >&2 "Unknown option: $1" echo >&2 "Run $0 --help for usage." 
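Review bot: The legacy options in the second hunk of `pre_parse_command_line` (`--memory|-m`, `--seed|-s`, `--release-test|-r`, `--random-seed`, and the `--openssl*` / `--gnutls-*` family) are now consumed without any output, so a CI job that still passes `--memory` or `--seed 1` exits 0 while running fewer checks than its command line implies. Keeping old invocations working is reasonable, but each ignored arm should say so on stderr, for example `--memory|-m) echo >&2 "$0: warning: $1 is no longer supported and is ignored";;`, with the same `echo` placed before the `shift` in the arms that take a value. The added comment should read "previous versions of all.sh". The `while`/`case` continues outside the hunk. Whether `usage` still advertises `--memory`, `--seed` and `--release-test` is not visible here, since the help-text hunk removes only the tool-path options, so that is worth checking.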
@@ -469,16 +453,7 @@ not() { pre_print_configuration () { msg "info: $0 configuration" - echo "MEMORY: $MEMORY" echo "FORCE: $FORCE" - echo "SEED: ${SEED-"UNSET"}" - echo "OPENSSL: $OPENSSL" - echo "OPENSSL_LEGACY: $OPENSSL_LEGACY" - echo "OPENSSL_NEXT: $OPENSSL_NEXT" - echo "GNUTLS_CLI: $GNUTLS_CLI" - echo "GNUTLS_SERV: $GNUTLS_SERV" - echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI" - echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV" echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR" echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR" } @@ -488,30 +463,6 @@ pre_check_tools () { # Build the list of variables to pass to output_env.sh. set env - case " $RUN_COMPONENTS " in - # Require OpenSSL and GnuTLS if running any tests (as opposed to - # only doing builds). Not all tests run OpenSSL and GnuTLS, but this - # is a good enough approximation in practice. - *" test_"*) - # To avoid setting OpenSSL and GnuTLS for each call to compat.sh - # and ssl-opt.sh, we just export the variables they require. - export OPENSSL_CMD="$OPENSSL" - export GNUTLS_CLI="$GNUTLS_CLI" - export GNUTLS_SERV="$GNUTLS_SERV" - # Avoid passing --seed flag in every call to ssl-opt.sh - if [ -n "${SEED-}" ]; then - export SEED - fi - set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" - set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV" - set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" - set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" - check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \ - "$GNUTLS_CLI" "$GNUTLS_SERV" \ - "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" - ;; - esac - case " $RUN_COMPONENTS " in *_doxygen[_\ ]*) check_tools "doxygen" "dot";; esac @@ -605,12 +556,6 @@ component_test_default_cmake_gcc_asan () { msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s make test - - msg "test: ssl-opt.sh (ASan build)" # ~ 1 min - if_build_succeeded tests/ssl-opt.sh - - msg "test: compat.sh (ASan build)" # ~ 6 min - if_build_succeeded tests/compat.sh } component_test_ref_configs () { 
@@ -619,36 +564,6 @@ component_test_ref_configs () { record_status tests/scripts/test-ref-configs.pl } -component_test_sslv3 () { - msg "build: Default + SSLv3 (ASan build)" # ~ 6 min - scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min - if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2' - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' - - msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min - if_build_succeeded tests/ssl-opt.sh -} - -component_test_no_renegotiation () { - msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min - scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min - if_build_succeeded tests/ssl-opt.sh -} - component_test_rsa_no_crt () { msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min scripts/config.pl set MBEDTLS_RSA_NO_CRT 
@@ -657,54 +572,6 @@ component_test_rsa_no_crt () { msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s make test - - msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s - if_build_succeeded tests/ssl-opt.sh -f RSA - - msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min - if_build_succeeded tests/compat.sh -t RSA -} - -component_test_small_ssl_out_content_len () { - msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" - if_build_succeeded tests/ssl-opt.sh -f "Max fragment\|Large packet" -} - -component_test_small_ssl_in_content_len () { - msg "build: small SSL_IN_CONTENT_LEN (ASan build)" - scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 4096 - scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" - if_build_succeeded tests/ssl-opt.sh -f "Max fragment" -} - -component_test_small_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" - scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" - if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" -} - -component_test_small_mbedtls_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" - scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 240 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 
- make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" - if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" } component_test_full_cmake_clang () { @@ -719,15 +586,6 @@ component_test_full_cmake_clang () { msg "test: psa_constant_names (full config)" # ~ 1s record_status tests/scripts/test_psa_constant_names.py - - msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s - if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' - - msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' - - msg "test: compat.sh ARIA + ChachaPoly" - if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } component_build_deprecated () { @@ -764,11 +622,6 @@ component_test_depends_pkalgs () { record_status tests/scripts/depends-pkalgs.pl } -component_build_key_exchanges () { - msg "test/build: key-exchanges (gcc)" # ~ 1 min - record_status tests/scripts/key-exchanges.pl -} - component_build_default_make_gcc_and_cxx () { msg "build: Unix make, -Os (gcc)" # ~ 30s make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' 
@@ -793,21 +646,6 @@ component_test_use_psa_crypto_full_cmake_asan() { msg "test: main suites (MBEDTLS_USE_PSA_CRYPTO)" make test - - msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded tests/ssl-opt.sh - - msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded tests/compat.sh - - msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' - - msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' - - msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } component_test_check_params_without_platform () { 
@@ -868,69 +706,6 @@ component_build_no_std_function () { make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' } -component_build_no_ssl_srv () { - msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s - scripts/config.pl full - scripts/config.pl unset MBEDTLS_SSL_SRV_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' -} - -component_build_no_ssl_cli () { - msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s - scripts/config.pl full - scripts/config.pl unset MBEDTLS_SSL_CLI_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' -} - -component_build_no_sockets () { - # Note, C99 compliance can also be tested with the sockets support disabled, - # as that requires a POSIX platform (which isn't the same as C99). - msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s - scripts/config.pl full - scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib -} - -component_test_no_max_fragment_length () { - # Run max fragment length tests with MFL disabled - msg "build: default config except MFL extension (ASan build)" # ~ 30s - scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: ssl-opt.sh, MFL-related tests" - if_build_succeeded tests/ssl-opt.sh -f "Max fragment length" -} - -component_test_asan_remove_peer_certificate () { - msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" - scripts/config.pl unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 
- make - - msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - make test - - msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - if_build_succeeded tests/ssl-opt.sh - - msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - if_build_succeeded tests/compat.sh -} - -component_test_no_max_fragment_length_small_ssl_out_content_len () { - msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MFL tests (disabled MFL extension case) & large packet tests" - if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer" -} - component_test_null_entropy () { msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)" scripts/config.pl set MBEDTLS_TEST_NULL_ENTROPY @@ -1192,15 +967,6 @@ component_build_armcc () { armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a" } -component_test_allow_sha1 () { - msg "build: allow SHA1 in certificates by default" - scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES - make CFLAGS='-Werror -Wall -Wextra' - msg "test: allow SHA1 in certificates by default" - make test - if_build_succeeded tests/ssl-opt.sh -f SHA-1 -} - component_build_mingw () { msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs @@ -1223,16 +989,6 @@ component_test_memsan () { msg "test: main suites (MSan)" # ~ 10s make test - - msg "test: ssl-opt.sh (MSan)" # ~ 1 min - if_build_succeeded tests/ssl-opt.sh - - # Optional part(s) - - if [ "$MEMORY" -gt 0 ]; then - msg "test: compat.sh (MSan)" # ~ 6 min 20s - if_build_succeeded tests/compat.sh - fi } component_test_valgrind () { 
@@ -1242,20 +998,6 @@ component_test_valgrind () { msg "test: main suites valgrind (Release)" make memcheck - - # Optional part(s) - # Currently broken, programs don't seem to receive signals - # under valgrind on OS X - - if [ "$MEMORY" -gt 0 ]; then - msg "test: ssl-opt.sh --memcheck (Release)" - if_build_succeeded tests/ssl-opt.sh --memcheck - fi - - if [ "$MEMORY" -gt 1 ]; then - msg "test: compat.sh --memcheck (Release)" - if_build_succeeded tests/compat.sh --memcheck - fi } component_test_cmake_out_of_source () { @@ -1268,17 +1010,7 @@ component_test_cmake_out_of_source () { msg "test: cmake 'out-of-source' build" make test - # Test an SSL option that requires an auxiliary script in test/scripts/. - # Also ensure that there are no error messages such as - # "No such file or directory", which would indicate that some required - # file is missing (ssl-opt.sh tolerates the absence of some files so - # may exit with status 0 but emit errors). - if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err - if [ -s ssl-opt.err ]; then - cat ssl-opt.err >&2 - record_status [ ! -s ssl-opt.err ] - rm ssl-opt.err - fi + cd "$MBEDTLS_ROOT_DIR" rm -rf "$OUT_OF_SOURCE_DIR" unset MBEDTLS_ROOT_DIR From d8087713aea2bf3d61bb2470a8d74409e74907fb Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Mon, 5 Nov 2018 14:24:29 +0000 Subject: [PATCH 10/19] asn1: Remove dependency on X.509 Doxygen will fail to build if we have references to files that don't exist. Since we are planning on removing X.509 soon, we even need to remove explicit Doxygen references to X.509 things as those will no longer resolve once the X.509 files are deleted. fixup! asn1: Remove dependency on X.509 --- include/mbedtls/asn1.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index 96c1c9a8a..f80acd7e1 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h 
@@ -66,7 +66,7 @@ * - 0x02 -- tag indicating INTEGER * - 0x01 -- length in octets * - 0x05 -- value - * Such sequences are typically read into \c ::mbedtls_x509_buf. + * Such sequences are typically read into Mbed TLS's \c mbedtls_x509_buf. * \{ */ #define MBEDTLS_ASN1_BOOLEAN 0x01 From 03c60de0e034df9d54798bd3d34071184ac2b66a Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 28 Feb 2019 11:37:23 +0000 Subject: [PATCH 11/19] query_config: Move to programs/test As the SSL programs, like ssl_client2 and ssl_server2, are dependent on SSL and therefore about to be removed, the only consumer of query_config is the query_compile_time_config test. As such, it makes sense to move query_config to be next to what uses it. --- programs/Makefile | 12 ++++++------ programs/ssl/CMakeLists.txt | 4 ++-- programs/test/CMakeLists.txt | 2 +- programs/{ssl => test}/query_config.c | 0 scripts/bump_version.sh | 2 +- scripts/generate_query_config.pl | 2 +- scripts/generate_visualc_files.pl | 2 +- tests/scripts/check-generated-files.sh | 2 +- visualc/VS2010/query_compile_time_config.vcxproj | 2 +- visualc/VS2010/ssl_client2.vcxproj | 2 +- visualc/VS2010/ssl_server2.vcxproj | 2 +- 11 files changed, 16 insertions(+), 16 deletions(-) rename programs/{ssl => test}/query_config.c (100%) diff --git a/programs/Makefile b/programs/Makefile index 07599149c..939f4d56c 100644 --- a/programs/Makefile +++ b/programs/Makefile 
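Review bot: The reworded Doxygen line in `include/mbedtls/asn1.h` still names an X.509 type, `mbedtls_x509_buf`, although the commit message says explicit references to X.509 things have to go because they will stop resolving. Dropping the `::` only silences the link; after the X.509 files are removed the comment will point readers at a type they cannot find. If the buffer type declared by this header is what is meant (presumably `mbedtls_asn1_buf`, to be confirmed against the header), `* Such sequences are typically read into \c ::mbedtls_asn1_buf.` keeps the cross-reference resolvable. The comment block starts outside the hunk.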
@@ -249,17 +249,17 @@ ssl/ssl_client1$(EXEXT): ssl/ssl_client1.c $(DEP) echo " CC ssl/ssl_client1.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client1.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ -ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c ssl/query_config.c $(DEP) +ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c test/query_config.c $(DEP) echo " CC ssl/ssl_client2.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ ssl/ssl_server$(EXEXT): ssl/ssl_server.c $(DEP) echo " CC ssl/ssl_server.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ -ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c ssl/query_config.c $(DEP) +ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c test/query_config.c $(DEP) echo " CC ssl/ssl_server2.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ ssl/ssl_fork_server$(EXEXT): ssl/ssl_fork_server.c $(DEP) echo " CC ssl/ssl_fork_server.c" @@ -301,9 +301,9 @@ test/zeroize$(EXEXT): test/zeroize.c $(DEP) echo " CC test/zeroize.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/zeroize.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ -test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c ssl/query_config.c $(DEP) +test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c test/query_config.c $(DEP) echo " CC test/query_compile_time_config.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ util/pem2der$(EXEXT): util/pem2der.c $(DEP) echo " CC util/pem2der.c" 
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index 803920cde..f28a47d87 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -34,14 +34,14 @@ add_executable(ssl_client1 ssl_client1.c) target_link_libraries(ssl_client1 ${libs}) add_executable(ssl_client2 ssl_client2.c) -target_sources(ssl_client2 PUBLIC query_config.c) +target_sources(ssl_client2 PUBLIC ../test/query_config.c) target_link_libraries(ssl_client2 ${libs}) add_executable(ssl_server ssl_server.c) target_link_libraries(ssl_server ${libs}) add_executable(ssl_server2 ssl_server2.c) -target_sources(ssl_server2 PUBLIC query_config.c) +target_sources(ssl_server2 PUBLIC ../test/query_config.c) target_link_libraries(ssl_server2 ${libs}) add_executable(ssl_fork_server ssl_fork_server.c) diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 65ff24948..0c928251d 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -31,7 +31,7 @@ add_executable(zeroize zeroize.c) target_link_libraries(zeroize ${libs}) add_executable(query_compile_time_config query_compile_time_config.c) -target_sources(query_compile_time_config PUBLIC ../ssl/query_config.c) +target_sources(query_compile_time_config PUBLIC query_config.c) target_link_libraries(query_compile_time_config ${libs}) install(TARGETS selftest benchmark ssl_cert_test udp_proxy query_compile_time_config diff --git a/programs/ssl/query_config.c b/programs/test/query_config.c similarity index 100% rename from programs/ssl/query_config.c rename to programs/test/query_config.c diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh index c39a86a5e..cf875c88d 100755 --- a/scripts/bump_version.sh +++ b/scripts/bump_version.sh 
@@ -132,7 +132,7 @@ done [ $VERBOSE ] && echo "Re-generating library/error.c" scripts/generate_errors.pl -[ $VERBOSE ] && echo "Re-generating programs/ssl/query_config.c" +[ $VERBOSE ] && echo "Re-generating programs/test/query_config.c" scripts/generate_query_config.pl [ $VERBOSE ] && echo "Re-generating library/version_features.c" diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index f15e03a35..d94fdad62 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -21,7 +21,7 @@ use strict; my $config_file = "./include/mbedtls/config.h"; my $query_config_format_file = "./scripts/data_files/query_config.fmt"; -my $query_config_file = "./programs/ssl/query_config.c"; +my $query_config_file = "./programs/test/query_config.c"; # Excluded macros from the generated query_config.c. For example, macros that # have commas or function-like macros cannot be transformed into strings easily diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl index 68a1bd40b..42f302428 100755 --- a/scripts/generate_visualc_files.pl +++ b/scripts/generate_visualc_files.pl @@ -98,7 +98,7 @@ sub gen_app { my $srcs = "\n \r"; if( $appname eq "ssl_client2" or $appname eq "ssl_server2" or $appname eq "query_compile_time_config" ) { - $srcs .= "\n \r"; + $srcs .= "\n \r"; } my $content = $template; diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index 065ea33a2..f41e465c3 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -65,6 +65,6 @@ check() } check scripts/generate_errors.pl library/error.c -check scripts/generate_query_config.pl programs/ssl/query_config.c +check scripts/generate_query_config.pl programs/test/query_config.c check scripts/generate_features.pl library/version_features.c check scripts/generate_visualc_files.pl visualc/VS2010 
diff --git a/visualc/VS2010/query_compile_time_config.vcxproj b/visualc/VS2010/query_compile_time_config.vcxproj index 83a29f067..dcb6f32c7 100644 --- a/visualc/VS2010/query_compile_time_config.vcxproj +++ b/visualc/VS2010/query_compile_time_config.vcxproj @@ -20,7 +20,7 @@ - + diff --git a/visualc/VS2010/ssl_client2.vcxproj b/visualc/VS2010/ssl_client2.vcxproj index a960facf0..9b6db7f89 100644 --- a/visualc/VS2010/ssl_client2.vcxproj +++ b/visualc/VS2010/ssl_client2.vcxproj @@ -20,7 +20,7 @@ - + diff --git a/visualc/VS2010/ssl_server2.vcxproj b/visualc/VS2010/ssl_server2.vcxproj index 06a91cb49..9bfe6ce56 100644 --- a/visualc/VS2010/ssl_server2.vcxproj +++ b/visualc/VS2010/ssl_server2.vcxproj @@ -20,7 +20,7 @@ - + From 4c1fdb51292bbe0450dee6f7e3e794fd498635ec Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 21 Feb 2019 13:52:21 +0000 Subject: [PATCH 12/19] cpp_dummy_build: Remove X.509 dependency --- programs/test/cpp_dummy_build.cpp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/programs/test/cpp_dummy_build.cpp b/programs/test/cpp_dummy_build.cpp index c65288404..f5179cf43 100644 --- a/programs/test/cpp_dummy_build.cpp +++ b/programs/test/cpp_dummy_build.cpp @@ -96,10 +96,6 @@ #include "mbedtls/threading.h" #include "mbedtls/timing.h" #include "mbedtls/version.h" -#include "mbedtls/x509.h" -#include "mbedtls/x509_crl.h" -#include "mbedtls/x509_crt.h" -#include "mbedtls/x509_csr.h" #include "mbedtls/xtea.h" #if defined(MBEDTLS_PLATFORM_C) From e23737c618e93c99143bbe8343f3df4c4888ddc8 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Wed, 27 Feb 2019 17:11:22 +0000 Subject: [PATCH 13/19] recursion.pl: Don't depend on X.509 --- tests/scripts/recursion.pl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/scripts/recursion.pl b/tests/scripts/recursion.pl index 431e59211..0c405813c 100755 --- a/tests/scripts/recursion.pl +++ b/tests/scripts/recursion.pl 
@@ -16,8 +16,7 @@ use open qw(:std utf8); # exclude functions that are ok: # - mpi_write_hlp: bounded by size of mbedtls_mpi, a compile-time constant -# - x509_crt_verify_child: bounded by MBEDTLS_X509_MAX_INTERMEDIATE_CA -my $known_ok = qr/mpi_write_hlp|x509_crt_verify_child/; +my $known_ok = qr/mpi_write_hlp/; my $cur_name; my $inside; From fa30c3382d193a47fc28462b29c257070ba60afd Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 21 Dec 2018 18:42:18 +0000 Subject: [PATCH 14/19] programs: psa: Remove dependency on platform.h platform.h should only be used internally by the library implementation itself, not the examples. Remove the dependency on platform.h from all PSA programs. --- programs/psa/crypto_examples.c | 40 +++++------- programs/psa/key_ladder_demo.c | 110 +++++++++++++++------------------ 2 files changed, 66 insertions(+), 84 deletions(-) diff --git a/programs/psa/crypto_examples.c b/programs/psa/crypto_examples.c index 090875613..2f7c4453d 100644 --- a/programs/psa/crypto_examples.c +++ b/programs/psa/crypto_examples.c @@ -1,23 +1,15 @@ #include "psa/crypto.h" #include - -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else #include #include -#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE -#define mbedtls_printf printf -#define mbedtls_exit exit -#endif #define ASSERT( predicate ) \ do \ { \ if( ! ( predicate ) ) \ { \ - mbedtls_printf( "\tassertion failed at %s:%d - '%s'\r\n", \ - __FILE__, __LINE__, #predicate); \ + printf( "\tassertion failed at %s:%d - '%s'\r\n", \ + __FILE__, __LINE__, #predicate); \ goto exit; \ } \ } while ( 0 ) @@ -27,8 +19,8 @@ { \ if( ( actual ) != ( expected ) ) \ { \ - mbedtls_printf( "\tassertion failed at %s:%d - " \ - "actual:%d expected:%d\r\n", __FILE__, __LINE__, \ + printf( "\tassertion failed at %s:%d - " \ + "actual:%d expected:%d\r\n", __FILE__, __LINE__, \ (psa_status_t) actual, (psa_status_t) expected ); \ goto exit; \ } \ 
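Review bot: In the second hunk of `programs/psa/crypto_examples.c` the rewritten `printf` call still casts the bare macro parameters, `(psa_status_t) actual, (psa_status_t) expected`, so the cast binds only to the first operand if a caller ever passes an expression. Because the values go to `%d`, casting the parenthesised parameters to `int`, as the status macro in `key_ladder_demo.c` does with `(int) status`, keeps the format and argument types matched: `(int) ( actual ), (int) ( expected ) );`. The macro also expands `actual` a second time in the failure branch, which matters only if a call expression is passed; none is visible here. The `#define` line of this macro lies outside the hunk.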
@@ -39,10 +31,10 @@ !defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) int main( void ) { - mbedtls_printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or " - "MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR " - "and/or MBEDTLS_CIPHER_MODE_WITH_PADDING " - "not defined.\r\n" ); + printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or " + "MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR " + "and/or MBEDTLS_CIPHER_MODE_WITH_PADDING " + "not defined.\r\n" ); return( 0 ); } #else @@ -311,20 +303,20 @@ static void cipher_examples( void ) { psa_status_t status; - mbedtls_printf( "cipher encrypt/decrypt AES CBC no padding:\r\n" ); + printf( "cipher encrypt/decrypt AES CBC no padding:\r\n" ); status = cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( ); if( status == PSA_SUCCESS ) - mbedtls_printf( "\tsuccess!\r\n" ); + printf( "\tsuccess!\r\n" ); - mbedtls_printf( "cipher encrypt/decrypt AES CBC PKCS7 multipart:\r\n" ); + printf( "cipher encrypt/decrypt AES CBC PKCS7 multipart:\r\n" ); status = cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( ); if( status == PSA_SUCCESS ) - mbedtls_printf( "\tsuccess!\r\n" ); + printf( "\tsuccess!\r\n" ); - mbedtls_printf( "cipher encrypt/decrypt AES CTR multipart:\r\n" ); + printf( "cipher encrypt/decrypt AES CTR multipart:\r\n" ); status = cipher_example_encrypt_decrypt_aes_ctr_multi( ); if( status == PSA_SUCCESS ) - mbedtls_printf( "\tsuccess!\r\n" ); + printf( "\tsuccess!\r\n" ); } #if defined(MBEDTLS_CHECK_PARAMS) @@ -333,9 +325,9 @@ void mbedtls_param_failed( const char *failure_condition, const char *file, int line ) { - mbedtls_printf( "%s:%i: Input param failed - %s\n", + printf( "%s:%i: Input param failed - %s\n", file, line, failure_condition ); - mbedtls_exit( MBEDTLS_EXIT_FAILURE ); + exit( EXIT_FAILURE ); } #endif diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index c9d76763e..23c234753 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c 
@@ -57,17 +57,7 @@ #include MBEDTLS_CONFIG_FILE #endif -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else #include -#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS -#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE -#define mbedtls_calloc calloc -#define mbedtls_free free -#define mbedtls_printf printf -#define mbedtls_exit exit -#endif #include #include @@ -79,9 +69,9 @@ !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) int main( void ) { - mbedtls_printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " - "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " - "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO not defined.\n"); + printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " + "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " + "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO not defined.\n"); return( 0 ); } #else @@ -112,10 +102,10 @@ int main( void ) status = ( expr ); \ if( status != PSA_SUCCESS ) \ { \ - mbedtls_printf( "Error %d at line %u: %s\n", \ - (int) status, \ - __LINE__, \ - #expr ); \ + printf( "Error %d at line %u: %s\n", \ + (int) status, \ + __LINE__, \ + #expr ); \ goto exit; \ } \ } \ @@ -254,8 +244,8 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage, key_file ) ) != 0 ); if( fread( &extra_byte, 1, 1, key_file ) != 0 ) { - mbedtls_printf( "Key file too large (max: %u).\n", - (unsigned) sizeof( key_data ) ); + printf( "Key file too large (max: %u).\n", + (unsigned) sizeof( key_data ) ); status = DEMO_ERROR; goto exit; } @@ -395,7 +385,7 @@ static psa_status_t wrap_data( const char *input_file_name, #if LONG_MAX > SIZE_MAX if( input_position > SIZE_MAX ) { - mbedtls_printf( "Input file too large.\n" ); + printf( "Input file too large.\n" ); status = DEMO_ERROR; goto exit; } 
@@ -405,14 +395,14 @@ static psa_status_t wrap_data( const char *input_file_name, /* Check for integer overflow. */ if( buffer_size < input_size ) { - mbedtls_printf( "Input file too large.\n" ); + printf( "Input file too large.\n" ); status = DEMO_ERROR; goto exit; } /* Load the data to wrap. */ SYS_CHECK( fseek( input_file, 0, SEEK_SET ) == 0 ); - SYS_CHECK( ( buffer = mbedtls_calloc( 1, buffer_size ) ) != NULL ); + SYS_CHECK( ( buffer = calloc( 1, buffer_size ) ) != NULL ); SYS_CHECK( fread( buffer, 1, input_size, input_file ) == input_size ); SYS_CHECK( fclose( input_file ) == 0 ); input_file = NULL; @@ -447,7 +437,7 @@ exit: fclose( output_file ); if( buffer != NULL ) mbedtls_platform_zeroize( buffer, buffer_size ); - mbedtls_free( buffer ); + free( buffer ); return( status ); } @@ -471,13 +461,13 @@ static psa_status_t unwrap_data( const char *input_file_name, if( memcmp( &header.magic, WRAPPED_DATA_MAGIC, WRAPPED_DATA_MAGIC_LENGTH ) != 0 ) { - mbedtls_printf( "The input does not start with a valid magic header.\n" ); + printf( "The input does not start with a valid magic header.\n" ); status = DEMO_ERROR; goto exit; } if( header.ad_size != sizeof( header ) ) { - mbedtls_printf( "The header size is not correct.\n" ); + printf( "The header size is not correct.\n" ); status = DEMO_ERROR; goto exit; } 
@@ -486,18 +476,18 @@ static psa_status_t unwrap_data( const char *input_file_name, /* Check for integer overflow. */ if( ciphertext_size < header.payload_size ) { - mbedtls_printf( "Input file too large.\n" ); + printf( "Input file too large.\n" ); status = DEMO_ERROR; goto exit; } /* Load the payload data. */ - SYS_CHECK( ( buffer = mbedtls_calloc( 1, ciphertext_size ) ) != NULL ); + SYS_CHECK( ( buffer = calloc( 1, ciphertext_size ) ) != NULL ); SYS_CHECK( fread( buffer, 1, ciphertext_size, input_file ) == ciphertext_size ); if( fread( &extra_byte, 1, 1, input_file ) != 0 ) { - mbedtls_printf( "Extra garbage after ciphertext\n" ); + printf( "Extra garbage after ciphertext\n" ); status = DEMO_ERROR; goto exit; } @@ -513,7 +503,7 @@ static psa_status_t unwrap_data( const char *input_file_name, &plaintext_size ) ); if( plaintext_size != header.payload_size ) { - mbedtls_printf( "Incorrect payload size in the header.\n" ); + printf( "Incorrect payload size in the header.\n" ); status = DEMO_ERROR; goto exit; } @@ -532,7 +522,7 @@ exit: fclose( output_file ); if( buffer != NULL ) mbedtls_platform_zeroize( buffer, ciphertext_size ); - mbedtls_free( buffer ); + free( buffer ); return( status ); } 
@@ -600,23 +590,23 @@ exit: static void usage( void ) { - mbedtls_printf( "Usage: key_ladder_demo MODE [OPTION=VALUE]...\n" ); - mbedtls_printf( "Demonstrate the usage of a key derivation ladder.\n" ); - mbedtls_printf( "\n" ); - mbedtls_printf( "Modes:\n" ); - mbedtls_printf( " generate Generate the master key\n" ); - mbedtls_printf( " save Save the derived key\n" ); - mbedtls_printf( " unwrap Unwrap (decrypt) input with the derived key\n" ); - mbedtls_printf( " wrap Wrap (encrypt) input with the derived key\n" ); - mbedtls_printf( "\n" ); - mbedtls_printf( "Options:\n" ); - mbedtls_printf( " input=FILENAME Input file (required for wrap/unwrap)\n" ); - mbedtls_printf( " master=FILENAME File containing the master key (default: master.key)\n" ); - mbedtls_printf( " output=FILENAME Output file (required for save/wrap/unwrap)\n" ); - mbedtls_printf( " label=TEXT Label for the key derivation.\n" ); - mbedtls_printf( " This may be repeated multiple times.\n" ); - mbedtls_printf( " To get the same key, you must use the same master key\n" ); - mbedtls_printf( " and the same sequence of labels.\n" ); + printf( "Usage: key_ladder_demo MODE [OPTION=VALUE]...\n" ); + printf( "Demonstrate the usage of a key derivation ladder.\n" ); + printf( "\n" ); + printf( "Modes:\n" ); + printf( " generate Generate the master key\n" ); + printf( " save Save the derived key\n" ); + printf( " unwrap Unwrap (decrypt) input with the derived key\n" ); + printf( " wrap Wrap (encrypt) input with the derived key\n" ); + printf( "\n" ); + printf( "Options:\n" ); + printf( " input=FILENAME Input file (required for wrap/unwrap)\n" ); + printf( " master=FILENAME File containing the master key (default: master.key)\n" ); + printf( " output=FILENAME Output file (required for save/wrap/unwrap)\n" ); + printf( " label=TEXT Label for the key derivation.\n" ); + printf( " This may be repeated multiple times.\n" ); + printf( " To get the same key, you must use the same master key\n" ); + printf( " and the 
same sequence of labels.\n" ); } #if defined(MBEDTLS_CHECK_PARAMS) @@ -625,9 +615,9 @@ void mbedtls_param_failed( const char *failure_condition, const char *file, int line ) { - mbedtls_printf( "%s:%i: Input param failed - %s\n", + printf( "%s:%i: Input param failed - %s\n", file, line, failure_condition ); - mbedtls_exit( MBEDTLS_EXIT_FAILURE ); + exit( EXIT_FAILURE ); } #endif @@ -648,7 +638,7 @@ int main( int argc, char *argv[] ) strcmp( argv[1], "--help" ) == 0 ) { usage( ); - return( MBEDTLS_EXIT_SUCCESS ); + return( EXIT_SUCCESS ); } for( i = 2; i < argc; i++ ) @@ -656,7 +646,7 @@ int main( int argc, char *argv[] ) char *q = strchr( argv[i], '=' ); if( q == NULL ) { - mbedtls_printf( "Missing argument to option %s\n", argv[i] ); + printf( "Missing argument to option %s\n", argv[i] ); goto usage_failure; } *q = 0; @@ -667,9 +657,9 @@ int main( int argc, char *argv[] ) { if( ladder_depth == MAX_LADDER_DEPTH ) { - mbedtls_printf( "Maximum ladder depth %u exceeded.\n", + printf( "Maximum ladder depth %u exceeded.\n", (unsigned) MAX_LADDER_DEPTH ); - return( MBEDTLS_EXIT_FAILURE ); + return( EXIT_FAILURE ); } ladder[ladder_depth] = q; ++ladder_depth; @@ -680,7 +670,7 @@ int main( int argc, char *argv[] ) output_file_name = q; else { - mbedtls_printf( "Unknown option: %s\n", argv[i] ); + printf( "Unknown option: %s\n", argv[i] ); goto usage_failure; } } 
@@ -695,20 +685,20 @@ int main( int argc, char *argv[] ) mode = MODE_WRAP; else { - mbedtls_printf( "Unknown action: %s\n", argv[1] ); + printf( "Unknown action: %s\n", argv[1] ); goto usage_failure; } if( input_file_name == NULL && ( mode == MODE_WRAP || mode == MODE_UNWRAP ) ) { - mbedtls_printf( "Required argument missing: input\n" ); + printf( "Required argument missing: input\n" ); return( DEMO_ERROR ); } if( output_file_name == NULL && ( mode == MODE_SAVE || mode == MODE_WRAP || mode == MODE_UNWRAP ) ) { - mbedtls_printf( "Required argument missing: output\n" ); + printf( "Required argument missing: output\n" ); return( DEMO_ERROR ); } @@ -716,11 +706,11 @@ int main( int argc, char *argv[] ) ladder, ladder_depth, input_file_name, output_file_name ); return( status == PSA_SUCCESS ? - MBEDTLS_EXIT_SUCCESS : - MBEDTLS_EXIT_FAILURE ); + EXIT_SUCCESS : + EXIT_FAILURE ); usage_failure: usage( ); - return( MBEDTLS_EXIT_FAILURE ); + return( EXIT_FAILURE ); } #endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && MBEDTLS_AES_C && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */ From 2b725ef727583c95eed05e33acdbdc71997a9a9e Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Wed, 19 Dec 2018 18:17:29 +0000 Subject: [PATCH 15/19] cpp_dummy_build: Remove dependency on compat-1.3.h --- programs/test/cpp_dummy_build.cpp | 1 - 1 file changed, 1 deletion(-) diff --git a/programs/test/cpp_dummy_build.cpp b/programs/test/cpp_dummy_build.cpp index f5179cf43..f94331794 100644 --- a/programs/test/cpp_dummy_build.cpp +++ b/programs/test/cpp_dummy_build.cpp @@ -45,7 +45,6 @@ #include "mbedtls/cipher.h" #include "mbedtls/cipher_internal.h" #include "mbedtls/cmac.h" -#include "mbedtls/compat-1.3.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/debug.h" #include "mbedtls/des.h" From 9afb2e992136db3fae9a669c3faaf6d5d27602a8 Mon Sep 17 00:00:00 2001 
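Review bot: The two `Required argument missing` branches in `main` of `programs/psa/key_ladder_demo.c` still `return( DEMO_ERROR )`, while every other failure path touched by this patch now returns `EXIT_FAILURE` or jumps to `usage_failure`. Elsewhere on this page `DEMO_ERROR` is assigned to `status`, so it looks like a PSA-style status value rather than a process exit code. Its definition is not visible in the patch. Replacing both returns with `goto usage_failure;` would print the usage text and exit with `EXIT_FAILURE`, matching the unknown-option and unknown-action cases. `main` starts outside this hunk.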
From: Jaeden Amero Date: Fri, 2 Nov 2018 10:51:09 +0000 Subject: [PATCH 16/19] Remove tests that depend on TLS or X.509 --- .travis.yml | 5 - CMakeLists.txt | 2 - Makefile | 2 - configs/config-mini-tls1_1.h | 3 - configs/config-thread.h | 4 - include/CMakeLists.txt | 2 +- scripts/output_env.sh | 37 - tests/CMakeLists.txt | 6 - tests/Descriptions.txt | 14 +- tests/compat.sh | 1414 ---- tests/scripts/basic-build-test.sh | 87 +- tests/scripts/key-exchanges.pl | 62 - tests/scripts/tcp_client.pl | 86 - tests/scripts/test-ref-configs.pl | 32 +- tests/scripts/travis-log-failure.sh | 36 - tests/ssl-opt.sh | 7707 -------------------- tests/suites/test_suite_debug.data | 64 - tests/suites/test_suite_debug.function | 195 - tests/suites/test_suite_ssl.data | 59 - tests/suites/test_suite_ssl.function | 54 - tests/suites/test_suite_x509parse.data | 1995 ----- tests/suites/test_suite_x509parse.function | 861 --- tests/suites/test_suite_x509write.data | 105 - tests/suites/test_suite_x509write.function | 338 - 24 files changed, 4 insertions(+), 13166 deletions(-) delete mode 100755 tests/compat.sh delete mode 100755 tests/scripts/key-exchanges.pl delete mode 100755 tests/scripts/tcp_client.pl delete mode 100755 tests/scripts/travis-log-failure.sh delete mode 100755 tests/ssl-opt.sh delete mode 100644 tests/suites/test_suite_debug.data delete mode 100644 tests/suites/test_suite_debug.function delete mode 100644 tests/suites/test_suite_ssl.data delete mode 100644 tests/suites/test_suite_ssl.function delete mode 100644 tests/suites/test_suite_x509parse.data delete mode 100644 tests/suites/test_suite_x509parse.function delete mode 100644 tests/suites/test_suite_x509write.data delete mode 100644 tests/suites/test_suite_x509write.function diff --git a/.travis.yml b/.travis.yml index bd5e750ba..fe3c1ec29 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -22,13 +22,8 @@ script: - make - make test - programs/test/selftest -- OSSL_NO_DTLS=1 tests/compat.sh -- tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' --seed 4 - tests/scripts/test-ref-configs.pl - tests/scripts/curves.pl -- tests/scripts/key-exchanges.pl -after_failure: -- tests/scripts/travis-log-failure.sh env: global: secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k=" diff --git a/CMakeLists.txt b/CMakeLists.txt index 11efd87e4..feca4abaf 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -200,8 +200,6 @@ if(ENABLE_TESTING) ADD_CUSTOM_TARGET(covtest COMMAND make test COMMAND programs/test/selftest - COMMAND tests/compat.sh - COMMAND tests/ssl-opt.sh ) ADD_CUSTOM_TARGET(lcov diff --git a/Makefile b/Makefile index f32641a22..12d300820 100644 --- a/Makefile +++ b/Makefile @@ -102,8 +102,6 @@ ifndef WINDOWS covtest: $(MAKE) check programs/test/selftest - tests/compat.sh - tests/ssl-opt.sh lcov: rm -rf Coverage diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h index 013bc0300..d4743bb22 100644 --- a/configs/config-mini-tls1_1.h +++ b/configs/config-mini-tls1_1.h @@ -70,9 +70,6 @@ #define MBEDTLS_CERTS_C #define MBEDTLS_PEM_PARSE_C -/* For testing with compat.sh */ -#define MBEDTLS_FS_IO - #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/configs/config-thread.h b/configs/config-thread.h index 25db16bf0..f729a0381 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -75,10 +75,6 @@ #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C -/* For tests using ssl-opt.sh */ -#define MBEDTLS_NET_C -#define MBEDTLS_TIMING_C - /* Save RAM at the expense of ROM */ #define MBEDTLS_AES_ROM_TABLES diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt index 462127176..dac97f44e 100644 --- a/include/CMakeLists.txt +++ b/include/CMakeLists.txt 
@@ -15,7 +15,7 @@ if(INSTALL_MBEDTLS_HEADERS) endif(INSTALL_MBEDTLS_HEADERS) -# Make config.h available in an out-of-source build. ssl-opt.sh requires it. +# Make config.h available in an out-of-source build. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) link_to_source(mbedtls) link_to_source(psa) diff --git a/scripts/output_env.sh b/scripts/output_env.sh index c809d46fe..132963c04 100755 --- a/scripts/output_env.sh +++ b/scripts/output_env.sh @@ -15,7 +15,6 @@ # - type and version of the operating system # - version of armcc, clang, gcc-arm and gcc compilers # - version of libc, clang, asan and valgrind if installed -# - version of gnuTLS and OpenSSL print_version() { @@ -74,42 +73,6 @@ echo print_version "valgrind" "--version" "valgrind not found!" echo -: ${OPENSSL:=openssl} -print_version "$OPENSSL" "version" "openssl not found!" -echo - -if [ -n "${OPENSSL_LEGACY+set}" ]; then - print_version "$OPENSSL_LEGACY" "version" "openssl legacy version not found!" - echo -fi - -if [ -n "${OPENSSL_NEXT+set}" ]; then - print_version "$OPENSSL_NEXT" "version" "openssl next version not found!" - echo -fi - -: ${GNUTLS_CLI:=gnutls-cli} -print_version "$GNUTLS_CLI" "--version" "gnuTLS client not found!" "head -n 1" -echo - -: ${GNUTLS_SERV:=gnutls-serv} -print_version "$GNUTLS_SERV" "--version" "gnuTLS server not found!" "head -n 1" -echo - -if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then - print_version "$GNUTLS_LEGACY_CLI" "--version" \ - "gnuTLS client legacy version not found!" \ - "head -n 1" - echo -fi - -if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then - print_version "$GNUTLS_LEGACY_SERV" "--version" \ - "gnuTLS server legacy version not found!" \ - "head -n 1" - echo -fi - if `hash dpkg > /dev/null 2>&1`; then echo "* asan:" dpkg -s libasan2 2> /dev/null | grep -i version diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 4b46e3dea..4720008c6 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
@@ -89,7 +89,6 @@ add_test_suite(cipher cipher.null) add_test_suite(cipher cipher.padding) add_test_suite(cmac) add_test_suite(ctr_drbg) -add_test_suite(debug) add_test_suite(des) add_test_suite(dhm) add_test_suite(ecdh) @@ -133,20 +132,15 @@ add_test_suite(psa_crypto_persistent_key) add_test_suite(psa_crypto_slot_management) add_test_suite(psa_crypto_storage_file) add_test_suite(shax) -add_test_suite(ssl) add_test_suite(timing) add_test_suite(rsa) add_test_suite(version) add_test_suite(xtea) -add_test_suite(x509parse) -add_test_suite(x509write) # Make scripts and data files needed for testing available in an # out-of-source build. if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR}) - link_to_source(compat.sh) link_to_source(data_files) link_to_source(scripts) - link_to_source(ssl-opt.sh) link_to_source(suites) endif() diff --git a/tests/Descriptions.txt b/tests/Descriptions.txt index 8b13bb39f..3e9b25565 100644 --- a/tests/Descriptions.txt +++ b/tests/Descriptions.txt 
@@ -2,21 +2,9 @@ test_suites The various 'test_suite_XXX' programs from the 'tests' directory, executed using 'make check' (Unix make) or 'make test' (Cmake), include test cases (reference test vectors, sanity checks, malformed input for parsing - functions, etc.) for all modules except the SSL modules. + functions, etc.) for all modules. selftests The 'programs/test/selftest' program runs the 'XXX_self_test()' functions of each individual module. Most of them are included in the respective test suite, but some slower ones are only included here. - -compat - The 'tests/compat.sh' script checks interoperability with OpenSSL and - GnuTLS (and ourselves!) for every common ciphersuite, in every TLS - version, both ways (client/server), using client authentication or not. - For each ciphersuite/version/side/authmode it performs a full handshake - and a small data exchange. - -ssl_opt - The 'tests/ssl-opt.sh' script checks various options and/or operations not - covered by compat.sh: session resumption (using session cache or tickets), - renegotiation, SNI, other extensions, etc. diff --git a/tests/compat.sh b/tests/compat.sh deleted file mode 100755 index 0eae1eab3..000000000 --- a/tests/compat.sh +++ /dev/null 
@@ -1,1414 +0,0 @@ -#!/bin/sh - -# compat.sh -# -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2012-2016, ARM Limited, All Rights Reserved -# -# Purpose -# -# Test interoperbility with OpenSSL, GnuTLS as well as itself. -# -# Check each common ciphersuite, with each version, both ways (client/server), -# with and without client authentication. - -set -u - -# initialise counters -TESTS=0 -FAILED=0 -SKIPPED=0 -SRVMEM=0 - -# default commands, can be overridden by the environment -: ${M_SRV:=../programs/ssl/ssl_server2} -: ${M_CLI:=../programs/ssl/ssl_client2} -: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system -: ${GNUTLS_CLI:=gnutls-cli} -: ${GNUTLS_SERV:=gnutls-serv} - -# do we have a recent enough GnuTLS? -if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then - G_VER="$( $GNUTLS_CLI --version | head -n1 )" - if echo "$G_VER" | grep '@VERSION@' > /dev/null; then # git version - PEER_GNUTLS=" GnuTLS" - else - eval $( echo $G_VER | sed 's/.* \([0-9]*\)\.\([0-9]\)*\.\([0-9]*\)$/MAJOR="\1" MINOR="\2" PATCH="\3"/' ) - if [ $MAJOR -lt 3 -o \ - \( $MAJOR -eq 3 -a $MINOR -lt 2 \) -o \ - \( $MAJOR -eq 3 -a $MINOR -eq 2 -a $PATCH -lt 15 \) ] - then - PEER_GNUTLS="" - else - PEER_GNUTLS=" GnuTLS" - if [ $MINOR -lt 4 ]; then - GNUTLS_MINOR_LT_FOUR='x' - fi - fi - fi -else - PEER_GNUTLS="" -fi - -# default values for options -MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2" -VERIFIES="NO YES" -TYPES="ECDSA RSA PSK" -FILTER="" -# exclude: -# - NULL: excluded from our default config -# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions -# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) -# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1 -# - ChachaPoly: requires OpenSSL >= 1.1.0 -# - 3DES: not in default config -EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' -VERBOSE="" -MEMCHECK=0 -PEERS="OpenSSL$PEER_GNUTLS mbedTLS" - -# hidden option: skip DTLS with OpenSSL -# (travis CI 
has a version that doesn't work for us) -: ${OSSL_NO_DTLS:=0} - -print_usage() { - echo "Usage: $0" - printf " -h|--help\tPrint this help.\n" - printf " -f|--filter\tOnly matching ciphersuites are tested (Default: '$FILTER')\n" - printf " -e|--exclude\tMatching ciphersuites are excluded (Default: '$EXCLUDE')\n" - printf " -m|--modes\tWhich modes to perform (Default: '$MODES')\n" - printf " -t|--types\tWhich key exchange type to perform (Default: '$TYPES')\n" - printf " -V|--verify\tWhich verification modes to perform (Default: '$VERIFIES')\n" - printf " -p|--peers\tWhich peers to use (Default: '$PEERS')\n" - printf " \tAlso available: GnuTLS (needs v3.2.15 or higher)\n" - printf " -M|--memcheck\tCheck memory leaks and errors.\n" - printf " -v|--verbose\tSet verbose output.\n" -} - -get_options() { - while [ $# -gt 0 ]; do - case "$1" in - -f|--filter) - shift; FILTER=$1 - ;; - -e|--exclude) - shift; EXCLUDE=$1 - ;; - -m|--modes) - shift; MODES=$1 - ;; - -t|--types) - shift; TYPES=$1 - ;; - -V|--verify) - shift; VERIFIES=$1 - ;; - -p|--peers) - shift; PEERS=$1 - ;; - -v|--verbose) - VERBOSE=1 - ;; - -M|--memcheck) - MEMCHECK=1 - ;; - -h|--help) - print_usage - exit 0 - ;; - *) - echo "Unknown argument: '$1'" - print_usage - exit 1 - ;; - esac - shift - done - - # sanitize some options (modes checked later) - VERIFIES="$( echo $VERIFIES | tr [a-z] [A-Z] )" - TYPES="$( echo $TYPES | tr [a-z] [A-Z] )" -} - -log() { - if [ "X" != "X$VERBOSE" ]; then - echo "" - echo "$@" - fi -} - -# is_dtls -is_dtls() -{ - test "$1" = "dtls1" -o "$1" = "dtls1_2" -} - -# minor_ver -minor_ver() -{ - case "$1" in - ssl3) - echo 0 - ;; - tls1) - echo 1 - ;; - tls1_1|dtls1) - echo 2 - ;; - tls1_2|dtls1_2) - echo 3 - ;; - *) - echo "error: invalid mode: $MODE" >&2 - # exiting is no good here, typically called in a subshell - echo -1 - esac -} - -filter() -{ - LIST="$1" - NEW_LIST="" - - if is_dtls "$MODE"; then - EXCLMODE="$EXCLUDE"'\|RC4\|ARCFOUR' - else - EXCLMODE="$EXCLUDE" - fi - - for i 
in $LIST; - do - NEW_LIST="$NEW_LIST $( echo "$i" | grep "$FILTER" | grep -v "$EXCLMODE" )" - done - - # normalize whitespace - echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -} - -# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for -# PSK ciphersuites with DTLS, which is incorrect, so disable them for now -check_openssl_server_bug() -{ - if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \ - echo "$1" | grep "^TLS-PSK" >/dev/null; - then - SKIP_NEXT="YES" - fi -} - -filter_ciphersuites() -{ - if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; - then - # Ciphersuite for mbed TLS - M_CIPHERS=$( filter "$M_CIPHERS" ) - - # Ciphersuite for OpenSSL - O_CIPHERS=$( filter "$O_CIPHERS" ) - - # Ciphersuite for GnuTLS - G_CIPHERS=$( filter "$G_CIPHERS" ) - fi - - # OpenSSL 1.0.1h doesn't support DTLS 1.2 - if [ `minor_ver "$MODE"` -ge 3 ] && is_dtls "$MODE"; then - O_CIPHERS="" - case "$PEER" in - [Oo]pen*) - M_CIPHERS="" - ;; - esac - fi - - # For GnuTLS client -> mbed TLS server, - # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails - if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then - G_CIPHERS="" - fi -} - -reset_ciphersuites() -{ - M_CIPHERS="" - O_CIPHERS="" - G_CIPHERS="" -} - -# Ciphersuites that can be used with all peers. -# Since we currently have three possible peers, each ciphersuite should appear -# three times: in each peer's list (with the name that this peer uses). 
-add_common_ciphersuites() -{ - case $TYPE in - - "ECDSA") - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-ECDSA-WITH-NULL-SHA \ - TLS-ECDHE-ECDSA-WITH-RC4-128-SHA \ - TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA \ - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-ECDSA:+NULL:+SHA1 \ - +ECDHE-ECDSA:+ARCFOUR-128:+SHA1 \ - +ECDHE-ECDSA:+3DES-CBC:+SHA1 \ - +ECDHE-ECDSA:+AES-128-CBC:+SHA1 \ - +ECDHE-ECDSA:+AES-256-CBC:+SHA1 \ - " - O_CIPHERS="$O_CIPHERS \ - ECDHE-ECDSA-NULL-SHA \ - ECDHE-ECDSA-RC4-SHA \ - ECDHE-ECDSA-DES-CBC3-SHA \ - ECDHE-ECDSA-AES128-SHA \ - ECDHE-ECDSA-AES256-SHA \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-ECDSA:+AES-128-CBC:+SHA256 \ - +ECDHE-ECDSA:+AES-256-CBC:+SHA384 \ - +ECDHE-ECDSA:+AES-128-GCM:+AEAD \ - +ECDHE-ECDSA:+AES-256-GCM:+AEAD \ - " - O_CIPHERS="$O_CIPHERS \ - ECDHE-ECDSA-AES128-SHA256 \ - ECDHE-ECDSA-AES256-SHA384 \ - ECDHE-ECDSA-AES128-GCM-SHA256 \ - ECDHE-ECDSA-AES256-GCM-SHA384 \ - " - fi - ;; - - "RSA") - M_CIPHERS="$M_CIPHERS \ - TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ - TLS-DHE-RSA-WITH-AES-256-CBC-SHA \ - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA \ - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA \ - TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA \ - TLS-RSA-WITH-AES-256-CBC-SHA \ - TLS-RSA-WITH-CAMELLIA-256-CBC-SHA \ - TLS-RSA-WITH-AES-128-CBC-SHA \ - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA \ - TLS-RSA-WITH-3DES-EDE-CBC-SHA \ - TLS-RSA-WITH-RC4-128-SHA \ - TLS-RSA-WITH-RC4-128-MD5 \ - TLS-RSA-WITH-NULL-MD5 \ - TLS-RSA-WITH-NULL-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +DHE-RSA:+AES-128-CBC:+SHA1 \ - +DHE-RSA:+AES-256-CBC:+SHA1 \ - +DHE-RSA:+CAMELLIA-128-CBC:+SHA1 \ - +DHE-RSA:+CAMELLIA-256-CBC:+SHA1 \ - 
+DHE-RSA:+3DES-CBC:+SHA1 \ - +RSA:+AES-256-CBC:+SHA1 \ - +RSA:+CAMELLIA-256-CBC:+SHA1 \ - +RSA:+AES-128-CBC:+SHA1 \ - +RSA:+CAMELLIA-128-CBC:+SHA1 \ - +RSA:+3DES-CBC:+SHA1 \ - +RSA:+ARCFOUR-128:+SHA1 \ - +RSA:+ARCFOUR-128:+MD5 \ - +RSA:+NULL:+MD5 \ - +RSA:+NULL:+SHA1 \ - " - O_CIPHERS="$O_CIPHERS \ - DHE-RSA-AES128-SHA \ - DHE-RSA-AES256-SHA \ - DHE-RSA-CAMELLIA128-SHA \ - DHE-RSA-CAMELLIA256-SHA \ - EDH-RSA-DES-CBC3-SHA \ - AES256-SHA \ - CAMELLIA256-SHA \ - AES128-SHA \ - CAMELLIA128-SHA \ - DES-CBC3-SHA \ - RC4-SHA \ - RC4-MD5 \ - NULL-MD5 \ - NULL-SHA \ - " - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA \ - TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA \ - TLS-ECDHE-RSA-WITH-RC4-128-SHA \ - TLS-ECDHE-RSA-WITH-NULL-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-RSA:+AES-128-CBC:+SHA1 \ - +ECDHE-RSA:+AES-256-CBC:+SHA1 \ - +ECDHE-RSA:+3DES-CBC:+SHA1 \ - +ECDHE-RSA:+ARCFOUR-128:+SHA1 \ - +ECDHE-RSA:+NULL:+SHA1 \ - " - O_CIPHERS="$O_CIPHERS \ - ECDHE-RSA-AES256-SHA \ - ECDHE-RSA-AES128-SHA \ - ECDHE-RSA-DES-CBC3-SHA \ - ECDHE-RSA-RC4-SHA \ - ECDHE-RSA-NULL-SHA \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-RSA-WITH-AES-256-CBC-SHA256 \ - TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 \ - TLS-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-RSA-WITH-AES-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 \ - TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 \ - " - G_CIPHERS="$G_CIPHERS \ - +RSA:+AES-128-CBC:+SHA256 \ - +DHE-RSA:+AES-128-CBC:+SHA256 \ - +RSA:+AES-256-CBC:+SHA256 \ - +DHE-RSA:+AES-256-CBC:+SHA256 \ - +ECDHE-RSA:+AES-128-CBC:+SHA256 \ - +ECDHE-RSA:+AES-256-CBC:+SHA384 \ - +RSA:+AES-128-GCM:+AEAD \ - +RSA:+AES-256-GCM:+AEAD \ - 
+DHE-RSA:+AES-128-GCM:+AEAD \ - +DHE-RSA:+AES-256-GCM:+AEAD \ - +ECDHE-RSA:+AES-128-GCM:+AEAD \ - +ECDHE-RSA:+AES-256-GCM:+AEAD \ - " - O_CIPHERS="$O_CIPHERS \ - NULL-SHA256 \ - AES128-SHA256 \ - DHE-RSA-AES128-SHA256 \ - AES256-SHA256 \ - DHE-RSA-AES256-SHA256 \ - ECDHE-RSA-AES128-SHA256 \ - ECDHE-RSA-AES256-SHA384 \ - AES128-GCM-SHA256 \ - DHE-RSA-AES128-GCM-SHA256 \ - AES256-GCM-SHA384 \ - DHE-RSA-AES256-GCM-SHA384 \ - ECDHE-RSA-AES128-GCM-SHA256 \ - ECDHE-RSA-AES256-GCM-SHA384 \ - " - fi - ;; - - "PSK") - M_CIPHERS="$M_CIPHERS \ - TLS-PSK-WITH-RC4-128-SHA \ - TLS-PSK-WITH-3DES-EDE-CBC-SHA \ - TLS-PSK-WITH-AES-128-CBC-SHA \ - TLS-PSK-WITH-AES-256-CBC-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +PSK:+ARCFOUR-128:+SHA1 \ - +PSK:+3DES-CBC:+SHA1 \ - +PSK:+AES-128-CBC:+SHA1 \ - +PSK:+AES-256-CBC:+SHA1 \ - " - O_CIPHERS="$O_CIPHERS \ - PSK-RC4-SHA \ - PSK-3DES-EDE-CBC-SHA \ - PSK-AES128-CBC-SHA \ - PSK-AES256-CBC-SHA \ - " - ;; - esac -} - -# Ciphersuites usable only with Mbed TLS and OpenSSL -# Each ciphersuite should appear two times, once with its OpenSSL name, once -# with its Mbed TLS name. -# -# NOTE: for some reason RSA-PSK doesn't work with OpenSSL, -# so RSA-PSK ciphersuites need to go in other sections, see -# https://github.com/ARMmbed/mbedtls/issues/1419 -# -# ChachaPoly suites are here rather than in "common", as they were added in -# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. 
-add_openssl_ciphersuites() -{ - case $TYPE in - - "ECDSA") - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDH-ECDSA-WITH-NULL-SHA \ - TLS-ECDH-ECDSA-WITH-RC4-128-SHA \ - TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA \ - TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA \ - TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA \ - " - O_CIPHERS="$O_CIPHERS \ - ECDH-ECDSA-NULL-SHA \ - ECDH-ECDSA-RC4-SHA \ - ECDH-ECDSA-DES-CBC3-SHA \ - ECDH-ECDSA-AES128-SHA \ - ECDH-ECDSA-AES256-SHA \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 \ - TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ - " - O_CIPHERS="$O_CIPHERS \ - ECDH-ECDSA-AES128-SHA256 \ - ECDH-ECDSA-AES256-SHA384 \ - ECDH-ECDSA-AES128-GCM-SHA256 \ - ECDH-ECDSA-AES256-GCM-SHA384 \ - ECDHE-ECDSA-ARIA256-GCM-SHA384 \ - ECDHE-ECDSA-ARIA128-GCM-SHA256 \ - ECDHE-ECDSA-CHACHA20-POLY1305 \ - " - fi - ;; - - "RSA") - M_CIPHERS="$M_CIPHERS \ - TLS-RSA-WITH-DES-CBC-SHA \ - TLS-DHE-RSA-WITH-DES-CBC-SHA \ - " - O_CIPHERS="$O_CIPHERS \ - DES-CBC-SHA \ - EDH-RSA-DES-CBC-SHA \ - " - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-RSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ - " - O_CIPHERS="$O_CIPHERS \ - ECDHE-ARIA256-GCM-SHA384 \ - DHE-RSA-ARIA256-GCM-SHA384 \ - ARIA256-GCM-SHA384 \ - ECDHE-ARIA128-GCM-SHA256 \ - DHE-RSA-ARIA128-GCM-SHA256 \ - ARIA128-GCM-SHA256 \ - DHE-RSA-CHACHA20-POLY1305 \ - ECDHE-RSA-CHACHA20-POLY1305 \ - " - fi - ;; - - "PSK") - 
if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - " - O_CIPHERS="$O_CIPHERS \ - DHE-PSK-ARIA256-GCM-SHA384 \ - DHE-PSK-ARIA128-GCM-SHA256 \ - PSK-ARIA256-GCM-SHA384 \ - PSK-ARIA128-GCM-SHA256 \ - DHE-PSK-CHACHA20-POLY1305 \ - ECDHE-PSK-CHACHA20-POLY1305 \ - PSK-CHACHA20-POLY1305 \ - " - fi - ;; - esac -} - -# Ciphersuites usable only with Mbed TLS and GnuTLS -# Each ciphersuite should appear two times, once with its GnuTLS name, once -# with its Mbed TLS name. -add_gnutls_ciphersuites() -{ - case $TYPE in - - "ECDSA") - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM \ - TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ - TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \ - +ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \ - +ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \ - +ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \ - +ECDHE-ECDSA:+AES-128-CCM:+AEAD \ - +ECDHE-ECDSA:+AES-256-CCM:+AEAD \ - +ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \ - +ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \ - " - fi - ;; - - "RSA") - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-RSA-WITH-NULL-SHA256 \ - " - G_CIPHERS="$G_CIPHERS \ - +RSA:+NULL:+SHA256 \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - 
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-RSA-WITH-AES-128-CCM \ - TLS-RSA-WITH-AES-256-CCM \ - TLS-DHE-RSA-WITH-AES-128-CCM \ - TLS-DHE-RSA-WITH-AES-256-CCM \ - TLS-RSA-WITH-AES-128-CCM-8 \ - TLS-RSA-WITH-AES-256-CCM-8 \ - TLS-DHE-RSA-WITH-AES-128-CCM-8 \ - TLS-DHE-RSA-WITH-AES-256-CCM-8 \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \ - +ECDHE-RSA:+CAMELLIA-256-CBC:+SHA384 \ - +RSA:+CAMELLIA-128-CBC:+SHA256 \ - +RSA:+CAMELLIA-256-CBC:+SHA256 \ - +DHE-RSA:+CAMELLIA-128-CBC:+SHA256 \ - +DHE-RSA:+CAMELLIA-256-CBC:+SHA256 \ - +ECDHE-RSA:+CAMELLIA-128-GCM:+AEAD \ - +ECDHE-RSA:+CAMELLIA-256-GCM:+AEAD \ - +DHE-RSA:+CAMELLIA-128-GCM:+AEAD \ - +DHE-RSA:+CAMELLIA-256-GCM:+AEAD \ - +RSA:+CAMELLIA-128-GCM:+AEAD \ - +RSA:+CAMELLIA-256-GCM:+AEAD \ - +RSA:+AES-128-CCM:+AEAD \ - +RSA:+AES-256-CCM:+AEAD \ - +RSA:+AES-128-CCM-8:+AEAD \ - +RSA:+AES-256-CCM-8:+AEAD \ - +DHE-RSA:+AES-128-CCM:+AEAD \ - +DHE-RSA:+AES-256-CCM:+AEAD \ - +DHE-RSA:+AES-128-CCM-8:+AEAD \ - +DHE-RSA:+AES-256-CCM-8:+AEAD \ - " - fi - ;; - - "PSK") - M_CIPHERS="$M_CIPHERS \ - TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA \ - TLS-DHE-PSK-WITH-AES-128-CBC-SHA \ - TLS-DHE-PSK-WITH-AES-256-CBC-SHA \ - TLS-DHE-PSK-WITH-RC4-128-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +DHE-PSK:+3DES-CBC:+SHA1 \ - +DHE-PSK:+AES-128-CBC:+SHA1 \ - +DHE-PSK:+AES-256-CBC:+SHA1 \ - +DHE-PSK:+ARCFOUR-128:+SHA1 \ - " - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA \ - TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA \ - TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA \ - TLS-ECDHE-PSK-WITH-RC4-128-SHA \ - TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA \ - 
TLS-RSA-PSK-WITH-AES-256-CBC-SHA \ - TLS-RSA-PSK-WITH-AES-128-CBC-SHA \ - TLS-RSA-PSK-WITH-RC4-128-SHA \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-PSK:+3DES-CBC:+SHA1 \ - +ECDHE-PSK:+AES-128-CBC:+SHA1 \ - +ECDHE-PSK:+AES-256-CBC:+SHA1 \ - +ECDHE-PSK:+ARCFOUR-128:+SHA1 \ - +RSA-PSK:+3DES-CBC:+SHA1 \ - +RSA-PSK:+AES-256-CBC:+SHA1 \ - +RSA-PSK:+AES-128-CBC:+SHA1 \ - +RSA-PSK:+ARCFOUR-128:+SHA1 \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDHE-PSK-WITH-NULL-SHA384 \ - TLS-ECDHE-PSK-WITH-NULL-SHA256 \ - TLS-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-DHE-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-PSK-WITH-NULL-SHA256 \ - TLS-PSK-WITH-NULL-SHA384 \ - TLS-DHE-PSK-WITH-NULL-SHA256 \ - TLS-DHE-PSK-WITH-NULL-SHA384 \ - TLS-RSA-PSK-WITH-AES-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-AES-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-NULL-SHA256 \ - TLS-RSA-PSK-WITH-NULL-SHA384 \ - TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-PSK-WITH-AES-128-GCM-SHA256 \ - TLS-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \ - TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-PSK-WITH-AES-128-CCM \ - TLS-PSK-WITH-AES-256-CCM \ - TLS-DHE-PSK-WITH-AES-128-CCM \ - TLS-DHE-PSK-WITH-AES-256-CCM \ - TLS-PSK-WITH-AES-128-CCM-8 \ - TLS-PSK-WITH-AES-256-CCM-8 \ - TLS-DHE-PSK-WITH-AES-128-CCM-8 \ - TLS-DHE-PSK-WITH-AES-256-CCM-8 \ - TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - 
TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-AES-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-AES-128-GCM-SHA256 \ - " - G_CIPHERS="$G_CIPHERS \ - +ECDHE-PSK:+AES-256-CBC:+SHA384 \ - +ECDHE-PSK:+CAMELLIA-256-CBC:+SHA384 \ - +ECDHE-PSK:+AES-128-CBC:+SHA256 \ - +ECDHE-PSK:+CAMELLIA-128-CBC:+SHA256 \ - +PSK:+AES-128-CBC:+SHA256 \ - +PSK:+AES-256-CBC:+SHA384 \ - +DHE-PSK:+AES-128-CBC:+SHA256 \ - +DHE-PSK:+AES-256-CBC:+SHA384 \ - +RSA-PSK:+AES-256-CBC:+SHA384 \ - +RSA-PSK:+AES-128-CBC:+SHA256 \ - +DHE-PSK:+CAMELLIA-128-CBC:+SHA256 \ - +DHE-PSK:+CAMELLIA-256-CBC:+SHA384 \ - +PSK:+CAMELLIA-128-CBC:+SHA256 \ - +PSK:+CAMELLIA-256-CBC:+SHA384 \ - +RSA-PSK:+CAMELLIA-256-CBC:+SHA384 \ - +RSA-PSK:+CAMELLIA-128-CBC:+SHA256 \ - +PSK:+AES-128-GCM:+AEAD \ - +PSK:+AES-256-GCM:+AEAD \ - +DHE-PSK:+AES-128-GCM:+AEAD \ - +DHE-PSK:+AES-256-GCM:+AEAD \ - +PSK:+AES-128-CCM:+AEAD \ - +PSK:+AES-256-CCM:+AEAD \ - +DHE-PSK:+AES-128-CCM:+AEAD \ - +DHE-PSK:+AES-256-CCM:+AEAD \ - +PSK:+AES-128-CCM-8:+AEAD \ - +PSK:+AES-256-CCM-8:+AEAD \ - +DHE-PSK:+AES-128-CCM-8:+AEAD \ - +DHE-PSK:+AES-256-CCM-8:+AEAD \ - +RSA-PSK:+CAMELLIA-128-GCM:+AEAD \ - +RSA-PSK:+CAMELLIA-256-GCM:+AEAD \ - +PSK:+CAMELLIA-128-GCM:+AEAD \ - +PSK:+CAMELLIA-256-GCM:+AEAD \ - +DHE-PSK:+CAMELLIA-128-GCM:+AEAD \ - +DHE-PSK:+CAMELLIA-256-GCM:+AEAD \ - +RSA-PSK:+AES-256-GCM:+AEAD \ - +RSA-PSK:+AES-128-GCM:+AEAD \ - +ECDHE-PSK:+NULL:+SHA384 \ - +ECDHE-PSK:+NULL:+SHA256 \ - +PSK:+NULL:+SHA256 \ - +PSK:+NULL:+SHA384 \ - +DHE-PSK:+NULL:+SHA256 \ - +DHE-PSK:+NULL:+SHA384 \ - +RSA-PSK:+NULL:+SHA256 \ - +RSA-PSK:+NULL:+SHA384 \ - " - fi - ;; - esac -} - -# Ciphersuites usable only with Mbed TLS (not currently supported by another -# peer usable in this script). This provide only very rudimentaty testing, as -# this is not interop testing, but it's better than nothing. 
-add_mbedtls_ciphersuites() -{ - case $TYPE in - - "ECDSA") - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \ - TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256 \ - " - fi - ;; - - "RSA") - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256 \ - TLS-RSA-WITH-ARIA-256-CBC-SHA384 \ - TLS-RSA-WITH-ARIA-128-CBC-SHA256 \ - " - fi - ;; - - "PSK") - # *PSK-NULL-SHA suites supported by GnuTLS 3.3.5 but not 3.2.15 - M_CIPHERS="$M_CIPHERS \ - TLS-PSK-WITH-NULL-SHA \ - TLS-DHE-PSK-WITH-NULL-SHA \ - " - if [ `minor_ver "$MODE"` -gt 0 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-ECDHE-PSK-WITH-NULL-SHA \ - TLS-RSA-PSK-WITH-NULL-SHA \ - " - fi - if [ `minor_ver "$MODE"` -ge 3 ] - then - M_CIPHERS="$M_CIPHERS \ - TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384 \ - TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256 \ - TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ - TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ - TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \ - " - fi - ;; - esac -} - -setup_arguments() -{ - G_MODE="" - case "$MODE" in - "ssl3") - G_PRIO_MODE="+VERS-SSL3.0" - ;; - "tls1") - G_PRIO_MODE="+VERS-TLS1.0" - ;; 
- "tls1_1") - G_PRIO_MODE="+VERS-TLS1.1" - ;; - "tls1_2") - G_PRIO_MODE="+VERS-TLS1.2" - ;; - "dtls1") - G_PRIO_MODE="+VERS-DTLS1.0" - G_MODE="-u" - ;; - "dtls1_2") - G_PRIO_MODE="+VERS-DTLS1.2" - G_MODE="-u" - ;; - *) - echo "error: invalid mode: $MODE" >&2 - exit 1; - esac - - # GnuTLS < 3.4 will choke if we try to allow CCM-8 - if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then - G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:" - else - G_PRIO_CCM="" - fi - - M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1" - O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem" - G_SERVER_ARGS="-p $PORT --http $G_MODE" - G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" - - # with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes - if is_dtls "$MODE"; then - O_SERVER_ARGS="$O_SERVER_ARGS" - else - O_SERVER_ARGS="$O_SERVER_ARGS -www" - fi - - M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" - O_CLIENT_ARGS="-connect localhost:$PORT -$MODE" - G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" - G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" - - if [ "X$VERIFY" = "XYES" ]; - then - M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" - O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" - G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert" - - M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" - O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt" - else - # don't request a client cert at all - M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none" - G_SERVER_ARGS="$G_SERVER_ARGS --disable-client-cert" - - M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=none auth_mode=none" - 
O_CLIENT_ARGS="$O_CLIENT_ARGS" - G_CLIENT_ARGS="$G_CLIENT_ARGS --insecure" - fi - - case $TYPE in - "ECDSA") - M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key" - O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" - - if [ "X$VERIFY" = "XYES" ]; then - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key" - O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key" - else - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" - fi - ;; - - "RSA") - M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key" - O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key" - - if [ "X$VERIFY" = "XYES" ]; then - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key" - O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key" - G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key" - else - M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none" - fi - - # Allow SHA-1. It's disabled by default for security reasons but - # our tests still use certificates signed with it. 
- M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1" - M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1" - ;; - - "PSK") - # give RSA-PSK-capable server a RSA cert - # (should be a separate type, but harder to close with openssl) - M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key" - O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert" - G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk" - - M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none" - O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70" - G_CLIENT_ARGS="$G_CLIENT_ARGS --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" - - # Allow SHA-1. It's disabled by default for security reasons but - # our tests still use certificates signed with it. - M_SERVER_ARGS="$M_SERVER_ARGS allow_sha1=1" - M_CLIENT_ARGS="$M_CLIENT_ARGS allow_sha1=1" - ;; - esac -} - -# is_mbedtls -is_mbedtls() { - echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null -} - -# has_mem_err -has_mem_err() { - if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" && - grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null - then - return 1 # false: does not have errors - else - return 0 # true: has errors - fi -} - -# Wait for process $2 to be listening on port $1 -if type lsof >/dev/null 2>/dev/null; then - wait_server_start() { - START_TIME=$(date +%s) - if is_dtls "$MODE"; then - proto=UDP - else - proto=TCP - fi - while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do - if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then - echo "SERVERSTART TIMEOUT" - echo "SERVERSTART TIMEOUT" >> $SRV_OUT - break - fi - # Linux and *BSD support decimal arguments to sleep. On other - # OSes this may be a tight loop. 
- sleep 0.1 2>/dev/null || true - done - } -else - echo "Warning: lsof not available, wait_server_start = sleep" - wait_server_start() { - sleep 2 - } -fi - - -# start_server -# also saves name and command -start_server() { - case $1 in - [Oo]pen*) - SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS" - ;; - [Gg]nu*) - SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO" - ;; - mbed*) - SERVER_CMD="$M_SRV $M_SERVER_ARGS" - if [ "$MEMCHECK" -gt 0 ]; then - SERVER_CMD="valgrind --leak-check=full $SERVER_CMD" - fi - ;; - *) - echo "error: invalid server name: $1" >&2 - exit 1 - ;; - esac - SERVER_NAME=$1 - - log "$SERVER_CMD" - echo "$SERVER_CMD" > $SRV_OUT - # for servers without -www or equivalent - while :; do echo bla; sleep 1; done | $SERVER_CMD >> $SRV_OUT 2>&1 & - PROCESS_ID=$! - - wait_server_start "$PORT" "$PROCESS_ID" -} - -# terminate the running server -stop_server() { - kill $PROCESS_ID 2>/dev/null - wait $PROCESS_ID 2>/dev/null - - if [ "$MEMCHECK" -gt 0 ]; then - if is_mbedtls "$SERVER_CMD" && has_mem_err $SRV_OUT; then - echo " ! Server had memory errors" - SRVMEM=$(( $SRVMEM + 1 )) - return - fi - fi - - rm -f $SRV_OUT -} - -# kill the running server (used when killed by signal) -cleanup() { - rm -f $SRV_OUT $CLI_OUT - kill $PROCESS_ID >/dev/null 2>&1 - kill $WATCHDOG_PID >/dev/null 2>&1 - exit 1 -} - -# wait for client to terminate and set EXIT -# must be called right after starting the client -wait_client_done() { - CLI_PID=$! - - ( sleep "$DOG_DELAY"; echo "TIMEOUT" >> $CLI_OUT; kill $CLI_PID ) & - WATCHDOG_PID=$! - - wait $CLI_PID - EXIT=$? 
- - kill $WATCHDOG_PID - wait $WATCHDOG_PID - - echo "EXIT: $EXIT" >> $CLI_OUT -} - -# run_client -run_client() { - # announce what we're going to do - TESTS=$(( $TESTS + 1 )) - VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`" - TITLE="$TITLE $MODE,$VERIF $2" - printf "$TITLE " - LEN=$(( 72 - `echo "$TITLE" | wc -c` )) - for i in `seq 1 $LEN`; do printf '.'; done; printf ' ' - - # should we skip? - if [ "X$SKIP_NEXT" = "XYES" ]; then - SKIP_NEXT="NO" - echo "SKIP" - SKIPPED=$(( $SKIPPED + 1 )) - return - fi - - # run the command and interpret result - case $1 in - [Oo]pen*) - CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2" - log "$CLIENT_CMD" - echo "$CLIENT_CMD" > $CLI_OUT - printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & - wait_client_done - - if [ $EXIT -eq 0 ]; then - RESULT=0 - else - # If the cipher isn't supported... - if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then - RESULT=1 - else - RESULT=2 - fi - fi - ;; - - [Gg]nu*) - # need to force IPv4 with UDP, but keep localhost for auth - if is_dtls "$MODE"; then - G_HOST="127.0.0.1" - else - G_HOST="localhost" - fi - CLIENT_CMD="$GNUTLS_CLI $G_CLIENT_ARGS --priority $G_PRIO_MODE:$2 $G_HOST" - log "$CLIENT_CMD" - echo "$CLIENT_CMD" > $CLI_OUT - printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 & - wait_client_done - - if [ $EXIT -eq 0 ]; then - RESULT=0 - else - RESULT=2 - # interpret early failure, with a handshake_failure alert - # before the server hello, as "no ciphersuite in common" - if grep -F 'Received alert [40]: Handshake failed' $CLI_OUT; then - if grep -i 'SERVER HELLO .* was received' $CLI_OUT; then : - else - RESULT=1 - fi - fi >/dev/null - fi - ;; - - mbed*) - CLIENT_CMD="$M_CLI $M_CLIENT_ARGS force_ciphersuite=$2" - if [ "$MEMCHECK" -gt 0 ]; then - CLIENT_CMD="valgrind --leak-check=full $CLIENT_CMD" - fi - log "$CLIENT_CMD" - echo "$CLIENT_CMD" > $CLI_OUT - $CLIENT_CMD >> $CLI_OUT 2>&1 & - 
wait_client_done - - case $EXIT in - # Success - "0") RESULT=0 ;; - - # Ciphersuite not supported - "2") RESULT=1 ;; - - # Error - *) RESULT=2 ;; - esac - - if [ "$MEMCHECK" -gt 0 ]; then - if is_mbedtls "$CLIENT_CMD" && has_mem_err $CLI_OUT; then - RESULT=2 - fi - fi - - ;; - - *) - echo "error: invalid client name: $1" >&2 - exit 1 - ;; - esac - - echo "EXIT: $EXIT" >> $CLI_OUT - - # report and count result - case $RESULT in - "0") - echo PASS - ;; - "1") - echo SKIP - SKIPPED=$(( $SKIPPED + 1 )) - ;; - "2") - echo FAIL - cp $SRV_OUT c-srv-${TESTS}.log - cp $CLI_OUT c-cli-${TESTS}.log - echo " ! outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" - - if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then - echo " ! server output:" - cat c-srv-${TESTS}.log - echo " ! ===================================================" - echo " ! client output:" - cat c-cli-${TESTS}.log - fi - - FAILED=$(( $FAILED + 1 )) - ;; - esac - - rm -f $CLI_OUT -} - -# -# MAIN -# - -if cd $( dirname $0 ); then :; else - echo "cd $( dirname $0 ) failed" >&2 - exit 1 -fi - -get_options "$@" - -# sanity checks, avoid an avalanche of errors -if [ ! -x "$M_SRV" ]; then - echo "Command '$M_SRV' is not an executable file" >&2 - exit 1 -fi -if [ ! -x "$M_CLI" ]; then - echo "Command '$M_CLI' is not an executable file" >&2 - exit 1 -fi - -if echo "$PEERS" | grep -i openssl > /dev/null; then - if which "$OPENSSL_CMD" >/dev/null 2>&1; then :; else - echo "Command '$OPENSSL_CMD' not found" >&2 - exit 1 - fi -fi - -if echo "$PEERS" | grep -i gnutls > /dev/null; then - for CMD in "$GNUTLS_CLI" "$GNUTLS_SERV"; do - if which "$CMD" >/dev/null 2>&1; then :; else - echo "Command '$CMD' not found" >&2 - exit 1 - fi - done -fi - -for PEER in $PEERS; do - case "$PEER" in - mbed*|[Oo]pen*|[Gg]nu*) - ;; - *) - echo "Unknown peers: $PEER" >&2 - exit 1 - esac -done - -# Pick a "unique" port in the range 10000-19999. 
-PORT="0000$$" -PORT="1$(echo $PORT | tail -c 5)" - -# Also pick a unique name for intermediate files -SRV_OUT="srv_out.$$" -CLI_OUT="cli_out.$$" - -# client timeout delay: be more patient with valgrind -if [ "$MEMCHECK" -gt 0 ]; then - DOG_DELAY=30 -else - DOG_DELAY=10 -fi - -SKIP_NEXT="NO" - -trap cleanup INT TERM HUP - -for VERIFY in $VERIFIES; do - for MODE in $MODES; do - for TYPE in $TYPES; do - for PEER in $PEERS; do - - setup_arguments - - case "$PEER" in - - [Oo]pen*) - - if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then - continue; - fi - - reset_ciphersuites - add_common_ciphersuites - add_openssl_ciphersuites - filter_ciphersuites - - if [ "X" != "X$M_CIPHERS" ]; then - start_server "OpenSSL" - for i in $M_CIPHERS; do - check_openssl_server_bug $i - run_client mbedTLS $i - done - stop_server - fi - - if [ "X" != "X$O_CIPHERS" ]; then - start_server "mbedTLS" - for i in $O_CIPHERS; do - run_client OpenSSL $i - done - stop_server - fi - - ;; - - [Gg]nu*) - - reset_ciphersuites - add_common_ciphersuites - add_gnutls_ciphersuites - filter_ciphersuites - - if [ "X" != "X$M_CIPHERS" ]; then - start_server "GnuTLS" - for i in $M_CIPHERS; do - run_client mbedTLS $i - done - stop_server - fi - - if [ "X" != "X$G_CIPHERS" ]; then - start_server "mbedTLS" - for i in $G_CIPHERS; do - run_client GnuTLS $i - done - stop_server - fi - - ;; - - mbed*) - - reset_ciphersuites - add_common_ciphersuites - add_openssl_ciphersuites - add_gnutls_ciphersuites - add_mbedtls_ciphersuites - filter_ciphersuites - - if [ "X" != "X$M_CIPHERS" ]; then - start_server "mbedTLS" - for i in $M_CIPHERS; do - run_client mbedTLS $i - done - stop_server - fi - - ;; - - *) - echo "Unknown peer: $PEER" >&2 - exit 1 - ;; - - esac - - done - done - done -done - -echo "------------------------------------------------------------------------" - -if [ $FAILED -ne 0 -o $SRVMEM -ne 0 ]; -then - printf "FAILED" -else - printf "PASSED" -fi - -if [ "$MEMCHECK" -gt 0 ]; then - MEMREPORT=", $SRVMEM 
server memory errors"
-else
- MEMREPORT=""
-fi
-
-PASSED=$(( $TESTS - $FAILED ))
-echo " ($PASSED / $TESTS tests ($SKIPPED skipped$MEMREPORT))"
-
-FAILED=$(( $FAILED + $SRVMEM ))
-exit $FAILED
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index ab95e2290..a653001e7 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -14,8 +14,6 @@
 # The tests include:
 # * Unit tests - executed using tests/scripts/run-test-suite.pl
 # * Self-tests - executed using the test suites above
-# * System tests - executed using tests/ssl-opt.sh
-# * Interoperability tests - executed using tests/compat.sh
 #
 # The tests focus on functionality and do not consider performance.
 #
@@ -36,30 +34,11 @@ if [ -d library -a -d include -a -d tests ]; then :; else
 exit 1
 fi
-: ${OPENSSL:="openssl"}
-: ${OPENSSL_LEGACY:="$OPENSSL"}
-: ${GNUTLS_CLI:="gnutls-cli"}
-: ${GNUTLS_SERV:="gnutls-serv"}
-: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
-: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
-
-# To avoid setting OpenSSL and GnuTLS for each call to compat.sh and ssl-opt.sh
-# we just export the variables they require
-export OPENSSL_CMD="$OPENSSL"
-export GNUTLS_CLI="$GNUTLS_CLI"
-export GNUTLS_SERV="$GNUTLS_SERV"
-
 CONFIG_H='include/mbedtls/config.h'
 CONFIG_BAK="$CONFIG_H.bak"
 # Step 0 - print build environment info
-OPENSSL="$OPENSSL" \
- OPENSSL_LEGACY="$OPENSSL_LEGACY" \
- GNUTLS_CLI="$GNUTLS_CLI" \
- GNUTLS_SERV="$GNUTLS_SERV" \
- GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
- GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
- scripts/output_env.sh
+scripts/output_env.sh
 echo
 # Step 1 - Make and instrumented build for code coverage
@@ -79,25 +58,6 @@ cd tests
 perl scripts/run-test-suites.pl -v 2 |tee unit-test-$TEST_OUTPUT
 echo
-# Step 2b - System Tests
-sh ssl-opt.sh |tee sys-test-$TEST_OUTPUT
-echo
-
-# Step 2c - Compatibility tests
-sh compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2' | \
- tee compat-test-$TEST_OUTPUT
-OPENSSL_CMD="$OPENSSL_LEGACY" \
- sh compat.sh -m 'ssl3' |tee -a compat-test-$TEST_OUTPUT
-OPENSSL_CMD="$OPENSSL_LEGACY" \
- GNUTLS_CLI="$GNUTLS_LEGACY_CLI" \
- GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
- sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' | \
- tee -a compat-test-$TEST_OUTPUT
-OPENSSL_CMD="$OPENSSL_NEXT" \
- sh compat.sh -e '^$' -f 'ARIA\|CHACHA' | \
- tee -a compat-test-$TEST_OUTPUT
-echo
-
 # Step 3 - Process the coverage report
 cd ..
 make lcov |tee tests/cov-$TEST_OUTPUT
@@ -133,49 +93,6 @@ TOTAL_SKIP=$SKIPPED_TESTS
 TOTAL_AVAIL=$(($PASSED_TESTS + $FAILED_TESTS + $SKIPPED_TESTS))
 TOTAL_EXED=$(($PASSED_TESTS + $FAILED_TESTS))
-# Step 4b - TLS Options tests
-echo "TLS Options tests - tests/ssl-opt.sh"
-
-PASSED_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p')
-SKIPPED_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p')
-TOTAL_TESTS=$(tail -n5 sys-test-$TEST_OUTPUT|sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p')
-FAILED_TESTS=$(($TOTAL_TESTS - $PASSED_TESTS))
-
-echo "Passed : $PASSED_TESTS"
-echo "Failed : $FAILED_TESTS"
-echo "Skipped : $SKIPPED_TESTS"
-echo "Total exec'd tests : $TOTAL_TESTS"
-echo "Total avail tests : $(($TOTAL_TESTS + $SKIPPED_TESTS))"
-echo
-
-TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS))
-TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS))
-TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS))
-TOTAL_AVAIL=$(($TOTAL_AVAIL + $TOTAL_TESTS + $SKIPPED_TESTS))
-TOTAL_EXED=$(($TOTAL_EXED + $TOTAL_TESTS))
-
-
-# Step 4c - System Compatibility tests
-echo "System/Compatibility tests - tests/compat.sh"
-
-PASSED_TESTS=$(cat compat-test-$TEST_OUTPUT | sed -n -e 's/.* (\([0-9]*\) \/ [0-9]* tests ([0-9]* skipped))$/\1/p' | awk 'BEGIN{ s = 0 } { s += $1 } END{ print s }')
-SKIPPED_TESTS=$(cat compat-test-$TEST_OUTPUT | sed -n -e 's/.* ([0-9]* \/ [0-9]* tests (\([0-9]*\) skipped))$/\1/p' | awk 'BEGIN{ s = 0 } { s += $1 } END{ print s }')
-EXED_TESTS=$(cat compat-test-$TEST_OUTPUT | sed -n -e 's/.* ([0-9]* \/ \([0-9]*\) tests ([0-9]* skipped))$/\1/p' | awk 'BEGIN{ s = 0 } { s += $1 } END{ print s }')
-FAILED_TESTS=$(($EXED_TESTS - $PASSED_TESTS))
-
-echo "Passed : $PASSED_TESTS"
-echo "Failed : $FAILED_TESTS"
-echo "Skipped : $SKIPPED_TESTS"
-echo "Total exec'd tests : $EXED_TESTS"
-echo "Total avail tests : $(($EXED_TESTS + $SKIPPED_TESTS))"
-echo
-
-TOTAL_PASS=$(($TOTAL_PASS+$PASSED_TESTS))
-TOTAL_FAIL=$(($TOTAL_FAIL+$FAILED_TESTS))
-TOTAL_SKIP=$(($TOTAL_SKIP+$SKIPPED_TESTS))
-TOTAL_AVAIL=$(($TOTAL_AVAIL + $EXED_TESTS + $SKIPPED_TESTS))
-TOTAL_EXED=$(($TOTAL_EXED + $EXED_TESTS))
-
 # Step 4d - Grand totals
 echo "-------------------------------------------------------------------------"
@@ -209,8 +126,6 @@ echo
 rm unit-test-$TEST_OUTPUT
-rm sys-test-$TEST_OUTPUT
-rm compat-test-$TEST_OUTPUT
 rm cov-$TEST_OUTPUT
 cd ..
diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl
deleted file mode 100755
index 3bf7ae34f..000000000
--- a/tests/scripts/key-exchanges.pl
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env perl
-
-# key-exchanges.pl
-#
-# Copyright (c) 2015-2017, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# To test the code dependencies on individual key exchanges in the SSL module.
-# is a verification step to ensure we don't ship SSL code that do not work
-# for some build options.
-#
-# The process is:
-# for each possible key exchange
-# build the library with all but that key exchange disabled
-#
-# Usage: tests/scripts/key-exchanges.pl
-#
-# This script should be executed from the root of the project directory.
-#
-# For best effect, run either with cmake disabled, or cmake enabled in a mode
-# that includes -Werror.
-
-use warnings;
-use strict;
-
--d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
-
-my $sed_cmd = 's/^#define \(MBEDTLS_KEY_EXCHANGE_.*_ENABLED\)/\1/p';
-my $config_h = 'include/mbedtls/config.h';
-my @kexes = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` );
-
-system( "cp $config_h $config_h.bak" ) and die;
-sub abort {
- system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
- # use an exit code between 1 and 124 for git bisect (die returns 255)
- warn $_[0];
- exit 1;
-}
-
-for my $kex (@kexes) {
- system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n";
- system( "make clean" ) and die;
-
- print "\n******************************************\n";
- print "* Testing with key exchange: $kex\n";
- print "******************************************\n";
-
- # full config with all key exchanges disabled except one
- system( "scripts/config.pl full" ) and abort "Failed config full\n";
- for my $k (@kexes) {
- next if $k eq $kex;
- system( "scripts/config.pl unset $k" )
- and abort "Failed to disable $k\n";
- }
-
- system( "make lib CFLAGS='-Os -Werror'" ) and abort "Failed to build lib: $kex\n";
-}
-
-system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
-system( "make clean" ) and die;
-exit 0;
diff --git a/tests/scripts/tcp_client.pl b/tests/scripts/tcp_client.pl
deleted file mode 100755
index 11cbf1b1b..000000000
--- a/tests/scripts/tcp_client.pl
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/env perl
-
-# A simple TCP client that sends some data and expects a response.
-# Usage: tcp_client.pl HOSTNAME PORT DATA1 RESPONSE1
-# DATA: hex-encoded data to send to the server
-# RESPONSE: regexp that must match the server's response
-
-use warnings;
-use strict;
-use IO::Socket::INET;
-
-# Pack hex digits into a binary string, ignoring whitespace.
-sub parse_hex {
- my ($hex) = @_;
- $hex =~ s/\s+//g;
- return pack('H*', $hex);
-}
-
-## Open a TCP connection to the specified host and port.
-sub open_connection {
- my ($host, $port) = @_;
- my $socket = IO::Socket::INET->new(PeerAddr => $host,
- PeerPort => $port,
- Proto => 'tcp',
- Timeout => 1);
- die "Cannot connect to $host:$port: $!" unless $socket;
- return $socket;
-}
-
-## Close the TCP connection.
-sub close_connection {
- my ($connection) = @_;
- $connection->shutdown(2);
- # Ignore shutdown failures (at least for now)
- return 1;
-}
-
-## Write the given data, expressed as hexadecimal
-sub write_data {
- my ($connection, $hexdata) = @_;
- my $data = parse_hex($hexdata);
- my $total_sent = 0;
- while ($total_sent < length($data)) {
- my $sent = $connection->send($data, 0);
- if (!defined $sent) {
- die "Unable to send data: $!";
- }
- $total_sent += $sent;
- }
- return 1;
-}
-
-## Read a response and check it against an expected prefix
-sub read_response {
- my ($connection, $expected_hex) = @_;
- my $expected_data = parse_hex($expected_hex);
- my $start_offset = 0;
- while ($start_offset < length($expected_data)) {
- my $actual_data;
- my $ok = $connection->recv($actual_data, length($expected_data));
- if (!defined $ok) {
- die "Unable to receive data: $!";
- }
- if (($actual_data ^ substr($expected_data, $start_offset)) =~ /[^\000]/) {
- printf STDERR ("Received \\x%02x instead of \\x%02x at offset %d\n",
- ord(substr($actual_data, $-[0], 1)),
- ord(substr($expected_data, $start_offset + $-[0], 1)),
- $start_offset + $-[0]);
- return 0;
- }
- $start_offset += length($actual_data);
- }
- return 1;
-}
-
-if (@ARGV != 4) {
- print STDERR "Usage: $0 HOSTNAME PORT DATA1 RESPONSE1\n";
- exit(3);
-}
-my ($host, $port, $data1, $response1) = @ARGV;
-my $connection = open_connection($host, $port);
-write_data($connection, $data1);
-if (!read_response($connection, $response1)) {
- exit(1);
-}
-close_connection($connection);
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl
index d12c4c2f0..56f2036ee 100755
--- a/tests/scripts/test-ref-configs.pl
+++ b/tests/scripts/test-ref-configs.pl
@@ -9,7 +9,7 @@
 # Purpose
 #
 # For each reference configuration file in the configs directory, build the
-# configuration, run the test suites and compat.sh
+# configuration and run the test suites.
 #
 # Usage: tests/scripts/test-ref-configs.pl [config-name [...]]
@@ -18,20 +18,14 @@ use strict;
 my %configs = (
 'config-default.h' => {
- 'opt' => '-f Default',
- 'compat' => '-m tls1_2 -V NO',
 },
 'config-mini-tls1_1.h' => {
- 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'',
 },
 'config-suite-b.h' => {
- 'compat' => "-m tls1_2 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS",
 },
 'config-ccm-psk-tls1_2.h' => {
- 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'',
 },
 'config-thread.h' => {
- 'opt' => '-f ECJPAKE.*nolog',
 },
 );
@@ -75,30 +69,6 @@ while( my ($conf, $data) = each %configs ) {
 system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf\n";
 system( "make test" ) and abort "Failed test suite: $conf\n";
-
- my $compat = $data->{'compat'};
- if( $compat )
- {
- print "\nrunning compat.sh $compat\n";
- system( "tests/compat.sh $compat" )
- and abort "Failed compat.sh: $conf\n";
- }
- else
- {
- print "\nskipping compat.sh\n";
- }
-
- my $opt = $data->{'opt'};
- if( $opt )
- {
- print "\nrunning ssl-opt.sh $opt\n";
- system( "tests/ssl-opt.sh $opt" )
- and abort "Failed ssl-opt.sh: $conf\n";
- }
- else
- {
- print "\nskipping ssl-opt.sh\n";
- }
 }
 system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
diff --git a/tests/scripts/travis-log-failure.sh b/tests/scripts/travis-log-failure.sh
deleted file mode 100755
index 9866ca7da..000000000
--- a/tests/scripts/travis-log-failure.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-# travis-log-failure.sh
-#
-# This file is part of mbed TLS (https://tls.mbed.org)
-#
-# Copyright (c) 2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# List the server and client logs on failed ssl-opt.sh and compat.sh tests.
-# This script is used to make the logs show up in the Travis test results.
-#
-# Some of the logs can be very long: this means usually a couple of megabytes
-# but it can be much more. For example, the client log of test 273 in ssl-opt.sh
-# is more than 630 Megabytes long.
-
-if [ -d include/mbedtls ]; then :; else
- echo "$0: must be run from root" >&2
- exit 1
-fi
-
-FILES="o-srv-*.log o-cli-*.log c-srv-*.log c-cli-*.log o-pxy-*.log"
-MAX_LOG_SIZE=1048576
-
-for PATTERN in $FILES; do
- for LOG in $( ls tests/$PATTERN 2>/dev/null ); do
- echo
- echo "****** BEGIN file: $LOG ******"
- echo
- tail -c $MAX_LOG_SIZE $LOG
- echo "****** END file: $LOG ******"
- echo
- rm $LOG
- done
-done
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
deleted file mode 100755
index d952f33fd..000000000
--- a/tests/ssl-opt.sh
+++ /dev/null
@@ -1,7707 +0,0 @@ -#!/bin/sh - -# ssl-opt.sh -# -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2016, ARM Limited, All Rights Reserved -# -# Purpose -# -# Executes tests to prove various TLS/SSL options and extensions. -# -# The goal is not to cover every ciphersuite/version, but instead to cover -# specific options (max fragment length, truncated hmac, etc) or procedures -# (session resumption from cache or ticket, renego, etc). -# -# The tests assume a build with default options, with exceptions expressed -# with a dependency. The tests focus on functionality and do not consider -# performance. -# - -set -u - -if cd $( dirname $0 ); then :; else - echo "cd $( dirname $0 ) failed" >&2 - exit 1 -fi - -# default values, can be overridden by the environment -: ${P_SRV:=../programs/ssl/ssl_server2} -: ${P_CLI:=../programs/ssl/ssl_client2} -: ${P_PXY:=../programs/test/udp_proxy} -: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system -: ${GNUTLS_CLI:=gnutls-cli} -: ${GNUTLS_SERV:=gnutls-serv} -: ${PERL:=perl} - -O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key" -O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client" -G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" -G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt" -TCP_CLIENT="$PERL scripts/tcp_client.pl" - -# alternative versions of OpenSSL and GnuTLS (no default path) - -if [ -n "${OPENSSL_LEGACY:-}" ]; then - O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key" - O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client" -else - O_LEGACY_SRV=false - O_LEGACY_CLI=false -fi - -if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then - G_NEXT_SRV="$GNUTLS_NEXT_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" -else - G_NEXT_SRV=false -fi - -if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then - 
G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt" -else - G_NEXT_CLI=false -fi - -TESTS=0 -FAILS=0 -SKIPS=0 - -CONFIG_H='../include/mbedtls/config.h' - -MEMCHECK=0 -FILTER='.*' -EXCLUDE='^$' - -SHOW_TEST_NUMBER=0 -RUN_TEST_NUMBER='' - -PRESERVE_LOGS=0 - -# Pick a "unique" server port in the range 10000-19999, and a proxy -# port which is this plus 10000. Each port number may be independently -# overridden by a command line option. -SRV_PORT=$(($$ % 10000 + 10000)) -PXY_PORT=$((SRV_PORT + 10000)) - -print_usage() { - echo "Usage: $0 [options]" - printf " -h|--help\tPrint this help.\n" - printf " -m|--memcheck\tCheck memory leaks and errors.\n" - printf " -f|--filter\tOnly matching tests are executed (BRE; default: '$FILTER')\n" - printf " -e|--exclude\tMatching tests are excluded (BRE; default: '$EXCLUDE')\n" - printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n" - printf " -s|--show-numbers\tShow test numbers in front of test names\n" - printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n" - printf " --port\tTCP/UDP port (default: randomish 1xxxx)\n" - printf " --proxy-port\tTCP/UDP proxy port (default: randomish 2xxxx)\n" - printf " --seed\tInteger seed value to use for this test run\n" -} - -get_options() { - while [ $# -gt 0 ]; do - case "$1" in - -f|--filter) - shift; FILTER=$1 - ;; - -e|--exclude) - shift; EXCLUDE=$1 - ;; - -m|--memcheck) - MEMCHECK=1 - ;; - -n|--number) - shift; RUN_TEST_NUMBER=$1 - ;; - -s|--show-numbers) - SHOW_TEST_NUMBER=1 - ;; - -p|--preserve-logs) - PRESERVE_LOGS=1 - ;; - --port) - shift; SRV_PORT=$1 - ;; - --proxy-port) - shift; PXY_PORT=$1 - ;; - --seed) - shift; SEED="$1" - ;; - -h|--help) - print_usage - exit 0 - ;; - *) - echo "Unknown argument: '$1'" - print_usage - exit 1 - ;; - esac - shift - done -} - -# Skip next test; use this macro to skip tests which are legitimate -# in theory and expected to be re-introduced at some point, 
but -# aren't expected to succeed at the moment due to problems outside -# our control (such as bugs in other TLS implementations). -skip_next_test() { - SKIP_NEXT="YES" -} - -# skip next test if the flag is not enabled in config.h -requires_config_enabled() { - if grep "^#define $1" $CONFIG_H > /dev/null; then :; else - SKIP_NEXT="YES" - fi -} - -# skip next test if the flag is enabled in config.h -requires_config_disabled() { - if grep "^#define $1" $CONFIG_H > /dev/null; then - SKIP_NEXT="YES" - fi -} - -get_config_value_or_default() { - # This function uses the query_config command line option to query the - # required Mbed TLS compile time configuration from the ssl_server2 - # program. The command will always return a success value if the - # configuration is defined and the value will be printed to stdout. - # - # Note that if the configuration is not defined or is defined to nothing, - # the output of this function will be an empty string. - ${P_SRV} "query_config=${1}" -} - -requires_config_value_at_least() { - VAL="$( get_config_value_or_default "$1" )" - if [ -z "$VAL" ]; then - # Should never happen - echo "Mbed TLS configuration $1 is not defined" - exit 1 - elif [ "$VAL" -lt "$2" ]; then - SKIP_NEXT="YES" - fi -} - -requires_config_value_at_most() { - VAL=$( get_config_value_or_default "$1" ) - if [ -z "$VAL" ]; then - # Should never happen - echo "Mbed TLS configuration $1 is not defined" - exit 1 - elif [ "$VAL" -gt "$2" ]; then - SKIP_NEXT="YES" - fi -} - -requires_ciphersuite_enabled() { - if [ -z "$($P_CLI --help | grep $1)" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if OpenSSL doesn't support FALLBACK_SCSV -requires_openssl_with_fallback_scsv() { - if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then - if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null - then - OPENSSL_HAS_FBSCSV="YES" - else - OPENSSL_HAS_FBSCSV="NO" - fi - fi - if [ "$OPENSSL_HAS_FBSCSV" = "NO" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if GnuTLS 
isn't available -requires_gnutls() { - if [ -z "${GNUTLS_AVAILABLE:-}" ]; then - if ( which "$GNUTLS_CLI" && which "$GNUTLS_SERV" ) >/dev/null 2>&1; then - GNUTLS_AVAILABLE="YES" - else - GNUTLS_AVAILABLE="NO" - fi - fi - if [ "$GNUTLS_AVAILABLE" = "NO" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if GnuTLS-next isn't available -requires_gnutls_next() { - if [ -z "${GNUTLS_NEXT_AVAILABLE:-}" ]; then - if ( which "${GNUTLS_NEXT_CLI:-}" && which "${GNUTLS_NEXT_SERV:-}" ) >/dev/null 2>&1; then - GNUTLS_NEXT_AVAILABLE="YES" - else - GNUTLS_NEXT_AVAILABLE="NO" - fi - fi - if [ "$GNUTLS_NEXT_AVAILABLE" = "NO" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if OpenSSL-legacy isn't available -requires_openssl_legacy() { - if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then - if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then - OPENSSL_LEGACY_AVAILABLE="YES" - else - OPENSSL_LEGACY_AVAILABLE="NO" - fi - fi - if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if IPv6 isn't available on this host -requires_ipv6() { - if [ -z "${HAS_IPV6:-}" ]; then - $P_SRV server_addr='::1' > $SRV_OUT 2>&1 & - SRV_PID=$! 
- sleep 1 - kill $SRV_PID >/dev/null 2>&1 - if grep "NET - Binding of the socket failed" $SRV_OUT >/dev/null; then - HAS_IPV6="NO" - else - HAS_IPV6="YES" - fi - rm -r $SRV_OUT - fi - - if [ "$HAS_IPV6" = "NO" ]; then - SKIP_NEXT="YES" - fi -} - -# skip next test if it's i686 or uname is not available -requires_not_i686() { - if [ -z "${IS_I686:-}" ]; then - IS_I686="YES" - if which "uname" >/dev/null 2>&1; then - if [ -z "$(uname -a | grep i686)" ]; then - IS_I686="NO" - fi - fi - fi - if [ "$IS_I686" = "YES" ]; then - SKIP_NEXT="YES" - fi -} - -# Calculate the input & output maximum content lengths set in the config -MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384") -MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN") -MAX_OUT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN") - -if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then - MAX_CONTENT_LEN="$MAX_IN_LEN" -fi -if [ "$MAX_OUT_LEN" -lt "$MAX_CONTENT_LEN" ]; then - MAX_CONTENT_LEN="$MAX_OUT_LEN" -fi - -# skip the next test if the SSL output buffer is less than 16KB -requires_full_size_output_buffer() { - if [ "$MAX_OUT_LEN" -ne 16384 ]; then - SKIP_NEXT="YES" - fi -} - -# skip the next test if valgrind is in use -not_with_valgrind() { - if [ "$MEMCHECK" -gt 0 ]; then - SKIP_NEXT="YES" - fi -} - -# skip the next test if valgrind is NOT in use -only_with_valgrind() { - if [ "$MEMCHECK" -eq 0 ]; then - SKIP_NEXT="YES" - fi -} - -# multiply the client timeout delay by the given factor for the next test -client_needs_more_time() { - CLI_DELAY_FACTOR=$1 -} - -# wait for the given seconds after the client finished in the next test -server_needs_more_time() { - SRV_DELAY_SECONDS=$1 -} - -# print_name -print_name() { - TESTS=$(( $TESTS + 1 )) - LINE="" - - if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then - LINE="$TESTS " - fi - - LINE="$LINE$1" - printf "$LINE " - LEN=$(( 72 - `echo "$LINE" | wc -c` )) - for i in 
`seq 1 $LEN`; do printf '.'; done - printf ' ' - -} - -# fail -fail() { - echo "FAIL" - echo " ! $1" - - mv $SRV_OUT o-srv-${TESTS}.log - mv $CLI_OUT o-cli-${TESTS}.log - if [ -n "$PXY_CMD" ]; then - mv $PXY_OUT o-pxy-${TESTS}.log - fi - echo " ! outputs saved to o-XXX-${TESTS}.log" - - if [ "X${USER:-}" = Xbuildbot -o "X${LOGNAME:-}" = Xbuildbot -o "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then - echo " ! server output:" - cat o-srv-${TESTS}.log - echo " ! ========================================================" - echo " ! client output:" - cat o-cli-${TESTS}.log - if [ -n "$PXY_CMD" ]; then - echo " ! ========================================================" - echo " ! proxy output:" - cat o-pxy-${TESTS}.log - fi - echo "" - fi - - FAILS=$(( $FAILS + 1 )) -} - -# is_polar -is_polar() { - echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null -} - -# openssl s_server doesn't have -www with DTLS -check_osrv_dtls() { - if echo "$SRV_CMD" | grep 's_server.*-dtls' >/dev/null; then - NEEDS_INPUT=1 - SRV_CMD="$( echo $SRV_CMD | sed s/-www// )" - else - NEEDS_INPUT=0 - fi -} - -# provide input to commands that need it -provide_input() { - if [ $NEEDS_INPUT -eq 0 ]; then - return - fi - - while true; do - echo "HTTP/1.0 200 OK" - sleep 1 - done -} - -# has_mem_err -has_mem_err() { - if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" && - grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null - then - return 1 # false: does not have errors - else - return 0 # true: has errors - fi -} - -# Wait for process $2 to be listening on port $1 -if type lsof >/dev/null 2>/dev/null; then - wait_server_start() { - START_TIME=$(date +%s) - if [ "$DTLS" -eq 1 ]; then - proto=UDP - else - proto=TCP - fi - # Make a tight loop, server normally takes less than 1s to start. - while ! 
lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do - if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then - echo "SERVERSTART TIMEOUT" - echo "SERVERSTART TIMEOUT" >> $SRV_OUT - break - fi - # Linux and *BSD support decimal arguments to sleep. On other - # OSes this may be a tight loop. - sleep 0.1 2>/dev/null || true - done - } -else - echo "Warning: lsof not available, wait_server_start = sleep" - wait_server_start() { - sleep "$START_DELAY" - } -fi - -# Given the client or server debug output, parse the unix timestamp that is -# included in the first 4 bytes of the random bytes and check that it's within -# acceptable bounds -check_server_hello_time() { - # Extract the time from the debug (lvl 3) output of the client - SERVER_HELLO_TIME="$(sed -n 's/.*server hello, current time: //p' < "$1")" - # Get the Unix timestamp for now - CUR_TIME=$(date +'%s') - THRESHOLD_IN_SECS=300 - - # Check if the ServerHello time was printed - if [ -z "$SERVER_HELLO_TIME" ]; then - return 1 - fi - - # Check the time in ServerHello is within acceptable bounds - if [ $SERVER_HELLO_TIME -lt $(( $CUR_TIME - $THRESHOLD_IN_SECS )) ]; then - # The time in ServerHello is at least 5 minutes before now - return 1 - elif [ $SERVER_HELLO_TIME -gt $(( $CUR_TIME + $THRESHOLD_IN_SECS )) ]; then - # The time in ServerHello is at least 5 minutes later than now - return 1 - else - return 0 - fi -} - -# wait for client to terminate and set CLI_EXIT -# must be called right after starting the client -wait_client_done() { - CLI_PID=$! - - CLI_DELAY=$(( $DOG_DELAY * $CLI_DELAY_FACTOR )) - CLI_DELAY_FACTOR=1 - - ( sleep $CLI_DELAY; echo "===CLIENT_TIMEOUT===" >> $CLI_OUT; kill $CLI_PID ) & - DOG_PID=$! - - wait $CLI_PID - CLI_EXIT=$? 
- - kill $DOG_PID >/dev/null 2>&1 - wait $DOG_PID - - echo "EXIT: $CLI_EXIT" >> $CLI_OUT - - sleep $SRV_DELAY_SECONDS - SRV_DELAY_SECONDS=0 -} - -# check if the given command uses dtls and sets global variable DTLS -detect_dtls() { - if echo "$1" | grep 'dtls=1\|-dtls1\|-u' >/dev/null; then - DTLS=1 - else - DTLS=0 - fi -} - -# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] -# Options: -s pattern pattern that must be present in server output -# -c pattern pattern that must be present in client output -# -u pattern lines after pattern must be unique in client output -# -f call shell function on client output -# -S pattern pattern that must be absent in server output -# -C pattern pattern that must be absent in client output -# -U pattern lines after pattern must be unique in server output -# -F call shell function on server output -run_test() { - NAME="$1" - shift 1 - - if echo "$NAME" | grep "$FILTER" | grep -v "$EXCLUDE" >/dev/null; then : - else - SKIP_NEXT="NO" - return - fi - - print_name "$NAME" - - # Do we only run numbered tests? - if [ "X$RUN_TEST_NUMBER" = "X" ]; then : - elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then : - else - SKIP_NEXT="YES" - fi - - # does this test use a proxy? - if [ "X$1" = "X-p" ]; then - PXY_CMD="$2" - shift 2 - else - PXY_CMD="" - fi - - # get commands and client output - SRV_CMD="$1" - CLI_CMD="$2" - CLI_EXPECT="$3" - shift 3 - - # Check if server forces ciphersuite - FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p') - if [ ! -z "$FORCE_CIPHERSUITE" ]; then - requires_ciphersuite_enabled $FORCE_CIPHERSUITE - fi - - # Check if client forces ciphersuite - FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p') - if [ ! -z "$FORCE_CIPHERSUITE" ]; then - requires_ciphersuite_enabled $FORCE_CIPHERSUITE - fi - - # should we skip? 
- if [ "X$SKIP_NEXT" = "XYES" ]; then - SKIP_NEXT="NO" - echo "SKIP" - SKIPS=$(( $SKIPS + 1 )) - return - fi - - # fix client port - if [ -n "$PXY_CMD" ]; then - CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g ) - else - CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g ) - fi - - # update DTLS variable - detect_dtls "$SRV_CMD" - - # prepend valgrind to our commands if active - if [ "$MEMCHECK" -gt 0 ]; then - if is_polar "$SRV_CMD"; then - SRV_CMD="valgrind --leak-check=full $SRV_CMD" - fi - if is_polar "$CLI_CMD"; then - CLI_CMD="valgrind --leak-check=full $CLI_CMD" - fi - fi - - TIMES_LEFT=2 - while [ $TIMES_LEFT -gt 0 ]; do - TIMES_LEFT=$(( $TIMES_LEFT - 1 )) - - # run the commands - if [ -n "$PXY_CMD" ]; then - echo "$PXY_CMD" > $PXY_OUT - $PXY_CMD >> $PXY_OUT 2>&1 & - PXY_PID=$! - # assume proxy starts faster than server - fi - - check_osrv_dtls - echo "$SRV_CMD" > $SRV_OUT - provide_input | $SRV_CMD >> $SRV_OUT 2>&1 & - SRV_PID=$! - wait_server_start "$SRV_PORT" "$SRV_PID" - - echo "$CLI_CMD" > $CLI_OUT - eval "$CLI_CMD" >> $CLI_OUT 2>&1 & - wait_client_done - - sleep 0.05 - - # terminate the server (and the proxy) - kill $SRV_PID - wait $SRV_PID - - if [ -n "$PXY_CMD" ]; then - kill $PXY_PID >/dev/null 2>&1 - wait $PXY_PID - fi - - # retry only on timeouts - if grep '===CLIENT_TIMEOUT===' $CLI_OUT >/dev/null; then - printf "RETRY " - else - TIMES_LEFT=0 - fi - done - - # check if the client and server went at least to the handshake stage - # (useful to avoid tests with only negative assertions and non-zero - # expected client exit to incorrectly succeed in case of catastrophic - # failure) - if is_polar "$SRV_CMD"; then - if grep "Performing the SSL/TLS handshake" $SRV_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" - return - fi - fi - if is_polar "$CLI_CMD"; then - if grep "Performing the SSL/TLS handshake" $CLI_OUT >/dev/null; then :; - else - fail "server or client failed to reach handshake stage" 
- return - fi - fi - - # check server exit code - if [ $? != 0 ]; then - fail "server fail" - return - fi - - # check client exit code - if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \ - \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ] - then - fail "bad client exit code (expected $CLI_EXPECT, got $CLI_EXIT)" - return - fi - - # check other assertions - # lines beginning with == are added by valgrind, ignore them - # lines with 'Serious error when reading debug info', are valgrind issues as well - while [ $# -gt 0 ] - do - case $1 in - "-s") - if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else - fail "pattern '$2' MUST be present in the Server output" - return - fi - ;; - - "-c") - if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then :; else - fail "pattern '$2' MUST be present in the Client output" - return - fi - ;; - - "-S") - if grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then - fail "pattern '$2' MUST NOT be present in the Server output" - return - fi - ;; - - "-C") - if grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep "$2" >/dev/null; then - fail "pattern '$2' MUST NOT be present in the Client output" - return - fi - ;; - - # The filtering in the following two options (-u and -U) do the following - # - ignore valgrind output - # - filter out everything but lines right after the pattern occurrences - # - keep one of each non-unique line - # - count how many lines remain - # A line with '--' will remain in the result from previous outputs, so the number of lines in the result will be 1 - # if there were no duplicates. 
- "-U") - if [ $(grep -v '^==' $SRV_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then - fail "lines following pattern '$2' must be unique in Server output" - return - fi - ;; - - "-u") - if [ $(grep -v '^==' $CLI_OUT | grep -v 'Serious error when reading debug info' | grep -A1 "$2" | grep -v "$2" | sort | uniq -d | wc -l) -gt 1 ]; then - fail "lines following pattern '$2' must be unique in Client output" - return - fi - ;; - "-F") - if ! $2 "$SRV_OUT"; then - fail "function call to '$2' failed on Server output" - return - fi - ;; - "-f") - if ! $2 "$CLI_OUT"; then - fail "function call to '$2' failed on Client output" - return - fi - ;; - - *) - echo "Unknown test: $1" >&2 - exit 1 - esac - shift 2 - done - - # check valgrind's results - if [ "$MEMCHECK" -gt 0 ]; then - if is_polar "$SRV_CMD" && has_mem_err $SRV_OUT; then - fail "Server has memory errors" - return - fi - if is_polar "$CLI_CMD" && has_mem_err $CLI_OUT; then - fail "Client has memory errors" - return - fi - fi - - # if we're here, everything is ok - echo "PASS" - if [ "$PRESERVE_LOGS" -gt 0 ]; then - mv $SRV_OUT o-srv-${TESTS}.log - mv $CLI_OUT o-cli-${TESTS}.log - if [ -n "$PXY_CMD" ]; then - mv $PXY_OUT o-pxy-${TESTS}.log - fi - fi - - rm -f $SRV_OUT $CLI_OUT $PXY_OUT -} - -run_test_psa() { - requires_config_enabled MBEDTLS_USE_PSA_CRYPTO - run_test "PSA-supported ciphersuite: $1" \ - "$P_SRV debug_level=2 force_version=tls1_2" \ - "$P_CLI debug_level=2 force_version=tls1_2 force_ciphersuite=$1" \ - 0 \ - -c "Successfully setup PSA-based decryption cipher context" \ - -c "Successfully setup PSA-based encryption cipher context" \ - -c "PSA calc verify" \ - -c "calc PSA finished" \ - -s "Successfully setup PSA-based decryption cipher context" \ - -s "Successfully setup PSA-based encryption cipher context" \ - -s "PSA calc verify" \ - -s "calc PSA finished" \ - -C "Failed to setup PSA-based cipher context"\ - -S "Failed to 
setup PSA-based cipher context"\ - -s "Protocol is TLSv1.2" \ - -c "Perform PSA-based ECDH computation."\ - -c "Perform PSA-based computation of digest of ServerKeyExchange" \ - -S "error" \ - -C "error" -} - -run_test_psa_force_curve() { - requires_config_enabled MBEDTLS_USE_PSA_CRYPTO - run_test "PSA - ECDH with $1" \ - "$P_SRV debug_level=4 force_version=tls1_2" \ - "$P_CLI debug_level=4 force_version=tls1_2 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \ - 0 \ - -c "Successfully setup PSA-based decryption cipher context" \ - -c "Successfully setup PSA-based encryption cipher context" \ - -c "PSA calc verify" \ - -c "calc PSA finished" \ - -s "Successfully setup PSA-based decryption cipher context" \ - -s "Successfully setup PSA-based encryption cipher context" \ - -s "PSA calc verify" \ - -s "calc PSA finished" \ - -C "Failed to setup PSA-based cipher context"\ - -S "Failed to setup PSA-based cipher context"\ - -s "Protocol is TLSv1.2" \ - -c "Perform PSA-based ECDH computation."\ - -c "Perform PSA-based computation of digest of ServerKeyExchange" \ - -S "error" \ - -C "error" -} - -cleanup() { - rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION - test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1 - test -n "${PXY_PID:-}" && kill $PXY_PID >/dev/null 2>&1 - test -n "${CLI_PID:-}" && kill $CLI_PID >/dev/null 2>&1 - test -n "${DOG_PID:-}" && kill $DOG_PID >/dev/null 2>&1 - exit 1 -} - -# -# MAIN -# - -get_options "$@" - -# sanity checks, avoid an avalanche of errors -P_SRV_BIN="${P_SRV%%[ ]*}" -P_CLI_BIN="${P_CLI%%[ ]*}" -P_PXY_BIN="${P_PXY%%[ ]*}" -if [ ! -x "$P_SRV_BIN" ]; then - echo "Command '$P_SRV_BIN' is not an executable file" - exit 1 -fi -if [ ! -x "$P_CLI_BIN" ]; then - echo "Command '$P_CLI_BIN' is not an executable file" - exit 1 -fi -if [ ! 
-x "$P_PXY_BIN" ]; then - echo "Command '$P_PXY_BIN' is not an executable file" - exit 1 -fi -if [ "$MEMCHECK" -gt 0 ]; then - if which valgrind >/dev/null 2>&1; then :; else - echo "Memcheck not possible. Valgrind not found" - exit 1 - fi -fi -if which $OPENSSL_CMD >/dev/null 2>&1; then :; else - echo "Command '$OPENSSL_CMD' not found" - exit 1 -fi - -# used by watchdog -MAIN_PID="$$" - -# We use somewhat arbitrary delays for tests: -# - how long do we wait for the server to start (when lsof not available)? -# - how long do we allow for the client to finish? -# (not to check performance, just to avoid waiting indefinitely) -# Things are slower with valgrind, so give extra time here. -# -# Note: without lsof, there is a trade-off between the running time of this -# script and the risk of spurious errors because we didn't wait long enough. -# The watchdog delay on the other hand doesn't affect normal running time of -# the script, only the case where a client or server gets stuck. -if [ "$MEMCHECK" -gt 0 ]; then - START_DELAY=6 - DOG_DELAY=60 -else - START_DELAY=2 - DOG_DELAY=20 -fi - -# some particular tests need more time: -# - for the client, we multiply the usual watchdog limit by a factor -# - for the server, we sleep for a number of seconds after the client exits -# see client_need_more_time() and server_needs_more_time() -CLI_DELAY_FACTOR=1 -SRV_DELAY_SECONDS=0 - -# fix commands to use this port, force IPv4 while at it -# +SRV_PORT will be replaced by either $SRV_PORT or $PXY_PORT later -P_SRV="$P_SRV server_addr=127.0.0.1 server_port=$SRV_PORT" -P_CLI="$P_CLI server_addr=127.0.0.1 server_port=+SRV_PORT" -P_PXY="$P_PXY server_addr=127.0.0.1 server_port=$SRV_PORT listen_addr=127.0.0.1 listen_port=$PXY_PORT ${SEED:+"seed=$SEED"}" -O_SRV="$O_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem" -O_CLI="$O_CLI -connect localhost:+SRV_PORT" -G_SRV="$G_SRV -p $SRV_PORT" -G_CLI="$G_CLI -p +SRV_PORT" - -if [ -n "${OPENSSL_LEGACY:-}" ]; then - 
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem" - O_LEGACY_CLI="$O_LEGACY_CLI -connect localhost:+SRV_PORT" -fi - -if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then - G_NEXT_SRV="$G_NEXT_SRV -p $SRV_PORT" -fi - -if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then - G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT" -fi - -# Allow SHA-1, because many of our test certificates use it -P_SRV="$P_SRV allow_sha1=1" -P_CLI="$P_CLI allow_sha1=1" - -# Also pick a unique name for intermediate files -SRV_OUT="srv_out.$$" -CLI_OUT="cli_out.$$" -PXY_OUT="pxy_out.$$" -SESSION="session.$$" - -SKIP_NEXT="NO" - -trap cleanup INT TERM HUP - -# Basic test - -# Checks that: -# - things work with all ciphersuites active (used with config-full in all.sh) -# - the expected (highest security) parameters are selected -# ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) -run_test "Default" \ - "$P_SRV debug_level=3" \ - "$P_CLI" \ - 0 \ - -s "Protocol is TLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \ - -s "client hello v3, signature_algorithm ext: 6" \ - -s "ECDHE curve: secp521r1" \ - -S "error" \ - -C "error" - -run_test "Default, DTLS" \ - "$P_SRV dtls=1" \ - "$P_CLI dtls=1" \ - 0 \ - -s "Protocol is DTLSv1.2" \ - -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" - -# Test using an opaque private key for client authentication -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SHA256_C -run_test "Opaque key for client authentication" \ - "$P_SRV auth_mode=required" \ - "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ - 0 \ - -c "key type: Opaque" \ - -s "Verifying peer X.509 certificate... 
ok" \ - -S "error" \ - -C "error" - -# Test ciphersuites which we expect to be fully supported by PSA Crypto -# and check that we don't fall back to Mbed TLS' internal crypto primitives. -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 -run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 - -requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED -run_test_psa_force_curve "secp521r1" -requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED -run_test_psa_force_curve "brainpoolP512r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED -run_test_psa_force_curve "secp384r1" -requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED -run_test_psa_force_curve "brainpoolP384r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED -run_test_psa_force_curve "secp256r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED -run_test_psa_force_curve "secp256k1" -requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED -run_test_psa_force_curve "brainpoolP256r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED -run_test_psa_force_curve "secp224r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED -run_test_psa_force_curve "secp224k1" -requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED -run_test_psa_force_curve "secp192r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED -run_test_psa_force_curve "secp192k1" - -# Test current time in ServerHello -requires_config_enabled MBEDTLS_HAVE_TIME -run_test "ServerHello contains gmt_unix_time" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3" \ - 0 \ - -f "check_server_hello_time" \ - -F "check_server_hello_time" - -# Test for uniqueness of 
IVs in AEAD ciphersuites -run_test "Unique IV in GCM" \ - "$P_SRV exchanges=20 debug_level=4" \ - "$P_CLI exchanges=20 debug_level=4 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ - 0 \ - -u "IV used" \ - -U "IV used" - -# Tests for rc4 option - -requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES -run_test "RC4: server disabled, client enabled" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 1 \ - -s "SSL - The server has no ciphersuites in common" - -requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES -run_test "RC4: server half, client enabled" \ - "$P_SRV arc4=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 1 \ - -s "SSL - The server has no ciphersuites in common" - -run_test "RC4: server enabled, client disabled" \ - "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI" \ - 1 \ - -s "SSL - The server has no ciphersuites in common" - -run_test "RC4: both enabled" \ - "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -S "SSL - None of the common ciphersuites is usable" \ - -S "SSL - The server has no ciphersuites in common" - -# Test empty CA list in CertificateRequest in TLS 1.1 and earlier - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ - 0 - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 -run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1" \ - 0 - -# Tests for SHA-1 support - -requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES -run_test "SHA-1 forbidden by default in server certificate" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ - "$P_CLI debug_level=2 allow_sha1=0" \ - 1 \ - -c "The certificate is signed with an unacceptable hash" - 
-requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-run_test "SHA-1 forbidden by default in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
- "$P_CLI debug_level=2 allow_sha1=0" \
- 0
-
-run_test "SHA-1 explicitly allowed in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
- "$P_CLI allow_sha1=1" \
- 0
-
-run_test "SHA-256 allowed by default in server certificate" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2-sha256.crt" \
- "$P_CLI allow_sha1=0" \
- 0
-
-requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-run_test "SHA-1 forbidden by default in client certificate" \
- "$P_SRV auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
- 1 \
- -s "The certificate is signed with an unacceptable hash"
-
-requires_config_enabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-run_test "SHA-1 forbidden by default in client certificate" \
- "$P_SRV auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
- 0
-
-run_test "SHA-1 explicitly allowed in client certificate" \
- "$P_SRV auth_mode=required allow_sha1=1" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
- 0
-
-run_test "SHA-256 allowed by default in client certificate" \
- "$P_SRV auth_mode=required allow_sha1=0" \
- "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha256.crt" \
- 0
-
-# Tests for datagram packing
-run_test "DTLS: multiple records in same datagram, client and server" \
- "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \
- 0 \
- -c "next record in same datagram" \
- -s "next record in same datagram"
-
-run_test "DTLS: multiple records in same datagram, client only" \
- "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=1 debug_level=2" \ - 0 \ - -s "next record in same datagram" \ - -C "next record in same datagram" - -run_test "DTLS: multiple records in same datagram, server only" \ - "$P_SRV dtls=1 dgram_packing=1 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -S "next record in same datagram" \ - -c "next record in same datagram" - -run_test "DTLS: multiple records in same datagram, neither client nor server" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -S "next record in same datagram" \ - -C "next record in same datagram" - -# Tests for Truncated HMAC extension - -run_test "Truncated HMAC: client default, server default" \ - "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC: client disabled, server default" \ - "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC: client enabled, server default" \ - "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC: client enabled, server disabled" \ - "$P_SRV debug_level=4 trunc_hmac=0" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC: client disabled, server enabled" \ - "$P_SRV debug_level=4 
trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC: client enabled, server enabled" \ - "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -S "dumping 'expected mac' (20 bytes)" \ - -s "dumping 'expected mac' (10 bytes)" - -run_test "Truncated HMAC, DTLS: client default, server default" \ - "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC, DTLS: client disabled, server default" \ - "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC, DTLS: client enabled, server default" \ - "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ - "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ - "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ - 0 
\ - -s "dumping 'expected mac' (20 bytes)" \ - -S "dumping 'expected mac' (10 bytes)" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ - "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ - 0 \ - -S "dumping 'expected mac' (20 bytes)" \ - -s "dumping 'expected mac' (10 bytes)" - -# Tests for Encrypt-then-MAC extension - -run_test "Encrypt then MAC: default" \ - "$P_SRV debug_level=3 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - "$P_CLI debug_level=3" \ - 0 \ - -c "client hello, adding encrypt_then_mac extension" \ - -s "found encrypt then mac extension" \ - -s "server hello, adding encrypt then mac extension" \ - -c "found encrypt_then_mac extension" \ - -c "using encrypt then mac" \ - -s "using encrypt then mac" - -run_test "Encrypt then MAC: client enabled, server disabled" \ - "$P_SRV debug_level=3 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - "$P_CLI debug_level=3 etm=1" \ - 0 \ - -c "client hello, adding encrypt_then_mac extension" \ - -s "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -run_test "Encrypt then MAC: client enabled, aead cipher" \ - "$P_SRV debug_level=3 etm=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \ - "$P_CLI debug_level=3 etm=1" \ - 0 \ - -c "client hello, adding encrypt_then_mac extension" \ - -s "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -run_test "Encrypt then MAC: client enabled, stream cipher" \ - "$P_SRV debug_level=3 etm=1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI debug_level=3 etm=1 arc4=1 
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -c "client hello, adding encrypt_then_mac extension" \ - -s "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -run_test "Encrypt then MAC: client disabled, server enabled" \ - "$P_SRV debug_level=3 etm=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - "$P_CLI debug_level=3 etm=0" \ - 0 \ - -C "client hello, adding encrypt_then_mac extension" \ - -S "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Encrypt then MAC: client SSLv3, server enabled" \ - "$P_SRV debug_level=3 min_version=ssl3 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - "$P_CLI debug_level=3 force_version=ssl3" \ - 0 \ - -C "client hello, adding encrypt_then_mac extension" \ - -S "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Encrypt then MAC: client enabled, server SSLv3" \ - "$P_SRV debug_level=3 force_version=ssl3 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - "$P_CLI debug_level=3 min_version=ssl3" \ - 0 \ - -c "client hello, adding encrypt_then_mac extension" \ - -S "found encrypt then mac extension" \ - -S "server hello, adding encrypt then mac extension" \ - -C "found encrypt_then_mac extension" \ - -C "using encrypt then mac" \ - -S "using encrypt then mac" - -# Tests for Extended Master Secret extension - -run_test "Extended Master Secret: default" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3" \ - 0 \ - -c "client hello, adding 
extended_master_secret extension" \ - -s "found extended master secret extension" \ - -s "server hello, adding extended master secret extension" \ - -c "found extended_master_secret extension" \ - -c "using extended master secret" \ - -s "using extended master secret" - -run_test "Extended Master Secret: client enabled, server disabled" \ - "$P_SRV debug_level=3 extended_ms=0" \ - "$P_CLI debug_level=3 extended_ms=1" \ - 0 \ - -c "client hello, adding extended_master_secret extension" \ - -s "found extended master secret extension" \ - -S "server hello, adding extended master secret extension" \ - -C "found extended_master_secret extension" \ - -C "using extended master secret" \ - -S "using extended master secret" - -run_test "Extended Master Secret: client disabled, server enabled" \ - "$P_SRV debug_level=3 extended_ms=1" \ - "$P_CLI debug_level=3 extended_ms=0" \ - 0 \ - -C "client hello, adding extended_master_secret extension" \ - -S "found extended master secret extension" \ - -S "server hello, adding extended master secret extension" \ - -C "found extended_master_secret extension" \ - -C "using extended master secret" \ - -S "using extended master secret" - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Extended Master Secret: client SSLv3, server enabled" \ - "$P_SRV debug_level=3 min_version=ssl3" \ - "$P_CLI debug_level=3 force_version=ssl3" \ - 0 \ - -C "client hello, adding extended_master_secret extension" \ - -S "found extended master secret extension" \ - -S "server hello, adding extended master secret extension" \ - -C "found extended_master_secret extension" \ - -C "using extended master secret" \ - -S "using extended master secret" - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Extended Master Secret: client enabled, server SSLv3" \ - "$P_SRV debug_level=3 force_version=ssl3" \ - "$P_CLI debug_level=3 min_version=ssl3" \ - 0 \ - -c "client hello, adding extended_master_secret extension" \ - -S "found extended master 
secret extension" \ - -S "server hello, adding extended master secret extension" \ - -C "found extended_master_secret extension" \ - -C "using extended master secret" \ - -S "using extended master secret" - -# Tests for FALLBACK_SCSV - -run_test "Fallback SCSV: default" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: explicitly disabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: enabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" \ - -c "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: enabled, max version" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 fallback=1" \ - 0 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: default, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -c "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: disabled, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -tls1_1" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - 
-requires_openssl_with_fallback_scsv
-run_test "Fallback SCSV: enabled, openssl client" \
- "$P_SRV debug_level=2" \
- "$O_CLI -tls1_1 -fallback_scsv" \
- 1 \
- -s "received FALLBACK_SCSV" \
- -s "inapropriate fallback"
-
-requires_openssl_with_fallback_scsv
-run_test "Fallback SCSV: enabled, max version, openssl client" \
- "$P_SRV debug_level=2" \
- "$O_CLI -fallback_scsv" \
- 0 \
- -s "received FALLBACK_SCSV" \
- -S "inapropriate fallback"
-
-# Test sending and receiving empty application data records
-
-run_test "Encrypt then MAC: empty application data record" \
- "$P_SRV auth_mode=none debug_level=4 etm=1" \
- "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
- -s "dumping 'input payload after decrypt' (0 bytes)" \
- -c "0 bytes written in 1 fragments"
-
-run_test "Default, no Encrypt then MAC: empty application data record" \
- "$P_SRV auth_mode=none debug_level=4 etm=0" \
- "$P_CLI auth_mode=none etm=0 request_size=0" \
- 0 \
- -s "dumping 'input payload after decrypt' (0 bytes)" \
- -c "0 bytes written in 1 fragments"
-
-run_test "Encrypt then MAC, DTLS: empty application data record" \
- "$P_SRV auth_mode=none debug_level=4 etm=1 dtls=1" \
- "$P_CLI auth_mode=none etm=1 request_size=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA dtls=1" \
- 0 \
- -S "0000: 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f 0f" \
- -s "dumping 'input payload after decrypt' (0 bytes)" \
- -c "0 bytes written in 1 fragments"
-
-run_test "Default, no Encrypt then MAC, DTLS: empty application data record" \
- "$P_SRV auth_mode=none debug_level=4 etm=0 dtls=1" \
- "$P_CLI auth_mode=none etm=0 request_size=0 dtls=1" \
- 0 \
- -s "dumping 'input payload after decrypt' (0 bytes)" \
- -c "0 bytes written in 1 fragments"
-
-## ClientHello generated with
-## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..."
-## then manually twiddling the ciphersuite list.
-## The ClientHello content is spelled out below as a hex string as
-## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix".
-## The expected response is an inappropriate_fallback alert.
-requires_openssl_with_fallback_scsv
-run_test "Fallback SCSV: beginning of list" \
- "$P_SRV debug_level=2" \
- "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \
- 0 \
- -s "received FALLBACK_SCSV" \
- -s "inapropriate fallback"
-
-requires_openssl_with_fallback_scsv
-run_test "Fallback SCSV: end of list" \
- "$P_SRV debug_level=2" \
- "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \
- 0 \
- -s "received FALLBACK_SCSV" \
- -s "inapropriate fallback"
-
-## Here the expected response is a valid ServerHello prefix, up to the random.
-requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: not in list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - -# Tests for CBC 1/n-1 record splitting - -run_test "CBC Record splitting: TLS 1.2, no splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1_2" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.1, no splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1_1" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "CBC Record splitting: SSLv3, splitting" \ - "$P_SRV min_version=ssl3" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=ssl3" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0 RC4, no splitting" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting 
disabled" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1 recsplit=0" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \ - "$P_SRV nbio=2" \ - "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - -# Tests for Session Tickets - -run_test "Session resume using tickets: basic" \ - "$P_SRV debug_level=3 tickets=1" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using tickets: cache disabled" \ - "$P_SRV debug_level=3 tickets=1 cache_max=0" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using tickets: timeout" \ - "$P_SRV debug_level=3 tickets=1 cache_max=0 ticket_timeout=1" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1 reco_delay=2" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session 
ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using tickets: openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -c "a session has been resumed" - -run_test "Session resume using tickets: openssl client" \ - "$P_SRV debug_level=3 tickets=1" \ - "( $O_CLI -sess_out $SESSION; \ - $O_CLI -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" - -# Tests for Session Tickets with DTLS - -run_test "Session resume using tickets, DTLS: basic" \ - "$P_SRV debug_level=3 dtls=1 tickets=1" \ - "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using tickets, DTLS: cache disabled" \ - "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \ - "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session 
successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using tickets, DTLS: timeout" \ - "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \ - "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using tickets, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -c "a session has been resumed" - -run_test "Session resume using tickets, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=1" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" - -# Tests for Session Resume based on session-ID and cache - -run_test "Session resume using cache: tickets enabled on client" \ - "$P_SRV debug_level=3 tickets=0" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -s "session successfully 
restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache: tickets enabled on server" \ - "$P_SRV debug_level=3 tickets=1" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "client hello, adding session ticket extension" \ - -S "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache: cache_max=0" \ - "$P_SRV debug_level=3 tickets=0 cache_max=0" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using cache: cache_max=1" \ - "$P_SRV debug_level=3 tickets=0 cache_max=1" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache: timeout > delay" \ - "$P_SRV debug_level=3 tickets=0" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache: timeout < delay" \ - "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ - 0 \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session 
has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using cache: no timeout" \ - "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache: openssl client" \ - "$P_SRV debug_level=3 tickets=0" \ - "( $O_CLI -sess_out $SESSION; \ - $O_CLI -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" - -run_test "Session resume using cache: openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -c "a session has been resumed" - -# Tests for Session Resume based on session-ID and cache, DTLS - -run_test "Session resume using cache, DTLS: tickets enabled on client" \ - "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache, DTLS: tickets enabled on server" \ - "$P_SRV dtls=1 debug_level=3 tickets=1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "client hello, adding session ticket extension" \ - -S "found session ticket extension" \ - -S "server hello, 
adding session ticket extension" \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache, DTLS: cache_max=0" \ - "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using cache, DTLS: cache_max=1" \ - "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache, DTLS: timeout > delay" \ - "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache, DTLS: timeout < delay" \ - "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ - 0 \ - -S "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -S "a session has been resumed" \ - -C "a session has been resumed" - -run_test "Session resume using cache, DTLS: no timeout" \ - "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ - 0 \ - -s "session successfully restored from cache" \ - -S "session successfully restored from 
ticket" \ - -s "a session has been resumed" \ - -c "a session has been resumed" - -run_test "Session resume using cache, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" - -run_test "Session resume using cache, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -c "a session has been resumed" - -# Tests for Max Fragment Length extension - -if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then - printf "${CONFIG_H} defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n" - exit 1 -fi - -if [ $MAX_CONTENT_LEN -ne 16384 ]; then - printf "Using non-default maximum content length $MAX_CONTENT_LEN\n" -fi - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: enabled, default" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3" \ - 0 \ - -c "Maximum fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum fragment length is $MAX_CONTENT_LEN" \ - -C "client hello, adding max_fragment_length extension" \ - -S "found max fragment length extension" \ - -S "server hello, max_fragment_length extension" \ - -C "found max_fragment_length extension" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: enabled, default, larger message" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ - 0 \ - -c "Maximum fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum fragment length is $MAX_CONTENT_LEN" \ - -C "client hello, adding max_fragment_length extension" \ - -S 
"found max fragment length extension" \ - -S "server hello, max_fragment_length extension" \ - -C "found max_fragment_length extension" \ - -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \ - -s "$MAX_CONTENT_LEN bytes read" \ - -s "1 bytes read" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length, DTLS: enabled, default, larger message" \ - "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ - 1 \ - -c "Maximum fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum fragment length is $MAX_CONTENT_LEN" \ - -C "client hello, adding max_fragment_length extension" \ - -S "found max fragment length extension" \ - -S "server hello, max_fragment_length extension" \ - -C "found max_fragment_length extension" \ - -c "fragment larger than.*maximum " - -# Run some tests with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH disabled -# (session fragment length will be 16384 regardless of mbedtls -# content length configuration.) 
- -requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: disabled, larger message" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=$(( $MAX_CONTENT_LEN + 1))" \ - 0 \ - -C "Maximum fragment length is 16384" \ - -S "Maximum fragment length is 16384" \ - -c "$(( $MAX_CONTENT_LEN + 1)) bytes written in 2 fragments" \ - -s "$MAX_CONTENT_LEN bytes read" \ - -s "1 bytes read" - -requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length DTLS: disabled, larger message" \ - "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ - 1 \ - -C "Maximum fragment length is 16384" \ - -S "Maximum fragment length is 16384" \ - -c "fragment larger than.*maximum " - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: used by client" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 max_frag_len=4096" \ - 0 \ - -c "Maximum fragment length is 4096" \ - -s "Maximum fragment length is 4096" \ - -c "client hello, adding max_fragment_length extension" \ - -s "found max fragment length extension" \ - -s "server hello, max_fragment_length extension" \ - -c "found max_fragment_length extension" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: used by server" \ - "$P_SRV debug_level=3 max_frag_len=4096" \ - "$P_CLI debug_level=3" \ - 0 \ - -c "Maximum fragment length is $MAX_CONTENT_LEN" \ - -s "Maximum fragment length is 4096" \ - -C "client hello, adding max_fragment_length extension" \ - -S "found max fragment length extension" \ - -S "server hello, max_fragment_length extension" \ - -C "found max_fragment_length extension" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -requires_gnutls -run_test "Max fragment length: gnutls server" \ - "$G_SRV" \ - "$P_CLI debug_level=3 max_frag_len=4096" \ - 0 \ - -c "Maximum fragment length is 4096" \ - -c "client hello, adding 
max_fragment_length extension" \ - -c "found max_fragment_length extension" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: client, message just fits" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ - 0 \ - -c "Maximum fragment length is 2048" \ - -s "Maximum fragment length is 2048" \ - -c "client hello, adding max_fragment_length extension" \ - -s "found max fragment length extension" \ - -s "server hello, max_fragment_length extension" \ - -c "found max_fragment_length extension" \ - -c "2048 bytes written in 1 fragments" \ - -s "2048 bytes read" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: client, larger message" \ - "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ - 0 \ - -c "Maximum fragment length is 2048" \ - -s "Maximum fragment length is 2048" \ - -c "client hello, adding max_fragment_length extension" \ - -s "found max fragment length extension" \ - -s "server hello, max_fragment_length extension" \ - -c "found max_fragment_length extension" \ - -c "2345 bytes written in 2 fragments" \ - -s "2048 bytes read" \ - -s "297 bytes read" - -requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length: DTLS client, larger message" \ - "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ - 1 \ - -c "Maximum fragment length is 2048" \ - -s "Maximum fragment length is 2048" \ - -c "client hello, adding max_fragment_length extension" \ - -s "found max fragment length extension" \ - -s "server hello, max_fragment_length extension" \ - -c "found max_fragment_length extension" \ - -c "fragment larger than.*maximum" - -# Tests for renegotiation - -# Renegotiation SCSV always added, regardless of SSL_RENEGOTIATION -run_test "Renegotiation: none, for reference" \ - "$P_SRV debug_level=3 exchanges=2 auth_mode=optional" \ - 
"$P_CLI debug_level=3 exchanges=2" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -S "write hello request" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: client-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -S "write hello request" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" - -# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that -# the server did not parse the Signature Algorithm extension. 
This test is valid only if an MD -# algorithm stronger than SHA-1 is enabled in config.h -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -S "write hello request" \ - -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? - -# Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that -# the server did not parse the Signature Algorithm extension. This test is valid only if an MD -# algorithm stronger than SHA-1 is enabled in config.h -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" \ - -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? 
- -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: double" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: client-initiated, server-rejected" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ - 1 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -S "=> renegotiate" \ - -S "write hello request" \ - -c "SSL - Unexpected message at ServerHello in renegotiation" \ - -c "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated, client-rejected, default" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated, client-rejected, not 
enforced" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=-1 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -# delay 2 for 1 alert record + 1 application data record -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=2 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=0 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -s "write hello request" \ - -s "SSL - An unexpected message was received from our peer" - -requires_config_enabled 
MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ - "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ - renego_delay=0 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: periodic, just below period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -S "record counter limit reached: renegotiate" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -S "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -# one extra exchange to be able to complete renego -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: periodic, just above period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -s "record counter limit reached: renegotiate" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ 
- -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: periodic, two times period" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -s "record counter limit reached: renegotiate" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: periodic, above period, disabled" \ - "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \ - "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ - 0 \ - -C "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -S "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -S "record counter limit reached: renegotiate" \ - -C "=> renegotiate" \ - -S "=> renegotiate" \ - -S "write hello request" \ - -S "SSL - An unexpected message was received from our peer" \ - -S "failed" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: nbio, client-initiated" \ - "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \ - "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation 
extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -S "write hello request" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: nbio, server-initiated" \ - "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ - "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -s "=> renegotiate" \ - -s "write hello request" - -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: openssl server, client-initiated" \ - "$O_SRV -www" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -C "ssl_hanshake() returned" \ - -C "error" \ - -c "HTTP/1.0 200 [Oo][Kk]" - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: gnutls server strict, client-initiated" \ - "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ - 0 \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" \ - -C "ssl_hanshake() returned" \ - -C "error" \ - -c "HTTP/1.0 200 [Oo][Kk]" - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ - "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ - 1 \ - -c "client hello, adding renegotiation extension" \ - -C "found renegotiation extension" \ - -c "=> renegotiate" \ - -c "mbedtls_ssl_handshake() returned" \ - -c "error" \ - -C "HTTP/1.0 200 
[Oo][Kk]"
-
-requires_gnutls
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
- "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
- "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
- allow_legacy=0" \
- 1 \
- -c "client hello, adding renegotiation extension" \
- -C "found renegotiation extension" \
- -c "=> renegotiate" \
- -c "mbedtls_ssl_handshake() returned" \
- -c "error" \
- -C "HTTP/1.0 200 [Oo][Kk]"
-
-requires_gnutls
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
- "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
- "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
- allow_legacy=1" \
- 0 \
- -c "client hello, adding renegotiation extension" \
- -C "found renegotiation extension" \
- -c "=> renegotiate" \
- -C "ssl_hanshake() returned" \
- -C "error" \
- -c "HTTP/1.0 200 [Oo][Kk]"
-
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: DTLS, client-initiated" \
- "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
- "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
- 0 \
- -c "client hello, adding renegotiation extension" \
- -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
- -s "found renegotiation extension" \
- -s "server hello, secure renegotiation extension" \
- -c "found renegotiation extension" \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -S "write hello request"
-
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: DTLS, server-initiated" \
- "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
- "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
- read_timeout=1000 max_resend=2" \
- 0 \
- -c "client hello, adding renegotiation extension" \
- -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
- -s "found renegotiation extension" \
- -s
"server hello, secure renegotiation extension" \
- -c "found renegotiation extension" \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "write hello request"
-
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: DTLS, renego_period overflow" \
- "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
- "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
- 0 \
- -c "client hello, adding renegotiation extension" \
- -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
- -s "found renegotiation extension" \
- -s "server hello, secure renegotiation extension" \
- -s "record counter limit reached: renegotiate" \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "write hello request"
-
-requires_gnutls
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
- "$G_SRV -u --mtu 4096" \
- "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \
- 0 \
- -c "client hello, adding renegotiation extension" \
- -c "found renegotiation extension" \
- -c "=> renegotiate" \
- -C "mbedtls_ssl_handshake returned" \
- -C "error" \
- -s "Extra-header:"
-
-# Test for the "secure renegotation" extension only (no actual renegotiation)
-
-requires_gnutls
-run_test "Renego ext: gnutls server strict, client default" \
- "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
- "$P_CLI debug_level=3" \
- 0 \
- -c "found renegotiation extension" \
- -C "error" \
- -c "HTTP/1.0 200 [Oo][Kk]"
-
-requires_gnutls
-run_test "Renego ext: gnutls server unsafe, client default" \
- "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
- "$P_CLI debug_level=3" \
- 0 \
- -C "found renegotiation extension" \
- -C "error" \
- -c "HTTP/1.0 200 [Oo][Kk]"
-
-requires_gnutls
-run_test "Renego ext: gnutls server unsafe, client break legacy" \
- "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
- "$P_CLI debug_level=3 allow_legacy=-1" \
- 1 \
- -C "found renegotiation extension" \
- -c "error" \
- -C "HTTP/1.0 200 [Oo][Kk]"
-
-requires_gnutls
-run_test "Renego ext: gnutls client strict, server default" \
- "$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \
- 0 \
- -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
- -s "server hello, secure renegotiation extension"
-
-requires_gnutls
-run_test "Renego ext: gnutls client unsafe, server default" \
- "$P_SRV debug_level=3" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
- 0 \
- -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
- -S "server hello, secure renegotiation extension"
-
-requires_gnutls
-run_test "Renego ext: gnutls client unsafe, server break legacy" \
- "$P_SRV debug_level=3 allow_legacy=-1" \
- "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \
- 1 \
- -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
- -S "server hello, secure renegotiation extension"
-
-# Tests for silently dropping trailing extra bytes in .der certificates
-
-requires_gnutls
-run_test "DER format: no trailing bytes" \
- "$P_SRV crt_file=data_files/server5-der0.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with a trailing zero byte" \
- "$P_SRV crt_file=data_files/server5-der1a.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with a trailing random byte" \
- "$P_SRV crt_file=data_files/server5-der1b.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with 2 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der2.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with 4 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der4.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with 8 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der8.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-requires_gnutls
-run_test "DER format: with 9 trailing random bytes" \
- "$P_SRV crt_file=data_files/server5-der9.crt \
- key_file=data_files/server5.key" \
- "$G_CLI localhost" \
- 0 \
- -c "Handshake was completed" \
-
-# Tests for auth_mode
-
-run_test "Authentication: server badcert, client required" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- "$P_CLI debug_level=1 auth_mode=required" \
- 1 \
- -c "x509_verify_cert() returned" \
- -c "! The certificate is not correctly signed by the trusted CA" \
- -c "! mbedtls_ssl_handshake returned" \
- -c "X509 - Certificate verification failed"
-
-run_test "Authentication: server badcert, client optional" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- "$P_CLI debug_level=1 auth_mode=optional" \
- 0 \
- -c "x509_verify_cert() returned" \
- -c "! The certificate is not correctly signed by the trusted CA" \
- -C "! mbedtls_ssl_handshake returned" \
- -C "X509 - Certificate verification failed"
-
-run_test "Authentication: server goodcert, client optional, no trusted CA" \
- "$P_SRV" \
- "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
- 0 \
- -c "x509_verify_cert() returned" \
- -c "! The certificate is not correctly signed by the trusted CA" \
- -c "! Certificate verification flags"\
- -C "!
mbedtls_ssl_handshake returned" \
- -C "X509 - Certificate verification failed" \
- -C "SSL - No CA Chain is set, but required to operate"
-
-run_test "Authentication: server goodcert, client required, no trusted CA" \
- "$P_SRV" \
- "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
- 1 \
- -c "x509_verify_cert() returned" \
- -c "! The certificate is not correctly signed by the trusted CA" \
- -c "! Certificate verification flags"\
- -c "! mbedtls_ssl_handshake returned" \
- -c "SSL - No CA Chain is set, but required to operate"
-
-# The purpose of the next two tests is to test the client's behaviour when receiving a server
-# certificate with an unsupported elliptic curve. This should usually not happen because
-# the client informs the server about the supported curves - it does, though, in the
-# corner case of a static ECDH suite, because the server doesn't check the curve on that
-# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
-# different means to have the server ignoring the client's supported curve list.
-
-requires_config_enabled MBEDTLS_ECP_C
-run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
- "$P_CLI debug_level=3 auth_mode=required curves=secp521r1" \
- 1 \
- -c "bad certificate (EC key curve)"\
- -c "! Certificate verification flags"\
- -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
-
-requires_config_enabled MBEDTLS_ECP_C
-run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
- "$P_SRV debug_level=1 key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
- "$P_CLI debug_level=3 auth_mode=optional curves=secp521r1" \
- 1 \
- -c "bad certificate (EC key curve)"\
- -c "!
Certificate verification flags"\
- -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
-
-run_test "Authentication: server badcert, client none" \
- "$P_SRV crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- "$P_CLI debug_level=1 auth_mode=none" \
- 0 \
- -C "x509_verify_cert() returned" \
- -C "! The certificate is not correctly signed by the trusted CA" \
- -C "! mbedtls_ssl_handshake returned" \
- -C "X509 - Certificate verification failed"
-
-run_test "Authentication: client SHA256, server required" \
- "$P_SRV auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
- 0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
-
-run_test "Authentication: client SHA384, server required" \
- "$P_SRV auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \
- 0 \
- -c "Supported Signature Algorithm found: 4," \
- -c "Supported Signature Algorithm found: 5,"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Authentication: client has no cert, server required (SSLv3)" \
- "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \
- "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \
- key_file=data_files/server5.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -c "got no certificate to send" \
- -S "x509_verify_cert() returned" \
- -s "client has no certificate" \
- -s "! mbedtls_ssl_handshake returned" \
- -c "!
mbedtls_ssl_handshake returned" \
- -s "No client certification received from the client, but required by the authentication mode"
-
-run_test "Authentication: client has no cert, server required (TLS)" \
- "$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=none \
- key_file=data_files/server5.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -c "= write certificate$" \
- -C "skip write certificate$" \
- -S "x509_verify_cert() returned" \
- -s "client has no certificate" \
- -s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
- -s "No client certification received from the client, but required by the authentication mode"
-
-run_test "Authentication: client badcert, server required" \
- "$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -s "! The certificate is not correctly signed by the trusted CA" \
- -s "! mbedtls_ssl_handshake returned" \
- -s "send alert level=2 message=48" \
- -c "! mbedtls_ssl_handshake returned" \
- -s "X509 - Certificate verification failed"
-# We don't check that the client receives the alert because it might
-# detect that its write end of the connection is closed and abort
-# before reading the alert message.
-
-run_test "Authentication: client cert not trusted, server required" \
- "$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -s "! The certificate is not correctly signed by the trusted CA" \
- -s "! mbedtls_ssl_handshake returned" \
- -c "! mbedtls_ssl_handshake returned" \
- -s "X509 - Certificate verification failed"
-
-run_test "Authentication: client badcert, server optional" \
- "$P_SRV debug_level=3 auth_mode=optional" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -s "! The certificate is not correctly signed by the trusted CA" \
- -S "! mbedtls_ssl_handshake returned" \
- -C "! mbedtls_ssl_handshake returned" \
- -S "X509 - Certificate verification failed"
-
-run_test "Authentication: client badcert, server none" \
- "$P_SRV debug_level=3 auth_mode=none" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
- key_file=data_files/server5.key" \
- 0 \
- -s "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got no certificate request" \
- -c "skip write certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify" \
- -S "x509_verify_cert() returned" \
- -S "! The certificate is not correctly signed by the trusted CA" \
- -S "! mbedtls_ssl_handshake returned" \
- -C "!
mbedtls_ssl_handshake returned" \
- -S "X509 - Certificate verification failed"
-
-run_test "Authentication: client no cert, server optional" \
- "$P_SRV debug_level=3 auth_mode=optional" \
- "$P_CLI debug_level=3 crt_file=none key_file=none" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate$" \
- -C "got no certificate to send" \
- -S "SSLv3 client has no certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify" \
- -s "! Certificate was missing" \
- -S "! mbedtls_ssl_handshake returned" \
- -C "! mbedtls_ssl_handshake returned" \
- -S "X509 - Certificate verification failed"
-
-run_test "Authentication: openssl client no cert, server optional" \
- "$P_SRV debug_level=3 auth_mode=optional" \
- "$O_CLI" \
- 0 \
- -S "skip write certificate request" \
- -s "skip parse certificate verify" \
- -s "! Certificate was missing" \
- -S "! mbedtls_ssl_handshake returned" \
- -S "X509 - Certificate verification failed"
-
-run_test "Authentication: client no cert, openssl server optional" \
- "$O_SRV -verify 10" \
- "$P_CLI debug_level=3 crt_file=none key_file=none" \
- 0 \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate$" \
- -c "skip write certificate verify" \
- -C "! mbedtls_ssl_handshake returned"
-
-run_test "Authentication: client no cert, openssl server required" \
- "$O_SRV -Verify 10" \
- "$P_CLI debug_level=3 crt_file=none key_file=none" \
- 1 \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate$" \
- -c "skip write certificate verify" \
- -c "!
mbedtls_ssl_handshake returned"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Authentication: client no cert, ssl3" \
- "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
- "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate$" \
- -c "skip write certificate verify" \
- -c "got no certificate to send" \
- -s "SSLv3 client has no certificate" \
- -s "skip parse certificate verify" \
- -s "! Certificate was missing" \
- -S "! mbedtls_ssl_handshake returned" \
- -C "! mbedtls_ssl_handshake returned" \
- -S "X509 - Certificate verification failed"
-
-# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
-# default value (8)
-
-MAX_IM_CA='8'
-MAX_IM_CA_CONFIG=$( ../scripts/config.pl get MBEDTLS_X509_MAX_INTERMEDIATE_CA)
-
-if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then
- printf "The ${CONFIG_H} file contains a value for the configuration of\n"
- printf "MBEDTLS_X509_MAX_INTERMEDIATE_CA that is different from the script’s\n"
- printf "test value of ${MAX_IM_CA}.
\n"
- printf "\n"
- printf "The tests assume this value and if it changes, the tests in this\n"
- printf "script should also be adjusted.\n"
- printf "\n"
-
- exit 1
-fi
-
-requires_full_size_output_buffer
-run_test "Authentication: server max_int chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
- "$P_CLI server_name=CA09 ca_file=data_files/dir-maxpath/00.crt" \
- 0 \
- -C "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: server max_int+1 chain, client default" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt" \
- 1 \
- -c "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: server max_int+1 chain, client optional" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
- auth_mode=optional" \
- 1 \
- -c "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: server max_int+1 chain, client none" \
- "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- "$P_CLI server_name=CA10 ca_file=data_files/dir-maxpath/00.crt \
- auth_mode=none" \
- 0 \
- -C "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: client max_int+1 chain, server default" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- 0 \
- -S "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: client max_int+1 chain, server optional" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
-
key_file=data_files/dir-maxpath/10.key" \
- 1 \
- -s "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: client max_int+1 chain, server required" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c10.pem \
- key_file=data_files/dir-maxpath/10.key" \
- 1 \
- -s "X509 - A fatal error occurred"
-
-requires_full_size_output_buffer
-run_test "Authentication: client max_int chain, server required" \
- "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \
- "$P_CLI crt_file=data_files/dir-maxpath/c09.pem \
- key_file=data_files/dir-maxpath/09.key" \
- 0 \
- -S "X509 - A fatal error occurred"
-
-# Tests for CA list in CertificateRequest messages
-
-run_test "Authentication: send CA list in CertificateRequest (default)" \
- "$P_SRV debug_level=3 auth_mode=required" \
- "$P_CLI crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
- 0 \
- -s "requested DN"
-
-run_test "Authentication: do not send CA list in CertificateRequest" \
- "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
- "$P_CLI crt_file=data_files/server6.crt \
- key_file=data_files/server6.key" \
- 0 \
- -S "requested DN"
-
-run_test "Authentication: send CA list in CertificateRequest, client self signed" \
- "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
- "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
- key_file=data_files/server5.key" \
- 1 \
- -S "requested DN" \
- -s "x509_verify_cert() returned" \
- -s "! The certificate is not correctly signed by the trusted CA" \
- -s "! mbedtls_ssl_handshake returned" \
- -c "!
mbedtls_ssl_handshake returned" \
- -s "X509 - Certificate verification failed"
-
-# Tests for certificate selection based on SHA verson
-
-run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
- "$P_SRV crt_file=data_files/server5.crt \
- key_file=data_files/server5.key \
- crt_file2=data_files/server5-sha1.crt \
- key_file2=data_files/server5.key" \
- "$P_CLI force_version=tls1_2" \
- 0 \
- -c "signed using.*ECDSA with SHA256" \
- -C "signed using.*ECDSA with SHA1"
-
-run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
- "$P_SRV crt_file=data_files/server5.crt \
- key_file=data_files/server5.key \
- crt_file2=data_files/server5-sha1.crt \
- key_file2=data_files/server5.key" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -C "signed using.*ECDSA with SHA256" \
- -c "signed using.*ECDSA with SHA1"
-
-run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
- "$P_SRV crt_file=data_files/server5.crt \
- key_file=data_files/server5.key \
- crt_file2=data_files/server5-sha1.crt \
- key_file2=data_files/server5.key" \
- "$P_CLI force_version=tls1" \
- 0 \
- -C "signed using.*ECDSA with SHA256" \
- -c "signed using.*ECDSA with SHA1"
-
-run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
- "$P_SRV crt_file=data_files/server5.crt \
- key_file=data_files/server5.key \
- crt_file2=data_files/server6.crt \
- key_file2=data_files/server6.key" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -c "serial number.*09" \
- -c "signed using.*ECDSA with SHA256" \
- -C "signed using.*ECDSA with SHA1"
-
-run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
- "$P_SRV crt_file=data_files/server6.crt \
- key_file=data_files/server6.key \
- crt_file2=data_files/server5.crt \
- key_file2=data_files/server5.key" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -c "serial number.*0A" \
- -c "signed using.*ECDSA with SHA256" \
- -C "signed using.*ECDSA with SHA1"
-
-# tests for SNI
-
-run_test "SNI: no SNI callback" \
- "$P_SRV debug_level=3 \
-
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$P_CLI server_name=localhost" \
- 0 \
- -S "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
-
-run_test "SNI: matching cert 1" \
- "$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=localhost" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
-
-run_test "SNI: matching cert 2" \
- "$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=polarssl.example" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
-
-run_test "SNI: no matching cert" \
- "$P_SRV debug_level=3 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=nonesuch.example" \
- 1 \
- -s "parse ServerName extension" \
- -s "ssl_sni_wrapper() returned" \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -c "SSL - A fatal alert message was received from our peer"
-
-run_test "SNI: client auth no override: optional" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-"
\
- "$P_CLI debug_level=3 server_name=localhost" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify"
-
-run_test "SNI: client auth override: none -> optional" \
- "$P_SRV debug_level=3 auth_mode=none \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
- "$P_CLI debug_level=3 server_name=localhost" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify"
-
-run_test "SNI: client auth override: optional -> none" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
- "$P_CLI debug_level=3 server_name=localhost" \
- 0 \
- -s "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got no certificate request" \
- -c "skip write certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify"
-
-run_test "SNI: CA no override" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
- "$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -s "!
The certificate is not correctly signed by the trusted CA" \
- -S "The certificate has been revoked (is on a CRL)"
-
-run_test "SNI: CA override" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
- "$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -S "x509_verify_cert() returned" \
- -S "! The certificate is not correctly signed by the trusted CA" \
- -S "The certificate has been revoked (is on a CRL)"
-
-run_test "SNI: CA override with CRL" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
- "$P_CLI debug_level=3 server_name=localhost \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -S "!
The certificate is not correctly signed by the trusted CA" \
- -s "The certificate has been revoked (is on a CRL)"
-
-# Tests for SNI and DTLS
-
-run_test "SNI: DTLS, no SNI callback" \
- "$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$P_CLI server_name=localhost dtls=1" \
- 0 \
- -S "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
-
-run_test "SNI: DTLS, matching cert 1" \
- "$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=localhost dtls=1" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
-
-run_test "SNI: DTLS, matching cert 2" \
- "$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=polarssl.example dtls=1" \
- 0 \
- -s "parse ServerName extension" \
- -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
- -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
-
-run_test "SNI: DTLS, no matching cert" \
- "$P_SRV debug_level=3 dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \
- "$P_CLI server_name=nonesuch.example dtls=1" \
- 1 \
- -s "parse ServerName extension" \
- -s "ssl_sni_wrapper() returned" \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -c "SSL
- A fatal alert message was received from our peer"
-
-run_test "SNI: DTLS, client auth no override: optional" \
- "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-" \
- "$P_CLI debug_level=3 server_name=localhost dtls=1" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify"
-
-run_test "SNI: DTLS, client auth override: none -> optional" \
- "$P_SRV debug_level=3 auth_mode=none dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,optional" \
- "$P_CLI debug_level=3 server_name=localhost dtls=1" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify"
-
-run_test "SNI: DTLS, client auth override: optional -> none" \
- "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,none" \
- "$P_CLI debug_level=3 server_name=localhost dtls=1" \
- 0 \
- -s "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got no certificate request" \
- -c "skip write certificate" \
- -c "skip write certificate verify" \
- -s "skip parse certificate verify"
-
-run_test "SNI: DTLS, CA no override" \
- "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,required" \
- "$P_CLI debug_level=3
server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -s "! The certificate is not correctly signed by the trusted CA" \
- -S "The certificate has been revoked (is on a CRL)"
-
-run_test "SNI: DTLS, CA override" \
- "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
- crt_file=data_files/server5.crt key_file=data_files/server5.key \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,-,required" \
- "$P_CLI debug_level=3 server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 0 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -S "x509_verify_cert() returned" \
- -S "!
The certificate is not correctly signed by the trusted CA" \
- -S "The certificate has been revoked (is on a CRL)"
-
-run_test "SNI: DTLS, CA override with CRL" \
- "$P_SRV debug_level=3 auth_mode=optional \
- crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
- ca_file=data_files/test-ca.crt \
- sni=localhost,data_files/server2.crt,data_files/server2.key,data_files/test-ca2.crt,data_files/crl-ec-sha256.pem,required" \
- "$P_CLI debug_level=3 server_name=localhost dtls=1 \
- crt_file=data_files/server6.crt key_file=data_files/server6.key" \
- 1 \
- -S "skip write certificate request" \
- -C "skip parse certificate request" \
- -c "got a certificate request" \
- -C "skip write certificate" \
- -C "skip write certificate verify" \
- -S "skip parse certificate verify" \
- -s "x509_verify_cert() returned" \
- -S "! The certificate is not correctly signed by the trusted CA" \
- -s "The certificate has been revoked (is on a CRL)"
-
-# Tests for non-blocking I/O: exercise a variety of handshake flows
-
-run_test "Non-blocking I/O: basic handshake" \
- "$P_SRV nbio=2 tickets=0 auth_mode=none" \
- "$P_CLI nbio=2 tickets=0" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: client auth" \
- "$P_SRV nbio=2 tickets=0 auth_mode=required" \
- "$P_CLI nbio=2 tickets=0" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: ticket" \
- "$P_SRV nbio=2 tickets=1 auth_mode=none" \
- "$P_CLI nbio=2 tickets=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: ticket + client auth" \
- "$P_SRV nbio=2 tickets=1 auth_mode=required" \
- "$P_CLI nbio=2 tickets=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c
"Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: ticket + client auth + resume" \
- "$P_SRV nbio=2 tickets=1 auth_mode=required" \
- "$P_CLI nbio=2 tickets=1 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: ticket + resume" \
- "$P_SRV nbio=2 tickets=1 auth_mode=none" \
- "$P_CLI nbio=2 tickets=1 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Non-blocking I/O: session-id resume" \
- "$P_SRV nbio=2 tickets=0 auth_mode=none" \
- "$P_CLI nbio=2 tickets=0 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-# Tests for event-driven I/O: exercise a variety of handshake flows
-
-run_test "Event-driven I/O: basic handshake" \
- "$P_SRV event=1 tickets=0 auth_mode=none" \
- "$P_CLI event=1 tickets=0" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: client auth" \
- "$P_SRV event=1 tickets=0 auth_mode=required" \
- "$P_CLI event=1 tickets=0" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: ticket" \
- "$P_SRV event=1 tickets=1 auth_mode=none" \
- "$P_CLI event=1 tickets=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: ticket + client auth" \
- "$P_SRV event=1 tickets=1 auth_mode=required" \
- "$P_CLI event=1 tickets=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: ticket + client auth + resume" \
- "$P_SRV
event=1 tickets=1 auth_mode=required" \
- "$P_CLI event=1 tickets=1 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: ticket + resume" \
- "$P_SRV event=1 tickets=1 auth_mode=none" \
- "$P_CLI event=1 tickets=1 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O: session-id resume" \
- "$P_SRV event=1 tickets=0 auth_mode=none" \
- "$P_CLI event=1 tickets=0 reconnect=1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: basic handshake" \
- "$P_SRV dtls=1 event=1 tickets=0 auth_mode=none" \
- "$P_CLI dtls=1 event=1 tickets=0" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: client auth" \
- "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
- "$P_CLI dtls=1 event=1 tickets=0" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: ticket" \
- "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
- "$P_CLI dtls=1 event=1 tickets=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: ticket + client auth" \
- "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
- "$P_CLI dtls=1 event=1 tickets=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: ticket + client auth + resume" \
- "$P_SRV dtls=1 event=1 tickets=1 auth_mode=required" \
- "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: ticket + resume" \
- "$P_SRV dtls=1 event=1 tickets=1 auth_mode=none" \
- "$P_CLI dtls=1 event=1 tickets=1 reconnect=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-run_test "Event-driven I/O, DTLS: session-id resume" \
- "$P_SRV
dtls=1 event=1 tickets=0 auth_mode=none" \
- "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-# This test demonstrates the need for the mbedtls_ssl_check_pending function.
-# During session resumption, the client will send its ApplicationData record
-# within the same datagram as the Finished messages. In this situation, the
-# server MUST NOT idle on the underlying transport after handshake completion,
-# because the ApplicationData request has already been queued internally.
-run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
- -p "$P_PXY pack=50" \
- "$P_SRV dtls=1 event=1 tickets=0 auth_mode=required" \
- "$P_CLI dtls=1 event=1 tickets=0 reconnect=1" \
- 0 \
- -c "Read from server: .* bytes read"
-
-# Tests for version negotiation
-
-run_test "Version check: all -> 1.2" \
- "$P_SRV" \
- "$P_CLI" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.2" \
- -c "Protocol is TLSv1.2"
-
-run_test "Version check: cli max 1.1 -> 1.1" \
- "$P_SRV" \
- "$P_CLI max_version=tls1_1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.1" \
- -c "Protocol is TLSv1.1"
-
-run_test "Version check: srv max 1.1 -> 1.1" \
- "$P_SRV max_version=tls1_1" \
- "$P_CLI" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.1" \
- -c "Protocol is TLSv1.1"
-
-run_test "Version check: cli+srv max 1.1 -> 1.1" \
- "$P_SRV max_version=tls1_1" \
- "$P_CLI max_version=tls1_1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.1" \
- -c "Protocol is TLSv1.1"
-
-run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
- "$P_SRV min_version=tls1_1" \
- "$P_CLI max_version=tls1_1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.1" \
- -c
"Protocol is TLSv1.1"
-
-run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
- "$P_SRV max_version=tls1_1" \
- "$P_CLI min_version=tls1_1" \
- 0 \
- -S "mbedtls_ssl_handshake returned" \
- -C "mbedtls_ssl_handshake returned" \
- -s "Protocol is TLSv1.1" \
- -c "Protocol is TLSv1.1"
-
-run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \
- "$P_SRV max_version=tls1_1" \
- "$P_CLI min_version=tls1_2" \
- 1 \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -c "SSL - Handshake protocol not within min/max boundaries"
-
-run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \
- "$P_SRV min_version=tls1_2" \
- "$P_CLI max_version=tls1_1" \
- 1 \
- -s "mbedtls_ssl_handshake returned" \
- -c "mbedtls_ssl_handshake returned" \
- -s "SSL - Handshake protocol not within min/max boundaries"
-
-# Tests for ALPN extension
-
-run_test "ALPN: none" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3" \
- 0 \
- -C "client hello, adding alpn extension" \
- -S "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
- -C "found alpn extension " \
- -C "Application Layer Protocol is" \
- -S "Application Layer Protocol is"
-
-run_test "ALPN: client only" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 alpn=abc,1234" \
- 0 \
- -c "client hello, adding alpn extension" \
- -s "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
- -C "found alpn extension " \
- -c "Application Layer Protocol is (none)" \
- -S "Application Layer Protocol is"
-
-run_test "ALPN: server only" \
- "$P_SRV debug_level=3 alpn=abc,1234" \
- "$P_CLI debug_level=3" \
- 0 \
- -C "client hello, adding alpn extension" \
- -S "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
- -C "found alpn extension " \
- -C "Application Layer Protocol is" \
- -s "Application Layer
Protocol is (none)"
-
-run_test "ALPN: both, common cli1-srv1" \
- "$P_SRV debug_level=3 alpn=abc,1234" \
- "$P_CLI debug_level=3 alpn=abc,1234" \
- 0 \
- -c "client hello, adding alpn extension" \
- -s "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
- -c "found alpn extension" \
- -c "Application Layer Protocol is abc" \
- -s "Application Layer Protocol is abc"
-
-run_test "ALPN: both, common cli2-srv1" \
- "$P_SRV debug_level=3 alpn=abc,1234" \
- "$P_CLI debug_level=3 alpn=1234,abc" \
- 0 \
- -c "client hello, adding alpn extension" \
- -s "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
- -c "found alpn extension" \
- -c "Application Layer Protocol is abc" \
- -s "Application Layer Protocol is abc"
-
-run_test "ALPN: both, common cli1-srv2" \
- "$P_SRV debug_level=3 alpn=abc,1234" \
- "$P_CLI debug_level=3 alpn=1234,abcde" \
- 0 \
- -c "client hello, adding alpn extension" \
- -s "found alpn extension" \
- -C "got an alert message, type: \\[2:120]" \
- -s "server hello, adding alpn extension" \
- -c "found alpn extension" \
- -c "Application Layer Protocol is 1234" \
- -s "Application Layer Protocol is 1234"
-
-run_test "ALPN: both, no common" \
- "$P_SRV debug_level=3 alpn=abc,123" \
- "$P_CLI debug_level=3 alpn=1234,abcde" \
- 1 \
- -c "client hello, adding alpn extension" \
- -s "found alpn extension" \
- -c "got an alert message, type: \\[2:120]" \
- -S "server hello, adding alpn extension" \
- -C "found alpn extension" \
- -C "Application Layer Protocol is 1234" \
- -S "Application Layer Protocol is 1234"
-
-
-# Tests for keyUsage in leaf certificates, part 1:
-# server-side certificate/suite selection
-
-run_test "keyUsage srv: RSA, digitalSignature -> (EC)DHE-RSA" \
- "$P_SRV key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ds.crt" \
- "$P_CLI" \
- 0 \
- -c "Ciphersuite is TLS-[EC]*DHE-RSA-WITH-"
-
-
-run_test "keyUsage srv: RSA, keyEncipherment -> RSA" \
- "$P_SRV key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ke.crt" \
- "$P_CLI" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-"
-
-run_test "keyUsage srv: RSA, keyAgreement -> fail" \
- "$P_SRV key_file=data_files/server2.key \
- crt_file=data_files/server2.ku-ka.crt" \
- "$P_CLI" \
- 1 \
- -C "Ciphersuite is "
-
-run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ds.crt" \
- "$P_CLI" \
- 0 \
- -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
-
-
-run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ka.crt" \
- "$P_CLI" \
- 0 \
- -c "Ciphersuite is TLS-ECDH-"
-
-run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.ku-ke.crt" \
- "$P_CLI" \
- 1 \
- -C "Ciphersuite is "
-
-# Tests for keyUsage in leaf certificates, part 2:
-# client-side checking of server cert
-
-run_test "keyUsage cli: DigitalSignature+KeyEncipherment, RSA: OK" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ds_ke.crt" \
- "$P_CLI debug_level=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: DigitalSignature+KeyEncipherment, DHE-RSA: OK" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ds_ke.crt" \
- "$P_CLI debug_level=1 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: KeyEncipherment, RSA: OK" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
- "$P_CLI debug_level=1
\
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
- "$P_CLI debug_level=1 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 1 \
- -c "bad certificate (usage extensions)" \
- -c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
- "$P_CLI debug_level=1 auth_mode=optional \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -c "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-" \
- -c "! Usage does not match the keyUsage extension"
-
-run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
- "$P_CLI debug_level=1 \
- force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: DigitalSignature, RSA: fail" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
- "$P_CLI debug_level=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 1 \
- -c "bad certificate (usage extensions)" \
- -c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
-
-run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
- "$O_SRV -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
- "$P_CLI debug_level=1 auth_mode=optional \
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -c "bad certificate (usage
extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-" \
- -c "! Usage does not match the keyUsage extension"
-
-# Tests for keyUsage in leaf certificates, part 3:
-# server-side checking of client cert
-
-run_test "keyUsage cli-auth: RSA, DigitalSignature: OK" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ds.crt" \
- 0 \
- -S "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (soft)" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
- 0 \
- -s "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \
- "$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server2.key \
- -cert data_files/server2.ku-ke.crt" \
- 1 \
- -s "bad certificate (usage extensions)" \
- -s "Processing of the Certificate handshake message failed"
-
-run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.ku-ds.crt" \
- 0 \
- -S "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.ku-ka.crt" \
- 0 \
- -s "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-# Tests for extendedKeyUsage, part 1: server-side certificate/suite selection
-
-run_test "extKeyUsage srv: serverAuth -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-srv.crt" \
-
"$P_CLI" \
- 0
-
-run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-srv.crt" \
- "$P_CLI" \
- 0
-
-run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-cs_any.crt" \
- "$P_CLI" \
- 0
-
-run_test "extKeyUsage srv: codeSign -> fail" \
- "$P_SRV key_file=data_files/server5.key \
- crt_file=data_files/server5.eku-cli.crt" \
- "$P_CLI" \
- 1
-
-# Tests for extendedKeyUsage, part 2: client-side checking of server cert
-
-run_test "extKeyUsage cli: serverAuth -> OK" \
- "$O_SRV -key data_files/server5.key \
- -cert data_files/server5.eku-srv.crt" \
- "$P_CLI debug_level=1" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \
- "$O_SRV -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
- "$P_CLI debug_level=1" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \
- "$O_SRV -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
- "$P_CLI debug_level=1" \
- 0 \
- -C "bad certificate (usage extensions)" \
- -C "Processing of the Certificate handshake message failed" \
- -c "Ciphersuite is TLS-"
-
-run_test "extKeyUsage cli: codeSign -> fail" \
- "$O_SRV -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
- "$P_CLI debug_level=1" \
- 1 \
- -c "bad certificate (usage extensions)" \
- -c "Processing of the Certificate handshake message failed" \
- -C "Ciphersuite is TLS-"
-
-# Tests for extendedKeyUsage, part 3: server-side checking of client cert
-
-run_test "extKeyUsage cli-auth: clientAuth -> OK" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key
data_files/server5.key \
- -cert data_files/server5.eku-cli.crt" \
- 0 \
- -S "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-srv_cli.crt" \
- 0 \
- -S "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs_any.crt" \
- 0 \
- -S "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \
- "$P_SRV debug_level=1 auth_mode=optional" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
- 0 \
- -s "bad certificate (usage extensions)" \
- -S "Processing of the Certificate handshake message failed"
-
-run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \
- "$P_SRV debug_level=1 auth_mode=required" \
- "$O_CLI -key data_files/server5.key \
- -cert data_files/server5.eku-cs.crt" \
- 1 \
- -s "bad certificate (usage extensions)" \
- -s "Processing of the Certificate handshake message failed"
-
-# Tests for DHM parameters loading
-
-run_test "DHM parameters: reference" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=3" \
- 0 \
- -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2 bits)"
-
-run_test "DHM parameters: other parameters" \
- "$P_SRV dhm_file=data_files/dhparams.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=3" \
- 0 \
- -c "value of 'DHM: P ' (1024 bits)" \
- -c "value of 'DHM: G ' (2 bits)"
-
-# Tests for DHM client-side size checking
-
-run_test "DHM size: server default, client
default, OK" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server default, client 2048, OK" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=2048" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 1024, client default, OK" \
- "$P_SRV dhm_file=data_files/dhparams.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 0 \
- -C "DHM prime too short:"
-
-run_test "DHM size: server 1000, client default, rejected" \
- "$P_SRV dhm_file=data_files/dh.1000.pem" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1" \
- 1 \
- -c "DHM prime too short:"
-
-run_test "DHM size: server default, client 2049, rejected" \
- "$P_SRV" \
- "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
- debug_level=1 dhmlen=2049" \
- 1 \
- -c "DHM prime too short:"
-
-# Tests for PSK callback
-
-run_test "PSK callback: psk, no callback" \
- "$P_SRV psk=abc123 psk_identity=foo" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
- 0 \
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: opaque psk on client, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
- "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
- 0 \
- -c "skip PMS generation for opaque PSK"\
- -S "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC
failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: opaque psk on client, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo" \
- "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
- 0 \
- -c "skip PMS generation for opaque PSK"\
- -S "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: opaque psk on client, no callback, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
- "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 psk_opaque=1" \
- 0 \
- -c "skip PMS generation for opaque PSK"\
- -S "skip PMS generation for opaque PSK"\
- -c "using extended master secret"\
- -s "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: opaque psk on client, no callback, SHA-384, EMS" \
- "$P_SRV extended_ms=1 debug_level=3 psk=abc123 psk_identity=foo" \
- "$P_CLI extended_ms=1 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 psk_opaque=1" \
- 0 \
- -c "skip PMS generation for opaque PSK"\
- -S "skip PMS generation for opaque PSK"\
- -c "using extended master secret"\
- -s "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, static opaque on server, no callback" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
- "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, static opaque on server, no callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=1 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
- "$P_CLI extended_ms=0 debug_level=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
- "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123 extended_ms=1" \
- 0 \
- -c "using extended master secret"\
- -s "using extended master secret"\
-
-C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, static opaque on server, no callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk=abc123 psk_identity=foo psk_opaque=1 min_version=tls1_2 \
- force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
- "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=foo psk=abc123 extended_ms=1" \
- 0 \
- -c "using extended master secret"\
- -s "using extended master secret"\
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
- "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=def psk=beef" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, SHA-384" \
- "$P_SRV extended_ms=0 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1
min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384" \
- "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=def psk=beef" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS" \
- "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA extended_ms=1" \
- "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=abc psk=dead extended_ms=1" \
- 0 \
- -c "using extended master secret"\
- -s "using extended master secret"\
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, no static PSK on server, opaque PSK from callback, EMS, SHA384" \
- "$P_SRV debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 \
- force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 extended_ms=1" \
- "$P_CLI debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-256-CBC-SHA384 \
- psk_identity=abc psk=dead extended_ms=1" \
- 0 \
- -c "using extended master secret"\
- -s "using extended master secret"\
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity
received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, mismatching static raw PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
- "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=def psk=beef" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, opaque PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef psk_list_opaque=1 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \
- "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=def psk=beef" \
- 0 \
- -C "skip PMS generation for opaque PSK"\
- -s "skip PMS generation for opaque PSK"\
- -C "using extended master secret"\
- -S "using extended master secret"\
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
-run_test "PSK callback: raw psk on client, mismatching static opaque PSK on server, raw PSK from callback" \
- "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=foo psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA"
\ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=def psk=beef" \ - 0 \ - -C "skip PMS generation for opaque PSK"\ - -C "using extended master secret"\ - -S "using extended master secret"\ - -S "SSL - None of the common ciphersuites is usable" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -run_test "PSK callback: raw psk on client, id-matching but wrong raw PSK on server, opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=abc123 debug_level=3 psk_list=abc,dead,def,beef min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=def psk=beef" \ - 0 \ - -C "skip PMS generation for opaque PSK"\ - -C "using extended master secret"\ - -S "using extended master secret"\ - -S "SSL - None of the common ciphersuites is usable" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" - -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -run_test "PSK callback: raw psk on client, matching opaque PSK on server, wrong opaque PSK from callback" \ - "$P_SRV extended_ms=0 psk_opaque=1 psk_identity=def psk=beef debug_level=3 psk_list=abc,dead,def,abc123 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA" \ - "$P_CLI extended_ms=0 debug_level=3 min_version=tls1_2 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=def psk=beef" \ - 1 \ - -s "SSL - Verification of the message MAC failed" - -run_test "PSK callback: no psk, no callback" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \ - psk_identity=foo psk=abc123" \ - 1 \ - -s "SSL - None of the common ciphersuites is usable" \ - -S "SSL - Unknown identity received" \ - -S "SSL - Verification of the message MAC failed" 
-
-run_test "PSK callback: callback overrides other settings" \
- "$P_SRV psk=abc123 psk_identity=foo psk_list=abc,dead,def,beef" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=foo psk=abc123" \
- 1 \
- -S "SSL - None of the common ciphersuites is usable" \
- -s "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-run_test "PSK callback: first id matches" \
- "$P_SRV psk_list=abc,dead,def,beef" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=abc psk=dead" \
- 0 \
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-run_test "PSK callback: second id matches" \
- "$P_SRV psk_list=abc,dead,def,beef" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=def psk=beef" \
- 0 \
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-run_test "PSK callback: no match" \
- "$P_SRV psk_list=abc,dead,def,beef" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=ghi psk=beef" \
- 1 \
- -S "SSL - None of the common ciphersuites is usable" \
- -s "SSL - Unknown identity received" \
- -S "SSL - Verification of the message MAC failed"
-
-run_test "PSK callback: wrong key" \
- "$P_SRV psk_list=abc,dead,def,beef" \
- "$P_CLI force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA \
- psk_identity=abc psk=beef" \
- 1 \
- -S "SSL - None of the common ciphersuites is usable" \
- -S "SSL - Unknown identity received" \
- -s "SSL - Verification of the message MAC failed"
-
-# Tests for EC J-PAKE
-
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: client not configured" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3" \
- 0 \
- -C "add ciphersuite: c0ff" \
- -C "adding ecjpake_kkpp extension" \
- -S "found ecjpake kkpp extension" \
- -S "skip ecjpake kkpp extension" \
- -S "ciphersuite mismatch: ecjpake not configured" \
- -S "server hello, ecjpake kkpp extension" \
- -C "found ecjpake_kkpp extension" \
- -S "None of the common ciphersuites is usable"
-
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: server not configured" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 ecjpake_pw=bla \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 1 \
- -c "add ciphersuite: c0ff" \
- -c "adding ecjpake_kkpp extension" \
- -s "found ecjpake kkpp extension" \
- -s "skip ecjpake kkpp extension" \
- -s "ciphersuite mismatch: ecjpake not configured" \
- -S "server hello, ecjpake kkpp extension" \
- -C "found ecjpake_kkpp extension" \
- -s "None of the common ciphersuites is usable"
-
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: working, TLS" \
- "$P_SRV debug_level=3 ecjpake_pw=bla" \
- "$P_CLI debug_level=3 ecjpake_pw=bla \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 0 \
- -c "add ciphersuite: c0ff" \
- -c "adding ecjpake_kkpp extension" \
- -C "re-using cached ecjpake parameters" \
- -s "found ecjpake kkpp extension" \
- -S "skip ecjpake kkpp extension" \
- -S "ciphersuite mismatch: ecjpake not configured" \
- -s "server hello, ecjpake kkpp extension" \
- -c "found ecjpake_kkpp extension" \
- -S "None of the common ciphersuites is usable" \
- -S "SSL - Verification of the message MAC failed"
-
-server_needs_more_time 1
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: password mismatch, TLS" \
- "$P_SRV debug_level=3 ecjpake_pw=bla" \
- "$P_CLI debug_level=3 ecjpake_pw=bad \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 1 \
- -C "re-using cached ecjpake parameters" \
- -s "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: working, DTLS" \
- "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
- "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 0 \
- -c "re-using cached ecjpake parameters" \
- -S "SSL - Verification of the message MAC failed"
-
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: working, DTLS, no cookie" \
- "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla cookies=0" \
- "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bla \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 0 \
- -C "re-using cached ecjpake parameters" \
- -S "SSL - Verification of the message MAC failed"
-
-server_needs_more_time 1
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: password mismatch, DTLS" \
- "$P_SRV debug_level=3 dtls=1 ecjpake_pw=bla" \
- "$P_CLI debug_level=3 dtls=1 ecjpake_pw=bad \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 1 \
- -c "re-using cached ecjpake parameters" \
- -s "SSL - Verification of the message MAC failed"
-
-# for tests with configs/config-thread.h
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE
-run_test "ECJPAKE: working, DTLS, nolog" \
- "$P_SRV dtls=1 ecjpake_pw=bla" \
- "$P_CLI dtls=1 ecjpake_pw=bla \
- force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
- 0
-
-# Tests for ciphersuites per version
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: SSL3" \
- "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=ssl3" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: TLS 1.0" \
- "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=tls1 arc4=1" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: TLS 1.1" \
- "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: TLS 1.2" \
- "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=tls1_2" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
-
-# Test for ClientHello without extensions
-
-requires_gnutls
-run_test "ClientHello without extensions, SHA-1 allowed" \
- "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \
- "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
- 0 \
- -s "dumping 'client hello extensions' (0 bytes)"
-
-requires_gnutls
-run_test "ClientHello without extensions, SHA-1 forbidden in certificates on server" \
- "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt allow_sha1=0" \
- "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \
- 0 \
- -s "dumping 'client hello extensions' (0 bytes)"
-
-# Tests for mbedtls_ssl_get_bytes_avail()
-
-run_test "mbedtls_ssl_get_bytes_avail: no extra data" \
- "$P_SRV" \
- "$P_CLI request_size=100" \
- 0 \
- -s "Read from client: 100 bytes read$"
-
-run_test "mbedtls_ssl_get_bytes_avail: extra data" \
- "$P_SRV" \
- "$P_CLI request_size=500" \
- 0 \
- -s "Read from client: 500 bytes read (.*+.*)"
-
-# Tests for small client packets
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Small client packet SSLv3 BlockCipher" \
- "$P_SRV min_version=ssl3" \
- "$P_CLI request_size=1 force_version=ssl3 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Small client packet SSLv3 StreamCipher" \
- "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=ssl3 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.0 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.0 StreamCipher" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
- trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 StreamCipher" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 StreamCipher" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 AEAD" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.2 AEAD shorter tag" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-# Tests for small client packets in DTLS
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.0" \
- "$P_SRV dtls=1 force_version=dtls1" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.0, without EtM" \
- "$P_SRV dtls=1 force_version=dtls1 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.0, truncated hmac" \
- "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
- "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
- "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.2" \
- "$P_SRV dtls=1 force_version=dtls1_2" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.2, without EtM" \
- "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.2, truncated hmac" \
- "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
- "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -s "Read from client: 1 bytes read"
-
-# Tests for small server packets
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Small server packet SSLv3 BlockCipher" \
- "$P_SRV response_size=1 min_version=ssl3" \
- "$P_CLI force_version=ssl3 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Small server packet SSLv3 StreamCipher" \
- "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=ssl3 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.0 BlockCipher" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.0 StreamCipher" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \
- trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 BlockCipher" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 StreamCipher" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 BlockCipher" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 StreamCipher" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 AEAD" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.2 AEAD shorter tag" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_2 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-# Tests for small server packets in DTLS
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.0" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.0, without EtM" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.0, truncated hmac" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
- "$P_CLI dtls=1 trunc_hmac=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.2" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.2, without EtM" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.2, truncated hmac" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -c "Read from server: 1 bytes read"
-
-# A test for extensions in SSLv3
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "SSLv3 with extensions, server side" \
- "$P_SRV min_version=ssl3 debug_level=3" \
- "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
- 0 \
- -S "dumping 'client hello extensions'" \
- -S "server hello, total extension length:"
-
-# Test for large client packets
-
-# How many fragments do we expect to write $1 bytes?
-fragments_for_write() {
- echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
-}
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Large client packet SSLv3 BlockCipher" \
- "$P_SRV min_version=ssl3" \
- "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
-run_test "Large client packet SSLv3 StreamCipher" \
- "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=16384 force_version=ssl3 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.0 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.0 StreamCipher" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=16384 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=16384 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 StreamCipher" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \
- "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.1
StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 BlockCipher" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC 
-run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 StreamCipher" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 AEAD" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - 
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.2 AEAD shorter tag" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -# Test for large server packets -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large server packet SSLv3 StreamCipher" \ - "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=ssl3 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - -# Checking next 4 tests logs for 1n-1 split against BEAST too -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large server packet SSLv3 BlockCipher" \ - "$P_SRV response_size=16384 min_version=ssl3" \ - "$P_CLI force_version=ssl3 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.0 BlockCipher" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ - 
"$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.0 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI force_version=tls1 \ - 
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 BlockCipher" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 trunc_hmac=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled 
MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 BlockCipher" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ - 0 \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 trunc_hmac=1" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s 
"16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 AEAD" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.2 AEAD shorter tag" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ - 0 \ - -c "Read from server: 16384 bytes read" - -# Tests for restartable ECC - -requires_config_enabled 
MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, default" \ - "$P_SRV auth_mode=required" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1" \ - 0 \ - -C "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=0" \ - "$P_SRV auth_mode=required" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=0" \ - 0 \ - -C "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=65535" \ - "$P_SRV auth_mode=required" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=65535" \ - 0 \ - -C "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000" \ - "$P_SRV auth_mode=required" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=1000" \ - 0 \ - -c "x509_verify_cert.*4b00" \ - -c "mbedtls_pk_verify.*4b00" \ - -c "mbedtls_ecdh_make_public.*4b00" \ - -c "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000, badsign" \ - "$P_SRV auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - 
key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=1000" \ - 1 \ - -c "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" \ - -c "! The certificate is not correctly signed by the trusted CA" \ - -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ - "$P_SRV auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=1000 auth_mode=optional" \ - 0 \ - -c "x509_verify_cert.*4b00" \ - -c "mbedtls_pk_verify.*4b00" \ - -c "mbedtls_ecdh_make_public.*4b00" \ - -c "mbedtls_pk_sign.*4b00" \ - -c "! The certificate is not correctly signed by the trusted CA" \ - -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ - "$P_SRV auth_mode=required \ - crt_file=data_files/server5-badsign.crt \ - key_file=data_files/server5.key" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - debug_level=1 ec_max_ops=1000 auth_mode=none" \ - 0 \ - -C "x509_verify_cert.*4b00" \ - -c "mbedtls_pk_verify.*4b00" \ - -c "mbedtls_ecdh_make_public.*4b00" \ - -c "mbedtls_pk_sign.*4b00" \ - -C "! The certificate is not correctly signed by the trusted CA" \ - -C "! 
mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: DTLS, max_ops=1000" \ - "$P_SRV auth_mode=required dtls=1" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - dtls=1 debug_level=1 ec_max_ops=1000" \ - 0 \ - -c "x509_verify_cert.*4b00" \ - -c "mbedtls_pk_verify.*4b00" \ - -c "mbedtls_ecdh_make_public.*4b00" \ - -c "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000 no client auth" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - debug_level=1 ec_max_ops=1000" \ - 0 \ - -c "x509_verify_cert.*4b00" \ - -c "mbedtls_pk_verify.*4b00" \ - -c "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" - -requires_config_enabled MBEDTLS_ECP_RESTARTABLE -run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \ - "$P_SRV psk=abc123" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \ - psk=abc123 debug_level=1 ec_max_ops=1000" \ - 0 \ - -C "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" - -# Tests of asynchronous private key support in SSL - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: sign, delay=0" \ - "$P_SRV \ - async_operations=s async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI" \ - 0 \ - -s "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): sign done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: sign, delay=1" \ - "$P_SRV \ - async_operations=s async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI" \ - 0 \ - -s "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): call 0 more times." 
\ - -s "Async resume (slot [0-9]): sign done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: sign, delay=2" \ - "$P_SRV \ - async_operations=s async_private_delay1=2 async_private_delay2=2" \ - "$P_CLI" \ - 0 \ - -s "Async sign callback: using key slot " \ - -U "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): call 1 more times." \ - -s "Async resume (slot [0-9]): call 0 more times." \ - -s "Async resume (slot [0-9]): sign done, status=0" - -# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1 -# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1. -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "SSL async private: sign, RSA, TLS 1.1" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \ - async_operations=s async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -s "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): sign done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: sign, SNI" \ - "$P_SRV debug_level=3 \ - async_operations=s async_private_delay1=0 async_private_delay2=0 \ - crt_file=data_files/server5.crt key_file=data_files/server5.key \ - sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=polarssl.example" \ - 0 \ - -s "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): sign done, status=0" \ - -s "parse ServerName extension" \ - -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ - -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt, delay=0" \ - "$P_SRV \ - async_operations=d async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI 
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt, delay=1" \ - "$P_SRV \ - async_operations=d async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): call 0 more times." \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt RSA-PSK, delay=0" \ - "$P_SRV psk=abc123 \ - async_operations=d async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI psk=abc123 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt RSA-PSK, delay=1" \ - "$P_SRV psk=abc123 \ - async_operations=d async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI psk=abc123 \ - force_ciphersuite=TLS-RSA-PSK-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async decrypt callback: using key slot " \ - -s "Async resume (slot [0-9]): call 0 more times." \ - -s "Async resume (slot [0-9]): decrypt done, status=0" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: sign callback not present" \ - "$P_SRV \ - async_operations=d async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI; [ \$? -eq 1 ] && - $P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -S "Async sign callback" \ - -s "! 
mbedtls_ssl_handshake returned" \ - -s "The own private key or pre-shared key is not set, but needed" \ - -s "Async resume (slot [0-9]): decrypt done, status=0" \ - -s "Successful connection" - -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: decrypt callback not present" \ - "$P_SRV debug_level=1 \ - async_operations=s async_private_delay1=1 async_private_delay2=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA; - [ \$? -eq 1 ] && $P_CLI" \ - 0 \ - -S "Async decrypt callback" \ - -s "! mbedtls_ssl_handshake returned" \ - -s "got no RSA private key" \ - -s "Async resume (slot [0-9]): sign done, status=0" \ - -s "Successful connection" - -# key1: ECDSA, key2: RSA; use key1 from slot 0 -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: slot 0 used with key1" \ - "$P_SRV \ - async_operations=s async_private_delay1=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async sign callback: using key slot 0," \ - -s "Async resume (slot 0): call 0 more times." \ - -s "Async resume (slot 0): sign done, status=0" - -# key1: ECDSA, key2: RSA; use key2 from slot 0 -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -run_test "SSL async private: slot 0 used with key2" \ - "$P_SRV \ - async_operations=s async_private_delay2=1 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ - key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \ - 0 \ - -s "Async sign callback: using key slot 0," \ - -s "Async resume (slot 0): call 0 more times." 
\
- -s "Async resume (slot 0): sign done, status=0"
-
-# key1: ECDSA, key2: RSA; use key2 from slot 1
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: slot 1 used with key2" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
- "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -s "Async sign callback: using key slot 1," \
- -s "Async resume (slot 1): call 0 more times." \
- -s "Async resume (slot 1): sign done, status=0"
-
-# key1: ECDSA, key2: RSA; use key2 directly
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: fall back to transparent key" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt " \
- "$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -s "Async sign callback: no key matches this certificate."
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: sign, error in start" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- async_private_error=1" \
- "$P_CLI" \
- 1 \
- -s "Async sign callback: injected error" \
- -S "Async resume" \
- -S "Async cancel" \
- -s "! mbedtls_ssl_handshake returned"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: sign, cancel after start" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- async_private_error=2" \
- "$P_CLI" \
- 1 \
- -s "Async sign callback: using key slot " \
- -S "Async resume" \
- -s "Async cancel"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: sign, error in resume" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- async_private_error=3" \
- "$P_CLI" \
- 1 \
- -s "Async sign callback: using key slot " \
- -s "Async resume callback: sign done but injected error" \
- -S "Async cancel" \
- -s "! mbedtls_ssl_handshake returned"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: decrypt, error in start" \
- "$P_SRV \
- async_operations=d async_private_delay1=1 async_private_delay2=1 \
- async_private_error=1" \
- "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 1 \
- -s "Async decrypt callback: injected error" \
- -S "Async resume" \
- -S "Async cancel" \
- -s "! mbedtls_ssl_handshake returned"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: decrypt, cancel after start" \
- "$P_SRV \
- async_operations=d async_private_delay1=1 async_private_delay2=1 \
- async_private_error=2" \
- "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 1 \
- -s "Async decrypt callback: using key slot " \
- -S "Async resume" \
- -s "Async cancel"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: decrypt, error in resume" \
- "$P_SRV \
- async_operations=d async_private_delay1=1 async_private_delay2=1 \
- async_private_error=3" \
- "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 1 \
- -s "Async decrypt callback: using key slot " \
- -s "Async resume callback: decrypt done but injected error" \
- -S "Async cancel" \
- -s "! mbedtls_ssl_handshake returned"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: cancel after start then operate correctly" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- async_private_error=-2" \
- "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
- 0 \
- -s "Async cancel" \
- -s "! mbedtls_ssl_handshake returned" \
- -s "Async resume" \
- -s "Successful connection"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: error in resume then operate correctly" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- async_private_error=-3" \
- "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
- 0 \
- -s "! mbedtls_ssl_handshake returned" \
- -s "Async resume" \
- -s "Successful connection"
-
-# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: cancel after start then fall back to transparent key" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_error=-2 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
- "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
- [ \$? -eq 1 ] &&
- $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -s "Async sign callback: using key slot 0" \
- -S "Async resume" \
- -s "Async cancel" \
- -s "! mbedtls_ssl_handshake returned" \
- -s "Async sign callback: no key matches this certificate." \
- -s "Successful connection"
-
-# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-run_test "SSL async private: sign, error in resume then fall back to transparent key" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_error=-3 \
- key_file=data_files/server5.key crt_file=data_files/server5.crt \
- key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \
- "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
- [ \$? -eq 1 ] &&
- $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -s "Async resume" \
- -s "! mbedtls_ssl_handshake returned" \
- -s "Async sign callback: no key matches this certificate." \
- -s "Successful connection"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "SSL async private: renegotiation: client-initiated; sign" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- exchanges=2 renegotiation=1" \
- "$P_CLI exchanges=2 renegotiation=1 renegotiate=1" \
- 0 \
- -s "Async sign callback: using key slot " \
- -s "Async resume (slot [0-9]): sign done, status=0"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "SSL async private: renegotiation: server-initiated; sign" \
- "$P_SRV \
- async_operations=s async_private_delay1=1 async_private_delay2=1 \
- exchanges=2 renegotiation=1 renegotiate=1" \
- "$P_CLI exchanges=2 renegotiation=1" \
- 0 \
- -s "Async sign callback: using key slot " \
- -s "Async resume (slot [0-9]): sign done, status=0"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "SSL async private: renegotiation: client-initiated; decrypt" \
- "$P_SRV \
- async_operations=d async_private_delay1=1 async_private_delay2=1 \
- exchanges=2 renegotiation=1" \
- "$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -s "Async decrypt callback: using key slot " \
- -s "Async resume (slot [0-9]): decrypt done, status=0"
-
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "SSL async private: renegotiation: server-initiated; decrypt" \
- "$P_SRV \
- async_operations=d async_private_delay1=1 async_private_delay2=1 \
- exchanges=2 renegotiation=1 renegotiate=1" \
- "$P_CLI exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
- 0 \
- -s "Async decrypt callback: using key slot " \
- -s "Async resume (slot [0-9]): decrypt done, status=0"
-
-# Tests for ECC extensions (rfc 4492)
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-run_test "Force a non ECC ciphersuite in the client side" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -C "client hello, adding supported_elliptic_curves extension" \
- -C "client hello, adding supported_point_formats extension" \
- -S "found supported elliptic curves extension" \
- -S "found supported point formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-run_test "Force a non ECC ciphersuite in the server side" \
- "$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
- "$P_CLI debug_level=3" \
- 0 \
- -C "found supported_point_formats extension" \
- -S "server hello, supported_point_formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Force an ECC ciphersuite in the client side" \
- "$P_SRV debug_level=3" \
- "$P_CLI debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
- 0 \
- -c "client hello, adding supported_elliptic_curves extension" \
- -c "client hello, adding supported_point_formats extension" \
- -s "found supported elliptic curves extension" \
- -s "found supported point formats extension"
-
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Force an ECC ciphersuite in the server side" \
- "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
- "$P_CLI debug_level=3" \
- 0 \
- -c "found supported_point_formats extension" \
- -s "server hello, supported_point_formats extension"
-
-# Tests for DTLS HelloVerifyRequest
-
-run_test "DTLS cookie: enabled" \
- "$P_SRV dtls=1 debug_level=2" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
-
-run_test "DTLS cookie: disabled" \
- "$P_SRV dtls=1 debug_level=2 cookies=0" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -S "cookie verification failed" \
- -S "cookie verification passed" \
- -s "cookie verification skipped" \
- -C "received hello verify request" \
- -S "hello verification requested" \
- -S "SSL - The requested feature is not available"
-
-run_test "DTLS cookie: default (failing)" \
- "$P_SRV dtls=1 debug_level=2 cookies=-1" \
- "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
- 1 \
- -s "cookie verification failed" \
- -S "cookie verification passed" \
- -S "cookie verification skipped" \
- -C "received hello verify request" \
- -S "hello verification requested" \
- -s "SSL - The requested feature is not available"
-
-requires_ipv6
-run_test "DTLS cookie: enabled, IPv6" \
- "$P_SRV dtls=1 debug_level=2 server_addr=::1" \
- "$P_CLI dtls=1 debug_level=2 server_addr=::1" \
- 0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
-
-run_test "DTLS cookie: enabled, nbio" \
- "$P_SRV dtls=1 nbio=2 debug_level=2" \
- "$P_CLI dtls=1 nbio=2 debug_level=2" \
- 0 \
- -s "cookie verification failed" \
- -s "cookie verification passed" \
- -S "cookie verification skipped" \
- -c "received hello verify request" \
- -s "hello verification requested" \
- -S "SSL - The requested feature is not available"
-
-# Tests for client reconnecting from the same port with DTLS
-
-not_with_valgrind # spurious resend
-run_test "DTLS client reconnect from same port: reference" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \
- 0 \
- -C "resend" \
- -S "The operation timed out" \
- -S "Client initiated reconnection from same port"
-
-not_with_valgrind # spurious resend
-run_test "DTLS client reconnect from same port: reconnect" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
- 0 \
- -C "resend" \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
-run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
- 0 \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
-run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
- 0 \
- -S "The operation timed out" \
- -s "Client initiated reconnection from same port"
-
-run_test "DTLS client reconnect from same port: no cookies" \
- "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
- "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \
- 0 \
- -s "The operation timed out" \
- -S "Client initiated reconnection from same port"
-
-# Tests for various cases of client authentication with DTLS
-# (focused on handshake flows and message parsing)
-
-run_test "DTLS client auth: required" \
- "$P_SRV dtls=1 auth_mode=required" \
- "$P_CLI dtls=1" \
- 0 \
- -s "Verifying peer X.509 certificate... ok"
-
-run_test "DTLS client auth: optional, client has no cert" \
- "$P_SRV dtls=1 auth_mode=optional" \
- "$P_CLI dtls=1 crt_file=none key_file=none" \
- 0 \
- -s "! Certificate was missing"
-
-run_test "DTLS client auth: none, client has no cert" \
- "$P_SRV dtls=1 auth_mode=none" \
- "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
- 0 \
- -c "skip write certificate$" \
- -s "! Certificate verification was skipped"
-
-run_test "DTLS wrong PSK: badmac alert" \
- "$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
- "$P_CLI dtls=1 psk=abc124" \
- 1 \
- -s "SSL - Verification of the message MAC failed" \
- -c "SSL - A fatal alert message was received from our peer"
-
-# Tests for receiving fragmented handshake messages with DTLS
-
-requires_gnutls
-run_test "DTLS reassembly: no fragmentation (gnutls server)" \
- "$G_SRV -u --mtu 2048 -a" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -C "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_gnutls
-run_test "DTLS reassembly: some fragmentation (gnutls server)" \
- "$G_SRV -u --mtu 512" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_gnutls
-run_test "DTLS reassembly: more fragmentation (gnutls server)" \
- "$G_SRV -u --mtu 128" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_gnutls
-run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
- "$G_SRV -u --mtu 128" \
- "$P_CLI dtls=1 nbio=2 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_gnutls
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
- "$G_SRV -u --mtu 256" \
- "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -c "client hello, adding renegotiation extension" \
- -c "found renegotiation extension" \
- -c "=> renegotiate" \
- -C "mbedtls_ssl_handshake returned" \
- -C "error" \
- -s "Extra-header:"
-
-requires_gnutls
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
- "$G_SRV -u --mtu 256" \
- "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -c "client hello, adding renegotiation extension" \
- -c "found renegotiation extension" \
- -c "=> renegotiate" \
- -C "mbedtls_ssl_handshake returned" \
- -C "error" \
- -s "Extra-header:"
-
-run_test "DTLS reassembly: no fragmentation (openssl server)" \
- "$O_SRV -dtls1 -mtu 2048" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -C "found fragmented DTLS handshake message" \
- -C "error"
-
-run_test "DTLS reassembly: some fragmentation (openssl server)" \
- "$O_SRV -dtls1 -mtu 768" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-run_test "DTLS reassembly: more fragmentation (openssl server)" \
- "$O_SRV -dtls1 -mtu 256" \
- "$P_CLI dtls=1 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
- "$O_SRV -dtls1 -mtu 256" \
- "$P_CLI dtls=1 nbio=2 debug_level=2" \
- 0 \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Tests for sending fragmented handshake messages with DTLS
-#
-# Use client auth when we need the client to send large messages,
-# and use large cert chains on both sides too (the long chains we have all use
-# both RSA and ECDSA, but ideally we should have long chains with either).
-# Sizes reached (UDP payload):
-# - 2037B for server certificate
-# - 1542B for client certificate
-# - 1013B for newsessionticket
-# - all others below 512B
-# All those tests assume MAX_CONTENT_LEN is at least 2048
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: none (for reference)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=4096" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=4096" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -C "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: server only (max_frag_len)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=2048" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# With the MFL extension, the server has no way of forcing
-# the client to not exceed a certain MTU; hence, the following
-# test can't be replicated with an MTU proxy such as the one
-# `client-initiated, server only (max_frag_len)` below.
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=4096" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=none \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=2048" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=1024" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# While not required by the standard defining the MFL extension
-# (according to which it only applies to records, not to datagrams),
-# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
-# as otherwise there wouldn't be any means to communicate MTU restrictions
-# to the peer.
-# The next test checks that no datagrams significantly larger than the
-# negotiated MFL are sent.
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
- -p "$P_PXY mtu=1110" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=none \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=2048" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=1024" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=2048" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=1024" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# While not required by the standard defining the MFL extension
-# (according to which it only applies to records, not to datagrams),
-# Mbed TLS will never send datagrams larger than MFL + { Max record expansion },
-# as otherwise there wouldn't be any means to communicate MTU restrictions
-# to the peer.
-# The next test checks that no datagrams significantly larger than the
-# negotiated MFL are sent.
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
- -p "$P_PXY mtu=1110" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- max_frag_len=2048" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- max_frag_len=1024" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: none (for reference) (MTU)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- mtu=4096" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- mtu=4096" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -C "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: client (MTU)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=3500-60000 \
- mtu=4096" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=3500-60000 \
- mtu=1024" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -C "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: server (MTU)" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- mtu=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- mtu=2048" \
- 0 \
- -S "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: both (MTU=1024)" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- mtu=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=2500-60000 \
- mtu=1024" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: both (MTU=512)" \
- -p "$P_PXY mtu=512" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=2500-60000 \
- mtu=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=2500-60000 \
- mtu=512" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Test for automatic MTU reduction on repeated resend.
-# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
-# The ratio of max/min timeout should ideally equal 4 to accept two
-# retransmissions, but in some cases (like both the server and client using
-# fragmentation and auto-reduction) an extra retransmission might occur,
-# hence the ratio of 8.
-not_with_valgrind
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
- -p "$P_PXY mtu=508" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=400-3200" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=400-3200" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
-only_with_valgrind
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
- -p "$P_PXY mtu=508" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=250-10000" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=250-10000" \
- 0 \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
-# OTOH the client might resend if the server is to slow to reset after sending
-# a HelloVerifyRequest, so only check for no retransmission server-side
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=10000-60000 \
- mtu=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=10000-60000 \
- mtu=1024" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
-# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
-# OTOH the client might resend if the server is to slow to reset after sending
-# a HelloVerifyRequest, so only check for no retransmission server-side
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
- -p "$P_PXY mtu=512" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=10000-60000 \
- mtu=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=10000-60000 \
- mtu=512" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=10000-60000 \
- mtu=1024 nbio=2" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=10000-60000 \
- mtu=1024 nbio=2" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
- -p "$P_PXY mtu=512" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=10000-60000 \
- mtu=512 nbio=2" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=10000-60000 \
- mtu=512 nbio=2" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
-# This ensures things still work after session_reset().
-# It also exercises the "resumed handshake" flow.
-# Since we don't support reading fragmented ClientHello yet,
-# up the MTU to 1450 (larger than ClientHello with session ticket,
-# but still smaller than client's Certificate to ensure fragmentation).
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-# reco_delay avoids races where the client reconnects before the server has
-# resumed listening, which would result in a spurious autoreduction.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
- -p "$P_PXY mtu=1450" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=10000-60000 \
- mtu=1450" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=10000-60000 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- mtu=1450 reconnect=1 reco_delay=1" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_CHACHAPOLY_C
-run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
- -p "$P_PXY mtu=512" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- exchanges=2 renegotiation=1 \
- hs_timeout=10000-60000 \
- mtu=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- exchanges=2 renegotiation=1 renegotiate=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=10000-60000 \
- mtu=512" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
-run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
- -p "$P_PXY mtu=512" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- exchanges=2 renegotiation=1 \
- hs_timeout=10000-60000 \
- mtu=512" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- exchanges=2 renegotiation=1 renegotiate=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
- hs_timeout=10000-60000 \
- mtu=512" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CCM_C
-run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- exchanges=2 renegotiation=1 renegotiate=1 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
-run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- exchanges=2 renegotiation=1 renegotiate=1 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# An autoreduction on the client-side might happen if the server is
-# slow to reset, therefore omitting '-C "autoreduction"' below.
-not_with_valgrind # spurious autoreduction due to timeout
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SHA256_C
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
-run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
- -p "$P_PXY mtu=1024" \
- "$P_SRV dtls=1 debug_level=2 auth_mode=required \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- exchanges=2 renegotiation=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- exchanges=2 renegotiation=1 renegotiate=1 \
- hs_timeout=10000-60000 \
- mtu=1024" \
- 0 \
- -S "autoreduction" \
- -s "found fragmented DTLS handshake message" \
- -c "found fragmented DTLS handshake message" \
- -C "error"
-
-# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_GCM_C -client_needs_more_time 2 -run_test "DTLS fragmenting: proxy MTU + 3d" \ - -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ - "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-10000 mtu=512" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - hs_timeout=250-10000 mtu=512" \ - 0 \ - -s "found fragmented DTLS handshake message" \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -# Forcing ciphersuite for this test to fit the MTU of 512 with full config. -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_GCM_C -client_needs_more_time 2 -run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ - -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ - "$P_SRV dtls=1 debug_level=2 auth_mode=required \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-10000 mtu=512 nbio=2" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - hs_timeout=250-10000 mtu=512 nbio=2" \ - 0 \ - -s "found fragmented DTLS handshake message" \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -# interop tests for DTLS fragmentating with reliable connection -# -# here and below we just want to test 
that the we fragment in a way that -# pleases other implementations, so we don't need the peer to fragment -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_gnutls -run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ - "$G_SRV -u" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - mtu=512 force_version=dtls1_2" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -requires_gnutls -run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ - "$G_SRV -u" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -# We use --insecure for the GnuTLS client because it expects -# the hostname / IP it connects to to be the name used in the -# certificate obtained from the server. Here, however, it -# connects to 127.0.0.1 while our test certificates use 'localhost' -# as the server name in the certificate. This will make the -# certifiate validation fail, but passing --insecure makes -# GnuTLS continue the connection nonetheless. 
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_gnutls
-requires_not_i686
-run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
- "$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- mtu=512 force_version=dtls1_2" \
- "$G_CLI -u --insecure 127.0.0.1" \
- 0 \
- -s "fragmenting handshake message"
-
-# See previous test for the reason to use --insecure
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-requires_gnutls
-requires_not_i686
-run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
- "$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- mtu=512 force_version=dtls1" \
- "$G_CLI -u --insecure 127.0.0.1" \
- 0 \
- -s "fragmenting handshake message"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
- "$O_SRV -dtls1_2 -verify 10" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- mtu=512 force_version=dtls1_2" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
- "$O_SRV -dtls1 -verify 10" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- mtu=512 force_version=dtls1" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - mtu=512 force_version=dtls1_2" \ - "$O_CLI -dtls1_2" \ - 0 \ - -s "fragmenting handshake message" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - mtu=512 force_version=dtls1" \ - "$O_CLI -dtls1" \ - 0 \ - -s "fragmenting handshake message" - -# interop tests for DTLS fragmentating with unreliable connection -# -# again we just want to test that the we fragment in a way that -# pleases other implementations, so we don't need the peer to fragment -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$G_NEXT_SRV -u" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ - -p "$P_PXY 
drop=8 delay=8 duplicate=8" \ - "$G_NEXT_SRV -u" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - "$G_NEXT_CLI -u --insecure 127.0.0.1" \ - 0 \ - -s "fragmenting handshake message" - -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$G_NEXT_CLI -u --insecure 127.0.0.1" \ - 0 \ - -s "fragmenting handshake message" - -## Interop test with OpenSSL might trigger a bug in recent versions (including -## all versions installed on the CI machines), reported here: -## Bug report: https://github.com/openssl/openssl/issues/6902 -## They should be re-enabled once a fixed version of OpenSSL is available -## (this should happen in some 1.1.1_ release according to the ticket). 
-skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$O_SRV -dtls1_2 -verify 10" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$O_SRV -dtls1 -verify 10" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - "$O_CLI -dtls1_2" \ - 0 \ - -s "fragmenting handshake message" - -# -nbio is added to prevent s_client from blocking in case of duplicated -# messages at the end of the handshake -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled 
MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$O_CLI -nbio -dtls1" \ - 0 \ - -s "fragmenting handshake message" - -# Tests for specific things with "unreliable" UDP connection - -not_with_valgrind # spurious resend due to timeout -run_test "DTLS proxy: reference" \ - -p "$P_PXY" \ - "$P_SRV dtls=1 debug_level=2" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -C "replayed record" \ - -S "replayed record" \ - -C "record from another epoch" \ - -S "record from another epoch" \ - -C "discarding invalid record" \ - -S "discarding invalid record" \ - -S "resend" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -not_with_valgrind # spurious resend due to timeout -run_test "DTLS proxy: duplicate every packet" \ - -p "$P_PXY duplicate=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -c "replayed record" \ - -s "replayed record" \ - -c "record from another epoch" \ - -s "record from another epoch" \ - -S "resend" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -run_test "DTLS proxy: duplicate every packet, server anti-replay off" \ - -p "$P_PXY duplicate=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2 anti_replay=0" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -c "replayed record" \ - -S "replayed record" \ - -c "record from another epoch" \ - -s "record from another epoch" \ - -c "resend" \ - -s "resend" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -run_test "DTLS proxy: multiple records in same datagram" \ - -p "$P_PXY pack=50" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -c "next record in 
same datagram" \ - -s "next record in same datagram" - -run_test "DTLS proxy: multiple records in same datagram, duplicate every packet" \ - -p "$P_PXY pack=50 duplicate=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ - 0 \ - -c "next record in same datagram" \ - -s "next record in same datagram" - -run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \ - -p "$P_PXY bad_ad=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=1" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \ - 0 \ - -c "discarding invalid record (mac)" \ - -s "discarding invalid record (mac)" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" \ - -S "too many records with bad MAC" \ - -S "Verification of the message MAC failed" - -run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \ - -p "$P_PXY bad_ad=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=1" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \ - 1 \ - -C "discarding invalid record (mac)" \ - -S "discarding invalid record (mac)" \ - -S "Extra-header:" \ - -C "HTTP/1.0 200 OK" \ - -s "too many records with bad MAC" \ - -s "Verification of the message MAC failed" - -run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \ - -p "$P_PXY bad_ad=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100" \ - 0 \ - -c "discarding invalid record (mac)" \ - -s "discarding invalid record (mac)" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" \ - -S "too many records with bad MAC" \ - -S "Verification of the message MAC failed" - -run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\ - -p "$P_PXY bad_ad=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=1 badmac_limit=2 exchanges=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=1 read_timeout=100 exchanges=2" \ - 1 \ - -c "discarding invalid record (mac)" \ - 
-s "discarding invalid record (mac)" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" \ - -s "too many records with bad MAC" \ - -s "Verification of the message MAC failed" - -run_test "DTLS proxy: delay ChangeCipherSpec" \ - -p "$P_PXY delay_ccs=1" \ - "$P_SRV dtls=1 debug_level=1 dgram_packing=0" \ - "$P_CLI dtls=1 debug_level=1 dgram_packing=0" \ - 0 \ - -c "record from another epoch" \ - -s "record from another epoch" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -# Tests for reordering support with DTLS - -run_test "DTLS reordering: Buffer out-of-order handshake message on client" \ - -p "$P_PXY delay_srv=ServerHello" \ - "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -c "Buffering HS message" \ - -c "Next handshake message has been buffered - load"\ - -S "Buffering HS message" \ - -S "Next handshake message has been buffered - load"\ - -C "Injecting buffered CCS message" \ - -C "Remember CCS message" \ - -S "Injecting buffered CCS message" \ - -S "Remember CCS message" - -run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \ - -p "$P_PXY delay_srv=ServerHello" \ - "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -c "Buffering HS message" \ - -c "found fragmented DTLS handshake message"\ - -c "Next handshake message 1 not or only partially bufffered" \ - -c "Next handshake message has been buffered - load"\ - -S "Buffering HS message" \ - -S "Next handshake message has been buffered - load"\ - -C "Injecting buffered CCS message" \ - -C "Remember CCS message" \ - -S "Injecting buffered CCS message" \ - -S "Remember CCS message" - -# The client buffers the ServerKeyExchange before receiving the fragmented -# Certificate message; at the time of writing, together these are aroudn 1200b 
-# in size, so that the bound below ensures that the certificate can be reassembled
-# while keeping the ServerKeyExchange.
-requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
-run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
- -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
- "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
- hs_timeout=2500-60000" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
- hs_timeout=2500-60000" \
- 0 \
- -c "Buffering HS message" \
- -c "Next handshake message has been buffered - load"\
- -C "attempt to make space by freeing buffered messages" \
- -S "Buffering HS message" \
- -S "Next handshake message has been buffered - load"\
- -C "Injecting buffered CCS message" \
- -C "Remember CCS message" \
- -S "Injecting buffered CCS message" \
- -S "Remember CCS message"
-
-# The size constraints ensure that the delayed certificate message can't
-# be reassembled while keeping the ServerKeyExchange message, but it can
-# when dropping it first.
-requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900 -requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299 -run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \ - -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \ - "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -c "Buffering HS message" \ - -c "attempt to make space by freeing buffered future messages" \ - -c "Enough space available after freeing buffered HS messages" \ - -S "Buffering HS message" \ - -S "Next handshake message has been buffered - load"\ - -C "Injecting buffered CCS message" \ - -C "Remember CCS message" \ - -S "Injecting buffered CCS message" \ - -S "Remember CCS message" - -run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ - -p "$P_PXY delay_cli=Certificate" \ - "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -C "Buffering HS message" \ - -C "Next handshake message has been buffered - load"\ - -s "Buffering HS message" \ - -s "Next handshake message has been buffered - load" \ - -C "Injecting buffered CCS message" \ - -C "Remember CCS message" \ - -S "Injecting buffered CCS message" \ - -S "Remember CCS message" - -run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ - -p "$P_PXY delay_srv=NewSessionTicket" \ - "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -C "Buffering HS message" \ - -C "Next handshake message has been buffered - load"\ - -S "Buffering HS message" \ - -S "Next handshake message has been buffered - load" \ - -c "Injecting buffered CCS message" \ - -c "Remember CCS 
message" \ - -S "Injecting buffered CCS message" \ - -S "Remember CCS message" - -run_test "DTLS reordering: Buffer out-of-order CCS message on server"\ - -p "$P_PXY delay_cli=ClientKeyExchange" \ - "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -C "Buffering HS message" \ - -C "Next handshake message has been buffered - load"\ - -S "Buffering HS message" \ - -S "Next handshake message has been buffered - load" \ - -C "Injecting buffered CCS message" \ - -C "Remember CCS message" \ - -s "Injecting buffered CCS message" \ - -s "Remember CCS message" - -run_test "DTLS reordering: Buffer encrypted Finished message" \ - -p "$P_PXY delay_ccs=1" \ - "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - hs_timeout=2500-60000" \ - 0 \ - -s "Buffer record from epoch 1" \ - -s "Found buffered record from current epoch - load" \ - -c "Buffer record from epoch 1" \ - -c "Found buffered record from current epoch - load" - -# In this test, both the fragmented NewSessionTicket and the ChangeCipherSpec -# from the server are delayed, so that the encrypted Finished message -# is received and buffered. When the fragmented NewSessionTicket comes -# in afterwards, the encrypted Finished message must be freed in order -# to make space for the NewSessionTicket to be reassembled. -# This works only in very particular circumstances: -# - MBEDTLS_SSL_DTLS_MAX_BUFFERING must be large enough to allow buffering -# of the NewSessionTicket, but small enough to also allow buffering of -# the encrypted Finished message. -# - The MTU setting on the server must be so small that the NewSessionTicket -# needs to be fragmented. -# - All messages sent by the server must be small enough to be either sent -# without fragmentation or be reassembled within the bounds of -# MBEDTLS_SSL_DTLS_MAX_BUFFERING. 
Achieve this by testing with a PSK-based -# handshake, omitting CRTs. -requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 240 -requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 280 -run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" \ - -p "$P_PXY delay_srv=NewSessionTicket delay_srv=NewSessionTicket delay_ccs=1" \ - "$P_SRV mtu=190 dgram_packing=0 psk=abc123 psk_identity=foo cookies=0 dtls=1 debug_level=2" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=abc123 psk_identity=foo" \ - 0 \ - -s "Buffer record from epoch 1" \ - -s "Found buffered record from current epoch - load" \ - -c "Buffer record from epoch 1" \ - -C "Found buffered record from current epoch - load" \ - -c "Enough space available after freeing future epoch record" - -# Tests for "randomly unreliable connection": try a variety of flows and peers - -client_needs_more_time 2 -run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ - force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, \"short\" RSA handshake" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \ - "$P_CLI dtls=1 
dgram_packing=0 hs_timeout=500-10000 tickets=0" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, FS, client auth" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, FS, ticket" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 2 -run_test "DTLS proxy: 3d, max handshake, nbio" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \ - auth_mode=required" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \ - 0 \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - -client_needs_more_time 4 -run_test "DTLS proxy: 3d, min handshake, resumption" \ - -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ - psk=abc123 debug_level=3" \ - "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \ - debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \ - force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \ - 0 \ - -s "a session has been resumed" \ - -c "a session has been resumed" \ - -s "Extra-header:" \ - -c "HTTP/1.0 200 OK" - 
-client_needs_more_time 4
-run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 debug_level=3 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
- debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
- 0 \
- -s "a session has been resumed" \
- -c "a session has been resumed" \
- -s "Extra-header:" \
- -c "HTTP/1.0 200 OK"
-
-client_needs_more_time 4
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
- renegotiate=1 debug_level=2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
- 0 \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "Extra-header:" \
- -c "HTTP/1.0 200 OK"
-
-client_needs_more_time 4
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiation=1 debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
- renegotiate=1 debug_level=2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
- 0 \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "Extra-header:" \
- -c "HTTP/1.0 200 OK"
-
-client_needs_more_time 4
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
- debug_level=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
- renegotiation=1 exchanges=4 debug_level=2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
- 0 \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "Extra-header:" \
- -c "HTTP/1.0 200 OK"
-
-client_needs_more_time 4
-requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
- psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
- debug_level=2 nbio=2" \
- "$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
- renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
- force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
- 0 \
- -c "=> renegotiate" \
- -s "=> renegotiate" \
- -s "Extra-header:" \
- -c "HTTP/1.0 200 OK"
-
-## Interop tests with OpenSSL might trigger a bug in recent versions (including
-## all versions installed on the CI machines), reported here:
-## Bug report: https://github.com/openssl/openssl/issues/6902
-## They should be re-enabled once a fixed version of OpenSSL is available
-## (this should happen in some 1.1.1_ release according to the ticket).
-skip_next_test
-client_needs_more_time 6
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, openssl server" \
- -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
- "$O_SRV -dtls1 -mtu 2048" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
- 0 \
- -c "HTTP/1.0 200 OK"
-
-skip_next_test # see above
-client_needs_more_time 8
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, openssl server, fragmentation" \
- -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
- "$O_SRV -dtls1 -mtu 768" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
- 0 \
- -c "HTTP/1.0 200 OK"
-
-skip_next_test # see above
-client_needs_more_time 8
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
- -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
- "$O_SRV -dtls1 -mtu 768" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
- 0 \
- -c "HTTP/1.0 200 OK"
-
-requires_gnutls
-client_needs_more_time 6
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, gnutls server" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$G_SRV -u --mtu 2048 -a" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
- 0 \
- -s "Extra-header:" \
- -c "Extra-header:"
-
-requires_gnutls_next
-client_needs_more_time 8
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$G_NEXT_SRV -u --mtu 512" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
- 0 \
- -s "Extra-header:" \
- -c "Extra-header:"
-
-requires_gnutls_next
-client_needs_more_time 8
-not_with_valgrind # risk of non-mbedtls peer timing out
-run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
- -p "$P_PXY drop=5 delay=5 duplicate=5" \
- "$G_NEXT_SRV -u --mtu 512" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
- 0 \
- -s "Extra-header:" \
- -c "Extra-header:"
-
-# Final report
-
-echo "------------------------------------------------------------------------"
-
-if [ $FAILS = 0 ]; then
- printf "PASSED"
-else
- printf "FAILED"
-fi
-PASSES=$(( $TESTS - $FAILS ))
-echo " ($PASSES / $TESTS tests ($SKIPS skipped))"
-
-exit $FAILS
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
deleted file mode 100644
index 7f747d07b..000000000
--- a/tests/suites/test_suite_debug.data
+++ /dev/null
@@ -1,64 +0,0 @@ -Debug print msg (threshold 1, level 0) -debug_print_msg_threshold:1:0:"MyFile":999:"MyFile(0999)\: Text message, 2 == 2\n" - -Debug print msg (threshold 1, level 1) -debug_print_msg_threshold:1:1:"MyFile":999:"MyFile(0999)\: Text message, 2 == 2\n" - -Debug print msg (threshold 1, level 2) -debug_print_msg_threshold:1:2:"MyFile":999:"" - -Debug print msg (threshold 0, level 1) -debug_print_msg_threshold:0:1:"MyFile":999:"" - -Debug print msg (threshold 0, level 5) -debug_print_msg_threshold:0:5:"MyFile":999:"" - -Debug print return value #1 -mbedtls_debug_print_ret:"MyFile":999:"Test return value":0:"MyFile(0999)\: Test return value() returned 0 (-0x0000)\n" - -Debug print return value #2 -mbedtls_debug_print_ret:"MyFile":999:"Test return value":-0x1000:"MyFile(0999)\: Test return value() returned -4096 (-0x1000)\n" - -Debug print return value #3 -mbedtls_debug_print_ret:"MyFile":999:"Test return value":-0xFFFF:"MyFile(0999)\: Test return value() returned -65535 (-0xffff)\n" - -Debug print buffer #1 -mbedtls_debug_print_buf:"MyFile":999:"Test return value":"":"MyFile(0999)\: dumping 'Test return value' (0 bytes)\n" - -Debug print buffer #2 -mbedtls_debug_print_buf:"MyFile":999:"Test return value":"00":"MyFile(0999)\: dumping 'Test return value' (1 bytes)\nMyFile(0999)\: 0000\: 00 .\n" - -Debug print buffer #3 -mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F":"MyFile(0999)\: dumping 'Test return value' (16 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\n" - -Debug print buffer #4 -mbedtls_debug_print_buf:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F00":"MyFile(0999)\: dumping 'Test return value' (17 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 00 .\n" - -Debug print buffer #5 -mbedtls_debug_print_buf:"MyFile":999:"Test return 
value":"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................\nMyFile(0999)\: 0020\: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./\nMyFile(0999)\: 0030\: 30 0\n" - -Debug print certificate #1 (RSA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2011-02-12 14\:44\:06\nMyFile(0999)\: expires on \: 2021-02-12 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 
89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n" - -Debug print certificate #2 (EC) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C -mbedtls_debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2013-09-24 15\:49\:48\nMyFile(0999)\: expires on \: 2023-09-22 15\:49\:48\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n" - -Debug print mbedtls_mpi #1 -mbedtls_debug_print_mpi:16:"01020304050607":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (49 bits) is\:\nMyFile(0999)\: 01 02 03 04 05 06 07\n" - -Debug print mbedtls_mpi #2 -mbedtls_debug_print_mpi:16:"00000000000007":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (3 bits) is\:\nMyFile(0999)\: 07\n" - -Debug print mbedtls_mpi #3 -mbedtls_debug_print_mpi:16:"00000000000000":"MyFile":999:"VALUE":"MyFile(0999)\: 
value of 'VALUE' (0 bits) is\:\nMyFile(0999)\: 00\n" - -Debug print mbedtls_mpi #4 -mbedtls_debug_print_mpi:16:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" - -Debug print mbedtls_mpi #5 -mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (764 bits) is\:\nMyFile(0999)\: 09 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a\nMyFile(0999)\: 14 2f 68 aa 8d 41 20 23 19 5c ee 66 88 3e 62 90\nMyFile(0999)\: ff e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c\nMyFile(0999)\: 09 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89\nMyFile(0999)\: af 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b\nMyFile(0999)\: 52 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" - -Debug print mbedtls_mpi #6 -mbedtls_debug_print_mpi:16:"0000000000000000000000000000000000000000000000000000000041379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":"MyFile":999:"VALUE":"MyFile(0999)\: value of 'VALUE' (759 bits) is\:\nMyFile(0999)\: 41 37 9d 00 fe d1 49 1f e1 5d f2 84 df de 4a 14\nMyFile(0999)\: 2f 68 aa 8d 41 
20 23 19 5c ee 66 88 3e 62 90 ff\nMyFile(0999)\: e7 03 f4 ea 59 63 bf 21 27 13 ce e4 6b 10 7c 09\nMyFile(0999)\: 18 2b 5e dc d9 55 ad ac 41 8b f4 91 8e 28 89 af\nMyFile(0999)\: 48 e1 09 9d 51 38 30 ce c8 5c 26 ac 1e 15 8b 52\nMyFile(0999)\: 62 0e 33 ba 86 92 f8 93 ef bb 2f 95 8b 44 24\n" diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function deleted file mode 100644 index 377d630d9..000000000 --- a/tests/suites/test_suite_debug.function +++ /dev/null 
@@ -1,195 +0,0 @@
-/* BEGIN_HEADER */
-#include "mbedtls/debug.h"
-#include "string.h"
-
-struct buffer_data
-{
- char buf[2000];
- char *ptr;
-};
-
-void string_debug(void *data, int level, const char *file, int line, const char *str)
-{
- struct buffer_data *buffer = (struct buffer_data *) data;
- char *p = buffer->ptr;
- ((void) level);
-
- memcpy( p, file, strlen( file ) );
- p += strlen( file );
-
- *p++ = '(';
- *p++ = '0' + ( line / 1000 ) % 10;
- *p++ = '0' + ( line / 100 ) % 10;
- *p++ = '0' + ( line / 10 ) % 10;
- *p++ = '0' + ( line / 1 ) % 10;
- *p++ = ')';
- *p++ = ':';
- *p++ = ' ';
-
-#if defined(MBEDTLS_THREADING_C)
- /* Skip "thread ID" (up to the first space) as it is not predictable */
- while( *str++ != ' ' );
-#endif
-
- memcpy( p, str, strlen( str ) );
- p += strlen( str );
-
- /* Detect if debug messages output partial lines and mark them */
- if( p[-1] != '\n' )
- *p++ = '*';
-
- buffer->ptr = p;
-}
-/* END_HEADER */
-
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_DEBUG_C:MBEDTLS_SSL_TLS_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE */
-void debug_print_msg_threshold( int threshold, int level, char * file,
- int line, char * result_str )
-{
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
- struct buffer_data buffer;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
- memset( buffer.buf, 0, 2000 );
- buffer.ptr = buffer.buf;
-
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- mbedtls_debug_set_threshold( threshold );
- mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
-
- mbedtls_debug_print_msg( &ssl, level, file, line,
- "Text message, 2 == %d", 2 );
-
- TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
-
-exit:
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
-
-/* BEGIN_CASE */
-void mbedtls_debug_print_ret( char * file, int line, char * text, int value,
- char * result_str )
-{
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
- struct buffer_data buffer;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
- memset( buffer.buf, 0, 2000 );
- buffer.ptr = buffer.buf;
-
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
-
- mbedtls_debug_print_ret( &ssl, 0, file, line, text, value);
-
- TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
-
-exit:
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
-
-/* BEGIN_CASE */
-void mbedtls_debug_print_buf( char * file, int line, char * text,
- data_t * data, char * result_str )
-{
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
- struct buffer_data buffer;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
- memset( buffer.buf, 0, 2000 );
- buffer.ptr = buffer.buf;
-
-
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
-
- mbedtls_debug_print_buf( &ssl, 0, file, line, text, data->x, data->len );
-
- TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
-
-exit:
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void mbedtls_debug_print_crt( char * crt_file, char * file, int line,
- char * prefix, char * result_str )
-{
- mbedtls_x509_crt crt;
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
- struct buffer_data buffer;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
- mbedtls_x509_crt_init( &crt );
- memset( buffer.buf, 0, 2000 );
- buffer.ptr = buffer.buf;
-
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
-
- TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
- mbedtls_debug_print_crt( &ssl, 0, file, line, prefix, &crt);
-
- TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
-
-exit:
- mbedtls_x509_crt_free( &crt );
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_BIGNUM_C */
-void mbedtls_debug_print_mpi( int radix, char * value, char * file, int line,
- char * prefix, char * result_str )
-{
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
- struct buffer_data buffer;
- mbedtls_mpi val;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
- mbedtls_mpi_init( &val );
- memset( buffer.buf, 0, 2000 );
- buffer.ptr = buffer.buf;
-
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- TEST_ASSERT( mbedtls_mpi_read_string( &val, radix, value ) == 0 );
-
- mbedtls_ssl_conf_dbg( &conf, string_debug, &buffer);
-
- mbedtls_debug_print_mpi( &ssl, 0, file, line, prefix, &val);
-
- TEST_ASSERT( strcmp( buffer.buf, result_str ) == 0 );
-
-exit:
- mbedtls_mpi_free( &val );
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
deleted file mode 100644
index 147350744..000000000
--- a/tests/suites/test_suite_ssl.data
+++ /dev/null
@@ -1,59 +0,0 @@
-SSL DTLS replay: initial state, seqnum 0
-ssl_dtls_replay:"":"000000000000":0
-
-SSL DTLS replay: 0 seen, 1 arriving
-ssl_dtls_replay:"000000000000":"000000000001":0
-
-SSL DTLS replay: 0 seen, 0 replayed
-ssl_dtls_replay:"000000000000":"000000000000":-1
-
-SSL DTLS replay: 0-1 seen, 2 arriving
-ssl_dtls_replay:"000000000000000000000001":"000000000002":0
-
-SSL DTLS replay: 0-1 seen, 1 replayed
-ssl_dtls_replay:"000000000000000000000001":"000000000001":-1
-
-SSL DTLS replay: 0-1 seen, 0 replayed
-ssl_dtls_replay:"000000000000000000000001":"000000000000":-1
-
-SSL DTLS replay: new
-ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340004":0
-
-SSL DTLS replay: way new
-ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12350000":0
-
-SSL DTLS replay: delayed
-ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340002":0
-
-SSL DTLS replay: lastest replayed
-ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340003":-1
-
-SSL DTLS replay: older replayed
-ssl_dtls_replay:"abcd12340000abcd12340001abcd12340003":"abcd12340001":-1
-
-SSL DTLS replay: most recent in window, replayed
-ssl_dtls_replay:"abcd12340000abcd12340002abcd12340003":"abcd12340002":-1
-
-SSL DTLS replay: oldest in window, replayed
-ssl_dtls_replay:"abcd12340000abcd12340001abcd1234003f":"abcd12340000":-1
-
-SSL DTLS replay: oldest in window, not replayed
-ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd12340000":0
-
-SSL DTLS replay: just out of the window
-ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd1233ffff":-1
-
-SSL DTLS replay: way out of the window
-ssl_dtls_replay:"abcd12340001abcd12340002abcd1234003f":"abcd12330000":-1
-
-SSL DTLS replay: big jump then replay
-ssl_dtls_replay:"abcd12340000abcd12340100":"abcd12340100":-1
-
-SSL DTLS replay: big jump then new
-ssl_dtls_replay:"abcd12340000abcd12340100":"abcd12340101":0
-
-SSL DTLS replay: big jump then just delayed
-ssl_dtls_replay:"abcd12340000abcd12340100":"abcd123400ff":0
-
-SSL SET_HOSTNAME memory leak: call ssl_set_hostname twice
-ssl_set_hostname_twice:"server0":"server1"
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
deleted file mode 100644
index 326f22d3b..000000000
--- a/tests/suites/test_suite_ssl.function
+++ /dev/null
@@ -1,54 +0,0 @@
-/* BEGIN_HEADER */
-#include
-#include
-/* END_HEADER */
-
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_SSL_TLS_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
-void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
-{
- uint32_t len = 0;
- mbedtls_ssl_context ssl;
- mbedtls_ssl_config conf;
-
- mbedtls_ssl_init( &ssl );
- mbedtls_ssl_config_init( &conf );
-
- TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_DATAGRAM,
- MBEDTLS_SSL_PRESET_DEFAULT ) == 0 );
- TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
-
- /* Read previous record numbers */
- for( len = 0; len < prevs->len; len += 6 )
- {
- memcpy( ssl.in_ctr + 2, prevs->x + len, 6 );
- mbedtls_ssl_dtls_replay_update( &ssl );
- }
-
- /* Check new number */
- memcpy( ssl.in_ctr + 2, new->x, 6 );
- TEST_ASSERT( mbedtls_ssl_dtls_replay_check( &ssl ) == ret );
-
- mbedtls_ssl_free( &ssl );
- mbedtls_ssl_config_free( &conf );
-}
-/* END_CASE */
-
-/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
-void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
-{
- mbedtls_ssl_context ssl;
- mbedtls_ssl_init( &ssl );
-
- TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname0 ) == 0 );
- TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname1 ) == 0 );
-
- mbedtls_ssl_free( &ssl );
-}
-/* END_CASE */
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
deleted file mode 100644
index 042d653b5..000000000
--- a/tests/suites/test_suite_x509parse.data
+++ /dev/null
@@ -1,1995 +0,0 @@ -X509 Certificate information #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server1.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information #1 (DER) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server1.der":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information #2 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server2.crt":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information #2 (DER) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server2.der":"cert. version \: 3\nserial number \: 02\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information #3 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/test-ca.crt":"cert. 
version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2011-02-12 14\:44\:00\nexpires on \: 2021-02-12 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" - -X509 Certificate information #3 (DER) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/test-ca.der":"cert. version \: 3\nserial number \: 03\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2011-02-12 14\:44\:00\nexpires on \: 2021-02-12 14\:44\:00\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\n" - -X509 Certificate information MD2 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD2_C -x509_cert_info:"data_files/cert_md2.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD2\nissued on \: 2009-07-12 10\:56\:59\nexpires on \: 2011-07-12 10\:56\:59\nsigned using \: RSA with MD2\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information MD4 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD4_C -x509_cert_info:"data_files/cert_md4.crt":"cert. version \: 3\nserial number \: 05\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD4\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with MD4\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information MD5 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_MD5_C -x509_cert_info:"data_files/cert_md5.crt":"cert. 
version \: 3\nserial number \: 06\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert MD5\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_sha1.crt":"cert. version \: 3\nserial number \: 07\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA1\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509_cert_info:"data_files/cert_sha224.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA224\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509_cert_info:"data_files/cert_sha256.crt":"cert. version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA256\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA512_C -x509_cert_info:"data_files/cert_sha384.crt":"cert. 
version \: 3\nserial number \: 0A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA384\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA512_C -x509_cert_info:"data_files/cert_sha512.crt":"cert. version \: 3\nserial number \: 0B\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Cert SHA512\nissued on \: 2011-02-12 14\:44\:07\nexpires on \: 2021-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information RSA-PSS, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server9.crt":"cert. version \: 3\nserial number \: 16\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:38\:16\nexpires on \: 2024-01-18 13\:38\:16\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information RSA-PSS, SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C -x509_cert_info:"data_files/server9-sha224.crt":"cert. 
version \: 3\nserial number \: 17\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:36\nexpires on \: 2024-01-18 13\:57\:36\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information RSA-PSS, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C -x509_cert_info:"data_files/server9-sha256.crt":"cert. version \: 3\nserial number \: 18\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:45\nexpires on \: 2024-01-18 13\:57\:45\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information RSA-PSS, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -x509_cert_info:"data_files/server9-sha384.crt":"cert. version \: 3\nserial number \: 19\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:57\:58\nexpires on \: 2024-01-18 13\:57\:58\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information RSA-PSS, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -x509_cert_info:"data_files/server9-sha512.crt":"cert. 
version \: 3\nserial number \: 1A\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2014-01-20 13\:58\:12\nexpires on \: 2024-01-18 13\:58\:12\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server5-sha1.crt":"cert. version \: 3\nserial number \: 12\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC, SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -x509_cert_info:"data_files/server5-sha224.crt":"cert. version \: 3\nserial number \: 13\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -x509_cert_info:"data_files/server5.crt":"cert. 
version \: 3\nserial number \: 09\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C -x509_cert_info:"data_files/server5-sha384.crt":"cert. version \: 3\nserial number \: 14\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C -x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial number \: 15\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 16\:21\:27\nexpires on \: 2023-09-22 16\:21\:27\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information, NS Cert Type -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server1.cert_type.crt":"cert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\ncert. type \: SSL Server\n" - -X509 Certificate information, Key Usage -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/server1.key_usage.crt":"cert. 
version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" - -X509 Certificate information, Key Usage with decipherOnly -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" - -X509 Certificate information, Subject Alt Name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n" - -X509 Certificate information, Subject Alt Name + Key Usage -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. 
version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" - -X509 Certificate information, Key Usage + Extended Key Usage -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n" - -X509 Certificate information RSA signed by EC -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C -x509_cert_info:"data_files/server4.crt":"cert. version \: 3\nserial number \: 08\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-09-24 15\:52\:04\nexpires on \: 2023-09-22 15\:52\:04\nsigned using \: ECDSA with SHA256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information EC signed by RSA -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C -x509_cert_info:"data_files/server3.crt":"cert. 
version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" - -X509 Certificate information Bitstring in subject name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n" - -X509 certificate v1 with extension -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C -x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. 
version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n" - -X509 CRL information #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" - -X509 CRL Information MD2 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD2_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_md2.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2009-07-19 19\:56\:37\nnext update \: 2009-09-17 19\:56\:37\nRevoked certificates\:\nserial number\: 01 revocation date\: 2009-02-09 21\:12\:36\nserial number\: 03 revocation date\: 2009-02-09 21\:12\:36\nsigned using \: RSA with MD2\n" - -X509 CRL Information MD4 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD4_C -mbedtls_x509_crl_info:"data_files/crl_md4.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD4\n" - -X509 CRL Information MD5 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD5_C:MBEDTLS_RSA_C 
-mbedtls_x509_crl_info:"data_files/crl_md5.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with MD5\n" - -X509 CRL Information SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_sha1.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n" - -X509 CRL Information SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_sha224.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-224\n" - -X509 CRL Information SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_sha256.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-256\n" - -X509 CRL Information SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_sha384.pem":"CRL version \: 1\nissuer name \: C=NL, 
O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-384\n" - -X509 CRL Information SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C -mbedtls_x509_crl_info:"data_files/crl_sha512.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-12 14\:44\:07\nnext update \: 2011-04-13 14\:44\:07\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA-512\n" - -X509 CRL information RSA-PSS, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C -mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:46\:35\nnext update \: 2024-01-18 13\:46\:35\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0xEA)\n" - -X509 CRL information RSA-PSS, SHA224 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C -mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:06\nnext update \: 2024-01-18 13\:56\:06\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0xE2)\n" - -X509 CRL information RSA-PSS, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C 
-mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:16\nnext update \: 2024-01-18 13\:56\:16\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0xDE)\n" - -X509 CRL information RSA-PSS, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:28\nnext update \: 2024-01-18 13\:56\:28\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0xCE)\n" - -X509 CRL information RSA-PSS, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -mbedtls_x509_crl_info:"data_files/crl-rsa-pss-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2014-01-20 13\:56\:38\nnext update \: 2024-01-18 13\:56\:38\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nserial number\: 16 revocation date\: 2014-01-20 13\:43\:05\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0xBE)\n" - -X509 CRL Information EC, SHA1 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_info:"data_files/crl-ec-sha1.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA1\n" - -X509 CRL Information EC, SHA224 Digest 
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_info:"data_files/crl-ec-sha224.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA224\n" - -X509 CRL Information EC, SHA256 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_info:"data_files/crl-ec-sha256.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA256\n" - -X509 CRL Information EC, SHA384 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_info:"data_files/crl-ec-sha384.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA384\n" - -X509 CRL Information EC, SHA512 Digest -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update \: 2013-09-24 16\:31\:08\nnext update \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using \: ECDSA with SHA512\n" - -X509 CRL Malformed Input (trailing spaces at end of file) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_SHA512_C:MBEDTLS_ECDSA_C -mbedtls_x509_crl_parse:"data_files/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT - -X509 CRL Unsupported critical extension 
(issuingDistributionPoint) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -mbedtls_x509_crl_parse:"data_files/crl-idp.pem":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -X509 CRL Unsupported non-critical extension (issuingDistributionPoint) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -mbedtls_x509_crl_parse:"data_files/crl-idpnc.pem":0 - -X509 CSR Information RSA with MD4 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD4_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.md4":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD4\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with MD5 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD5_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.md5":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with MD5\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with SHA1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with SHA224 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-224\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with SHA256 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with SHA384 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C 
-mbedtls_x509_csr_info:"data_files/server1.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-384\nRSA key size \: 2048 bits\n" - -X509 CSR Information RSA with SHA512 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n" - -X509 CSR Information EC with SHA1 -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C -mbedtls_x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n" - -X509 CSR Information EC with SHA224 -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -mbedtls_x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n" - -X509 CSR Information EC with SHA256 -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -mbedtls_x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n" - -X509 CSR Information EC with SHA384 -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C -mbedtls_x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n" - -X509 CSR Information EC with SHA512 -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA512_C -mbedtls_x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, 
O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n" - -X509 CSR Information RSA-PSS with SHA1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C -mbedtls_x509_csr_info:"data_files/server9.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA1, MGF1-SHA1, 0x6A)\nRSA key size \: 1024 bits\n" - -X509 CSR Information RSA-PSS with SHA224 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C -mbedtls_x509_csr_info:"data_files/server9.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA224, MGF1-SHA224, 0x62)\nRSA key size \: 1024 bits\n" - -X509 CSR Information RSA-PSS with SHA256 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C -mbedtls_x509_csr_info:"data_files/server9.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA256, MGF1-SHA256, 0x5E)\nRSA key size \: 1024 bits\n" - -X509 CSR Information RSA-PSS with SHA384 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -mbedtls_x509_csr_info:"data_files/server9.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA384, MGF1-SHA384, 0x4E)\nRSA key size \: 1024 bits\n" - -X509 CSR Information RSA-PSS with SHA512 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C -mbedtls_x509_csr_info:"data_files/server9.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: RSASSA-PSS (SHA512, MGF1-SHA512, 0x3E)\nRSA key size \: 1024 bits\n" - -X509 CSR Information RSA with SHA256 - Microsoft header -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C -mbedtls_x509_csr_info:"data_files/server1-ms.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned 
using \: RSA with SHA-256\nRSA key size \: 2048 bits\n" - -X509 Verify Information: empty -x509_verify_info:0:"":"" - -X509 Verify Information: one issue -x509_verify_info:MBEDTLS_X509_BADCERT_MISSING:"":"Certificate was missing\n" - -X509 Verify Information: two issues -x509_verify_info:MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n" - -X509 Verify Information: two issues, one unknown -x509_verify_info:MBEDTLS_X509_BADCERT_OTHER | 0x80000000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n" - -X509 Verify Information: empty, with prefix -x509_verify_info:0:" ! ":"" - -X509 Verify Information: one issue, with prefix -x509_verify_info:MBEDTLS_X509_BADCERT_MISSING:" ! ":" ! Certificate was missing\n" - -X509 Verify Information: two issues, with prefix -x509_verify_info:MBEDTLS_X509_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:" ! ":" ! The certificate validity has expired\n ! 
The CRL is expired\n" - -X509 Get Distinguished Name #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1" - -X509 Get Distinguished Name #2 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -mbedtls_x509_dn_gets:"data_files/server1.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" - -X509 Get Distinguished Name #3 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -mbedtls_x509_dn_gets:"data_files/server2.crt":"subject":"C=NL, O=PolarSSL, CN=localhost" - -X509 Get Distinguished Name #4 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -mbedtls_x509_dn_gets:"data_files/server2.crt":"issuer":"C=NL, O=PolarSSL, CN=PolarSSL Test CA" - -X509 Time Expired #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_from":1 - -X509 Time Expired #2 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/server1.crt":"valid_to":0 - -X509 Time Expired #3 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_from":1 - -X509 Time Expired #4 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/server2.crt":"valid_to":0 - -X509 Time Expired #5 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_from":1 - -X509 Time Expired #6 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA1_C -mbedtls_x509_time_is_past:"data_files/test-ca.crt":"valid_to":0 - -X509 Time Future #1 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C 
-mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_from":0 - -X509 Time Future #2 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C -mbedtls_x509_time_is_future:"data_files/server5.crt":"valid_to":1 - -X509 Time Future #3 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C -mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_from":1 - -X509 Time Future #4 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C -mbedtls_x509_time_is_future:"data_files/server5-future.crt":"valid_to":1 - -X509 Time Future #5 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C -mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_from":0 - -X509 Time Future #6 -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_SHA256_C -mbedtls_x509_time_is_future:"data_files/test-ca2.crt":"valid_to":1 - -X509 Certificate verification #1 (Revoked Cert, Expired CRL, no CN) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" - -X509 Certificate verification #1a (Revoked Cert, Future CRL, no CN) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" - -X509 Certificate 
verification #2 (Revoked Cert, Expired CRL) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" - -X509 Certificate verification #2a (Revoked Cert, Future CRL) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" - -X509 Certificate verification #3 (Revoked Cert, Future CRL, CN Mismatch) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" - -X509 Certificate verification #3a (Revoked Cert, Expired CRL, CN Mismatch) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" - -X509 Certificate verification #4 (Valid Cert, Expired CRL) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE 
-x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
-
-X509 Certificate verification #4a (Revoked Cert, Future CRL)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
-
-X509 Certificate verification #5 (Revoked Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #5' (Revoked Cert, differing DN string formats #1)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_utf8.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #5'' (Revoked Cert, differing DN string formats #2)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_printable.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #5''' (Revoked Cert, differing upper and lower case)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_uppercase.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #6 (Revoked Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #7 (Revoked Cert, CN Mismatch)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #8 (Valid Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #8a (Expired Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
-
-X509 Certificate verification #8b (Future Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
-
-X509 Certificate verification #8c (Expired Cert, longer chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
-
-X509 Certificate verification #8d (Future Cert, longer chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server7-future.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
-
-X509 Certificate verification #9 (Not trusted Cert)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #10 (Not trusted Cert, Expired CRL)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #12 (Valid Cert MD4 Digest)
-depends_on:MBEDTLS_MD4_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
-
-X509 Certificate verification #13 (Valid Cert MD5 Digest)
-depends_on:MBEDTLS_MD5_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD:"compat":"NULL"
-
-X509 Certificate verification #14 (Valid Cert SHA1 Digest explicitly allowed in profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #14 (Valid Cert SHA1 Digest allowed in compile-time default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"":"NULL"
-
-X509 Certificate verification #14 (Valid Cert SHA1 Digest forbidden in default profile)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
-x509_verify:"data_files/cert_sha1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_BAD_MD | MBEDTLS_X509_BADCERT_BAD_MD:"":"NULL"
-
-X509 Certificate verification #15 (Valid Cert SHA224 Digest)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #16 (Valid Cert SHA256 Digest)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #17 (Valid Cert SHA384 Digest)
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha384.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #18 (Valid Cert SHA512 Digest)
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #19 (Valid Cert, denying callback)
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
-
-X509 Certificate verification #19 (Not trusted Cert, allowing callback)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
-
-X509 Certificate verification #21 (domain matching wildcard certificate, case insensitive)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
-
-X509 Certificate verification #22 (domain not matching wildcard certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #23 (domain not matching wildcard certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #24 (domain matching CN of multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #25 (domain matching multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL"
-
-X509 Certificate verification #26 (domain not matching multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #27 (domain not matching multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #27 (domain not matching multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #28 (domain not matching wildcard in multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
-
-X509 Certificate verification #29 (domain matching wildcard in multi certificate)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
-
-X509 Certificate verification #30 (domain matching multi certificate without CN)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #31 (domain not matching multi certificate without CN)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #32 (Valid, EC cert, RSA CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #33 (Valid, RSA cert, EC CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #34 (Valid, EC cert, EC CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #35 (Revoked, EC CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #36 (Valid, EC CA, SHA1 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5-sha1.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #37 (Valid, EC CA, SHA224 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha224.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #38 (Valid, EC CA, SHA384 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha384.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #39 (Valid, EC CA, SHA512 Digest)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_SHA512_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5-sha512.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #40 (Valid, depth 0, RSA, CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/test-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #41 (Valid, depth 0, EC, CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/test-ca2.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #42 (Depth 0, not CA, RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2.crt":"data_files/server2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #43 (Depth 0, not CA, EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/server5.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #44 (Corrupted signature, EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #45 (Corrupted signature, RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #45b (Corrupted signature, intermediate CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #46 (Valid, depth 2, EC-RSA-EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #47 (Untrusted, depth 2, EC-RSA-EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server7_int-ca.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #48 (Missing intermediate CA, EC-RSA-EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server7.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #49 (Valid, depth 2, RSA-EC-RSA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server8_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #50 (Valid, multiple CAs)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat12.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #51 (Valid, multiple CAs, reverse order)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server2.crt":"data_files/test-ca_cat21.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #52 (CA keyUsage valid)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt_crl.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #53 (CA keyUsage missing cRLSign)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #54 (CA keyUsage missing cRLSign, no CRL)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crt.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #55 (CA keyUsage missing keyCertSign)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-crl.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #56 (CA keyUsage plain wrong)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_X509_CHECK_KEY_USAGE:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.ku-ds.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #57 (Valid, RSASSA-PSS, SHA-1)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #58 (Valid, RSASSA-PSS, SHA-224)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-sha224.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha224.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #59 (Valid, RSASSA-PSS, SHA-256)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-sha256.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #60 (Valid, RSASSA-PSS, SHA-384)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-sha384.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha384.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #61 (Valid, RSASSA-PSS, SHA-512)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-sha512.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha512.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #62 (Revoked, RSASSA-PSS, SHA-1)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #63 (Revoked, RSASSA-PSS, SHA-1, CRL badsign)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1-badsign.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #64 (Valid, RSASSA-PSS, SHA-1, not top)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server9-with-ca.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #65 (RSASSA-PSS, SHA1, bad cert signature)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #66 (RSASSA-PSS, SHA1, no RSA CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #67 (Valid, RSASSA-PSS, all defaults)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-defaults.crt":"data_files/test-ca.crt":"data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #68 (RSASSA-PSS, wrong salt_len)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-bad-saltlen.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #69 (RSASSA-PSS, wrong mgf_hash)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server9-bad-mgfhash.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #70 (v1 trusted CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server1-v1.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #71 (v1 trusted CA, other)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2-v1.crt":"data_files/server1-v1.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #72 (v1 chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #73 (selfsigned trusted without CA bit)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #74 (signed by selfsigned trusted without CA bit)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
-
-X509 Certificate verification #75 (encoding mismatch)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #76 (multiple CRLs, not revoked)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #77 (multiple CRLs, revoked)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #78 (multiple CRLs, revoked by second)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #79 (multiple CRLs, revoked by future)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED|MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
-
-X509 Certificate verification #80 (multiple CRLs, first future, revoked by second)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
-
-X509 Certificate verification #81 (multiple CRLs, none relevant)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #82 (Not yet valid CA and valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #83 (valid CA and Not yet valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-future.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #84 (valid CA and Not yet valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-present-past.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #85 (Not yet valid CA and valid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #86 (Not yet valid CA and invalid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"compat":"NULL"
-
-X509 Certificate verification #87 (Expired CA and invalid CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"compat":"NULL"
-
-X509 Certificate verification #88 (Spurious cert in the chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server7_spurious_int-ca.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #89 (Spurious cert later in the chain)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify:"data_files/server10_int3_spurious_int-ca2.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #90 (EE with same name as trusted root)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/server5-ss-forgeca.crt":"data_files/test-int-ca3.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"":"NULL"
-
-X509 Certificate verification #91 (same CA with good then bad key)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C
-x509_verify:"data_files/server1.crt":"data_files/test-ca-good-alt.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #91 (same CA with bad then good key)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C
-x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
-
-X509 Certificate verification #92 (bad name, allowing callback)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
-
-X509 Certificate verification #93 (Suite B invalid, EC cert, RSA CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY|MBEDTLS_X509_BADCRL_BAD_MD|MBEDTLS_X509_BADCRL_BAD_PK:"suite_b":"NULL"
-
-X509 Certificate verification #94 (Suite B invalid, RSA cert, EC CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server4.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_PK:"suite_b":"NULL"
-
-X509 Certificate verification #95 (Suite B Valid, EC cert, EC CA)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"suite_b":"NULL"
-
-X509 Certificate verification #96 (next profile Invalid Cert SHA224 Digest)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-x509_verify:"data_files/cert_sha224.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCRL_BAD_MD:"next":"NULL"
-
-X509 Certificate verification #97 (next profile Valid Cert SHA256 Digest)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_SHA1_C
-x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL"
-
-X509 Certificate verification callback: bad name
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n"
-
-X509 Certificate verification callback: trusted EE cert
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n"
-
-X509 Certificate verification callback: trusted EE cert, expired
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5-ss-expired.crt":"data_files/server5-ss-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial D8\:64\:61\:05\:E3\:A3\:CD\:78 - subject C=UK, O=mbed TLS, OU=testsuite, CN=localhost - flags 0x00000001\n"
-
-X509 Certificate verification callback: simple
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
-
-X509 Certificate verification callback: simple, EE expired
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 1E - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n"
-
-X509 Certificate verification callback: simple, root expired
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE
-x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
-
-X509 Certificate verification callback: two trusted roots
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
-
-X509 Certificate verification callback: two trusted roots, reversed order
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
-
-X509 Certificate verification callback: root included
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 1 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1 - flags 0x00000000\n"
-
-X509 Certificate verification callback: intermediate ca
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
-
-X509 Certificate verification callback: intermediate ca, root included
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":"NULL":0:"depth 2 - 
serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" - -X509 Certificate verification callback: intermediate ca trusted -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C -x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-int-ca.crt":"NULL":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" - -X509 Certificate verification callback: intermediate ca, EE expired -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7-expired.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000001\n" - -X509 Certificate verification callback: intermediate ca, int expired -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7_int-ca-exp.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - 
subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000001\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" - -X509 Certificate verification callback: intermediate ca, root expired -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE -x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca2-expired.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial 01 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000001\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" - -X509 Certificate verification callback: two intermediates -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C -x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n" - -X509 Certificate verification callback: two intermediates, root included -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C 
-x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":"NULL":0:"depth 3 - serial 03 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA - flags 0x00000000\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
-
-X509 Certificate verification callback: two intermediates, top int trusted
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":"NULL":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA - flags 0x00000000\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
-
-X509 Certificate verification callback: two intermediates, low int trusted
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C:MBEDTLS_SHA1_C
-x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-int-ca3.crt":"NULL":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3 - flags 0x00000000\ndepth 0 - serial 4B - subject CN=localhost - flags 0x00000000\n"
-
-X509 Certificate verification callback: no intermediate, bad signature
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_callback:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
-
-X509 Certificate verification callback: one intermediate, bad signature
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA256_C
-x509_verify_callback:"data_files/server7-badsign.crt":"data_files/test-ca2.crt":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA - flags 0x00000000\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000008\n"
-
-X509 Parse Selftest
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CERTS_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_selftest:
-
-X509 Certificate ASN1 (Incorrect first tag)
-x509parse_crt:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT
-
-X509 Certificate ASN1 (Correct first tag, data length does not match)
-x509parse_crt:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (Correct first tag, no more data)
-x509parse_crt:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (Correct first tag, length data incorrect)
-x509parse_crt:"30023085":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_INVALID_LENGTH
-
-X509 Certificate ASN1 (Correct first tag, length data incomplete)
-x509parse_crt:"30023083":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (Correct first tag, length data incomplete)
-x509parse_crt:"30023081":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (Correct first tag, length data incomplete)
-x509parse_crt:"3003308200":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (Correct first tag, second tag no TBSCertificate)
-x509parse_crt:"300100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, no version tag, serial missing)
-x509parse_crt:"3003300100":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, invalid version tag)
-x509parse_crt:"30053003a00101":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, valid version tag, no length)
-x509parse_crt:"30053003a00102":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, valid version tag, invalid length)
-x509parse_crt:"30163014a012021000000000000000000000000000000000":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_INVALID_LENGTH
-
-X509 Certificate ASN1 (TBSCertificate, valid version tag, no serial)
-x509parse_crt:"30073005a003020104":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, invalid length version tag)
-x509parse_crt:"30083006a00402010400":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate, incorrect serial tag)
-x509parse_crt:"30083006a00302010400":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, incorrect serial length)
-x509parse_crt:"30083006a00302010482":"":MBEDTLS_ERR_X509_INVALID_SERIAL + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, correct serial, no alg)
-x509parse_crt:"300d300ba0030201048204deadbeef":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, correct serial, no alg oid)
-x509parse_crt:"300e300ca0030201048204deadbeef00":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, alg oid no data in sequence)
-x509parse_crt:"300f300da0030201048204deadbeef3000":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, alg with params)
-x509parse_crt:"30163014a0030201048204deadbeef30070604cafed00d01":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, correct alg data, no params unknown version)
-x509parse_crt:"30153013a0030201048204deadbeef30060604cafed00d":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
-
-X509 Certificate ASN1 (TBSCertificate, correct alg data, unknown version)
-x509parse_crt:"30173015a0030201048204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
-
-X509 Certificate ASN1 (TBSCertificate, correct alg data, length mismatch)
-x509parse_crt:"30183016a0030201048204deadbeef30090604cafed00d050000":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate, correct alg, unknown alg_id)
-x509parse_crt:"30173015a0030201028204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND
-
-X509 Certificate ASN1 (TBSCertificate, correct alg, specific alg_id)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"301c301aa0030201028204deadbeef300d06092a864886f70d0101020500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, correct alg, unknown specific alg_id)
-x509parse_crt:"301c301aa0030201028204deadbeef300d06092a864886f70d0101010500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND
-
-X509 Certificate ASN1 (TBSCertificate, correct alg, bad RSASSA-PSS params)
-depends_on:MBEDTLS_X509_RSASSA_PSS_SUPPORT
-x509parse_crt:"30193017A003020102020118300D06092A864886F70D01010A3100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, issuer no set data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"301e301ca0030201028204deadbeef300d06092a864886f70d01010205003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, issuer no inner seq data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"3020301ea0030201028204deadbeef300d06092a864886f70d010102050030023100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, issuer no inner set data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30223020a0030201028204deadbeef300d06092a864886f70d0101020500300431023000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, issuer two inner set datas)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, issuer no oid data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30243022a0030201028204deadbeef300d06092a864886f70d01010205003006310430020600":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, issuer invalid tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600060454657374":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, issuer, no string data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30253023a0030201028204deadbeef300d06092a864886f70d0101020500300731053003060013":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, issuer, no full following string)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302b3029a0030201028204deadbeef300d06092a864886f70d0101020500300d310b3009060013045465737400":"":MBEDTLS_ERR_X509_INVALID_NAME+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, valid issuer, no validity)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"302a3028a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, too much date data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301d170c303930313031303030303030170c30393132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate, invalid from date)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303000000000170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
-
-X509 Certificate ASN1 (TBSCertificate, invalid to date)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30483046a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323300000000":"":MBEDTLS_ERR_X509_INVALID_DATE
-
-X509 Certificate ASN1 (TBSCertificate, valid validity, no subject)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30493047a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c30393132333132333539353930":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, valid subject, no pubkeyinfo)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30563054a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, no alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30583056a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743000":"":MBEDTLS_ERR_PK_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, valid subject, unknown pk alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092A864886F70D0101000500":"":MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, no bitstring)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092A864886F70D0101010500":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, no bitstring data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30693067a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743011300d06092A864886F70D01010105000300":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, invalid bitstring start)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306a3068a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743012300d06092A864886F70D0101010500030101":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_INVALID_DATA
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, invalid internal bitstring length)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400300000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, invalid internal bitstring tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"306d306ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743015300d06092A864886F70D0101010500030400310000":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, invalid mbedtls_mpi)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0302ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, total length mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30753073a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301d300d06092A864886F70D0101010500030b0030080202ffff0202ffff00":"":MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, check failed)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30743072a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374301c300d06092A864886F70D0101010500030b0030080202ffff0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
-
-X509 Certificate ASN1 (TBSCertificate, pubkey, check failed, expanded length notation)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210fffffffffffffffffffffffffffffffe0202ffff":"":MBEDTLS_ERR_PK_INVALID_PUBKEY
-
-X509 Certificate ASN1 (TBSCertificate v3, Optional UIDs, Extensions not present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308183308180a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, issuerID wrong tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308184308181a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff00":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate v3, UIDs, no ext)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bb":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, UIDs, invalid length)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308189308186a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa185aaa201bb":"":MBEDTLS_ERR_ASN1_INVALID_LENGTH
-
-X509 Certificate ASN1 (TBSCertificate v3, ext empty)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818b308188a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba300":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, ext length mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818e30818ba0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba303300000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (TBSCertificate v3, first ext invalid)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30818f30818ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30330023000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, first ext invalid tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819030818da0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba3043002310000":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, bool len missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, data missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30080603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no octet present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30d300b30090603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet data missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819c308199a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba311300f300d0603551d130101010403300100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, no pathlen)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"30819f30819ca0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba314301230100603551d130101010406300402010102":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, octet len mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH - -X509 Certificate ASN1 (ExtKeyUsage, bad second tag) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C -x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d250416301406082b0601050507030107082b06010505070302":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG - -X509 Certificate ASN1 (SubjectAltName repeated) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C -x509parse_crt:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS - -X509 Certificate ASN1 (ExtKeyUsage repeated) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C -x509parse_crt:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS - -X509 Certificate ASN1 (correct pubkey, no sig_alg) -depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C -x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":MBEDTLS_ERR_X509_INVALID_ALG + 
MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (sig_alg mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0102020500":"":MBEDTLS_ERR_X509_SIG_MISMATCH
-
-X509 Certificate ASN1 (sig_alg, no sig)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308192308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 Certificate ASN1 (signature, invalid sig data)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308195308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030100":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_INVALID_DATA
-
-X509 Certificate ASN1 (signature, data left)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308197308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff00":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 Certificate ASN1 (correct)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308196308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ?\?=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (GeneralizedTime instead of UTCTime)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308198308182a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301e180e3230313030313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ?\?=Test\nsubject name \: ?\?=Test\nissued on \: 2010-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 CN)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550403130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert.
version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: CN=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 C)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550406130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: C=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 L)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550407130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: L=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 ST)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b0603550408130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert.
version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ST=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 O)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b060355040a130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: O=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with X520 OU)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b060355040b130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: OU=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (Name with unknown X520 part)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
-x509parse_crt:"308199308183a0030201008204deadbeef300d06092a864886f70d0101020500300f310d300b06035504de130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert.
version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ?\?=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0 - -X509 Certificate ASN1 (Name with composite RDN) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509parse_crt:"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":"cert. version \: 3\nserial number \: 4C\:20\:E3\:BD\nissuer name \: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=Frankencert CA\nsubject name \: C=US, ST=Washington, ??=US, ??=Delaware, O=Authorize.Net LLC, ??=Private Organization, serialNumber=4369191 + CN=www.authorize.net, L=San Francisco\nissued on \: 2013-08-02 15\:14\:37\nexpires on \: 2015-08-17 05\:54\:31\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\n":0 - -X509 Certificate ASN1 (Name with PKCS9 email) -depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C -x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d010102050030153113301106092a864886f70d010901130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: emailAddress=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0 - -X509 Certificate ASN1 (Name with unknown PKCS9 part) -depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C -x509parse_crt:"30819f308189a0030201008204deadbeef300d06092a864886f70d010102050030153113301106092a864886f70d0109ab130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff300d06092a864886f70d0101020500030200ff":"cert. 
version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ?\?=Test\nsubject name \: ?\?=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with MD2\nRSA key size \: 128 bits\n":0
-
-X509 Certificate ASN1 (ECDSA signature, RSA key)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C
-x509parse_crt:"3081E630819E020103300906072A8648CE3D0401300F310D300B0603550403130454657374301E170D3133303731303039343631385A170D3233303730383039343631385A300F310D300B0603550403130454657374304C300D06092A864886F70D0101010500033B003038023100E8F546061D3B49BC2F6B7524B7EA4D73A8D5293EE8C64D9407B70B5D16BAEBC32B8205591EAB4E1EB57E9241883701250203010001300906072A8648CE3D0401033800303502186E18209AFBED14A0D9A796EFCAD68891E3CCD5F75815C833021900E92B4FD460B1994693243B9FFAD54729DE865381BDA41D25":"cert. version \: 1\nserial number \: 03\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:46\:18\nexpires on \: 2023-07-08 09\:46\:18\nsigned using \: ECDSA with SHA1\nRSA key size \: 384 bits\n":0
-
-X509 Certificate ASN1 (ECDSA signature, EC key)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C
-x509parse_crt:"3081EB3081A3020900F41534662EC7E912300906072A8648CE3D0401300F310D300B0603550403130454657374301E170D3133303731303039343031395A170D3233303730383039343031395A300F310D300B06035504031304546573743049301306072A8648CE3D020106082A8648CE3D030101033200042137969FABD4E370624A0E1A33E379CAB950CCE00EF8C3C3E2ADAEB7271C8F07659D65D3D777DCF21614363AE4B6E617300906072A8648CE3D04010338003035021858CC0F957946FE6A303D92885A456AA74C743C7B708CBD37021900FE293CAC21AF352D16B82EB8EA54E9410B3ABAADD9F05DD6":"cert.
version \: 1\nserial number \: F4\:15\:34\:66\:2E\:C7\:E9\:12\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 09\:40\:19\nexpires on \: 2023-07-08 09\:40\:19\nsigned using \: ECDSA with SHA1\nEC key size \: 192 bits\n":0 - -X509 Certificate ASN1 (RSA signature, EC key) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_RSA_C -x509parse_crt:"3081E430819F020104300D06092A864886F70D0101050500300F310D300B0603550403130454657374301E170D3133303731303135303233375A170D3233303730383135303233375A300F310D300B06035504031304546573743049301306072A8648CE3D020106082A8648CE3D03010103320004E962551A325B21B50CF6B990E33D4318FD16677130726357A196E3EFE7107BCB6BDC6D9DB2A4DF7C964ACFE81798433D300D06092A864886F70D01010505000331001A6C18CD1E457474B2D3912743F44B571341A7859A0122774A8E19A671680878936949F904C9255BDD6FFFDB33A7E6D8":"cert. version \: 1\nserial number \: 04\nissuer name \: CN=Test\nsubject name \: CN=Test\nissued on \: 2013-07-10 15\:02\:37\nexpires on \: 2023-07-08 15\:02\:37\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\n":0 - -X509 Certificate ASN1 (invalid version 3) -x509parse_crt:"30173015a0030201038204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION - -X509 Certificate ASN1 (invalid version overflow) -x509parse_crt:"301A3018a00602047FFFFFFF8204deadbeef30080604cafed00d0500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION - -X509 Certificate ASN1 (invalid SubjectAltNames tag) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509parse_crt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ncorrect first tag) -x509parse_crl:"":"":MBEDTLS_ERR_X509_INVALID_FORMAT - -X509 CRL ASN1 (Correct first tag, data length does not match) -x509parse_crl:"300000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH - -X509 CRL ASN1 (TBSCertList, tag missing) -x509parse_crl:"3000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA - -X509 CRL ASN1 (TBSCertList, version tag len missing) 
-x509parse_crl:"3003300102":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, version correct, alg missing)
-x509parse_crl:"30053003020100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, alg correct, incorrect version)
-x509parse_crl:"300b3009020102300406000500":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
-
-X509 CRL ASN1 (TBSCertList, correct version, sig_oid1 unknown)
-x509parse_crl:"300b3009020100300406000500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
-
-X509 CRL ASN1 (TBSCertList, sig_oid1 id unknown)
-x509parse_crl:"30143012020100300d06092a864886f70d01010f0500":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
-
-X509 CRL ASN1 (TBSCertList, sig_oid1 correct, issuer missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30143012020100300d06092a864886f70d01010e0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, issuer set missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30163014020100300d06092a864886f70d01010e05003000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, correct issuer, thisUpdate missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30253023020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, correct thisUpdate, nextUpdate missing, entries length missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30343032020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c30393031303130303030303030":"":MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRL ASN1 (TBSCertList, entries present, invalid sig_alg)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"304a3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c30383132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CRL ASN1 (TBSCertList, entries present, date in entry invalid)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"304a3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd190c30383132333132333539353900":"":MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CRL ASN1 (TBSCertList, sig_alg present, sig_alg does not match)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30583047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010d0500":"":MBEDTLS_ERR_X509_SIG_MISMATCH
-
-X509 CRL ASN1 (TBSCertList, sig present, len mismatch)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"305d3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e05000302000100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 CRL ASN1 (TBSCertList, sig present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"305c3047020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030301430128202abcd170c303831323331323335393539300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nserial number\: AB\:CD revocation date\: 2008-12-31 23\:59\:59\nsigned using \: RSA with SHA-224\n":0
-
-X509 CRL ASN1 (TBSCertList, no entries)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crl:"30463031020100300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"CRL version \: 1\nissuer name \: CN=ABCD\nthis update \: 2009-01-01 00\:00\:00\nnext update \: 0000-00-00 00\:00\:00\nRevoked certificates\:\nsigned using \: RSA with SHA-224\n":0 - -X509 CRL ASN1 (invalid version 2) -x509parse_crl:"30463031020102300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION - -X509 CRL ASN1 (invalid version overflow) -x509parse_crl:"3049303102047FFFFFFF300d06092a864886f70d01010e0500300f310d300b0603550403130441424344170c303930313031303030303030300d06092a864886f70d01010e050003020001":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION - -X509 CRL ASN1 (extension seq too long, crl-idp.pem byte 121) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA - -X509 CRL ASN1 (extension oid too long, crl-idp.pem byte 123) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA - -X509 CRL ASN1 (extension critical invalid length, crl-idp.pem byte 128) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C 
-x509parse_crl:"308201b330819c020101300d06092a864886f70d01010b0500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341170d3138303331343037333134385a170d3238303331343037333134385aa02d302b30290603551d1c0102ff041f301da01ba0198617687474703a2f2f706b692e6578616d706c652e636f6d2f300d06092a864886f70d01010b05000382010100b3fbe9d586eaf4b8ff60cf8edae06a85135db78f78198498719725b5b403c0b803c2c150f52faae7306d6a7871885dc2e9dc83a164bac7263776474ef642b660040b35a1410ac291ac8f6f18ab85e7fd6e22bd1af1c41ca95cf2448f6e2b42a018493dfc03c6b6aa1b9e3fe7b76af2182fb2121db4166bf0167d6f379c5a58adee5082423434d97be2909f5e7488053f996646db10dd49782626da53ad8eada01813c031b2bacdb0203bc017aac1735951a11d013ee4d1d5f7143ccbebf2371e66a1bec6e1febe69148f50784eef8adbb66664c96196d7e0c0bcdc807f447b54e058f37642a3337995bfbcd332208bd6016936705c82263eabd7affdba92fae3":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH - -X509 CRL ASN1 (extension data too long, crl-idp.pem byte 131) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA - -X509 CRL ASN1 (extension data too short, crl-idp.pem byte 131) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH - -X509 CRL ASN1 (extension not critical explicit, crl-idp.pem byte 129) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C -x509parse_crl:"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":"CRL version \: 2\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2018-03-14 07\:31\:48\nnext update \: 2028-03-14 07\:31\:48\nRevoked certificates\:\nsigned using \: RSA with SHA-256\n":0 - -X509 CRT parse path #2 (one cert) 
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_parse_path:"data_files/dir1":0:1
-
-X509 CRT parse path #3 (two certs)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_parse_path:"data_files/dir2":0:2
-
-X509 CRT parse path #4 (two certs, one non-cert)
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_parse_path:"data_files/dir3":1:2
-
-X509 CRT verify long chain (max intermediate CA, trusted)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA:0:0
-
-X509 CRT verify long chain (max intermediate CA, untrusted)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_max:"data_files/test-ca2.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA-1:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED
-
-X509 CRT verify long chain (max intermediate CA + 1)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_max:"data_files/dir-maxpath/00.crt":"data_files/dir-maxpath":MBEDTLS_X509_MAX_INTERMEDIATE_CA+1:MBEDTLS_ERR_X509_FATAL_ERROR:-1
-
-X509 CRT verify chain #1 (zero pathlen intermediate)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert14.crt data_files/dir4/cert13.crt data_files/dir4/cert12.crt":"data_files/dir4/cert11.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
-
-X509 CRT verify chain #2 (zero pathlen root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert23.crt
data_files/dir4/cert22.crt":"data_files/dir4/cert21.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
-
-X509 CRT verify chain #3 (nonzero pathlen root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert34.crt data_files/dir4/cert33.crt data_files/dir4/cert32.crt":"data_files/dir4/cert31.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
-
-X509 CRT verify chain #4 (nonzero pathlen intermediate)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert45.crt data_files/dir4/cert44.crt data_files/dir4/cert43.crt data_files/dir4/cert42.crt":"data_files/dir4/cert41.crt":MBEDTLS_X509_BADCERT_NOT_TRUSTED:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"":0
-
-X509 CRT verify chain #5 (nonzero maxpathlen intermediate)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert54.crt data_files/dir4/cert53.crt data_files/dir4/cert52.crt":"data_files/dir4/cert51.crt":0:0:"":0
-
-X509 CRT verify chain #6 (nonzero maxpathlen root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0
-
-X509 CRT verify chain #7 (maxpathlen root, self signed in path)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert74.crt data_files/dir4/cert73.crt data_files/dir4/cert72.crt":"data_files/dir4/cert71.crt":0:0:"":0
-
-X509 CRT verify chain #8 (self signed maxpathlen root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert61.crt data_files/dir4/cert63.crt data_files/dir4/cert62.crt":"data_files/dir4/cert61.crt":0:0:"":0
-
-X509 CRT verify chain #9 (zero pathlen first intermediate, valid)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert83.crt data_files/dir4/cert82.crt":"data_files/dir4/cert81.crt":0:0:"":0
-
-X509 CRT verify chain #10 (zero pathlen root, valid)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":0:0:"":0
-
-X509 CRT verify chain #11 (valid chain, missing profile)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/dir4/cert92.crt":"data_files/dir4/cert91.crt":-1:MBEDTLS_ERR_X509_BAD_INPUT_DATA:"nonesuch":0
-
-X509 CRT verify chain #12 (suiteb profile, RSA root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_crt_verify_chain:"data_files/server3.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
-
-X509 CRT verify chain #13 (RSA only profile, EC root)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server4.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
-
-X509 CRT verify chain #13 (RSA only profile, EC trusted EE)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
-
-X509 CRT verify chain #14 (RSA-3072 profile, root key too small)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
-mbedtls_x509_crt_verify_chain:"data_files/server1.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_MD|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
-
-X509 CRT verify chain #15 (suiteb profile, rsa intermediate)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_PK:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"suiteb":0
-
-X509 CRT verify chain #16 (RSA-only profile, EC intermediate)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_crt_verify_chain:"data_files/server8.crt data_files/test-int-ca2.crt":"data_files/test-ca.crt":MBEDTLS_X509_BADCERT_BAD_PK|MBEDTLS_X509_BADCERT_BAD_KEY:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"rsa3072":0
-
-X509 CRT verify chain #17 (SHA-512 profile)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server7.crt data_files/test-int-ca.crt":"data_files/test-ca2.crt":MBEDTLS_X509_BADCERT_BAD_MD:MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"sha512":0
-
-X509 CRT verify chain #18 (len=1, vrfy fatal on depth 1)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-2:"":2
-
-X509 CRT verify chain #19 (len=0, vrfy fatal on depth 0)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca2.crt":-1:-1:"":1
-
-X509 CRT verify chain #20 (len=1, vrfy fatal
on depth 0)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA512_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C
-mbedtls_x509_crt_verify_chain:"data_files/server5.crt":"data_files/test-ca.crt":-1:-1:"":1
-
-X509 CRT verify chain #21 (len=3, vrfy fatal on depth 3)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-4:"":8
-
-X509 CRT verify chain #22 (len=3, vrfy fatal on depth 2)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-3:"":4
-
-X509 CRT verify chain #23 (len=3, vrfy fatal on depth 1)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-2:"":2
-
-X509 CRT verify chain #24 (len=3, vrfy fatal on depth 0)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca.crt":-1:-1:"":1
-
-X509 CRT verify chain #25 (len=3, vrfy fatal on depth 3, untrusted)
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-mbedtls_x509_crt_verify_chain:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca2.crt":-1:-4:"":8
-
-X509 OID description #1
-x509_oid_desc:"2B06010505070301":"TLS Web Server Authentication"
-
-X509 OID description #2
-x509_oid_desc:"2B0601050507030f":"notfound"
-
-X509 OID description #3
-x509_oid_desc:"2B0601050507030100":"notfound"
-
-X509 OID numstring #1 (wide buffer)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":20:17
-
-X509 OID numstring #2 (buffer just fits)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":18:17
-
-X509 OID numstring #3 (buffer too small)
-x509_oid_numstr:"2B06010505070301":"1.3.6.1.5.5.7.3.1":17:MBEDTLS_ERR_OID_BUF_TOO_SMALL
-
-X509 OID numstring #4 (larger number)
-x509_oid_numstr:"2A864886F70D":"1.2.840.113549":15:14
-
-X509 OID numstring #5 (arithmetic overflow)
-x509_oid_numstr:"2A8648F9F8F7F6F5F4F3F2F1F001":"":100:MBEDTLS_ERR_OID_BUF_TOO_SMALL
-
-X509 crt keyUsage #1 (no extension, expected KU)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
-
-X509 crt keyUsage #2 (no extension, surprising KU)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:0
-
-X509 crt keyUsage #3 (extension present, no KU)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.key_usage.crt":0:0
-
-X509 crt keyUsage #4 (extension present, single KU present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE:0
-
-X509 crt keyUsage #5 (extension present, single KU absent)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA
-
-X509 crt keyUsage #6 (extension present, combined KU present)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:0
-
-X509 crt keyUsage #7 (extension present, combined KU both absent)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_CERT_SIGN|MBEDTLS_X509_KU_CRL_SIGN:MBEDTLS_ERR_X509_BAD_INPUT_DATA - -X509 crt keyUsage #8 (extension present, combined KU one absent) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_KEY_AGREEMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA - -X509 crt keyUsage #9 (extension present, decOnly allowed absent) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_check_key_usage:"data_files/server1.key_usage.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 - -X509 crt keyUsage #10 (extension present, decOnly non-allowed present) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT:MBEDTLS_ERR_X509_BAD_INPUT_DATA - -X509 crt keyUsage #11 (extension present, decOnly allowed present) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C -x509_check_key_usage:"data_files/keyUsage.decipherOnly.crt":MBEDTLS_X509_KU_DIGITAL_SIGNATURE|MBEDTLS_X509_KU_KEY_ENCIPHERMENT|MBEDTLS_X509_KU_DECIPHER_ONLY:0 - -X509 crt extendedKeyUsage #1 (no extension, serverAuth) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -x509_check_extended_key_usage:"data_files/server5.crt":"2B06010505070301":0 - -X509 crt extendedKeyUsage #2 (single value, present) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -x509_check_extended_key_usage:"data_files/server5.eku-srv.crt":"2B06010505070301":0 - -X509 crt extendedKeyUsage #3 (single value, absent) -depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -x509_check_extended_key_usage:"data_files/server5.eku-cli.crt":"2B06010505070301":MBEDTLS_ERR_X509_BAD_INPUT_DATA - -X509 crt extendedKeyUsage #4 (two values, first) 
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070301":0
-
-X509 crt extendedKeyUsage #5 (two values, second)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070302":0
-
-X509 crt extendedKeyUsage #6 (two values, other)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-srv_cli.crt":"2B06010505070303":MBEDTLS_ERR_X509_BAD_INPUT_DATA
-
-X509 crt extendedKeyUsage #7 (any, random)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
-x509_check_extended_key_usage:"data_files/server5.eku-cs_any.crt":"2B060105050703FF":0
-
-X509 RSASSA-PSS parameters ASN1 (good, all defaults)
-x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (wrong initial tag)
-x509_parse_rsassa_pss_params:"":MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (unknown tag in top-level sequence)
-x509_parse_rsassa_pss_params:"A400":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (good, HashAlg SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A00D300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (good, explicit HashAlg = default)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A009300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (HashAlg wrong len #1)
-x509_parse_rsassa_pss_params:"A00A300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (HashAlg wrong len #2)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A00A300706052B0E03021A00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (HashAlg with parameters)
-x509_parse_rsassa_pss_params:"A00F300D06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_INVALID_DATA
-
-X509 RSASSA-PSS parameters ASN1 (HashAlg unknown OID)
-x509_parse_rsassa_pss_params:"A00D300B06096086480165030402FF":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
-
-X509 RSASSA-PSS parameters ASN1 (good, MGAlg = MGF1-SHA256)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
-
-X509 RSASSA-PSS parameters ASN1 (good, explicit MGAlg = default)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
-x509_parse_rsassa_pss_params:"A116301406092A864886F70D010108300706052B0E03021A":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg wrong len #1)
-x509_parse_rsassa_pss_params:"A11B301806092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg wrong len #2)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11B301806092A864886F70D010108300B060960864801650304020100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg AlgId wrong len #1)
-x509_parse_rsassa_pss_params:"A11A301906092A864886F70D010108300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg OID != MGF1)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010109300B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE + MBEDTLS_ERR_OID_NOT_FOUND
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong tag)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108310B0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1a)
-x509_parse_rsassa_pss_params:"A10F300D06092A864886F70D0101083000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1b)
-x509_parse_rsassa_pss_params:"A11B301906092A864886F70D010108300C0609608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg not an OID)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B0709608648016503040201":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params.alg unknown OID)
-x509_parse_rsassa_pss_params:"A11A301806092A864886F70D010108300B06096086480165030402FF":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_OID_NOT_FOUND
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params.params NULL)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11C301A06092A864886F70D010108300D06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:0
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params.params wrong tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11C301A06092A864886F70D010108300D06096086480165030402013000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #1c)
-x509_parse_rsassa_pss_params:"A11D301B06092A864886F70D010108300E06096086480165030402010500":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (MGAlg.params wrong len #2)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509_parse_rsassa_pss_params:"A11D301B06092A864886F70D010108300E0609608648016503040201050000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA256:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (good, saltLen = 94)
-x509_parse_rsassa_pss_params:"A20302015E":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:0
-
-X509 RSASSA-PSS parameters ASN1 (good, explicit saltLen = default)
-x509_parse_rsassa_pss_params:"A203020114":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (saltLen wrong len #1)
-x509_parse_rsassa_pss_params:"A20402015E":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (saltLen wrong len #2)
-x509_parse_rsassa_pss_params:"A20402015E00":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (saltLen not an int)
-x509_parse_rsassa_pss_params:"A2023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:94:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (good, explicit trailerField = default)
-x509_parse_rsassa_pss_params:"A303020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:0
-
-X509 RSASSA-PSS parameters ASN1 (trailerField wrong len #1)
-x509_parse_rsassa_pss_params:"A304020101":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 RSASSA-PSS parameters ASN1 (trailerField wrong len #2)
-x509_parse_rsassa_pss_params:"A30402010100":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 RSASSA-PSS parameters ASN1 (trailerField not an int)
-x509_parse_rsassa_pss_params:"A3023000":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 RSASSA-PSS parameters ASN1 (trailerField not 1)
-x509_parse_rsassa_pss_params:"A303020102":MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE:MBEDTLS_MD_SHA1:MBEDTLS_MD_SHA1:20:MBEDTLS_ERR_X509_INVALID_ALG
-
-X509 CSR ASN.1 (OK)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"308201183081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0
-
-X509 CSR ASN.1 (bad first tag)
-mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT
-
-X509 CSR ASN.1 (bad sequence: overlong)
-mbedtls_x509_csr_parse:"3001":"":MBEDTLS_ERR_X509_INVALID_FORMAT
-
-X509 CSR ASN.1 (total length mistmatch)
-mbedtls_x509_csr_parse:"30010000":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 CSR ASN.1 (bad CRI: not a sequence)
-mbedtls_x509_csr_parse:"30023100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad CRI: overlong)
-mbedtls_x509_csr_parse:"30023001":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad CRI.Version: overlong)
-mbedtls_x509_csr_parse:"30053002020100":"":MBEDTLS_ERR_X509_INVALID_VERSION + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad CRI.Version: not v1)
-mbedtls_x509_csr_parse:"30053003020101":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
-
-X509 CSR ASN.1 (bad CRI.Name: not a sequence)
-mbedtls_x509_csr_parse:"300730050201003100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad CRI.Name: overlong)
-mbedtls_x509_csr_parse:"30083005020100300100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad CRI.Name payload: not a set)
-mbedtls_x509_csr_parse:"3009300702010030023000":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad CRI.Name payload: overlong)
-mbedtls_x509_csr_parse:"300A30080201003002310100":"":MBEDTLS_ERR_X509_INVALID_NAME + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad SubjectPublicKeyInfo: missing)
-mbedtls_x509_csr_parse:"30143012020100300D310B3009060355040613024E4C":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad SubjectPublicKeyInfo: not a sequence)
-mbedtls_x509_csr_parse:"30163014020100300D310B3009060355040613024E4C3100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad SubjectPublicKeyInfo: overlong)
-mbedtls_x509_csr_parse:"30173014020100300D310B3009060355040613024E4C300100":"":MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad attributes: missing)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081973081940201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad attributes: bad tag)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081993081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF0500":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad attributes: overlong)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"30819A3081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA00100":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad sigAlg: missing)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C23081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad sigAlg: not a sequence)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03100":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad sigAlg: overlong)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03001":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad sigAlg: unknown)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-mbedtls_x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04FF":"":MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
-
-X509 CSR ASN.1 (bad sig: missing)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D0401":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (bad sig: not a bit string)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010400":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CSR ASN.1 (bad sig: overlong)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010301":"":MBEDTLS_ERR_X509_INVALID_SIGNATURE + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CSR ASN.1 (extra data after signature)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C
-mbedtls_x509_csr_parse:"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":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 CSR ASN.1 (invalid version overflow)
-mbedtls_x509_csr_parse:"3008300602047FFFFFFF":"":MBEDTLS_ERR_X509_UNKNOWN_VERSION
-
-X509 File parse (no issues)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_int-ca.crt":0
-
-X509 File parse (extra space in one certificate)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_pem_space.crt":1
-
-X509 File parse (all certificates fail)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_all_space.crt":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER
-
-X509 File parse (trailing spaces, OK)
-depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
-x509parse_crt_file:"data_files/server7_trailing_space.crt":0
-
-X509 Get time (UTC no issues)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0
-
-X509 Get time (Generalized Time no issues)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"99991231235959Z":0:9999:12:31:23:59:59
-
-X509 Get time (UTC year without leap day)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"490229121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC year with leap day)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212Z":0:2000:2:29:12:12:12
-
-X509 Get time (UTC invalid day of month #1)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000132121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid day of month #2)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001131121212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid hour)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130241212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid min)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130236012Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid sec)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130235960Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC without time zone)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212":0:2000:2:29:12:12:12
-
-X509 Get time (UTC with invalid time zone #1)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212J":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC with invalid time zone #2)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212+0300":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (Date with invalid tag)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_CONTEXT_SPECIFIC:"000229121212":MBEDTLS_ERR_X509_INVALID_DATE+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:0:0:0:0:0:0
-
-X509 Get time (UTC, truncated)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (Generalized Time, truncated)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229121":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC without seconds)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212":MBEDTLS_ERR_X509_INVALID_DATE:2000:2:29:12:12:0
-
-X509 Get time (UTC without seconds and with invalid time zone #1)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212J":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC without second and with invalid time zone #2)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212+0300":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in year)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0\1130231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in month)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001%30231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in day)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011`0231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in hour)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302h1212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in min)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"00113023u012Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (UTC invalid character in sec)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (Generalized Time, year multiple of 100 but not 400 is not a leap year)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19000229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 Get time (Generalized Time, year multiple of 4 but not 100 is a leap year)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19920229000000Z":0:1992:2:29:0:0:0
-
-X509 Get time (Generalized Time, year multiple of 400 is a leap year)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229000000Z":0:2000:2:29:0:0:0
-
-X509 Get time (Generalized Time invalid leap year not multiple of 4, 100 or 400)
-depends_on:MBEDTLS_X509_USE_C
-x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"19910229000000Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
-
-X509 cert verify restart: trusted EE, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
-
-X509 cert verify restart: trusted EE, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0
-
-X509 cert verify restart: no intermediate, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
-
-X509 cert verify restart: no intermediate, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000
-
-X509 cert verify restart: no intermediate, max_ops=40000
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0
-
-X509 cert verify restart: no intermediate, max_ops=500
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80
-
-X509 cert verify restart: no intermediate, badsign, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
-
-X509 cert verify restart: no intermediate, badsign, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
-
-X509 cert verify restart: no intermediate, badsign, max_ops=40000
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
-
-X509 cert verify restart: no intermediate, badsign, max_ops=500
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
-x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
-
-X509 cert verify restart: one int, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
-
-X509 cert verify restart: one int, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000
-
-X509 cert verify restart: one int, max_ops=30000
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0
-
-X509 cert verify restart: one int, max_ops=500
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100
-
-X509 cert verify restart: one int, EE badsign, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
-
-X509 cert verify restart: one int, EE badsign, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
-
-X509 cert verify restart: one int, EE badsign, max_ops=30000
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
-
-X509 cert verify restart: one int, EE badsign, max_ops=500
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
-
-X509 cert verify restart: one int, int badsign, max_ops=0 (disabled)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
-
-X509 cert verify restart: one int, int badsign, max_ops=1
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
-
-X509 cert verify restart: one int, int badsign, max_ops=30000
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
-
-X509 cert verify restart: one int, int badsign, max_ops=500
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
-x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
deleted file mode 100644
index 4a826082b..000000000
--- a/tests/suites/test_suite_x509parse.function
+++ /dev/null
@@ -1,861 +0,0 @@
-/* BEGIN_HEADER */
-#include "mbedtls/bignum.h"
-#include "mbedtls/x509.h"
-#include "mbedtls/x509_crt.h"
-#include "mbedtls/x509_crl.h"
-#include "mbedtls/x509_csr.h"
-#include "mbedtls/pem.h"
-#include "mbedtls/oid.h"
-#include "mbedtls/base64.h"
-#include "string.h"
-
-#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
-#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
-than the current threshold 19. To test larger values, please \
-adapt the script tests/data_files/dir-max/long.sh."
-#endif
-
-/* Profile for backward compatibility. Allows SHA-1, unlike the default
- profile. */
-const mbedtls_x509_crt_profile compat_profile =
-{
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
- 0xFFFFFFF, /* Any PK alg */
- 0xFFFFFFF, /* Any curve */
- 1024,
-};
-
-const mbedtls_x509_crt_profile profile_rsa3072 =
-{
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
- MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA ),
- 0,
- 3072,
-};
-
-const mbedtls_x509_crt_profile profile_sha512 =
-{
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
- 0xFFFFFFF, /* Any PK alg */
- 0xFFFFFFF, /* Any curve */
- 1024,
-};
-
-int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
-{
- ((void) data);
- ((void) crt);
- ((void) certificate_depth);
- *flags |= MBEDTLS_X509_BADCERT_OTHER;
-
- return 0;
-}
-
-int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
-{
- ((void) data);
- ((void) crt);
- ((void) certificate_depth);
- *flags = 0;
-
- return 0;
-}
-
-int verify_fatal( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
-{
- int *levels = (int *) data;
-
- ((void) crt);
- ((void) certificate_depth);
-
- /* Simulate a fatal error in the callback */
- if( *levels & ( 1 << certificate_depth ) )
- {
- *flags |= ( 1 << certificate_depth );
- return( -1 - certificate_depth );
- }
-
- return( 0 );
-}
-
-/* strsep() not available on Windows */
-char *mystrsep(char **stringp, const char *delim)
-{
- const char *p;
- char *ret = *stringp;
-
- if( *stringp == NULL )
- return( NULL );
-
- for( ; ; (*stringp)++ )
- {
- if( **stringp == '\0' )
- {
- *stringp = NULL;
- goto done;
- }
-
- for( p = delim; *p != '\0'; p++ )
- if( **stringp == *p )
- {
- **stringp = '\0';
- (*stringp)++;
- goto done;
- }
- }
-
-done:
- return( ret );
-}
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-typedef struct {
- char buf[512];
- char *p;
-} verify_print_context;
-
-void verify_print_init( verify_print_context *ctx )
-{
- memset( ctx, 0, sizeof( verify_print_context ) );
- ctx->p = ctx->buf;
-}
-
-int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
-{
- int ret;
- verify_print_context *ctx = (verify_print_context *) data;
- char *p = ctx->p;
- size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p;
- ((void) flags);
-
- ret = mbedtls_snprintf( p, n, "depth %d - serial ", certificate_depth );
- MBEDTLS_X509_SAFE_SNPRINTF;
-
- ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
- MBEDTLS_X509_SAFE_SNPRINTF;
-
- ret = mbedtls_snprintf( p, n, " - subject " );
- MBEDTLS_X509_SAFE_SNPRINTF;
-
- ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
- MBEDTLS_X509_SAFE_SNPRINTF;
-
- ret = mbedtls_snprintf( p, n, " - flags 0x%08x\n", *flags );
- MBEDTLS_X509_SAFE_SNPRINTF;
-
- ctx->p = p;
-
- return( 0 );
-}
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-/* END_HEADER */
-
-/* BEGIN_DEPENDENCIES
- * depends_on:MBEDTLS_BIGNUM_C
- * END_DEPENDENCIES
- */
-
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
-void x509_cert_info( char * crt_file, char * result_str )
-{
- mbedtls_x509_crt crt;
- char buf[2000];
- int res;
-
mbedtls_x509_crt_init( &crt ); - memset( buf, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - res = mbedtls_x509_crt_info( buf, 2000, "", &crt ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( buf, result_str ) == 0 ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ -void mbedtls_x509_crl_info( char * crl_file, char * result_str ) -{ - mbedtls_x509_crl crl; - char buf[2000]; - int res; - - mbedtls_x509_crl_init( &crl ); - memset( buf, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); - res = mbedtls_x509_crl_info( buf, 2000, "", &crl ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( buf, result_str ) == 0 ); - -exit: - mbedtls_x509_crl_free( &crl ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */ -void mbedtls_x509_crl_parse( char * crl_file, int result ) -{ - mbedtls_x509_crl crl; - char buf[2000]; - - mbedtls_x509_crl_init( &crl ); - memset( buf, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == result ); - -exit: - mbedtls_x509_crl_free( &crl ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C */ -void mbedtls_x509_csr_info( char * csr_file, char * result_str ) -{ - mbedtls_x509_csr csr; - char buf[2000]; - int res; - - mbedtls_x509_csr_init( &csr ); - memset( buf, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_csr_parse_file( &csr, csr_file ) == 0 ); - res = mbedtls_x509_csr_info( buf, 2000, "", &csr ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( buf, result_str ) == 0 ); - -exit: - mbedtls_x509_csr_free( &csr ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ -void x509_verify_info( int flags, char * prefix, char * result_str ) -{ - char buf[2000]; - int res; - - memset( buf, 0, 
sizeof( buf ) ); - - res = mbedtls_x509_crt_verify_info( buf, sizeof( buf ), prefix, flags ); - - TEST_ASSERT( res >= 0 ); - - TEST_ASSERT( strcmp( buf, result_str ) == 0 ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C:MBEDTLS_ECP_RESTARTABLE:MBEDTLS_ECDSA_C */ -void x509_verify_restart( char *crt_file, char *ca_file, - int result, int flags_result, - int max_ops, int min_restart, int max_restart ) -{ - int ret, cnt_restart; - mbedtls_x509_crt_restart_ctx rs_ctx; - mbedtls_x509_crt crt; - mbedtls_x509_crt ca; - uint32_t flags = 0; - - /* - * See comments on ecp_test_vect_restart() for op count precision. - * - * For reference, with mbed TLS 2.6 and default settings: - * - ecdsa_verify() for P-256: ~ 6700 - * - ecdsa_verify() for P-384: ~ 18800 - * - x509_verify() for server5 -> test-ca2: ~ 18800 - * - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500 - */ - - mbedtls_x509_crt_restart_init( &rs_ctx ); - mbedtls_x509_crt_init( &crt ); - mbedtls_x509_crt_init( &ca ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); - - mbedtls_ecp_set_max_ops( max_ops ); - - cnt_restart = 0; - do { - ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, - &mbedtls_x509_crt_profile_default, NULL, &flags, - NULL, NULL, &rs_ctx ); - } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); - - TEST_ASSERT( ret == result ); - TEST_ASSERT( flags == (uint32_t) flags_result ); - - TEST_ASSERT( cnt_restart >= min_restart ); - TEST_ASSERT( cnt_restart <= max_restart ); - - /* Do we leak memory when aborting? 
*/ - ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, - &mbedtls_x509_crt_profile_default, NULL, &flags, - NULL, NULL, &rs_ctx ); - TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); - -exit: - mbedtls_x509_crt_restart_free( &rs_ctx ); - mbedtls_x509_crt_free( &crt ); - mbedtls_x509_crt_free( &ca ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CRL_PARSE_C */ -void x509_verify( char *crt_file, char *ca_file, char *crl_file, - char *cn_name_str, int result, int flags_result, - char *profile_str, - char *verify_callback ) -{ - mbedtls_x509_crt crt; - mbedtls_x509_crt ca; - mbedtls_x509_crl crl; - uint32_t flags = 0; - int res; - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; - char * cn_name = NULL; - const mbedtls_x509_crt_profile *profile; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - TEST_ASSERT( psa_crypto_init() == 0 ); -#endif - - mbedtls_x509_crt_init( &crt ); - mbedtls_x509_crt_init( &ca ); - mbedtls_x509_crl_init( &crl ); - - if( strcmp( cn_name_str, "NULL" ) != 0 ) - cn_name = cn_name_str; - - if( strcmp( profile_str, "" ) == 0 ) - profile = &mbedtls_x509_crt_profile_default; - else if( strcmp( profile_str, "next" ) == 0 ) - profile = &mbedtls_x509_crt_profile_next; - else if( strcmp( profile_str, "suite_b" ) == 0 ) - profile = &mbedtls_x509_crt_profile_suiteb; - else if( strcmp( profile_str, "compat" ) == 0 ) - profile = &compat_profile; - else - TEST_ASSERT( "Unknown algorithm profile" == 0 ); - - if( strcmp( verify_callback, "NULL" ) == 0 ) - f_vrfy = NULL; - else if( strcmp( verify_callback, "verify_none" ) == 0 ) - f_vrfy = verify_none; - else if( strcmp( verify_callback, "verify_all" ) == 0 ) - f_vrfy = verify_all; - else - TEST_ASSERT( "No known verify callback selected" == 0 ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); - TEST_ASSERT( 
mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); - - res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL ); - - TEST_ASSERT( res == ( result ) ); - TEST_ASSERT( flags == (uint32_t)( flags_result ) ); - -exit: - mbedtls_x509_crt_free( &crt ); - mbedtls_x509_crt_free( &ca ); - mbedtls_x509_crl_free( &crl ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void x509_verify_callback( char *crt_file, char *ca_file, char *name, - int exp_ret, char *exp_vrfy_out ) -{ - int ret; - mbedtls_x509_crt crt; - mbedtls_x509_crt ca; - uint32_t flags = 0; - verify_print_context vrfy_ctx; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - TEST_ASSERT( psa_crypto_init() == 0 ); -#endif - - mbedtls_x509_crt_init( &crt ); - mbedtls_x509_crt_init( &ca ); - verify_print_init( &vrfy_ctx ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); - - if( strcmp( name, "NULL" ) == 0 ) - name = NULL; - - ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL, - &compat_profile, - name, &flags, - verify_print, &vrfy_ctx ); - - TEST_ASSERT( ret == exp_ret ); - TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 ); - -exit: - mbedtls_x509_crt_free( &crt ); - mbedtls_x509_crt_free( &ca ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_dn_gets( char * crt_file, char * entity, char * result_str ) -{ - mbedtls_x509_crt crt; - char buf[2000]; - int res = 0; - - mbedtls_x509_crt_init( &crt ); - memset( buf, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - if( strcmp( entity, "subject" ) == 0 ) - res = mbedtls_x509_dn_gets( buf, 2000, &crt.subject ); - else if( strcmp( entity, "issuer" ) == 0 ) - res = mbedtls_x509_dn_gets( buf, 2000, &crt.issuer ); - else - TEST_ASSERT( "Unknown entity" == 0 ); - - TEST_ASSERT( res != -1 ); - 
TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( buf, result_str ) == 0 ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_time_is_past( char * crt_file, char * entity, int result ) -{ - mbedtls_x509_crt crt; - - mbedtls_x509_crt_init( &crt ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - - if( strcmp( entity, "valid_from" ) == 0 ) - TEST_ASSERT( mbedtls_x509_time_is_past( &crt.valid_from ) == result ); - else if( strcmp( entity, "valid_to" ) == 0 ) - TEST_ASSERT( mbedtls_x509_time_is_past( &crt.valid_to ) == result ); - else - TEST_ASSERT( "Unknown entity" == 0 ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_time_is_future( char * crt_file, char * entity, int result ) -{ - mbedtls_x509_crt crt; - - mbedtls_x509_crt_init( &crt ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - - if( strcmp( entity, "valid_from" ) == 0 ) - TEST_ASSERT( mbedtls_x509_time_is_future( &crt.valid_from ) == result ); - else if( strcmp( entity, "valid_to" ) == 0 ) - TEST_ASSERT( mbedtls_x509_time_is_future( &crt.valid_to ) == result ); - else - TEST_ASSERT( "Unknown entity" == 0 ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_FS_IO */ -void x509parse_crt_file( char * crt_file, int result ) -{ - mbedtls_x509_crt crt; - - mbedtls_x509_crt_init( &crt ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == result ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ -void x509parse_crt( data_t * buf, char * result_str, int result ) -{ - mbedtls_x509_crt crt; - unsigned char output[2000]; - int res; - - mbedtls_x509_crt_init( &crt ); - memset( output, 0, 2000 ); - - TEST_ASSERT( 
mbedtls_x509_crt_parse_der( &crt, buf->x, buf->len ) == ( result ) ); - if( ( result ) == 0 ) - { - res = mbedtls_x509_crt_info( (char *) output, 2000, "", &crt ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); - } - - mbedtls_x509_crt_free( &crt ); - mbedtls_x509_crt_init( &crt ); - memset( output, 0, 2000 ); - - TEST_ASSERT( mbedtls_x509_crt_parse_der_nocopy( &crt, buf->x, buf->len ) == ( result ) ); - if( ( result ) == 0 ) - { - res = mbedtls_x509_crt_info( (char *) output, 2000, "", &crt ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); - } - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRL_PARSE_C */ -void x509parse_crl( data_t * buf, char * result_str, int result ) -{ - mbedtls_x509_crl crl; - unsigned char output[2000]; - int res; - - mbedtls_x509_crl_init( &crl ); - memset( output, 0, 2000 ); - - - TEST_ASSERT( mbedtls_x509_crl_parse( &crl, buf->x, buf->len ) == ( result ) ); - if( ( result ) == 0 ) - { - res = mbedtls_x509_crl_info( (char *) output, 2000, "", &crl ); - - TEST_ASSERT( res != -1 ); - TEST_ASSERT( res != -2 ); - - TEST_ASSERT( strcmp( (char *) output, result_str ) == 0 ); - } - -exit: - mbedtls_x509_crl_free( &crl ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CSR_PARSE_C */ -void mbedtls_x509_csr_parse( data_t * csr_der, char * ref_out, int ref_ret ) -{ - mbedtls_x509_csr csr; - char my_out[1000]; - int my_ret; - - mbedtls_x509_csr_init( &csr ); - memset( my_out, 0, sizeof( my_out ) ); - - my_ret = mbedtls_x509_csr_parse_der( &csr, csr_der->x, csr_der->len ); - TEST_ASSERT( my_ret == ref_ret ); - - if( ref_ret == 0 ) - { - size_t my_out_len = mbedtls_x509_csr_info( my_out, sizeof( my_out ), "", &csr ); - TEST_ASSERT( my_out_len == strlen( ref_out ) ); - TEST_ASSERT( strcmp( my_out, ref_out ) == 0 ); - } - -exit: - 
mbedtls_x509_csr_free( &csr ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_crt_parse_path( char * crt_path, int ret, int nb_crt ) -{ - mbedtls_x509_crt chain, *cur; - int i; - - mbedtls_x509_crt_init( &chain ); - - TEST_ASSERT( mbedtls_x509_crt_parse_path( &chain, crt_path ) == ret ); - - /* Check how many certs we got */ - for( i = 0, cur = &chain; cur != NULL; cur = cur->next ) - if( cur->raw.p != NULL ) - i++; - - TEST_ASSERT( i == nb_crt ); - -exit: - mbedtls_x509_crt_free( &chain ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, - int ret_chk, int flags_chk ) -{ - char file_buf[128]; - int ret; - uint32_t flags; - mbedtls_x509_crt trusted, chain; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - TEST_ASSERT( psa_crypto_init() == 0 ); -#endif - - /* - * We expect chain_dir to contain certificates 00.crt, 01.crt, etc. 
- * with NN.crt signed by NN-1.crt - */ - - mbedtls_x509_crt_init( &trusted ); - mbedtls_x509_crt_init( &chain ); - - /* Load trusted root */ - TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, ca_file ) == 0 ); - - /* Load a chain with nb_int intermediates (from 01 to nb_int), - * plus one "end-entity" cert (nb_int + 1) */ - ret = mbedtls_snprintf( file_buf, sizeof file_buf, "%s/c%02d.pem", chain_dir, - nb_int + 1 ); - TEST_ASSERT( ret > 0 && (size_t) ret < sizeof file_buf ); - TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); - - /* Try to verify that chain */ - ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags, - NULL, NULL ); - TEST_ASSERT( ret == ret_chk ); - TEST_ASSERT( flags == (uint32_t) flags_chk ); - -exit: - mbedtls_x509_crt_free( &chain ); - mbedtls_x509_crt_free( &trusted ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ -void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, - int flags_result, int result, - char *profile_name, int vrfy_fatal_lvls ) -{ - char* act; - uint32_t flags; - int res; - mbedtls_x509_crt trusted, chain; - const mbedtls_x509_crt_profile *profile = NULL; - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - TEST_ASSERT( psa_crypto_init() == 0 ); -#endif - - mbedtls_x509_crt_init( &chain ); - mbedtls_x509_crt_init( &trusted ); - - while( ( act = mystrsep( &chain_paths, " " ) ) != NULL ) - TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, act ) == 0 ); - TEST_ASSERT( mbedtls_x509_crt_parse_file( &trusted, trusted_ca ) == 0 ); - - if( strcmp( profile_name, "" ) == 0 ) - profile = &mbedtls_x509_crt_profile_default; - else if( strcmp( profile_name, "next" ) == 0 ) - profile = &mbedtls_x509_crt_profile_next; - else if( strcmp( profile_name, "suiteb" ) == 0 ) - profile = &mbedtls_x509_crt_profile_suiteb; - else if( strcmp( profile_name, "rsa3072" ) == 0 ) - profile = &profile_rsa3072; - else if( strcmp( profile_name, "sha512" ) == 0 ) - profile = 
&profile_sha512; - - res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile, - NULL, &flags, verify_fatal, &vrfy_fatal_lvls ); - - TEST_ASSERT( res == ( result ) ); - TEST_ASSERT( flags == (uint32_t)( flags_result ) ); - -exit: - mbedtls_x509_crt_free( &trusted ); - mbedtls_x509_crt_free( &chain ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ -void x509_oid_desc( data_t * buf, char * ref_desc ) -{ - mbedtls_x509_buf oid; - const char *desc = NULL; - int ret; - - - oid.tag = MBEDTLS_ASN1_OID; - oid.p = buf->x; - oid.len = buf->len; - - ret = mbedtls_oid_get_extended_key_usage( &oid, &desc ); - - if( strcmp( ref_desc, "notfound" ) == 0 ) - { - TEST_ASSERT( ret != 0 ); - TEST_ASSERT( desc == NULL ); - } - else - { - TEST_ASSERT( ret == 0 ); - TEST_ASSERT( desc != NULL ); - TEST_ASSERT( strcmp( desc, ref_desc ) == 0 ); - } -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ -void x509_oid_numstr( data_t * oid_buf, char * numstr, int blen, int ret ) -{ - mbedtls_x509_buf oid; - char num_buf[100]; - - memset( num_buf, 0x2a, sizeof num_buf ); - - oid.tag = MBEDTLS_ASN1_OID; - oid.p = oid_buf->x; - oid.len = oid_buf->len; - - TEST_ASSERT( (size_t) blen <= sizeof num_buf ); - - TEST_ASSERT( mbedtls_oid_get_numeric_string( num_buf, blen, &oid ) == ret ); - - if( ret >= 0 ) - { - TEST_ASSERT( num_buf[ret] == 0 ); - TEST_ASSERT( strcmp( num_buf, numstr ) == 0 ); - } -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_KEY_USAGE */ -void x509_check_key_usage( char * crt_file, int usage, int ret ) -{ - mbedtls_x509_crt crt; - - mbedtls_x509_crt_init( &crt ); - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - - TEST_ASSERT( mbedtls_x509_crt_check_key_usage( &crt, usage ) == ret ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ 
-void x509_check_extended_key_usage( char * crt_file, data_t * oid, int ret - ) -{ - mbedtls_x509_crt crt; - - mbedtls_x509_crt_init( &crt ); - - - TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); - - TEST_ASSERT( mbedtls_x509_crt_check_extended_key_usage( &crt, (const char *)oid->x, oid->len ) == ret ); - -exit: - mbedtls_x509_crt_free( &crt ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_USE_C */ -void x509_get_time( int tag, char * time_str, int ret, int year, int mon, - int day, int hour, int min, int sec ) -{ - mbedtls_x509_time time; - unsigned char buf[21]; - unsigned char* start = buf; - unsigned char* end = buf; - - memset( &time, 0x00, sizeof( time ) ); - *end = (unsigned char)tag; end++; - *end = strlen( time_str ); - TEST_ASSERT( *end < 20 ); - end++; - memcpy( end, time_str, (size_t)*(end - 1) ); - end += *(end - 1); - - TEST_ASSERT( mbedtls_x509_get_time( &start, end, &time ) == ret ); - if( ret == 0 ) - { - TEST_ASSERT( year == time.year ); - TEST_ASSERT( mon == time.mon ); - TEST_ASSERT( day == time.day ); - TEST_ASSERT( hour == time.hour ); - TEST_ASSERT( min == time.min ); - TEST_ASSERT( sec == time.sec ); - } -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT */ -void x509_parse_rsassa_pss_params( data_t * hex_params, int params_tag, - int ref_msg_md, int ref_mgf_md, - int ref_salt_len, int ref_ret ) -{ - int my_ret; - mbedtls_x509_buf params; - mbedtls_md_type_t my_msg_md, my_mgf_md; - int my_salt_len; - - params.p = hex_params->x; - params.len = hex_params->len; - params.tag = params_tag; - - my_ret = mbedtls_x509_get_rsassa_pss_params( ¶ms, &my_msg_md, &my_mgf_md, - &my_salt_len ); - - TEST_ASSERT( my_ret == ref_ret ); - - if( ref_ret == 0 ) - { - TEST_ASSERT( my_msg_md == (mbedtls_md_type_t) ref_msg_md ); - TEST_ASSERT( my_mgf_md == (mbedtls_md_type_t) ref_mgf_md ); - TEST_ASSERT( my_salt_len == ref_salt_len ); - } - -exit: - ;; -} -/* END_CASE */ - -/* 
BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_SELF_TEST */
-void x509_selftest( )
-{
- TEST_ASSERT( mbedtls_x509_self_test( 1 ) == 0 );
-}
-/* END_CASE */
diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data
deleted file mode 100644
index 54d72701e..000000000
--- a/tests/suites/test_suite_x509write.data
+++ /dev/null
@@ -1,105 +0,0 @@
-Certificate Request check Server1 SHA1
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha1":MBEDTLS_MD_SHA1:0:0:0:0
-
-Certificate Request check Server1 SHA224
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha224":MBEDTLS_MD_SHA224:0:0:0:0
-
-Certificate Request check Server1 SHA256
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha256":MBEDTLS_MD_SHA256:0:0:0:0
-
-Certificate Request check Server1 SHA384
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha384":MBEDTLS_MD_SHA384:0:0:0:0
-
-Certificate Request check Server1 SHA512
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.sha512":MBEDTLS_MD_SHA512:0:0:0:0
-
-Certificate Request check Server1 MD4
-depends_on:MBEDTLS_MD4_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md4":MBEDTLS_MD_MD4:0:0:0:0
-
-Certificate Request check Server1 MD5
-depends_on:MBEDTLS_MD5_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.md5":MBEDTLS_MD_MD5:0:0:0:0
-
-Certificate Request check Server1 key_usage
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0
-
-Certificate Request check Server1 key_usage empty
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.key_usage_empty":MBEDTLS_MD_SHA1:0:1:0:0
-
-Certificate Request check Server1 ns_cert_type
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
-
-Certificate Request check Server1 ns_cert_type empty
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.cert_type_empty":MBEDTLS_MD_SHA1:0:0:0:1
-
-Certificate Request check Server1 key_usage + ns_cert_type
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
-x509_csr_check:"data_files/server1.key":"data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1
-
-Certificate Request check Server5 ECDSA, key_usage
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDSA_DETERMINISTIC:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_csr_check:"data_files/server5.key":"data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0
-
-Certificate Request check opaque Server5 ECDSA, key_usage
-depends_on:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
-x509_csr_check_opaque:"data_files/server5.key":MBEDTLS_MD_SHA256:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:0
-
-Certificate write check Server1 SHA1
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:-1:"data_files/server1.crt":0
-
-Certificate write check Server1 SHA1, key_usage
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:1:-1:"data_files/server1.key_usage.crt":0
-
-Certificate write check Server1 SHA1, ns_cert_type
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"data_files/server1.cert_type.crt":0
-
-Certificate write check Server1 SHA1, version 1
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
-
-Certificate write check Server1 SHA1, RSA_ALT
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1
-
-Certificate write check Server1 SHA1, RSA_ALT, key_usage
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
-
-Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1
-
-Certificate write check Server1 SHA1, RSA_ALT, version 1
-depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
-x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20110212144406":"20210212144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1
-
-X509 String to Names #1
-mbedtls_x509_string_to_names:"C=NL,O=Offspark\, Inc., OU=PolarSSL":"C=NL, O=Offspark, Inc., OU=PolarSSL":0
-
-X509 String to Names #2
-mbedtls_x509_string_to_names:"C=NL, O=Offspark, Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_UNKNOWN_OID
-
-X509 String to Names #3 (Name precisely 255 bytes)
-mbedtls_x509_string_to_names:"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345,OU=PolarSSL":"C=NL, O=123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345, OU=PolarSSL":0
-
-X509 String to Names #4 (Name larger than 255 bytes)
-mbedtls_x509_string_to_names:"C=NL, O=1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456, OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
-
-X509 String to Names #5 (Escape non-allowed characters)
-mbedtls_x509_string_to_names:"C=NL, O=Offspark\a Inc., OU=PolarSSL":"":MBEDTLS_ERR_X509_INVALID_NAME
-
-X509 String to Names #6 (Escape at end)
-mbedtls_x509_string_to_names:"C=NL, O=Offspark\":"":MBEDTLS_ERR_X509_INVALID_NAME
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
deleted file mode 100644
index e15802ff1..000000000
--- a/tests/suites/test_suite_x509write.function
+++ /dev/null
@@ -1,338 +0,0 @@ -/* BEGIN_HEADER */ -#include "mbedtls/bignum.h" -#include "mbedtls/x509_crt.h" -#include "mbedtls/x509_csr.h" -#include "mbedtls/pem.h" -#include "mbedtls/oid.h" -#include "mbedtls/rsa.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#include "psa/crypto.h" -#include "mbedtls/psa_util.h" -#endif - - -#if defined(MBEDTLS_RSA_C) -int mbedtls_rsa_decrypt_func( void *ctx, int mode, size_t *olen, - const unsigned char *input, unsigned char *output, - size_t output_max_len ) -{ - return( mbedtls_rsa_pkcs1_decrypt( (mbedtls_rsa_context *) ctx, NULL, NULL, mode, olen, - input, output, output_max_len ) ); -} -int mbedtls_rsa_sign_func( void *ctx, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, - const unsigned char *hash, unsigned char *sig ) -{ - return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode, - md_alg, hashlen, hash, sig ) ); -} -size_t mbedtls_rsa_key_len_func( void *ctx ) -{ - return( ((const mbedtls_rsa_context *) ctx)->len ); -} -#endif /* MBEDTLS_RSA_C */ - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -static int x509_crt_verifycsr( const unsigned char *buf, size_t buflen ) -{ - unsigned char hash[MBEDTLS_MD_MAX_SIZE]; - const mbedtls_md_info_t *md_info; - mbedtls_x509_csr csr; - - if( mbedtls_x509_csr_parse( &csr, buf, buflen ) != 0 ) - return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - - md_info = mbedtls_md_info_from_type( csr.sig_md ); - if( mbedtls_md( md_info, csr.cri.p, csr.cri.len, hash ) != 0 ) - { - /* Note: this can't happen except after an internal error */ - return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); - } - - if( mbedtls_pk_verify_ext( csr.sig_pk, csr.sig_opts, &csr.pk, - csr.sig_md, hash, mbedtls_md_get_size( md_info ), - csr.sig.p, csr.sig.len ) != 0 ) - { - return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ); - } - - return( 0 ); -} -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -/* END_HEADER */ - -/* BEGIN_DEPENDENCIES - * 
depends_on:MBEDTLS_BIGNUM_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C - * END_DEPENDENCIES - */ - -/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ -void x509_csr_check( char * key_file, char * cert_req_check_file, int md_type, - int key_usage, int set_key_usage, int cert_type, - int set_cert_type ) -{ - mbedtls_pk_context key; - mbedtls_x509write_csr req; - unsigned char buf[4096]; - unsigned char check_buf[4000]; - int ret; - size_t olen = 0, pem_len = 0; - int der_len = -1; - FILE *f; - const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; - rnd_pseudo_info rnd_info; - - memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); - - mbedtls_pk_init( &key ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 ); - - mbedtls_x509write_csr_init( &req ); - mbedtls_x509write_csr_set_md_alg( &req, md_type ); - mbedtls_x509write_csr_set_key( &req, &key ); - TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - if( set_key_usage != 0 ) - TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); - if( set_cert_type != 0 ) - TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); - - ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( ret == 0 ); - - pem_len = strlen( (char *) buf ); - - f = fopen( cert_req_check_file, "r" ); - TEST_ASSERT( f != NULL ); - olen = fread( check_buf, 1, sizeof( check_buf ), f ); - fclose( f ); - - TEST_ASSERT( olen >= pem_len - 1 ); - TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); - - der_len = mbedtls_x509write_csr_der( &req, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( der_len >= 0 ); - - if( der_len == 0 ) - goto exit; - - ret = mbedtls_x509write_csr_der( &req, buf, (size_t)( der_len - 1 ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - -exit: - mbedtls_x509write_csr_free( &req ); - mbedtls_pk_free( 
&key ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */ -void x509_csr_check_opaque( char *key_file, int md_type, int key_usage, - int cert_type ) -{ - mbedtls_pk_context key; - psa_key_handle_t slot; - psa_algorithm_t md_alg_psa; - mbedtls_x509write_csr req; - unsigned char buf[4096]; - int ret; - size_t pem_len = 0; - const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; - rnd_pseudo_info rnd_info; - - psa_crypto_init(); - memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); - - md_alg_psa = mbedtls_psa_translate_md( (mbedtls_md_type_t) md_type ); - TEST_ASSERT( md_alg_psa != MBEDTLS_MD_NONE ); - - mbedtls_pk_init( &key ); - TEST_ASSERT( mbedtls_pk_parse_keyfile( &key, key_file, NULL ) == 0 ); - TEST_ASSERT( mbedtls_pk_wrap_as_opaque( &key, &slot, md_alg_psa ) == 0 ); - - mbedtls_x509write_csr_init( &req ); - mbedtls_x509write_csr_set_md_alg( &req, md_type ); - mbedtls_x509write_csr_set_key( &req, &key ); - TEST_ASSERT( mbedtls_x509write_csr_set_subject_name( &req, subject_name ) == 0 ); - if( key_usage != 0 ) - TEST_ASSERT( mbedtls_x509write_csr_set_key_usage( &req, key_usage ) == 0 ); - if( cert_type != 0 ) - TEST_ASSERT( mbedtls_x509write_csr_set_ns_cert_type( &req, cert_type ) == 0 ); - - ret = mbedtls_x509write_csr_pem( &req, buf, sizeof( buf ) - 1, - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( ret == 0 ); - - pem_len = strlen( (char *) buf ); - buf[pem_len] = '\0'; - TEST_ASSERT( x509_crt_verifycsr( buf, pem_len + 1 ) == 0 ); - -exit: - mbedtls_x509write_csr_free( &req ); - mbedtls_pk_free( &key ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CRT_WRITE_C:MBEDTLS_SHA1_C */ -void x509_crt_check( char *subject_key_file, char *subject_pwd, - char *subject_name, char *issuer_key_file, - char *issuer_pwd, char *issuer_name, - char *serial_str, char *not_before, char *not_after, - int md_type, int key_usage, int set_key_usage, - int cert_type, 
int set_cert_type, int auth_ident, - int ver, char *cert_check_file, int rsa_alt ) -{ - mbedtls_pk_context subject_key, issuer_key, issuer_key_alt; - mbedtls_pk_context *key = &issuer_key; - - mbedtls_x509write_cert crt; - unsigned char buf[4096]; - unsigned char check_buf[5000]; - mbedtls_mpi serial; - int ret; - size_t olen = 0, pem_len = 0; - int der_len = -1; - FILE *f; - rnd_pseudo_info rnd_info; - - memset( &rnd_info, 0x2a, sizeof( rnd_pseudo_info ) ); - mbedtls_mpi_init( &serial ); - - mbedtls_pk_init( &subject_key ); - mbedtls_pk_init( &issuer_key ); - mbedtls_pk_init( &issuer_key_alt ); - - mbedtls_x509write_crt_init( &crt ); - - TEST_ASSERT( mbedtls_pk_parse_keyfile( &subject_key, subject_key_file, - subject_pwd ) == 0 ); - - TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file, - issuer_pwd ) == 0 ); - -#if defined(MBEDTLS_RSA_C) - /* For RSA PK contexts, create a copy as an alternative RSA context. */ - if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA ) - { - TEST_ASSERT( mbedtls_pk_setup_rsa_alt( &issuer_key_alt, - mbedtls_pk_rsa( issuer_key ), - mbedtls_rsa_decrypt_func, - mbedtls_rsa_sign_func, - mbedtls_rsa_key_len_func ) == 0 ); - - key = &issuer_key_alt; - } -#else - (void) rsa_alt; -#endif - - TEST_ASSERT( mbedtls_mpi_read_string( &serial, 10, serial_str ) == 0 ); - - if( ver != -1 ) - mbedtls_x509write_crt_set_version( &crt, ver ); - - TEST_ASSERT( mbedtls_x509write_crt_set_serial( &crt, &serial ) == 0 ); - TEST_ASSERT( mbedtls_x509write_crt_set_validity( &crt, not_before, - not_after ) == 0 ); - mbedtls_x509write_crt_set_md_alg( &crt, md_type ); - TEST_ASSERT( mbedtls_x509write_crt_set_issuer_name( &crt, issuer_name ) == 0 ); - TEST_ASSERT( mbedtls_x509write_crt_set_subject_name( &crt, subject_name ) == 0 ); - mbedtls_x509write_crt_set_subject_key( &crt, &subject_key ); - - mbedtls_x509write_crt_set_issuer_key( &crt, key ); - - if( crt.version >= MBEDTLS_X509_CRT_VERSION_3 ) - { - TEST_ASSERT( 
mbedtls_x509write_crt_set_basic_constraints( &crt, 0, 0 ) == 0 ); - TEST_ASSERT( mbedtls_x509write_crt_set_subject_key_identifier( &crt ) == 0 ); - if( auth_ident ) - TEST_ASSERT( mbedtls_x509write_crt_set_authority_key_identifier( &crt ) == 0 ); - if( set_key_usage != 0 ) - TEST_ASSERT( mbedtls_x509write_crt_set_key_usage( &crt, key_usage ) == 0 ); - if( set_cert_type != 0 ) - TEST_ASSERT( mbedtls_x509write_crt_set_ns_cert_type( &crt, cert_type ) == 0 ); - } - - ret = mbedtls_x509write_crt_pem( &crt, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( ret == 0 ); - - pem_len = strlen( (char *) buf ); - - f = fopen( cert_check_file, "r" ); - TEST_ASSERT( f != NULL ); - olen = fread( check_buf, 1, sizeof( check_buf ), f ); - fclose( f ); - TEST_ASSERT( olen < sizeof( check_buf ) ); - - TEST_ASSERT( olen >= pem_len - 1 ); - TEST_ASSERT( memcmp( buf, check_buf, pem_len - 1 ) == 0 ); - - der_len = mbedtls_x509write_crt_der( &crt, buf, sizeof( buf ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( der_len >= 0 ); - - if( der_len == 0 ) - goto exit; - - ret = mbedtls_x509write_crt_der( &crt, buf, (size_t)( der_len - 1 ), - rnd_pseudo_rand, &rnd_info ); - TEST_ASSERT( ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); - -exit: - mbedtls_x509write_crt_free( &crt ); - mbedtls_pk_free( &issuer_key_alt ); - mbedtls_pk_free( &subject_key ); - mbedtls_pk_free( &issuer_key ); - mbedtls_mpi_free( &serial ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_X509_CREATE_C:MBEDTLS_X509_USE_C */ -void mbedtls_x509_string_to_names( char * name, char * parsed_name, int result - ) -{ - int ret; - size_t len = 0; - mbedtls_asn1_named_data *names = NULL; - mbedtls_x509_name parsed, *parsed_cur, *parsed_prv; - unsigned char buf[1024], out[1024], *c; - - memset( &parsed, 0, sizeof( parsed ) ); - memset( out, 0, sizeof( out ) ); - memset( buf, 0, sizeof( buf ) ); - c = buf + sizeof( buf ); - - ret = mbedtls_x509_string_to_names( &names, name ); - TEST_ASSERT( ret == result ); - - 
if( ret != 0 ) - goto exit; - - ret = mbedtls_x509_write_names( &c, buf, names ); - TEST_ASSERT( ret > 0 ); - - TEST_ASSERT( mbedtls_asn1_get_tag( &c, buf + sizeof( buf ), &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) == 0 ); - TEST_ASSERT( mbedtls_x509_get_name( &c, buf + sizeof( buf ), &parsed ) == 0 ); - - ret = mbedtls_x509_dn_gets( (char *) out, sizeof( out ), &parsed ); - TEST_ASSERT( ret > 0 ); - - TEST_ASSERT( strcmp( (char *) out, parsed_name ) == 0 ); - -exit: - mbedtls_asn1_free_named_data_list( &names ); - - parsed_cur = parsed.next; - while( parsed_cur != 0 ) - { - parsed_prv = parsed_cur; - parsed_cur = parsed_cur->next; - mbedtls_free( parsed_prv ); - } -} -/* END_CASE */ From 120d571e8e835afde4a5c31fdc26c2452c0b54d7 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 7 Mar 2019 15:32:49 +0000 Subject: [PATCH 17/19] tests: Use parent module includes when used as a submodule For Makefiles, enable overriding where includes can come from in order to enable the parent module to set the include path. This allows the parent module to specify that its config.h should be used, even when the submodule when built standalone would use a different config.h. For CMake, always look in the parent's include folder and our own. List the parent's include folder first, so that preference is given to parent include files. --- tests/CMakeLists.txt | 4 ++++ tests/Makefile | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 4720008c6..06df85dfe 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
@@ -43,6 +43,10 @@ function(add_test_suite suite_name)
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})
 add_executable(test_suite_${data_name} test_suite_${data_name}.c)
 target_link_libraries(test_suite_${data_name} ${libs})
+ target_include_directories(test_suite_${data_name}
+ PUBLIC ${CMAKE_SOURCE_DIR}/include/
+ PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
+
 if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})
 message(STATUS "The test suite ${data_name} will not be executed.")
 else()
diff --git a/tests/Makefile b/tests/Makefile
index 1512fa7f6..50a054969 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -6,7 +6,8 @@ CFLAGS ?= -O2
 WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wno-unused-function -Wno-unused-value
 LDFLAGS ?=
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -I../library -D_FILE_OFFSET_BITS=64
+CRYPTO_INCLUDES ?= -I../include
+LOCAL_CFLAGS = $(WARNING_CFLAGS) $(CRYPTO_INCLUDES) -I../library -D_FILE_OFFSET_BITS=64
 LOCAL_LDFLAGS = -L../library \
 -lmbedtls$(SHARED_SUFFIX) \
 -lmbedx509$(SHARED_SUFFIX) \
From 1264c2a86f0b578b6f82a4c1993a22cbbe956a27 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 7 Mar 2019 16:01:11 +0000 Subject: [PATCH 18/19] tests: Exclude version suite when used as a submodule The version test suite is duplicated between Mbed TLS and Mbed Crypto. Use TLS's copy and not Crypto's copy when Crypto is used as a submodule of TLS. The version test is the only test that is tested from both TLS and Crypto, despite being entirely in libmbedcrypto. This is because the test data is code-gen'd from the version updating script and the version between Mbed TLS and Mbed Crypto don't necessarily always agree. The test data must come from the top level module, as only the top level module will have test data that matches the expected version.
---
 tests/CMakeLists.txt | 4 +++- tests/Makefile | 9 +++++++++ 2 files changed, 12 insertions(+), 1 deletion(-)
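Review bot: In the tests/CMakeLists.txt hunk of patch 17, the two directories given to `target_include_directories` are appended to the target's include list, so any path already supplied through `include_directories()` is searched before them and the parent's `config.h` is not guaranteed to win, which is what the commit message intends. Which paths are already in effect is not visible in this hunk, so this needs checking against the top-level CMakeLists. Writing `target_include_directories(test_suite_${data_name} BEFORE PRIVATE ${CMAKE_SOURCE_DIR}/include/ ${CMAKE_SOURCE_DIR}/crypto/include/)` would prepend the paths, and `PRIVATE` is sufficient because nothing links against a test executable. A suite compiled against a different `config.h` than the library it links tests a configuration other than the one being shipped. The body of add_test_suite starts and ends outside the hunk.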
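Review bot: In the tests/Makefile hunk of patch 17, `CRYPTO_INCLUDES ?= -I../include` is introduced without a comment, and because it is assigned with `?=` its value is also taken from the environment, not only from a parent make invocation. A stale exported variable could silently point the tests at another `config.h` while `LOCAL_LDFLAGS` still links the libraries in `../library`, so headers and binaries could disagree. I would add a comment above it such as `# Header search path for config.h and the public API; a parent project may override this so that its own config.h is used.`, and have the parent pass the value explicitly on the make command line.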
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 06df85dfe..e9cae9a9b 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -138,8 +138,10 @@ add_test_suite(psa_crypto_storage_file)
 add_test_suite(shax)
 add_test_suite(timing)
 add_test_suite(rsa)
-add_test_suite(version)
 add_test_suite(xtea)
+if (NOT USE_CRYPTO_SUBMODULE)
+ add_test_suite(version)
+endif()
 # Make scripts and data files needed for testing available in an
 # out-of-source build.
diff --git a/tests/Makefile b/tests/Makefile
index 50a054969..8db7920d7 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -59,6 +59,15 @@ endif
 # constructed by stripping path 'suites/' and extension .data.
 APPS = $(basename $(subst suites/,,$(wildcard suites/test_suite_*.data)))
+# When this project is used as a submodule, exclude the following list of
+# tests, which will be run from the parent module instead.
+ifdef USE_CRYPTO_SUBMODULE
+APPS := $(filter-out \
+ test_suite_version \
+ ,$(APPS))
+endif
+
+
 # Construct executable name by adding OS specific suffix $(EXEXT).
 BINARIES := $(addsuffix $(EXEXT),$(APPS))
From b478bb6ddbb1f3b7969ad9d6ccfdb0fa6d4843bd Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 7 Mar 2019 16:44:54 +0000 Subject: [PATCH 19/19] tests: Add a crypto prefix to submodule tests Prepend ".crypto" to tests that came from the crypto submodule. This allows, when this project is used as a submodule, for tests with names the same between the parent and this project when used as a submodule to both be built and run.
---
 tests/CMakeLists.txt | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index e9cae9a9b..76a4608e1 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
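Review bot: In the tests/Makefile hunk of patch 18, `ifdef USE_CRYPTO_SUBMODULE` is true for any non-empty value, so `make USE_CRYPTO_SUBMODULE=0` still removes test_suite_version, whereas the CMake side of the same commit uses `if (NOT USE_CRYPTO_SUBMODULE)`, which treats 0 and OFF as false. The two build systems therefore disagree on what switches the exclusion off, and a suite can drop out of a Makefile build without any message. Either state this in the comment, e.g. `# Any non-empty value of USE_CRYPTO_SUBMODULE (even 0) enables this exclusion.`, or test the value explicitly with `ifeq ($(USE_CRYPTO_SUBMODULE),1)` if the parent is known to pass 1, which is not visible here.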
@@ -40,17 +40,24 @@ function(add_test_suite suite_name)
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py mbedtls ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data )
+ set(exe_name test_suite_${data_name})
+ # Add a prefix to differentiate these tests from those of the parent
+ # module, when this project is built as a submodule.
+ if(USE_CRYPTO_SUBMODULE)
+ set(exe_name crypto.${exe_name})
+ endif()
+
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})
- add_executable(test_suite_${data_name} test_suite_${data_name}.c)
- target_link_libraries(test_suite_${data_name} ${libs})
- target_include_directories(test_suite_${data_name}
+ add_executable(${exe_name} test_suite_${data_name}.c)
+ target_link_libraries(${exe_name} ${libs})
+ target_include_directories(${exe_name}
 PUBLIC ${CMAKE_SOURCE_DIR}/include/
 PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
 if(${data_name} MATCHES ${SKIP_TEST_SUITES_REGEX})
 message(STATUS "The test suite ${data_name} will not be executed.")
 else()
- add_test(${data_name}-suite test_suite_${data_name} --verbose)
+ add_test(${data_name}-suite ${exe_name} --verbose)
 endif()
 endfunction(add_test_suite)
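Review bot: The CTest name passed to `add_test` is still `${data_name}-suite`, so only the executable receives the `crypto.` prefix. If the parent project registers its suites under the same naming scheme (not visible here), two tests with the same name end up in one CTest run, and their results cannot be told apart or selected individually with `ctest -R`. Prefixing the test name as well keeps them distinct: `set(test_name ${data_name}-suite)` next to `set(exe_name ...)`, `set(test_name crypto.${test_name})` inside the `if(USE_CRYPTO_SUBMODULE)` block, and `add_test(${test_name} ${exe_name} --verbose)`. The body of add_test_suite starts before the hunk.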