Commit graph

430 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 590f416142 Add tests for periodic renegotiation 2014-12-02 10:40:55 +01:00
Manuel Pégourié-Gonnard 85d915b81d Add tests for renego security enforcement 2014-12-02 10:40:54 +01:00
Manuel Pégourié-Gonnard f9d778d635 Merge branch 'etm' into dtls
* etm:
  Fix warning in reduced config
  Update Changelog for EtM
  Keep EtM state across renegotiations
  Adjust minimum length for EtM
  Don't send back EtM extension if not using CBC
  Fix for the RFC erratum
  Implement EtM
  Preparation for EtM
  Implement initial negotiation of EtM

Conflicts:
	include/polarssl/check_config.h
2014-11-06 01:36:32 +01:00
Manuel Pégourié-Gonnard 56d985d0a6 Merge branch 'session-hash' into dtls
* session-hash:
  Update Changelog for session-hash
  Make session-hash depend on TLS versions
  Forbid extended master secret with SSLv3
  compat.sh: allow git version of gnutls
  compat.sh: make options a bit more robust
  Implement extended master secret
  Add negotiation of Extended Master Secret

Conflicts:
	include/polarssl/check_config.h
	programs/ssl/ssl_server2.c
2014-11-06 01:25:09 +01:00
Manuel Pégourié-Gonnard fedba98ede Merge branch 'fb-scsv' into dtls
* fb-scsv:
  Update Changelog for FALLBACK_SCSV
  Implement FALLBACK_SCSV server-side
  Implement FALLBACK_SCSV client-side
2014-11-05 16:12:09 +01:00
Manuel Pégourié-Gonnard b575b54cb9 Forbid extended master secret with SSLv3 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 169dd6a514 Adjust minimum length for EtM 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 78e745fc0a Don't send back EtM extension if not using CBC 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 0098e7dc70 Preparation for EtM 2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 699cafaea2 Implement initial negotiation of EtM
Not implemented yet:
- actually using EtM
- conditions on renegotiation
2014-11-05 16:00:50 +01:00
Manuel Pégourié-Gonnard 01b2699198 Implement FALLBACK_SCSV server-side 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard 1cbd39dbeb Implement FALLBACK_SCSV client-side 2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard 367381fddd Add negotiation of Extended Master Secret
(But not the actual thing yet.)
2014-11-05 16:00:49 +01:00
Manuel Pégourié-Gonnard a6ace04c5c Test for lost HelloRequest 2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard f1384470bf Avoid spurious timeout in ssl-opt.sh 2014-10-21 16:32:57 +02:00
Manuel Pégourié-Gonnard 74a1378175 Avoid false positive in ssl-opt.sh with memcheck 2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard e698f59a25 Add tests for ssl_set_dtls_badmac_limit() 2014-10-21 16:32:56 +02:00
Manuel Pégourié-Gonnard caecdaed25 Cosmetics in ssl_server2 & complete tests for HVR 2014-10-21 16:32:54 +02:00
Manuel Pégourié-Gonnard 37e08e1689 Fix max_fragment_length with DTLS 2014-10-21 16:32:53 +02:00
Manuel Pégourié-Gonnard 127ab88dba Give more time to lossy tests with normal timers 2014-10-21 16:32:51 +02:00
Manuel Pégourié-Gonnard ba958b8bdc Add test for server-initiated renego
Just assuming the HelloRequest isn't lost for now
2014-10-21 16:32:50 +02:00
Manuel Pégourié-Gonnard 85beb30b11 Add test for resumption with non-blocking I/O 2014-10-21 16:32:48 +02:00
Manuel Pégourié-Gonnard a59af05dce Give more time to tests that time out too often 2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard 7a26d73735 Add test for session resumption 2014-10-21 16:32:47 +02:00
Manuel Pégourié-Gonnard df9a0a8460 Drop unexpected ApplicationData
This is likely to happen on resumption if client speaks first at the
application level.
2014-10-21 16:32:46 +02:00
Manuel Pégourié-Gonnard 37a4de2cec Use shorter timeouts in ssl-opt.sh proxy tests 2014-10-21 16:32:44 +02:00
Manuel Pégourié-Gonnard 6093d81c20 Add tests with proxy and non-blocking I/O 2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard 579950c2bb Fix bug with non-blocking I/O and cookies 2014-10-21 16:32:42 +02:00
Manuel Pégourié-Gonnard bd97fdb3a4 Make ssl_server2's HVR handling more realistic
It makes not sense to keep the connection open until the client is verified.
Until now it was useful since closing it crates a race where the second
ClientHello might be lost. But now that our client is able to resend, that's
not an issue any more.
2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard 7a66cbca75 Rm some redundant tests 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard 9590e0a176 Add proxy tests with gnutls-srv & fragmentation 2014-10-21 16:32:40 +02:00
Manuel Pégourié-Gonnard fa60f128d6 Quit using "yes" in ssl-opt.sh with openssl
It caused s_server to send an AppData record of 16Kb every millisecond or so,
which destroyed readability of the proxy and client logs.
2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard 08a1d4bce1 Fix bug with client auth with DTLS 2014-10-21 16:32:39 +02:00
Manuel Pégourié-Gonnard d0fd1daa6b Add test with proxy and openssl server 2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard 1b753f1e27 Add test for renego with proxy 2014-10-21 16:32:38 +02:00
Manuel Pégourié-Gonnard 18e519a660 Add proxy tests with more handshake flows 2014-10-21 16:32:37 +02:00
Manuel Pégourié-Gonnard 76fe9e41c1 Test that anti-replay ignores all duplicates 2014-10-21 16:32:36 +02:00
Manuel Pégourié-Gonnard 2739313cea Make anti-replay a runtime option 2014-10-21 16:32:35 +02:00
Manuel Pégourié-Gonnard 246c13a05f Fix epoch checking 2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard b47368a00a Add replay detection 2014-10-21 16:32:34 +02:00
Manuel Pégourié-Gonnard 825a49ed7c Add more udp_proxy tests 2014-10-21 16:32:32 +02:00
Manuel Pégourié-Gonnard a6189f0fb0 udp_proxy wasn't actually killed 2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard a0719727da Add tests with dropped packets 2014-10-21 16:32:30 +02:00
Manuel Pégourié-Gonnard 63eca930d7 Drop invalid records with DTLS 2014-10-21 16:30:28 +02:00
Manuel Pégourié-Gonnard 990f9e428a Handle late handshake messages gracefully 2014-10-21 16:30:26 +02:00
Manuel Pégourié-Gonnard be9eb877f7 Adapt ssl-opt.sh to allow using udp_proxy in tests 2014-10-21 16:30:25 +02:00
Manuel Pégourié-Gonnard 0a65934ef3 Re-enable valgrind for all tests
Now we can handle duplicated messages due to the peer re-sending (due to us
being soooo slow with valgrind)
2014-10-21 16:30:24 +02:00
Manuel Pégourié-Gonnard 0c4cbc7895 Add test for fragmentation + renego with GnuTLS 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard f1499f602e Add interop testing for renego with GnuTLS 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard 77b0b8d100 Disable some tests with valgrind for now 2014-10-21 16:30:23 +02:00
Manuel Pégourié-Gonnard 64dffc5d14 Make handshake reassembly work with openssl 2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard a77561765f Add test with openssl with DTLS in ssl-opt.sh 2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard 502bf30fb5 Handle reassembly of handshake messages
Works only with GnuTLS for now, OpenSSL packs other records in the same
datagram after the last fragmented one, which we don't handle yet.

Also, ssl-opt.sh fails the tests with valgrind for now: we're so slow with
valgrind that gnutls-serv retransmits some messages, and we don't handle
duplicated messages yet.
2014-10-21 16:30:22 +02:00
Manuel Pégourié-Gonnard c392b240c4 Fix server-initiated renegotiation with DTLS 2014-10-21 16:30:21 +02:00
Manuel Pégourié-Gonnard 30d16eb429 Fix client-initiated renegotiation with DTLS 2014-10-21 16:30:20 +02:00
Manuel Pégourié-Gonnard 0eb6cab979 Add DTLS cookies test to ssl-opt.sh 2014-10-21 16:30:19 +02:00
Manuel Pégourié-Gonnard 7fa67728ad Scripts print more info on failure within buildbot 2014-08-31 17:42:53 +02:00
Manuel Pégourié-Gonnard c2b0092a1b Fix leaving around temporary file in ssl-opt.sh 2014-08-31 17:17:36 +02:00
Manuel Pégourié-Gonnard 72e51ee7be Use arithmetic expansion in scripts, avoid bashisms 2014-08-31 10:22:11 +02:00
Manuel Pégourié-Gonnard c0f6a692fb Add client timeout to ssl-opt.sh and compat.sh 2014-08-30 22:59:55 +02:00
Manuel Pégourié-Gonnard a4afadfccd Fix bug in OpenSSL v2 support testing 2014-08-30 22:09:36 +02:00
Manuel Pégourié-Gonnard 644e8f377d Adapt debug_level in ssl-opt.sh to new levels
The meaning of debug_level was shift by one during the last debug overhaul.
(The new one is more rational, previously debug_level=1 didn't do anything.)
2014-08-30 21:59:31 +02:00
Manuel Pégourié-Gonnard 8e03c71b23 Normalize names in ssl-opt.sh
No numbering: does not add value, and painful to maintain, esp. with branches
2014-08-30 21:42:40 +02:00
Manuel Pégourié-Gonnard 51362961b8 Add interop testing of renegotiation 2014-08-30 21:22:47 +02:00
Manuel Pégourié-Gonnard f2629b965e Rm now useless tricks from ssl-opt.sh 2014-08-30 14:20:14 +02:00
Manuel Pégourié-Gonnard 480905d563 Fix selection of hash from sig_alg ClientHello ext. 2014-08-30 14:19:59 +02:00
Manuel Pégourié-Gonnard baa7f07809 Add GnuTLS support to ssl-opt.sh 2014-08-20 20:15:53 +02:00
Manuel Pégourié-Gonnard f07f421759 Fix server-initiated renego with non-blocking I/O 2014-08-19 13:32:15 +02:00
Manuel Pégourié-Gonnard a8c0a0dbd0 Add "exchanges" option to test server and client
Goal is to test renegotiation better: we need more than one exchange for
server-initiated renego to work reliably (the previous hack for this wouldn't
work with non-blocking I/O and probably not with DTLS either).

Also check message termination in a semi-realistic way.
2014-08-19 13:26:05 +02:00
Manuel Pégourié-Gonnard 6591962f06 Allow delay on renego on client
Currently unbounded: will be fixed later
2014-08-19 12:50:30 +02:00
Manuel Pégourié-Gonnard 74b11702d7 Simplify terminating ssl_server2 in test scripts 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard 6f4fbbb3e1 Add a "skip" feature in ssl-opt.sh 2014-08-14 18:33:00 +02:00
Manuel Pégourié-Gonnard e73b26391d Add config-full to all.sh 2014-08-14 11:34:34 +02:00
Manuel Pégourié-Gonnard fae355e8ee Add tests for ssl_set_renegotiation_enforced() 2014-07-04 14:32:27 +02:00
Manuel Pégourié-Gonnard a9964dbcd5 Add ssl_set_renegotiation_enforced() 2014-07-04 14:16:07 +02:00
Manuel Pégourié-Gonnard 8920f69fef Add test for packets of max size 2014-06-25 11:26:12 +02:00
Manuel Pégourié-Gonnard ee415031e5 Add tests for small packets
Some truncated HMAC test failing right now.
2014-06-25 11:26:11 +02:00
Manuel Pégourié-Gonnard fab2a3c3d6 Fix port selection in ssl test scripts
Port was selected in the 1000-1999 range which is bad (system ports).
2014-06-23 11:54:57 +02:00
Manuel Pégourié-Gonnard 0c1ec479fe Make ssl-opt.sh faster and more robust 2014-06-20 20:03:33 +02:00
Manuel Pégourié-Gonnard bbcb1ce703 Revert "Avoid sleep 1 at server start in ssl-opt.sh"
This reverts commit db2a6c1a20.

Does not seem to work as expected on the buildbots. Reverted while
investigating, since it had no other used than speeding up the test script.
2014-06-13 18:05:23 +02:00
Paul Bakker 14c78c93d5 Merge more SSL tests and required ssl_server2 additions 2014-06-12 21:24:34 +02:00
Manuel Pégourié-Gonnard 95c0a63023 Add tests for ssl_get_bytes_avail() 2014-06-11 18:34:47 +02:00
Manuel Pégourié-Gonnard 90805a8d01 Add test for ssl_set_ciphersuites_for_version() 2014-06-11 14:08:10 +02:00
Manuel Pégourié-Gonnard 10c3c9fda8 Add test for PSK without a key 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard a6781c99ee Add tests for PSK callback 2014-06-10 15:32:02 +02:00
Manuel Pégourié-Gonnard 0cc7e31ad1 Add test for ssl_set_dh_param_ctx() 2014-06-10 15:32:01 +02:00
Manuel Pégourié-Gonnard db2a6c1a20 Avoid sleep 1 at server start in ssl-opt.sh
On my machine, brings running time from 135 to 45 seconds...
3 times faster :)
2014-05-29 12:15:40 +02:00
Manuel Pégourié-Gonnard 32f8f4d1a0 Catch SERVERQUIT timeout in ssl test scripts 2014-05-29 11:57:44 +02:00
Manuel Pégourié-Gonnard bc3b16c7e2 Also use unique names for temp files 2014-05-29 11:57:43 +02:00
Manuel Pégourié-Gonnard 8066b81a54 Pick a "unique" port in SSL test scripts 2014-05-29 11:57:43 +02:00
Paul Bakker 1ebc0c592c Fix typos 2014-05-22 15:47:58 +02:00
Manuel Pégourié-Gonnard 17cde5f8ef Fix ssl-opt.sh for new ciphersuites order 2014-05-22 14:42:39 +02:00
Manuel Pégourié-Gonnard 0408fd1fbb Add extendedKeyUsage checking in SSL modules 2014-04-11 11:09:09 +02:00
Manuel Pégourié-Gonnard a9db85df73 Add tests for keyUsage with client auth 2014-04-09 15:50:58 +02:00
Manuel Pégourié-Gonnard 7f2a07d7b2 Check keyUsage in SSL client and server 2014-04-09 15:50:57 +02:00
Paul Bakker 17b85cbd69 Merged additional tests and improved code coverage
Conflicts:
	ChangeLog
2014-04-08 14:38:48 +02:00
Manuel Pégourié-Gonnard 83d8c73c91 Disable ALPN by default 2014-04-07 13:24:21 +02:00
Manuel Pégourié-Gonnard f6521de17b Add ALPN tests to ssl-opt.sh
Only self-op for now, required peer versions are a bit high:
- OpenSSL 1.0.2-beta
- GnuTLS 3.2.0 (released 2013-05-10) (gnutls-cli only)
2014-04-07 12:42:04 +02:00
Manuel Pégourié-Gonnard 913030c286 Enable SSLv2 testing if OPENSSL_CMD is set 2014-04-04 16:33:01 +02:00
Manuel Pégourié-Gonnard 00d538f8f9 Disable renegotiation by default in example cli/srv 2014-03-31 11:03:06 +02:00
Manuel Pégourié-Gonnard 76b8ab73cd ssl-opt.sh: address some robustness issues 2014-03-26 14:21:34 +01:00
Manuel Pégourié-Gonnard e01af4cd37 Tune compat.sh and ssl-opt.sh error reporting 2014-03-26 12:58:48 +01:00
Manuel Pégourié-Gonnard 417d46cdb0 Add --filter, --exclude to ssl-opt.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 74faf3c400 Fix usage of environment variables for commands 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 84fd6877c6 Use ssl_client2 to terminate ssl_server2 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard ba0b8442f0 compat.sh and ssl-opt.sh cosmetics
- do not print '0 memory errors' when memcheck was not used
- add commands to the log files
2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 3eec60402f Add memcheck support to compat.sh 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard de515ccdf5 Add tests for client w/o certificate 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard f7a2690561 Make the openssl command configurable in sh tests 2014-03-14 08:41:02 +01:00
Manuel Pégourié-Gonnard 9dea8bd658 Minor compat.sh clean-up 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard c73339fd50 Add a --memcheck option to ssl-opt.sh 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard a3d808e140 Add tests for version bounds 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 0b6609b34c Add tests for non-blocking I/O 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard db735f67b9 Add tests for sess-id-based resume with OpenSSL 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard fccd3255f9 Add tests for tickets with OpenSSL 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 677884d174 Add a few checks in ssl-opt.sh 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard a9062e96e7 shell scripts: clean up when exiting on signal 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard c1da664e89 Add test for SSLv2 ClientHello 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 96ea2f2557 Add tests for SNI 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 4145b89091 compat.sh cosmetics 2014-03-14 08:41:01 +01:00
Manuel Pégourié-Gonnard 8520dac292 Add tests for auth_mode 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 33a752e180 ssl-opt.sh: count and report failures 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard f8bdbb5d62 ssl-opt.sh: cosmetics 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard dbe1ee1988 Add tests for session ticket lifetime 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard c55a5b7d6f Add tests for cache timeout 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 4c88345f19 Add test for ssl_cache max_entries 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard 780d671f9d Add tests for renegotiation 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard de14378a53 Add tests for max fragment length extension 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard f7c52014ec Add basic tests for session resumption 2014-03-14 08:41:00 +01:00
Manuel Pégourié-Gonnard eaadc508fb New ssl-opt.sh test script 2014-03-14 08:41:00 +01:00