2014-02-20 10:01:30 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
# Test various options that are not covered by compat.sh
|
|
|
|
#
|
|
|
|
# Here the goal is not to cover every ciphersuite/version, but
|
|
|
|
# rather specific options (max fragment length, truncated hmac, etc)
|
|
|
|
# or procedures (session resumption from cache or ticket, renego, etc).
|
|
|
|
#
|
|
|
|
# Assumes all options are compiled in.
|
|
|
|
|
|
|
|
PROGS_DIR='../programs/ssl'
|
|
|
|
SRV_CMD="$PROGS_DIR/ssl_server2"
|
|
|
|
CLI_CMD="$PROGS_DIR/ssl_client2"
|
|
|
|
|
|
|
|
# Usage: run_test name srv_args cli_args cli_exit [option [...]]
|
|
|
|
# Options: -s pattern pattern that must be present in server output
|
|
|
|
# -c pattern pattern that must be present in client output
|
|
|
|
# -S pattern pattern that must be absent in server output
|
|
|
|
# -C pattern pattern that must be absent in client output
|
|
|
|
run_test() {
|
|
|
|
echo -n "$1: "
|
|
|
|
shift
|
|
|
|
|
|
|
|
# run the commands
|
|
|
|
$SRV_CMD $1 > srv_out &
|
|
|
|
SRV_PID=$!
|
|
|
|
sleep 1
|
|
|
|
$CLI_CMD $2 > cli_out
|
|
|
|
CLI_EXIT=$?
|
|
|
|
echo SERVERQUIT | openssl s_client >/dev/null 2>&1
|
|
|
|
wait $SRV_PID
|
|
|
|
shift 2
|
|
|
|
|
|
|
|
# check client exit code
|
2014-02-20 16:19:59 +00:00
|
|
|
if [ \( "$1" = 0 -a "$CLI_EXIT" != 0 \) -o \
|
|
|
|
\( "$1" != 0 -a "$CLI_EXIT" = 0 \) ]
|
|
|
|
then
|
2014-02-20 10:01:30 +00:00
|
|
|
echo "FAIL - client exit"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
shift
|
|
|
|
|
|
|
|
# check options
|
|
|
|
while [ $# -gt 0 ]
|
|
|
|
do
|
|
|
|
case $1 in
|
|
|
|
"-s")
|
|
|
|
if grep "$2" srv_out >/dev/null; then :; else
|
|
|
|
echo "FAIL - -s $2"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-c")
|
|
|
|
if grep "$2" cli_out >/dev/null; then :; else
|
|
|
|
echo "FAIL - -c $2"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-S")
|
|
|
|
if grep "$2" srv_out >/dev/null; then
|
|
|
|
echo "FAIL - -S $2"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
"-C")
|
|
|
|
if grep "$2" cli_out >/dev/null; then
|
|
|
|
echo "FAIL - -C $2"
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
|
|
|
|
*)
|
|
|
|
echo "Unkown test: $1" >&2
|
|
|
|
exit 1
|
|
|
|
esac
|
|
|
|
shift 2
|
|
|
|
done
|
|
|
|
|
|
|
|
# if we're here, everything is ok
|
|
|
|
echo "PASS"
|
|
|
|
rm -r srv_out cli_out
|
|
|
|
}
|
|
|
|
|
|
|
|
killall -q openssl ssl_server ssl_server2
|
|
|
|
|
2014-02-20 16:19:59 +00:00
|
|
|
# Tests for Truncated HMAC extension
|
|
|
|
|
|
|
|
run_test "Truncated HMAC #0" \
|
|
|
|
"debug_level=5" \
|
|
|
|
"trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
|
|
|
0 \
|
|
|
|
-s "dumping 'computed mac' (20 bytes)"
|
|
|
|
|
|
|
|
run_test "Truncated HMAC #1" \
|
2014-02-20 10:01:30 +00:00
|
|
|
"debug_level=5" \
|
2014-02-20 10:43:46 +00:00
|
|
|
"trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
2014-02-20 10:01:30 +00:00
|
|
|
0 \
|
2014-02-20 10:43:46 +00:00
|
|
|
-s "dumping 'computed mac' (10 bytes)"
|
|
|
|
|
2014-02-20 16:19:59 +00:00
|
|
|
# Tests for Session Tickets
|
|
|
|
|
2014-02-20 20:32:41 +00:00
|
|
|
run_test "Session resume using tickets #1" \
|
2014-02-20 10:43:46 +00:00
|
|
|
"debug_level=4 tickets=1" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=1" \
|
|
|
|
0 \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-20 20:32:41 +00:00
|
|
|
run_test "Session resume using tickets #2" \
|
|
|
|
"debug_level=4 tickets=1 cache_max=0" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=1" \
|
|
|
|
0 \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-s "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
|
|
|
# Test for Session Resume based on session-ID and cache
|
2014-02-20 16:19:59 +00:00
|
|
|
|
2014-02-20 10:43:46 +00:00
|
|
|
run_test "Session resume using cache #1" \
|
|
|
|
"debug_level=4 tickets=0" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=1" \
|
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #2" \
|
|
|
|
"debug_level=4 tickets=1" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=0" \
|
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
2014-02-20 13:50:42 +00:00
|
|
|
|
2014-02-20 20:32:41 +00:00
|
|
|
run_test "Session resume using cache #3" \
|
|
|
|
"debug_level=4 tickets=0 cache_max=0" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=0" \
|
|
|
|
0 \
|
|
|
|
-S "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "no session has been resumed" \
|
|
|
|
-c "no session has been resumed"
|
|
|
|
|
|
|
|
run_test "Session resume using cache #4" \
|
|
|
|
"debug_level=4 tickets=1 cache_max=1" \
|
|
|
|
"debug_level=4 reconnect=1 tickets=0" \
|
|
|
|
0 \
|
|
|
|
-s "session successfully restored from cache" \
|
|
|
|
-S "session successfully restored from ticket" \
|
|
|
|
-s "a session has been resumed" \
|
|
|
|
-c "a session has been resumed"
|
|
|
|
|
2014-02-20 16:19:59 +00:00
|
|
|
# Tests for Max Fragment Length extension
|
|
|
|
|
2014-02-20 13:50:42 +00:00
|
|
|
run_test "Max fragment length #1" \
|
|
|
|
"debug_level=4" \
|
|
|
|
"debug_level=4" \
|
|
|
|
0 \
|
|
|
|
-C "client hello, adding max_fragment_length extension" \
|
|
|
|
-S "found max fragment length extension" \
|
|
|
|
-S "server hello, max_fragment_length extension" \
|
|
|
|
-C "found max_fragment_length extension"
|
|
|
|
|
|
|
|
run_test "Max fragment length #2" \
|
|
|
|
"debug_level=4" \
|
|
|
|
"debug_level=4 max_frag_len=4096" \
|
|
|
|
0 \
|
|
|
|
-c "client hello, adding max_fragment_length extension" \
|
|
|
|
-s "found max fragment length extension" \
|
|
|
|
-s "server hello, max_fragment_length extension" \
|
|
|
|
-c "found max_fragment_length extension"
|
|
|
|
|
|
|
|
run_test "Max fragment length #3" \
|
|
|
|
"debug_level=4 max_frag_len=4096" \
|
|
|
|
"debug_level=4" \
|
|
|
|
0 \
|
|
|
|
-C "client hello, adding max_fragment_length extension" \
|
|
|
|
-S "found max fragment length extension" \
|
|
|
|
-S "server hello, max_fragment_length extension" \
|
|
|
|
-C "found max_fragment_length extension"
|
2014-02-20 16:19:59 +00:00
|
|
|
|
|
|
|
# Tests for renegotiation
|
|
|
|
|
|
|
|
run_test "Renegotiation #0 (none)" \
|
|
|
|
"debug_level=4" \
|
|
|
|
"debug_level=4" \
|
|
|
|
0 \
|
|
|
|
-C "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-C "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #1 (enabled, client-initiated)" \
|
|
|
|
"debug_level=4" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #2 (enabled, server-initiated)" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
"debug_level=4" \
|
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-s "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #3 (enabled, double)" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
0 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-s "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-s "renegotiate" \
|
|
|
|
-s "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #4 (client-initiated, server-rejected)" \
|
|
|
|
"debug_level=4 renegotiation=0" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
1 \
|
|
|
|
-c "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-c "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-S "write hello request"
|
|
|
|
|
|
|
|
run_test "Renegotiation #5 (server-initiated, client-rejected)" \
|
|
|
|
"debug_level=4 renegotiate=1" \
|
|
|
|
"debug_level=4 renegotiation=0" \
|
|
|
|
0 \
|
|
|
|
-C "client hello, adding renegotiation extension" \
|
|
|
|
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
|
|
|
|
-S "found renegotiation extension" \
|
|
|
|
-s "server hello, secure renegotiation extension" \
|
|
|
|
-c "found renegotiation extension" \
|
|
|
|
-C "renegotiate" \
|
|
|
|
-S "renegotiate" \
|
|
|
|
-s "write hello request" \
|
|
|
|
-s "SSL - An unexpected message was received from our peer" \
|
|
|
|
-s "failed"
|