ssl-opt.sh 31.8 KB
Newer Older
1 2 3 4 5 6 7 8 9 10
#!/bin/sh

# Test various options that are not covered by compat.sh
#
# Here the goal is not to cover every ciphersuite/version, but
# rather specific options (max fragment length, truncated hmac, etc)
# or procedures (session resumption from cache or ticket, renego, etc).
#
# Assumes all options are compiled in.

11 12
set -u

13 14 15 16
# default values, can be overriden by the environment
: ${P_SRV:=../programs/ssl/ssl_server2}
: ${P_CLI:=../programs/ssl/ssl_client2}
: ${OPENSSL:=openssl}
17

18 19
O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
20

21 22 23
TESTS=0
FAILS=0

24 25 26 27 28
MEMCHECK=0

print_usage() {
    echo "Usage: $0 [options]"
    echo -e "  -h, --help\tPrint this help."
29
    echo -e "  -m, --memcheck\tCheck memory leaks and errors."
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
}

get_options() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -m|--memcheck)
                MEMCHECK=1
                ;;
            -h|--help)
                print_usage
                exit 0
                ;;
            *)
                echo "Unkown argument: '$1'"
                print_usage
                exit 1
                ;;
        esac
        shift
    done
}

52 53 54 55 56 57 58
# print_name <name>
print_name() {
    echo -n "$1 "
    LEN=`echo "$1" | wc -c`
    LEN=`echo 72 - $LEN | bc`
    for i in `seq 1 $LEN`; do echo -n '.'; done
    echo -n ' '
59 60

    TESTS=`echo $TESTS + 1 | bc`
61 62 63 64 65
}

# fail <message>
fail() {
    echo "FAIL"
66
    echo "  ! $1"
67

68 69 70
    cp srv_out o-srv-${TESTS}.log
    cp cli_out o-cli-${TESTS}.log
    echo "  ! outputs saved to o-srv-${TESTS}.log and o-cli-${TESTS}.log"
71 72

    FAILS=`echo $FAILS + 1 | bc`
73 74
}

75 76 77 78 79
# is_polar <cmd_line>
is_polar() {
    echo "$1" | grep 'ssl_server2\|ssl_client2' > /dev/null
}

80 81 82 83 84 85 86 87 88 89 90
# has_mem_err <log_file_name>
has_mem_err() {
    if ( grep -F 'All heap blocks were freed -- no leaks are possible' "$1" &&
         grep -F 'ERROR SUMMARY: 0 errors from 0 contexts' "$1" ) > /dev/null
    then
        return 1 # false: does not have errors
    else
        return 0 # true: has errors
    fi
}

91
# Usage: run_test name srv_cmd cli_cmd cli_exit [option [...]]
92 93 94 95 96
# Options:  -s pattern  pattern that must be present in server output
#           -c pattern  pattern that must be present in client output
#           -S pattern  pattern that must be absent in server output
#           -C pattern  pattern that must be absent in client output
run_test() {
97 98 99 100 101 102 103
    NAME="$1"
    SRV_CMD="$2"
    CLI_CMD="$3"
    CLI_EXPECT="$4"
    shift 4

    print_name "$NAME"
104

105 106 107 108 109 110 111 112 113 114
    # prepend valgrind to our commands if active
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD"; then
            SRV_CMD="valgrind --leak-check=full $SRV_CMD"
        fi
        if is_polar "$CLI_CMD"; then
            CLI_CMD="valgrind --leak-check=full $CLI_CMD"
        fi
    fi

115
    # run the commands
116 117
    echo "$SRV_CMD" > srv_out
    $SHELL -c "$SRV_CMD" >> srv_out 2>&1 &
118 119
    SRV_PID=$!
    sleep 1
120 121
    echo "$CLI_CMD" > cli_out
    $SHELL -c "$CLI_CMD" >> cli_out 2>&1
122
    CLI_EXIT=$?
123
    if is_polar "$SRV_CMD"; then
124
        echo SERVERQUIT | $OPENSSL s_client -no_ticket \
125 126 127 128 129
            -cert data_files/cli2.crt -key data_files/cli2.key \
            >/dev/null 2>&1
    else
        kill $SRV_PID
    fi
130
    wait $SRV_PID
131 132 133 134 135

    # check if the client and server went at least to the handshake stage
    # (usefull to avoid tests with only negative assertions and non-zero
    # expected client exit to incorrectly succeed in case of catastrophic
    # failure)
136
    if is_polar "$SRV_CMD"; then
137 138 139 140 141 142
        if grep "Performing the SSL/TLS handshake" srv_out >/dev/null; then :;
        else
            fail "server failed to start"
            return
        fi
    fi
143
    if is_polar "$CLI_CMD"; then
144 145 146 147 148 149 150
        if grep "Performing the SSL/TLS handshake" cli_out >/dev/null; then :;
        else
            fail "client failed to start"
            return
        fi
    fi

151 152 153 154 155 156
    # check server exit code
    if [ $? != 0 ]; then
        fail "server fail"
        return
    fi

157
    # check client exit code
158 159
    if [ \( "$CLI_EXPECT" = 0 -a "$CLI_EXIT" != 0 \) -o \
         \( "$CLI_EXPECT" != 0 -a "$CLI_EXIT" = 0 \) ]
160
    then
161
        fail "bad client exit code"
162 163 164
        return
    fi

165
    # check other assertions
166 167 168 169 170
    while [ $# -gt 0 ]
    do
        case $1 in
            "-s")
                if grep "$2" srv_out >/dev/null; then :; else
171
                    fail "-s $2"
172 173 174 175 176 177
                    return
                fi
                ;;

            "-c")
                if grep "$2" cli_out >/dev/null; then :; else
178
                    fail "-c $2"
179 180 181 182 183 184
                    return
                fi
                ;;

            "-S")
                if grep "$2" srv_out >/dev/null; then
185
                    fail "-S $2"
186 187 188 189 190 191
                    return
                fi
                ;;

            "-C")
                if grep "$2" cli_out >/dev/null; then
192
                    fail "-C $2"
193 194 195 196 197 198 199 200 201 202 203
                    return
                fi
                ;;

            *)
                echo "Unkown test: $1" >&2
                exit 1
        esac
        shift 2
    done

204 205 206 207 208 209 210 211 212 213 214 215
    # check valgrind's results
    if [ "$MEMCHECK" -gt 0 ]; then
        if is_polar "$SRV_CMD" && has_mem_err srv_out; then
            fail "Server has memory errors"
            return
        fi
        if is_polar "$CLI_CMD" && has_mem_err cli_out; then
            fail "Client has memory errors"
            return
        fi
    fi

216 217
    # if we're here, everything is ok
    echo "PASS"
218
    rm -f srv_out cli_out
219 220
}

221
cleanup() {
222
    rm -f cli_out srv_out sess
223 224 225 226
    kill $SRV_PID
    exit 1
}

227 228 229 230
#
# MAIN
#

231 232 233 234 235 236 237 238 239 240 241 242 243 244
# sanity checks, avoid an avalanche of errors
if [ ! -x "$P_SRV" ]; then
    echo "Command '$P_SRV' is not an executable file"
    exit 1
fi
if [ ! -x "$P_CLI" ]; then
    echo "Command '$P_CLI' is not an executable file"
    exit 1
fi
if which $OPENSSL >/dev/null 2>&1; then :; else
    echo "Command '$OPENSSL' not found"
    exit 1
fi

245 246
get_options "$@"

247
killall -q openssl ssl_server ssl_server2
248
trap cleanup INT TERM HUP
249

250 251 252 253
# Test for SSLv2 ClientHello

run_test    "SSLv2 ClientHello #0 (reference)" \
            "$P_SRV debug_level=3" \
254
            "$O_CLI -no_ssl2" \
255 256 257 258 259 260 261
            0 \
            -S "parse client hello v2" \
            -S "ssl_handshake returned"

# Adding a SSL2-only suite makes OpenSSL client send SSLv2 ClientHello
run_test    "SSLv2 ClientHello #1 (actual test)" \
            "$P_SRV debug_level=3" \
262
            "$O_CLI -cipher 'DES-CBC-MD5:ALL'" \
263 264 265 266
            0 \
            -s "parse client hello v2" \
            -S "ssl_handshake returned"

267 268 269
# Tests for Truncated HMAC extension

run_test    "Truncated HMAC #0" \
270 271
            "$P_SRV debug_level=5" \
            "$P_CLI trunc_hmac=0 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
272 273 274 275
            0 \
            -s "dumping 'computed mac' (20 bytes)"

run_test    "Truncated HMAC #1" \
276 277
            "$P_SRV debug_level=5" \
            "$P_CLI trunc_hmac=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
278
            0 \
279 280
            -s "dumping 'computed mac' (10 bytes)"

281 282
# Tests for Session Tickets

283
run_test    "Session resume using tickets #1 (basic)" \
284 285
            "$P_SRV debug_level=4 tickets=1" \
            "$P_CLI debug_level=4 tickets=1 reconnect=1" \
286
            0 \
287 288 289 290 291
            -c "client hello, adding session ticket extension" \
            -s "found session ticket extension" \
            -s "server hello, adding session ticket extension" \
            -c "found session_ticket extension" \
            -c "parse new session ticket" \
292 293 294 295 296
            -S "session successfully restored from cache" \
            -s "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

297
run_test    "Session resume using tickets #2 (cache disabled)" \
298 299
            "$P_SRV debug_level=4 tickets=1 cache_max=0" \
            "$P_CLI debug_level=4 tickets=1 reconnect=1" \
300 301 302 303 304 305 306 307 308 309 310
            0 \
            -c "client hello, adding session ticket extension" \
            -s "found session ticket extension" \
            -s "server hello, adding session ticket extension" \
            -c "found session_ticket extension" \
            -c "parse new session ticket" \
            -S "session successfully restored from cache" \
            -s "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

311
run_test    "Session resume using tickets #3 (timeout)" \
312 313
            "$P_SRV debug_level=4 tickets=1 cache_max=0 ticket_timeout=1" \
            "$P_CLI debug_level=4 tickets=1 reconnect=1 reco_delay=2" \
314 315 316 317 318 319 320 321 322 323 324
            0 \
            -c "client hello, adding session ticket extension" \
            -s "found session ticket extension" \
            -s "server hello, adding session ticket extension" \
            -c "found session_ticket extension" \
            -c "parse new session ticket" \
            -S "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -S "a session has been resumed" \
            -C "a session has been resumed"

325
run_test    "Session resume using tickets #4 (openssl server)" \
326
            "$O_SRV" \
327 328 329 330 331 332 333
            "$P_CLI debug_level=4 tickets=1 reconnect=1" \
            0 \
            -c "client hello, adding session ticket extension" \
            -c "found session_ticket extension" \
            -c "parse new session ticket" \
            -c "a session has been resumed"

334
run_test    "Session resume using tickets #5 (openssl client)" \
335 336 337 338 339 340 341 342 343
            "$P_SRV debug_level=4 tickets=1" \
            "($O_CLI -sess_out sess; $O_CLI -sess_in sess; rm -f sess)" \
            0 \
            -s "found session ticket extension" \
            -s "server hello, adding session ticket extension" \
            -S "session successfully restored from cache" \
            -s "session successfully restored from ticket" \
            -s "a session has been resumed"

344
# Tests for Session Resume based on session-ID and cache
345

346
run_test    "Session resume using cache #1 (tickets enabled on client)" \
347 348
            "$P_SRV debug_level=4 tickets=0" \
            "$P_CLI debug_level=4 tickets=1 reconnect=1" \
349
            0 \
350 351 352 353 354
            -c "client hello, adding session ticket extension" \
            -s "found session ticket extension" \
            -S "server hello, adding session ticket extension" \
            -C "found session_ticket extension" \
            -C "parse new session ticket" \
355 356 357 358 359
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

360
run_test    "Session resume using cache #2 (tickets enabled on server)" \
361 362
            "$P_SRV debug_level=4 tickets=1" \
            "$P_CLI debug_level=4 tickets=0 reconnect=1" \
363
            0 \
364 365 366 367 368
            -C "client hello, adding session ticket extension" \
            -S "found session ticket extension" \
            -S "server hello, adding session ticket extension" \
            -C "found session_ticket extension" \
            -C "parse new session ticket" \
369 370 371 372
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
373

374
run_test    "Session resume using cache #3 (cache_max=0)" \
375 376
            "$P_SRV debug_level=4 tickets=0 cache_max=0" \
            "$P_CLI debug_level=4 tickets=0 reconnect=1" \
377 378 379 380 381 382 383
            0 \
            -S "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -S "a session has been resumed" \
            -C "a session has been resumed"

run_test    "Session resume using cache #4 (cache_max=1)" \
384 385
            "$P_SRV debug_level=4 tickets=0 cache_max=1" \
            "$P_CLI debug_level=4 tickets=0 reconnect=1" \
386 387 388 389 390 391 392
            0 \
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

run_test    "Session resume using cache #5 (timemout > delay)" \
393
            "$P_SRV debug_level=4 tickets=0" \
394
            "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=0" \
395 396 397 398 399 400 401
            0 \
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

run_test    "Session resume using cache #6 (timeout < delay)" \
402 403
            "$P_SRV debug_level=4 tickets=0 cache_timeout=1" \
            "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
404 405 406
            0 \
            -S "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
407 408
            -S "a session has been resumed" \
            -C "a session has been resumed"
409

410
run_test    "Session resume using cache #7 (no timeout)" \
411 412
            "$P_SRV debug_level=4 tickets=0 cache_timeout=0" \
            "$P_CLI debug_level=4 tickets=0 reconnect=1 reco_delay=2" \
413 414 415 416 417 418
            0 \
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed" \
            -c "a session has been resumed"

419 420 421 422 423 424 425 426 427 428 429
run_test    "Session resume using cache #8 (openssl client)" \
            "$P_SRV debug_level=4 tickets=0" \
            "($O_CLI -sess_out sess; $O_CLI -sess_in sess; rm -f sess)" \
            0 \
            -s "found session ticket extension" \
            -S "server hello, adding session ticket extension" \
            -s "session successfully restored from cache" \
            -S "session successfully restored from ticket" \
            -s "a session has been resumed"

run_test    "Session resume using cache #9 (openssl server)" \
430
            "$O_SRV" \
431 432 433 434 435 436
            "$P_CLI debug_level=4 tickets=0 reconnect=1" \
            0 \
            -C "found session_ticket extension" \
            -C "parse new session ticket" \
            -c "a session has been resumed"

437 438
# Tests for Max Fragment Length extension

439
run_test    "Max fragment length #1" \
440 441
            "$P_SRV debug_level=4" \
            "$P_CLI debug_level=4" \
442 443 444 445 446 447 448
            0 \
            -C "client hello, adding max_fragment_length extension" \
            -S "found max fragment length extension" \
            -S "server hello, max_fragment_length extension" \
            -C "found max_fragment_length extension"

run_test    "Max fragment length #2" \
449 450
            "$P_SRV debug_level=4" \
            "$P_CLI debug_level=4 max_frag_len=4096" \
451 452 453 454 455 456 457
            0 \
            -c "client hello, adding max_fragment_length extension" \
            -s "found max fragment length extension" \
            -s "server hello, max_fragment_length extension" \
            -c "found max_fragment_length extension"

run_test    "Max fragment length #3" \
458 459
            "$P_SRV debug_level=4 max_frag_len=4096" \
            "$P_CLI debug_level=4" \
460 461 462 463 464
            0 \
            -C "client hello, adding max_fragment_length extension" \
            -S "found max fragment length extension" \
            -S "server hello, max_fragment_length extension" \
            -C "found max_fragment_length extension"
465 466 467 468

# Tests for renegotiation

run_test    "Renegotiation #0 (none)" \
469 470
            "$P_SRV debug_level=4" \
            "$P_CLI debug_level=4" \
471 472 473 474 475 476
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
477 478
            -C "=> renegotiate" \
            -S "=> renegotiate" \
479 480 481
            -S "write hello request"

run_test    "Renegotiation #1 (enabled, client-initiated)" \
482 483
            "$P_SRV debug_level=4" \
            "$P_CLI debug_level=4 renegotiate=1" \
484 485 486 487 488 489
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
490 491
            -c "=> renegotiate" \
            -s "=> renegotiate" \
492 493 494
            -S "write hello request"

run_test    "Renegotiation #2 (enabled, server-initiated)" \
495 496
            "$P_SRV debug_level=4 renegotiate=1" \
            "$P_CLI debug_level=4" \
497 498 499 500 501 502
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
503 504
            -c "=> renegotiate" \
            -s "=> renegotiate" \
505 506 507
            -s "write hello request"

run_test    "Renegotiation #3 (enabled, double)" \
508 509
            "$P_SRV debug_level=4 renegotiate=1" \
            "$P_CLI debug_level=4 renegotiate=1" \
510 511 512 513 514 515
            0 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -s "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
516 517
            -c "=> renegotiate" \
            -s "=> renegotiate" \
518 519 520
            -s "write hello request"

run_test    "Renegotiation #4 (client-initiated, server-rejected)" \
521 522
            "$P_SRV debug_level=4 renegotiation=0" \
            "$P_CLI debug_level=4 renegotiate=1" \
523 524 525 526 527 528
            1 \
            -c "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
529 530
            -c "=> renegotiate" \
            -S "=> renegotiate" \
531 532 533
            -S "write hello request"

run_test    "Renegotiation #5 (server-initiated, client-rejected)" \
534 535
            "$P_SRV debug_level=4 renegotiate=1" \
            "$P_CLI debug_level=4 renegotiation=0" \
536 537 538 539 540 541
            0 \
            -C "client hello, adding renegotiation extension" \
            -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
            -S "found renegotiation extension" \
            -s "server hello, secure renegotiation extension" \
            -c "found renegotiation extension" \
542 543
            -C "=> renegotiate" \
            -S "=> renegotiate" \
544 545 546
            -s "write hello request" \
            -s "SSL - An unexpected message was received from our peer" \
            -s "failed"
547

548 549 550
# Tests for auth_mode

run_test    "Authentication #1 (server badcert, client required)" \
551
            "$P_SRV crt_file=data_files/server5-badsign.crt \
552
             key_file=data_files/server5.key" \
553
            "$P_CLI debug_level=2 auth_mode=required" \
554 555 556 557 558 559 560
            1 \
            -c "x509_verify_cert() returned" \
            -c "! self-signed or not signed by a trusted CA" \
            -c "! ssl_handshake returned" \
            -c "X509 - Certificate verification failed"

run_test    "Authentication #2 (server badcert, client optional)" \
561
            "$P_SRV crt_file=data_files/server5-badsign.crt \
562
             key_file=data_files/server5.key" \
563
            "$P_CLI debug_level=2 auth_mode=optional" \
564 565 566 567 568 569 570
            0 \
            -c "x509_verify_cert() returned" \
            -c "! self-signed or not signed by a trusted CA" \
            -C "! ssl_handshake returned" \
            -C "X509 - Certificate verification failed"

run_test    "Authentication #3 (server badcert, client none)" \
571
            "$P_SRV crt_file=data_files/server5-badsign.crt \
572
             key_file=data_files/server5.key" \
573
            "$P_CLI debug_level=2 auth_mode=none" \
574 575 576 577 578 579 580
            0 \
            -C "x509_verify_cert() returned" \
            -C "! self-signed or not signed by a trusted CA" \
            -C "! ssl_handshake returned" \
            -C "X509 - Certificate verification failed"

run_test    "Authentication #4 (client badcert, server required)" \
581 582
            "$P_SRV debug_level=4 auth_mode=required" \
            "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
583 584 585 586 587 588 589 590 591 592 593 594 595 596 597
             key_file=data_files/server5.key" \
            1 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -S "! self-signed or not signed by a trusted CA" \
            -s "! ssl_handshake returned" \
            -c "! ssl_handshake returned" \
            -s "X509 - Certificate verification failed"

run_test    "Authentication #5 (client badcert, server optional)" \
598 599
            "$P_SRV debug_level=4 auth_mode=optional" \
            "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
600 601 602 603 604 605 606 607 608 609 610 611 612 613 614
             key_file=data_files/server5.key" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate" \
            -C "skip write certificate verify" \
            -S "skip parse certificate verify" \
            -s "x509_verify_cert() returned" \
            -s "! self-signed or not signed by a trusted CA" \
            -S "! ssl_handshake returned" \
            -C "! ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

run_test    "Authentication #6 (client badcert, server none)" \
615 616
            "$P_SRV debug_level=4 auth_mode=none" \
            "$P_CLI debug_level=4 crt_file=data_files/server5-badsign.crt \
617 618 619 620 621 622 623 624 625 626 627 628 629 630
             key_file=data_files/server5.key" \
            0 \
            -s "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got no certificate request" \
            -c "skip write certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify" \
            -S "x509_verify_cert() returned" \
            -S "! self-signed or not signed by a trusted CA" \
            -S "! ssl_handshake returned" \
            -C "! ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684
run_test    "Authentication #7 (client no cert, server optional)" \
            "$P_SRV debug_level=4 auth_mode=optional" \
            "$P_CLI debug_level=4 crt_file=none key_file=none" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -C "got no certificate to send" \
            -S "SSLv3 client has no certificate" \
            -c "skip write certificate verify" \
            -s "skip parse certificate verify" \
            -s "! no client certificate sent" \
            -S "! ssl_handshake returned" \
            -C "! ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

run_test    "Authentication #8 (openssl client no cert, server optional)" \
            "$P_SRV debug_level=4 auth_mode=optional" \
            "$O_CLI" \
            0 \
            -S "skip write certificate request" \
            -s "skip parse certificate verify" \
            -s "! no client certificate sent" \
            -S "! ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

run_test    "Authentication #9 (client no cert, openssl server optional)" \
            "$O_SRV -verify 10" \
            "$P_CLI debug_level=4 crt_file=none key_file=none" \
            0 \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -c "skip write certificate verify" \
            -C "! ssl_handshake returned"

run_test    "Authentication #10 (client no cert, ssl3)" \
            "$P_SRV debug_level=4 auth_mode=optional force_version=ssl3" \
            "$P_CLI debug_level=4 crt_file=none key_file=none" \
            0 \
            -S "skip write certificate request" \
            -C "skip parse certificate request" \
            -c "got a certificate request" \
            -C "skip write certificate$" \
            -c "skip write certificate verify" \
            -c "got no certificate to send" \
            -s "SSLv3 client has no certificate" \
            -s "skip parse certificate verify" \
            -s "! no client certificate sent" \
            -S "! ssl_handshake returned" \
            -C "! ssl_handshake returned" \
            -S "X509 - Certificate verification failed"

Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
685 686 687
# tests for SNI

run_test    "SNI #0 (no SNI callback)" \
688
            "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
689
             crt_file=data_files/server5.crt key_file=data_files/server5.key" \
690
            "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
691 692 693 694 695 696 697
             server_name=localhost" \
             0 \
             -S "parse ServerName extension" \
             -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \
             -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

run_test    "SNI #1 (matching cert 1)" \
698
            "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
699 700
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
701
            "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
702 703 704 705 706 707 708
             server_name=localhost" \
             0 \
             -s "parse ServerName extension" \
             -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
             -c "subject name *: C=NL, O=PolarSSL, CN=localhost"

run_test    "SNI #2 (matching cert 2)" \
709
            "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
710 711
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
712
            "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
713 714 715 716 717 718 719
             server_name='PolarSSL Server 1'" \
             0 \
             -s "parse ServerName extension" \
             -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
             -c "subject name *: C=NL, O=PolarSSL, CN=PolarSSL Server 1"

run_test    "SNI #3 (no matching cert)" \
720
            "$P_SRV debug_level=4 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
721 722
             crt_file=data_files/server5.crt key_file=data_files/server5.key \
             sni='localhost,data_files/server2.crt,data_files/server2.key,PolarSSL Server 1,data_files/server1.crt,data_files/server1.key'" \
723
            "$P_CLI debug_level=0 server_addr=127.0.0.1 \
Manuel Pégourié-Gonnard's avatar
Manuel Pégourié-Gonnard committed
724 725 726 727 728 729 730 731
             server_name='PolarSSL Server 2'" \
             1 \
             -s "parse ServerName extension" \
             -s "ssl_sni_wrapper() returned" \
             -s "ssl_handshake returned" \
             -c "ssl_handshake returned" \
             -c "SSL - A fatal alert message was received from our peer"

732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789
# Tests for non-blocking I/O: exercise a variety of handshake flows

run_test    "Non-blocking I/O #1 (basic handshake)" \
            "$P_SRV nbio=2 tickets=0 auth_mode=none" \
            "$P_CLI nbio=2 tickets=0" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #2 (client auth)" \
            "$P_SRV nbio=2 tickets=0 auth_mode=required" \
            "$P_CLI nbio=2 tickets=0" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #3 (ticket)" \
            "$P_SRV nbio=2 tickets=1 auth_mode=none" \
            "$P_CLI nbio=2 tickets=1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #4 (ticket + client auth)" \
            "$P_SRV nbio=2 tickets=1 auth_mode=required" \
            "$P_CLI nbio=2 tickets=1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #5 (ticket + client auth + resume)" \
            "$P_SRV nbio=2 tickets=1 auth_mode=required" \
            "$P_CLI nbio=2 tickets=1 reconnect=1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #6 (ticket + resume)" \
            "$P_SRV nbio=2 tickets=1 auth_mode=none" \
            "$P_CLI nbio=2 tickets=1 reconnect=1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

run_test    "Non-blocking I/O #7 (session-id resume)" \
            "$P_SRV nbio=2 tickets=0 auth_mode=none" \
            "$P_CLI nbio=2 tickets=0 reconnect=1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -c "Read from server: .* bytes read"

790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859
run_test    "Version check #1 (all -> 1.2)" \
            "$P_SRV" \
            "$P_CLI" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.2" \
            -c "Protocol is TLSv1.2"

run_test    "Version check #2 (cli max 1.1 -> 1.1)" \
            "$P_SRV" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

run_test    "Version check #3 (srv max 1.1 -> 1.1)" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

run_test    "Version check #4 (cli+srv max 1.1 -> 1.1)" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

run_test    "Version check #5 (cli max 1.1, srv min 1.1 -> 1.1)" \
            "$P_SRV min_version=tls1_1" \
            "$P_CLI max_version=tls1_1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

run_test    "Version check #6 (cli min 1.1, srv max 1.1 -> 1.1)" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI min_version=tls1_1" \
            0 \
            -S "ssl_handshake returned" \
            -C "ssl_handshake returned" \
            -s "Protocol is TLSv1.1" \
            -c "Protocol is TLSv1.1"

run_test    "Version check #7 (cli min 1.2, srv max 1.1 -> fail)" \
            "$P_SRV max_version=tls1_1" \
            "$P_CLI min_version=tls1_2" \
            1 \
            -s "ssl_handshake returned" \
            -c "ssl_handshake returned" \
            -c "SSL - Handshake protocol not within min/max boundaries"

run_test    "Version check #8 (srv min 1.2, cli max 1.1 -> fail)" \
            "$P_SRV min_version=tls1_2" \
            "$P_CLI max_version=tls1_1" \
            1 \
            -s "ssl_handshake returned" \
            -c "ssl_handshake returned" \
            -s "SSL - Handshake protocol not within min/max boundaries"

860 861
# Final report

862 863 864 865 866 867 868 869
echo "------------------------------------------------------------------------"

if [ $FAILS = 0 ]; then
    echo -n "PASSED"
else
    echo -n "FAILED"
fi
PASSES=`echo $TESTS - $FAILS | bc`
870
echo " ($PASSES / $TESTS tests)"
871 872

exit $FAILS