Merge remote-tracking branch 'restricted/pr/517' into development
This commit is contained in:
commit
c774e32939
2 changed files with 302 additions and 112 deletions
|
@ -151,7 +151,7 @@ static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t remaining, expansion;
|
size_t remaining, expansion;
|
||||||
size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
|
size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||||
const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
|
const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
|
||||||
|
@ -212,7 +212,10 @@ static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
|
||||||
* delivered) of any compliant IPv4 (and IPv6) network, and should work
|
* delivered) of any compliant IPv4 (and IPv6) network, and should work
|
||||||
* on most non-IP stacks too. */
|
* on most non-IP stacks too. */
|
||||||
if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
|
if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
|
||||||
|
{
|
||||||
ssl->handshake->mtu = 508;
|
ssl->handshake->mtu = 508;
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
|
||||||
|
}
|
||||||
|
|
||||||
new_timeout = 2 * ssl->handshake->retransmit_timeout;
|
new_timeout = 2 * ssl->handshake->retransmit_timeout;
|
||||||
|
|
||||||
|
@ -7905,6 +7908,12 @@ size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
|
static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
|
/* Return unlimited mtu for client hello messages to avoid fragmentation. */
|
||||||
|
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
|
||||||
|
( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
|
||||||
|
ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
|
||||||
|
return ( 0 );
|
||||||
|
|
||||||
if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
|
if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
|
||||||
return( ssl->mtu );
|
return( ssl->mtu );
|
||||||
|
|
||||||
|
|
403
tests/ssl-opt.sh
403
tests/ssl-opt.sh
|
@ -262,6 +262,21 @@ requires_ipv6() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# skip next test if it's i686 or uname is not available
|
||||||
|
requires_not_i686() {
|
||||||
|
if [ -z "${IS_I686:-}" ]; then
|
||||||
|
IS_I686="YES"
|
||||||
|
if which "uname" >/dev/null 2>&1; then
|
||||||
|
if [ -z "$(uname -a | grep i686)" ]; then
|
||||||
|
IS_I686="NO"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ "$IS_I686" = "YES" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Calculate the input & output maximum content lengths set in the config
|
# Calculate the input & output maximum content lengths set in the config
|
||||||
MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
|
MAX_CONTENT_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384")
|
||||||
MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
MAX_IN_LEN=$( ../scripts/config.pl get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN")
|
||||||
|
@ -5731,10 +5746,12 @@ run_test "DTLS fragmenting: none (for reference)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=4096" \
|
max_frag_len=4096" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=4096" \
|
max_frag_len=4096" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
|
@ -5749,10 +5766,12 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=1024" \
|
max_frag_len=1024" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=2048" \
|
max_frag_len=2048" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
|
@ -5771,10 +5790,12 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=512" \
|
max_frag_len=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=4096" \
|
max_frag_len=4096" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
|
@ -5789,12 +5810,14 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=2048" \
|
max_frag_len=2048" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
max_frag_len=512" \
|
hs_timeout=2500-60000 \
|
||||||
0 \
|
max_frag_len=1024" \
|
||||||
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
@ -5811,15 +5834,17 @@ requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||||
run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
|
run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \
|
||||||
-p "$P_PXY mtu=560" \
|
-p "$P_PXY mtu=1110" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=none \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=2048" \
|
max_frag_len=2048" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
max_frag_len=512" \
|
hs_timeout=2500-60000 \
|
||||||
|
max_frag_len=1024" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
@ -5833,11 +5858,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=2048" \
|
max_frag_len=2048" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
max_frag_len=512" \
|
hs_timeout=2500-60000 \
|
||||||
|
max_frag_len=1024" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
@ -5855,15 +5882,17 @@ requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||||
run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
|
run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \
|
||||||
-p "$P_PXY mtu=560" \
|
-p "$P_PXY mtu=1110" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
max_frag_len=2048" \
|
max_frag_len=2048" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
max_frag_len=512" \
|
hs_timeout=2500-60000 \
|
||||||
|
max_frag_len=1024" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
@ -5876,10 +5905,12 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=4096" \
|
mtu=4096" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=4096" \
|
mtu=4096" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
|
@ -5893,11 +5924,13 @@ run_test "DTLS fragmenting: client (MTU)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=3500-60000 \
|
||||||
mtu=4096" \
|
mtu=4096" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
mtu=512" \
|
hs_timeout=3500-60000 \
|
||||||
|
mtu=1024" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-C "found fragmented DTLS handshake message" \
|
-C "found fragmented DTLS handshake message" \
|
||||||
|
@ -5910,10 +5943,12 @@ run_test "DTLS fragmenting: server (MTU)" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=2048" \
|
mtu=2048" \
|
||||||
0 \
|
0 \
|
||||||
-S "found fragmented DTLS handshake message" \
|
-S "found fragmented DTLS handshake message" \
|
||||||
|
@ -5923,54 +5958,96 @@ run_test "DTLS fragmenting: server (MTU)" \
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
run_test "DTLS fragmenting: both (MTU)" \
|
run_test "DTLS fragmenting: both (MTU=1024)" \
|
||||||
|
-p "$P_PXY mtu=1024" \
|
||||||
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
|
mtu=1024" \
|
||||||
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
|
mtu=1024" \
|
||||||
|
0 \
|
||||||
|
-s "found fragmented DTLS handshake message" \
|
||||||
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
|
||||||
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_SHA256_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
|
run_test "DTLS fragmenting: both (MTU=512)" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=512" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=2500-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# Test for automatic MTU reduction on repeated resend
|
# Test for automatic MTU reduction on repeated resend.
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
|
||||||
|
# The ratio of max/min timeout should ideally equal 4 to accept two
|
||||||
|
# retransmissions, but in some cases (like both the server and client using
|
||||||
|
# fragmentation and auto-reduction) an extra retransmission might occur,
|
||||||
|
# hence the ratio of 8.
|
||||||
not_with_valgrind
|
not_with_valgrind
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
|
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
|
||||||
-p "$P_PXY mtu=508" \
|
-p "$P_PXY mtu=508" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key\
|
key_file=data_files/server7.key \
|
||||||
hs_timeout=100-400" \
|
hs_timeout=400-3200" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
hs_timeout=100-400" \
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=400-3200" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 508 with full config.
|
||||||
only_with_valgrind
|
only_with_valgrind
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
|
run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
|
||||||
-p "$P_PXY mtu=508" \
|
-p "$P_PXY mtu=508" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key\
|
key_file=data_files/server7.key \
|
||||||
hs_timeout=250-10000" \
|
hs_timeout=250-10000" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
hs_timeout=250-10000" \
|
hs_timeout=250-10000" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
|
@ -5980,78 +6057,146 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \
|
||||||
# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
|
# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
|
||||||
# OTOH the client might resend if the server is to slow to reset after sending
|
# OTOH the client might resend if the server is to slow to reset after sending
|
||||||
# a HelloVerifyRequest, so only check for no retransmission server-side
|
# a HelloVerifyRequest, so only check for no retransmission server-side
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
run_test "DTLS fragmenting: proxy MTU, simple handshake" \
|
run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=1024" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
not_with_valgrind # spurious resend due to timeout
|
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
|
||||||
|
# the proxy shouldn't drop or mess up anything, so we shouldn't need to resend
|
||||||
|
# OTOH the client might resend if the server is to slow to reset after sending
|
||||||
|
# a HelloVerifyRequest, so only check for no retransmission server-side
|
||||||
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio" \
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
|
run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=512" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
mtu=512 nbio=2" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
mtu=512 nbio=2" \
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=512" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \
|
||||||
|
-p "$P_PXY mtu=1024" \
|
||||||
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024 nbio=2" \
|
||||||
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024 nbio=2" \
|
||||||
|
0 \
|
||||||
|
-S "autoreduction" \
|
||||||
|
-s "found fragmented DTLS handshake message" \
|
||||||
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
|
||||||
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
|
run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \
|
||||||
|
-p "$P_PXY mtu=512" \
|
||||||
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=512 nbio=2" \
|
||||||
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
|
key_file=data_files/server8.key \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=512 nbio=2" \
|
||||||
|
0 \
|
||||||
|
-S "autoreduction" \
|
||||||
|
-s "found fragmented DTLS handshake message" \
|
||||||
|
-c "found fragmented DTLS handshake message" \
|
||||||
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 1450 with full config.
|
||||||
# This ensures things still work after session_reset().
|
# This ensures things still work after session_reset().
|
||||||
# It also exercises the "resumed handshake" flow.
|
# It also exercises the "resumed handshake" flow.
|
||||||
# Since we don't support reading fragmented ClientHello yet,
|
# Since we don't support reading fragmented ClientHello yet,
|
||||||
# up the MTU to 1450 (larger than ClientHello with session ticket,
|
# up the MTU to 1450 (larger than ClientHello with session ticket,
|
||||||
# but still smaller than client's Certificate to ensure fragmentation).
|
# but still smaller than client's Certificate to ensure fragmentation).
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
# reco_delay avoids races where the client reconnects before the server has
|
# reco_delay avoids races where the client reconnects before the server has
|
||||||
# resumed listening, which would result in a spurious resend.
|
# resumed listening, which would result in a spurious autoreduction.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
|
run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
|
||||||
-p "$P_PXY mtu=1450" \
|
-p "$P_PXY mtu=1450" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
mtu=1450" \
|
mtu=1450" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
mtu=1450 reconnect=1 reco_delay=1" \
|
mtu=1450 reconnect=1 reco_delay=1" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6065,22 +6210,24 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
exchanges=2 renegotiation=1 \
|
exchanges=2 renegotiation=1 \
|
||||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
|
hs_timeout=10000-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
exchanges=2 renegotiation=1 renegotiate=1 \
|
exchanges=2 renegotiation=1 renegotiate=1 \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6095,22 +6242,24 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
exchanges=2 renegotiation=1 \
|
exchanges=2 renegotiation=1 \
|
||||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
hs_timeout=10000-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
exchanges=2 renegotiation=1 renegotiate=1 \
|
exchanges=2 renegotiation=1 renegotiate=1 \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
hs_timeout=10000-60000 \
|
||||||
mtu=512" \
|
mtu=512" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6120,27 +6269,29 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
requires_config_enabled MBEDTLS_AES_C
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
requires_config_enabled MBEDTLS_CCM_C
|
requires_config_enabled MBEDTLS_CCM_C
|
||||||
run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
|
run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=1024" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
exchanges=2 renegotiation=1 \
|
exchanges=2 renegotiation=1 \
|
||||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
exchanges=2 renegotiation=1 renegotiate=1 \
|
exchanges=2 renegotiation=1 renegotiate=1 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6151,27 +6302,29 @@ requires_config_enabled MBEDTLS_AES_C
|
||||||
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
|
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
|
||||||
requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
|
requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
|
||||||
run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
|
run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=1024" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
exchanges=2 renegotiation=1 \
|
exchanges=2 renegotiation=1 \
|
||||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
exchanges=2 renegotiation=1 renegotiate=1 \
|
exchanges=2 renegotiation=1 renegotiate=1 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
# A resend on the client-side might happen if the server is
|
# An autoreduction on the client-side might happen if the server is
|
||||||
# slow to reset, therefore omitting '-C "resend"' below.
|
# slow to reset, therefore omitting '-C "autoreduction"' below.
|
||||||
not_with_valgrind # spurious resend due to timeout
|
not_with_valgrind # spurious autoreduction due to timeout
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6181,27 +6334,33 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
requires_config_enabled MBEDTLS_AES_C
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
|
requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
|
||||||
run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
|
run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
|
||||||
-p "$P_PXY mtu=512" \
|
-p "$P_PXY mtu=1024" \
|
||||||
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
"$P_SRV dtls=1 debug_level=2 auth_mode=required \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
key_file=data_files/server7.key \
|
key_file=data_files/server7.key \
|
||||||
exchanges=2 renegotiation=1 \
|
exchanges=2 renegotiation=1 \
|
||||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
exchanges=2 renegotiation=1 renegotiate=1 \
|
exchanges=2 renegotiation=1 renegotiate=1 \
|
||||||
mtu=512" \
|
hs_timeout=10000-60000 \
|
||||||
|
mtu=1024" \
|
||||||
0 \
|
0 \
|
||||||
-S "resend" \
|
-S "autoreduction" \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS fragmenting: proxy MTU + 3d" \
|
run_test "DTLS fragmenting: proxy MTU + 3d" \
|
||||||
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
|
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
|
||||||
|
@ -6212,15 +6371,20 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
hs_timeout=250-10000 mtu=512" \
|
hs_timeout=250-10000 mtu=512" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
-c "found fragmented DTLS handshake message" \
|
-c "found fragmented DTLS handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
|
# Forcing ciphersuite for this test to fit the MTU of 512 with full config.
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||||
|
requires_config_enabled MBEDTLS_AES_C
|
||||||
|
requires_config_enabled MBEDTLS_GCM_C
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
|
run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
|
||||||
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
|
-p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \
|
||||||
|
@ -6231,6 +6395,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
|
||||||
"$P_CLI dtls=1 debug_level=2 \
|
"$P_CLI dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server8_int-ca2.crt \
|
crt_file=data_files/server8_int-ca2.crt \
|
||||||
key_file=data_files/server8.key \
|
key_file=data_files/server8.key \
|
||||||
|
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
hs_timeout=250-10000 mtu=512 nbio=2" \
|
hs_timeout=250-10000 mtu=512 nbio=2" \
|
||||||
0 \
|
0 \
|
||||||
-s "found fragmented DTLS handshake message" \
|
-s "found fragmented DTLS handshake message" \
|
||||||
|
@ -6241,7 +6406,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \
|
||||||
#
|
#
|
||||||
# here and below we just want to test that the we fragment in a way that
|
# here and below we just want to test that the we fragment in a way that
|
||||||
# pleases other implementations, so we don't need the peer to fragment
|
# pleases other implementations, so we don't need the peer to fragment
|
||||||
requires_gnutls
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6257,7 +6421,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
|
||||||
-c "fragmenting handshake message" \
|
-c "fragmenting handshake message" \
|
||||||
-C "error"
|
-C "error"
|
||||||
|
|
||||||
requires_gnutls
|
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
requires_config_enabled MBEDTLS_RSA_C
|
requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
|
@ -6285,6 +6448,7 @@ requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
|
requires_not_i686
|
||||||
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
|
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
|
||||||
"$P_SRV dtls=1 debug_level=2 \
|
"$P_SRV dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
|
@ -6300,6 +6464,7 @@ requires_config_enabled MBEDTLS_RSA_C
|
||||||
requires_config_enabled MBEDTLS_ECDSA_C
|
requires_config_enabled MBEDTLS_ECDSA_C
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
|
||||||
requires_gnutls
|
requires_gnutls
|
||||||
|
requires_not_i686
|
||||||
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
|
run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
|
||||||
"$P_SRV dtls=1 debug_level=2 \
|
"$P_SRV dtls=1 debug_level=2 \
|
||||||
crt_file=data_files/server7_int-ca.crt \
|
crt_file=data_files/server7_int-ca.crt \
|
||||||
|
@ -6637,8 +6802,10 @@ run_test "DTLS proxy: delay ChangeCipherSpec" \
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
|
run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
|
||||||
-p "$P_PXY delay_srv=ServerHello" \
|
-p "$P_PXY delay_srv=ServerHello" \
|
||||||
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-c "Buffering HS message" \
|
-c "Buffering HS message" \
|
||||||
-c "Next handshake message has been buffered - load"\
|
-c "Next handshake message has been buffered - load"\
|
||||||
|
@ -6651,8 +6818,10 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
|
run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \
|
||||||
-p "$P_PXY delay_srv=ServerHello" \
|
-p "$P_PXY delay_srv=ServerHello" \
|
||||||
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-c "Buffering HS message" \
|
-c "Buffering HS message" \
|
||||||
-c "found fragmented DTLS handshake message"\
|
-c "found fragmented DTLS handshake message"\
|
||||||
|
@ -6672,8 +6841,10 @@ run_test "DTLS reordering: Buffer out-of-order handshake message fragment on
|
||||||
requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
|
requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300
|
||||||
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
|
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \
|
||||||
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
|
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
|
||||||
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-c "Buffering HS message" \
|
-c "Buffering HS message" \
|
||||||
-c "Next handshake message has been buffered - load"\
|
-c "Next handshake message has been buffered - load"\
|
||||||
|
@ -6692,8 +6863,10 @@ requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900
|
||||||
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
|
requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299
|
||||||
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
|
run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \
|
||||||
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
|
-p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \
|
||||||
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-c "Buffering HS message" \
|
-c "Buffering HS message" \
|
||||||
-c "attempt to make space by freeing buffered future messages" \
|
-c "attempt to make space by freeing buffered future messages" \
|
||||||
|
@ -6707,8 +6880,10 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
|
run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
|
||||||
-p "$P_PXY delay_cli=Certificate" \
|
-p "$P_PXY delay_cli=Certificate" \
|
||||||
"$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-C "Buffering HS message" \
|
-C "Buffering HS message" \
|
||||||
-C "Next handshake message has been buffered - load"\
|
-C "Next handshake message has been buffered - load"\
|
||||||
|
@ -6721,8 +6896,10 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
|
run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
|
||||||
-p "$P_PXY delay_srv=NewSessionTicket" \
|
-p "$P_PXY delay_srv=NewSessionTicket" \
|
||||||
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-C "Buffering HS message" \
|
-C "Buffering HS message" \
|
||||||
-C "Next handshake message has been buffered - load"\
|
-C "Next handshake message has been buffered - load"\
|
||||||
|
@ -6735,8 +6912,10 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
|
run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
|
||||||
-p "$P_PXY delay_cli=ClientKeyExchange" \
|
-p "$P_PXY delay_cli=ClientKeyExchange" \
|
||||||
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-C "Buffering HS message" \
|
-C "Buffering HS message" \
|
||||||
-C "Next handshake message has been buffered - load"\
|
-C "Next handshake message has been buffered - load"\
|
||||||
|
@ -6749,8 +6928,10 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
|
||||||
|
|
||||||
run_test "DTLS reordering: Buffer encrypted Finished message" \
|
run_test "DTLS reordering: Buffer encrypted Finished message" \
|
||||||
-p "$P_PXY delay_ccs=1" \
|
-p "$P_PXY delay_ccs=1" \
|
||||||
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2" \
|
"$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 debug_level=2" \
|
hs_timeout=2500-60000" \
|
||||||
|
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
|
||||||
|
hs_timeout=2500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-s "Buffer record from epoch 1" \
|
-s "Buffer record from epoch 1" \
|
||||||
-s "Found buffered record from current epoch - load" \
|
-s "Found buffered record from current epoch - load" \
|
||||||
|
@ -6790,9 +6971,9 @@ run_test "DTLS reordering: Buffer encrypted Finished message, drop for fragme
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
|
run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123" \
|
psk=abc123" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
|
@ -6801,8 +6982,8 @@ run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
|
run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none" \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
|
||||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
|
@ -6811,8 +6992,8 @@ run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
|
run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none" \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0" \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
@ -6820,8 +7001,8 @@ run_test "DTLS proxy: 3d, \"short\" (no ticket, no cli_auth) FS handshake" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, FS, client auth" \
|
run_test "DTLS proxy: 3d, FS, client auth" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=required" \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=required" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0" \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
@ -6829,8 +7010,8 @@ run_test "DTLS proxy: 3d, FS, client auth" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, FS, ticket" \
|
run_test "DTLS proxy: 3d, FS, ticket" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1 auth_mode=none" \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=none" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1" \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
@ -6838,8 +7019,8 @@ run_test "DTLS proxy: 3d, FS, ticket" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
|
run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1 auth_mode=required" \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1 auth_mode=required" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=1" \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=1" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
@ -6847,9 +7028,9 @@ run_test "DTLS proxy: 3d, max handshake (FS, ticket + client auth)" \
|
||||||
client_needs_more_time 2
|
client_needs_more_time 2
|
||||||
run_test "DTLS proxy: 3d, max handshake, nbio" \
|
run_test "DTLS proxy: 3d, max handshake, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 nbio=2 tickets=1 \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1 \
|
||||||
auth_mode=required" \
|
auth_mode=required" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 nbio=2 tickets=1" \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 nbio=2 tickets=1" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
@ -6857,9 +7038,9 @@ run_test "DTLS proxy: 3d, max handshake, nbio" \
|
||||||
client_needs_more_time 4
|
client_needs_more_time 4
|
||||||
run_test "DTLS proxy: 3d, min handshake, resumption" \
|
run_test "DTLS proxy: 3d, min handshake, resumption" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 debug_level=3" \
|
psk=abc123 debug_level=3" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
|
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6871,9 +7052,9 @@ run_test "DTLS proxy: 3d, min handshake, resumption" \
|
||||||
client_needs_more_time 4
|
client_needs_more_time 4
|
||||||
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
|
run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 debug_level=3 nbio=2" \
|
psk=abc123 debug_level=3 nbio=2" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
|
debug_level=3 reconnect=1 read_timeout=1000 max_resend=10 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 nbio=2" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6886,9 +7067,9 @@ client_needs_more_time 4
|
||||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
|
run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 renegotiation=1 debug_level=2" \
|
psk=abc123 renegotiation=1 debug_level=2" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
renegotiate=1 debug_level=2 \
|
renegotiate=1 debug_level=2 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6901,9 +7082,9 @@ client_needs_more_time 4
|
||||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
|
run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 renegotiation=1 debug_level=2" \
|
psk=abc123 renegotiation=1 debug_level=2" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
renegotiate=1 debug_level=2 \
|
renegotiate=1 debug_level=2 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6916,10 +7097,10 @@ client_needs_more_time 4
|
||||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
|
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
|
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
|
||||||
debug_level=2" \
|
debug_level=2" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
renegotiation=1 exchanges=4 debug_level=2 \
|
renegotiation=1 exchanges=4 debug_level=2 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6932,10 +7113,10 @@ client_needs_more_time 4
|
||||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||||
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
|
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \
|
||||||
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
|
psk=abc123 renegotiate=1 renegotiation=1 exchanges=4 \
|
||||||
debug_level=2 nbio=2" \
|
debug_level=2 nbio=2" \
|
||||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 psk=abc123 \
|
||||||
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
|
renegotiation=1 exchanges=4 debug_level=2 nbio=2 \
|
||||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||||
0 \
|
0 \
|
||||||
|
@ -6955,7 +7136,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, openssl server" \
|
run_test "DTLS proxy: 3d, openssl server" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
||||||
"$O_SRV -dtls1 -mtu 2048" \
|
"$O_SRV -dtls1 -mtu 2048" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 tickets=0" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
|
||||||
0 \
|
0 \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
|
@ -6965,7 +7146,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, openssl server, fragmentation" \
|
run_test "DTLS proxy: 3d, openssl server, fragmentation" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
||||||
"$O_SRV -dtls1 -mtu 768" \
|
"$O_SRV -dtls1 -mtu 768" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 tickets=0" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
|
||||||
0 \
|
0 \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
|
@ -6975,7 +7156,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
|
run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
||||||
"$O_SRV -dtls1 -mtu 768" \
|
"$O_SRV -dtls1 -mtu 768" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 nbio=2 tickets=0" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
|
||||||
0 \
|
0 \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
|
@ -6985,7 +7166,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, gnutls server" \
|
run_test "DTLS proxy: 3d, gnutls server" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$G_SRV -u --mtu 2048 -a" \
|
"$G_SRV -u --mtu 2048 -a" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "Extra-header:"
|
-c "Extra-header:"
|
||||||
|
@ -6996,7 +7177,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
|
run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$G_SRV -u --mtu 512" \
|
"$G_SRV -u --mtu 512" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "Extra-header:"
|
-c "Extra-header:"
|
||||||
|
@ -7007,7 +7188,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out
|
||||||
run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
|
run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
|
||||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||||
"$G_SRV -u --mtu 512" \
|
"$G_SRV -u --mtu 512" \
|
||||||
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=250-60000 nbio=2" \
|
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
|
||||||
0 \
|
0 \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "Extra-header:"
|
-c "Extra-header:"
|
||||||
|
|
Loading…
Reference in a new issue