From 30e731decd2cd4266b74d544ca81294d2947bf97 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Thu, 12 Oct 2017 13:50:29 +0200 Subject: [PATCH 1/7] Added buffer_size and response_size options for ssl-server2. Added appropriate tests. --- programs/ssl/ssl_server2.c | 64 ++++++++++-- tests/ssl-opt.sh | 193 +++++++++++++++++++++++++++++++------ 2 files changed, 220 insertions(+), 37 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 3a413ad5e..74d3a1d01 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -99,6 +99,7 @@ int main( void ) #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" +#define DFL_RESPONSE_SIZE -1 #define DFL_DEBUG_LEVEL 0 #define DFL_NBIO 0 #define DFL_EVENT 0 @@ -171,7 +172,7 @@ int main( void ) * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh * if you change this value to something outside the range <= 100 or > 500 */ -#define IO_BUF_LEN 200 +#define DFL_IO_BUF_LEN 200 #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_FS_IO) @@ -346,6 +347,11 @@ int main( void ) " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " buffer_size=%%d default: 200 \n" \ + " (minimum: 1, max: 16385)\n" \ + " response_size=%%d default: about 152 (basic response)\n" \ + " (minimum: 0, max: 16384)\n" \ + " increases buffer_size if bigger\n"\ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ @@ -421,6 +427,8 @@ struct options int nbio; /* should I/O be blocking? */ int event; /* loop or event-driven IO? level or edge triggered? */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ + int response_size; /* pad response with header to requested size */ + uint16_t buffer_size; /* IO buffer size */ const char *ca_file; /* the file with the CA certificate(s) */ const char *ca_path; /* the path with the CA certificate(s) reside */ const char *crt_file; /* the file with the server certificate */ @@ -1154,7 +1162,7 @@ int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; int version_suites[4][2]; - unsigned char buf[IO_BUF_LEN]; + unsigned char* buf = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -1285,10 +1293,12 @@ int main( int argc, char *argv[] ) goto exit; } + opt.buffer_size = DFL_IO_BUF_LEN; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; opt.event = DFL_EVENT; + opt.response_size = DFL_RESPONSE_SIZE; opt.nbio = DFL_NBIO; opt.read_timeout = DFL_READ_TIMEOUT; opt.ca_file = DFL_CA_FILE; @@ -1379,6 +1389,20 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "read_timeout" ) == 0 ) opt.read_timeout = atoi( q ); + else if( strcmp( p, "buffer_size" ) == 0 ) + { + opt.buffer_size = atoi( q ); + if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 ) + goto usage; + } + else if( strcmp( p, "response_size" ) == 0 ) + { + opt.response_size = atoi( q ); + if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + goto usage; + if( opt.buffer_size < opt.response_size ) + opt.buffer_size = opt.response_size; + } else if( strcmp( p, "ca_file" ) == 0 ) opt.ca_file = q; else if( strcmp( p, "ca_path" ) == 0 ) @@ -1700,7 +1724,14 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - + buf = malloc( opt.buffer_size ); + if( buf == NULL ) + { + mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + ret = 3; + goto exit; + } + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2708,8 +2739,8 @@ data_exchange: do { int terminated = 0; - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); ret = mbedtls_ssl_read( &ssl, buf, len ); if( mbedtls_status_is_ssl_in_progress( ret ) ) @@ -2809,8 +2840,8 @@ data_exchange: } else /* Not stream, so datagram */ { - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = opt.buffer_size - 1; + memset( buf, 0, opt.buffer_size ); do { @@ -2908,6 +2939,25 @@ data_exchange: len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) ); + /* Add padding to the response to reach opt.response_size in length */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len < opt.response_size ) + { + memset( buf + len, 'B', opt.response_size - len ); + len += opt.response_size - len; + } + + /* Truncate if response size is smaller than the "natural" size */ + if( opt.response_size != DFL_RESPONSE_SIZE && + len > opt.response_size ) + { + len = opt.response_size; + + /* Still end with \r\n unless that's really not possible */ + if( len >= 2 ) buf[len - 2] = '\r'; + if( len >= 1 ) buf[len - 1] = '\n'; + } + if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ) { for( written = 0, frags = 0; written < len; written += ret, frags++ ) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9faeb6703..a9dd5c03f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3968,10 +3968,10 @@ run_test "SSLv3 with extensions, server side" \ -S "dumping 'client hello extensions'" \ -S "server hello, total extension length:" -# Test for large packets +# Test for large client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 BlockCipher" \ +run_test "Large client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3980,7 +3980,7 @@ run_test "Large packet SSLv3 BlockCipher" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large packet SSLv3 StreamCipher" \ +run_test "Large client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -3988,7 +3988,7 @@ run_test "Large packet SSLv3 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher" \ +run_test "Large client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3996,7 +3996,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4004,7 +4004,7 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4013,21 +4013,21 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher" \ +run_test "Large client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4035,7 +4035,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4043,7 +4043,7 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4051,7 +4051,7 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher" \ +run_test "Large client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4059,7 +4059,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4067,7 +4067,7 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4075,14 +4075,14 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher" \ +run_test "Large client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4090,7 +4090,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4099,7 +4099,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4107,7 +4107,7 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4115,7 +4115,7 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher" \ +run_test "Large client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -4123,14 +4123,14 @@ run_test "Large packet TLS 1.2 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -4139,7 +4139,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -4147,7 +4147,7 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ @@ -4155,7 +4155,7 @@ run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher" \ +run_test "Large client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4163,7 +4163,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -4171,7 +4171,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -4179,7 +4179,7 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Large client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ @@ -4187,7 +4187,7 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD" \ +run_test "Large client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ @@ -4195,7 +4195,7 @@ run_test "Large packet TLS 1.2 AEAD" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 AEAD shorter tag" \ +run_test "Large client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ @@ -4203,6 +4203,139 @@ run_test "Large packet TLS 1.2 AEAD shorter tag" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" +# Test for large server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +# Checking next 2 tests logs for 1n-1 split against BEAST too +run_test "Large server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 16384 bytes read" + # Tests of asynchronous private key support in SSL requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE From c19fc55538eff85877ce5aeb9ccbb4c57130d6fc Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 19 Jun 2018 09:37:30 -0400 Subject: [PATCH 2/7] Add missing large and small packet tests for ssl_server2 --- tests/ssl-opt.sh | 486 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 443 insertions(+), 43 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a9dd5c03f..92151fd87 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3669,10 +3669,10 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \ 0 \ -s "Read from client: 500 bytes read (.*+.*)" -# Tests for small packets +# Tests for small client packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 BlockCipher" \ +run_test "Small client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3680,21 +3680,21 @@ run_test "Small packet SSLv3 BlockCipher" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Small packet SSLv3 StreamCipher" \ +run_test "Small client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher" \ +run_test "Small client packet TLS 1.0 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3702,7 +3702,7 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3710,21 +3710,21 @@ run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher" \ +run_test "Small client packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3732,7 +3732,7 @@ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3740,21 +3740,21 @@ run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher" \ +run_test "Small client packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ @@ -3762,7 +3762,7 @@ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3770,21 +3770,21 @@ run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher" \ +run_test "Small client packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3792,7 +3792,7 @@ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3800,28 +3800,28 @@ run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher" \ +run_test "Small client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ @@ -3829,7 +3829,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3837,21 +3837,21 @@ run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher" \ +run_test "Small client packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ @@ -3859,7 +3859,7 @@ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ @@ -3867,31 +3867,31 @@ run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ +run_test "Small client packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD" \ +run_test "Small client packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 AEAD shorter tag" \ +run_test "Small client packet TLS 1.2 AEAD shorter tag" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ -s "Read from client: 1 bytes read" -# Tests for small packets in DTLS +# Tests for small client packets in DTLS requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0" \ +run_test "Small client packet DTLS 1.0" \ "$P_SRV dtls=1 force_version=dtls1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3899,7 +3899,7 @@ run_test "Small packet DTLS 1.0" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.0, without EtM" \ +run_test "Small client packet DTLS 1.0, without EtM" \ "$P_SRV dtls=1 force_version=dtls1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3908,7 +3908,7 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, truncated hmac" \ +run_test "Small client packet DTLS 1.0, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3917,7 +3917,7 @@ run_test "Small packet DTLS 1.0, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ @@ -3925,7 +3925,7 @@ run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2" \ +run_test "Small client packet DTLS 1.2" \ "$P_SRV dtls=1 force_version=dtls1_2" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3933,7 +3933,7 @@ run_test "Small packet DTLS 1.2" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small packet DTLS 1.2, without EtM" \ +run_test "Small client packet DTLS 1.2, without EtM" \ "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3942,7 +3942,7 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, truncated hmac" \ +run_test "Small client packet DTLS 1.2, truncated hmac" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ @@ -3951,13 +3951,302 @@ run_test "Small packet DTLS 1.2, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ +run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" +# Tests for small server packets + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=1 min_version=ssl3" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Small server packet SSLv3 StreamCipher" \ + "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=ssl3 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=1 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ + 0 \ + -c "Read from server: 1 bytes read" + +run_test "Small server packet TLS 1.2 AEAD shorter tag" \ + "$P_SRV response_size=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ + 0 \ + -c "Read from server: 1 bytes read" + +# Tests for small server packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small server packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -c "Read from server: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -c "Read from server: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -4231,6 +4520,15 @@ run_test "Large server packet TLS 1.0 BlockCipher" \ -c "16383 bytes read"\ -C "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV response_size=16384" \ @@ -4249,6 +4547,41 @@ run_test "Large server packet TLS 1.0 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" run_test "Large server packet TLS 1.1 BlockCipher" \ @@ -4258,11 +4591,12 @@ run_test "Large server packet TLS 1.1 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" -run_test "Large server packet TLS 1.1 StreamCipher" \ - "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4274,6 +4608,30 @@ run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4283,6 +4641,14 @@ run_test "Large server packet TLS 1.1 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4290,6 +4656,14 @@ run_test "Large server packet TLS 1.2 BlockCipher" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV response_size=16384" \ + "$P_CLI force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -4306,11 +4680,28 @@ run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 StreamCipher" \ "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + +run_test "Large server packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ -c "Read from server: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC @@ -4322,6 +4713,15 @@ run_test "Large server packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -c "Read from server: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large server packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV response_size=16384 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "16384 bytes written in 1 fragments" \ + -c "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.2 AEAD" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ From da4029d665a37a290fa4d33e0ed8a3bb29b76f5e Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 07:07:55 -0400 Subject: [PATCH 3/7] ssl_server2: add buffer overhead for a termination character Switch to mbedtls style of memory allocation --- programs/ssl/ssl_server2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 74d3a1d01..b201c8bda 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1724,7 +1724,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - buf = malloc( opt.buffer_size ); + buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); @@ -3116,6 +3116,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif + mbedtls_free(buf); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 5c7e76eb4a4a9a284066896a40f6e026fbe27f59 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 08:17:04 -0400 Subject: [PATCH 4/7] Remove trailing whitespace --- programs/ssl/ssl_server2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b201c8bda..a08d6b2f1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1731,7 +1731,7 @@ int main( int argc, char *argv[] ) ret = 3; goto exit; } - + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; From 755890f5293902086e1ff53d88565c737069d921 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 20 Jun 2018 08:17:04 -0400 Subject: [PATCH 5/7] Remove trailing whitespace --- programs/ssl/ssl_server2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b201c8bda..cef910054 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1727,11 +1727,11 @@ int main( int argc, char *argv[] ) buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); if( buf == NULL ) { - mbedtls_printf("Could not allocate %u bytes\n", opt.buffer_size); + mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size ); ret = 3; goto exit; } - + if( opt.force_ciphersuite[0] > 0 ) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -3116,7 +3116,7 @@ exit: mbedtls_memory_buffer_alloc_free(); #endif - mbedtls_free(buf); + mbedtls_free( buf ); mbedtls_printf( " done.\n" ); #if defined(_WIN32) From 604ccc660847d5ba59db420f3ca2aad6bd71402e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 10 Jul 2018 15:55:52 +0200 Subject: [PATCH 6/7] Add ChangeLog entry --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 027a97174..8c2d90d4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS 2.xx.xx branch released xxxx-xx-xx + +Changes + * Close a test gap in (D)TLS between the client side and the server side: + test the handling of large packets and small packets on the client side + in the same way as on the server side. + = mbed TLS 2.11.0 branch released 2018-06-18 Features From 6a4f224ac3406d8afa6ed5753aa77110a132c454 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Mon, 27 Aug 2018 08:00:13 -0400 Subject: [PATCH 7/7] ssl-opt.sh: change expected output for large srv packet test with SSLv3 This test also exercises a protection against BEAST and should expect message splitting. --- tests/ssl-opt.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 92151fd87..9903aad73 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4493,15 +4493,6 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ -s "Read from client: 16384 bytes read" # Test for large server packets - -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 -run_test "Large server packet SSLv3 BlockCipher" \ - "$P_SRV response_size=16384 min_version=ssl3" \ - "$P_CLI force_version=ssl3 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 StreamCipher" \ "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -4510,7 +4501,17 @@ run_test "Large server packet SSLv3 StreamCipher" \ 0 \ -c "Read from server: 16384 bytes read" -# Checking next 2 tests logs for 1n-1 split against BEAST too +# Checking next 4 tests logs for 1n-1 split against BEAST too +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "Large server packet SSLv3 BlockCipher" \ + "$P_SRV response_size=16384 min_version=ssl3" \ + "$P_CLI force_version=ssl3 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -c "Read from server: 1 bytes read"\ + -c "16383 bytes read"\ + -C "Read from server: 16384 bytes read" + run_test "Large server packet TLS 1.0 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1 recsplit=0 \