From 18ddccc417d19d56dd352a0a05f4535a444db22a Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Mon, 21 Jun 2021 19:43:33 +0100 Subject: [PATCH 01/10] Remove hard exit in ssh-opt.sh, replace with `requires` functions - Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with `get_config_value_or_default` - Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with `requires_config_value_at_least` Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 53 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5954004d47..06e4b95643 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -374,10 +374,11 @@ requires_not_i686() { } # Calculate the input & output maximum content lengths set in the config -MAX_CONTENT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_MAX_CONTENT_LEN || echo "16384") -MAX_IN_LEN=$( ../scripts/config.py get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN") -MAX_OUT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN") +MAX_CONTENT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_MAX_CONTENT_LEN") +MAX_IN_LEN=$(get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN") +MAX_OUT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN") +# Calculate the maximum content length that fits both if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then MAX_CONTENT_LEN="$MAX_IN_LEN" fi @@ -3151,13 +3152,8 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension -if [ "$MAX_CONTENT_LEN" -lt "4096" ]; then - printf '%s defines MBEDTLS_SSL_MAX_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" - exit 1 -fi - if [ $MAX_CONTENT_LEN -ne 16384 ]; then - echo "Using non-default maximum content length $MAX_CONTENT_LEN" + echo "Using non-default maximum content length $MAX_CONTENT_LEN instead of 16384 " fi requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -3224,7 +3220,7 @@ run_test "Max fragment length: disabled, larger message" \ -s "1 bytes read" requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length DTLS: disabled, larger message" \ +run_test "Max fragment length, DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ @@ -3234,6 +3230,9 @@ run_test "Max fragment length DTLS: disabled, larger message" \ -S "Maximum output fragment length is 16384" \ -c "fragment larger than.*maximum " +# Make sure it was compiled with lengths over 4096 +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ @@ -3248,6 +3247,8 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3262,6 +3263,8 @@ run_test "Max fragment length: client 512, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3276,6 +3279,8 @@ run_test "Max fragment length: client 512, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3290,6 +3295,8 @@ run_test "Max fragment length: client 512, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3304,6 +3311,8 @@ run_test "Max fragment length: client 1024, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3318,6 +3327,8 @@ run_test "Max fragment length: client 1024, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3332,6 +3343,8 @@ run_test "Max fragment length: client 1024, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3346,6 +3359,8 @@ run_test "Max fragment length: client 2048, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3360,6 +3375,8 @@ run_test "Max fragment length: client 2048, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3374,6 +3391,8 @@ run_test "Max fragment length: client 2048, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3388,6 +3407,8 @@ run_test "Max fragment length: client 4096, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3402,6 +3423,8 @@ run_test "Max fragment length: client 4096, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3416,6 +3439,8 @@ run_test "Max fragment length: client 4096, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3430,6 +3455,8 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ @@ -3441,6 +3468,8 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ @@ -3457,6 +3486,8 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ @@ -3474,6 +3505,8 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ From 05d43f49a11811e9a73c2f4bcc80fba30db3505d Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Mon, 21 Jun 2021 20:07:12 +0100 Subject: [PATCH 02/10] Remove hard exit with MAX_INTERMEDIATE_CA in ssl-opt.sh - Replace last remaining dependency on config.py with query_config - Replace hard exit with `requires_config_value_at_least` and `requires_config_value_at_most` to maintain the same effect Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 06e4b95643..df97b18ad7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4337,24 +4337,14 @@ run_test "Authentication: client no cert, ssl3" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its -# default value (8) +# config.h contains a value for MBEDTLS_X509_MAX_INTERMEDIATE_CA that is +# different from the script's assumed default value (below). +# Relevant tests are skipped if they do not match. MAX_IM_CA='8' -MAX_IM_CA_CONFIG=$( ../scripts/config.py get MBEDTLS_X509_MAX_INTERMEDIATE_CA) - -if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then - cat < Date: Tue, 22 Jun 2021 06:08:11 +0100 Subject: [PATCH 03/10] Add MAX_IM_CA requirement to int_max+1 chain as well Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index df97b18ad7..5d4eef035e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4353,6 +4353,8 @@ run_test "Authentication: server max_int chain, client default" \ 0 \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4361,6 +4363,8 @@ run_test "Authentication: server max_int+1 chain, client default" \ 1 \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4370,6 +4374,8 @@ run_test "Authentication: server max_int+1 chain, client optional" \ 1 \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client none" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4379,6 +4385,8 @@ run_test "Authentication: server max_int+1 chain, client none" \ 0 \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server default" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ @@ -4387,6 +4395,8 @@ run_test "Authentication: client max_int+1 chain, server default" \ 0 \ -S "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server optional" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ @@ -4395,6 +4405,8 @@ run_test "Authentication: client max_int+1 chain, server optional" \ 1 \ -s "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -4594,6 +4606,8 @@ run_test "Authentication, CA callback: server max_int chain, client default" -c "use CA callback for X.509 CRT verification" \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client default" \ @@ -4604,6 +4618,8 @@ run_test "Authentication, CA callback: server max_int+1 chain, client default -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ @@ -4615,6 +4631,8 @@ run_test "Authentication, CA callback: server max_int+1 chain, client optiona -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ @@ -4625,6 +4643,8 @@ run_test "Authentication, CA callback: client max_int+1 chain, server optiona -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server required" \ From ab9e433376fee257c2df07309721c080138b43ec Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Tue, 22 Jun 2021 07:16:40 +0100 Subject: [PATCH 04/10] Add space between command substitution braces and content Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5d4eef035e..6c08b51b16 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -374,9 +374,9 @@ requires_not_i686() { } # Calculate the input & output maximum content lengths set in the config -MAX_CONTENT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_MAX_CONTENT_LEN") -MAX_IN_LEN=$(get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN") -MAX_OUT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN") +MAX_CONTENT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_MAX_CONTENT_LEN" ) +MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" ) +MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" ) # Calculate the maximum content length that fits both if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then From bec7cf762d1edf6eb04a1683b123011bd37b4e49 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 10:10:49 +0100 Subject: [PATCH 05/10] Use `requires_max_content_len`, add check in Renegotiation - Abstract out repetitive checks for IN and OUT content lens - Remove unclear comment and redundant echo - Add content length constraints in Renegotiation with fragment length test Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 66 ++++++++++++++++++------------------------------ 1 file changed, 25 insertions(+), 41 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6c08b51b16..338678e99f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -296,6 +296,12 @@ requires_openssl_with_fallback_scsv() { fi } +# skip next test if either IN_CONTENT_LEN or MAX_CONTENT_LEN are below a value +requires_max_content_len() { + requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" $1 + requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 +} + # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then @@ -3152,10 +3158,6 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension -if [ $MAX_CONTENT_LEN -ne 16384 ]; then - echo "Using non-default maximum content length $MAX_CONTENT_LEN instead of 16384 " -fi - requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ @@ -3230,9 +3232,7 @@ run_test "Max fragment length, DTLS: disabled, larger message" \ -S "Maximum output fragment length is 16384" \ -c "fragment larger than.*maximum " -# Make sure it was compiled with lengths over 4096 -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ @@ -3247,8 +3247,7 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 +requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3263,8 +3262,7 @@ run_test "Max fragment length: client 512, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3279,8 +3277,7 @@ run_test "Max fragment length: client 512, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3295,8 +3292,7 @@ run_test "Max fragment length: client 512, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 +requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3311,8 +3307,7 @@ run_test "Max fragment length: client 1024, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3327,8 +3322,7 @@ run_test "Max fragment length: client 1024, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3343,8 +3337,7 @@ run_test "Max fragment length: client 1024, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3359,8 +3352,7 @@ run_test "Max fragment length: client 2048, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3375,8 +3367,7 @@ run_test "Max fragment length: client 2048, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3391,8 +3382,7 @@ run_test "Max fragment length: client 2048, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3407,8 +3397,7 @@ run_test "Max fragment length: client 4096, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3423,8 +3412,7 @@ run_test "Max fragment length: client 4096, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3439,8 +3427,7 @@ run_test "Max fragment length: client 4096, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3455,8 +3442,7 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ @@ -3468,8 +3454,7 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ @@ -3486,8 +3471,7 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ @@ -3505,8 +3489,7 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ @@ -3618,6 +3601,7 @@ run_test "Renegotiation: double" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "Renegotiation with max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ From ccdd25cbc50a46e644470ba5f4ffe4aa36f265b4 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 13:05:15 +0100 Subject: [PATCH 06/10] Reword and add explanatory comments for MAX_IM_CA tests - Reword the comment on config.h to suggest that `MAX_INTERMEDIATE_CA` may not exist in the config. - Add a comment explaining why the tests are more restrictive than necessary. Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 338678e99f..0583e1171b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -4321,12 +4321,16 @@ run_test "Authentication: client no cert, ssl3" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -# config.h contains a value for MBEDTLS_X509_MAX_INTERMEDIATE_CA that is -# different from the script's assumed default value (below). -# Relevant tests are skipped if they do not match. +# This script assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA has its default +# value, defined here as MAX_IM_CA. Some test cases will be skipped if the +# library is configured with a different value. MAX_IM_CA='8' +# The tests for the max_int tests can pass with any number higher than MAX_IM_CA +# because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1 +# tests can pass with any number less than MAX_IM_CA. However, stricter preconditions +# are in place so that the semantics are consistent with the test description. requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer From 8a693efe9b17ba4b1e5119ff0b5a0b24466f8bbe Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 13:10:41 +0100 Subject: [PATCH 07/10] Move repetitive equality check to `requires_config_value_equals` Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 53 +++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0583e1171b..f55c31f196 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -242,6 +242,17 @@ requires_config_value_at_most() { fi } +requires_config_value_equals() { + VAL=$( get_config_value_or_default "$1" ) + if [ -z "$VAL" ]; then + # Should never happen + echo "Mbed TLS configuration $1 is not defined" + exit 1 + elif [ "$VAL" -ne "$2" ]; then + SKIP_NEXT="YES" + fi +} + # Space-separated list of ciphersuites supported by this build of # Mbed TLS. P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null | @@ -4331,8 +4342,7 @@ MAX_IM_CA='8' # because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1 # tests can pass with any number less than MAX_IM_CA. However, stricter preconditions # are in place so that the semantics are consistent with the test description. -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ @@ -4341,8 +4351,7 @@ run_test "Authentication: server max_int chain, client default" \ 0 \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4351,8 +4360,7 @@ run_test "Authentication: server max_int+1 chain, client default" \ 1 \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4362,8 +4370,7 @@ run_test "Authentication: server max_int+1 chain, client optional" \ 1 \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client none" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -4373,8 +4380,7 @@ run_test "Authentication: server max_int+1 chain, client none" \ 0 \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server default" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ @@ -4383,8 +4389,7 @@ run_test "Authentication: client max_int+1 chain, server default" \ 0 \ -S "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server optional" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ @@ -4393,8 +4398,7 @@ run_test "Authentication: client max_int+1 chain, server optional" \ 1 \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -4403,8 +4407,7 @@ run_test "Authentication: client max_int+1 chain, server required" \ 1 \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -4582,8 +4585,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int chain, client default" \ @@ -4594,8 +4596,7 @@ run_test "Authentication, CA callback: server max_int chain, client default" -c "use CA callback for X.509 CRT verification" \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client default" \ @@ -4606,8 +4607,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client default -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ @@ -4619,8 +4619,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client optiona -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ @@ -4631,8 +4630,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server optiona -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server required" \ @@ -4643,8 +4641,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server require -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int chain, server required" \ From a49124e528a1d03055f4ded2e3b0b0319ba64df2 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Thu, 8 Jul 2021 15:56:33 +0100 Subject: [PATCH 08/10] Add content length constraint to tests that use max_frag_len Includes: - handshake memory tests - Connection ID (MFL) tests - DTLS fragmenting tests - SSLv3 with extensions test (backport only) Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f55c31f196..7a9f8a5827 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2423,6 +2423,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 512 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \ @@ -2436,6 +2437,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 1024 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \ @@ -6711,8 +6713,8 @@ run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \ -c "Read from server: 1 bytes read" # A test for extensions in SSLv3 - requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +requires_max_content_len 4096 run_test "SSLv3 with extensions, server side" \ "$P_SRV min_version=ssl3 debug_level=3" \ "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \ @@ -6961,6 +6963,7 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" # Test for large server packets +# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384. requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 StreamCipher" \ "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -7982,6 +7985,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8002,6 +8006,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8026,6 +8031,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 4096 run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8046,6 +8052,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ @@ -8073,6 +8080,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ @@ -8094,6 +8102,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8121,6 +8130,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8141,6 +8151,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8160,6 +8171,7 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 4096 run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8179,6 +8191,7 @@ run_test "DTLS fragmenting: client (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -8198,6 +8211,7 @@ run_test "DTLS fragmenting: server (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8223,6 +8237,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8254,6 +8269,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8278,6 +8294,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8301,6 +8318,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8330,6 +8348,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8353,6 +8372,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8379,6 +8399,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8415,6 +8436,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ -p "$P_PXY mtu=1450" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8444,6 +8466,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_CHACHAPOLY_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8476,6 +8499,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8508,6 +8532,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8541,6 +8566,7 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8573,6 +8599,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8602,6 +8629,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ @@ -8626,6 +8654,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -8651,6 +8680,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ @@ -8689,6 +8719,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls requires_not_i686 +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -8718,6 +8749,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ @@ -8746,6 +8778,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -8778,6 +8811,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$G_NEXT_SRV -u" \ @@ -8812,6 +8846,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ @@ -8849,6 +8884,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -8883,6 +8919,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ @@ -9981,6 +10018,7 @@ run_test "export keys functionality" \ requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 16384 run_tests_memory_after_hanshake # Final report From 7187953fc5e7629da9ebe506f0950543facd0ec8 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 9 Jul 2021 11:32:38 +0100 Subject: [PATCH 09/10] Raise max_content_len constraint by one in Connection ID tests - Also incorporates the grammar fix commit in the development branch Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7a9f8a5827..ee68a980dc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2421,9 +2421,12 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" -c "ignoring unexpected CID" \ -s "ignoring unexpected CID" +# This and the test below it require MAX_CONTENT_LEN to be at least MFL+1, because the +# tests check that the buffer contents are reallocated when the message is +# larger than the buffer. requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_max_content_len 512 +requires_max_content_len 513 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \ @@ -2437,7 +2440,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_max_content_len 1024 +requires_max_content_len 1025 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \ From 75ab92849638ca07838bb99b09dcfbe5f2e03805 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Mon, 26 Jul 2021 08:27:47 +0100 Subject: [PATCH 10/10] Fix DTLS 1.0 fragment tests not having length constraint Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ee68a980dc..88804fbe12 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -8699,6 +8699,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_gnutls +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ @@ -8739,6 +8740,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_gnutls requires_not_i686 +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -8767,6 +8769,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ "$O_SRV -dtls1 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ @@ -8795,6 +8798,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -8832,6 +8836,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$G_NEXT_SRV -u" \ @@ -8866,6 +8871,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ @@ -8905,6 +8911,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$O_SRV -dtls1 -verify 10" \ @@ -8941,6 +8948,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \