diff --git a/tests/opt-testcases/tls13-compat.sh b/tests/opt-testcases/tls13-compat.sh index a1bb526526..291fe1c44d 100755 --- a/tests/opt-testcases/tls13-compat.sh +++ b/tests/opt-testcases/tls13-compat.sh @@ -3475,48 +3475,14 @@ run_test "TLS 1.3 m->G: TLS_AES_128_CCM_8_SHA256,x448,rsa_pss_rsae_sha256" \ -c "Verifying peer X.509 certificate... ok" \ -C "received HelloRetryRequest message" -requires_openssl_tls1_3 -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "TLS 1.3 m->O: HRR secp384r1 -> secp256r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ - 0 \ - -c "HTTP/1.0 200 ok" \ - -c "NamedGroup: secp384r1 ( 18 )" \ - -c "NamedGroup: secp256r1 ( 17 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "received HelloRetryRequest message" \ - -c "selected_group ( 23 )" - -requires_gnutls_tls1_3 -requires_gnutls_next_no_ticket -requires_gnutls_next_disable_tls13_compat -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "TLS 1.3 m->G: HRR secp384r1 -> secp256r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ - 0 \ - -c "HTTP/1.0 200 OK" \ - -c "NamedGroup: secp384r1 ( 18 )" \ - -c "NamedGroup: secp256r1 ( 17 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "received HelloRetryRequest message" \ - -c "selected_group ( 23 )" - requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE run_test "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,secp384r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "NamedGroup: secp256r1 ( 17 )" \ @@ -3525,32 +3491,14 @@ run_test "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" \ -c "received HelloRetryRequest message" \ -c "selected_group ( 24 )" -requires_gnutls_tls1_3 -requires_gnutls_next_no_ticket -requires_gnutls_next_disable_tls13_compat -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "TLS 1.3 m->G: HRR secp256r1 -> secp384r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1" \ - 0 \ - -c "HTTP/1.0 200 OK" \ - -c "NamedGroup: secp256r1 ( 17 )" \ - -c "NamedGroup: secp384r1 ( 18 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "received HelloRetryRequest message" \ - -c "selected_group ( 24 )" - requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE run_test "TLS 1.3 m->O: HRR secp256r1 -> secp521r1" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,secp521r1" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "NamedGroup: secp256r1 ( 17 )" \ @@ -3559,33 +3507,14 @@ run_test "TLS 1.3 m->O: HRR secp256r1 -> secp521r1" \ -c "received HelloRetryRequest message" \ -c "selected_group ( 25 )" -requires_gnutls_tls1_3 -requires_gnutls_next_no_ticket -requires_gnutls_next_disable_tls13_compat -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -run_test "TLS 1.3 m->G: HRR secp256r1 -> secp521r1" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp521r1_sha512 curves=secp256r1,secp521r1" \ - 0 \ - -c "HTTP/1.0 200 OK" \ - -c "NamedGroup: secp256r1 ( 17 )" \ - -c "NamedGroup: secp521r1 ( 19 )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "received HelloRetryRequest message" \ - -c "selected_group ( 25 )" - requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT run_test "TLS 1.3 m->O: HRR secp256r1 -> x25519" \ - "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt sig_algs=rsa_pss_rsae_sha256 curves=secp256r1,x25519" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,x25519" \ 0 \ -c "HTTP/1.0 200 ok" \ -c "NamedGroup: secp256r1 ( 17 )" \ @@ -3594,25 +3523,6 @@ run_test "TLS 1.3 m->O: HRR secp256r1 -> x25519" \ -c "received HelloRetryRequest message" \ -c "selected_group ( 29 )" -requires_gnutls_tls1_3 -requires_gnutls_next_no_ticket -requires_gnutls_next_disable_tls13_compat -requires_config_enabled MBEDTLS_DEBUG_C -requires_config_enabled MBEDTLS_SSL_CLI_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE -requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT -run_test "TLS 1.3 m->G: HRR secp256r1 -> x25519" \ - "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ - "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca_cat12.crt sig_algs=rsa_pss_rsae_sha256 curves=secp256r1,x25519" \ - 0 \ - -c "HTTP/1.0 200 OK" \ - -c "NamedGroup: secp256r1 ( 17 )" \ - -c "NamedGroup: x25519 ( 1d )" \ - -c "Verifying peer X.509 certificate... ok" \ - -c "received HelloRetryRequest message" \ - -c "selected_group ( 29 )" - requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C @@ -3629,6 +3539,316 @@ run_test "TLS 1.3 m->O: HRR secp256r1 -> x448" \ -c "received HelloRetryRequest message" \ -c "selected_group ( 30 )" +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp384r1 -> secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp384r1 -> secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp384r1 -> x25519" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp384r1 -> x448" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp521r1 -> secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp521r1 -> secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp521r1 -> x25519" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR secp521r1 -> x448" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x25519 -> secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x25519 -> secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x25519 -> secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x25519 -> x448" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,x448" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x448 -> secp256r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x448 -> secp384r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x448 -> secp521r1" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->O: HRR x448 -> x25519" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,x25519" \ + 0 \ + -c "HTTP/1.0 200 ok" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp256r1 -> secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp256r1 -> secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp256r1 -> x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp256r1,x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + requires_gnutls_tls1_3 requires_gnutls_next_no_ticket requires_gnutls_next_disable_tls13_compat @@ -3646,3 +3866,291 @@ run_test "TLS 1.3 m->G: HRR secp256r1 -> x448" \ -c "Verifying peer X.509 certificate... ok" \ -c "received HelloRetryRequest message" \ -c "selected_group ( 30 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp384r1 -> secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp384r1 -> secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp384r1 -> x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp384r1 -> x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp384r1,x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp521r1 -> secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp521r1 -> secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp521r1 -> x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR secp521r1 -> x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=secp521r1,x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x25519 -> secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x25519 -> secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x25519 -> secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x25519 -> x448" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x25519,x448" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 30 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x448 -> secp256r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp256r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp256r1 ( 17 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 23 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x448 -> secp384r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp384r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp384r1 ( 18 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 24 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x448 -> secp521r1" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,secp521r1" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: secp521r1 ( 19 )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 25 )" + +requires_gnutls_tls1_3 +requires_gnutls_next_no_ticket +requires_gnutls_next_disable_tls13_compat +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +run_test "TLS 1.3 m->G: HRR x448 -> x25519" \ + "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \ + "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt sig_algs=ecdsa_secp256r1_sha256 curves=x448,x25519" \ + 0 \ + -c "HTTP/1.0 200 OK" \ + -c "NamedGroup: x448 ( 1e )" \ + -c "NamedGroup: x25519 ( 1d )" \ + -c "Verifying peer X.509 certificate... ok" \ + -c "received HelloRetryRequest message" \ + -c "selected_group ( 29 )" diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py index 63993459a6..fdc0c6d8ed 100755 --- a/tests/scripts/generate_tls13_compat_tests.py +++ b/tests/scripts/generate_tls13_compat_tests.py @@ -251,7 +251,7 @@ class GnuTLSServ(TLSProgram): priority_string_list.extend(update_priority_string_list( signature_algorithms, self.SIGNATURE_ALGORITHM)) else: - priority_string_list.extend(['SIGN-ALL','MAC-ALL']) + priority_string_list.extend(['SIGN-ALL', 'MAC-ALL']) if self._named_groups: @@ -375,24 +375,19 @@ def generate_compat_test(server=None, client=None, cipher=None, sig_alg=None, na return '\n'.join(server_object.pre_checks() + client_object.pre_checks() + [cmd]) -def generate_hrr_compat_test(server=None, client=None, cipher=None, sig_alg=None, - server_named_group=None): +def generate_hrr_compat_test(client=None, server=None, cert_sig_alg=None, + client_named_group=None, server_named_group=None): """ Generate Hello Retry Request test case with `ssl-opt.sh` format. """ - # Get a named_group for client side which does not equal input named_group - client_named_group = list(sorted(set(NAMED_GROUP_IANA_VALUE.keys() - {server_named_group})))[0] name = 'TLS 1.3 {client[0]}->{server[0]}: HRR {c_named_group} -> {s_named_group}'.format( - client=client, server=server, c_named_group=client_named_group, - s_named_group=server_named_group) - server_object = SERVER_CLASSES[server](ciphersuite=cipher, - named_group=server_named_group, - cert_sig_alg=sig_alg) + client=client, server=server, c_named_group=client_named_group, + s_named_group=server_named_group) + server_object = SERVER_CLASSES[server](named_group=server_named_group, + cert_sig_alg=cert_sig_alg) - client_object = CLIENT_CLASSES[client](ciphersuite=cipher, - named_group=client_named_group, - cert_sig_alg=sig_alg) - # after here, the named_group order is client_named_group, named_group. + client_object = CLIENT_CLASSES[client](named_group=client_named_group, + cert_sig_alg=cert_sig_alg) client_object.add_named_groups(server_named_group) cmd = ['run_test "{}"'.format(name), '"{}"'.format( @@ -438,12 +433,6 @@ SSL_OUTPUT_HEADER = '''#!/bin/sh # ''' -def cycle_zip(*iters, max_len=None): - max_len = max_len or max([len(i) for i in iters]) - cycle_iters = zip(*[itertools.cycle(i) for i in iters]) - for _, c in zip(range(max_len), cycle_iters): - yield c - def main(): """ Main function of this program @@ -501,15 +490,16 @@ def main(): server=server, client=client) # Generate Hello Retry Request compat test cases - for combine_fields, server, client in \ - itertools.product(list(cycle_zip(CIPHER_SUITE_IANA_VALUE.keys(), - SIG_ALG_IANA_VALUE.keys(), - NAMED_GROUP_IANA_VALUE.keys())), + for client, server, client_named_group, server_named_group in \ + itertools.product(CLIENT_CLASSES.keys(), SERVER_CLASSES.keys(), - CLIENT_CLASSES.keys()): - cipher, sig_alg, named_group = combine_fields - yield generate_hrr_compat_test( server_named_group=named_group, sig_alg=sig_alg, - server=server, client=client) + NAMED_GROUP_IANA_VALUE.keys(), + NAMED_GROUP_IANA_VALUE.keys()): + if client_named_group != server_named_group: + yield generate_hrr_compat_test(client=client, server=server, + cert_sig_alg="ecdsa_secp256r1_sha256", + client_named_group=client_named_group, + server_named_group=server_named_group) if args.generate_all_tls13_compat_tests: if args.output: