diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index afabb64529..89565b4cb3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -11882,6 +11882,249 @@ run_test "TLS 1.3 G->m HRR both with middlebox compat support" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST" \ -c "SSL 3.3 ChangeCipherSpec packet received" +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->O" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache + -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->G" \ + "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + -d 4 + --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$P_CLI debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \ + min_version=tls12 max_version=tls13 " \ + 0 \ + -c "Protocol is TLSv1.3" \ + -c "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -c "HTTP/1.0 200 [Oo][Kk]" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -cert data_files/server2-sha256.crt -key data_files/server2.key \ + -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp256r1_sha256" \ + 0 \ + -c "TLSv1.3" \ + -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check signature algorithm order, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384" \ + 0 \ + -c "Negotiated version: 3.4" \ + -c "HTTP/1.0 200 [Oo][Kk]" \ + -s "select_sig_alg_for_certificate_verify:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable signature algorithm, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key \ + --priority=NORMAL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-ECDSA-SECP521R1-SHA512" \ + 1 \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable signature algorithm, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256" \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -cert data_files/server2-sha256.crt -key data_files/server2.key \ + -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:ecdsa_secp521r1_sha512" \ + 1 \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check server no suitable signature algorithm, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,ecdsa_secp256r1_sha256 " \ + "$P_CLI allow_sha1=0 debug_level=4 crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,ecdsa_secp521r1_sha512 \ + min_version=tls12 max_version=tls13 " \ + 1 \ + -s "ssl_tls13_pick_key_cert:selected signature algorithm rsa_pss_rsae_sha512" \ + -s "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable certificate, G->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$G_NEXT_CLI_NO_CERT localhost -d 4 --x509cafile data_files/test-ca_cat12.crt \ + --priority=NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP521R1-SHA512:+SIGN-ECDSA-SECP256R1-SHA256" \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +run_test "TLS 1.3: Check server no suitable certificate, O->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$O_NEXT_CLI_NO_CERT -msg -CAfile data_files/test-ca_cat12.crt \ + -sigalgs ecdsa_secp521r1_sha512:ecdsa_secp256r1_sha256" \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check server no suitable certificate, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 + crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 " \ + "$P_CLI allow_sha1=0 debug_level=4 \ + sig_algs=ecdsa_secp521r1_sha512,ecdsa_secp256r1_sha256 \ + min_version=tls12 max_version=tls13 " \ + 1 \ + -s "ssl_tls13_pick_key_cert:no suitable certificate found" + +requires_openssl_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->O" \ + "$O_NEXT_SRV_NO_CERT -cert data_files/server2-sha256.crt -key data_files/server2.key + -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache + -Verify 10 -sigalgs rsa_pkcs1_sha512:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_gnutls_tls1_3 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->G" \ + "$G_NEXT_SRV_NO_CERT --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key + -d 4 + --priority=NORMAL:-VERS-ALL:-SIGN-ALL:+SIGN-RSA-SHA512:+SIGN-RSA-PSS-RSAE-SHA512:+SIGN-RSA-PSS-RSAE-SHA384:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS " \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + min_version=tls12 max_version=tls13 sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256" \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_config_enabled MBEDTLS_DEBUG_C +requires_config_enabled MBEDTLS_SSL_SRV_C +requires_config_enabled MBEDTLS_SSL_CLI_C +run_test "TLS 1.3: Check client no signature algorithm, m->m" \ + "$P_SRV debug_level=4 force_version=tls13 auth_mode=required + crt_file2=data_files/server2-sha256.crt key_file2=data_files/server2.key + crt_file=data_files/server5.crt key_file=data_files/server5.key + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp521r1_sha512" \ + "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key \ + sig_algs=rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_rsae_sha384,ecdsa_secp256r1_sha256 \ + min_version=tls12 max_version=tls13 " \ + 1 \ + -c "select_sig_alg_for_certificate_verify:no suitable signature algorithm found" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG