From daa14a4212bdb88fd8e62e22944c899ac3830331 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Feb 2025 16:20:01 +0000 Subject: [PATCH 01/21] ssl-opt: Added fragmented HS tests for SSL_VARIABLE_BUFFER_LENGTH. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0736d0e3d0..d260cb7498 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13711,7 +13711,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (unsupported)" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ @@ -13719,6 +13719,24 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ -s "bad client hello message" \ -s "SSL - A message could not be parsed due to a syntactic error" +# Test Server Buffer resizing with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 1025 +run_test "Handshake defragmentation on server with buffer resizing: len=256, MFL=1024" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -maxfraglen 1024 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "Reallocating in_buf" \ + -s "Reallocating out_buf" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 5aaa6e048bb0e46d9b014d7df7b44f792603f6b2 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Feb 2025 18:23:09 +0000 Subject: [PATCH 02/21] ssl-opt: Added fragmented HS tests for client-initiated renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d260cb7498..d2ebaaee51 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -103,12 +103,14 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" + O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false O_NEXT_SRV_EARLY_DATA=false O_NEXT_CLI_NO_CERT=false O_NEXT_CLI=false + O_NEXT_CLI_RENEGOTIATE=false fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then @@ -13737,6 +13739,43 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" +# Test Client initiated renegotiation with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 529188f30bbd304bb84acace66cdc6d7135cf84b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 15:09:39 +0000 Subject: [PATCH 03/21] ssl-opt: Added fragmented HS tests for server-initiated renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d2ebaaee51..3d9ddd9eb4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13776,6 +13776,37 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ +# Test Server initiated renegotiation with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=300" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 300 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 300, 0..300 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 05009c736c146a94ad2d4090cb0e8f2e684bc2e8 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 15:19:53 +0000 Subject: [PATCH 04/21] Added Mock Renegotiation negative test for testing. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 3d9ddd9eb4..2ec090609f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13807,6 +13807,22 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" +# Mock negative test to demonstrate the failure with n-bit sized fragments, where ClientHello < n. +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation mock with server-initiated renegotation: len=256 renego_delay=default(16)" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 1 \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "renegotiation requested, but not honored by server" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 7134e52decd3866e393d1ebdc925c5ffd530ca0d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 18:51:09 +0000 Subject: [PATCH 05/21] programs -> ssl_client2.c: Added option renego_delay to set record buffer depth. Signed-off-by: Minos Galanakis --- programs/ssl/ssl_client2.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 6742925f2a..d5c2a63ff7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -75,6 +75,7 @@ int main(void) #define DFL_RECO_SERVER_NAME NULL #define DFL_RECO_DELAY 0 #define DFL_RECO_MODE 1 +#define DFL_RENEGO_DELAY -2 #define DFL_CID_ENABLED 0 #define DFL_CID_VALUE "" #define DFL_CID_ENABLED_RENEGO -1 @@ -298,7 +299,8 @@ int main(void) #if defined(MBEDTLS_SSL_RENEGOTIATION) #define USAGE_RENEGO \ " renegotiation=%%d default: 0 (disabled)\n" \ - " renegotiate=%%d default: 0 (disabled)\n" + " renegotiate=%%d default: 0 (disabled)\n" \ + " renego_delay=%%d default: -2 (library default)\n" #else #define USAGE_RENEGO "" #endif @@ -938,6 +940,7 @@ int main(int argc, char *argv[]) opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; + opt.renego_delay = DFL_RENEGO_DELAY; opt.exchanges = DFL_EXCHANGES; opt.min_version = DFL_MIN_VERSION; opt.max_version = DFL_MAX_VERSION; @@ -1172,6 +1175,8 @@ usage: break; default: goto usage; } + } else if (strcmp(p, "renego_delay") == 0) { + opt.renego_delay = (atoi(q)); } else if (strcmp(p, "renegotiate") == 0) { opt.renegotiate = atoi(q); if (opt.renegotiate < 0 || opt.renegotiate > 1) { @@ -1923,6 +1928,9 @@ usage: } #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation(&conf, opt.renegotiation); + if (opt.renego_delay != DFL_RENEGO_DELAY) { + mbedtls_ssl_conf_renegotiation_enforced(&conf, opt.renego_delay); + } #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) @@ -2467,6 +2475,8 @@ usage: } mbedtls_printf(" ok\n"); } + + #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) From 87be69a3fc99efa2504114267ee309978fe11879 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 7 Mar 2025 09:58:10 +0000 Subject: [PATCH 06/21] sll-opt: Added refence fix for the Mock HS Defrag test using renegotitiation delay Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2ec090609f..7ea00d2bbc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13823,6 +13823,22 @@ run_test "Handshake defragmentation mock with server-initiated renegotation: -c "found renegotiation extension" \ -c "renegotiation requested, but not honored by server" +# Fixing the above mock negative using the new renego_delay parameter +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation mock with server-initiated renegotiation: len=256 renego_delay=32" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 allow_legacy=1 renegotiation=1 renego_delay=32 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 200, 0..200 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 200/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 200/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 135ebd3241b3f817d03fe7f609036bb6613fe1bd Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:03:38 +0000 Subject: [PATCH 07/21] ssl-opt: Removed mock-tests from HS renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 44 ++++++-------------------------------------- 1 file changed, 6 insertions(+), 38 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7ea00d2bbc..19e4b95610 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13781,13 +13781,13 @@ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=300" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 300 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ +run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 300, 0..300 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 300/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" @@ -13807,38 +13807,6 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" -# Mock negative test to demonstrate the failure with n-bit sized fragments, where ClientHello < n. -requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation mock with server-initiated renegotation: len=256 renego_delay=default(16)" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ - 1 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "renegotiation requested, but not honored by server" - -# Fixing the above mock negative using the new renego_delay parameter -requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation mock with server-initiated renegotiation: len=256 renego_delay=32" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 allow_legacy=1 renegotiation=1 renego_delay=32 request_page=/reneg" \ - 0 \ - -c "initial handshake fragment: 200, 0..200 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 200/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 200/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" - # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 990a10909df5c6069df924d5b2d1a6f1c3ffd4f8 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:06:38 +0000 Subject: [PATCH 08/21] ssl-opt: Fragmented HS renegotiation, updated documentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 19e4b95610..b680c11eb5 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13721,7 +13721,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u -s "bad client hello message" \ -s "SSL - A message could not be parsed due to a syntactic error" -# Test Server Buffer resizing with fragmented handshake on TLS1.2 +# Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -13739,7 +13739,7 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" -# Test Client initiated renegotiation with fragmented handshake on TLS1.2 +# Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -13776,7 +13776,13 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ -# Test Server initiated renegotiation with fragmented handshake on TLS1.2 +# Test server-initiated renegotiation with fragmented handshake on TLS1.2 +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default value +# of 16 is necessary, as it sets the maximum record depth to match it. +# Splitting messages during the renegotiation process requires a deeper +# stack to accommodate the increased processing complexity. requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication From a7b19aa8572e93da788d74fa9b222e0f2549fb7e Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:17:25 +0000 Subject: [PATCH 09/21] ssl-opt: Refactored fragmented HS renegotiation tests. - Switched to using MBEDTLS_SSL_PROTO_TLS1_2 for dependency. - Re-ordered tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 77 ++++++++++++++++++++++++------------------------ 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index b680c11eb5..2aa124874c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13723,7 +13723,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u # Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -13741,25 +13741,7 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ - "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ - 0 \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -s "=> renegotiate" \ - -S "write hello request" \ - -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ @@ -13776,30 +13758,27 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ -# Test server-initiated renegotiation with fragmented handshake on TLS1.2 -# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server -# to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default value -# of 16 is necessary, as it sets the maximum record depth to match it. -# Splitting messages during the renegotiation process requires a deeper -# stack to accommodate the increased processing complexity. requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ +run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ +# Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ @@ -13813,6 +13792,28 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" + +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default value +# of 16 is necessary, as it sets the maximum record depth to match it. +# Splitting messages during the renegotiation process requires a deeper +# stack to accommodate the increased processing complexity. +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From ae54c749fca3f4c8c74bebcaeefd8c740243bfdf Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:19:48 +0000 Subject: [PATCH 10/21] ssl-opt: Added coverage for client-initiated fragmented HS renegotiation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2aa124874c..9e5930a269 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13776,6 +13776,43 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=128" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 128, 0..128 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 128/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 128/[0-9]\\+" \ + +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=4" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 4, 0..4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 4/[0-9]\\+" \ + # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From 70be67b97e1fe1119be949d89e062549c1057e4b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:00:45 +0000 Subject: [PATCH 11/21] ssl-opt: Fragmented HS renegotiation, updated matching regex Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9e5930a269..17dc43a42c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13735,9 +13735,9 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Reallocating in_buf" \ -s "Reallocating out_buf" \ -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" + -s "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/" \ + -s "Consume: waiting for more handshake fragments 256/" # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x @@ -13754,9 +13754,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -s "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 512/" \ + -s "Consume: waiting for more handshake fragments 512/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -13772,9 +13772,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/" \ + -s "Consume: waiting for more handshake fragments 256/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -13791,9 +13791,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 128, 0..128 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 128/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 128/[0-9]\\+" \ + -s "initial handshake fragment: 128, 0\\.\\.128 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 128/" \ + -s "Consume: waiting for more handshake fragments 128/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -13809,9 +13809,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 4, 0..4 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 4/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 4/[0-9]\\+" \ + -s "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/" \ + -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x @@ -13822,9 +13822,9 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 512/" \ + -c "Consume: waiting for more handshake fragments 512/" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" @@ -13844,9 +13844,9 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/" \ + -c "Consume: waiting for more handshake fragments 256/" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" From af0e60b38f534029f361efcc03c6a33676ec611d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:08:01 +0000 Subject: [PATCH 12/21] ssl-opt: Fragmented HS renegotiation, adjusted test names for consistency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 17dc43a42c..07323858e4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13728,7 +13728,7 @@ requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH requires_max_content_len 1025 -run_test "Handshake defragmentation on server with buffer resizing: len=256, MFL=1024" \ +run_test "Handshake defragmentation on server: len=256, buffer resizing with MFL=1024" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -maxfraglen 1024 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -13744,7 +13744,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ +run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13762,7 +13762,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ +run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13781,7 +13781,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=128" \ +run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13799,7 +13799,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=4" \ +run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13818,7 +13818,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ +run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ @@ -13840,7 +13840,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ +run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ From 9b2e4b80e706762efd2dd50127872b937307e8e3 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:10:12 +0000 Subject: [PATCH 13/21] ssl-opt: Fragmented HS renegotiation, removed requires_openssl_3_x dependency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 07323858e4..447a30de68 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13722,7 +13722,6 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u -s "SSL - A message could not be parsed due to a syntactic error" # Test server-side buffer resizing with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -13740,7 +13739,6 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with -s "Consume: waiting for more handshake fragments 256/" # Test client-initiated renegotiation with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -13758,7 +13756,6 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene -s "Prepare: waiting for more handshake fragments 512/" \ -s "Consume: waiting for more handshake fragments 512/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -13776,7 +13773,6 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene -s "Prepare: waiting for more handshake fragments 256/" \ -s "Consume: waiting for more handshake fragments 256/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -13795,7 +13791,6 @@ run_test "Handshake defragmentation on server: len=128, client-initiated rene -s "Prepare: waiting for more handshake fragments 128/" \ -s "Consume: waiting for more handshake fragments 128/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -13814,7 +13809,6 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -13836,7 +13830,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # of 16 is necessary, as it sets the maximum record depth to match it. # Splitting messages during the renegotiation process requires a deeper # stack to accommodate the increased processing complexity. -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION From 0b830f145f0898695924d1fbe8178b9b74c3abad Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:11:09 +0000 Subject: [PATCH 14/21] ssl-opt: Fragmented HS renegotiation, removed requires_certificate_authentication dependency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 447a30de68..98dc61e60b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13723,7 +13723,6 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u # Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH requires_max_content_len 1025 @@ -13740,7 +13739,6 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -13757,7 +13755,6 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene -s "Consume: waiting for more handshake fragments 512/" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -13775,7 +13772,6 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -13810,7 +13806,6 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -13831,7 +13826,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Splitting messages during the renegotiation process requires a deeper # stack to accommodate the increased processing complexity. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ From df4ddfdf0ce3f668c6646b6859ef397cbff4352a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:24:04 +0000 Subject: [PATCH 15/21] ssl-opt: Fragmented HS renegotiation, removed -legacy_renegotiation argument. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 98dc61e60b..0b3442dd3b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13808,7 +13808,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ @@ -13828,7 +13828,7 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ From a8f14384f8ca36246a067d236f61186375295c1b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:29:33 +0000 Subject: [PATCH 16/21] ssl-opt: Updated O_NEXT_CLI_RENEGOTIATE used by fragmented HS renegotiation with certificates. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0b3442dd3b..7ee8e33565 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -103,7 +103,7 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" - O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client" + O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false @@ -13742,7 +13742,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -13758,7 +13758,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -13775,7 +13775,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -13792,7 +13792,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ From 1d78c7d58d9f30ca5de5ba93908550627be5bac6 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Mar 2025 01:07:58 +0000 Subject: [PATCH 17/21] ssl-opt: Added client-initiated server-rejected renegotation test. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7ee8e33565..ff8f4d5e65 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13804,6 +13804,20 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego -s "Prepare: waiting for more handshake fragments 4/" \ -s "Consume: waiting for more handshake fragments 4/" \ +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotation" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=0 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ + 1 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "refusing renegotiation, sending alert" \ + -s "server hello, secure renegotiation extension" \ + -s "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/" \ + -s "Consume: waiting for more handshake fragments 4/" \ + # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION From 641e08e2aa3a1c703943f4149ceda240528b3886 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 13 Mar 2025 11:42:05 +0000 Subject: [PATCH 18/21] ssl-opt: Updated documentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ff8f4d5e65..e4756c0ad5 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13835,10 +13835,11 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Note: The /reneg endpoint serves as a directive for OpenSSL's s_server # to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default value -# of 16 is necessary, as it sets the maximum record depth to match it. -# Splitting messages during the renegotiation process requires a deeper -# stack to accommodate the increased processing complexity. +# Note: Adjusting the renegotiation delay beyond the library's default +# value of 16 is necessary. This parameter defines the maximum +# number of records received before renegotiation is completed. +# By fragmenting records and thereby increasing their quantity, +# the default threshold can be reached more quickly. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ From f475a15d5da6fbfbdd3aedcfce3e5d9761b596aa Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 13 Mar 2025 11:43:53 +0000 Subject: [PATCH 19/21] ssl-opt: Disabled the renegotiation delay for fragmented HS renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e4756c0ad5..1e71bef7f7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13840,11 +13840,12 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # number of records received before renegotiation is completed. # By fragmenting records and thereby increasing their quantity, # the default threshold can be reached more quickly. +# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ -c "Prepare: waiting for more handshake fragments 256/" \ From dfc082e16cb7d469d0955214e2682c012f93720f Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Mar 2025 10:25:24 +0000 Subject: [PATCH 20/21] ssl-opt: Fixed a minor typo. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1e71bef7f7..7707d97d13 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13740,7 +13740,7 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=512, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13756,7 +13756,7 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=256, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13773,7 +13773,7 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=128, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13790,7 +13790,7 @@ run_test "Handshake defragmentation on server: len=128, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=4, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -13807,7 +13807,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotation" \ +run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=0 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 1 \ @@ -13821,7 +13821,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated server # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ +run_test "Handshake defragmentation on client: len=512, server-initiated renegotiation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ @@ -13843,7 +13843,7 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ +run_test "Handshake defragmentation on client: len=256, server-initiated renegotiation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ 0 \ From 625c8fd2d9d39f7618cf4de081857483471dae1d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Mar 2025 10:31:37 +0000 Subject: [PATCH 21/21] ssl-opt: Added 4 and 128 bytes tests to HS defragmentation for server initiated reneg Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 44 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7707d97d13..6a5e7603c8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -13819,6 +13819,15 @@ run_test "Handshake defragmentation on server: len=4, client-initiated server -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 + +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default +# value of 16 is necessary. This parameter defines the maximum +# number of records received before renegotiation is completed. +# By fragmenting records and thereby increasing their quantity, +# the default threshold can be reached more quickly. +# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotiation" \ @@ -13832,15 +13841,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene -c "found renegotiation extension" \ -c "=> renegotiate" - -# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server -# to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default -# value of 16 is necessary. This parameter defines the maximum -# number of records received before renegotiation is completed. -# By fragmenting records and thereby increasing their quantity, -# the default threshold can be reached more quickly. -# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotiation" \ @@ -13854,6 +13854,32 @@ run_test "Handshake defragmentation on client: len=256, server-initiated rene -c "found renegotiation extension" \ -c "=> renegotiate" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on client: len=128, server-initiated renegotiation" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 128, 0\\.\\.128 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 128/" \ + -c "Consume: waiting for more handshake fragments 128/" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on client: len=4, server-initiated renegotiation" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 4/" \ + -c "Consume: waiting for more handshake fragments 4/" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG