TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-20 11:11:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10575 from ronald-cron-arm/dtls-client-hello-defragmentation-prep

Browse Source 
Some preparatory work for DTLS client hello defragmentation
This commit is contained in:
Bence Szépkúti
2026-02-22 23:30:39 +00:00
committed by GitHub
parent 3b4984243f 73be048c8a
commit bbf8bbbdb6
12 changed files with 186 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
framework

Submodule framework updated: 4a57bd209d...8ed11c99fe

2
library/ssl_debug_helpers.h
View File

@@ -36,6 +36,8 @@ const char *mbedtls_ssl_named_group_to_str(uint16_t in);
const char *mbedtls_ssl_get_extension_name(unsigned int extension_type);
const char *mbedtls_ssl_get_hs_msg_name(int hs_msg_type);
void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
int level, const char *file, int line,
int hs_msg_type, uint32_t extensions_mask,

8
library/ssl_msg.c
View File

@@ -18,6 +18,7 @@
#include "mbedtls/ssl.h"
#include "debug_internal.h"
#include "ssl_debug_helpers.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
@@ -2325,7 +2326,8 @@ int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl)
max_hs_frag_len : rem_len;
if (frag_off == 0 && cur_hs_frag_len != hs_len) {
MBEDTLS_SSL_DEBUG_MSG(2, ("fragmenting handshake message (%u > %u)",
MBEDTLS_SSL_DEBUG_MSG(2, ("fragmenting %s handshake message (%u > %u)",
mbedtls_ssl_get_hs_msg_name(cur->p[0]),
(unsigned) cur_hs_frag_len,
(unsigned) max_hs_frag_len));
}
@@ -4157,7 +4159,9 @@ static int ssl_load_buffered_message(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("Next handshake message has been buffered - load"));
MBEDTLS_SSL_DEBUG_MSG(2, ("%s handshake message has been buffered%s",
mbedtls_ssl_get_hs_msg_name(hs_buf->data[0]),
hs_buf->is_fragmented ? " and reassembled" : ""));
MBEDTLS_SSL_DEBUG_BUF(3, "Buffered handshake message (incl. header)",
hs_buf->data, msg_len + 12);

16
library/ssl_tls.c
View File

@@ -679,7 +679,7 @@ const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
mbedtls_ssl_get_extension_id(extension_type)];
}
static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
const char *mbedtls_ssl_get_hs_msg_name(int hs_msg_type)
{
switch (hs_msg_type) {
case MBEDTLS_SSL_HS_CLIENT_HELLO:
@@ -694,8 +694,16 @@ static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
return "EncryptedExtensions";
case MBEDTLS_SSL_HS_CERTIFICATE:
return "Certificate";
case MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE:
return "ServerKeyExchange";
case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
return "CertificateRequest";
case MBEDTLS_SSL_HS_CERTIFICATE_VERIFY:
return "CertificateVerify";
case MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE:
return "ClientKeyExchange";
case MBEDTLS_SSL_HS_FINISHED:
return "Finished";
}
return "Unknown";
}
@@ -710,7 +718,7 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
mbedtls_debug_print_msg(
ssl, level, file, line,
"%s: %s(%u) extension %s %s.",
ssl_tls13_get_hs_msg_name(hs_msg_type),
mbedtls_ssl_get_hs_msg_name(hs_msg_type),
mbedtls_ssl_get_extension_name(extension_type),
extension_type,
extra_msg0, extra_msg1);
@@ -721,7 +729,7 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
if (extra_msg) {
mbedtls_debug_print_msg(
ssl, level, file, line,
"%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
"%s: %s(%u) extension %s.", mbedtls_ssl_get_hs_msg_name(hs_msg_type),
mbedtls_ssl_get_extension_name(extension_type), extension_type,
extra_msg);
return;
@@ -729,7 +737,7 @@ void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
mbedtls_debug_print_msg(
ssl, level, file, line,
"%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
"%s: %s(%u) extension.", mbedtls_ssl_get_hs_msg_name(hs_msg_type),
mbedtls_ssl_get_extension_name(extension_type), extension_type);
}

8
programs/ssl/ssl_server2.c
View File

@@ -3490,6 +3490,7 @@ handshake:
* 5. Verify the client certificate
*/
mbedtls_printf(" . Verifying peer X.509 certificate...");
fflush(stdout);
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
char vrfy_buf[512];
@@ -3507,6 +3508,7 @@ handshake:
char crt_buf[512];
mbedtls_printf(" . Peer certificate information ...\n");
fflush(stdout);
mbedtls_x509_crt_info(crt_buf, sizeof(crt_buf), " ",
mbedtls_ssl_get_peer_cert(&ssl));
mbedtls_printf("%s\n", crt_buf);
@@ -3959,6 +3961,7 @@ data_exchange:
size_t buf_len;
mbedtls_printf(" . Serializing live connection...");
fflush(stdout);
ret = mbedtls_ssl_context_save(&ssl, NULL, 0, &buf_len);
if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
@@ -3993,6 +3996,7 @@ data_exchange:
size_t b64_len;
mbedtls_printf(" . Save serialized context to a file... ");
fflush(stdout);
mbedtls_base64_encode(NULL, 0, &b64_len, context_buf, buf_len);
@@ -4041,6 +4045,7 @@ data_exchange:
if (opt.serialize == 1) {
/* nothing to do here, done by context_save() already */
mbedtls_printf(" . Context has been reset... ok\n");
fflush(stdout);
}
/*
@@ -4053,6 +4058,7 @@ data_exchange:
*/
if (opt.serialize == 2) {
mbedtls_printf(" . Freeing and reinitializing context...");
fflush(stdout);
mbedtls_ssl_free(&ssl);
@@ -4089,6 +4095,7 @@ data_exchange:
}
mbedtls_printf(" . Deserializing connection...");
fflush(stdout);
if ((ret = mbedtls_ssl_context_load(&ssl, context_buf,
buf_len)) != 0) {
@@ -4118,6 +4125,7 @@ data_exchange:
*/
close_notify:
mbedtls_printf(" . Closing the connection...");
fflush(stdout);
/* No error checking, the connection might be closed already */
do {

17
scripts/generate_tls_handshake_tests.py Executable file
View File

@@ -0,0 +1,17 @@
#!/usr/bin/env python3
"""
Generate miscellaneous TLS test cases relating to the handshake.
"""
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import sys
import framework_scripts_path # pylint: disable=unused-import
from mbedtls_framework import tls_handshake_tests
if __name__ == '__main__':
sys.argv[1:1] = ["--no-tls12-client-hello-defragmentation-support"]
tls_handshake_tests.main()

2
scripts/make_generated_files.bat
View File

@@ -12,4 +12,4 @@ python framework\scripts\make_generated_files.py || exit /b 1
cd ..
@rem @@@@ mbedtls @@@@
python framework\scripts\make_generated_files.py || exit /b 1
python scripts\make_generated_files.py || exit /b 1

81
scripts/make_generated_files.py Executable file
View File

@@ -0,0 +1,81 @@
#!/usr/bin/env python3
"""Generate, check and list the generated files
"""
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import sys
from pathlib import Path
import framework_scripts_path # pylint: disable=unused-import
from mbedtls_framework import build_tree
from mbedtls_framework import generated_files
from mbedtls_framework.generated_files import GenerationScript, get_generation_script_files
GENERATION_SCRIPTS = [
GenerationScript(
Path("scripts/generate_errors.pl"),
[Path("library/error.c")],
None, "tf-psa-crypto/drivers/builtin/include/mbedtls \
include/mbedtls/ \
scripts/data_files"
),
GenerationScript(
Path("scripts/generate_features.pl"),
[Path("library/version_features.c")],
None, "include/mbedtls/ scripts/data_files"
),
GenerationScript(
Path("framework/scripts/generate_ssl_debug_helpers.py"),
[Path("library/ssl_debug_helpers_generated.c")],
"", None
),
GenerationScript(
Path("framework/scripts/generate_test_keys.py"),
[Path("tests/include/test/test_keys.h")],
None, "--output"
),
GenerationScript(
Path("framework/scripts/generate_test_cert_macros.py"),
[Path("tests/include/test/test_certs.h")],
None, "--output"
),
GenerationScript(
Path("scripts/generate_query_config.pl"),
[Path("programs/test/query_config.c")],
None, "include/mbedtls/mbedtls_config.h \
tf-psa-crypto/include/psa/crypto_config.h \
scripts/data_files/query_config.fmt"
),
GenerationScript(
Path("framework/scripts/generate_config_tests.py"),
get_generation_script_files("framework/scripts/generate_config_tests.py"),
"--directory", None
),
GenerationScript(
Path("framework/scripts/generate_tls13_compat_tests.py"),
[Path("tests/opt-testcases/tls13-compat.sh")],
None, "--output"
),
GenerationScript(
Path("scripts/generate_tls_handshake_tests.py"),
[Path("tests/opt-testcases/handshake-generated.sh")],
None, "--output"
),
GenerationScript(
Path("scripts/generate_config_checks.py"),
get_generation_script_files("scripts/generate_config_checks.py"),
output_dir_option="",
optional=True)
]
def main() -> int:
if not build_tree.looks_like_mbedtls_root("."):
raise RuntimeError("This script must be run from Mbed TLS.")
return generated_files.main(GENERATION_SCRIPTS)
if __name__ == "__main__":
sys.exit(main())

4
tests/CMakeLists.txt
View File

@@ -58,10 +58,10 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
"${MBEDTLS_PYTHON_EXECUTABLE}"
"${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py"
"${PROJECT_SOURCE_DIR}/scripts/generate_tls_handshake_tests.py"
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/tls_test_case.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_tls_handshake_tests.py
${PROJECT_SOURCE_DIR}/scripts/generate_tls_handshake_tests.py
)
add_custom_target(handshake-generated.sh
DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/opt-testcases/handshake-generated.sh)

4
tests/Makefile
View File

@@ -45,9 +45,9 @@ GENERATED_FILES = \
.PHONY: ssl-opt
opt-testcases/handshake-generated.sh: ../framework/scripts/mbedtls_framework/tls_test_case.py
opt-testcases/handshake-generated.sh: ../framework/scripts/generate_tls_handshake_tests.py
opt-testcases/handshake-generated.sh: ../scripts/generate_tls_handshake_tests.py
echo " Gen $@"
$(PYTHON) ../framework/scripts/generate_tls_handshake_tests.py -o $@
$(PYTHON) ../scripts/generate_tls_handshake_tests.py -o $@
GENERATED_FILES += opt-testcases/handshake-generated.sh
ssl-opt: opt-testcases/handshake-generated.sh

8
tests/scripts/components-basic-checks.sh
View File

@@ -19,14 +19,14 @@ component_check_recursion () {
component_check_generated_files () {
msg "Check make_generated_files.py consistency"
$MAKE_COMMAND neat
$FRAMEWORK/scripts/make_generated_files.py
$FRAMEWORK/scripts/make_generated_files.py --check
scripts/make_generated_files.py
scripts/make_generated_files.py --check
$MAKE_COMMAND neat
msg "Check files generated with make"
MBEDTLS_ROOT_DIR="$PWD"
$MAKE_COMMAND generated_files
$FRAMEWORK/scripts/make_generated_files.py --check
scripts/make_generated_files.py --check
cd $TF_PSA_CRYPTO_ROOT_DIR
./framework/scripts/make_generated_files.py --check
@@ -39,7 +39,7 @@ component_check_generated_files () {
make
cd "$MBEDTLS_ROOT_DIR"
$FRAMEWORK/scripts/make_generated_files.py --root "$OUT_OF_SOURCE_DIR" --check
scripts/make_generated_files.py --root "$OUT_OF_SOURCE_DIR" --check
cd $TF_PSA_CRYPTO_ROOT_DIR
./framework/scripts/make_generated_files.py --root "$OUT_OF_SOURCE_DIR/tf-psa-crypto" --check

100
tests/ssl-opt.sh
View File

@@ -9914,6 +9914,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-C "error"
requires_gnutls
@@ -9923,6 +9924,8 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-c "ServerKeyExchange handshake message has been buffered and reassembled" \
-C "error"
requires_gnutls
@@ -9932,6 +9935,8 @@ run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \
"$P_CLI dtls=1 nbio=2 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-c "ServerKeyExchange handshake message has been buffered and reassembled" \
-C "error"
requires_gnutls
@@ -9942,6 +9947,7 @@ run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \
"$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
@@ -9957,6 +9963,7 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \
"$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \
-c "=> renegotiate" \
@@ -9972,20 +9979,17 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \
-C "found fragmented DTLS handshake message" \
-C "error"
# Minimum possible MTU for OpenSSL server: 256 bytes.
# We expect the server Certificate handshake to be fragmented and verify that
# this is the case. Depending on the configuration, other handshake messages may
# also be fragmented.
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS reassembly: some fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS reassembly: more fragmentation (openssl server)" \
run_test "DTLS reassembly: fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
@@ -9994,6 +9998,7 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
"$P_CLI dtls=1 nbio=2 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
-c "Certificate handshake message has been buffered and reassembled" \
-C "error"
# Tests for sending fragmented handshake messages with DTLS
@@ -10662,7 +10667,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
key_file=$DATA_FILES_PATH/server8.key \
mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
-c "fragmenting Certificate handshake message" \
-C "error"
# We use --insecure for the GnuTLS client because it expects
@@ -10684,7 +10689,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
mtu=512 force_version=dtls12" \
"$G_CLI -u --insecure 127.0.0.1" \
0 \
-s "fragmenting handshake message"
-s "fragmenting Certificate handshake message"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
@@ -10696,7 +10701,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
key_file=$DATA_FILES_PATH/server8.key \
mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
-c "fragmenting Certificate handshake message" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
@@ -10709,7 +10714,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
mtu=512 force_version=dtls12" \
"$O_CLI -dtls1_2" \
0 \
-s "fragmenting handshake message"
-s "fragmenting Certificate handshake message"
# interop tests for DTLS fragmentating with unreliable connection
#
@@ -10728,7 +10733,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
-c "fragmenting Certificate handshake message" \
-C "error"
requires_gnutls_next
@@ -10744,7 +10749,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
"$G_NEXT_CLI -u --insecure 127.0.0.1" \
0 \
-s "fragmenting handshake message"
-s "fragmenting Certificate handshake message"
## The test below requires 1.1.1a or higher version of openssl, otherwise
## it might trigger a bug due to openssl server (https://github.com/openssl/openssl/issues/6902)
@@ -10761,7 +10766,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
key_file=$DATA_FILES_PATH/server8.key \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
0 \
-c "fragmenting handshake message" \
-c "fragmenting Certificate handshake message" \
-C "error"
## the test below will time out with certain seed.
@@ -10779,7 +10784,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
hs_timeout=250-60000 mtu=512 force_version=dtls12" \
"$O_CLI -dtls1_2" \
0 \
-s "fragmenting handshake message"
-s "fragmenting Certificate handshake message"
# Tests for DTLS-SRTP (RFC 5764)
requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
@@ -11496,9 +11501,9 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on client" \
hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "Next handshake message has been buffered - load"\
-c "Certificate handshake message has been buffered$"\
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load"\
-S "handshake message has been buffered"\
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11516,9 +11521,9 @@ run_test "DTLS reordering: Buffer out-of-order handshake message fragment on
-c "Buffering HS message" \
-c "found fragmented DTLS handshake message"\
-c "Next handshake message 1 not or only partially buffered" \
-c "Next handshake message has been buffered - load"\
-c "Certificate handshake message has been buffered and reassembled"\
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load"\
-S "handshake message has been buffered" \
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11539,10 +11544,11 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex
hs_timeout=2500-60000" \
0 \
-c "Buffering HS message" \
-c "Next handshake message has been buffered - load"\
-c "Certificate handshake message has been buffered and reassembled"\
-c "ServerKeyExchange handshake message has been buffered$"\
-C "attempt to make space by freeing buffered messages" \
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load"\
-S "handshake message has been buffered" \
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11566,7 +11572,7 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex
-c "attempt to make space by freeing buffered future messages" \
-c "Enough space available after freeing buffered HS messages" \
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load"\
-S "handshake message has been buffered" \
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11582,9 +11588,9 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \
hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
-C "handshake message has been buffered" \
-s "Buffering HS message" \
-s "Next handshake message has been buffered - load" \
-s "ClientKeyExchange handshake message has been buffered$" \
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11601,9 +11607,9 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on client"\
hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
-C "handshake message has been buffered" \
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load" \
-S "handshake message has been buffered" \
-c "Injecting buffered CCS message" \
-c "Remember CCS message" \
-S "Injecting buffered CCS message" \
@@ -11619,9 +11625,9 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on server"\
hs_timeout=2500-60000" \
0 \
-C "Buffering HS message" \
-C "Next handshake message has been buffered - load"\
-C "handshake message has been buffered" \
-S "Buffering HS message" \
-S "Next handshake message has been buffered - load" \
-S "handshake message has been buffered" \
-C "Injecting buffered CCS message" \
-C "Remember CCS message" \
-s "Injecting buffered CCS message" \
@@ -11857,10 +11863,11 @@ not_with_valgrind # risk of non-mbedtls peer timing out
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, openssl server, fragmentation" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_NEXT_SRV -dtls1_2 -mtu 768" \
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
"$O_NEXT_SRV -dtls1_2 -mtu 256" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 hs_timeout=500-60000 tickets=0" \
0 \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "Certificate handshake message has been buffered and reassembled"
requires_openssl_next
client_needs_more_time 8
@@ -11868,10 +11875,11 @@ not_with_valgrind # risk of non-mbedtls peer timing out
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_NEXT_SRV -dtls1_2 -mtu 768" \
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 tickets=0" \
"$O_NEXT_SRV -dtls1_2 -mtu 256" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 hs_timeout=500-60000 nbio=2 tickets=0" \
0 \
-c "HTTP/1.0 200 OK"
-c "HTTP/1.0 200 OK" \
-c "Certificate handshake message has been buffered and reassembled"
requires_gnutls
client_needs_more_time 6
@@ -11892,10 +11900,11 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, gnutls server, fragmentation" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$G_NEXT_SRV -u --mtu 512" \
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 hs_timeout=500-60000" \
0 \
-s "Extra-header:" \
-c "Extra-header:"
-c "Extra-header:" \
-c "Certificate handshake message has been buffered and reassembled"
requires_gnutls_next
client_needs_more_time 8
@@ -11904,10 +11913,11 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
-p "$P_PXY drop=5 delay=5 duplicate=5" \
"$G_NEXT_SRV -u --mtu 512" \
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \
"$P_CLI dgram_packing=0 dtls=1 debug_level=2 hs_timeout=500-60000 nbio=2" \
0 \
-s "Extra-header:" \
-c "Extra-header:"
-c "Extra-header:" \
-c "Certificate handshake message has been buffered and reassembled"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "export keys functionality" \
@@ -13766,16 +13776,6 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth
# Most test cases are in opt-testcases/handshake-generated.sh
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_certificate_authentication
run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (unsupported)" \
"$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \
"$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \
1 \
-s "The SSL configuration is tls12 only" \
-s "bad client hello message" \
-s "SSL - A message could not be parsed due to a syntactic error"
# Test server-side buffer resizing with fragmented handshake on TLS1.2
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH