From 1e6438d8b9e9f57f066b57c62e55ae3d504e483e Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Feb 2025 16:20:01 +0000 Subject: [PATCH 01/21] ssl-opt: Added fragmented HS tests for SSL_VARIABLE_BUFFER_LENGTH. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fdbe0a900d..bcff90c0ad 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14463,7 +14463,7 @@ run_test "TLS 1.2 ClientHello indicating support for deflate compression meth requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication -run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ +run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (unsupported)" \ "$P_SRV debug_level=4 force_version=tls12 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 32 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 1 \ @@ -14471,6 +14471,24 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello" \ -s "bad client hello message" \ -s "SSL - A message could not be parsed due to a syntactic error" +# Test Server Buffer resizing with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 1025 +run_test "Handshake defragmentation on server with buffer resizing: len=256, MFL=1024" \ + "$P_SRV debug_level=4 auth_mode=required" \ + "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -maxfraglen 1024 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + 0 \ + -s "Reallocating in_buf" \ + -s "Reallocating out_buf" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From c4595a4c6a9dd1b78cc63f871ff0874e28782907 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Feb 2025 18:23:09 +0000 Subject: [PATCH 02/21] ssl-opt: Added fragmented HS tests for client-initiated renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bcff90c0ad..a9b4fee7fb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -103,12 +103,14 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" + O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false O_NEXT_SRV_EARLY_DATA=false O_NEXT_CLI_NO_CERT=false O_NEXT_CLI=false + O_NEXT_CLI_RENEGOTIATE=false fi if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then @@ -14489,6 +14491,43 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" +# Test Client initiated renegotiation with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From a37a936beb467149add764092690b6c2451bd1ad Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 15:09:39 +0000 Subject: [PATCH 03/21] ssl-opt: Added fragmented HS tests for server-initiated renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a9b4fee7fb..2acf33c038 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14528,6 +14528,37 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ +# Test Server initiated renegotiation with fragmented handshake on TLS1.2 +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=300" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 300 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 300, 0..300 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 12cf38885655faffd83b9292c499a87ab468652b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 15:19:53 +0000 Subject: [PATCH 04/21] Added Mock Renegotiation negative test for testing. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2acf33c038..0dd40e8ef9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14559,6 +14559,22 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" +# Mock negative test to demonstrate the failure with n-bit sized fragments, where ClientHello < n. +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation mock with server-initiated renegotation: len=256 renego_delay=default(16)" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ + 1 \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "renegotiation requested, but not honored by server" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From eec6eb9cd457a85e22432621177695aecf020fff Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 6 Mar 2025 18:51:09 +0000 Subject: [PATCH 05/21] programs -> ssl_client2.c: Added option renego_delay to set record buffer depth. Signed-off-by: Minos Galanakis --- programs/ssl/ssl_client2.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index ec68730da0..e169d3eb4c 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -76,6 +76,7 @@ int main(void) #define DFL_RECO_SERVER_NAME NULL #define DFL_RECO_DELAY 0 #define DFL_RECO_MODE 1 +#define DFL_RENEGO_DELAY -2 #define DFL_CID_ENABLED 0 #define DFL_CID_VALUE "" #define DFL_CID_ENABLED_RENEGO -1 @@ -308,7 +309,8 @@ int main(void) #if defined(MBEDTLS_SSL_RENEGOTIATION) #define USAGE_RENEGO \ " renegotiation=%%d default: 0 (disabled)\n" \ - " renegotiate=%%d default: 0 (disabled)\n" + " renegotiate=%%d default: 0 (disabled)\n" \ + " renego_delay=%%d default: -2 (library default)\n" #else #define USAGE_RENEGO "" #endif @@ -957,6 +959,7 @@ int main(int argc, char *argv[]) opt.renegotiation = DFL_RENEGOTIATION; opt.allow_legacy = DFL_ALLOW_LEGACY; opt.renegotiate = DFL_RENEGOTIATE; + opt.renego_delay = DFL_RENEGO_DELAY; opt.exchanges = DFL_EXCHANGES; opt.min_version = DFL_MIN_VERSION; opt.max_version = DFL_MAX_VERSION; @@ -1193,6 +1196,8 @@ usage: break; default: goto usage; } + } else if (strcmp(p, "renego_delay") == 0) { + opt.renego_delay = (atoi(q)); } else if (strcmp(p, "renegotiate") == 0) { opt.renegotiate = atoi(q); if (opt.renegotiate < 0 || opt.renegotiate > 1) { @@ -1966,6 +1971,9 @@ usage: } #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation(&conf, opt.renegotiation); + if (opt.renego_delay != DFL_RENEGO_DELAY) { + mbedtls_ssl_conf_renegotiation_enforced(&conf, opt.renego_delay); + } #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) @@ -2510,6 +2518,8 @@ usage: } mbedtls_printf(" ok\n"); } + + #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) From a23e697ef33f5926aa2235fddb150327582577cb Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 7 Mar 2025 09:58:10 +0000 Subject: [PATCH 06/21] sll-opt: Added refence fix for the Mock HS Defrag test using renegotitiation delay Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0dd40e8ef9..4fda2e44f5 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14575,6 +14575,22 @@ run_test "Handshake defragmentation mock with server-initiated renegotation: -c "found renegotiation extension" \ -c "renegotiation requested, but not honored by server" +# Fixing the above mock negative using the new renego_delay parameter +requires_openssl_3_x +requires_protocol_version tls12 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation mock with server-initiated renegotiation: len=256 renego_delay=32" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 allow_legacy=1 renegotiation=1 renego_delay=32 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 200, 0..200 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 200/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 200/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 6d1491d6c42d7007ef0bdc5f70e413867ca4445d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:03:38 +0000 Subject: [PATCH 07/21] ssl-opt: Removed mock-tests from HS renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 44 ++++++-------------------------------------- 1 file changed, 6 insertions(+), 38 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4fda2e44f5..5ba8c3ffe0 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14533,13 +14533,13 @@ requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=300" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 300 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ +run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 300, 0..300 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 300/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 300/[0-9]\\+" \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" @@ -14559,38 +14559,6 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" -# Mock negative test to demonstrate the failure with n-bit sized fragments, where ClientHello < n. -requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation mock with server-initiated renegotation: len=256 renego_delay=default(16)" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ - 1 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "renegotiation requested, but not honored by server" - -# Fixing the above mock negative using the new renego_delay parameter -requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation mock with server-initiated renegotiation: len=256 renego_delay=32" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 allow_legacy=1 renegotiation=1 renego_delay=32 request_page=/reneg" \ - 0 \ - -c "initial handshake fragment: 200, 0..200 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 200/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 200/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" - # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 44c1c5fc69f2595ac8170bc7789e4215dedf3216 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:06:38 +0000 Subject: [PATCH 08/21] ssl-opt: Fragmented HS renegotiation, updated documentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5ba8c3ffe0..e8fe07772c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14473,7 +14473,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u -s "bad client hello message" \ -s "SSL - A message could not be parsed due to a syntactic error" -# Test Server Buffer resizing with fragmented handshake on TLS1.2 +# Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -14491,7 +14491,7 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" -# Test Client initiated renegotiation with fragmented handshake on TLS1.2 +# Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication @@ -14528,7 +14528,13 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ -# Test Server initiated renegotiation with fragmented handshake on TLS1.2 +# Test server-initiated renegotiation with fragmented handshake on TLS1.2 +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default value +# of 16 is necessary, as it sets the maximum record depth to match it. +# Splitting messages during the renegotiation process requires a deeper +# stack to accommodate the increased processing complexity. requires_openssl_3_x requires_protocol_version tls12 requires_certificate_authentication From 9d1aa0870e36e7308865abd7e81e5356455ac7a6 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:17:25 +0000 Subject: [PATCH 09/21] ssl-opt: Refactored fragmented HS renegotiation tests. - Switched to using MBEDTLS_SSL_PROTO_TLS1_2 for dependency. - Re-ordered tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 77 ++++++++++++++++++++++++------------------------ 1 file changed, 39 insertions(+), 38 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e8fe07772c..ac21e68f82 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14475,7 +14475,7 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u # Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH @@ -14493,25 +14493,7 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 -requires_certificate_authentication -requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ - "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ - 0 \ - -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ - -s "found renegotiation extension" \ - -s "server hello, secure renegotiation extension" \ - -s "=> renegotiate" \ - -S "write hello request" \ - -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ @@ -14528,30 +14510,27 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ -# Test server-initiated renegotiation with fragmented handshake on TLS1.2 -# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server -# to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default value -# of 16 is necessary, as it sets the maximum record depth to match it. -# Splitting messages during the renegotiation process requires a deeper -# stack to accommodate the increased processing complexity. requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ +run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "client hello, adding renegotiation extension" \ - -c "found renegotiation extension" \ - -c "=> renegotiate" + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ +# Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x -requires_protocol_version tls12 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ @@ -14565,6 +14544,28 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= -c "found renegotiation extension" \ -c "=> renegotiate" + +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default value +# of 16 is necessary, as it sets the maximum record depth to match it. +# Splitting messages during the renegotiation process requires a deeper +# stack to accommodate the increased processing complexity. +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG From 9d78547692e6cae8e180bffc2496a6574e95b50c Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 14:19:48 +0000 Subject: [PATCH 10/21] ssl-opt: Added coverage for client-initiated fragmented HS renegotiation tests. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ac21e68f82..045e1448e9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14528,6 +14528,43 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_certificate_authentication +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=128" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 128, 0..128 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 128/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 128/[0-9]\\+" \ + +requires_openssl_3_x +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation with client-initiated renegotiation: len=4" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + 0 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "found renegotiation extension" \ + -s "server hello, secure renegotiation extension" \ + -s "=> renegotiate" \ + -S "write hello request" \ + -s "reassembled record" \ + -s "initial handshake fragment: 4, 0..4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/[0-9]\\+" \ + -s "Consume: waiting for more handshake fragments 4/[0-9]\\+" \ + # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 From 135aed519e29ee266c20a9a7f370ed1eb5927913 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:00:45 +0000 Subject: [PATCH 11/21] ssl-opt: Fragmented HS renegotiation, updated matching regex Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 045e1448e9..14270a8ce1 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14487,9 +14487,9 @@ run_test "Handshake defragmentation on server with buffer resizing: len=256, -s "Reallocating in_buf" \ -s "Reallocating out_buf" \ -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" + -s "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/" \ + -s "Consume: waiting for more handshake fragments 256/" # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x @@ -14506,9 +14506,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -s "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 512/" \ + -s "Consume: waiting for more handshake fragments 512/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -14524,9 +14524,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -s "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 256/" \ + -s "Consume: waiting for more handshake fragments 256/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -14543,9 +14543,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 128, 0..128 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 128/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 128/[0-9]\\+" \ + -s "initial handshake fragment: 128, 0\\.\\.128 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 128/" \ + -s "Consume: waiting for more handshake fragments 128/" \ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -14561,9 +14561,9 @@ run_test "Handshake defragmentation with client-initiated renegotiation: len= -s "=> renegotiate" \ -S "write hello request" \ -s "reassembled record" \ - -s "initial handshake fragment: 4, 0..4 of [0-9]\\+" \ - -s "Prepare: waiting for more handshake fragments 4/[0-9]\\+" \ - -s "Consume: waiting for more handshake fragments 4/[0-9]\\+" \ + -s "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/" \ + -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_openssl_3_x @@ -14574,9 +14574,9 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 512, 0..512 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 512/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 512/[0-9]\\+" \ + -c "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 512/" \ + -c "Consume: waiting for more handshake fragments 512/" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" @@ -14596,9 +14596,9 @@ run_test "Handshake defragmentation with server-initiated renegotiation: len= "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ - -c "initial handshake fragment: 256, 0..256 of [0-9]\\+" \ - -c "Prepare: waiting for more handshake fragments 256/[0-9]\\+" \ - -c "Consume: waiting for more handshake fragments 256/[0-9]\\+" \ + -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 256/" \ + -c "Consume: waiting for more handshake fragments 256/" \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ -c "=> renegotiate" From 620e8c29a38810e6fa48c096c0b07cffeca3b7f4 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:08:01 +0000 Subject: [PATCH 12/21] ssl-opt: Fragmented HS renegotiation, adjusted test names for consistency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 14270a8ce1..5368c9c4bc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14480,7 +14480,7 @@ requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH requires_max_content_len 1025 -run_test "Handshake defragmentation on server with buffer resizing: len=256, MFL=1024" \ +run_test "Handshake defragmentation on server: len=256, buffer resizing with MFL=1024" \ "$P_SRV debug_level=4 auth_mode=required" \ "$O_NEXT_CLI -tls1_2 -split_send_frag 256 -maxfraglen 1024 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ 0 \ @@ -14496,7 +14496,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=512" \ +run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14514,7 +14514,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=256" \ +run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14533,7 +14533,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=128" \ +run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14551,7 +14551,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with client-initiated renegotiation: len=4" \ +run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14570,7 +14570,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=512" \ +run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ @@ -14592,7 +14592,7 @@ requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation with server-initiated renegotiation: len=256" \ +run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ From 5b6ec1566dbe91557a4f97419eba811ddc4e7d33 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:10:12 +0000 Subject: [PATCH 13/21] ssl-opt: Fragmented HS renegotiation, removed requires_openssl_3_x dependency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5368c9c4bc..4311fffb51 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14474,7 +14474,6 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u -s "SSL - A message could not be parsed due to a syntactic error" # Test server-side buffer resizing with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -14492,7 +14491,6 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with -s "Consume: waiting for more handshake fragments 256/" # Test client-initiated renegotiation with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -14510,7 +14508,6 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene -s "Prepare: waiting for more handshake fragments 512/" \ -s "Consume: waiting for more handshake fragments 512/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -14528,7 +14525,6 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene -s "Prepare: waiting for more handshake fragments 256/" \ -s "Consume: waiting for more handshake fragments 256/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_certificate_authentication @@ -14547,7 +14543,6 @@ run_test "Handshake defragmentation on server: len=128, client-initiated rene -s "Prepare: waiting for more handshake fragments 128/" \ -s "Consume: waiting for more handshake fragments 128/" \ -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -14566,7 +14561,6 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -14588,7 +14582,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # of 16 is necessary, as it sets the maximum record depth to match it. # Splitting messages during the renegotiation process requires a deeper # stack to accommodate the increased processing complexity. -requires_openssl_3_x requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION From e5a3fd2f9d202490aecd0b4daef1ad6c907bbed4 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:11:09 +0000 Subject: [PATCH 14/21] ssl-opt: Fragmented HS renegotiation, removed requires_certificate_authentication dependency. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4311fffb51..bfc55511c8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14475,7 +14475,6 @@ run_test "Handshake defragmentation on server: len=32, TLS 1.2 ClientHello (u # Test server-side buffer resizing with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH requires_max_content_len 1025 @@ -14492,7 +14491,6 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -14509,7 +14507,6 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene -s "Consume: waiting for more handshake fragments 512/" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -14527,7 +14524,6 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ @@ -14562,7 +14558,6 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ @@ -14583,7 +14578,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Splitting messages during the renegotiation process requires a deeper # stack to accommodate the increased processing complexity. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_certificate_authentication requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ From 2a1eacc0b60c43ed24a14204daec68b084225b42 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:24:04 +0000 Subject: [PATCH 15/21] ssl-opt: Fragmented HS renegotiation, removed -legacy_renegotiation argument. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bfc55511c8..0778b1efd0 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14560,7 +14560,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 512, 0\\.\\.512 of [0-9]\\+" \ @@ -14580,7 +14580,7 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ - "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -legacy_renegotiation -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ From 27988889e572e8c8596de8c70b344dad2333cc59 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 11 Mar 2025 17:29:33 +0000 Subject: [PATCH 16/21] ssl-opt: Updated O_NEXT_CLI_RENEGOTIATE used by fragmented HS renegotiation with certificates. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0778b1efd0..7d46ed3079 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -103,7 +103,7 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile $DATA_FILES_PATH/test-ca_cat12.crt" O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" - O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client" + O_NEXT_CLI_RENEGOTIATE="echo 'R' | $OPENSSL_NEXT s_client -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" else O_NEXT_SRV=false O_NEXT_SRV_NO_CERT=false @@ -14494,7 +14494,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -14510,7 +14510,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -14527,7 +14527,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ @@ -14544,7 +14544,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ - "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key -connect 127.0.0.1:+$SRV_PORT" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ -s "found renegotiation extension" \ From e61d0e9f7c2d99751581716437b8128c7aea66d5 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Wed, 12 Mar 2025 01:07:58 +0000 Subject: [PATCH 17/21] ssl-opt: Added client-initiated server-rejected renegotation test. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7d46ed3079..d168d09ac3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14556,6 +14556,20 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego -s "Prepare: waiting for more handshake fragments 4/" \ -s "Consume: waiting for more handshake fragments 4/" \ +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotation" \ + "$P_SRV debug_level=4 exchanges=2 renegotiation=0 auth_mode=required" \ + "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ + 1 \ + -s "received TLS_EMPTY_RENEGOTIATION_INFO" \ + -s "refusing renegotiation, sending alert" \ + -s "server hello, secure renegotiation extension" \ + -s "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -s "Prepare: waiting for more handshake fragments 4/" \ + -s "Consume: waiting for more handshake fragments 4/" \ + # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION From 875cce945a51f6b32567269f1d21cbf5d1a09025 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 13 Mar 2025 11:42:05 +0000 Subject: [PATCH 18/21] ssl-opt: Updated documentation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d168d09ac3..393d19b9f8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14587,10 +14587,11 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Note: The /reneg endpoint serves as a directive for OpenSSL's s_server # to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default value -# of 16 is necessary, as it sets the maximum record depth to match it. -# Splitting messages during the renegotiation process requires a deeper -# stack to accommodate the increased processing complexity. +# Note: Adjusting the renegotiation delay beyond the library's default +# value of 16 is necessary. This parameter defines the maximum +# number of records received before renegotiation is completed. +# By fragmenting records and thereby increasing their quantity, +# the default threshold can be reached more quickly. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ From bde759b7920385a970ca38ee4ee92a0308c9bcd9 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 13 Mar 2025 11:43:53 +0000 Subject: [PATCH 19/21] ssl-opt: Disabled the renegotiation delay for fragmented HS renegotiation. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 393d19b9f8..1abb4c0187 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14592,11 +14592,12 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # number of records received before renegotiation is completed. # By fragmenting records and thereby increasing their quantity, # the default threshold can be reached more quickly. +# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ - "$P_CLI debug_level=3 renegotiation=1 renego_delay=32 request_page=/reneg" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ 0 \ -c "initial handshake fragment: 256, 0\\.\\.256 of [0-9]\\+" \ -c "Prepare: waiting for more handshake fragments 256/" \ From 5c6d3173fa42bf92745901b44c89ed0e0e81f8ec Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Mar 2025 10:25:24 +0000 Subject: [PATCH 20/21] ssl-opt: Fixed a minor typo. Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1abb4c0187..ace59b0451 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14492,7 +14492,7 @@ run_test "Handshake defragmentation on server: len=256, buffer resizing with # Test client-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=512, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=512, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 512 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14508,7 +14508,7 @@ run_test "Handshake defragmentation on server: len=512, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=256, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=256, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 256 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14525,7 +14525,7 @@ run_test "Handshake defragmentation on server: len=256, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=128, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=128, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 128 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14542,7 +14542,7 @@ run_test "Handshake defragmentation on server: len=128, client-initiated rene requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=4, client-initiated renegotation" \ +run_test "Handshake defragmentation on server: len=4, client-initiated renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=1 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 0 \ @@ -14559,7 +14559,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated renego requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotation" \ +run_test "Handshake defragmentation on server: len=4, client-initiated server-rejected renegotiation" \ "$P_SRV debug_level=4 exchanges=2 renegotiation=0 auth_mode=required" \ "$O_NEXT_CLI_RENEGOTIATE -tls1_2 -split_send_frag 4 -connect 127.0.0.1:+$SRV_PORT" \ 1 \ @@ -14573,7 +14573,7 @@ run_test "Handshake defragmentation on server: len=4, client-initiated server # Test server-initiated renegotiation with fragmented handshake on TLS1.2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on client: len=512, server-initiated renegotation" \ +run_test "Handshake defragmentation on client: len=512, server-initiated renegotiation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 512 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 request_page=/reneg" \ 0 \ @@ -14595,7 +14595,7 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene # Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -run_test "Handshake defragmentation on client: len=256, server-initiated renegotation" \ +run_test "Handshake defragmentation on client: len=256, server-initiated renegotiation" \ "$O_NEXT_SRV -tls1_2 -split_send_frag 256 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ 0 \ From 6c129c36ff69092cfcd8e5ddd716012f0a41b6e9 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 18 Mar 2025 10:31:37 +0000 Subject: [PATCH 21/21] ssl-opt: Added 4 and 128 bytes tests to HS defragmentation for server initiated reneg Signed-off-by: Minos Galanakis --- tests/ssl-opt.sh | 44 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ace59b0451..8945ef5df2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -14571,6 +14571,15 @@ run_test "Handshake defragmentation on server: len=4, client-initiated server -s "Consume: waiting for more handshake fragments 4/" \ # Test server-initiated renegotiation with fragmented handshake on TLS1.2 + +# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server +# to initiate a handshake renegotiation. +# Note: Adjusting the renegotiation delay beyond the library's default +# value of 16 is necessary. This parameter defines the maximum +# number of records received before renegotiation is completed. +# By fragmenting records and thereby increasing their quantity, +# the default threshold can be reached more quickly. +# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=512, server-initiated renegotiation" \ @@ -14584,15 +14593,6 @@ run_test "Handshake defragmentation on client: len=512, server-initiated rene -c "found renegotiation extension" \ -c "=> renegotiate" - -# Note: The /reneg endpoint serves as a directive for OpenSSL's s_server -# to initiate a handshake renegotiation. -# Note: Adjusting the renegotiation delay beyond the library's default -# value of 16 is necessary. This parameter defines the maximum -# number of records received before renegotiation is completed. -# By fragmenting records and thereby increasing their quantity, -# the default threshold can be reached more quickly. -# Setting it to -1 disables that policy's enforment. requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Handshake defragmentation on client: len=256, server-initiated renegotiation" \ @@ -14606,6 +14606,32 @@ run_test "Handshake defragmentation on client: len=256, server-initiated rene -c "found renegotiation extension" \ -c "=> renegotiate" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on client: len=128, server-initiated renegotiation" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 128 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 128, 0\\.\\.128 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 128/" \ + -c "Consume: waiting for more handshake fragments 128/" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION +run_test "Handshake defragmentation on client: len=4, server-initiated renegotiation" \ + "$O_NEXT_SRV -tls1_2 -split_send_frag 4 -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key" \ + "$P_CLI debug_level=3 renegotiation=1 renego_delay=-1 request_page=/reneg" \ + 0 \ + -c "initial handshake fragment: 4, 0\\.\\.4 of [0-9]\\+" \ + -c "Prepare: waiting for more handshake fragments 4/" \ + -c "Consume: waiting for more handshake fragments 4/" \ + -c "client hello, adding renegotiation extension" \ + -c "found renegotiation extension" \ + -c "=> renegotiate" + # Test heap memory usage after handshake requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_MEMORY_DEBUG