Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted

* development:
  ssl-opt.sh: change expected output for large srv packet test with SSLv3
  Adapt ChangeLog
  Fix bug in SSL ticket implementation removing keys of age < 1s
  ssl-opt.sh: Add DTLS session resumption tests
  Add ChangeLog entry
  Fix typo
  Fix hmac_drbg failure in benchmark, with threading
  Remove trailing whitespace
  Remove trailing whitespace
  ssl_server2: add buffer overhead for a termination character
  Add missing large and small packet tests for ssl_server2
  Added buffer_size and response_size options for ssl-server2. Added appropriate tests.

Solving a conflict in tests/ssl-opt.sh: two set of tests were added at the
same place (just after large packets):
- restartable ECC tests (in this branch)
- server-side large packets (in development)

Resolution was to move the ECC tests after the newly added server large packet
ones.
This commit is contained in:
Manuel Pégourié-Gonnard 2018-10-15 11:26:17 +02:00
commit 6346a75dfb
5 changed files with 835 additions and 80 deletions

View File

@ -10,6 +10,18 @@ Features
functions in ECDH and SSL (currently only implemented client-side, for functions in ECDH and SSL (currently only implemented client-side, for
ECDHE-ECDSA ciphersuites with TLS 1.2, including client authentication). ECDHE-ECDSA ciphersuites with TLS 1.2, including client authentication).
Bugfix
* Fix a bug in the update function for SSL ticket keys which previously
invalidated keys of a lifetime of less than a 1s. Fixes #1968.
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
Changes
* Add tests for session resumption in DTLS.
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
= mbed TLS 2.13.1 branch released 2018-09-06 = mbed TLS 2.13.1 branch released 2018-09-06
API Changes API Changes

View File

@ -97,7 +97,7 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
uint32_t current_time = (uint32_t) mbedtls_time( NULL ); uint32_t current_time = (uint32_t) mbedtls_time( NULL );
uint32_t key_time = ctx->keys[ctx->active].generation_time; uint32_t key_time = ctx->keys[ctx->active].generation_time;
if( current_time > key_time && if( current_time >= key_time &&
current_time - key_time < ctx->ticket_lifetime ) current_time - key_time < ctx->ticket_lifetime )
{ {
return( 0 ); return( 0 );

View File

@ -103,6 +103,7 @@ int main( void )
#define DFL_SERVER_ADDR NULL #define DFL_SERVER_ADDR NULL
#define DFL_SERVER_PORT "4433" #define DFL_SERVER_PORT "4433"
#define DFL_RESPONSE_SIZE -1
#define DFL_DEBUG_LEVEL 0 #define DFL_DEBUG_LEVEL 0
#define DFL_NBIO 0 #define DFL_NBIO 0
#define DFL_EVENT 0 #define DFL_EVENT 0
@ -177,7 +178,7 @@ int main( void )
* You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh
* if you change this value to something outside the range <= 100 or > 500 * if you change this value to something outside the range <= 100 or > 500
*/ */
#define IO_BUF_LEN 200 #define DFL_IO_BUF_LEN 200
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_FS_IO) #if defined(MBEDTLS_FS_IO)
@ -356,6 +357,11 @@ int main( void )
" server_addr=%%s default: (all interfaces)\n" \ " server_addr=%%s default: (all interfaces)\n" \
" server_port=%%d default: 4433\n" \ " server_port=%%d default: 4433\n" \
" debug_level=%%d default: 0 (disabled)\n" \ " debug_level=%%d default: 0 (disabled)\n" \
" buffer_size=%%d default: 200 \n" \
" (minimum: 1, max: 16385)\n" \
" response_size=%%d default: about 152 (basic response)\n" \
" (minimum: 0, max: 16384)\n" \
" increases buffer_size if bigger\n"\
" nbio=%%d default: 0 (blocking I/O)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \
" options: 1 (non-blocking), 2 (added delays)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \
" event=%%d default: 0 (loop)\n" \ " event=%%d default: 0 (loop)\n" \
@ -431,6 +437,8 @@ struct options
int nbio; /* should I/O be blocking? */ int nbio; /* should I/O be blocking? */
int event; /* loop or event-driven IO? level or edge triggered? */ int event; /* loop or event-driven IO? level or edge triggered? */
uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */ uint32_t read_timeout; /* timeout on mbedtls_ssl_read() in milliseconds */
int response_size; /* pad response with header to requested size */
uint16_t buffer_size; /* IO buffer size */
const char *ca_file; /* the file with the CA certificate(s) */ const char *ca_file; /* the file with the CA certificate(s) */
const char *ca_path; /* the path with the CA certificate(s) reside */ const char *ca_path; /* the path with the CA certificate(s) reside */
const char *crt_file; /* the file with the server certificate */ const char *crt_file; /* the file with the server certificate */
@ -1166,7 +1174,7 @@ int main( int argc, char *argv[] )
{ {
int ret = 0, len, written, frags, exchanges_left; int ret = 0, len, written, frags, exchanges_left;
int version_suites[4][2]; int version_suites[4][2];
unsigned char buf[IO_BUF_LEN]; unsigned char* buf = 0;
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN]; unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = 0; size_t psk_len = 0;
@ -1297,10 +1305,12 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
opt.buffer_size = DFL_IO_BUF_LEN;
opt.server_addr = DFL_SERVER_ADDR; opt.server_addr = DFL_SERVER_ADDR;
opt.server_port = DFL_SERVER_PORT; opt.server_port = DFL_SERVER_PORT;
opt.debug_level = DFL_DEBUG_LEVEL; opt.debug_level = DFL_DEBUG_LEVEL;
opt.event = DFL_EVENT; opt.event = DFL_EVENT;
opt.response_size = DFL_RESPONSE_SIZE;
opt.nbio = DFL_NBIO; opt.nbio = DFL_NBIO;
opt.read_timeout = DFL_READ_TIMEOUT; opt.read_timeout = DFL_READ_TIMEOUT;
opt.ca_file = DFL_CA_FILE; opt.ca_file = DFL_CA_FILE;
@ -1393,6 +1403,20 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "read_timeout" ) == 0 ) else if( strcmp( p, "read_timeout" ) == 0 )
opt.read_timeout = atoi( q ); opt.read_timeout = atoi( q );
else if( strcmp( p, "buffer_size" ) == 0 )
{
opt.buffer_size = atoi( q );
if( opt.buffer_size < 1 || opt.buffer_size > MBEDTLS_SSL_MAX_CONTENT_LEN + 1 )
goto usage;
}
else if( strcmp( p, "response_size" ) == 0 )
{
opt.response_size = atoi( q );
if( opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_MAX_CONTENT_LEN )
goto usage;
if( opt.buffer_size < opt.response_size )
opt.buffer_size = opt.response_size;
}
else if( strcmp( p, "ca_file" ) == 0 ) else if( strcmp( p, "ca_file" ) == 0 )
opt.ca_file = q; opt.ca_file = q;
else if( strcmp( p, "ca_path" ) == 0 ) else if( strcmp( p, "ca_path" ) == 0 )
@ -1729,6 +1753,13 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_DEBUG_C) #if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold( opt.debug_level ); mbedtls_debug_set_threshold( opt.debug_level );
#endif #endif
buf = mbedtls_calloc( 1, opt.buffer_size + 1 );
if( buf == NULL )
{
mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size );
ret = 3;
goto exit;
}
if( opt.force_ciphersuite[0] > 0 ) if( opt.force_ciphersuite[0] > 0 )
{ {
@ -2745,8 +2776,8 @@ data_exchange:
do do
{ {
int terminated = 0; int terminated = 0;
len = sizeof( buf ) - 1; len = opt.buffer_size - 1;
memset( buf, 0, sizeof( buf ) ); memset( buf, 0, opt.buffer_size );
ret = mbedtls_ssl_read( &ssl, buf, len ); ret = mbedtls_ssl_read( &ssl, buf, len );
if( mbedtls_status_is_ssl_in_progress( ret ) ) if( mbedtls_status_is_ssl_in_progress( ret ) )
@ -2846,8 +2877,8 @@ data_exchange:
} }
else /* Not stream, so datagram */ else /* Not stream, so datagram */
{ {
len = sizeof( buf ) - 1; len = opt.buffer_size - 1;
memset( buf, 0, sizeof( buf ) ); memset( buf, 0, opt.buffer_size );
do do
{ {
@ -2945,6 +2976,25 @@ data_exchange:
len = sprintf( (char *) buf, HTTP_RESPONSE, len = sprintf( (char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite( &ssl ) ); mbedtls_ssl_get_ciphersuite( &ssl ) );
/* Add padding to the response to reach opt.response_size in length */
if( opt.response_size != DFL_RESPONSE_SIZE &&
len < opt.response_size )
{
memset( buf + len, 'B', opt.response_size - len );
len += opt.response_size - len;
}
/* Truncate if response size is smaller than the "natural" size */
if( opt.response_size != DFL_RESPONSE_SIZE &&
len > opt.response_size )
{
len = opt.response_size;
/* Still end with \r\n unless that's really not possible */
if( len >= 2 ) buf[len - 2] = '\r';
if( len >= 1 ) buf[len - 1] = '\n';
}
if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ) if( opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM )
{ {
for( written = 0, frags = 0; written < len; written += ret, frags++ ) for( written = 0, frags = 0; written < len; written += ret, frags++ )
@ -3103,6 +3153,7 @@ exit:
mbedtls_memory_buffer_alloc_free(); mbedtls_memory_buffer_alloc_free();
#endif #endif
mbedtls_free( buf );
mbedtls_printf( " done.\n" ); mbedtls_printf( " done.\n" );
#if defined(_WIN32) #if defined(_WIN32)

View File

@ -700,7 +700,6 @@ int main( int argc, char *argv[] )
mbedtls_exit(1); mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)", TIME_AND_TSC( "HMAC_DRBG SHA-1 (NOPR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 ) if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1); mbedtls_exit(1);
@ -708,7 +707,6 @@ int main( int argc, char *argv[] )
MBEDTLS_HMAC_DRBG_PR_ON ); MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)", TIME_AND_TSC( "HMAC_DRBG SHA-1 (PR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif #endif
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
@ -719,7 +717,6 @@ int main( int argc, char *argv[] )
mbedtls_exit(1); mbedtls_exit(1);
TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)", TIME_AND_TSC( "HMAC_DRBG SHA-256 (NOPR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 ) if( mbedtls_hmac_drbg_seed( &hmac_drbg, md_info, myrand, NULL, NULL, 0 ) != 0 )
mbedtls_exit(1); mbedtls_exit(1);
@ -727,8 +724,8 @@ int main( int argc, char *argv[] )
MBEDTLS_HMAC_DRBG_PR_ON ); MBEDTLS_HMAC_DRBG_PR_ON );
TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)", TIME_AND_TSC( "HMAC_DRBG SHA-256 (PR)",
mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) ); mbedtls_hmac_drbg_random( &hmac_drbg, buf, BUFSIZE ) );
mbedtls_hmac_drbg_free( &hmac_drbg );
#endif #endif
mbedtls_hmac_drbg_free( &hmac_drbg );
} }
#endif #endif

File diff suppressed because it is too large Load Diff