Merge branch 'mbedtls-1.3'

This commit is contained in:
Simon Butcher 2016-03-16 23:13:30 +00:00
commit 77bc55dc4c
5 changed files with 42 additions and 2 deletions

View File

@ -16,6 +16,7 @@ Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
don't use the optimized assembly for bignum multiplication. This removes
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
* Disabled SSLv3 in the default configuration.
= mbed TLS 1.3.16 released 2016-01-05

View File

@ -1012,7 +1012,7 @@
*
* Comment this macro to disable support for SSL 3.0
*/
#define POLARSSL_SSL_PROTO_SSL3
//#define POLARSSL_SSL_PROTO_SSL3
/**
* \def POLARSSL_SSL_PROTO_TLS1

View File

@ -45,7 +45,7 @@ else
fi
# default values for options
MODES="ssl3 tls1 tls1_1 tls1_2"
MODES="tls1 tls1_1 tls1_2"
VERIFIES="NO YES"
TYPES="ECDSA RSA PSK"
FILTER=""

View File

@ -103,6 +103,27 @@ cd tests
./compat.sh
cd ..
msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl set POLARSSL_SSL_PROTO_SSL3
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: SSLv3 - main suites and selftest (ASan build)" # ~ 50s
make test
programs/test/selftest
msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
cd tests
./compat.sh -m 'ssl3 tls1 tls1_1 tls1_2'
cd ..
msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
cd tests
./ssl-opt.sh
cd ..
msg "build: cmake, full config, clang" # ~ 50s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"

View File

@ -66,6 +66,13 @@ get_options() {
done
}
# skip next test if the flag is not enabled in config.h
requires_config_enabled() {
if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
SKIP_NEXT="YES"
fi
}
# skip next test if OpenSSL can't send SSLv2 ClientHello
requires_openssl_with_sslv2() {
if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then
@ -560,6 +567,7 @@ run_test "Encrypt then MAC: client disabled, server enabled" \
-C "using encrypt then mac" \
-S "using encrypt then mac"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client SSLv3, server enabled" \
"$P_SRV debug_level=3 min_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@ -572,6 +580,7 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \
-C "using encrypt then mac" \
-S "using encrypt then mac"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Encrypt then MAC: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@ -619,6 +628,7 @@ run_test "Extended Master Secret: client disabled, server enabled" \
-C "using extended master secret" \
-S "using extended master secret"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Extended Master Secret: client SSLv3, server enabled" \
"$P_SRV debug_level=3 min_version=ssl3" \
"$P_CLI debug_level=3 force_version=ssl3" \
@ -630,6 +640,7 @@ run_test "Extended Master Secret: client SSLv3, server enabled" \
-C "using extended master secret" \
-S "using extended master secret"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Extended Master Secret: client enabled, server SSLv3" \
"$P_SRV debug_level=3 force_version=ssl3" \
"$P_CLI debug_level=3 min_version=ssl3" \
@ -748,6 +759,7 @@ run_test "CBC Record splitting: TLS 1.0, splitting" \
-s "Read from client: 1 bytes read" \
-s "122 bytes read"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "CBC Record splitting: SSLv3, splitting" \
"$P_SRV min_version=ssl3" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
@ -1454,6 +1466,7 @@ run_test "Authentication: client no cert, openssl server optional" \
-c "skip write certificate verify" \
-C "! ssl_handshake returned"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Authentication: client no cert, ssl3" \
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
@ -2159,6 +2172,7 @@ run_test "PSK callback: wrong key" \
# Tests for ciphersuites per version
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Per-version suites: SSL3" \
"$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=ssl3" \
@ -2199,6 +2213,7 @@ run_test "ssl_get_bytes_avail: extra data" \
# Tests for small packets
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Small packet SSLv3 BlockCipher" \
"$P_SRV min_version=ssl3" \
"$P_CLI request_size=1 force_version=ssl3 \
@ -2206,6 +2221,7 @@ run_test "Small packet SSLv3 BlockCipher" \
0 \
-s "Read from client: 1 bytes read"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Small packet SSLv3 StreamCipher" \
"$P_SRV min_version=ssl3 arc4=1" \
"$P_CLI request_size=1 force_version=ssl3 \
@ -2340,6 +2356,7 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \
# Test for large packets
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Large packet SSLv3 BlockCipher" \
"$P_SRV min_version=ssl3" \
"$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
@ -2347,6 +2364,7 @@ run_test "Large packet SSLv3 BlockCipher" \
0 \
-s "Read from client: 16384 bytes read"
requires_config_enabled POLARSSL_SSL_PROTO_SSL3
run_test "Large packet SSLv3 StreamCipher" \
"$P_SRV min_version=ssl3 arc4=1" \
"$P_CLI request_size=16384 force_version=ssl3 \