Merge remote-tracking branch 'public/pr/2910' into baremetal

This commit is contained in:
Simon Butcher 2019-11-20 11:59:55 +00:00
commit b2af693900
6 changed files with 74 additions and 5 deletions

View File

@ -43,6 +43,9 @@
/* Use Mbed TLS' timer implementation for Linux. */ /* Use Mbed TLS' timer implementation for Linux. */
#define MBEDTLS_TIMING_C #define MBEDTLS_TIMING_C
/* Needed for certificates in ssl_opt.sh */
#define MBEDTLS_FS_IO
#undef MBEDTLS_NO_PLATFORM_ENTROPY #undef MBEDTLS_NO_PLATFORM_ENTROPY
#undef MBEDTLS_ENTROPY_MAX_SOURCES #undef MBEDTLS_ENTROPY_MAX_SOURCES

View File

@ -107,6 +107,7 @@ List of certificates:
_int3_int-ca2_ca.crt: S10 + I3 + I2 + 1 _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
_int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2 _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
- server11.crt: 3 E, secp256r1 curve - server11.crt: 3 E, secp256r1 curve
-bad.crt.der: S11 with corrupted public key and signature
Certificate revocation lists Certificate revocation lists
---------------------------- ----------------------------

Binary file not shown.

Binary file not shown.

View File

@ -656,7 +656,6 @@ check_cmdline_force_version_compat() {
SKIP_NEXT="YES" SKIP_NEXT="YES"
elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \ elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
echo "FORCE SKIP"
SKIP_NEXT="YES" SKIP_NEXT="YES"
fi fi
@ -2376,6 +2375,17 @@ run_test "Extended Master Secret: client enabled, server SSLv3" \
-C "session hash for extended master secret" \ -C "session hash for extended master secret" \
-S "session hash for extended master secret" -S "session hash for extended master secret"
run_test "Extended Master Secret: both enabled, both enforcing, DTLS" \
"$P_SRV dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
"$P_CLI dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
0 \
-c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \
-s "server hello, adding extended master secret extension" \
-c "found extended_master_secret extension" \
-c "session hash for extended master secret" \
-s "session hash for extended master secret"
# Tests for FALLBACK_SCSV # Tests for FALLBACK_SCSV
run_test "Fallback SCSV: default" \ run_test "Fallback SCSV: default" \
@ -3777,6 +3787,25 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo
-c "! Certificate verification flags"\ -c "! Certificate verification flags"\
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
requires_config_enabled MBEDTLS_USE_TINYCRYPT
run_test "Authentication: DTLS server ECDH p256, client required, server goodcert" \
"$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
crt_file=data_files/server11.crt.der" \
"$P_CLI dtls=1 debug_level=3 auth_mode=required" \
0 \
-C "bad certificate (EC key curve)"\
-C "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned"
requires_config_enabled MBEDTLS_USE_TINYCRYPT
run_test "Authentication: DTLS server ECDH p256, client required, server badcert" \
"$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
crt_file=data_files/server11-bad.crt.der" \
"$P_CLI dtls=1 debug_level=3 auth_mode=required" \
1 \
-c "! Certificate verification flags"\
-c "! mbedtls_ssl_handshake returned"
run_test "Authentication: server badcert, client none" \ run_test "Authentication: server badcert, client none" \
"$P_SRV crt_file=data_files/server5-badsign.crt \ "$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \ key_file=data_files/server5.key" \
@ -4825,6 +4854,12 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
0 \ 0 \
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256" \
"$P_SRV dtls=1 key_file=data_files/server11.key.der \
crt_file=data_files/server11.crt.der" \
"$P_CLI dtls=1 ca_file=data_files/test-ca3.crt.der" \
0 \
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
"$P_SRV key_file=data_files/server5.key \ "$P_SRV key_file=data_files/server5.key \
@ -5641,6 +5676,13 @@ run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
0 \ 0 \
-s "Read from client: 1 bytes read" -s "Read from client: 1 bytes read"
run_test "Small client packet DTLS, ECDHE-ECDSA" \
"$P_SRV dtls=1" \
"$P_CLI dtls=1 request_size=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 \
-s "Read from client: 1 bytes read"
# Tests for small server packets # Tests for small server packets
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@ -5922,6 +5964,13 @@ run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
0 \ 0 \
-c "Read from server: 1 bytes read" -c "Read from server: 1 bytes read"
run_test "Small server packet DTLS, ECDHE-ECDSA" \
"$P_SRV dtls=1 response_size=1" \
"$P_CLI dtls=1 \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 \
-c "Read from server: 1 bytes read"
# A test for extensions in SSLv3 # A test for extensions in SSLv3
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@ -6957,6 +7006,24 @@ run_test "Force an ECC ciphersuite in the server side" \
-c "found supported_point_formats extension" \ -c "found supported_point_formats extension" \
-s "server hello, supported_point_formats extension" -s "server hello, supported_point_formats extension"
requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
run_test "Force an ECC ciphersuite with CCM in the client side" \
"$P_SRV dtls=1 debug_level=3" \
"$P_CLI dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
0 \
-c "client hello, adding supported_elliptic_curves extension" \
-c "client hello, adding supported_point_formats extension" \
-s "found supported elliptic curves extension" \
-s "found supported point formats extension"
requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
run_test "Force an ECC ciphersuite with CCM in the server side" \
"$P_SRV dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
"$P_CLI dtls=1 debug_level=3" \
0 \
-c "found supported_point_formats extension" \
-s "server hello, supported_point_formats extension"
# Tests for DTLS HelloVerifyRequest # Tests for DTLS HelloVerifyRequest
run_test "DTLS cookie: enabled" \ run_test "DTLS cookie: enabled" \
@ -6981,7 +7048,6 @@ run_test "DTLS cookie: disabled" \
-S "hello verification requested" \ -S "hello verification requested" \
-S "SSL - The requested feature is not available" -S "SSL - The requested feature is not available"
requires_config_enabled MBEDTLS_ERROR_C
run_test "DTLS cookie: default (failing)" \ run_test "DTLS cookie: default (failing)" \
"$P_SRV dtls=1 debug_level=2 cookies=-1" \ "$P_SRV dtls=1 debug_level=2 cookies=-1" \
"$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \ "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
@ -6990,8 +7056,7 @@ run_test "DTLS cookie: default (failing)" \
-S "cookie verification passed" \ -S "cookie verification passed" \
-S "cookie verification skipped" \ -S "cookie verification skipped" \
-C "received hello verify request" \ -C "received hello verify request" \
-S "hello verification requested" \ -S "hello verification requested"
-s "SSL - The requested feature is not available"
requires_ipv6 requires_ipv6
run_test "DTLS cookie: enabled, IPv6" \ run_test "DTLS cookie: enabled, IPv6" \

View File

@ -154,7 +154,7 @@ mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDT
Check pair #2 (EC, bad, TinyCrypt) Check pair #2 (EC, bad, TinyCrypt)
depends_on:MBEDTLS_USE_TINYCRYPT depends_on:MBEDTLS_USE_TINYCRYPT
mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA mbedtls_pk_check_pair:"data_files/ec_256_pub.der":"data_files/server5.key.der":MBEDTLS_ERR_PK_BAD_INPUT_DATA
Check pair #3 (RSA, OK) Check pair #3 (RSA, OK)
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15