From 7c45b6767b8b00e629fffdc5425fd62259f2826b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 15:26:13 +0100 Subject: [PATCH 01/36] Fix the build when MBEDTLS_PLATFORM_C is unset Signed-off-by: Gilles Peskine --- programs/test/dlopen.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c index 2ee531645..62c85544c 100644 --- a/programs/test/dlopen.c +++ b/programs/test/dlopen.c @@ -23,8 +23,9 @@ #include MBEDTLS_CONFIG_FILE #endif +#if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" -#if !defined(MBEDTLS_PLATFORM_C) +#else #include #include #define mbedtls_fprintf fprintf From a132beb750ada440172804b98ba49c31b932bc9a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:20:36 +0100 Subject: [PATCH 02/36] Minimal TLS configuration: documentation improvements Some of the options have been moved around, but there are no semantic changes. Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-tls1_2.h | 46 ++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 21 deletions(-) diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index cbebf8c00..0e8f570b2 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -21,11 +21,15 @@ */ /* * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites + * * Distinguishing features: - * - no bignum, no PK, no X509 - * - fully modern and secure (provided the pre-shared keys have high entropy) - * - very low record overhead with CCM-8 - * - optimized for low RAM usage + * - Optimized for small code size, low bandwidth (on a reliable network), + * and low RAM usage. + * - No asymmetric cryptography (no certificates, no Diffie-Hellman key + * exchange). + * - Fully modern and secure (provided the pre-shared keys are generated and + * stored securely). + * - Very low record overhead with CCM-8. * * See README.txt for usage instructions. */ @@ -36,11 +40,7 @@ //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ -/* mbed TLS feature support */ -#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED -#define MBEDTLS_SSL_PROTO_TLS1_2 - -/* mbed TLS modules */ +/* Mbed TLS modules */ #define MBEDTLS_AES_C #define MBEDTLS_CCM_C #define MBEDTLS_CIPHER_C @@ -53,18 +53,9 @@ #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C -/* Save RAM at the expense of ROM */ -#define MBEDTLS_AES_ROM_TABLES - -/* Save some RAM by adjusting to your exact needs */ -#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */ - -/* - * You should adjust this to the exact number of sources you're using: default - * is the "platform_entropy_poll" source, but you may want to add other ones - * Minimum is 2 for the entropy test suite. - */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 2 +/* TLS protocol feature support */ +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_SSL_PROTO_TLS1_2 /* * Use only CCM_8 ciphersuites, and @@ -81,6 +72,19 @@ */ #define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 +/* Save RAM at the expense of ROM */ +#define MBEDTLS_AES_ROM_TABLES + +/* Save some RAM by adjusting to your exact needs */ +#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */ + +/* + * You should adjust this to the exact number of sources you're using: default + * is the "platform_entropy_poll" source, but you may want to add other ones + * Minimum is 2 for the entropy test suite. + */ +#define MBEDTLS_ENTROPY_MAX_SOURCES 2 + /* These defines are present so that the config modifying scripts can enable * them during tests/scripts/test-ref-configs.pl */ //#define MBEDTLS_USE_PSA_CRYPTO From 8c5c2930db4144e0c381a3975b5a441daf872667 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:28:00 +0100 Subject: [PATCH 03/36] New sample/test configuration: small DTLS 1.2 1. Copy config-ccm-psk-tls1_2.h 2. Add DTLS support 3. Add some TLS and DTLS features that are useful in low-bandwidth, low-reliability networks 4. Reduce the SSL buffer to a very small size Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-dtls1_2.h | 104 ++++++++++++++++++++++++++++++ tests/scripts/test-ref-configs.pl | 4 ++ 2 files changed, 108 insertions(+) create mode 100644 configs/config-ccm-psk-dtls1_2.h diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h new file mode 100644 index 000000000..75a92f540 --- /dev/null +++ b/configs/config-ccm-psk-dtls1_2.h @@ -0,0 +1,104 @@ +/** + * \file config-ccm-psk-dtls1_2.h + * + * \brief Small configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* + * Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites + * + * Distinguishing features: + * - Optimized for small code size, low bandwidth (on an unreliable network), + * and low RAM usage. + * - No asymmetric cryptography (no certificates, no Diffie-Hellman key + * exchange). + * - Fully modern and secure (provided the pre-shared keys are generated and + * stored securely). + * - Very low record overhead with CCM-8. + * - Includes several optional DTLS features typically used in IoT. + * + * See README.txt for usage instructions. + */ +#ifndef MBEDTLS_CONFIG_H +#define MBEDTLS_CONFIG_H + +/* System support */ +//#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ +/* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ + +/* Mbed TLS modules */ +#define MBEDTLS_AES_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_MD_C +#define MBEDTLS_NET_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_SRV_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_TIMING_C + +/* TLS protocol feature support */ +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE +#define MBEDTLS_SSL_DTLS_CONNECTION_ID +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + +/* + * Use only CCM_8 ciphersuites, and + * save ROM and a few bytes of RAM by specifying our own ciphersuite list + */ +#define MBEDTLS_SSL_CIPHERSUITES \ + MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, \ + MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 + +/* + * Save RAM at the expense of interoperability: do this only if you control + * both ends of the connection! (See comments in "mbedtls/ssl.h".) + * The optimal size here depends on the typical size of records. + */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN 256 + +/* Save RAM at the expense of ROM */ +#define MBEDTLS_AES_ROM_TABLES + +/* Save some RAM by adjusting to your exact needs */ +#define MBEDTLS_PSK_MAX_LEN 16 /* 128-bits keys are generally enough */ + +/* + * You should adjust this to the exact number of sources you're using: default + * is the "platform_entropy_poll" source, but you may want to add other ones + * Minimum is 2 for the entropy test suite. + */ +#define MBEDTLS_ENTROPY_MAX_SOURCES 2 + +/* These defines are present so that the config modifying scripts can enable + * them during tests/scripts/test-ref-configs.pl */ +//#define MBEDTLS_USE_PSA_CRYPTO +//#define MBEDTLS_PSA_CRYPTO_C + +#include "mbedtls/check_config.h" + +#endif /* MBEDTLS_CONFIG_H */ diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index cbcdecec3..339a8ea85 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -32,6 +32,10 @@ my %configs = ( 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', 'test_again_with_use_psa' => 1 }, + 'config-ccm-psk-dtls1_2.h' => { + 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'test_again_with_use_psa' => 1 + }, 'config-mini-tls1_1.h' => { 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #', 'test_again_with_use_psa' => 1 From 83f7108f3d8a1bb2e26013b35d03cb6823112b16 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 16:18:14 +0200 Subject: [PATCH 04/36] Small DTLS 1.2 config: timing is a default entropy source Since MBEDTLS_TIMING_C is enabled, mbedtls_entropy_init() adds the weak source MBEDTLS_ENTROPY_MAX_SOURCES(). With mbedtls_platform_entropy_poll(), this makes two sources. The unit tests need room for a third source. Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-dtls1_2.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 75a92f540..9150e05db 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -89,10 +89,10 @@ /* * You should adjust this to the exact number of sources you're using: default - * is the "platform_entropy_poll" source, but you may want to add other ones - * Minimum is 2 for the entropy test suite. + * is the "platform_entropy_poll" source plus a weak clock source, but you may + * want to add other ones. Minimum is 3 for the entropy test suite. */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 2 +#define MBEDTLS_ENTROPY_MAX_SOURCES 3 /* These defines are present so that the config modifying scripts can enable * them during tests/scripts/test-ref-configs.pl */ From e5f4958c8005fb14221ab5e49d07bf5806e5a502 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:46:30 +0100 Subject: [PATCH 05/36] ssl-opt: automatically skip DTLS tests in builds without DTLS Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ced863a3f..7b82f3805 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -761,11 +761,7 @@ find_in_both() { # # Analyze and possibly instrument $PXY_CMD, $CLI_CMD, $SRV_CMD to pass # extra arguments or go through wrappers. -# Set $DTLS (0=TLS, 1=DTLS). analyze_test_commands() { - # update DTLS variable - detect_dtls "$SRV_CMD" - # if the test uses DTLS but no custom proxy, add a simple proxy # as it provides timing info that's useful to debug failures if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then @@ -1068,6 +1064,12 @@ run_test() { requires_config_enabled MBEDTLS_FS_IO;; esac + # Check if the test uses DTLS. + detect_dtls "$SRV_CMD" + if [ "$DTLS" -eq 1 ]; then + requires_config_enabled MBEDTLS_SSL_PROTO_DTLS + fi + # If the client or serve requires a ciphersuite, check that it's enabled. maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@" maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@" From 4502671e0be9c570a7181b77030ab68e3d0c67d8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:47:04 +0100 Subject: [PATCH 06/36] Automatically skip tests for some absent features: tickets, ALPN Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 7b82f3805..54377d12c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1070,6 +1070,16 @@ run_test() { requires_config_enabled MBEDTLS_SSL_PROTO_DTLS fi + # Check more TLS protocol features. + case "$SRV_CMD $CLI_CMD" in + *[-_\ =]tickets=[^0]*) + requires_config_enabled MBEDTLS_SSL_TICKET_C;; + esac + case "$SRV_CMD $CLI_CMD" in + *[-_\ =]alpn=*) + requires_config_enabled MBEDTLS_SSL_ALPN;; + esac + # If the client or serve requires a ciphersuite, check that it's enabled. maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@" maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@" From df4ad90a156879ff35383b8c60ba81a0d3b9668c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 15:14:38 +0200 Subject: [PATCH 07/36] ssl-opt: check for protocol version support Skip tests that require a specific version of the protocol if that version is disabled at compile time. This commit only partially does the job, mostly covering tests that check the protocol version in client or server logs. It is not intended to be exhaustive; in particular many uses of force_version are not covered (I think they should instead be covered automatically, but this is out of scope of the current commit). Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 54377d12c..88338301d 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1123,6 +1123,7 @@ run_test() { } run_test_psa() { + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA-supported ciphersuite: $1" \ "$P_SRV debug_level=3 force_version=tls12" \ @@ -1146,6 +1147,7 @@ run_test_psa() { } run_test_psa_force_curve() { + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO run_test "PSA - ECDH with $1" \ "$P_SRV debug_level=4 force_version=tls12" \ @@ -1382,6 +1384,7 @@ trap cleanup INT TERM HUP # - things work with all ciphersuites active (used with config-full in all.sh) # - the expected (highest security) parameters are selected # ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Default" \ "$P_SRV debug_level=3" \ "$P_CLI" \ @@ -1393,6 +1396,7 @@ run_test "Default" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Default, DTLS" \ "$P_SRV dtls=1" \ "$P_CLI dtls=1" \ @@ -5291,6 +5295,7 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \ # Tests for version negotiation +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Version check: all -> 1.2" \ "$P_SRV" \ "$P_CLI" \ @@ -5300,6 +5305,7 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "Version check: cli max 1.1 -> 1.1" \ "$P_SRV" \ "$P_CLI max_version=tls1_1" \ @@ -5309,6 +5315,7 @@ run_test "Version check: cli max 1.1 -> 1.1" \ -s "Protocol is TLSv1.1" \ -c "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "Version check: srv max 1.1 -> 1.1" \ "$P_SRV max_version=tls1_1" \ "$P_CLI" \ @@ -5318,6 +5325,7 @@ run_test "Version check: srv max 1.1 -> 1.1" \ -s "Protocol is TLSv1.1" \ -c "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "Version check: cli+srv max 1.1 -> 1.1" \ "$P_SRV max_version=tls1_1" \ "$P_CLI max_version=tls1_1" \ @@ -5327,6 +5335,7 @@ run_test "Version check: cli+srv max 1.1 -> 1.1" \ -s "Protocol is TLSv1.1" \ -c "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \ "$P_SRV min_version=tls1_1" \ "$P_CLI max_version=tls1_1" \ @@ -5336,6 +5345,7 @@ run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \ -s "Protocol is TLSv1.1" \ -c "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \ "$P_SRV max_version=tls1_1" \ "$P_CLI min_version=tls1_1" \ From dff48c1c655e7b1470cbd475ba499fd97876ab19 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:50:38 +0100 Subject: [PATCH 08/36] Only run "Default" tests if the ciphersuite is enabled These tests ensure that a certain cipher suite is in use, so they fail in builds that lack one of the corresponding algorithms. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 88338301d..0d79ae5fd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1385,6 +1385,7 @@ trap cleanup INT TERM HUP # - the expected (highest security) parameters are selected # ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 run_test "Default" \ "$P_SRV debug_level=3" \ "$P_CLI" \ @@ -1397,6 +1398,7 @@ run_test "Default" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 run_test "Default, DTLS" \ "$P_SRV dtls=1" \ "$P_CLI dtls=1" \ From 111fde4ce9c5005cfb06327d903d65d3adab5645 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:51:52 +0100 Subject: [PATCH 09/36] Add some missing dependencies: EXTENDED_MASTER_SECRET, CACHE This commit is not necessarily complete, but it's a step forward. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0d79ae5fd..2a6a04f1a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2663,6 +2663,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \ # Tests for Extended Master Secret extension +requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET run_test "Extended Master Secret: default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ @@ -2674,6 +2675,7 @@ run_test "Extended Master Secret: default" \ -c "session hash for extended master secret" \ -s "session hash for extended master secret" +requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET run_test "Extended Master Secret: client enabled, server disabled" \ "$P_SRV debug_level=3 extended_ms=0" \ "$P_CLI debug_level=3 extended_ms=1" \ @@ -2685,6 +2687,7 @@ run_test "Extended Master Secret: client enabled, server disabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" +requires_config_enabled MBEDTLS_SSL_EXTENDED_MASTER_SECRET run_test "Extended Master Secret: client disabled, server enabled" \ "$P_SRV debug_level=3 extended_ms=1" \ "$P_CLI debug_level=3 extended_ms=0" \ @@ -3127,6 +3130,7 @@ run_test "Session resume using cache: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: cache_max=1" \ "$P_SRV debug_level=3 tickets=0 cache_max=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -3136,6 +3140,7 @@ run_test "Session resume using cache: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: timeout > delay" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=0" \ @@ -3145,6 +3150,7 @@ run_test "Session resume using cache: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: timeout < delay" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -3154,6 +3160,7 @@ run_test "Session resume using cache: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: no timeout" \ "$P_SRV debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_delay=2" \ @@ -3163,6 +3170,7 @@ run_test "Session resume using cache: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: session copy" \ "$P_SRV debug_level=3 tickets=0" \ "$P_CLI debug_level=3 tickets=0 reconnect=1 reco_mode=0" \ @@ -3172,6 +3180,7 @@ run_test "Session resume using cache: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: openssl client" \ "$P_SRV debug_level=3 tickets=0" \ "( $O_CLI -sess_out $SESSION; \ @@ -3184,6 +3193,7 @@ run_test "Session resume using cache: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache: openssl server" \ "$O_SRV" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -3194,6 +3204,7 @@ run_test "Session resume using cache: openssl server" \ # Tests for Session Resume based on session-ID and cache, DTLS +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: tickets enabled on client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 skip_close_notify=1" \ @@ -3208,6 +3219,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on client" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: tickets enabled on server" \ "$P_SRV dtls=1 debug_level=3 tickets=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -3222,6 +3234,7 @@ run_test "Session resume using cache, DTLS: tickets enabled on server" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: cache_max=0" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -3231,6 +3244,7 @@ run_test "Session resume using cache, DTLS: cache_max=0" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: cache_max=1" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1" \ @@ -3240,6 +3254,7 @@ run_test "Session resume using cache, DTLS: cache_max=1" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: timeout > delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=0" \ @@ -3249,6 +3264,7 @@ run_test "Session resume using cache, DTLS: timeout > delay" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: timeout < delay" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \ @@ -3258,6 +3274,7 @@ run_test "Session resume using cache, DTLS: timeout < delay" \ -S "a session has been resumed" \ -C "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: no timeout" \ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_delay=2" \ @@ -3267,6 +3284,7 @@ run_test "Session resume using cache, DTLS: no timeout" \ -s "a session has been resumed" \ -c "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: session copy" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 skip_close_notify=1 reco_mode=0" \ @@ -3279,6 +3297,7 @@ run_test "Session resume using cache, DTLS: session copy" \ # For reasons that aren't fully understood, this test randomly fails with high # probability with OpenSSL 1.0.2g on the CI, see #5012. requires_openssl_next +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: openssl client" \ "$P_SRV dtls=1 debug_level=3 tickets=0" \ "( $O_NEXT_CLI -dtls1 -sess_out $SESSION; \ @@ -3291,6 +3310,7 @@ run_test "Session resume using cache, DTLS: openssl client" \ -S "session successfully restored from ticket" \ -s "a session has been resumed" +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -10000,6 +10020,7 @@ run_test "DTLS proxy: 3d, max handshake, nbio" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "DTLS proxy: 3d, min handshake, resumption" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ @@ -10014,6 +10035,7 @@ run_test "DTLS proxy: 3d, min handshake, resumption" \ -c "HTTP/1.0 200 OK" client_needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_CACHE_C run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none \ From 89d892ffdd8b98eadad4630bc3ab691b6a59491d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 19:52:52 +0100 Subject: [PATCH 10/36] Adapt tests for PSK in PSK-only builds In a PSK-only build: * Skip tests that rely on a specific non-PSK cipher suite. * Skip tests that exercise a certificate authentication feature. * Pass a pre-shared key in tests that don't mind the key exchange type. This commit only considers PSK-only builds vs builds with certificates. It does not aim to do something useful for builds with an asymmetric key exchange and a pre-shared key for authentication. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 66 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2a6a04f1a..6a016955f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -298,6 +298,69 @@ maybe_requires_ciphersuite_enabled() { unset ciphersuite } +adapt_cmd_for_psk () { + case "$2" in + *openssl*) s='-psk abc123 -nocert';; + *gnutls-*) s='--pskkey=abc123';; + *) s='psk=abc123';; + esac + eval $1='"$2 $s"' + unset s +} + +# maybe_adapt_for_psk [RUN_TEST_OPTION...] +# If running in a PSK-only build, maybe adapt the test to use a pre-shared key. +# +# If not running in a PSK-only build, do nothing. +# If the test looks like it doesn't use a pre-shared key but can run with a +# pre-shared key, pass a pre-shared key. If the test looks like it can't run +# with a pre-shared key, skip it. If the test looks like it's already using +# a pre-shared key, do nothing. +# +# This code does not consider builds with ECDH-PSK or RSA-PSK. +# +# Inputs: +# * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands. +# * $PSK_ONLY: YES if running in a PSK-only build (no asymmetric key exchanges). +# * "$@": options passed to run_test. +# +# Outputs: +# * $CLI_CMD, $SRV_CMD: may be modified to add PSK-relevant arguments. +# * $SKIP_NEXT: set to YES if the test can't run with PSK. +maybe_adapt_for_psk() { + if [ "$PSK_ONLY" != "YES" ]; then + return + fi + if [ "$SKIP_NEXT" = "YES" ]; then + return + fi + case "$CLI_CMD $SRV_CMD" in + *[-_\ =]psk*|*[-_\ =]PSK*) + return;; + *force_ciphersuite*) + # The test case forces a non-PSK cipher suite. In some cases, a + # PSK cipher suite could be substituted, but we're not ready for + # that yet. + SKIP_NEXT="YES" + return;; + *\ auth_mode=*|*[-_\ =]crt[_=]*) + # The test case involves certificates. PSK won't do. + SKIP_NEXT="YES" + return;; + esac + adapt_cmd_for_psk CLI_CMD "$CLI_CMD" + adapt_cmd_for_psk SRV_CMD "$SRV_CMD" +} + +case " $CONFIGS_ENABLED " in + *\ MBEDTLS_KEY_EXCHANGE_[^P]*) PSK_ONLY="NO";; + *\ MBEDTLS_KEY_EXCHANGE_P[^S]*) PSK_ONLY="NO";; + *\ MBEDTLS_KEY_EXCHANGE_PS[^K]*) PSK_ONLY="NO";; + *\ MBEDTLS_KEY_EXCHANGE_PSK[^_]*) PSK_ONLY="NO";; + *\ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED\ *) PSK_ONLY="YES";; + *) PSK_ONLY="NO";; +esac + # skip next test if OpenSSL doesn't support FALLBACK_SCSV requires_openssl_with_fallback_scsv() { if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then @@ -1084,6 +1147,9 @@ run_test() { maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@" maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@" + # If we're in a PSK-only build and the test can be adapted to PSK, do that. + maybe_adapt_for_psk "$@" + # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then SKIP_NEXT="NO" From dcb13af8374451bf794e64bc0267c3c7362f8155 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 21:00:16 +0100 Subject: [PATCH 11/36] ssl-opt needs debug messages Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these options. When running ssl-opt.sh on those configurations, enable the required options. They must be listed in the config*.h file, commented out. Run ssl-opt in the following configurations with debug options: ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Skip mini-tls1_1 for now because it requires significant improvements to ssl-opt.sh (lots of missing requires_xxx). Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-dtls1_2.h | 5 +++++ configs/config-ccm-psk-tls1_2.h | 5 +++++ configs/config-mini-tls1_1.h | 5 +++++ configs/config-suite-b.h | 5 +++++ tests/scripts/test-ref-configs.pl | 17 +++++++++++++++++ 5 files changed, 37 insertions(+) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 9150e05db..0be4f05e4 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -99,6 +99,11 @@ //#define MBEDTLS_USE_PSA_CRYPTO //#define MBEDTLS_PSA_CRYPTO_C +/* Error messages and TLS debugging traces + * (huge code size increase, needed for tests/ssl-opt.sh) */ +//#define MBEDTLS_DEBUG_C +//#define MBEDTLS_ERROR_C + #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index 0e8f570b2..ca1e6c94f 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -90,6 +90,11 @@ //#define MBEDTLS_USE_PSA_CRYPTO //#define MBEDTLS_PSA_CRYPTO_C +/* Error messages and TLS debugging traces + * (huge code size increase, needed for tests/ssl-opt.sh) */ +//#define MBEDTLS_DEBUG_C +//#define MBEDTLS_ERROR_C + #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h index 90928293d..78e31d548 100644 --- a/configs/config-mini-tls1_1.h +++ b/configs/config-mini-tls1_1.h @@ -82,4 +82,9 @@ #endif #include "mbedtls/check_config.h" +/* Error messages and TLS debugging traces + * (huge code size increase, needed for tests/ssl-opt.sh) */ +//#define MBEDTLS_DEBUG_C +//#define MBEDTLS_ERROR_C + #endif /* MBEDTLS_CONFIG_H */ diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 05f14c8e4..3923ec027 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -119,6 +119,11 @@ #define MBEDTLS_PK_WRITE_C #endif +/* Error messages and TLS debugging traces + * (huge code size increase, needed for tests/ssl-opt.sh) */ +//#define MBEDTLS_DEBUG_C +//#define MBEDTLS_ERROR_C + #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 339a8ea85..53833b105 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -34,10 +34,16 @@ my %configs = ( }, 'config-ccm-psk-dtls1_2.h' => { 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'opt' => ' ', + 'opt_needs_debug' => 1, 'test_again_with_use_psa' => 1 }, 'config-mini-tls1_1.h' => { 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #', + ## Skip ssl-opt testing for now because ssl-opt.sh is missing a lot + ## of requires_xxx so it would try to run tests that don't apply. + # 'opt' => ' ', + # 'opt_needs_debug' => 1, 'test_again_with_use_psa' => 1 }, 'config-no-entropy.h' => { @@ -45,6 +51,8 @@ my %configs = ( 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", 'test_again_with_use_psa' => 1, + 'opt' => ' ', + 'opt_needs_debug' => 1, }, 'config-symmetric-only.h' => { 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice @@ -136,6 +144,15 @@ sub perform_test { my $opt = $data->{'opt'}; if( $opt ) { + if( $data->{'opt_needs_debug'} ) + { + print "\nrebuilding with debug traces for ssl-opt\n"; + system( "make clean" ); + system( "scripts/config.py set MBEDTLS_DEBUG_C" ); + system( "scripts/config.py set MBEDTLS_ERROR_C" ); + system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf +debug\n"; + } + print "\nrunning ssl-opt.sh $opt\n"; system( "tests/ssl-opt.sh $opt" ) and abort "Failed ssl-opt.sh: $conf\n"; From 291372fd41dce701f0a0af113dede01a1fc47aee Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 25 Feb 2022 21:02:28 +0100 Subject: [PATCH 12/36] Add a missing requires_max_content_len Slightly reduce the amount of data so that the test passes with 512. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6a016955f..d7f4b713f 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6365,11 +6365,12 @@ run_test "mbedtls_ssl_get_bytes_avail: no extra data" \ 0 \ -s "Read from client: 100 bytes read$" +requires_max_content_len 474 run_test "mbedtls_ssl_get_bytes_avail: extra data" \ "$P_SRV" \ - "$P_CLI request_size=500" \ + "$P_CLI request_size=450" \ 0 \ - -s "Read from client: 500 bytes read (.*+.*)" + -s "Read from client: 450 bytes read (.*+.*)" # Tests for small client packets From 20e25b901291ff654517749a6d82ab563c51dd4a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 26 Feb 2022 18:16:07 +0100 Subject: [PATCH 13/36] Simplify the logic to select configurations User-visible changes: * With no argument, configurations are now tested in a deterministic order. * When given arguments, configurations are now tested in the order given. * When given arguments, if the same configuration is passed multiple times, it will now be tested multiple times. Signed-off-by: Gilles Peskine --- tests/scripts/test-ref-configs.pl | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 53833b105..676c1f9f5 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -65,17 +65,14 @@ my %configs = ( # If no config-name is provided, use all known configs. # Otherwise, use the provided names only. +my @configs_to_test = sort keys %configs; if ($#ARGV >= 0) { - my %configs_ori = ( %configs ); - %configs = (); - - foreach my $conf_name (@ARGV) { - if( ! exists $configs_ori{$conf_name} ) { + foreach my $conf_name ( @ARGV ) { + if( ! exists $configs{$conf_name} ) { die "Unknown configuration: $conf_name\n"; - } else { - $configs{$conf_name} = $configs_ori{$conf_name}; } } + @configs_to_test = @ARGV; } -d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n"; @@ -163,13 +160,13 @@ sub perform_test { } } -while( my ($conf, $data) = each %configs ) { - my $test_with_psa = $data->{'test_again_with_use_psa'}; +foreach my $conf ( @configs_to_test ) { + my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'}; if ( $test_with_psa ) { - perform_test( $conf, $data, $test_with_psa ); + perform_test( $conf, $configs{$conf}, $test_with_psa ); } - perform_test( $conf, $data, 0 ); + perform_test( $conf, $configs{$conf}, 0 ); } system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; From def0e147abaa5f8cf0e01fb26c783a4b928e57a4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 14 Mar 2022 19:05:48 +0100 Subject: [PATCH 14/36] test-ref-configs: clarify configuration-related traces When doing builds with PSA enabled or with debug traces enabled, convey this in $MBEDTLS_TEST_CONFIGURATION and in the terminal logs. This fixes a bug that the outcome file did not distinguish entries from test cases run in a reference configuration with or without PSA. Signed-off-by: Gilles Peskine --- tests/scripts/test-ref-configs.pl | 42 +++++++++++++++++-------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 676c1f9f5..78e01fce9 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -97,25 +97,27 @@ if (!-e "tests/seedfile" || -s "tests/seedfile" < 64) { } sub perform_test { - my $conf = $_[0]; + my $conf_file = $_[0]; my $data = $_[1]; my $test_with_psa = $_[2]; + my $conf_name = $conf_file; + if ( $test_with_psa ) + { + $conf_name .= "+PSA"; + } + system( "cp $config_h.bak $config_h" ) and die; system( "make clean" ) and die; print "\n******************************************\n"; - print "* Testing configuration: $conf\n"; - if ( $test_with_psa ) - { - print "* ENABLING MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO \n"; - } + print "* Testing configuration: $conf_name\n"; print "******************************************\n"; - $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf; + $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; - system( "cp configs/$conf $config_h" ) - and abort "Failed to activate $conf\n"; + system( "cp configs/$conf_file $config_h" ) + and abort "Failed to activate $conf_file\n"; if ( $test_with_psa ) { @@ -123,19 +125,19 @@ sub perform_test { system( "scripts/config.py set MBEDTLS_USE_PSA_CRYPTO" ); } - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf\n"; - system( "make test" ) and abort "Failed test suite: $conf\n"; + system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; + system( "make test" ) and abort "Failed test suite: $conf_name\n"; my $compat = $data->{'compat'}; if( $compat ) { - print "\nrunning compat.sh $compat\n"; + print "\nrunning compat.sh $compat ($conf_name)\n"; system( "tests/compat.sh $compat" ) - and abort "Failed compat.sh: $conf\n"; + and abort "Failed compat.sh: $conf_name\n"; } else { - print "\nskipping compat.sh\n"; + print "\nskipping compat.sh ($conf_name)\n"; } my $opt = $data->{'opt'}; @@ -143,20 +145,22 @@ sub perform_test { { if( $data->{'opt_needs_debug'} ) { - print "\nrebuilding with debug traces for ssl-opt\n"; + print "\nrebuilding with debug traces for ssl-opt ($conf_name)\n"; + $conf_name .= '+DEBUG'; + $ENV{MBEDTLS_TEST_CONFIGURATION} = $conf_name; system( "make clean" ); system( "scripts/config.py set MBEDTLS_DEBUG_C" ); system( "scripts/config.py set MBEDTLS_ERROR_C" ); - system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf +debug\n"; + system( "CFLAGS='-Os -Werror -Wall -Wextra' make" ) and abort "Failed to build: $conf_name\n"; } - print "\nrunning ssl-opt.sh $opt\n"; + print "\nrunning ssl-opt.sh $opt ($conf_name)\n"; system( "tests/ssl-opt.sh $opt" ) - and abort "Failed ssl-opt.sh: $conf\n"; + and abort "Failed ssl-opt.sh: $conf_name\n"; } else { - print "\nskipping ssl-opt.sh\n"; + print "\nskipping ssl-opt.sh ($conf_name)\n"; } } From 64c683fd1882ee8681ae4298cf65dcc7bffa7f58 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 14 Mar 2022 17:55:04 +0100 Subject: [PATCH 15/36] calc_verify is only called in some configurations If MBEDTLS_SSL_EXTENDED_MASTER_SECRET is disabled or the feature is disabled at runtime, and if client authentication is not used, then calc_verify is not called, so don't require the corresponding debug trace. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 44 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d7f4b713f..77f529cbc 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -803,6 +803,38 @@ is_gnutls() { esac } +# Determine what calc_verify trace is to be expected, if any. +# +# calc_verify is only called for two things: to calculate the +# extended master secret, and to process client authentication. +# +# Warning: the current implementation assumes that extended_ms is not +# disabled on the client or on the server. +# +# Inputs: +# * $1: 'required' or 1 if client authentication is expected, +# 'none' or 0 or absent if not. +# * $CONFIGS_ENABLED +# +# Outputs: +# * $maybe_calc_verify: set to a trace expected in the debug logs +set_maybe_calc_verify() { + maybe_calc_verify= + case $CONFIGS_ENABLED in + *\ MBEDTLS_SSL_EXTENDED_MASTER_SECRET\ *) :;; + *) + case ${1-} in + ''|0|none) return;; + 1|required) :;; + *) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;; + esac + esac + case $CONFIGS_ENABLED in + *\ MBEDTLS_USE_PSA_CRYPTO\ *) maybe_calc_verify="PSA calc verify";; + *) maybe_calc_verify="<= calc verify";; + esac +} + # Compare file content # Usage: find_in_both pattern file1 file2 # extract from file1 the first line matching the pattern @@ -1191,17 +1223,18 @@ run_test() { run_test_psa() { requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO + set_maybe_calc_verify none run_test "PSA-supported ciphersuite: $1" \ "$P_SRV debug_level=3 force_version=tls12" \ "$P_CLI debug_level=3 force_version=tls12 force_ciphersuite=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ - -c "PSA calc verify" \ + -c "$maybe_calc_verify" \ -c "calc PSA finished" \ -s "Successfully setup PSA-based decryption cipher context" \ -s "Successfully setup PSA-based encryption cipher context" \ - -s "PSA calc verify" \ + -s "$maybe_calc_verify" \ -s "calc PSA finished" \ -C "Failed to setup PSA-based cipher context"\ -S "Failed to setup PSA-based cipher context"\ @@ -1210,22 +1243,24 @@ run_test_psa() { -c "Perform PSA-based computation of digest of ServerKeyExchange" \ -S "error" \ -C "error" + unset maybe_calc_verify } run_test_psa_force_curve() { requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO + set_maybe_calc_verify none run_test "PSA - ECDH with $1" \ "$P_SRV debug_level=4 force_version=tls12" \ "$P_CLI debug_level=4 force_version=tls12 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 curves=$1" \ 0 \ -c "Successfully setup PSA-based decryption cipher context" \ -c "Successfully setup PSA-based encryption cipher context" \ - -c "PSA calc verify" \ + -c "$maybe_calc_verify" \ -c "calc PSA finished" \ -s "Successfully setup PSA-based decryption cipher context" \ -s "Successfully setup PSA-based encryption cipher context" \ - -s "PSA calc verify" \ + -s "$maybe_calc_verify" \ -s "calc PSA finished" \ -C "Failed to setup PSA-based cipher context"\ -S "Failed to setup PSA-based cipher context"\ @@ -1234,6 +1269,7 @@ run_test_psa_force_curve() { -c "Perform PSA-based computation of digest of ServerKeyExchange" \ -S "error" \ -C "error" + unset maybe_calc_verify } # Test that the server's memory usage after a handshake is reduced when a client specifies From 22cc6497696c36c51c048a89e4bdef5b7b2dfff2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 14 Mar 2022 18:21:24 +0100 Subject: [PATCH 16/36] Skip some DTLS reordering tests in PSK-only builds Some DTLS reordering tests rely on certificate authentication messages. It is probably possible to adapt them to rely on different messages, but for now, skip them in PSK-only builds. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 77f529cbc..82e2023c8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -298,6 +298,12 @@ maybe_requires_ciphersuite_enabled() { unset ciphersuite } +requires_certificate_authentication () { + if [ "$PSK_ONLY" = "YES" ]; then + SKIP_NEXT="YES" + fi +} + adapt_cmd_for_psk () { case "$2" in *openssl*) s='-psk abc123 -nocert';; @@ -9887,6 +9893,7 @@ run_test "DTLS proxy: delay ChangeCipherSpec" \ # Tests for reordering support with DTLS +requires_certificate_authentication run_test "DTLS reordering: Buffer out-of-order handshake message on client" \ -p "$P_PXY delay_srv=ServerHello" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -9903,6 +9910,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on client" \ -S "Injecting buffered CCS message" \ -S "Remember CCS message" +requires_certificate_authentication run_test "DTLS reordering: Buffer out-of-order handshake message fragment on client" \ -p "$P_PXY delay_srv=ServerHello" \ "$P_SRV mtu=512 dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -9925,6 +9933,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message fragment on # Certificate message; at the time of writing, together these are aroudn 1200b # in size, so that the bound below ensures that the certificate can be reassembled # while keeping the ServerKeyExchange. +requires_certificate_authentication requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1300 run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next" \ -p "$P_PXY delay_srv=Certificate delay_srv=Certificate" \ @@ -9946,6 +9955,7 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex # The size constraints ensure that the delayed certificate message can't # be reassembled while keeping the ServerKeyExchange message, but it can # when dropping it first. +requires_certificate_authentication requires_config_value_at_least "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 900 requires_config_value_at_most "MBEDTLS_SSL_DTLS_MAX_BUFFERING" 1299 run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" \ @@ -9965,6 +9975,7 @@ run_test "DTLS reordering: Buffer out-of-order hs msg before reassembling nex -S "Injecting buffered CCS message" \ -S "Remember CCS message" +requires_certificate_authentication run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ -p "$P_PXY delay_cli=Certificate" \ "$P_SRV dgram_packing=0 auth_mode=required cookies=0 dtls=1 debug_level=2 \ @@ -9981,6 +9992,7 @@ run_test "DTLS reordering: Buffer out-of-order handshake message on server" \ -S "Injecting buffered CCS message" \ -S "Remember CCS message" +requires_certificate_authentication run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -p "$P_PXY delay_srv=NewSessionTicket" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ @@ -9997,6 +10009,7 @@ run_test "DTLS reordering: Buffer out-of-order CCS message on client"\ -S "Injecting buffered CCS message" \ -S "Remember CCS message" +requires_certificate_authentication run_test "DTLS reordering: Buffer out-of-order CCS message on server"\ -p "$P_PXY delay_cli=ClientKeyExchange" \ "$P_SRV dgram_packing=0 cookies=0 dtls=1 debug_level=2 \ From e719d174c99f514fe79ec379595f25de6844293a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 5 Apr 2022 21:52:14 +0200 Subject: [PATCH 17/36] Minor documentation improvement Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-dtls1_2.h | 2 +- configs/config-ccm-psk-tls1_2.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 0be4f05e4..982bc2ce2 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -23,7 +23,7 @@ * Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites * * Distinguishing features: - * - Optimized for small code size, low bandwidth (on an unreliable network), + * - Optimized for small code size, low bandwidth (on an unreliable transport), * and low RAM usage. * - No asymmetric cryptography (no certificates, no Diffie-Hellman key * exchange). diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index ca1e6c94f..3216e17f3 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -23,7 +23,7 @@ * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites * * Distinguishing features: - * - Optimized for small code size, low bandwidth (on a reliable network), + * - Optimized for small code size, low bandwidth (on a reliable transport), * and low RAM usage. * - No asymmetric cryptography (no certificates, no Diffie-Hellman key * exchange). From d5b1a30c2f341fe358be04ccc3d1050769c01687 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 5 Apr 2022 22:00:17 +0200 Subject: [PATCH 18/36] Documentation improvements Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 82e2023c8..fb3b3f08e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -323,7 +323,7 @@ adapt_cmd_for_psk () { # with a pre-shared key, skip it. If the test looks like it's already using # a pre-shared key, do nothing. # -# This code does not consider builds with ECDH-PSK or RSA-PSK. +# This code does not consider builds with ECDHE-PSK or RSA-PSK. # # Inputs: # * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands. @@ -862,6 +862,14 @@ find_in_both() { # # Analyze and possibly instrument $PXY_CMD, $CLI_CMD, $SRV_CMD to pass # extra arguments or go through wrappers. +# +# Inputs: +# * $@: supplemental options to run_test() (after the mandatory arguments). +# * $CLI_CMD, $PXY_CMD, $SRV_CMD: the client, proxy and server commands. +# * $DTLS: 1 if DTLS, otherwise 0. +# +# Outputs: +# * $CLI_CMD, $PXY_CMD, $SRV_CMD: may be tweaked. analyze_test_commands() { # if the test uses DTLS but no custom proxy, add a simple proxy # as it provides timing info that's useful to debug failures From de4cb3569e98216b324fbcd20c9f8e70ae2de3f0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 5 Apr 2022 22:00:32 +0200 Subject: [PATCH 19/36] Add requirements of "Default" The log checks require a specific hash and a specific curve. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fb3b3f08e..c7b02c232 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1498,10 +1498,11 @@ trap cleanup INT TERM HUP # Checks that: # - things work with all ciphersuites active (used with config-full in all.sh) -# - the expected (highest security) parameters are selected -# ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) +# - the expected parameters are selected requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_ciphersuite_enabled TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 +requires_config_enabled MBEDTLS_SHA512_C # "signature_algorithm ext: 6" +requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED run_test "Default" \ "$P_SRV debug_level=3" \ "$P_CLI" \ From f2e1f47b2ebdbe41e4b254b07a6209588e7f1328 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 6 Apr 2022 22:23:45 +0200 Subject: [PATCH 20/36] set_maybe_calc_verify: $1 is intended to be auth_mode Document that this is what it is. Don't allow made-up numerical values. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c7b02c232..ac99d9240 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -818,8 +818,9 @@ is_gnutls() { # disabled on the client or on the server. # # Inputs: -# * $1: 'required' or 1 if client authentication is expected, -# 'none' or 0 or absent if not. +# * $1: the value of the server auth_mode parameter. +# 'required' if client authentication is expected, +# 'none' or absent if not. # * $CONFIGS_ENABLED # # Outputs: @@ -830,8 +831,8 @@ set_maybe_calc_verify() { *\ MBEDTLS_SSL_EXTENDED_MASTER_SECRET\ *) :;; *) case ${1-} in - ''|0|none) return;; - 1|required) :;; + ''|none) return;; + required) :;; *) echo "Bad parameter 1 to set_maybe_calc_verify: $1"; exit 1;; esac esac From 736d91dae68f781ea8b641daa9b7ce902d8e79ac Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 6 Apr 2022 23:31:05 +0200 Subject: [PATCH 21/36] Fix buffer size calculation Make sure that buf always has enough room for what it will contain. Before, this was not the case if the buffer was smaller than the default response, leading to memory corruption in ssl_server2. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_server2.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 2cce7551b..4b1b6dffd 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -164,9 +164,6 @@ int main( void ) /* * Size of the basic I/O buffer. Able to hold our default response. - * - * You will need to adapt the mbedtls_ssl_get_bytes_avail() test in ssl-opt.sh - * if you change this value to something outside the range <= 100 or > 500 */ #define DFL_IO_BUF_LEN 200 @@ -2032,10 +2029,26 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_DEBUG_C) mbedtls_debug_set_threshold( opt.debug_level ); #endif - buf = mbedtls_calloc( 1, opt.buffer_size + 1 ); + + /* buf will alternatively contain the input read from the client and the + * response that's about to be sent, plus a null byte in each case. */ + size_t buf_content_size = opt.buffer_size; + /* The default response contains the ciphersuite name. Leave enough + * room for that plus some margin. */ + if( buf_content_size < strlen( HTTP_RESPONSE ) + 80 ) + { + buf_content_size = strlen( HTTP_RESPONSE ) + 80; + } + if( opt.response_size != DFL_RESPONSE_SIZE && + buf_content_size < (size_t) opt.response_size ) + { + buf_content_size = opt.response_size; + } + buf = mbedtls_calloc( 1, buf_content_size + 1 ); if( buf == NULL ) { - mbedtls_printf( "Could not allocate %u bytes\n", opt.buffer_size ); + mbedtls_printf( "Could not allocate %lu bytes\n", + (unsigned long) buf_content_size + 1 ); ret = 3; goto exit; } @@ -3654,6 +3667,8 @@ data_exchange: mbedtls_printf( " > Write to client:" ); fflush( stdout ); + /* If the format of the response changes, make sure there is enough + * room in buf (buf_content_size calculation above). */ len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( &ssl ) ); From a30439a7f94d8a3e4dc974bfc6e24817ee79f9a0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 6 Apr 2022 23:34:36 +0200 Subject: [PATCH 22/36] Fix off-by-one in buffer_size usage The added null byte was accounted for twice, once by taking opt.buffer_size+1 when allocating the buffer and once by taking opt.buffer-1 when filling the buffer. Make opt.buffer_size the size that is actually read, it's less confusing that way. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_server2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 4b1b6dffd..2b4d8e1a9 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3464,7 +3464,7 @@ data_exchange: do { int terminated = 0; - len = opt.buffer_size - 1; + len = opt.buffer_size; memset( buf, 0, opt.buffer_size ); ret = mbedtls_ssl_read( &ssl, buf, len ); @@ -3565,7 +3565,7 @@ data_exchange: } else /* Not stream, so datagram */ { - len = opt.buffer_size - 1; + len = opt.buffer_size; memset( buf, 0, opt.buffer_size ); do From 5a1b3bdc446cd9224e8f36e29865337a61da3037 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 6 Apr 2022 23:35:56 +0200 Subject: [PATCH 23/36] Make mbedtls_ssl_get_bytes_avail tests more independent Don't depend on the default sizes in the test programs: pass explicit request and buffer sizes. Don't depend on MAX_CONTENT_LEN (other than it not being extremely small: this commit assumes that it will never be less than 101). Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ac99d9240..325bdebde 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6411,18 +6411,31 @@ run_test "ClientHello without extensions" \ # Tests for mbedtls_ssl_get_bytes_avail() +# The server first reads buffer_size-1 bytes, then reads the remainder. run_test "mbedtls_ssl_get_bytes_avail: no extra data" \ - "$P_SRV" \ + "$P_SRV buffer_size=100" \ "$P_CLI request_size=100" \ 0 \ -s "Read from client: 100 bytes read$" -requires_max_content_len 474 -run_test "mbedtls_ssl_get_bytes_avail: extra data" \ - "$P_SRV" \ - "$P_CLI request_size=450" \ +run_test "mbedtls_ssl_get_bytes_avail: extra data (+1)" \ + "$P_SRV buffer_size=100" \ + "$P_CLI request_size=101" \ 0 \ - -s "Read from client: 450 bytes read (.*+.*)" + -s "Read from client: 101 bytes read (100 + 1)" + +requires_max_content_len 200 +run_test "mbedtls_ssl_get_bytes_avail: extra data (*2)" \ + "$P_SRV buffer_size=100" \ + "$P_CLI request_size=200" \ + 0 \ + -s "Read from client: 200 bytes read (100 + 100)" + +run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \ + "$P_SRV buffer_size=100" \ + "$P_CLI request_size=$MAX_CONTENT_LEN" \ + 0 \ + -s "Read from client: $MAX_CONTENT_LEN bytes read (100 + $((MAX_CONTENT_LEN - 100)))" # Tests for small client packets From e70605c28ec960d4933ba2d944eccb9c81f1ac9d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 17:22:03 +0200 Subject: [PATCH 24/36] Add requirement for RC4 tests The automatic ciphersuite detection deliberately doesn't operate on test cases that verify that the test suite is rejected, but some RC4 test cases only apply to configurations where the algorithm must be enabled at compile time (otherwise the connection would fail in a different way). Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 325bdebde..039ae8082 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1701,12 +1701,14 @@ run_test "RC4: server half, client enabled" \ 1 \ -s "SSL - The server has no ciphersuites in common" +requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA run_test "RC4: server enabled, client disabled" \ "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI" \ 1 \ -s "SSL - The server has no ciphersuites in common" +requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA run_test "RC4: both enabled" \ "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ From 511fdf435fe94367f75d42aeb35f33b2904c975c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 19:26:26 +0200 Subject: [PATCH 25/36] Prepare to generalize maybe_requires_ciphersuite_enabled Rename maybe_requires_ciphersuite_enabled() to detect_required_features() and refactor its code a little. No intended behavior change. In subsequent commits, this function will detect other requirements in a similar way. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 44 +++++++++++++++++++------------------------- 1 file changed, 19 insertions(+), 25 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 039ae8082..da8317476 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -271,31 +271,24 @@ requires_ciphersuite_enabled() { esac } -# maybe_requires_ciphersuite_enabled CMD [RUN_TEST_OPTION...] -# If CMD (call to a TLS client or server program) requires a specific -# ciphersuite, arrange to only run the test case if this ciphersuite is -# enabled. As an exception, do run the test case if it expects a ciphersuite -# mismatch. -maybe_requires_ciphersuite_enabled() { +# detect_required_features CMD [RUN_TEST_OPTION...] +# If CMD (call to a TLS client or server program) requires certain features, +# arrange to only run the following test case if those features are enabled. +detect_required_features() { case "$1" in - *\ force_ciphersuite=*) :;; - *) return;; # No specific required ciphersuite - esac - ciphersuite="${1##*\ force_ciphersuite=}" - ciphersuite="${ciphersuite%%[!-0-9A-Z_a-z]*}" - shift - - case "$*" in - *"-s SSL - The server has no ciphersuites in common"*) - # This test case expects a ciphersuite mismatch, so it doesn't - # require the ciphersuite to be enabled. - ;; - *) - requires_ciphersuite_enabled "$ciphersuite" - ;; + *\ force_ciphersuite=*) + tmp="${1##*\ force_ciphersuite=}" + tmp="${tmp%%[!-0-9A-Z_a-z]*}" + case "$*" in + *"-s SSL - The server has no ciphersuites in common"*) + # This test case expects a ciphersuite mismatch, so it + # doesn't actually require the ciphersuite to be enabled. + :;; + *) requires_ciphersuite_enabled "$tmp";; + esac;; esac - unset ciphersuite + unset tmp } requires_certificate_authentication () { @@ -1190,9 +1183,10 @@ run_test() { requires_config_enabled MBEDTLS_SSL_ALPN;; esac - # If the client or serve requires a ciphersuite, check that it's enabled. - maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@" - maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@" + # If the client or server requires certain features that can be detected + # from their command-line arguments, check that they're enabled. + detect_required_features "$SRV_CMD" "$@" + detect_required_features "$CLI_CMD" "$@" # If we're in a PSK-only build and the test can be adapted to PSK, do that. maybe_adapt_for_psk "$@" From 3c985f6b70f0b50fcc7eb7219bde11c08eb6d44f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 19:29:27 +0200 Subject: [PATCH 26/36] Move ticket, alpn detection into maybe_requires_ciphersuite_enabled No intended behavior change. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index da8317476..910f6848a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -288,6 +288,15 @@ detect_required_features() { esac;; esac + case " $1 " in + *[-_\ =]tickets=[^0]*) + requires_config_enabled MBEDTLS_SSL_TICKET_C;; + esac + case " $1 " in + *[-_\ =]alpn=*) + requires_config_enabled MBEDTLS_SSL_ALPN;; + esac + unset tmp } @@ -1173,16 +1182,6 @@ run_test() { requires_config_enabled MBEDTLS_SSL_PROTO_DTLS fi - # Check more TLS protocol features. - case "$SRV_CMD $CLI_CMD" in - *[-_\ =]tickets=[^0]*) - requires_config_enabled MBEDTLS_SSL_TICKET_C;; - esac - case "$SRV_CMD $CLI_CMD" in - *[-_\ =]alpn=*) - requires_config_enabled MBEDTLS_SSL_ALPN;; - esac - # If the client or server requires certain features that can be detected # from their command-line arguments, check that they're enabled. detect_required_features "$SRV_CMD" "$@" From 4b137d1bc4c5f0ae22271a9eaada624ba1cff4b2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 8 Apr 2022 19:33:07 +0200 Subject: [PATCH 27/36] Automatically detect protocol version requirement from force_version When the client or server uses a specific protocol version, automatically require that version to be enabled at compile time. An explicit call is still needed in test cases that require a specific protocol version (due to analyzing version-specific behavior, or checking the version in logs), but do not force that specific protocol version, or that force a specific version only on the openssl/gnutls side. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 63 +++++++++++++++++------------------------------- 1 file changed, 22 insertions(+), 41 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 910f6848a..30f632b9d 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -259,6 +259,21 @@ requires_config_value_equals() { fi } +# Require Mbed TLS to support the given protocol version. +# +# Inputs: +# * $1: protocol version in mbedtls syntax (argument to force_version=) +requires_protocol_version() { + # Support for DTLS is detected separately in detect_dtls(). + case "$1" in + ssl3) requires_config_enabled MBEDTLS_SSL_PROTO_SSL3;; + tls1) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1;; + tls1_1|dtls1) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1;; + tls12|dtls12) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2;; + *) echo "Unknown required protocol version: $1"; exit 1;; + esac +} + # Space-separated list of ciphersuites supported by this build of # Mbed TLS. P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null | @@ -275,6 +290,13 @@ requires_ciphersuite_enabled() { # If CMD (call to a TLS client or server program) requires certain features, # arrange to only run the following test case if those features are enabled. detect_required_features() { + case "$1" in + *\ force_version=*) + tmp="${1##*\ force_version=}" + tmp="${tmp%%[!-0-9A-Z_a-z]*}" + requires_protocol_version "$tmp";; + esac + case "$1" in *\ force_ciphersuite=*) tmp="${1##*\ force_ciphersuite=}" @@ -1229,7 +1251,6 @@ run_test() { } run_test_psa() { - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO set_maybe_calc_verify none run_test "PSA-supported ciphersuite: $1" \ @@ -1255,7 +1276,6 @@ run_test_psa() { } run_test_psa_force_curve() { - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO set_maybe_calc_verify none run_test "PSA - ECDH with $1" \ @@ -1712,14 +1732,12 @@ run_test "RC4: both enabled" \ # Test empty CA list in CertificateRequest in TLS 1.1 and earlier requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ "$G_SRV"\ "$P_CLI force_version=tls1_1" \ 0 requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ "$G_SRV"\ "$P_CLI force_version=tls1" \ @@ -2748,7 +2766,6 @@ run_test "Encrypt then MAC: client disabled, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -2761,7 +2778,6 @@ run_test "Encrypt then MAC: client SSLv3, server enabled" \ -C "using encrypt then mac" \ -S "using encrypt then mac" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Encrypt then MAC: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ @@ -2812,7 +2828,6 @@ run_test "Extended Master Secret: client disabled, server enabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Extended Master Secret: client SSLv3, server enabled" \ "$P_SRV debug_level=3 min_version=ssl3" \ "$P_CLI debug_level=3 force_version=ssl3" \ @@ -2824,7 +2839,6 @@ run_test "Extended Master Secret: client SSLv3, server enabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Extended Master Secret: client enabled, server SSLv3" \ "$P_SRV debug_level=3 force_version=ssl3" \ "$P_CLI debug_level=3 min_version=ssl3" \ @@ -3006,7 +3020,6 @@ run_test "CBC Record splitting: TLS 1.0, splitting" \ -s "Read from client: 1 bytes read" \ -s "122 bytes read" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "CBC Record splitting: SSLv3, splitting" \ "$P_SRV min_version=ssl3" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -4428,7 +4441,6 @@ run_test "Authentication: client SHA384, server required" \ -c "Supported Signature Algorithm found: 4," \ -c "Supported Signature Algorithm found: 5," -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Authentication: client has no cert, server required (SSLv3)" \ "$P_SRV debug_level=3 min_version=ssl3 auth_mode=required" \ "$P_CLI debug_level=3 force_version=ssl3 crt_file=none \ @@ -4594,7 +4606,6 @@ run_test "Authentication: client no cert, openssl server required" \ -c "skip write certificate verify" \ -c "! mbedtls_ssl_handshake returned" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -6359,7 +6370,6 @@ run_test "ECJPAKE: working, DTLS, nolog" \ # Tests for ciphersuites per version -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: SSL3" \ @@ -6368,7 +6378,6 @@ run_test "Per-version suites: SSL3" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.0" \ @@ -6377,7 +6386,6 @@ run_test "Per-version suites: TLS 1.0" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.1" \ @@ -6386,7 +6394,6 @@ run_test "Per-version suites: TLS 1.1" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.2" \ @@ -6434,7 +6441,6 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \ # Tests for small client packets -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Small client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -6442,7 +6448,6 @@ run_test "Small client packet SSLv3 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Small client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=ssl3 \ @@ -6723,7 +6728,6 @@ run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \ # Tests for small server packets -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Small server packet SSLv3 BlockCipher" \ "$P_SRV response_size=1 min_version=ssl3" \ "$P_CLI force_version=ssl3 \ @@ -6731,7 +6735,6 @@ run_test "Small server packet SSLv3 BlockCipher" \ 0 \ -c "Read from server: 1 bytes read" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Small server packet SSLv3 StreamCipher" \ "$P_SRV response_size=1 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_version=ssl3 \ @@ -7011,7 +7014,6 @@ run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \ -c "Read from server: 1 bytes read" # A test for extensions in SSLv3 -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_max_content_len 4096 run_test "SSLv3 with extensions, server side" \ "$P_SRV min_version=ssl3 debug_level=3" \ @@ -7027,7 +7029,6 @@ fragments_for_write() { echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))" } -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large client packet SSLv3 BlockCipher" \ "$P_SRV min_version=ssl3" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ @@ -7036,7 +7037,6 @@ run_test "Large client packet SSLv3 BlockCipher" \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large client packet SSLv3 StreamCipher" \ "$P_SRV min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=ssl3 \ @@ -7262,7 +7262,6 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ # Test for large server packets # The tests below fail when the server's OUT_CONTENT_LEN is less than 16384. -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 StreamCipher" \ "$P_SRV response_size=16384 min_version=ssl3 arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_version=ssl3 \ @@ -7271,7 +7270,6 @@ run_test "Large server packet SSLv3 StreamCipher" \ -c "Read from server: 16384 bytes read" # Checking next 4 tests logs for 1n-1 split against BEAST too -requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 run_test "Large server packet SSLv3 BlockCipher" \ "$P_SRV response_size=16384 min_version=ssl3" \ "$P_CLI force_version=ssl3 recsplit=0 \ @@ -7677,7 +7675,6 @@ run_test "SSL async private: sign, delay=2" \ # Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1 # with RSA PKCS#1v1.5 as used in TLS 1.0/1.1. requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "SSL async private: sign, RSA, TLS 1.1" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \ async_operations=s async_private_delay1=0 async_private_delay2=0" \ @@ -8976,7 +8973,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ @@ -8992,7 +8988,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_gnutls requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ @@ -9015,7 +9010,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls requires_not_i686 requires_max_content_len 2048 @@ -9032,7 +9026,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_gnutls requires_not_i686 requires_max_content_len 2048 @@ -9048,7 +9041,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -9063,7 +9055,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ "$O_SRV -dtls1 -verify 10" \ @@ -9078,7 +9069,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ @@ -9092,7 +9082,6 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ @@ -9111,7 +9100,6 @@ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ @@ -9129,7 +9117,6 @@ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ @@ -9147,7 +9134,6 @@ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ @@ -9164,7 +9150,6 @@ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ @@ -9186,7 +9171,6 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ @@ -9204,7 +9188,6 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ @@ -9222,7 +9205,6 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ @@ -9241,7 +9223,6 @@ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ From bba3b4c79aec28ba3eb2c8d1e4346b5b4e415438 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 9 Apr 2022 00:08:47 +0200 Subject: [PATCH 28/36] Add or fix requirements on FALLBACK_SCSV Automatically detect when an mbedtls or openssl client enables fallback SCSV. For test cases with a hard-coded ClientHello with FALLBACK_SCSV, declare the dependency manually. Remove the erroneous requirement on openssl in these test cases. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 30f632b9d..ba57a1d58 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -319,6 +319,11 @@ detect_required_features() { requires_config_enabled MBEDTLS_SSL_ALPN;; esac + case " $1 " in + *\ fallback=1\ *|*\ -fallback_scsv\ *) + requires_config_enabled MBEDTLS_SSL_FALLBACK_SCSV;; + esac + unset tmp } @@ -2966,7 +2971,7 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \ ## The ClientHello content is spelled out below as a hex string as ## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix". ## The expected response is an inappropriate_fallback alert. -requires_openssl_with_fallback_scsv +requires_config_enabled MBEDTLS_SSL_FALLBACK_SCSV run_test "Fallback SCSV: beginning of list" \ "$P_SRV debug_level=2" \ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \ @@ -2974,7 +2979,7 @@ run_test "Fallback SCSV: beginning of list" \ -s "received FALLBACK_SCSV" \ -s "inapropriate fallback" -requires_openssl_with_fallback_scsv +requires_config_enabled MBEDTLS_SSL_FALLBACK_SCSV run_test "Fallback SCSV: end of list" \ "$P_SRV debug_level=2" \ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \ @@ -2983,7 +2988,7 @@ run_test "Fallback SCSV: end of list" \ -s "inapropriate fallback" ## Here the expected response is a valid ServerHello prefix, up to the random. -requires_openssl_with_fallback_scsv +requires_config_enabled MBEDTLS_SSL_FALLBACK_SCSV run_test "Fallback SCSV: not in list" \ "$P_SRV debug_level=2" \ "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \ From bcb2ab0cb3377b9b6387b43008870138e1c1f425 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 9 Apr 2022 00:11:16 +0200 Subject: [PATCH 29/36] Add a few more protocol version support requirements Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ba57a1d58..bdf1daa0c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2909,6 +2909,7 @@ run_test "Fallback SCSV: enabled, openssl server" \ -c "adding FALLBACK_SCSV" \ -c "is a fatal alert message (msg 86)" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS_1_1 requires_openssl_with_fallback_scsv run_test "Fallback SCSV: disabled, openssl client" \ "$P_SRV debug_level=2" \ @@ -2917,6 +2918,7 @@ run_test "Fallback SCSV: disabled, openssl client" \ -S "received FALLBACK_SCSV" \ -S "inapropriate fallback" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS_1_1 requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, openssl client" \ "$P_SRV debug_level=2" \ @@ -5506,6 +5508,8 @@ run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \ -s "Protocol is TLSv1.1" \ -c "Protocol is TLSv1.1" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \ "$P_SRV max_version=tls1_1" \ "$P_CLI min_version=tls12" \ @@ -5514,6 +5518,8 @@ run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \ -c "mbedtls_ssl_handshake returned" \ -c "SSL - Handshake protocol not within min/max boundaries" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \ "$P_SRV min_version=tls12" \ "$P_CLI max_version=tls1_1" \ From a6f99a1aab741afd9fb60d91e2a2afb1c207e0e1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 13 Apr 2022 13:24:56 +0200 Subject: [PATCH 30/36] Fix crash with DTLS_CONNECTION_ID but not other SSL features In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null pointer dereference. Fix this. Fixes #3998. Detected by running compat.sh in config-ccm-psk-dtls1_2.h. Signed-off-by: Gilles Peskine --- ChangeLog.d/dtls-cid-null.txt | 5 +++++ library/ssl_tls.c | 1 + 2 files changed, 6 insertions(+) create mode 100644 ChangeLog.d/dtls-cid-null.txt diff --git a/ChangeLog.d/dtls-cid-null.txt b/ChangeLog.d/dtls-cid-null.txt new file mode 100644 index 000000000..f6f4c5462 --- /dev/null +++ b/ChangeLog.d/dtls-cid-null.txt @@ -0,0 +1,5 @@ +Bugfix + * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of + MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, + DTLS handshakes using CID would crash due to a null pointer dereference. + Fix this. Fixes #3998. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c85291e1e..4878585bb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -990,6 +990,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, #if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \ !defined(MBEDTLS_SSL_EXPORT_KEYS) && \ + !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ !defined(MBEDTLS_DEBUG_C) ssl = NULL; /* make sure we don't use it except for those cases */ (void) ssl; From 6e257b0bc77bba5a887052ea74ab4d245de580fa Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 13 Apr 2022 14:19:57 +0200 Subject: [PATCH 31/36] Detect requirement on DTLS_BADMAC_LIMIT Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bdf1daa0c..419001a16 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -319,6 +319,11 @@ detect_required_features() { requires_config_enabled MBEDTLS_SSL_ALPN;; esac + case " $1 " in + *\ badmac_limit=*) + requires_config_enabled MBEDTLS_SSL_DTLS_BADMAC_LIMIT;; + esac + case " $1 " in *\ fallback=1\ *|*\ -fallback_scsv\ *) requires_config_enabled MBEDTLS_SSL_FALLBACK_SCSV;; From 9220fee17b75f0389ef82151bac09b1b58055785 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 13 Apr 2022 14:20:19 +0200 Subject: [PATCH 32/36] Enable DTLS_BADMAC_LIMIT I originally missed this when backporting because the option was removed (and changed to always-on) in 3.0. Signed-off-by: Gilles Peskine --- configs/config-ccm-psk-dtls1_2.h | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 982bc2ce2..78b75c860 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -61,6 +61,7 @@ #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE #define MBEDTLS_SSL_DTLS_CONNECTION_ID #define MBEDTLS_SSL_DTLS_HELLO_VERIFY From add21ad96730c84306083223b5cc1ce6622a328a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 15 Apr 2022 15:14:58 +0200 Subject: [PATCH 33/36] Fix typo in config symbol Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 419001a16..6d6baf422 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2914,7 +2914,7 @@ run_test "Fallback SCSV: enabled, openssl server" \ -c "adding FALLBACK_SCSV" \ -c "is a fatal alert message (msg 86)" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS_1_1 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_openssl_with_fallback_scsv run_test "Fallback SCSV: disabled, openssl client" \ "$P_SRV debug_level=2" \ @@ -2923,7 +2923,7 @@ run_test "Fallback SCSV: disabled, openssl client" \ -S "received FALLBACK_SCSV" \ -S "inapropriate fallback" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS_1_1 +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, openssl client" \ "$P_SRV debug_level=2" \ From 719a6528348928be2d99aa52575b8bf94b680357 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 15 Apr 2022 20:03:33 +0200 Subject: [PATCH 34/36] Fix REMOVE_ARC4 test case dependencies When ARC4 ciphersuites are compiled in, but removed from the default list, requires_ciphersuite_enabled does not consider them to be enabled. Therefore test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such configurations, must not use requires_ciphersuite_enabled. Instead, require the corresponding cryptographic mechanisms. In addition, for the test case "RC4: both enabled", bypass the automatic ciphersuite support detection based on force_ciphersuite= that would otherwise cause this test case to be skipped. (This automatic detection doesn't cause the negative tests to be skipped because it has an exception whenthe handshake is supposed to fail.) Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 6d6baf422..9a4a6aa1c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1710,6 +1710,13 @@ run_test "Context-specific CRT verification callback" \ # Tests for rc4 option +# Manual dependencies on the ciphersuite support are necessary +# because the automatic requirements from force_ciphersuite=... detection +# make an exception for these test cases since they expect a handshake +# failure. +requires_config_enabled MBEDTLS_ARC4_C +requires_config_enabled MBEDTLS_SHA1_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES run_test "RC4: server disabled, client enabled" \ "$P_SRV" \ @@ -1717,6 +1724,9 @@ run_test "RC4: server disabled, client enabled" \ 1 \ -s "SSL - The server has no ciphersuites in common" +requires_config_enabled MBEDTLS_ARC4_C +requires_config_enabled MBEDTLS_SHA1_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES run_test "RC4: server half, client enabled" \ "$P_SRV arc4=1" \ @@ -1724,17 +1734,30 @@ run_test "RC4: server half, client enabled" \ 1 \ -s "SSL - The server has no ciphersuites in common" -requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA +requires_config_enabled MBEDTLS_ARC4_C +requires_config_enabled MBEDTLS_SHA1_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES run_test "RC4: server enabled, client disabled" \ "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI" \ 1 \ -s "SSL - The server has no ciphersuites in common" -requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA +# Run even if the ciphersuite is disabled by default, but only if the +# requisite cryptographic mechanisms are present. +# Having "force_ciphersuite=..." in the client or server arguments would +# prevent that due to the automatic detection, so hide behind some +# shell expansion to fool the automatic detection. +with_rc4_ciphersuite() { + exec "$@" force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA +} +requires_config_enabled MBEDTLS_ARC4_C +requires_config_enabled MBEDTLS_SHA1_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED run_test "RC4: both enabled" \ - "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "with_rc4_ciphersuite $P_SRV" \ + "with_rc4_ciphersuite $P_CLI" \ 0 \ -S "SSL - None of the common ciphersuites is usable" \ -S "SSL - The server has no ciphersuites in common" From e8133cbeccf95d8196b2937987e3b662aaa0c506 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 15 Apr 2022 22:43:38 +0200 Subject: [PATCH 35/36] test_cmake_out_of_source: validate that ssl-opt passed If the ssl-opt test case was skipped, the test was ineffective. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6677b20b8..2908e986c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2983,11 +2983,12 @@ component_test_cmake_out_of_source () { # "No such file or directory", which would indicate that some required # file is missing (ssl-opt.sh tolerates the absence of some files so # may exit with status 0 but emit errors). - ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err + ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' >ssl-opt.out 2>ssl-opt.err + grep PASS ssl-opt.out cat ssl-opt.err >&2 # If ssl-opt.err is non-empty, record an error and keep going. [ ! -s ssl-opt.err ] - rm ssl-opt.err + rm ssl-opt.out ssl-opt.err cd "$MBEDTLS_ROOT_DIR" rm -rf "$OUT_OF_SOURCE_DIR" } From 36019d5182da6a46b7031663312923b006fabb75 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 15 Apr 2022 22:53:18 +0200 Subject: [PATCH 36/36] Use terse output from lsof This both simplifies parsing a little, and suppresses warnings. Suppressing warnings is both good and bad: on the one hand it resolves problems such as https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may hide clues as to why lsof wouldn't be working as expected. Signed-off-by: Gilles Peskine --- tests/ssl-opt.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9a4a6aa1c..9313d74fa 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -696,13 +696,11 @@ if type lsof >/dev/null 2>/dev/null; then fi # Make a tight loop, server normally takes less than 1s to start. while true; do - SERVER_PIDS=$(lsof -a -n -b -i "$proto:$1" -F p) + SERVER_PIDS=$(lsof -a -n -b -i "$proto:$1" -t) # When we use a proxy, it will be listening on the same port we # are checking for as well as the server and lsof will list both. - # If multiple PIDs are returned, each one will be on a separate - # line, each prepended with 'p'. case ${newline}${SERVER_PIDS}${newline} in - *${newline}p${2}${newline}*) break;; + *${newline}${2}${newline}*) break;; esac if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then echo "$3 START TIMEOUT"