Add a positive test case where both the client and the server require
authentication and both use a non-CA self-signed certificate.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Use case pattern matching instead of multiline split, given there is
only the well formatted PIDs to match on this should be safe.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
On machines with more modern kernels (>5.4 from testing so far) the
useage of -b seems to conflict with the usage of -p. Whilst the usage of
-b seems like a good idea to avoid blocks as we are tight looping on it,
the usage of -p seems to require the usage of stat() (specifically in
/proc) which -b forbids. All you get is a load of warnings
(suppressable by -w) but never a positive result, which means that all
servers are reported as "Failed to start". We are not keen on losing
-b, so instead parse the output of lsof (using -F to format it) to
check the if PIDs that it outputs match that we are looking for.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Improve the code structure in case we want to add other similar conditions
later. Document better what we're doing, and document why we're doing it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Palliative for https://github.com/ARMmbed/mbedtls/issues/3377. If a test
case fails due to an unexpected resend, allow retrying, like in the case of
a client timeout.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This was causing some tests using the openssl s_client to not connect -
I suspect this was due to localhost (at least on my machine) resolving
to ::1 rather than 127.0.0.1. Note that the error seen would have been
that the session file specified with -sess_out did not get created.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Missing wildcards meant that some servers were not identified as DTLS,
which lead to port checking on TCP rather than UDP, and thus mistakenly
cancelling tests as the server had not come up.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
- Reword the comment on config.h to suggest that
`MAX_INTERMEDIATE_CA` may not exist in the config.
- Add a comment explaining why the tests are more restrictive
than necessary.
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
- Abstract out repetitive checks for IN and OUT content lens
- Remove unclear comment and redundant echo
- Add content length constraints in Renegotiation with fragment length test
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
- Replace last remaining dependency on config.py with query_config
- Replace hard exit with `requires_config_value_at_least` and
`requires_config_value_at_most` to maintain the same effect
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
- Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with
`get_config_value_or_default`
- Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with
`requires_config_value_at_least`
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Our interoperability tests fail with a recent OpenSSL server. The
reason is that they force 1024-bit Diffie-Hellman parameters, which
recent OpenSSL (e.g. 1.1.1f on Ubuntu 20.04) reject:
```
140072814650688:error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:../ssl/s3_lib.c:3782:
```
We've been passing custom DH parameters since
6195767554 because OpenSSL <=1.0.2a
requires it. This is only concerns the version we use as
OPENSSL_LEGACY. So only use custom DH parameters for that version. In
compat.sh, use it based on the observed version of $OPENSSL_CMD.
This way, ssl-opt.sh and compat.sh work (barring other issues) for all
our reference versions of OpenSSL as well as for a modern system OpenSSL.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For calls to gnutls-serv and gnutls-cli where --priority is not
specified, explicitly add the default value: --priority=normal. This is
needed for some tests on Ubuntu 20.04 (gnutls 3.6.13).
For example:
./ssl-opt.sh -f "DTLS fragmenting: gnutls.*1.0"
requires this PR to work on Ubuntu 20.04
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.
We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This used to be the case a long time ago but was accidentally broken.
Fix <github:nogrep> #4103 for ssl-opt.sh.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
