lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Merge pull request #9638 from gilles-peskine-arm/ssl-opt-sample-programs-dev

Browse Source 
Test sample programs in ssl-opt.sh
This commit is contained in:
David Horstmann
2024-09-26 14:33:11 +00:00
committed by GitHub
parent b268d270ed f88f6d6b83
commit 1a09caa8a8
12 changed files with 549 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

391
tests/opt-testcases/sample.sh Normal file
View File

@ -0,0 +1,391 @@
# Test that SSL sample programs can interoperate with each other
# and with OpenSSL and GnuTLS.
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
: ${PROGRAMS_DIR:=../programs/ssl}
# Disable session tickets for ssl_client1 when potentially using TLS 1.3
# until https://github.com/Mbed-TLS/mbedtls/issues/6640 is resolved
# and (if relevant) implemented in ssl_client1.
run_test "Sample: ssl_client1, ssl_server2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server2 tickets=0" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_client1, openssl server, TLS 1.2" \
-P 4433 \
"$O_SRV -tls1_2" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-c "Protocol.*TLSv1.2" \
-S "ERROR" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_client1, gnutls server, TLS 1.2" \
-P 4433 \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "Version: TLS1.2" \
-c "<TD>Protocol version:</TD><TD>TLS1.2</TD>" \
-S "Error" \
-C "error"
# Disable session tickets for ssl_client1 when using TLS 1.3
# until https://github.com/Mbed-TLS/mbedtls/issues/6640 is resolved
# and (if relevant) implemented in ssl_client1.
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_client1, openssl server, TLS 1.3" \
-P 4433 \
"$O_NEXT_SRV -tls1_3 -num_tickets 0" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-c "New, TLSv1.3, Cipher is" \
-S "ERROR" \
-C "error"
# Disable session tickets for ssl_client1 when using TLS 1.3
# until https://github.com/Mbed-TLS/mbedtls/issues/6640 is resolved
# and (if relevant) implemented in ssl_client1.
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_client1, gnutls server, TLS 1.3" \
-P 4433 \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 --noticket" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "Version: TLS1.3" \
-c "<TD>Protocol version:</TD><TD>TLS1.3</TD>" \
-S "Error" \
-C "error"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: dtls_client, ssl_server2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server2 dtls=1 server_addr=localhost" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
# The dtls_client program connects to localhost. This test case fails on
# systems where the name "localhost" resolves to an IPv6 address, but
# the IPv6 connection is not possible. Possible reasons include:
# * OpenSSL is too old (IPv6 support was added in 1.1.0).
# * OpenSSL was built without IPv6 support.
# * A firewall blocks IPv6.
#
# To facilitate working with this test case, have it run with $OPENSSL_NEXT
# which is at least 1.1.1a. At the time it was introduced, this test case
# passed with OpenSSL 1.0.2g on an environment where IPv6 is disabled.
requires_protocol_version dtls12
run_test "Sample: dtls_client, openssl server, DTLS 1.2" \
-P 4433 \
"$O_NEXT_SRV -dtls1_2" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "Echo this" \
-c "Echo this" \
-c "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-S "ERROR" \
-C "error"
requires_protocol_version dtls12
run_test "Sample: dtls_client, gnutls server, DTLS 1.2" \
-P 4433 \
"$G_SRV -u --echo --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "Server listening" \
-s "[1-9][0-9]* bytes command:" \
-c "Echo this" \
-c "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-S "Error" \
-C "error"
run_test "Sample: ssl_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
run_test "Sample: ssl_fork_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_fork_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_fork_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_fork_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_fork_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_fork_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
run_test "Sample: ssl_pthread_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_pthread_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_pthread_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_pthread_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: dtls_client with dtls_server" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: ssl_client2, dtls_server" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$PROGRAMS_DIR/ssl_client2 dtls=1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
requires_protocol_version dtls12
run_test "Sample: dtls_server, openssl client, DTLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$O_CLI -dtls1_2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version dtls12
run_test "Sample: dtls_server, gnutls client, DTLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$G_CLI -u --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "Description:.*DTLS1.2" \
-S "error" \
-C "ERROR"

34
tests/scripts/components-configuration.sh
View File

@ -229,40 +229,6 @@ support_build_baremetal () {
! grep -q -F time.h /usr/include/x86_64-linux-gnu/sys/types.h
}
component_test_no_psa_crypto_full_cmake_asan () {
# full minus MBEDTLS_PSA_CRYPTO_C: run the same set of tests as basic-build-test.sh
msg "build: cmake, full config minus PSA crypto, ASan"
scripts/config.py full
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_CLIENT
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: main suites (full minus PSA crypto)"
make test
# Note: ssl-opt.sh has some test cases that depend on
# MBEDTLS_ECP_RESTARTABLE && !MBEDTLS_USE_PSA_CRYPTO
# This is the only component where those tests are not skipped.
msg "test: ssl-opt.sh (full minus PSA crypto)"
tests/ssl-opt.sh
# Note: the next two invocations cover all compat.sh test cases.
# We should use the same here and in basic-build-test.sh.
msg "test: compat.sh: default version (full minus PSA crypto)"
tests/compat.sh -e 'ARIA\|CHACHA'
msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
component_build_tfm () {
# Check that the TF-M configuration can build cleanly with various
# warning flags enabled. We don't build or run tests, since the

75
tests/ssl-opt.sh
View File

@ -491,6 +491,37 @@ detect_required_features() {
requires_certificate_authentication;;
esac
case " $CMD_LINE " in
*"programs/ssl/dtls_client "*|\
*"programs/ssl/ssl_client1 "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_certificate_authentication
;;
*"programs/ssl/dtls_server "*|\
*"programs/ssl/ssl_fork_server "*|\
*"programs/ssl/ssl_pthread_server "*|\
*"programs/ssl/ssl_server "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_certificate_authentication
# The actual minimum depends on the configuration since it's
# mostly about the certificate size.
# In config-suite-b.h, for the test certificates (server5.crt),
# 1024 is not enough.
requires_config_value_at_least MBEDTLS_SSL_OUT_CONTENT_LEN 2000
;;
esac
case " $CMD_LINE " in
*"programs/ssl/ssl_pthread_server "*)
requires_config_enabled MBEDTLS_THREADING_PTHREAD;;
esac
case "$CMD_LINE" in
*[-_\ =]psk*|*[-_\ =]PSK*) :;; # No certificate requirement with PSK
*/server5*|\
@ -1252,7 +1283,7 @@ wait_client_done() {
# check if the given command uses dtls and sets global variable DTLS
detect_dtls() {
case "$1" in
*dtls=1*|*-dtls*|*-u*) DTLS=1;;
*dtls=1*|*-dtls*|*-u*|*/dtls_*) DTLS=1;;
*) DTLS=0;;
esac
}
@ -1372,9 +1403,13 @@ skip_handshake_stage_check() {
# Outputs:
# * $CLI_CMD, $PXY_CMD, $SRV_CMD: may be tweaked.
analyze_test_commands() {
# if the test uses DTLS but no custom proxy, add a simple proxy
# as it provides timing info that's useful to debug failures
if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
# If the test uses DTLS, does not force a specific port, and does not
# specify a custom proxy, add a simple proxy.
# It provides timing info that's useful to debug failures.
if [ "$DTLS" -eq 1 ] &&
[ "$THIS_SRV_PORT" = "$SRV_PORT" ] &&
[ -z "$PXY_CMD" ]
then
PXY_CMD="$P_PXY"
case " $SRV_CMD " in
*' server_addr=::1 '*)
@ -1410,7 +1445,20 @@ analyze_test_commands() {
if [ -n "$PXY_CMD" ]; then
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
else
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$THIS_SRV_PORT/g )
fi
# If the test forces a specific port and the server is OpenSSL or
# GnuTLS, override its port specification.
if [ "$THIS_SRV_PORT" != "$SRV_PORT" ]; then
case "$SRV_CMD" in
"$G_SRV"*|"$G_NEXT_SRV"*)
SRV_CMD=$(
printf %s "$SRV_CMD " |
sed -e "s/ -p $SRV_PORT / -p $THIS_SRV_PORT /"
);;
"$O_SRV"*|"$O_NEXT_SRV"*) SRV_CMD="$SRV_CMD -accept $THIS_SRV_PORT";;
esac
fi
# prepend valgrind to our commands if active
@ -1609,7 +1657,7 @@ do_run_test_once() {
printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
SRV_PID=$!
wait_server_start "$SRV_PORT" "$SRV_PID"
wait_server_start "$THIS_SRV_PORT" "$SRV_PID"
printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
# The client must be a subprocess of the script in order for killing it to
@ -1732,7 +1780,7 @@ run_test() {
esac
fi
# does this test use a proxy?
# Does this test specify a proxy?
if [ "X$1" = "X-p" ]; then
PXY_CMD="$2"
shift 2
@ -1740,6 +1788,14 @@ run_test() {
PXY_CMD=""
fi
# Does this test force a specific port?
if [ "$1" = "-P" ]; then
THIS_SRV_PORT="$2"
shift 2
else
THIS_SRV_PORT="$SRV_PORT"
fi
# get commands and client output
SRV_CMD="$1"
CLI_CMD="$2"
@ -1761,7 +1817,10 @@ run_test() {
# Check if we are trying to use an external tool which does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
# Guess the TLS version which is going to be used
# Guess the TLS version which is going to be used.
# Note that this detection is wrong in some cases, which causes unduly
# skipped test cases in builds with TLS 1.3 but not TLS 1.2.
# https://github.com/Mbed-TLS/mbedtls/issues/9560
if [ "$EXT_WO_ECDH" = "no" ]; then
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
else