From 0509fea3b2b62b063459e6ea1cb5848390c773bb Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Mon, 21 Jun 2021 19:43:33 +0100 Subject: [PATCH 01/10] Remove hard exit in ssh-opt.sh, replace with `requires` functions - Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with `get_config_value_or_default` - Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with `requires_config_value_at_least` Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 56 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 42 insertions(+), 14 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0729755f0e..355e712bd4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -366,9 +366,10 @@ requires_not_i686() { # Calculate the input & output maximum content lengths set in the config MAX_CONTENT_LEN=16384 -MAX_IN_LEN=$( ../scripts/config.py get MBEDTLS_SSL_IN_CONTENT_LEN || echo "$MAX_CONTENT_LEN") -MAX_OUT_LEN=$( ../scripts/config.py get MBEDTLS_SSL_OUT_CONTENT_LEN || echo "$MAX_CONTENT_LEN") +MAX_IN_LEN=$(get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN") +MAX_OUT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN") +# Calculate the maximum content length that fits both if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then MAX_CONTENT_LEN="$MAX_IN_LEN" fi @@ -2748,18 +2749,8 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension -if [ "$MAX_IN_LEN" -lt "4096" ]; then - printf '%s defines MBEDTLS_SSL_IN_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" - exit 1 -fi - -if [ "$MAX_OUT_LEN" -lt "4096" ]; then - printf '%s defines MBEDTLS_SSL_OUT_CONTENT_LEN to be less than 4096. Fragment length tests will fail.\n' "${CONFIG_H}" - exit 1 -fi - if [ $MAX_CONTENT_LEN -ne 16384 ]; then - echo "Using non-default maximum content length $MAX_CONTENT_LEN" + echo "Using non-default maximum content length $MAX_CONTENT_LEN instead of 16384 " fi requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -2826,7 +2817,7 @@ run_test "Max fragment length: disabled, larger message" \ -s "1 bytes read" requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -run_test "Max fragment length DTLS: disabled, larger message" \ +run_test "Max fragment length, DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 request_size=$(( $MAX_CONTENT_LEN + 1))" \ 1 \ @@ -2836,6 +2827,9 @@ run_test "Max fragment length DTLS: disabled, larger message" \ -S "Maximum outgoing record payload length is 16384" \ -c "fragment larger than.*maximum " +# Make sure it was compiled with lengths over 4096 +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ @@ -2850,6 +2844,8 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -2864,6 +2860,8 @@ run_test "Max fragment length: client 512, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -2878,6 +2876,8 @@ run_test "Max fragment length: client 512, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2892,6 +2892,8 @@ run_test "Max fragment length: client 512, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -2906,6 +2908,8 @@ run_test "Max fragment length: client 1024, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -2920,6 +2924,8 @@ run_test "Max fragment length: client 1024, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2934,6 +2940,8 @@ run_test "Max fragment length: client 1024, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -2948,6 +2956,8 @@ run_test "Max fragment length: client 2048, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -2962,6 +2972,8 @@ run_test "Max fragment length: client 2048, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2976,6 +2988,8 @@ run_test "Max fragment length: client 2048, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -2990,6 +3004,8 @@ run_test "Max fragment length: client 4096, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3004,6 +3020,8 @@ run_test "Max fragment length: client 4096, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3018,6 +3036,8 @@ run_test "Max fragment length: client 4096, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3032,6 +3052,8 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ @@ -3043,6 +3065,8 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ @@ -3059,6 +3083,8 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ @@ -3076,6 +3102,8 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" +requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 +requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ From e43556b6bf96f970c5d69a3a91f701ac60704b33 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Mon, 21 Jun 2021 20:07:12 +0100 Subject: [PATCH 02/10] Remove hard exit with MAX_INTERMEDIATE_CA in ssl-opt.sh - Replace last remaining dependency on config.py with query_config - Replace hard exit with `requires_config_value_at_least` and `requires_config_value_at_most` to maintain the same effect Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 355e712bd4..ac10b26f05 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3899,24 +3899,14 @@ run_test "Authentication: client no cert, openssl server required" \ -c "skip write certificate verify" \ -c "! mbedtls_ssl_handshake returned" -# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its -# default value (8) +# config.h contains a value for MBEDTLS_X509_MAX_INTERMEDIATE_CA that is +# different from the script's assumed default value (below). +# Relevant tests are skipped if they do not match. MAX_IM_CA='8' -MAX_IM_CA_CONFIG=$( ../scripts/config.py get MBEDTLS_X509_MAX_INTERMEDIATE_CA) - -if [ -n "$MAX_IM_CA_CONFIG" ] && [ "$MAX_IM_CA_CONFIG" -ne "$MAX_IM_CA" ]; then - cat < Date: Tue, 22 Jun 2021 06:08:11 +0100 Subject: [PATCH 03/10] Add MAX_IM_CA requirement to int_max+1 chain as well Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ac10b26f05..f102183b77 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3915,6 +3915,8 @@ run_test "Authentication: server max_int chain, client default" \ 0 \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3923,6 +3925,8 @@ run_test "Authentication: server max_int+1 chain, client default" \ 1 \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3932,6 +3936,8 @@ run_test "Authentication: server max_int+1 chain, client optional" \ 1 \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client none" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3941,6 +3947,8 @@ run_test "Authentication: server max_int+1 chain, client none" \ 0 \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server default" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ @@ -3949,6 +3957,8 @@ run_test "Authentication: client max_int+1 chain, server default" \ 0 \ -S "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server optional" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ @@ -3957,6 +3967,8 @@ run_test "Authentication: client max_int+1 chain, server optional" \ 1 \ -s "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -4156,6 +4168,8 @@ run_test "Authentication, CA callback: server max_int chain, client default" -c "use CA callback for X.509 CRT verification" \ -C "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client default" \ @@ -4166,6 +4180,8 @@ run_test "Authentication, CA callback: server max_int+1 chain, client default -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ @@ -4177,6 +4193,8 @@ run_test "Authentication, CA callback: server max_int+1 chain, client optiona -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ @@ -4187,6 +4205,8 @@ run_test "Authentication, CA callback: client max_int+1 chain, server optiona -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" +requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server required" \ From 2be6f1ac5b307fc97235cac1738ac22a79516573 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Tue, 22 Jun 2021 07:16:40 +0100 Subject: [PATCH 04/10] Add space between command substitution braces and content Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f102183b77..a38c4dd535 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -366,8 +366,8 @@ requires_not_i686() { # Calculate the input & output maximum content lengths set in the config MAX_CONTENT_LEN=16384 -MAX_IN_LEN=$(get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN") -MAX_OUT_LEN=$(get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN") +MAX_IN_LEN=$( get_config_value_or_default "MBEDTLS_SSL_IN_CONTENT_LEN" ) +MAX_OUT_LEN=$( get_config_value_or_default "MBEDTLS_SSL_OUT_CONTENT_LEN" ) # Calculate the maximum content length that fits both if [ "$MAX_IN_LEN" -lt "$MAX_CONTENT_LEN" ]; then From b0a1c5b0217a07d3542b37d131a2652d66e86175 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 10:10:49 +0100 Subject: [PATCH 05/10] Use `requires_max_content_len`, add check in Renegotiation - Abstract out repetitive checks for IN and OUT content lens - Remove unclear comment and redundant echo - Add content length constraints in Renegotiation with fragment length test Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 66 ++++++++++++++++++------------------------------ 1 file changed, 25 insertions(+), 41 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index a38c4dd535..bc38a39859 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -287,6 +287,12 @@ requires_openssl_with_fallback_scsv() { fi } +# skip next test if either IN_CONTENT_LEN or MAX_CONTENT_LEN are below a value +requires_max_content_len() { + requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" $1 + requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" $1 +} + # skip next test if GnuTLS isn't available requires_gnutls() { if [ -z "${GNUTLS_AVAILABLE:-}" ]; then @@ -2749,10 +2755,6 @@ run_test "Session resume using cache, DTLS: openssl server" \ # Tests for Max Fragment Length extension -if [ $MAX_CONTENT_LEN -ne 16384 ]; then - echo "Using non-default maximum content length $MAX_CONTENT_LEN instead of 16384 " -fi - requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ @@ -2827,9 +2829,7 @@ run_test "Max fragment length, DTLS: disabled, larger message" \ -S "Maximum outgoing record payload length is 16384" \ -c "fragment larger than.*maximum " -# Make sure it was compiled with lengths over 4096 -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ @@ -2844,8 +2844,7 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 +requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -2860,8 +2859,7 @@ run_test "Max fragment length: client 512, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -2876,8 +2874,7 @@ run_test "Max fragment length: client 512, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 512, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2892,8 +2889,7 @@ run_test "Max fragment length: client 512, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 1024 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 1024 +requires_max_content_len 1024 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -2908,8 +2904,7 @@ run_test "Max fragment length: client 1024, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -2924,8 +2919,7 @@ run_test "Max fragment length: client 1024, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 1024, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2940,8 +2934,7 @@ run_test "Max fragment length: client 1024, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -2956,8 +2949,7 @@ run_test "Max fragment length: client 2048, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -2972,8 +2964,7 @@ run_test "Max fragment length: client 2048, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 2048, server 4096" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -2988,8 +2979,7 @@ run_test "Max fragment length: client 2048, server 4096" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 512" \ "$P_SRV debug_level=3 max_frag_len=512" \ @@ -3004,8 +2994,7 @@ run_test "Max fragment length: client 4096, server 512" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 1024" \ "$P_SRV debug_level=3 max_frag_len=1024" \ @@ -3020,8 +3009,7 @@ run_test "Max fragment length: client 4096, server 1024" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client 4096, server 2048" \ "$P_SRV debug_level=3 max_frag_len=2048" \ @@ -3036,8 +3024,7 @@ run_test "Max fragment length: client 4096, server 2048" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ @@ -3052,8 +3039,7 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 4096 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 4096 +requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ @@ -3065,8 +3051,7 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ @@ -3083,8 +3068,7 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ @@ -3102,8 +3086,7 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" -requires_config_value_at_least "MBEDTLS_SSL_IN_CONTENT_LEN" 2048 -requires_config_value_at_least "MBEDTLS_SSL_OUT_CONTENT_LEN" 2048 +requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ @@ -3215,6 +3198,7 @@ run_test "Renegotiation: double" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "Renegotiation with max fragment length: client 2048, server 512" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1 max_frag_len=512" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 max_frag_len=2048 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ From 02485820333eca1dd0c1d4e36f9a1552e986a021 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 13:05:15 +0100 Subject: [PATCH 06/10] Reword and add explanatory comments for MAX_IM_CA tests - Reword the comment on config.h to suggest that `MAX_INTERMEDIATE_CA` may not exist in the config. - Add a comment explaining why the tests are more restrictive than necessary. Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bc38a39859..ee7d869573 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3883,12 +3883,16 @@ run_test "Authentication: client no cert, openssl server required" \ -c "skip write certificate verify" \ -c "! mbedtls_ssl_handshake returned" -# config.h contains a value for MBEDTLS_X509_MAX_INTERMEDIATE_CA that is -# different from the script's assumed default value (below). -# Relevant tests are skipped if they do not match. +# This script assumes that MBEDTLS_X509_MAX_INTERMEDIATE_CA has its default +# value, defined here as MAX_IM_CA. Some test cases will be skipped if the +# library is configured with a different value. MAX_IM_CA='8' +# The tests for the max_int tests can pass with any number higher than MAX_IM_CA +# because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1 +# tests can pass with any number less than MAX_IM_CA. However, stricter preconditions +# are in place so that the semantics are consistent with the test description. requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer From 6f6574381e0d771828c86e9d8153e8b98f3045cc Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 2 Jul 2021 13:10:41 +0100 Subject: [PATCH 07/10] Move repetitive equality check to `requires_config_value_equals` Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 53 +++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index ee7d869573..8131413e2e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -242,6 +242,17 @@ requires_config_value_at_most() { fi } +requires_config_value_equals() { + VAL=$( get_config_value_or_default "$1" ) + if [ -z "$VAL" ]; then + # Should never happen + echo "Mbed TLS configuration $1 is not defined" + exit 1 + elif [ "$VAL" -ne "$2" ]; then + SKIP_NEXT="YES" + fi +} + # Space-separated list of ciphersuites supported by this build of # Mbed TLS. P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null | @@ -3893,8 +3904,7 @@ MAX_IM_CA='8' # because only a chain of MAX_IM_CA length is tested. Equally, the max_int+1 # tests can pass with any number less than MAX_IM_CA. However, stricter preconditions # are in place so that the semantics are consistent with the test description. -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \ @@ -3903,8 +3913,7 @@ run_test "Authentication: server max_int chain, client default" \ 0 \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client default" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3913,8 +3922,7 @@ run_test "Authentication: server max_int+1 chain, client default" \ 1 \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client optional" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3924,8 +3932,7 @@ run_test "Authentication: server max_int+1 chain, client optional" \ 1 \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: server max_int+1 chain, client none" \ "$P_SRV crt_file=data_files/dir-maxpath/c10.pem \ @@ -3935,8 +3942,7 @@ run_test "Authentication: server max_int+1 chain, client none" \ 0 \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server default" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt" \ @@ -3945,8 +3951,7 @@ run_test "Authentication: client max_int+1 chain, server default" \ 0 \ -S "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server optional" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=optional" \ @@ -3955,8 +3960,7 @@ run_test "Authentication: client max_int+1 chain, server optional" \ 1 \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int+1 chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -3965,8 +3969,7 @@ run_test "Authentication: client max_int+1 chain, server required" \ 1 \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer run_test "Authentication: client max_int chain, server required" \ "$P_SRV ca_file=data_files/dir-maxpath/00.crt auth_mode=required" \ @@ -4144,8 +4147,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \ -C "! mbedtls_ssl_handshake returned" \ -S "X509 - Certificate verification failed" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int chain, client default" \ @@ -4156,8 +4158,7 @@ run_test "Authentication, CA callback: server max_int chain, client default" -c "use CA callback for X.509 CRT verification" \ -C "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client default" \ @@ -4168,8 +4169,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client default -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: server max_int+1 chain, client optional" \ @@ -4181,8 +4181,7 @@ run_test "Authentication, CA callback: server max_int+1 chain, client optiona -c "use CA callback for X.509 CRT verification" \ -c "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server optional" \ @@ -4193,8 +4192,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server optiona -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int+1 chain, server required" \ @@ -4205,8 +4203,7 @@ run_test "Authentication, CA callback: client max_int+1 chain, server require -s "use CA callback for X.509 CRT verification" \ -s "X509 - A fatal error occurred" -requires_config_value_at_least "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA -requires_config_value_at_most "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA +requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK run_test "Authentication, CA callback: client max_int chain, server required" \ From bc87b1ddf32f66b380801c02d6aa6e2f524417b3 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Thu, 8 Jul 2021 15:56:33 +0100 Subject: [PATCH 08/10] Add content length constraint to tests that use max_frag_len Includes: - handshake memory tests - Connection ID (MFL) tests - DTLS fragmenting tests Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8131413e2e..e91b5ad065 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2246,6 +2246,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 512 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \ @@ -2259,6 +2260,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +requires_max_content_len 1024 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \ @@ -5717,6 +5719,7 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" +# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384. run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -6539,6 +6542,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6559,6 +6563,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6583,6 +6588,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 4096 run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6603,6 +6609,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ @@ -6630,6 +6637,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ @@ -6651,6 +6659,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6678,6 +6687,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 2048 run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" \ -p "$P_PXY mtu=1110" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6698,6 +6708,7 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 4096 run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6717,6 +6728,7 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 4096 run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6736,6 +6748,7 @@ run_test "DTLS fragmenting: client (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ @@ -6755,6 +6768,7 @@ run_test "DTLS fragmenting: server (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6780,6 +6794,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: both (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6811,6 +6826,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6835,6 +6851,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ -p "$P_PXY mtu=508" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6858,6 +6875,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6887,6 +6905,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6910,6 +6929,7 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6936,6 +6956,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -6972,6 +6993,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ -p "$P_PXY mtu=1450" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7001,6 +7023,7 @@ requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_CHACHAPOLY_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7033,6 +7056,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7065,6 +7089,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CCM_C +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7098,6 +7123,7 @@ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7130,6 +7156,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7159,6 +7186,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ @@ -7183,6 +7211,7 @@ requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 +requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ -p "$P_PXY mtu=512 drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ @@ -7208,6 +7237,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$G_SRV -u" \ "$P_CLI dtls=1 debug_level=2 \ @@ -7231,6 +7261,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_gnutls requires_not_i686 +requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -7244,6 +7275,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ "$P_CLI dtls=1 debug_level=2 \ @@ -7258,6 +7290,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ @@ -7277,6 +7310,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$G_NEXT_SRV -u" \ @@ -7294,6 +7328,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ @@ -7315,6 +7350,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -7332,6 +7368,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 client_needs_more_time 4 +requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ -p "$P_PXY drop=8 delay=8 duplicate=8" \ "$P_SRV dtls=1 debug_level=2 \ @@ -8406,6 +8443,7 @@ run_test "export keys functionality" \ requires_config_enabled MBEDTLS_MEMORY_DEBUG requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +requires_max_content_len 16384 run_tests_memory_after_hanshake # Final report From 9c09d5513e687a2949059aecc738badcf987277b Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Thu, 8 Jul 2021 16:03:44 +0100 Subject: [PATCH 09/10] Raise max_content_len constraint by one in Connection ID tests Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e91b5ad065..85dce76b04 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2244,9 +2244,12 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" -c "ignoring unexpected CID" \ -s "ignoring unexpected CID" +# This and the test below it requires MAX_CONTENT_LEN to be MFL+1, because the +# tests check that the buffer contents are reallocated when the message is +# larger than the buffer. requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_max_content_len 512 +requires_max_content_len 513 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \ @@ -2260,7 +2263,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \ requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH -requires_max_content_len 1024 +requires_max_content_len 1025 run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \ From 3fa1673cf62be68d75661bf8b4e795985b348db6 Mon Sep 17 00:00:00 2001 From: Yuto Takano Date: Fri, 9 Jul 2021 11:21:43 +0100 Subject: [PATCH 10/10] Fix grammar suggesting an upper bound on MAX_CONTENT_LEN Co-authored-by: Gilles Peskine Signed-off-by: Yuto Takano --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 85dce76b04..3df667a2a3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2244,7 +2244,7 @@ run_test "Connection ID, 3D: Cli+Srv enabled, Srv disables on renegotiation" -c "ignoring unexpected CID" \ -s "ignoring unexpected CID" -# This and the test below it requires MAX_CONTENT_LEN to be MFL+1, because the +# This and the test below it require MAX_CONTENT_LEN to be at least MFL+1, because the # tests check that the buffer contents are reallocated when the message is # larger than the buffer. requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID