From a21e893398eb71ef4e333d74eb5f71d314312334 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 4 Sep 2024 16:30:32 +0200
Subject: [PATCH] Test ssl_server

Test ssl_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

Clean up compile-time requirements in ssl_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/ssl/ssl_server.c     | 23 +++++++-----------
 tests/opt-testcases/sample.sh | 44 +++++++++++++++++++++++++++++++++++
 tests/ssl-opt.sh              |  7 ++++++
 3 files changed, 60 insertions(+), 14 deletions(-)

diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 6becf8d913..c3bd8fc610 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -9,18 +9,15 @@
 
 #include "mbedtls/platform.h"
 
-#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
-    !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) ||  \
-    !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) ||      \
-    !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) ||     \
-    !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO)
+#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) ||      \
+    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) ||           \
+    !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
 int main(void)
 {
-    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
-                   "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
-                   "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
-                   "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
-                   "and/or MBEDTLS_PEM_PARSE_C not defined.\n");
+    mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+                   "MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
+                   "MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
+                   "not defined.\n");
     mbedtls_exit(0);
 }
 #else
@@ -356,7 +353,5 @@ exit:
 
     mbedtls_exit(ret);
 }
-#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
-          MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
-          MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C
-          && MBEDTLS_FS_IO && MBEDTLS_PEM_PARSE_C */
+
+#endif /* configuration allows running this program */
diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh
index 171bb4e22a..82a95b8b9c 100644
--- a/tests/opt-testcases/sample.sh
+++ b/tests/opt-testcases/sample.sh
@@ -74,3 +74,47 @@ run_test    "Sample: dtls_client, gnutls server, DTLS 1.2" \
             -c "[1-9][0-9]* bytes read" \
             -S "Error" \
             -C "error"
+
+requires_protocol_version tls12
+run_test    "Sample: ssl_server, openssl client, TLS 1.2" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_server" \
+            "$O_CLI -tls1_2" \
+            0 \
+            -s "Successful connection using: TLS-" \
+            -c "New, TLSv1.2, Cipher is" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls12
+run_test    "Sample: ssl_server, gnutls client, TLS 1.2" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_server" \
+            "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
+            0 \
+            -s "Successful connection using: TLS-" \
+            -c "Description:.*TLS1.2" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls13
+run_test    "Sample: ssl_server, openssl client, TLS 1.3" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_server" \
+            "$O_CLI -tls1_3" \
+            0 \
+            -s "Successful connection using: TLS1-3-" \
+            -c "New, TLSv1.3, Cipher is" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls13
+run_test    "Sample: ssl_server, gnutls client, TLS 1.3" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_server" \
+            "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
+            0 \
+            -s "Successful connection using: TLS1-3-" \
+            -c "Description:.*TLS1.3" \
+            -S "error" \
+            -C "ERROR"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bc74128ed9..c1b5421957 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -500,6 +500,13 @@ detect_required_features() {
             requires_config_enabled MBEDTLS_SSL_CLI_C
             requires_certificate_authentication
             ;;
+        *"programs/ssl/ssl_server "*)
+            requires_config_enabled MBEDTLS_CTR_DRBG_C
+            requires_config_enabled MBEDTLS_ENTROPY_C
+            requires_config_enabled MBEDTLS_PEM_PARSE_C
+            requires_config_enabled MBEDTLS_SSL_SRV_C
+            requires_certificate_authentication
+            ;;
     esac
 
     case "$CMD_LINE" in