diff --git a/.travis.yml b/.travis.yml index 1259152ad..f30a4e398 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,6 +17,7 @@ script: - tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' - tests/scripts/test-ref-configs.pl - tests/scripts/curves.pl +- tests/scripts/key-exchanges.pl env: global: secure: "barHldniAfXyoWOD/vcO+E6/Xm4fmcaUoC9BeKW+LwsHqlDMLvugaJnmLXkSpkbYhVL61Hzf3bo0KPJn88AFc5Rkf8oYHPjH4adMnVXkf3B9ghHCgznqHsAH3choo6tnPxaFgOwOYmLGb382nQxfE5lUdvnM/W/psQjWt66A1+k=" diff --git a/ChangeLog b/ChangeLog index fdc66fe73..0d4dc64ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Features block. (Potential uses include EAP-TLS and Thread.) Bugfix + * Fix build error with configurations where ECDHE-PSK is the only key + exchange. Found and fix provided by Chris Hammond. #270 + * Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or + ECHD-ECDSA if the only key exchange. Multiple reports. #310 * Fixed a bug causing some handshakes to fail due to some non-fatal alerts not being properly ignored. Found by mancha and Kasom Koht-arsa, #308 * mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index cd0505fea..810409c65 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -55,26 +55,6 @@ #include #endif -/* For convenience below and in programs */ -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) -#define MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED -#endif - /* * SSL Error codes */ @@ -561,7 +541,7 @@ struct mbedtls_ssl_config mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) const int *sig_hashes; /*!< allowed signature hashes */ #endif @@ -1627,7 +1607,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /** * \brief Set the allowed hashes for signatures during the handshake. * (Default: all available hashes.) @@ -1648,7 +1628,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, */ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, const int *hashes ); -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 9cf3f4258..deaaa3751 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -232,7 +232,7 @@ extern "C" { #define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */ /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange. - * Reminder: update MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED below. + * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below */ typedef enum { MBEDTLS_KEY_EXCHANGE_NONE = 0, @@ -249,17 +249,32 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECJPAKE, } mbedtls_key_exchange_type_t; -#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ +/* Key exchanges using a certificate */ +#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) #define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED #endif +/* Key exchanges using a PSK */ +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED +#endif + +/* Key exchanges using a ECDHE */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) +#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED +#endif + typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t; #define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */ diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index ecfc971dd..3af059f89 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -390,7 +390,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ); int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, mbedtls_md_type_t md ); #endif diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 5d9af17e4..9663fae4a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2069,7 +2069,9 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, unsigned char **p, unsigned char *end, @@ -2125,7 +2127,9 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl, return( 0 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ef121376c..4577849b0 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5867,7 +5867,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf, } #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Set allowed/preferred hashes for handshake signatures */ @@ -7066,7 +7066,7 @@ static int ssl_preset_suiteb_ciphersuites[] = { 0 }; -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) static int ssl_preset_suiteb_hashes[] = { MBEDTLS_MD_SHA256, MBEDTLS_MD_SHA384, @@ -7182,7 +7182,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = ssl_preset_suiteb_hashes; #endif @@ -7215,7 +7215,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->cert_profile = &mbedtls_x509_crt_profile_default; #endif -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) conf->sig_hashes = mbedtls_md_list(); #endif @@ -7380,7 +7380,7 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i } #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) /* * Check if a hash proposed by the peer is in our list. * Return 0 if we're willing to use it, -1 otherwise. @@ -7399,7 +7399,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, return( -1 ); } -#endif /* MBEDTLS_KEY_EXCHANGE__SOME__SIGNATURE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, diff --git a/programs/Makefile b/programs/Makefile index 544a2d8f9..443689b1b 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -49,6 +49,7 @@ APPS = aes/aescrypt2$(EXEXT) aes/crypt_and_hash$(EXEXT) \ hash/hello$(EXEXT) hash/generic_sum$(EXEXT) \ pkey/dh_client$(EXEXT) \ pkey/dh_genprime$(EXEXT) pkey/dh_server$(EXEXT) \ + pkey/ecdh_curve25519$(EXEXT) \ pkey/ecdsa$(EXEXT) pkey/gen_key$(EXEXT) \ pkey/key_app$(EXEXT) pkey/key_app_writer$(EXEXT) \ pkey/mpi_demo$(EXEXT) pkey/pk_decrypt$(EXEXT) \ @@ -112,6 +113,10 @@ pkey/dh_server$(EXEXT): pkey/dh_server.c $(DEP) echo " CC pkey/dh_server.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/dh_server.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +pkey/ecdh_curve25519$(EXEXT): pkey/ecdh_curve25519.c $(DEP) + echo " CC pkey/ecdh_curve25519.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdh_curve25519.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + pkey/ecdsa$(EXEXT): pkey/ecdsa.c $(DEP) echo " CC pkey/ecdsa.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/ecdsa.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index 8dc7def6e..5a37a4212 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -7,6 +7,9 @@ target_link_libraries(dh_genprime mbedtls) add_executable(dh_server dh_server.c) target_link_libraries(dh_server mbedtls) +add_executable(ecdh_curve25519 ecdh_curve25519.c) +target_link_libraries(ecdh_curve25519 mbedtls) + add_executable(ecdsa ecdsa.c) target_link_libraries(ecdsa mbedtls) diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c new file mode 100644 index 000000000..aa15c4687 --- /dev/null +++ b/programs/pkey/ecdh_curve25519.c @@ -0,0 +1,237 @@ +/* + * Example ECDHE with Curve25519 program + * + * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#define mbedtls_printf printf +#endif + +#if !defined(MBEDTLS_ECDH_C) || \ + !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \ + !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) +int main( void ) +{ + mbedtls_printf( "MBEDTLS_ECDH_C and/or " + "MBEDTLS_ECP_DP_CURVE25519_ENABLED and/or " + "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C " + "not defined\n" ); + return( 0 ); +} +#else + +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/ecdh.h" + +int main( int argc, char *argv[] ) +{ + int ret; + mbedtls_ecdh_context ctx_cli, ctx_srv; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + unsigned char cli_to_srv[32], srv_to_cli[32]; + const char pers[] = "ecdh"; + ((void) argc); + ((void) argv); + + mbedtls_ecdh_init( &ctx_cli ); + mbedtls_ecdh_init( &ctx_srv ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + + /* + * Initialize random number generation + */ + mbedtls_printf( " . Seeding the random number generator..." ); + fflush( stdout ); + + mbedtls_entropy_init( &entropy ); + if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy, + (const unsigned char *) pers, + sizeof pers ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Client: inialize context and generate keypair + */ + mbedtls_printf( " . Setting up client context..." ); + fflush( stdout ); + + ret = mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_write_binary( &ctx_cli.Q.X, cli_to_srv, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Server: initialize context and generate keypair + */ + mbedtls_printf( " . Setting up server context..." ); + fflush( stdout ); + + ret = mbedtls_ecp_group_load( &ctx_srv.grp, MBEDTLS_ECP_DP_CURVE25519 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_gen_public( &ctx_srv.grp, &ctx_srv.d, &ctx_srv.Q, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_gen_public returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_write_binary( &ctx_srv.Q.X, srv_to_cli, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Server: read peer's key and generate shared secret + */ + mbedtls_printf( " . Server reading client key and computing secret..." ); + fflush( stdout ); + + ret = mbedtls_mpi_lset( &ctx_srv.Qp.Z, 1 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_read_binary( &ctx_srv.Qp.X, cli_to_srv, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_compute_shared( &ctx_srv.grp, &ctx_srv.z, + &ctx_srv.Qp, &ctx_srv.d, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Client: read peer's key and generate shared secret + */ + mbedtls_printf( " . Client reading server key and computing secret..." ); + fflush( stdout ); + + ret = mbedtls_mpi_lset( &ctx_cli.Qp.Z, 1 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_mpi_read_binary( &ctx_cli.Qp.X, srv_to_cli, 32 ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); + goto exit; + } + + ret = mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.z, + &ctx_cli.Qp, &ctx_cli.d, + mbedtls_ctr_drbg_random, &ctr_drbg ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + /* + * Verification: are the computed secret equal? + */ + mbedtls_printf( " . Checking if both computed secrets are equal..." ); + fflush( stdout ); + + ret = mbedtls_mpi_cmp_mpi( &ctx_cli.z, &ctx_srv.z ); + if( ret != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); + goto exit; + } + + mbedtls_printf( " ok\n" ); + + +exit: + +#if defined(_WIN32) + mbedtls_printf( " + Press Enter to exit this program.\n" ); + fflush( stdout ); getchar(); +#endif + + mbedtls_ecdh_free( &ctx_srv ); + mbedtls_ecdh_free( &ctx_cli ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_entropy_free( &entropy ); + + return( ret != 0 ); +} +#endif /* MBEDTLS_ECDH_C && MBEDTLS_ECP_DP_CURVE25519_ENABLED && + MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 863ff3a4e..d96615b48 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -127,11 +127,16 @@ tests/ssl-opt.sh -f Default msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' -msg "test/build: curves.pl (gcc)" # ~ 5 min (?) +msg "test/build: curves.pl (gcc)" # ~ 4 min cleanup cmake -D CMAKE_BUILD_TYPE:String=Debug . tests/scripts/curves.pl +msg "test/build: key-exchanges (gcc)" # ~ 1 min +cleanup +cmake -D CMAKE_BUILD_TYPE:String=Check . +tests/scripts/key-exchanges.pl + msg "build: Unix make, -Os (gcc)" # ~ 30s cleanup CC=gcc CFLAGS='-Werror -Os' make diff --git a/tests/scripts/key-exchanges.pl b/tests/scripts/key-exchanges.pl new file mode 100755 index 000000000..46826c3de --- /dev/null +++ b/tests/scripts/key-exchanges.pl @@ -0,0 +1,43 @@ +#!/usr/bin/perl + +# test that all configs with only a single key exchange enabled build +# +# Usage: tests/scripts/key-exchanges.pl + +use warnings; +use strict; + +-d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n"; + +my $sed_cmd = 's/^#define \(MBEDTLS_KEY_EXCHANGE_.*_ENABLED\)/\1/p'; +my $config_h = 'include/mbedtls/config.h'; +my @kexes = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` ); + +system( "cp $config_h $config_h.bak" ) and die; +sub abort { + system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n"; + die $_[0]; +} + +for my $kex (@kexes) { + system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n"; + system( "make clean" ) and die; + + print "\n******************************************\n"; + print "* Testing with key exchange: $kex\n"; + print "******************************************\n"; + + # full config with all key exchanges disabled except one + system( "scripts/config.pl full" ) and abort "Failed config full\n"; + for my $k (@kexes) { + next if $k eq $kex; + system( "scripts/config.pl unset $k" ) + and abort "Failed to disable $k\n"; + } + + system( "make lib CFLAGS='-Os -Werror'" ) and abort "Failed to build lib: $kex\n"; +} + +system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n"; +system( "make clean" ) and die; +exit 0; diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index b27d64c4b..8f4738cb4 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -63,7 +63,7 @@ while( my ($conf, $data) = each %configs ) { system( "cp configs/$conf $config_h" ) and abort "Failed to activate $conf\n"; - system( "make" ) and abort "Failed to build: $conf\n"; + system( "make CFLAGS='-Os -Werror'" ) and abort "Failed to build: $conf\n"; system( "make test" ) and abort "Failed test suite: $conf\n"; my $compat = $data->{'compat'};