From e58a630cb04d1e5117ce7b9801e465b16f79a8ac Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 7 Nov 2018 16:20:16 +0000 Subject: [PATCH 01/14] Add support for password protected key file to ssl_server2 The example application programs/ssl/ssl_server2 allows the configuration of up to two CRTs through the command line parameters - crt_file, key_file - crt_file2, key_file2. However, password protected key files are not supported. This commit adds command line options - key_pwd - key_pwd2 which allow to specify passwords for the key files specified in key_file and key_file2, respectively. --- programs/ssl/ssl_server2.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 15346070c..ee7ec7958 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -124,8 +124,10 @@ int main( void ) #define DFL_CA_PATH "" #define DFL_CRT_FILE "" #define DFL_KEY_FILE "" +#define DFL_KEY_PWD "" #define DFL_CRT_FILE2 "" #define DFL_KEY_FILE2 "" +#define DFL_KEY_PWD2 "" #define DFL_ASYNC_OPERATIONS "-" #define DFL_ASYNC_PRIVATE_DELAY1 ( -1 ) #define DFL_ASYNC_PRIVATE_DELAY2 ( -1 ) 
@@ -218,11 +220,15 @@ int main( void ) " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \ " default: see note after key_file2\n" \ " key_file=%%s default: see note after key_file2\n" \ + " key_pwd=%%s Password for key specified by key_file argument\n"\ + " default: none\n" \ " crt_file2=%%s Your second cert and chain (in bottom to top order, top may be omitted)\n" \ " default: see note after key_file2\n" \ " key_file2=%%s default: see note below\n" \ " note: if neither crt_file/key_file nor crt_file2/key_file2 are used,\n" \ " preloaded certificate(s) and key(s) are used if available\n" \ + " key_pwd2=%%s Password for key specified by key_file2 argument\n"\ + " default: none\n" \ " dhm_file=%%s File containing Diffie-Hellman parameters\n" \ " default: preloaded parameters\n" #else @@ -572,8 +578,10 @@ struct options const char *ca_path; /* the path with the CA certificate(s) reside */ const char *crt_file; /* the file with the server certificate */ const char *key_file; /* the file with the server key */ + const char *key_pwd; /* the password for the server key */ const char *crt_file2; /* the file with the 2nd server certificate */ const char *key_file2; /* the file with the 2nd server key */ + const char *key_pwd2; /* the password for the 2nd server key */ const char *async_operations; /* supported SSL asynchronous operations */ int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ 
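Review bot: The new `key_pwd=%%s` and `key_pwd2=%%s` usage lines do not tell the user that a password given on the command line is readable by other local users through the process list and ends up in shell history, which matters more for a key password than for the other options documented here. I would add a line after each, e.g. `"                        note: visible in the process list; for testing only\n" \`, and the same applies to the ssl_client2 usage line added in PATCH 10. Separately, `key_pwd2` is placed after the note about preloaded certificates while `key_pwd` sits directly after `key_file`; keeping both file/password pairs adjacent would read more consistently, with the "see note after key_file2" references updated to match. The string macro these continuation lines belong to starts and ends outside the hunk.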
@@ -1907,8 +1915,10 @@ int main( int argc, char *argv[] ) opt.ca_path = DFL_CA_PATH; opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; + opt.key_pwd = DFL_KEY_PWD; opt.crt_file2 = DFL_CRT_FILE2; opt.key_file2 = DFL_KEY_FILE2; + opt.key_pwd2 = DFL_KEY_PWD2; opt.async_operations = DFL_ASYNC_OPERATIONS; opt.async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1; opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; @@ -2028,10 +2038,14 @@ int main( int argc, char *argv[] ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; + else if( strcmp( p, "key_pwd" ) == 0 ) + opt.key_pwd = q; else if( strcmp( p, "crt_file2" ) == 0 ) opt.crt_file2 = q; else if( strcmp( p, "key_file2" ) == 0 ) opt.key_file2 = q; + else if( strcmp( p, "key_pwd2" ) == 0 ) + opt.key_pwd2 = q; else if( strcmp( p, "dhm_file" ) == 0 ) opt.dhm_file = q; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -2817,7 +2831,8 @@ int main( int argc, char *argv[] ) if( strlen( opt.key_file ) && strcmp( opt.key_file, "none" ) != 0 ) { key_cert_init++; - if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, + opt.key_pwd ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%x\n\n", (unsigned int) -ret ); goto exit; @@ -2842,7 +2857,8 @@ int main( int argc, char *argv[] ) if( strlen( opt.key_file2 ) && strcmp( opt.key_file2, "none" ) != 0 ) { key_cert_init2++; - if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, + opt.key_pwd2 ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n", (unsigned int) -ret ); From ca04fdc2cc14c5399144cf5bc27f328eb5646c20 Mon Sep 17 00:00:00 2001 
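Review bot: In the `@@ -2817` hunk a wrong or missing password now surfaces only as the generic `mbedtls_pk_parse_keyfile returned -0x...` line, which is the one new failure mode this commit introduces and the one users of `key_pwd` will hit first; the parser reports it distinctly as `MBEDTLS_ERR_PK_PASSWORD_MISMATCH` or `MBEDTLS_ERR_PK_PASSWORD_REQUIRED`. Before `goto exit;` I would add `if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH || ret == MBEDTLS_ERR_PK_PASSWORD_REQUIRED )` followed by `mbedtls_printf( " ! wrong or missing key_pwd for %s\n", opt.key_file );`, and the same in the `@@ -2842` hunk with `opt.key_file2` and `key_pwd2`. The enclosing `main` runs past both hunks.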
From: Hanno Becker Date: Wed, 7 Nov 2018 16:22:14 +0000 Subject: [PATCH 02/14] Add support for password protected key file to ssl_client2 The example application programs/ssl/ssl_client2 allows the configuration of a client CRT through the parameters - crt_file, key_file However, password protected key files are not supported. This commit adds a new command line option - key_pwd which allow to specify a password for the key file specified in the key_file parameter. --- programs/ssl/ssl_client2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2e8e105b7..62ca1cbcb 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -103,6 +103,7 @@ int main( void ) #define DFL_CRT_FILE "" #define DFL_KEY_FILE "" #define DFL_KEY_OPAQUE 0 +#define DFL_KEY_PWD "" #define DFL_PSK "" #define DFL_PSK_OPAQUE 0 #define DFL_PSK_IDENTITY "Client_identity" @@ -487,6 +488,7 @@ struct options #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif + const char *key_pwd; /* the password for the client key */ const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ @@ -1251,6 +1253,7 @@ int main( int argc, char *argv[] ) opt.crt_file = DFL_CRT_FILE; opt.key_file = DFL_KEY_FILE; opt.key_opaque = DFL_KEY_OPAQUE; + opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; #if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; @@ -1396,6 +1399,8 @@ int main( int argc, char *argv[] ) opt.cid_val_renego = q; } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ + else if( strcmp( p, "key_pwd" ) == 0 ) + opt.key_pwd = q; else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; #if defined(MBEDTLS_USE_PSA_CRYPTO) 
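Review bot: In the `@@ -487` hunk the new `key_pwd` member is placed after the `MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK` block, next to `psk`, rather than beside the `key_file` it qualifies; the server counterpart in PATCH 01 keeps `key_pwd` directly after `key_file`. Moving `const char *key_pwd;          /* the password for the client key */` up to follow `key_file` in `struct options` keeps the two programs parallel and leaves the `#if` block self-contained. `struct options` starts and ends outside the hunk.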
@@ -2079,7 +2084,7 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.key_file ) ) - ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" ); + ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, opt.key_pwd ); else #endif #if defined(MBEDTLS_CERTS_C) From ecea07d6c30a8c7819637e4297b292542e10598a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 7 Nov 2018 16:24:35 +0000 Subject: [PATCH 03/14] Unify ciphersuite related debug output on client and server The client previously reproted the offered ciphersuites through their numerical identifier only, while the server reported them through their name. This commit modifies the debug output on client and server to both use the format `ID (NAME)` for the ciphersuites. --- library/ssl_cli.c | 4 ++-- library/ssl_srv.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 361e6e6d2..395303e33 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1063,8 +1063,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->conf->max_minor_ver ) != 0 ) continue; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", - ciphersuites[i] ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x (%s)", + ciphersuites[i], ciphersuite_info->name ) ); #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 91bd83aa2..bc25b39b8 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -929,7 +929,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %04x (%s)", + suite_id, suite_info->name ) ); if( suite_info->min_minor_ver > ssl->minor_ver || suite_info->max_minor_ver < ssl->minor_ver ) 
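Review bot: In the ssl_cli.c hunk, `%04x` is given `ciphersuites[i]`, an `int` if the list is the usual `const int *`, while `%x` takes an `unsigned int`; suite ids are small and non-negative so it prints correctly in practice, but elsewhere in this series the same situation is handled with an explicit cast (`(unsigned int) -ret` in ssl_server2). I would write `(unsigned int) ciphersuites[i], ciphersuite_info->name ) );`, and likewise `(unsigned int) suite_id` in the ssl_srv.c hunk of this patch, where the visible signature declares `int suite_id`. `ssl_write_client_hello` and `ssl_ciphersuite_match` both start and end outside their hunks.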
From 3c88c654265d7f2f6f0b63113192669305a69533 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 2 Jan 2019 11:17:25 +0000 Subject: [PATCH 04/14] Fix debug format specifier in ClientHello ciphersuite log --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 395303e33..e94fd7208 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1063,7 +1063,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) ssl->conf->max_minor_ver ) != 0 ) continue; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x (%s)", + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %#04x (%s)", ciphersuites[i], ciphersuite_info->name ) ); #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ From 5c5efdfcf9fbee70093b72cc1db2620866440d0f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 28 Jan 2019 14:59:35 +0000 Subject: [PATCH 05/14] Fix format specifier in ssl_ciphersuite_match() --- library/ssl_srv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index bc25b39b8..4a3f4a17c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -929,7 +929,7 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %04x (%s)", + MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %#04x (%s)", suite_id, suite_info->name ) ); if( suite_info->min_minor_ver > ssl->minor_ver || From 063f3bba90b515a122feb02eeb231c9a3ab274b8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 Aug 2020 10:02:36 +0100 Subject: [PATCH 06/14] Add ChangeLog entry Signed-off-by: Hanno Becker --- ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt 
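Review bot: `%#04x` does not give the fixed four hex digits the previous `%04x` gave, because with the `#` flag the `0x` prefix counts toward the field width, so a suite id such as 0x002f now prints as `0x2f` while 0xc0ff prints as `0xc0ff`. If a uniform `0xHHHH` form is intended, `"client hello, add ciphersuite: %#06x (%s)"` (or `0x%04x`) does that; the same applies to the ssl_srv.c change in PATCH 05. Note also that the ssl-opt.sh patterns `add ciphersuite: c0ff` stop matching at this commit and are only updated in PATCH 07, so the series is not bisectable in between; folding that test update into this commit would fix it. `ssl_write_client_hello` starts and ends outside the hunk.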
diff --git a/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt b/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt new file mode 100644 index 000000000..ad1ad3038 --- /dev/null +++ b/ChangeLog.d/pw_protected_key_file_ssl_clisrv2.txt @@ -0,0 +1,8 @@ +Changes + * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2 + example applications which allows to provide a password for the key file + specified through the existing key_file argument. This allows the use of + these applications with password-protected key files. Analogously but for + ssl_server2 only, add the command line parameter key_pwd2 which allows to + set a password for the key file provided through the existing key_file2 + argument. From ee63af6f8f1af2ab4ea7d6f9e1b18cf4dc87aae5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 Aug 2020 15:41:23 +0100 Subject: [PATCH 07/14] Adapt ssl-opt.sh to modified ciphersuite log format The debug output for supported ciphersuites has been changed from `deadbeef` to `0xdeadbeef` in a previous commit, but the test script `ssl-opt.sh` grepping for lines in the debug log to determine test success/failure hadn't been adjusted accordingly. This commit fixes this. Signed-off-by: Hanno Becker --- tests/ssl-opt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5864a87a7..e7849cdd3 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5745,7 +5745,7 @@ run_test "ECJPAKE: client not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ - -C "add ciphersuite: c0ff" \ + -C "add ciphersuite: 0xc0ff" \ -C "adding ecjpake_kkpp extension" \ -S "found ecjpake kkpp extension" \ -S "skip ecjpake kkpp extension" \ 
@@ -5760,7 +5760,7 @@ run_test "ECJPAKE: server not configured" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 1 \ - -c "add ciphersuite: c0ff" \ + -c "add ciphersuite: 0xc0ff" \ -c "adding ecjpake_kkpp extension" \ -s "found ecjpake kkpp extension" \ -s "skip ecjpake kkpp extension" \ @@ -5775,7 +5775,7 @@ run_test "ECJPAKE: working, TLS" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \ 0 \ - -c "add ciphersuite: c0ff" \ + -c "add ciphersuite: 0xc0ff" \ -c "adding ecjpake_kkpp extension" \ -C "re-using cached ecjpake parameters" \ -s "found ecjpake kkpp extension" \ From fa452c4566745721add9e305ada68c6d9801e284 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 Aug 2020 15:42:49 +0100 Subject: [PATCH 08/14] Fix guard in ECJPAKE tests in ssl-opt.sh Three tests were guarded by `MBEDTLS_KEY_EXCHANGE_ECJPAKE`, not `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`, as it should be. Curiously, the guard still functioned as intended, perhaps because `MBEDTLS_KEY_EXCHANGE_ECJPAKE` is a prefix of `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`. Signed-off-by: Hanno Becker --- tests/ssl-opt.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index e7849cdd3..1ebab3edd 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5740,7 +5740,7 @@ run_test "PSK callback: wrong key" \ # Tests for EC J-PAKE -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: client not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 
@@ -5754,7 +5754,7 @@ run_test "ECJPAKE: client not configured" \ -C "found ecjpake_kkpp extension" \ -S "None of the common ciphersuites is usable" -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: server not configured" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ @@ -5769,7 +5769,7 @@ run_test "ECJPAKE: server not configured" \ -C "found ecjpake_kkpp extension" \ -s "None of the common ciphersuites is usable" -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED run_test "ECJPAKE: working, TLS" \ "$P_SRV debug_level=3 ecjpake_pw=bla" \ "$P_CLI debug_level=3 ecjpake_pw=bla \ From 34ce81f896be0b42558e16397cf8ab7282b4a67b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 17 Aug 2020 09:40:54 +0100 Subject: [PATCH 09/14] Avoid overly long usage string literal in ssl_server2 program Signed-off-by: Hanno Becker --- programs/ssl/ssl_server2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ee7ec7958..88095c612 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -501,8 +501,6 @@ int main( void ) " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ " options: 1 (send ca list), 0 (don't send)\n" \ USAGE_IO \ - USAGE_SSL_ASYNC \ - USAGE_SNI \ "\n" \ USAGE_PSK \ USAGE_CA_CALLBACK \ @@ -527,6 +525,8 @@ int main( void ) USAGE_CURVES \ "\n" #define USAGE4 \ + USAGE_SSL_ASYNC \ + USAGE_SNI \ " arc4=%%d default: (library default: 0)\n" \ " allow_sha1=%%d default: 0\n" \ " min_version=%%s default: (library default: tls1)\n" \ From bffa54f4eb5ba7241e59b7a2c93ba847b1545e78 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 17 Aug 2020 09:42:19 +0100 Subject: [PATCH 10/14] Add usage string for `key_pwd` argument in ssl_client2 program 
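Review bot: Nothing in the `@@ -527` hunk records why `USAGE_SSL_ASYNC` and `USAGE_SNI` were moved out of the third usage macro, so the next edit that extends it can silently reintroduce the overlong literal. A one-line comment above `#define USAGE4 \`, such as `/* Keep USAGE3 short: C99 only guarantees 4095 characters per string literal. */`, would preserve the reason given in the commit message. Both usage macros are cut by the hunk boundaries.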
Signed-off-by: Hanno Becker --- programs/ssl/ssl_client2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 62ca1cbcb..ebe71ce50 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -176,7 +176,9 @@ int main( void ) " use \"none\" to skip loading any top-level CAs.\n" \ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \ " default: \"\" (pre-loaded)\n" \ - " key_file=%%s default: \"\" (pre-loaded)\n" + " key_file=%%s default: \"\" (pre-loaded)\n"\ + " key_pwd=%%s Password for key specified by key_file argument\n"\ + " default: none\n" #else #define USAGE_IO \ " No file operations available (MBEDTLS_FS_IO not defined)\n" From 2d3ac68336f36af3dbb94be6596059d6c0a925f0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 17 Aug 2020 09:42:37 +0100 Subject: [PATCH 11/14] Parse key-file and -password parameters in same place in ssl_client2 Signed-off-by: Hanno Becker --- programs/ssl/ssl_client2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index ebe71ce50..553598c55 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1375,6 +1375,8 @@ int main( int argc, char *argv[] ) opt.crt_file = q; else if( strcmp( p, "key_file" ) == 0 ) opt.key_file = q; + else if( strcmp( p, "key_pwd" ) == 0 ) + opt.key_pwd = q; #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); @@ -1401,8 +1403,6 @@ int main( int argc, char *argv[] ) opt.cid_val_renego = q; } #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - else if( strcmp( p, "key_pwd" ) == 0 ) - opt.key_pwd = q; else if( strcmp( p, "psk" ) == 0 ) opt.psk = q; #if defined(MBEDTLS_USE_PSA_CRYPTO) From 226eedb5f352a85f76ebea33a585f1a4350951b2 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Mon, 17 Aug 2020 12:14:00 +0100 Subject: [PATCH 12/14] Add password protected version of key for data_files/server{2,5}.key Signed-off-by: Hanno Becker --- tests/data_files/Makefile | 12 ++++++++++++ tests/data_files/server2.key.enc | 30 ++++++++++++++++++++++++++++++ tests/data_files/server5.key.enc | 8 ++++++++ 3 files changed, 50 insertions(+) create mode 100644 tests/data_files/server2.key.enc create mode 100644 tests/data_files/server5.key.enc diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 99d64eb3a..436b4a90a 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -244,6 +244,8 @@ cli2.key.der: cli2.key $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += cli2.key.der +server5_pwd_ec = PolarSSLTest + server5.crt.der: server5.crt $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER all_final += server5.crt.der @@ -252,6 +254,10 @@ server5.key.der: server5.key $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += server5.key.der +server5.key.enc: server5.key + $(OPENSSL) ec -aes256 -in $< -out $@ -passout "pass:$(server5_pwd_ec)" +all_final += server5.key.enc + server5-ss-expired.crt: server5.key $(FAKETIME) -f -3653d $(OPENSSL) req -x509 -new -subj "/C=UK/O=mbed TLS/OU=testsuite/CN=localhost" -days 3653 -sha256 -key $< -out $@ all_final += server5-ss-expired.crt @@ -923,6 +929,8 @@ all_final += server1.req.cert_type_empty # server2* +server2_pwd_ec = PolarSSLTest + server2.req.sha256: server2.key $(MBEDTLS_CERT_REQ) output_file=$@ filename=$< subject_name="C=NL,O=PolarSSL,CN=localhost" md=SHA256 all_intermediate += server2.req.sha256 
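Review bot: The new `server5.key.enc` rule in the `@@ -252` hunk produces the traditional OpenSSL PEM encryption (the `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC` headers in the committed file), whose key is derived from the password with the legacy MD5-based scheme, and nothing marks that as a fixture-only choice. I would add above the rule `# Legacy (DEK-Info) PEM encryption with a public password: test fixture only, not a template for real keys.`, and the same above the `server2.key.enc` rule in the `@@ -939` hunk. Each run also picks a fresh IV, so regenerating the fixture changes the committed bytes; harmless for these tests, but worth stating in the same comment.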
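Review bot: `server2_pwd_ec` in the `@@ -923` hunk names the password for `server2.key`, which the `@@ -939` hunk encrypts with `openssl rsa`, so the `_ec` suffix copied from `server5_pwd_ec` is misleading for an RSA key. Renaming it — `server2_pwd_rsa = PolarSSLTest` here and `-passout "pass:$(server2_pwd_rsa)"` in the rule — keeps the variable honest; alternatively one shared variable would do, since both fixtures and all three tests in PATCH 13 use the same password.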
@@ -939,6 +947,10 @@ server2.key.der: server2.key $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += server2.key.der +server2.key.enc: server2.key + $(OPENSSL) rsa -aes256 -in $< -out $@ -passout "pass:$(server2_pwd_ec)" +all_final += server2.key.enc + # server5* # The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.' diff --git a/tests/data_files/server2.key.enc b/tests/data_files/server2.key.enc new file mode 100644 index 000000000..773aaad40 --- /dev/null +++ b/tests/data_files/server2.key.enc 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,3DDADF5AEA525DD282D9D5E0B978AEE2 + +thP0fyNhHEWvVWHpBSGAA4C6wlqWwuCbYTGVs6GW07YNiyvInE/XxtKCrEJ6ORpR +tPZ0sTtmRFQgiAW4nSjol6AhnMAYCkt+bl2opihuKHr2IBKpGIytCwYwDB/soMw5 +/vYuZU3osENnWcv+R1+0PohU6eqo1bVBrk+Mrm+ZSX886uDNxAaqAW9dtsC7fZYV +w/uCOlk78rtrJUOTKfh3VEXG1fb/rYAP7bZYwzkmJZRozFPzjhnZZSOssz4xwCwY +04oHHrMDFCpbBmlZRLg60c5u0nduQx3SKig9o6gHCDoOYT0Bq64lvZLiPcwN7axV +L7+7TJ9u/kALO0CqAltiuz18msaErXIE3pHEGDt5zxgUcLxT4IhhixWfOL09nqjl +IltEBn0JAVC3qYsEzFGnr3C2NXLTYIFU8m1qtIyEc8vuhKw7HCgp3W/xw9f2jKZF +JivFX80URuBTs2/TWuGBKTmIGLQFWYPKwhyl9HNbbI8q5XdxKNiVxDnZfPU/icef +nJ+nM7msrkvXj4SdHO/if+rxQ07T/MHfU8PeqUL2LQAxY4gfBvkKJ/UAjfsHv0B2 +1WcZAt0yqrJu/ydOkQpwmQ/XCh/dITNYnxXZ0bjtY5fG+QGxA3RvqyfKbQFTi8qg +Nx8cxOUD1dZwZ6KrosdSFGkNkZwgIWAbIK4O3TLN5lD42031kx4iiKlxdjw6Q2df +MEVL6FqYXf4n5MhGQ5mu5MkEO9IDaz/iBdm2jkkjWaxozNC51r/i+STtsVQnY2f2 +pubekEnCOoqXN6BjuVLN28XSTLLTlJ5i9tdIMlIFUKfiNpJjOTjYBopZEf5hm3h4 +ollq6QhW9DIIsVuYgSpvoyLYLl57kvYgk1oGhV0KZyh7IPzRXTjEBiMTO+MZEoH0 +f3x2RU3LvMagb36zWs6CShV/TwAE08Mwbi7UDWYRHHaeO2bcKoEDGOXiOfsXE9HW +OVmAlIheR/W1eVAcszHcSVtXOjlsJ02CeVEcATnJCk6Ug0vc0TspCnwOCvM8+RmE +jQ0E6GeT6R/DVHW9XBNFxFxiS6ySd3yo9rKVLdGGPHns+qmlSMTAfYROoR1V8UiQ +0Tvd1CfVVBeYCm9UrWUXvGzoC3rstbD7SinGbdSU4wATIPeb+v1Tz/vVhr8AoRLJ +JK3jHMKCHH59Wx+tk8JdqAm8fgUK/69A5+gitZlM6sAmnfBJ6Vm8hqACLpjPXDWy +LjNDwWGqgWgqDOubY+ZJQwjUGQdPdGbEUF0ABZ6si9wW+RVVGSPAfiFqE4b/QwA/ +RZh1nm7dc/3elXxwXP60MyEsVddAP691xlDdL9mRpbDMx/JSp/hABFmdPOEtu5EB +02DS37+pOdI1kWkFiI4kkccZL04CTWLWh2lxb0RqUqQMeOf6j/WSTJ2In5etbHSB +R8IQOsfRINm3fD11SXXKUM7IzMi9VBD7TblN2HR9iXbW7twa8O0MRH805eY+vjsM +kcYoOtWSh+OFP9txcwjiXUBmVQDPtb+myGXmchSpMIFNV2tHVvVmUFBSipyAKr98 +3YI7mvWO0AVWXAqRHYmM3DLjlEXCauXCjgVicC/EUdA5CAO95X/ZQTNwBk8kYjy+ +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/server5.key.enc b/tests/data_files/server5.key.enc new file mode 100644 index 000000000..8e622c0e9 --- /dev/null +++ b/tests/data_files/server5.key.enc 
@@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,69FEA263918128D4DD673B2732E2D7EC + ++Q4P1nVcfGoittxagWHvyBLVPbhjmTA/SZ6W5TB+5scOzgfRlcse4jIII899EQxx +HrfhgQwzQ12TgTZ2Y8neI+RsUqFLTLinvd8c/luBKLeDECjjhyBXOJic2dRPUaLQ +Nyg3bI0Srr6aq6nETjh8i+dSzE/wjyNzXBMdN3KhOjE= +-----END EC PRIVATE KEY----- From 2f54a3c2e4f181cd97e204ad6e7f00345d354505 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 17 Aug 2020 12:14:06 +0100 Subject: [PATCH 13/14] Add tests to ssl-opt.sh exercising new `key_pwd[2]` parameters Signed-off-by: Hanno Becker --- tests/ssl-opt.sh | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1ebab3edd..80943bd6e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -1121,6 +1121,33 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS: password protected client key" \ + "$P_SRV auth_mode=required" \ + "$P_CLI crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ + 0 + +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS: password protected server key" \ + "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ + "$P_CLI" \ + 0 + +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "TLS: password protected server key, two certificates" \ + "$P_SRV \ + key_file=data_files/server5.key.enc key_pwd=PolarSSLTest crt_file=data_files/server5.crt \ + key_file2=data_files/server2.key.enc key_pwd2=PolarSSLTest crt_file2=data_files/server2.crt" \ + "$P_CLI" \ + 0 + requires_config_enabled MBEDTLS_ZLIB_SUPPORT run_test "Default (compression enabled)" \ "$P_SRV debug_level=3" \ From 721f7c1e644462a2849a2d85ccba69a32a224ada Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 17 Aug 2020 12:17:32 +0100 Subject: [PATCH 14/14] Add minimal client authentication test to ssl-opt.sh Signed-off-by: Hanno Becker --- tests/ssl-opt.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 80943bd6e..3b576e65b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
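Review bot: The three new tests guard on X.509, ECDSA, RSA and SHA-256 support but not on what decrypting a `DEK-Info` PEM key needs; if I read the library's pem.c guards correctly, that path is only compiled with `MBEDTLS_PEM_PARSE_C`, `MBEDTLS_MD5_C`, `MBEDTLS_CIPHER_MODE_CBC` and an AES (or DES) cipher, and the fixtures use AES-256-CBC. In a configuration lacking any of these the tests fail on key parsing instead of being skipped, so I would add `requires_config_enabled MBEDTLS_PEM_PARSE_C`, `requires_config_enabled MBEDTLS_MD5_C`, `requires_config_enabled MBEDTLS_AES_C` and `requires_config_enabled MBEDTLS_CIPHER_MODE_CBC` before each of the three `run_test` calls. A companion test passing a wrong `key_pwd` and expecting the program to fail would also pin that the password is actually checked rather than ignored.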
@@ -1121,6 +1121,12 @@ run_test "Default, DTLS" \ -s "Protocol is DTLSv1.2" \ -s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" +run_test "TLS client auth: required" \ + "$P_SRV auth_mode=required" \ + "$P_CLI" \ + 0 \ + -s "Verifying peer X.509 certificate... ok" + requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C