diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h
index 33b51673d..7a0377708 100644
--- a/configs/baremetal_test.h
+++ b/configs/baremetal_test.h
@@ -43,6 +43,9 @@
 /* Use Mbed TLS' timer implementation for Linux. */
 #define MBEDTLS_TIMING_C
+/* Needed for certificates in ssl_opt.sh */
+#define MBEDTLS_FS_IO
+
 #undef MBEDTLS_NO_PLATFORM_ENTROPY
 #undef MBEDTLS_ENTROPY_MAX_SOURCES
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 388865be5..850237a84 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -107,6 +107,7 @@ List of certificates:
 _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
 _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
 - server11.crt: 3 E, secp256r1 curve
+ -bad.crt.der: S11 with corrupted public key and signature
 Certificate revocation lists
 ----------------------------
diff --git a/tests/data_files/ec_256_pub.der b/tests/data_files/ec_256_pub.der
new file mode 100644
index 000000000..2ba259538
Binary files /dev/null and b/tests/data_files/ec_256_pub.der differ
diff --git a/tests/data_files/server11-bad.crt.der b/tests/data_files/server11-bad.crt.der
new file mode 100644
index 000000000..0a782a766
Binary files /dev/null and b/tests/data_files/server11-bad.crt.der differ
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a6ad765e7..cd0b03119 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -656,7 +656,6 @@ check_cmdline_force_version_compat() {
 SKIP_NEXT="YES"
 elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
 ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
- echo "FORCE SKIP"
 SKIP_NEXT="YES"
 fi
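Review bot: The comment added in configs/baremetal_test.h refers to `ssl_opt.sh`, but the script this commit changes is `tests/ssl-opt.sh`, so a search for the script name will not find this define; `/* Needed for certificates in ssl-opt.sh */` fixes that. File-system I/O is not something a bare-metal target normally offers, so the comment could also say that `MBEDTLS_FS_IO` is enabled here, presumably, only so the test programs can load their DER files. That keeps the define from being copied into a production configuration by mistake.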
@@ -2376,6 +2375,17 @@ run_test "Extended Master Secret: client enabled, server SSLv3" \
 -C "session hash for extended master secret" \
 -S "session hash for extended master secret"
+run_test "Extended Master Secret: both enabled, both enforcing, DTLS" \
+ "$P_SRV dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
+ "$P_CLI dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
+ 0 \
+ -c "client hello, adding extended_master_secret extension" \
+ -s "found extended master secret extension" \
+ -s "server hello, adding extended master secret extension" \
+ -c "found extended_master_secret extension" \
+ -c "session hash for extended master secret" \
+ -s "session hash for extended master secret"
+
 # Tests for FALLBACK_SCSV
 run_test "Fallback SCSV: default" \
@@ -3777,6 +3787,25 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo
 -c "! Certificate verification flags"\
 -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
+requires_config_enabled MBEDTLS_USE_TINYCRYPT
+run_test "Authentication: DTLS server ECDH p256, client required, server goodcert" \
+ "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
+ crt_file=data_files/server11.crt.der" \
+ "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
+ 0 \
+ -C "bad certificate (EC key curve)"\
+ -C "! Certificate verification flags"\
+ -C "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_USE_TINYCRYPT
+run_test "Authentication: DTLS server ECDH p256, client required, server badcert" \
+ "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
+ crt_file=data_files/server11-bad.crt.der" \
+ "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
+ 1 \
+ -c "! Certificate verification flags"\
+ -c "! mbedtls_ssl_handshake returned"
+
 run_test "Authentication: server badcert, client none" \
 "$P_SRV crt_file=data_files/server5-badsign.crt \
 key_file=data_files/server5.key" \
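Review bot: The "server badcert" DTLS case added in the Authentication hunk passes on any verification failure, because its only patterns are `-c "! Certificate verification flags"` and `-c "! mbedtls_ssl_handshake returned"`; nothing ties the result to the corrupted public key and signature in `server11-bad.crt.der`. Neither new case gives `$P_CLI` a `ca_file`, so the trust anchor is whatever the client program defaults to, while the keyUsage p256 case in this same commit passes `ca_file=data_files/test-ca3.crt.der` for the same server certificate. Passing that `ca_file` in both cases and adding one `-c` pattern for the specific reason the client logs would keep the negative test from passing for an unrelated reason. Which reason string is available in a TinyCrypt build is not visible in this diff.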
@@ -4825,6 +4854,12 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \
 0 \
 -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
+run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256" \
+ "$P_SRV dtls=1 key_file=data_files/server11.key.der \
+ crt_file=data_files/server11.crt.der" \
+ "$P_CLI dtls=1 ca_file=data_files/test-ca3.crt.der" \
+ 0 \
+ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
 run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
 "$P_SRV key_file=data_files/server5.key \
@@ -5641,6 +5676,13 @@ run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
 0 \
 -s "Read from client: 1 bytes read"
+run_test "Small client packet DTLS, ECDHE-ECDSA" \
+ "$P_SRV dtls=1" \
+ "$P_CLI dtls=1 request_size=1 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ 0 \
+ -s "Read from client: 1 bytes read"
+
 # Tests for small server packets
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@@ -5922,6 +5964,13 @@ run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
 0 \
 -c "Read from server: 1 bytes read"
+run_test "Small server packet DTLS, ECDHE-ECDSA" \
+ "$P_SRV dtls=1 response_size=1" \
+ "$P_CLI dtls=1 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ 0 \
+ -c "Read from server: 1 bytes read"
+
 # A test for extensions in SSLv3
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
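Review bot: The title "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256" does not say that both endpoints run with `dtls=1`, so a failure reads like a TLS regression next to the TLS case above it; `"keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256, DTLS"` would follow the naming of the "Small client packet DTLS" cases. Whether `server11.crt.der` carries a keyUsage extension with digitalSignature is not visible in this diff. If it does not, the case checks only suite selection and belongs under a different heading.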
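Review bot: The two new small-packet cases force `TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8` without a guard, so a build that lacks this suite reports a failure instead of a skip; this applies to "Small client packet DTLS, ECDHE-ECDSA" and to "Small server packet DTLS, ECDHE-ECDSA" in the following hunk. The "Force an ECC ciphersuite with CCM" cases added later in this same commit put `requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8` on the line before `run_test`. The same line belongs before each of these two cases.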
@@ -6957,6 +7006,24 @@ run_test "Force an ECC ciphersuite in the server side" \
 -c "found supported_point_formats extension" \
 -s "server hello, supported_point_formats extension"
+requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
+run_test "Force an ECC ciphersuite with CCM in the client side" \
+ "$P_SRV dtls=1 debug_level=3" \
+ "$P_CLI dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ 0 \
+ -c "client hello, adding supported_elliptic_curves extension" \
+ -c "client hello, adding supported_point_formats extension" \
+ -s "found supported elliptic curves extension" \
+ -s "found supported point formats extension"
+
+requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
+run_test "Force an ECC ciphersuite with CCM in the server side" \
+ "$P_SRV dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+ "$P_CLI dtls=1 debug_level=3" \
+ 0 \
+ -c "found supported_point_formats extension" \
+ -s "server hello, supported_point_formats extension"
+
 # Tests for DTLS HelloVerifyRequest
 run_test "DTLS cookie: enabled" \
@@ -6981,7 +7048,6 @@ run_test "DTLS cookie: disabled" \
 -S "hello verification requested" \
 -S "SSL - The requested feature is not available"
-requires_config_enabled MBEDTLS_ERROR_C
 run_test "DTLS cookie: default (failing)" \
 "$P_SRV dtls=1 debug_level=2 cookies=-1" \
 "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
@@ -6990,8 +7056,7 @@ run_test "DTLS cookie: default (failing)" \
 -S "cookie verification passed" \
 -S "cookie verification skipped" \
 -C "received hello verify request" \
- -S "hello verification requested" \
- -s "SSL - The requested feature is not available"
+ -S "hello verification requested"
 requires_ipv6
 run_test "DTLS cookie: enabled, IPv6" \
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index 5bdbea05c..c8f4d70d6 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
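Review bot: In the last ssl-opt.sh hunk, dropping `-s "SSL - The requested feature is not available"` from "DTLS cookie: default (failing)" removes the check on why the handshake fails in every build, not only in builds without MBEDTLS_ERROR_C; the patterns left in the hunk are all negative (`-S`/`-C`). The two lines between this hunk and the previous one are not shown, so a positive pattern may remain there. If none does, a pattern on the numeric return value would keep the test tied to the intended failure without needing error strings, for example `-s "mbedtls_ssl_handshake returned -0x<code of MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE>"`. That assumes the server program prints the return value the way the client cases on this page expect.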
@@ -154,7 +154,7 @@ mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDT
 Check pair #2 (EC, bad, TinyCrypt)
 depends_on:MBEDTLS_USE_TINYCRYPT
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"data_files/ec_256_pub.der":"data_files/server5.key.der":MBEDTLS_ERR_PK_BAD_INPUT_DATA
 Check pair #3 (RSA, OK)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15