From 4efd089ed5e6e2cb43b45bd1433c6c2eb6aab949 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 5 Apr 2019 12:16:24 +0100 Subject: [PATCH 1/8] Add build instructions for CRTs and keys using P-256 --- tests/data_files/Makefile | 37 ++++++++++++++++++++++++++++++++ tests/data_files/Readme-x509.txt | 5 +++++ 2 files changed, 42 insertions(+) diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 44496911e..2732c3021 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -15,6 +15,7 @@ OPENSSL ?= openssl FAKETIME ?= faketime MBEDTLS_CERT_WRITE ?= $(PWD)/../../programs/x509/cert_write MBEDTLS_CERT_REQ ?= $(PWD)/../../programs/x509/cert_req +MBEDTLS_GEN_KEY ?= $(PWD)/../../programs/pkey/gen_key ## Build the generated test data. Note that since the final outputs ## are committed to the repository, this target should do nothing on a 
@@ -146,6 +147,42 @@ all_final += cli-rsa-sha256.crt.der $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER all_final += cli-rsa.key.der +test-ca3.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +test-ca3.key.der: test-ca3.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +test-ca3.csr: test-ca3.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 +test-ca3.crt.pem: test-ca3.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=test-ca3.csr selfsign=1 issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" is_ca=1 md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +test-ca3.crt.der: test-ca3.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += test-ca3.key.pem test-ca3.key.der test-ca3.csr test-ca3.crt.pem test-ca3.crt.der + +cli3.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +cli3.key.der: cli3.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +cli3.csr: cli3.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=Test CRT2 Secp256r1, O=MbedTLS, C=UK" md=SHA256 +cli3.crt.pem: cli3.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=cli3.csr issuer_name="CN=Test CA Secp256r1, O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +cli3.crt.der: cli3.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += cli3.key.pem cli3.key.der cli3.csr cli3.crt.pem cli3.crt.der + +server11.key.pem: + $(MBEDTLS_GEN_KEY) type=ec ec_curve=secp256r1 format=pem filename=$@ +server11.key.der: server11.key.pem + $(OPENSSL) ec -inform PEM -outform DER -in $< -out $@ +server11.csr: server11.key.der + $(MBEDTLS_CERT_REQ) filename=$< output_file=$@ subject_name="CN=localhost, O=MbedTLS, C=UK" md=SHA256 +server11.crt.pem: server11.csr test-ca3.key.der + $(MBEDTLS_CERT_WRITE) request_file=server11.csr issuer_name="CN=Test CA Secp256r1, 
O=MbedTLS, C=UK" md=SHA256 issuer_key=test-ca3.key.der output_file=$@ +server11.crt.der: server11.crt.pem + $(OPENSSL) x509 -inform PEM -outform DER -in $< -out $@ +all_final += server11.key.pem server11.key.der server11.csr server11.crt.pem server11.crt.der + test_ca_int_rsa1 = test-int-ca.crt server7.csr: server7.key diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt index 6f54ed0c1..388865be5 100644 --- a/tests/data_files/Readme-x509.txt +++ b/tests/data_files/Readme-x509.txt @@ -11,6 +11,8 @@ There are two main CAs for use as trusted roots: - test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA" uses an EC key with NIST P-384 (aka secp384r1) variants used to test the keyUsage extension +- test-ca3.crt aka "CN=TestCASecp256r1, O=MbedTLS, C=UK" + uses an EC key with NIST P-256 (aka secp256r1) The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways. Two intermediate CAs are signed by them: @@ -40,6 +42,7 @@ Short information fields: - name or pattern - issuing CA: 1 -> test-ca.crt 2 -> test-ca2.crt + 3 -> test-ca3.crt I1 -> test-int-ca.crt I2 -> test-int-ca2.crt I3 -> test-int-ca3.crt @@ -57,6 +60,7 @@ List of certificates: - cert_md*.crt, cert_sha*.crt: 1 R: signature hash - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal) - cli2.crt: 2 E: basic +- cli3.crt: 3 E, secp256r1 curve - cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by the RSA test CA. - enco-cert-utf8str.pem: see enco-ca-prstr.pem above @@ -102,6 +106,7 @@ List of certificates: _int3_int-ca2.crt: S10 + I3 + I2 _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1 _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2 + - server11.crt: 3 E, secp256r1 curve Certificate revocation lists ---------------------------- From 585dfc4f56d9e3c2590183fbe0ab06d513a68c90 Mon Sep 17 00:00:00 2001 
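Review bot: The recipes for `cli3.crt.pem` and `server11.crt.pem` call `$(MBEDTLS_CERT_WRITE)` without a `serial=` argument, so both leaf certificates get cert_write's default serial, which the self-signed `test-ca3.crt.pem` also uses (the DER data added later in this series encodes serial 1 in all three). Certificates from one issuer that share a serial cannot be distinguished by a CRL entry, so any revocation test built on this CA would hit both leaves; append `serial=<distinct value>` to each of the two leaf recipes. The three `*.key.pem` rules have no prerequisites and presumably produce a fresh random key on every run of `$(MBEDTLS_GEN_KEY)`, so I would also add a comment such as `## Regenerating a key invalidates every CRT derived from it, including the copies embedded in library/certs.c`.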
From: Hanno Becker Date: Fri, 5 Apr 2019 12:23:12 +0100 Subject: [PATCH 2/8] Add Secp256R1 test keys and CRTs --- tests/data_files/cli3.crt.der | Bin 0 -> 445 bytes tests/data_files/cli3.crt.pem | 12 ++++++++++++ tests/data_files/cli3.csr | 8 ++++++++ tests/data_files/cli3.key.der | Bin 0 -> 121 bytes tests/data_files/cli3.key.pem | 5 +++++ tests/data_files/server11.crt.der | Bin 0 -> 435 bytes tests/data_files/server11.crt.pem | 12 ++++++++++++ tests/data_files/server11.csr | 8 ++++++++ tests/data_files/server11.key.der | Bin 0 -> 121 bytes tests/data_files/server11.key.pem | 5 +++++ tests/data_files/test-ca3.crt.der | Bin 0 -> 445 bytes tests/data_files/test-ca3.crt.pem | 12 ++++++++++++ tests/data_files/test-ca3.csr | 8 ++++++++ tests/data_files/test-ca3.key.der | Bin 0 -> 121 bytes tests/data_files/test-ca3.key.pem | 5 +++++ 15 files changed, 75 insertions(+) create mode 100644 tests/data_files/cli3.crt.der create mode 100644 tests/data_files/cli3.crt.pem create mode 100644 tests/data_files/cli3.csr create mode 100644 tests/data_files/cli3.key.der create mode 100644 tests/data_files/cli3.key.pem create mode 100644 tests/data_files/server11.crt.der create mode 100644 tests/data_files/server11.crt.pem create mode 100644 tests/data_files/server11.csr create mode 100644 tests/data_files/server11.key.der create mode 100644 tests/data_files/server11.key.pem create mode 100644 tests/data_files/test-ca3.crt.der create mode 100644 tests/data_files/test-ca3.crt.pem create mode 100644 tests/data_files/test-ca3.csr create mode 100644 tests/data_files/test-ca3.key.der create mode 100644 tests/data_files/test-ca3.key.pem 
diff --git a/tests/data_files/cli3.crt.der b/tests/data_files/cli3.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..70878cb8cbb2e4c1d7d1962eb143af36b9ab9a65 GIT binary patch literal 445 zcmXqLV%%xa#2B-HnTe5!iILHOhmAw4&EuRc3o{cdgMqc7lz{{rb0`Zlk6=h@afyPn zqe5_Ma)FVlS&^ZkfB_#!j*ExgHz_qG#3$I0+kg`!!Y0fV>TMt=&TC)@h6W%ICC+PX zU}$6vM5dOemQe<_hB5|H5W|Hbh6jZh5pR5?fiN38*sV;AP)9Q}vNJm|un6T(R&P4U ze$IouODdx2M*)0|2gVg9!it literal 0 HcmV?d00001 diff --git a/tests/data_files/cli3.crt.pem b/tests/data_files/cli3.crt.pem new file mode 100644 index 000000000..e823c0a23 --- /dev/null +++ b/tests/data_files/cli3.crt.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAVygAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg +Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w +MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMD0xHDAaBgNVBAMME1Rlc3QgQ1JU +MiBTZWNwMjU2cjExEDAOBgNVBAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYH +KoZIzj0CAQYIKoZIzj0DAQcDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmH +uxPqiZafsAZDl0lqgL6cCigF/ML2EqFyKW+Oext3uAmNkemj6aNNMEswCQYDVR0T +BAIwADAdBgNVHQ4EFgQUF9Yq9UkoSClnXwrdghuhrokH/hIwHwYDVR0jBBgwFoAU +Sl6kYTNLFkgMMXgiNdb7zlDnIBIwDAYIKoZIzj0EAwIFAANJADBGAiEAg3UsTyLd +vCPRG13gbf1R8gb85g4K1VbZ+CKl58HW2VgCIQDXk/8WFrt7vA+m3L1xJxj8iln9 +wMR16i9Fqykw7cqsRw== +-----END CERTIFICATE----- diff --git a/tests/data_files/cli3.csr b/tests/data_files/cli3.csr new file mode 100644 index 000000000..501bc3088 --- /dev/null +++ b/tests/data_files/cli3.csr @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIH6MIGfAgEAMD0xHDAaBgNVBAMME1Rlc3QgQ1JUMiBTZWNwMjU2cjExEDAOBgNV +BAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD +QgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lqgL6cCigF +/ML2EqFyKW+Oext3uAmNkemj6aAAMAwGCCqGSM49BAMCBQADSAAwRQIgPbHQgHvW +f/gN4jV+GHIkQGhI4OAa7d82/dVzxXbYxnACIQCoqAs7agETcK6jp7A36pnKT9Jc +Lck5I3roXwDPXMtzSg== +-----END CERTIFICATE REQUEST----- 
diff --git a/tests/data_files/cli3.key.der b/tests/data_files/cli3.key.der new file mode 100644 index 0000000000000000000000000000000000000000..0a1851e6e1ad89337562d536e39f4d6b2428a193 GIT binary patch literal 121 zcmV-<0EYiCcLD(c1R!BV@RCdfr>N8!&l(KIY3*#Ziq>>Sl)gGW#P1GFE>NHf1_&yK zNX|V20SBQ(13~}<5^s|yg24yQNCq{HaMCDty^GVJnW(na3R#D{6Y7bUpRfi)mq}`X bzMKju1^mMH5}|S_Z;pE#cen|Sk?Eu9JmWI- literal 0 HcmV?d00001 diff --git a/tests/data_files/cli3.key.pem b/tests/data_files/cli3.key.pem new file mode 100644 index 000000000..3d1cd1a82 --- /dev/null +++ b/tests/data_files/cli3.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGFE8JJMBKeo1BnPGgzGae1stIrWdEaUvjo9xO8OTC5QoAoGCCqGSM49 +AwEHoUQDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lq +gL6cCigF/ML2EqFyKW+Oext3uAmNkemj6Q== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server11.crt.der b/tests/data_files/server11.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..e47f10ffe8ff0188c947fc3afba3158de88f81f6 GIT binary patch literal 435 zcmXqLVq9;~#2B=InTe5!iILHOhmAw4&EuRc3o{cdgMqc7lz{{rb0`Zlk6=h@afyPn zqe5_Ma)FVlS&^ZkfB_#!j*ExgHz_qG#3$I0+kg`!!Y0fV>TMt=&TC)@h6W%ICC+PX zU}$6vM5dOemQe=AhC&7c5W_ih@{<#DGV+T{2pJk_Ak4-Nb|DiZ)Tzvj?95IKEXN=D zcKp70?0*8!!^0&@e#%>~om;YW!xn2<(Kk02tSN}?+`<(WcXpau-OQTfQ>=f+u8`ur z9M`bN=jHSs?x@@kXBYb#c!QlUE6l=Vz+fN?beb$5ix`WDa-6N)ZBCc4DNXq*D|crx zt8xC`WFQZcR%Vef5Ni@DWOV_2bNdhPeQfaeNAs3FPh$zb5dq{z_w{$nNY zW{V&`--3nrG{SD*aeTQ!;=$$r4`SD+sc*690V?Tvw0QLg&d$&4P8M%8JHISD6eTPT5a&nANe;0 literal 0 HcmV?d00001 diff --git a/tests/data_files/server11.key.pem b/tests/data_files/server11.key.pem new file mode 100644 index 000000000..ec7587513 --- /dev/null +++ b/tests/data_files/server11.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGEWs7/9cQHgEI5v2qeQRGLoFhjrNK4lul6tmcqDACKuoAoGCCqGSM49 +AwEHoUQDQgAEx+JNiPvRxv9gDOHDdKT5HzutnXSlsLQ7HRXs2aCscF2JtApWXs2W +Jn6ZfMeUO/ldqBoN016AvEzpl4wLWm3wzQ== +-----END EC PRIVATE KEY----- 
diff --git a/tests/data_files/test-ca3.crt.der b/tests/data_files/test-ca3.crt.der new file mode 100644 index 0000000000000000000000000000000000000000..75ba4bc9fd62317c85679942f8db965bf9e864f2 GIT binary patch literal 445 zcmXqLV%%xa#2CAPnTe5!iILHOhmAw4&EuRc3o{cdgMqc7lz{{rb0`Zlk6=h@afyPn zqe5_Ma)FVlS&^ZkfB_#!j*ExgHz_qG#3$I0+kg`!!Y0fV>TMt=&TC)@h6W%ICC+PX zU}$6vM5dOemQj=$9%&%V#twEV6C>2g%#7^JP7EyDJmff*p67qWEt`G$rcv6l_^dsj zx7Hb5^W5S+*>K%K$Jd*agG7(K{w8rZ_s?SS84n-n3+^j@Aw2OP@4Y*Zemfss9AMxF z3_23U?fnLL$fS j&^OzI#KS^X&2Z2zxY3@udwTe!qe|1+^P@^P*1iG&2%CbL literal 0 HcmV?d00001 diff --git a/tests/data_files/test-ca3.crt.pem b/tests/data_files/test-ca3.crt.pem new file mode 100644 index 000000000..66c233522 --- /dev/null +++ b/tests/data_files/test-ca3.crt.pem @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBuTCCAV2gAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg +Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w +MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDsxGjAYBgNVBAMMEVRlc3QgQ0Eg +U2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqG +SM49AgEGCCqGSM49AwEHA0IABLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5Mx +rsFB67NjUhXE6/YY3W38oxeY4eIvEb516BOR/g3e3OL7Q8WjUDBOMAwGA1UdEwQF +MAMBAf8wHQYDVR0OBBYEFEpepGEzSxZIDDF4IjXW+85Q5yASMB8GA1UdIwQYMBaA +FEpepGEzSxZIDDF4IjXW+85Q5yASMAwGCCqGSM49BAMCBQADSAAwRQIhAKejV1jK +vPH1vIsZAr6/VmSvjXkxmT2rpzEP9iJvJAteAiBhCPtV7LdSF1ZUqphAK3DYh2m7 +l1eSxSKXB29adbF96g== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca3.csr b/tests/data_files/test-ca3.csr new file mode 100644 index 000000000..b79b65578 --- /dev/null +++ b/tests/data_files/test-ca3.csr 
@@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIH5MIGdAgEAMDsxGjAYBgNVBAMMEVRlc3QgQ0EgU2VjcDI1NnIxMRAwDgYDVQQK +DAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5MxrsFB67NjUhXE6/YY3W38oxeY +4eIvEb516BOR/g3e3OL7Q8WgADAMBggqhkjOPQQDAgUAA0kAMEYCIQD55eBPVcht +2trIK3YYWKJbGXIoKF0930KQh8eFAcFD8AIhAI2exrMqoNF8JDoUS2m3Vv0ZFYRG +982wT8Ok59LiWCOX +-----END CERTIFICATE REQUEST----- diff --git a/tests/data_files/test-ca3.key.der b/tests/data_files/test-ca3.key.der new file mode 100644 index 0000000000000000000000000000000000000000..f5d2972f42ce70221531bd78d42968c01d5b663c GIT binary patch literal 121 zcmV-<0EYiCcLD(c1RyzIAy72pmv-L2R3;MN(o1?uL{53i;XSifwX7n55Tu|A1_&yK zNX|V20SBQ(13~}$7806~ycI b7~O6BqZgRr;x7@tb?6h3{te#T;`>9zPoFkQ literal 0 HcmV?d00001 diff --git a/tests/data_files/test-ca3.key.pem b/tests/data_files/test-ca3.key.pem new file mode 100644 index 000000000..e67005f00 --- /dev/null +++ b/tests/data_files/test-ca3.key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIDlfIVA04pd23r9UJhLf0kt6SkROecrhPbNWtawigBCkoAoGCCqGSM49 +AwEHoUQDQgAEtkgeCKXPD+ILHWvT2TJmxl9qvPO1fjLWSbRLkzGuwUHrs2NSFcTr +9hjdbfyjF5jh4i8RvnXoE5H+Dd7c4vtDxQ== +-----END EC PRIVATE KEY----- From 4a4047c326d717d30fb0bf9d001ba57c1e20af77 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 24 Apr 2019 15:27:29 +0100 Subject: [PATCH 3/8] Add script to auto-generate certs.c This commit adds the script scripts/generate_certs.sh which parses library/certs.c and inserts certificate and key files for any block of the form /* BEGIN FILE [string|binary] [variable|macro] NAME FILE */ ... /* END FILE */ Here, the first argument string / binary indicates whether the file should be inserted as a string or as a binary array. The second argument indicates whether the resulting object should be registered as a C variable or a macro. This script allows to easily update certs.c in case any of the test certificates from tests/data_files change, or new test certificates / keys need to be added. --- scripts/generate_certs.sh | 66 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100755 scripts/generate_certs.sh diff --git a/scripts/generate_certs.sh b/scripts/generate_certs.sh new file mode 100755 index 000000000..4de4a5324 --- /dev/null +++ b/scripts/generate_certs.sh 
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+if [ -d include/mbedtls ]; then :; else
+ echo "$0: must be run from root" >&2
+ exit 1
+fi
+
+CERTS="library/certs.c"
+CERTS_TMP="${CERTS}.tmp"
+CERTS_NEW="${CERTS}.new"
+
+# Remove bodies of BEGIN FILE ... END FILE blocks
+SED_RM_FILE_BODIES=":o; /BEGIN FILE/!{p;n;bo}; /BEGIN FILE/{p; n; :i; /END FILE/{n; bo}; n; bi}"
+sed -n "${SED_RM_FILE_BODIES}" $CERTS > ${CERTS_TMP}
+while IFS= read -r line; do
+ echo "$line"
+ CMD=`echo "$line" | sed -n 's/^\/\* BEGIN FILE \([^ ]*\) \([^ ]*\) \([^ ]*\) \([^ ]*\)*.*$/\1 \2 \3 \4/p'`
+ if [ -n "$CMD" ]; then
+ enc=$(echo "$CMD" | cut -f1 -d' ' )
+ type=$(echo "$CMD" | cut -f2 -d' ' )
+ name=$(echo "$CMD" | cut -f3 -d' ' )
+ file=$(echo "$CMD" | cut -f4 -d' ' )
+
+ if [ "$type" != "variable" ] && [ "$type" != "macro" ]; then
+ exit 1
+ fi
+
+ if [ "$enc" != "string" ] && [ "$enc" != "binary" ]; then
+ exit 1
+ fi
+
+ # Support 'binary' and 'string' encoding
+ # Support 'variable' and 'macro' types
+
+ if [ "$enc" = "binary" ]; then
+ DATA=`xxd -i "$file" | tail -n +2 | head -n -2 | sed 's/^[ ]*/ /'`
+ elif [ "$enc" = "string" ]; then
+ DATA=`cat "$file" | sed 's/^/ \"/;s/$/\\r\\n\"/'`
+ fi
+
+ if [ "$type" = "variable" ]; then
+ if [ "$enc" = "binary" ]; then
+ echo "const unsigned char ${name}[] = {"
+ xxd -i "$file" | sed 's/^[ ]*/ /' | tail -n +2 | head -n -2
+ echo "};"
+ elif [ "$enc" = "string" ]; then
+ echo "const char ${name}[] ="
+ cat "$file" | head -n -1 | sed 's/^/ \"/;s/$/\\r\\n\"/'
+ cat "$file" | tail -n 1 | sed 's/^/ \"/;s/$/\\r\\n\";/'
+ fi
+ elif [ "$type" = "macro" ]; then
+ if [ "$enc" = "binary" ]; then
+ printf '%-77s\\\n' "#define ${name} {"
+ xxd -i "$file" | sed 's/^[ ]*/ /' | tail -n +2 | head -n -2 |
+ xargs -d'\n' printf '%-77s\\\n'
+ echo "}"
+ elif [ "$enc" = "string" ]; then
+ printf '%-75s\\\n' "#define ${name}"
+ cat "$file" | head -n -1 | sed 's/^/ \"/; s/$/\\r\\n\"/' | xargs -d'\n' printf '%-75s\\\n'
+ cat "$file" | tail -n 1 | sed 's/^/ \"/; s/$/\\r\\n\"/'
+ fi
+ fi
+
+ echo "/* END FILE */"
+ fi
+done < ${CERTS_TMP} > ${CERTS}
From e7124b557d7d6f5807cd24f949ae532073ac462b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Aug 2019 17:42:09 +0100 Subject: [PATCH 4/8] Remove Secp384r1 from baremetal_test config Previously, configs/baremetal_test.h added MBEDTLS_ECP_DP_SECP384R1_ENABLED because we didn't have sufficient test certificates using Secp256r1. Now that these test certificates have been added, we can successfully run ssl_client2 and ssl_server2 with just Secp256r1 enabled. --- configs/baremetal_test.h | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h index 82c0ed17c..b7e36f0f4 100644 --- a/configs/baremetal_test.h +++ b/configs/baremetal_test.h @@ -37,18 +37,6 @@ /* Debug output */ #define MBEDTLS_DEBUG_C -/* We don't have DER-encoded test CRTs yet. */ -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_BASE64_C -/* We don't have Secp256r1 test CRTs at the moment. */ -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED - -/* Correct ECP configuration values */ -#undef MBEDTLS_ECP_MAX_BITS -#undef MBEDTLS_MPI_MAX_SIZE -#define MBEDTLS_ECP_MAX_BITS 384 -#define MBEDTLS_MPI_MAX_SIZE 48 - /* ssl_client2 and ssl_server2 use CTR-DRBG so far. */ #define MBEDTLS_CTR_DRBG_C From ba7082cc43772b386cc1ede3ec34ed87a35a8ee9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 21 Aug 2019 17:34:31 +0100 Subject: [PATCH 5/8] Add prototypes for Secp256r1 test CRTs and keys to certs.c --- library/certs.c | 77 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/library/certs.c b/library/certs.c index b07fd8a3a..bd5026010 100644 --- a/library/certs.c +++ b/library/certs.c
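Review bot: In scripts/generate_certs.sh the loop writes straight into the live file (`done < ${CERTS_TMP} > ${CERTS}`), so either `exit 1` on a malformed directive leaves library/certs.c truncated, and a missing or unreadable `$file` yields an empty certificate or key macro with no error reported. `CERTS_NEW` is assigned but never used; writing to it and renaming only on success closes the first gap: `done < "${CERTS_TMP}" > "${CERTS_NEW}" && mv "${CERTS_NEW}" "${CERTS}"`. For the second, add `[ -r "$file" ] || { echo "$0: cannot read $file" >&2; exit 1; }` before the file is first read. `head -n -2` and `xargs -d` are GNU extensions, so the `#!/bin/sh` script will not run on BSD or macOS userlands; `DATA` is computed and never used, and `${CERTS_TMP}` is never removed.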
@@ -42,6 +42,29 @@ * */ +/* Use CRTs with Secp256r1 curve if enabled. + * Otherwise, fall back to previous EC test + * certificates. */ +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + +/* This is taken from tests/data_files/test-ca3.crt.pem */ +/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca3.crt.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/test-ca3.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca3.crt.der */ +/* END FILE */ + +/* This is taken from tests/data_files/test-ca3.key.pem */ +/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca3.key.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/test-ca3.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca3.key.der */ +/* END FILE */ + +#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + /* This is taken from tests/data_files/test-ca2.crt */ /* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */ #define TEST_CA_CRT_EC_PEM \ @@ -154,6 +177,10 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + +#define TEST_CA_PWD_EC_PEM "PolarSSLTest" + /* This is taken from tests/data_files/test-ca-sha256.crt. */ /* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */ #define TEST_CA_CRT_RSA_SHA256_PEM \ 
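Review bot: The `#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)` branch added at -42 contains only `BEGIN FILE`/`END FILE` comment pairs, so at this commit `TEST_CA_CRT_EC_PEM`, `TEST_CA_CRT_EC_DER`, `TEST_CA_KEY_EC_PEM` and `TEST_CA_KEY_EC_DER` are undefined whenever P-256 is enabled, and any use of them further down certs.c would presumably fail to compile. The same holds for the `TEST_SRV_*_EC_*` hunk at -513 and the `TEST_CLI_*_EC_*` hunk at -962. The macro bodies only arrive in PATCH 6/8, so squashing the two commits, or running the generator as part of this one, would keep every commit in the series buildable for bisection. The `#else` branch opened here is closed outside this hunk.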
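Review bot: `#define TEST_CA_PWD_EC_PEM "PolarSSLTest"` in the hunk at -154 sits after the `#endif`, so it is defined for both branches, yet the `test-ca3.key.pem` added in PATCH 2/8 is a plain `-----BEGIN EC PRIVATE KEY-----` block with no encryption header. A reader will take the define to mean that the P-256 CA key is password-protected when it is not. I would add a comment directly above it: `/* Only meaningful for the fallback CA key in the #else branch; the Secp256r1 CA key (test-ca3.key.pem) is not encrypted. */`.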
@@ -513,6 +540,29 @@ * - multiple EC curve types */ +/* Use CRTs with Secp256r1 curve if enabled. + * Otherwise, fall back to previous EC test + * certificates. */ +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + +/* This is taken from tests/data_files/server11.crt.pem. */ +/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server11.crt.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/server11.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server11.crt.der */ +/* END FILE */ + +/* This is taken from tests/data_files/server11.key.pem. */ +/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server11.key.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/server11.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server11.key.der */ +/* END FILE */ + +#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + /* This is taken from tests/data_files/server5.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */ #define TEST_SRV_CRT_EC_PEM \ @@ -611,6 +661,8 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + /* This is taken from tests/data_files/server2-sha256.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */ #define TEST_SRV_CRT_RSA_SHA256_PEM \ 
@@ -962,6 +1014,29 @@ * - multiple EC curve types */ +/* Use CRTs with Secp256r1 curve if enabled. + * Otherwise, fall back to previous EC test + * certificates. */ +#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) + +/* This is taken from tests/data_files/cli3.crt. */ +/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli3.crt.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/cli3.crt.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli3.crt.der */ +/* END FILE */ + +/* This is taken from tests/data_files/cli3.key.pem. */ +/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli3.key.pem */ +/* END FILE */ + +/* This is generated from tests/data_files/cli3.key.der using `xxd -i`. */ +/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli3.key.der */ +/* END FILE */ + +#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + /* This is taken from tests/data_files/cli2.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */ #define TEST_CLI_CRT_EC_PEM \ @@ -1061,6 +1136,8 @@ } /* END FILE */ +#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ + /* This is taken from tests/data_files/cli-rsa-sha256.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */ #define TEST_CLI_CRT_RSA_PEM \ From 75bc82702f6dbf98aec9e39f08c6bdea826f8d26 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 23 Aug 2019 11:26:35 +0100 Subject: [PATCH 6/8] Load raw certificate and key data from files to certs.c --- library/certs.c | 215 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 215 insertions(+) diff --git a/library/certs.c b/library/certs.c index bd5026010..edf7e5a7b 100644 --- a/library/certs.c +++ b/library/certs.c 
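Review bot: The first comment of the new branch at -962 says `This is taken from tests/data_files/cli3.crt.`, but the `BEGIN FILE` directive on the next line, which is what scripts/generate_certs.sh actually reads, names `tests/data_files/cli3.crt.pem`, and PATCH 2/8 adds no file called cli3.crt. The comment should read `/* This is taken from tests/data_files/cli3.crt.pem. */`, which also matches the wording of the CA and server blocks.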
@@ -49,18 +49,90 @@ /* This is taken from tests/data_files/test-ca3.crt.pem */ /* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca3.crt.pem */ +#define TEST_CA_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBuTCCAV2gAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDsxGjAYBgNVBAMMEVRlc3QgQ0Eg\r\n" \ + "U2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzBZMBMGByqG\r\n" \ + "SM49AgEGCCqGSM49AwEHA0IABLZIHgilzw/iCx1r09kyZsZfarzztX4y1km0S5Mx\r\n" \ + "rsFB67NjUhXE6/YY3W38oxeY4eIvEb516BOR/g3e3OL7Q8WjUDBOMAwGA1UdEwQF\r\n" \ + "MAMBAf8wHQYDVR0OBBYEFEpepGEzSxZIDDF4IjXW+85Q5yASMB8GA1UdIwQYMBaA\r\n" \ + "FEpepGEzSxZIDDF4IjXW+85Q5yASMAwGCCqGSM49BAMCBQADSAAwRQIhAKejV1jK\r\n" \ + "vPH1vIsZAr6/VmSvjXkxmT2rpzEP9iJvJAteAiBhCPtV7LdSF1ZUqphAK3DYh2m7\r\n" \ + "l1eSxSKXB29adbF96g==\r\n" \ + "-----END CERTIFICATE-----\r\n" /* END FILE */ /* This is generated from tests/data_files/test-ca3.crt.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca3.crt.der */ +#define TEST_CA_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xb9, 0x30, 0x82, 0x01, 0x5d, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x20, \ + 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, 0x31, 0x10, 0x30, \ + 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, 0x62, 0x65, 0x64, \ + 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, \ + 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, \ + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xb6, 0x48, 0x1e, 0x08, 0xa5, \ + 0xcf, 0x0f, 0xe2, 0x0b, 0x1d, 0x6b, 0xd3, 0xd9, 0x32, 0x66, 0xc6, 0x5f, \ + 0x6a, 0xbc, 0xf3, 0xb5, 0x7e, 0x32, 0xd6, 0x49, 0xb4, 0x4b, 0x93, 0x31, \ + 0xae, 0xc1, 0x41, 0xeb, 0xb3, 0x63, 0x52, 0x15, 0xc4, 0xeb, 0xf6, 0x18, \ + 0xdd, 0x6d, 0xfc, 0xa3, 0x17, 0x98, 0xe1, 0xe2, 0x2f, 0x11, 0xbe, 0x75, \ + 0xe8, 0x13, 0x91, 0xfe, 0x0d, 0xde, 0xdc, 0xe2, 0xfb, 0x43, 0xc5, 0xa3, \ + 0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, \ + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 
0x55, 0x1d, 0x0e, \ + 0x04, 0x16, 0x04, 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, \ + 0x0c, 0x31, 0x78, 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, \ + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, \ + 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, 0x78, \ + 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, 0x06, \ + 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, \ + 0x48, 0x00, 0x30, 0x45, 0x02, 0x21, 0x00, 0xa7, 0xa3, 0x57, 0x58, 0xca, \ + 0xbc, 0xf1, 0xf5, 0xbc, 0x8b, 0x19, 0x02, 0xbe, 0xbf, 0x56, 0x64, 0xaf, \ + 0x8d, 0x79, 0x31, 0x99, 0x3d, 0xab, 0xa7, 0x31, 0x0f, 0xf6, 0x22, 0x6f, \ + 0x24, 0x0b, 0x5e, 0x02, 0x20, 0x61, 0x08, 0xfb, 0x55, 0xec, 0xb7, 0x52, \ + 0x17, 0x56, 0x54, 0xaa, 0x98, 0x40, 0x2b, 0x70, 0xd8, 0x87, 0x69, 0xbb, \ + 0x97, 0x57, 0x92, 0xc5, 0x22, 0x97, 0x07, 0x6f, 0x5a, 0x75, 0xb1, 0x7d, \ + 0xea \ +} /* END FILE */ /* This is taken from tests/data_files/test-ca3.key.pem */ /* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca3.key.pem */ +#define TEST_CA_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIDlfIVA04pd23r9UJhLf0kt6SkROecrhPbNWtawigBCkoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEtkgeCKXPD+ILHWvT2TJmxl9qvPO1fjLWSbRLkzGuwUHrs2NSFcTr\r\n" \ + "9hjdbfyjF5jh4i8RvnXoE5H+Dd7c4vtDxQ==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" /* END FILE */ /* This is generated from tests/data_files/test-ca3.key.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca3.key.der */ +#define TEST_CA_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x39, 0x5f, 0x21, 0x50, 0x34, \ + 0xe2, 0x97, 0x76, 0xde, 0xbf, 0x54, 0x26, 0x12, 0xdf, 0xd2, 0x4b, 0x7a, \ + 0x4a, 0x44, 0x4e, 0x79, 0xca, 0xe1, 0x3d, 0xb3, 0x56, 0xb5, 0xac, 0x22, \ + 0x80, 0x10, 0xa4, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xb6, 0x48, 0x1e, \ + 0x08, 0xa5, 0xcf, 0x0f, 0xe2, 0x0b, 0x1d, 0x6b, 0xd3, 0xd9, 0x32, 0x66, \ + 0xc6, 0x5f, 0x6a, 0xbc, 0xf3, 0xb5, 0x7e, 0x32, 0xd6, 0x49, 0xb4, 0x4b, \ + 0x93, 0x31, 0xae, 0xc1, 0x41, 0xeb, 0xb3, 0x63, 0x52, 0x15, 0xc4, 0xeb, \ + 0xf6, 0x18, 0xdd, 0x6d, 0xfc, 0xa3, 0x17, 0x98, 0xe1, 0xe2, 0x2f, 0x11, \ + 0xbe, 0x75, 0xe8, 0x13, 0x91, 0xfe, 0x0d, 0xde, 0xdc, 0xe2, 0xfb, 0x43, \ + 0xc5 \ +} /* END FILE */ #else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 
@@ -547,18 +619,89 @@ /* This is taken from tests/data_files/server11.crt.pem. */ /* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server11.crt.pem */ +#define TEST_SRV_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBrzCCAVKgAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMDMxEjAQBgNVBAMMCWxvY2FsaG9z\r\n" \ + "dDEQMA4GA1UECgwHTWJlZFRMUzELMAkGA1UEBhMCVUswWTATBgcqhkjOPQIBBggq\r\n" \ + "hkjOPQMBBwNCAATH4k2I+9HG/2AM4cN0pPkfO62ddKWwtDsdFezZoKxwXYm0ClZe\r\n" \ + "zZYmfpl8x5Q7+V2oGg3TXoC8TOmXjAtabfDNo00wSzAJBgNVHRMEAjAAMB0GA1Ud\r\n" \ + "DgQWBBQjXj0e2wlEVpSCbySpu2oDJgn7sjAfBgNVHSMEGDAWgBRKXqRhM0sWSAwx\r\n" \ + "eCI11vvOUOcgEjAMBggqhkjOPQQDAgUAA0kAMEYCIQCN7/F5DbM4Ug5NcKHeKFbb\r\n" \ + "3EHpsBjg0//gXa9mJ7Q4jAIhAIzio6vwCYnzrslzsTbPpmtU+6Op6SlzdGO/iR77\r\n" \ + "bcfp\r\n" \ + "-----END CERTIFICATE-----\r\n" /* END FILE */ /* This is generated from tests/data_files/server11.crt.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server11.crt.der */ +#define TEST_SRV_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xaf, 0x30, 0x82, 0x01, 0x52, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x33, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, \ + 0x74, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, \ + 0x4d, 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, \ + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, \ + 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, \ + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xc7, \ + 0xe2, 0x4d, 0x88, 0xfb, 0xd1, 0xc6, 0xff, 0x60, 0x0c, 0xe1, 0xc3, 0x74, \ + 0xa4, 0xf9, 0x1f, 0x3b, 0xad, 0x9d, 0x74, 0xa5, 0xb0, 0xb4, 0x3b, 0x1d, \ + 0x15, 0xec, 0xd9, 0xa0, 0xac, 0x70, 0x5d, 0x89, 0xb4, 0x0a, 0x56, 0x5e, \ + 0xcd, 0x96, 0x26, 0x7e, 0x99, 0x7c, 0xc7, 0x94, 0x3b, 0xf9, 0x5d, 0xa8, \ + 0x1a, 0x0d, 0xd3, 0x5e, 0x80, 0xbc, 0x4c, 0xe9, 0x97, 0x8c, 0x0b, 0x5a, \ + 0x6d, 0xf0, 0xcd, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, \ + 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, \ + 0x0e, 0x04, 0x16, 0x04, 0x14, 0x23, 0x5e, 0x3d, 0x1e, 
0xdb, 0x09, 0x44, \ + 0x56, 0x94, 0x82, 0x6f, 0x24, 0xa9, 0xbb, 0x6a, 0x03, 0x26, 0x09, 0xfb, \ + 0xb2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, \ + 0x80, 0x14, 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, \ + 0x78, 0x22, 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, \ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, \ + 0x03, 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x8d, 0xef, 0xf1, 0x79, \ + 0x0d, 0xb3, 0x38, 0x52, 0x0e, 0x4d, 0x70, 0xa1, 0xde, 0x28, 0x56, 0xdb, \ + 0xdc, 0x41, 0xe9, 0xb0, 0x18, 0xe0, 0xd3, 0xff, 0xe0, 0x5d, 0xaf, 0x66, \ + 0x27, 0xb4, 0x38, 0x8c, 0x02, 0x21, 0x00, 0x8c, 0xe2, 0xa3, 0xab, 0xf0, \ + 0x09, 0x89, 0xf3, 0xae, 0xc9, 0x73, 0xb1, 0x36, 0xcf, 0xa6, 0x6b, 0x54, \ + 0xfb, 0xa3, 0xa9, 0xe9, 0x29, 0x73, 0x74, 0x63, 0xbf, 0x89, 0x1e, 0xfb, \ + 0x6d, 0xc7, 0xe9 \ +} /* END FILE */ /* This is taken from tests/data_files/server11.key.pem. */ /* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server11.key.pem */ +#define TEST_SRV_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIGEWs7/9cQHgEI5v2qeQRGLoFhjrNK4lul6tmcqDACKuoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEx+JNiPvRxv9gDOHDdKT5HzutnXSlsLQ7HRXs2aCscF2JtApWXs2W\r\n" \ + "Jn6ZfMeUO/ldqBoN016AvEzpl4wLWm3wzQ==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" /* END FILE */ /* This is generated from tests/data_files/server11.key.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server11.key.der */ +#define TEST_SRV_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x61, 0x16, 0xb3, 0xbf, 0xfd, \ + 0x71, 0x01, 0xe0, 0x10, 0x8e, 0x6f, 0xda, 0xa7, 0x90, 0x44, 0x62, 0xe8, \ + 0x16, 0x18, 0xeb, 0x34, 0xae, 0x25, 0xba, 0x5e, 0xad, 0x99, 0xca, 0x83, \ + 0x00, 0x22, 0xae, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xc7, 0xe2, 0x4d, \ + 0x88, 0xfb, 0xd1, 0xc6, 0xff, 0x60, 0x0c, 0xe1, 0xc3, 0x74, 0xa4, 0xf9, \ + 0x1f, 0x3b, 0xad, 0x9d, 0x74, 0xa5, 0xb0, 0xb4, 0x3b, 0x1d, 0x15, 0xec, \ + 0xd9, 0xa0, 0xac, 0x70, 0x5d, 0x89, 0xb4, 0x0a, 0x56, 0x5e, 0xcd, 0x96, \ + 0x26, 0x7e, 0x99, 0x7c, 0xc7, 0x94, 0x3b, 0xf9, 0x5d, 0xa8, 0x1a, 0x0d, \ + 0xd3, 0x5e, 0x80, 0xbc, 0x4c, 0xe9, 0x97, 0x8c, 0x0b, 0x5a, 0x6d, 0xf0, \ + 0xcd \ +} /* END FILE */ #else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 
@@ -1021,18 +1164,90 @@ /* This is taken from tests/data_files/cli3.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli3.crt.pem */ +#define TEST_CLI_CRT_EC_PEM \ + "-----BEGIN CERTIFICATE-----\r\n" \ + "MIIBuTCCAVygAwIBAgIBATAMBggqhkjOPQQDAgUAMDsxGjAYBgNVBAMMEVRlc3Qg\r\n" \ + "Q0EgU2VjcDI1NnIxMRAwDgYDVQQKDAdNYmVkVExTMQswCQYDVQQGEwJVSzAeFw0w\r\n" \ + "MTAxMDEwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMD0xHDAaBgNVBAMME1Rlc3QgQ1JU\r\n" \ + "MiBTZWNwMjU2cjExEDAOBgNVBAoMB01iZWRUTFMxCzAJBgNVBAYTAlVLMFkwEwYH\r\n" \ + "KoZIzj0CAQYIKoZIzj0DAQcDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmH\r\n" \ + "uxPqiZafsAZDl0lqgL6cCigF/ML2EqFyKW+Oext3uAmNkemj6aNNMEswCQYDVR0T\r\n" \ + "BAIwADAdBgNVHQ4EFgQUF9Yq9UkoSClnXwrdghuhrokH/hIwHwYDVR0jBBgwFoAU\r\n" \ + "Sl6kYTNLFkgMMXgiNdb7zlDnIBIwDAYIKoZIzj0EAwIFAANJADBGAiEAg3UsTyLd\r\n" \ + "vCPRG13gbf1R8gb85g4K1VbZ+CKl58HW2VgCIQDXk/8WFrt7vA+m3L1xJxj8iln9\r\n" \ + "wMR16i9Fqykw7cqsRw==\r\n" \ + "-----END CERTIFICATE-----\r\n" /* END FILE */ /* This is generated from tests/data_files/cli3.crt.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli3.crt.der */ +#define TEST_CLI_CRT_EC_DER { \ + 0x30, 0x82, 0x01, 0xb9, 0x30, 0x82, 0x01, 0x5c, 0xa0, 0x03, 0x02, 0x01, \ + 0x02, 0x02, 0x01, 0x01, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, \ + 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x1a, 0x30, 0x18, \ + 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x54, 0x65, 0x73, 0x74, 0x20, \ + 0x43, 0x41, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, \ + 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, \ + 0x62, 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, \ + 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x1e, 0x17, 0x0d, 0x30, \ + 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, \ + 0x17, 0x0d, 0x33, 0x30, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, \ + 0x35, 0x39, 0x5a, 0x30, 0x3d, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, \ + 0x04, 0x03, 0x0c, 0x13, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x52, 0x54, \ + 0x32, 0x20, 0x53, 0x65, 0x63, 0x70, 0x32, 0x35, 0x36, 0x72, 0x31, 0x31, \ + 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x4d, 0x62, \ + 0x65, 0x64, 0x54, 0x4c, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, \ + 0x04, 0x06, 0x13, 0x02, 0x55, 0x4b, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, \ + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, \ + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x12, 0x6f, 0x93, \ + 0x27, 0x82, 0xc1, 0x07, 0xce, 0x48, 0x06, 0x35, 0x8d, 0x70, 0xd2, 0x28, \ + 0x76, 0xbd, 0x8b, 0xd3, 0xa0, 0x99, 0xa8, 0xb6, 0xd5, 0x0a, 0x59, 0x87, \ + 0xbb, 0x13, 0xea, 0x89, 0x96, 0x9f, 0xb0, 0x06, 0x43, 0x97, 0x49, 0x6a, \ + 0x80, 0xbe, 0x9c, 0x0a, 0x28, 0x05, 0xfc, 0xc2, 0xf6, 0x12, 0xa1, 0x72, \ + 0x29, 0x6f, 0x8e, 0x7b, 0x1b, 0x77, 0xb8, 0x09, 0x8d, 0x91, 0xe9, 0xa3, \ + 0xe9, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, \ + 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 
0x1d, 0x0e, 0x04, \ + 0x16, 0x04, 0x14, 0x17, 0xd6, 0x2a, 0xf5, 0x49, 0x28, 0x48, 0x29, 0x67, \ + 0x5f, 0x0a, 0xdd, 0x82, 0x1b, 0xa1, 0xae, 0x89, 0x07, 0xfe, 0x12, 0x30, \ + 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, \ + 0x4a, 0x5e, 0xa4, 0x61, 0x33, 0x4b, 0x16, 0x48, 0x0c, 0x31, 0x78, 0x22, \ + 0x35, 0xd6, 0xfb, 0xce, 0x50, 0xe7, 0x20, 0x12, 0x30, 0x0c, 0x06, 0x08, \ + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x49, \ + 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x83, 0x75, 0x2c, 0x4f, 0x22, 0xdd, \ + 0xbc, 0x23, 0xd1, 0x1b, 0x5d, 0xe0, 0x6d, 0xfd, 0x51, 0xf2, 0x06, 0xfc, \ + 0xe6, 0x0e, 0x0a, 0xd5, 0x56, 0xd9, 0xf8, 0x22, 0xa5, 0xe7, 0xc1, 0xd6, \ + 0xd9, 0x58, 0x02, 0x21, 0x00, 0xd7, 0x93, 0xff, 0x16, 0x16, 0xbb, 0x7b, \ + 0xbc, 0x0f, 0xa6, 0xdc, 0xbd, 0x71, 0x27, 0x18, 0xfc, 0x8a, 0x59, 0xfd, \ + 0xc0, 0xc4, 0x75, 0xea, 0x2f, 0x45, 0xab, 0x29, 0x30, 0xed, 0xca, 0xac, \ + 0x47 \ +} /* END FILE */ /* This is taken from tests/data_files/cli3.key.pem. */ /* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli3.key.pem */ +#define TEST_CLI_KEY_EC_PEM \ + "-----BEGIN EC PRIVATE KEY-----\r\n" \ + "MHcCAQEEIGFE8JJMBKeo1BnPGgzGae1stIrWdEaUvjo9xO8OTC5QoAoGCCqGSM49\r\n" \ + "AwEHoUQDQgAEEm+TJ4LBB85IBjWNcNIodr2L06CZqLbVClmHuxPqiZafsAZDl0lq\r\n" \ + "gL6cCigF/ML2EqFyKW+Oext3uAmNkemj6Q==\r\n" \ + "-----END EC PRIVATE KEY-----\r\n" /* END FILE */ /* This is generated from tests/data_files/cli3.key.der using `xxd -i`. 
*/ /* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli3.key.der */ +#define TEST_CLI_KEY_EC_DER { \ + 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x61, 0x44, 0xf0, 0x92, 0x4c, \ + 0x04, 0xa7, 0xa8, 0xd4, 0x19, 0xcf, 0x1a, 0x0c, 0xc6, 0x69, 0xed, 0x6c, \ + 0xb4, 0x8a, 0xd6, 0x74, 0x46, 0x94, 0xbe, 0x3a, 0x3d, 0xc4, 0xef, 0x0e, \ + 0x4c, 0x2e, 0x50, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, \ + 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x12, 0x6f, 0x93, \ + 0x27, 0x82, 0xc1, 0x07, 0xce, 0x48, 0x06, 0x35, 0x8d, 0x70, 0xd2, 0x28, \ + 0x76, 0xbd, 0x8b, 0xd3, 0xa0, 0x99, 0xa8, 0xb6, 0xd5, 0x0a, 0x59, 0x87, \ + 0xbb, 0x13, 0xea, 0x89, 0x96, 0x9f, 0xb0, 0x06, 0x43, 0x97, 0x49, 0x6a, \ + 0x80, 0xbe, 0x9c, 0x0a, 0x28, 0x05, 0xfc, 0xc2, 0xf6, 0x12, 0xa1, 0x72, \ + 0x29, 0x6f, 0x8e, 0x7b, 0x1b, 0x77, 0xb8, 0x09, 0x8d, 0x91, 0xe9, 0xa3, \ + 0xe9 \ +} /* END FILE */ #else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ From 843f5bb06cb921bf104e23533242ef5f374dbe13 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Fri, 23 Aug 2019 17:17:09 +0100 Subject: [PATCH 7/8] ssl-opt.sh: Configure trusted CA explicitly ssl_client2 and ssl_server2 either allow loading specific CRTs and CAs from files, or to leave them unspecified, in which case they're automatically picked from the test certificates. The test certificates should be chosen in a way that when not specifying any CRT or CA parameters, the automatically chosen ones match - but if one of them is specified but not the other, one should not expect tests to succeed. With the recent switch to Secp256r1-based test certificates, the default test certificates have changed, which breaks some ssl-opt.sh tests which specify the server CRT explicitly but not the client trusted CAs. This commit fixes this by specifying the client's trusted CA explicitly in accordance with the explicitly specified server CRT. --- tests/ssl-opt.sh | 214 +++++++++++++++++++++++++++++++---------------- 1 file changed, 142 insertions(+), 72 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5ad73d693..3fd1f3973 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1139,14 +1139,14 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ "$G_SRV"\ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 # Tests for SHA-1 support 
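Review bot: Nothing at these two call sites says why `test-ca2.crt` is the right trust anchor; that depends on which certificate `$G_SRV` is configured to present, and its definition is outside this hunk. A short comment above the pair would keep the coupling visible, e.g. `# $G_SRV presents a certificate issued by test-ca2 (see its definition); pin the matching CA.` The wording assumes that is what `$G_SRV` does, so confirm it against the definition. The same literal recurs in most later hunks; a single shell variable defined next to `$P_CLI` would turn the next change of test CA into a one-line edit instead of another sweep like this one.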
@@ -2187,7 +2187,7 @@ run_test "Fallback SCSV: enabled, max version" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: default, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=0 ca_file=data_files/test-ca2.crt" \ 0 \ -C "adding FALLBACK_SCSV" \ -C "is a fatal alert message (msg 86)" @@ -2195,7 +2195,7 @@ run_test "Fallback SCSV: default, openssl server" \ requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ + "$P_CLI debug_level=3 force_version=tls1_1 fallback=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "adding FALLBACK_SCSV" \ -c "is a fatal alert message (msg 86)" @@ -2426,7 +2426,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ @@ -2517,7 +2517,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_enabled MBEDTLS_SSL_SESSION_TICKETS run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding session ticket extension" \ -c "found session_ticket extension" \ 
@@ -2658,7 +2658,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache: openssl server" \ "$O_SRV" \ - "$P_CLI debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2784,7 +2784,7 @@ requires_config_disabled MBEDTLS_SSL_NO_SESSION_RESUMPTION requires_config_disabled MBEDTLS_SSL_NO_SESSION_CACHE run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found session_ticket extension" \ -C "parse new session ticket" \ @@ -2893,7 +2893,7 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ "$G_SRV" \ - "$P_CLI debug_level=3 max_frag_len=4096" \ + "$P_CLI debug_level=3 max_frag_len=4096 ca_file=data_files/test-ca2.crt" \ 0 \ -c "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ @@ -3235,7 +3235,7 @@ run_test "Renegotiation: nbio, server-initiated" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ 
@@ -3248,7 +3248,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3261,7 +3261,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "client hello, adding renegotiation extension" \ -C "found renegotiation extension" \ @@ -3274,7 +3274,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=0" \ 1 \ -c "client hello, adding renegotiation extension" \ @@ -3288,7 +3288,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ + "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt \ allow_legacy=1" \ 0 \ -c "client hello, adding renegotiation extension" \ 
@@ -3345,7 +3345,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ - "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "client hello, adding renegotiation extension" \ -c "found renegotiation extension" \ @@ -3359,7 +3359,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ requires_gnutls run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found renegotiation extension" \ -C "error" \ @@ -3368,7 +3368,7 @@ run_test "Renego ext: gnutls server strict, client default" \ requires_gnutls run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ - "$P_CLI debug_level=3" \ + "$P_CLI debug_level=3 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found renegotiation extension" \ -C "error" \ @@ -3385,7 +3385,7 @@ run_test "Renego ext: gnutls server unsafe, client break legacy" \ requires_gnutls run_test "Renego ext: gnutls client strict, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION localhost" \ 0 \ -s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ 
@@ -3393,7 +3393,7 @@ run_test "Renego ext: gnutls client strict, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server default" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3401,7 +3401,7 @@ run_test "Renego ext: gnutls client unsafe, server default" \ requires_gnutls run_test "Renego ext: gnutls client unsafe, server break legacy" \ - "$P_SRV debug_level=3 allow_legacy=-1" \ + "$P_SRV debug_level=3 allow_legacy=-1 crt_file=data_files/server5.crt key_file=data_files/server5.key" \ "$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION localhost" \ 1 \ -S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \ @@ -3550,7 +3550,7 @@ run_test "Authentication: server badcert, client none" \ -C "X509 - Certificate verification failed" run_test "Authentication: client SHA256, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \ @@ -3558,7 +3558,7 @@ run_test "Authentication: client SHA256, server required" \ -c "Supported Signature Algorithm found: 5," run_test "Authentication: client SHA384, server required" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI debug_level=3 crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" \ 
@@ -3692,7 +3692,7 @@ run_test "Authentication: client no cert, server optional" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Authentication: openssl client no cert, server optional" \ - "$P_SRV debug_level=3 auth_mode=optional" \ + "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ 0 \ -S "skip write certificate request" \ @@ -3703,7 +3703,7 @@ run_test "Authentication: openssl client no cert, server optional" \ run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 0 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3713,7 +3713,7 @@ run_test "Authentication: client no cert, openssl server optional" \ run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10" \ - "$P_CLI debug_level=3 crt_file=none key_file=none" \ + "$P_CLI debug_level=3 crt_file=none key_file=none ca_file=data_files/test-ca2.crt" \ 1 \ -C "skip parse certificate request" \ -c "got a certificate request" \ @@ -3827,14 +3827,14 @@ run_test "Authentication: client max_int chain, server required" \ # Tests for CA list in CertificateRequest messages run_test "Authentication: send CA list in CertificateRequest (default)" \ - "$P_SRV debug_level=3 auth_mode=required" \ + "$P_SRV debug_level=3 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ -s "requested DN" run_test "Authentication: do not send CA list in CertificateRequest" \ - "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ + "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0 ca_file=data_files/test-ca2.crt" \ "$P_CLI crt_file=data_files/server6.crt \ key_file=data_files/server6.key" \ 0 \ 
@@ -3861,7 +3861,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_2" \ + "$P_CLI force_version=tls1_2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" @@ -3872,7 +3872,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3883,7 +3883,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ key_file=data_files/server5.key \ crt_file2=data_files/server5-sha1.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1" \ + "$P_CLI force_version=tls1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "signed using.*ECDSA with SHA256" \ -c "signed using.*ECDSA with SHA1" @@ -3894,7 +3894,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ key_file=data_files/server5.key \ crt_file2=data_files/server6.crt \ key_file2=data_files/server6.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*09" \ -c "signed using.*ECDSA with SHA256" \ @@ -3906,7 +3906,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ key_file=data_files/server6.key \ crt_file2=data_files/server5.crt \ key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ + "$P_CLI force_version=tls1_1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "serial number.*0A" \ -c "signed using.*ECDSA with SHA256" \ 
@@ -3918,7 +3918,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -3929,7 +3929,7 @@ run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost" \ + "$P_CLI server_name=localhost ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4060,7 +4060,7 @@ requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca2.crt" \ 0 \ -S "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=Polarssl Test EC CA" \ @@ -4071,7 +4071,7 @@ run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=localhost dtls=1" \ + "$P_CLI server_name=localhost dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ 
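Review bot: The TLS `SNI: matching cert 2` test is not touched by any hunk (the hunks jump from 3929 to 4060), while its DTLS twin in the 4082 hunk gains `ca_file=data_files/test-ca.crt`. If the TLS test still runs `$P_CLI server_name=polarssl.example` with the built-in CAs, the TLS and DTLS variants now validate against different trust stores and only one of them is independent of the default test certificates. Assuming it mirrors the DTLS test, give it the same client line: `"$P_CLI server_name=polarssl.example ca_file=data_files/test-ca.crt" \`.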
@@ -4082,7 +4082,7 @@ run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ - "$P_CLI server_name=polarssl.example dtls=1" \ + "$P_CLI server_name=polarssl.example dtls=1 ca_file=data_files/test-ca.crt" \ 0 \ -s "parse ServerName extension" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ @@ -4552,7 +4552,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ds.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" @@ -4560,14 +4560,14 @@ run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ run_test "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 \ -c "Ciphersuite is TLS-ECDH-" run_test "keyUsage srv: ECDSA, keyEncipherment -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ke.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 \ -C "Ciphersuite is " 
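Review bot: `keyUsage srv: ECDSA, keyEncipherment -> fail` in the 4560 hunk expects exit code 1 and checks only `-C "Ciphersuite is "`, which a client that simply does not trust the server's CA would satisfy too. Pinning `ca_file` removes that cause for now, but the test still cannot tell a key-usage rejection from a trust failure, so a later change of default certificates could make it pass for the wrong reason without anyone noticing. Adding `-C "X509 - Certificate verification failed"` would separate the two cases, assuming the client prints that message on a verification error; the pattern is already used in the authentication tests. The same gap exists in `extKeyUsage srv: codeSign -> fail` in the 4706 hunk, which asserts the exit code alone.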
@@ -4706,25 +4706,25 @@ run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ run_test "extKeyUsage srv: serverAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: serverAuth,clientAuth -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-srv.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign,anyEKU -> OK" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cs_any.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 0 run_test "extKeyUsage srv: codeSign -> fail" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.eku-cli.crt" \ - "$P_CLI" \ + "$P_CLI ca_file=data_files/test-ca2.crt" \ 1 # Tests for extendedKeyUsage, part 2: client-side checking of server cert @@ -4732,7 +4732,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4741,7 +4741,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ 
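Review bot: Two server-side extKeyUsage tests in the 4706 hunk load certificates that do not match their names, on context lines this commit leaves as they were. `extKeyUsage srv: serverAuth,clientAuth -> OK` uses `server5.eku-srv.crt`, the same file as the test before it, and `extKeyUsage srv: codeSign -> fail` uses `server5.eku-cli.crt`. The client-side tests in the following hunks use `server5.eku-srv_cli.crt` and `server5.eku-cs.crt` for the same cases. If those file names reflect their contents, the combined-EKU and codeSign paths are not exercised on the server side; the lines would become `crt_file=data_files/server5.eku-srv_cli.crt" \` and `crt_file=data_files/server5.eku-cs.crt" \`. Since this commit already edits each of these tests, it is a convenient place to fix or at least comment on the mismatch.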
@@ -4750,7 +4750,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 0 \ -C "bad certificate (usage extensions)" \ -C "Processing of the Certificate handshake message failed" \ @@ -4759,7 +4759,7 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ - "$P_CLI debug_level=1" \ + "$P_CLI debug_level=1 ca_file=data_files/test-ca2.crt" \ 1 \ -c "bad certificate (usage extensions)" \ -c "Processing of the Certificate handshake message failed" \ @@ -4800,7 +4800,7 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -S "Processing of the Certificate handshake message failed" run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ - "$P_SRV debug_level=1 auth_mode=required" \ + "$P_SRV debug_level=1 auth_mode=required ca_file=data_files/test-ca2.crt" \ "$O_CLI -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ 1 \ @@ -6166,7 +6166,7 @@ run_test "Large server packet TLS 1.2 AEAD shorter tag" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, default" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1" \ 
@@ -6178,7 +6178,7 @@ run_test "EC restart: TLS, default" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=0" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=0" \ @@ -6190,7 +6190,7 @@ run_test "EC restart: TLS, max_ops=0" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=65535" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=65535" \ @@ -6202,7 +6202,7 @@ run_test "EC restart: TLS, max_ops=65535" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000" \ - "$P_SRV auth_mode=required" \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000" \ @@ -6215,11 +6215,11 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "EC restart: TLS, max_ops=1000, badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt \ + key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000" \ 1 \ -c "x509_verify_cert.*4b00" \ 
@@ -6233,11 +6233,12 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ + ca_file=data_files/test-ca2.crt \ debug_level=1 ec_max_ops=1000 auth_mode=optional" \ 0 \ -c "x509_verify_cert.*4b00" \ @@ -6251,10 +6252,11 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ - "$P_SRV auth_mode=required \ + "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ + ca_file=data_files/test-ca2.crt \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ debug_level=1 ec_max_ops=1000 auth_mode=none" \ 0 \ @@ -6268,7 +6270,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: DTLS, max_ops=1000" \ - "$P_SRV auth_mode=required dtls=1" \ + "$P_SRV auth_mode=required dtls=1 ca_file=data_files/test-ca2.crt" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ dtls=1 debug_level=1 ec_max_ops=1000" \ 
@@ -6433,7 +6435,7 @@ run_test "SSL async private: slot 0 used with key1" \ async_operations=s async_private_delay1=1 \ key_file=data_files/server5.key crt_file=data_files/server5.crt \ key_file2=data_files/server2.key crt_file2=data_files/server2.crt" \ - "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ + "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Async sign callback: using key slot 0," \ -s "Async resume (slot 0): call 0 more times." \ @@ -6836,7 +6838,7 @@ run_test "DTLS wrong PSK: badmac alert" \ requires_gnutls run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" @@ -6844,7 +6846,7 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6852,7 +6854,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6860,7 +6862,7 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ requires_gnutls run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" 
@@ -6869,7 +6871,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ @@ -6883,7 +6885,7 @@ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ - "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ + "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -c "client hello, adding renegotiation extension" \ 
@@ -6895,28 +6897,28 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 2048" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -C "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 768" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_CLI dtls=1 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2 ca_file=data_files/test-ca2.crt" \ 0 \ -c "found fragmented DTLS handshake message" \ -C "error" @@ -6941,11 +6943,13 @@ run_test "DTLS fragmenting: none (for reference)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ 
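Review bot: The `ca_file` values added in the last hunk here (`DTLS fragmenting: none (for reference)`) look crossed against the certificate names: the server presents `server7_int-ca.crt` but is given `test-ca.crt`, and the client presents `server8_int-ca2.crt` but is given `test-ca2.crt`. That is consistent if each side's `ca_file` is the root that the peer's chain ends in, but the hunk does not say so and the chain contents are not visible here. A comment placed once before this group, such as `# server7_int-ca.crt chains up to test-ca2.crt, server8_int-ca2.crt to test-ca.crt` (if that is indeed the layout), would stop someone from "correcting" the pairing. The same applies to the remaining `DTLS fragmenting` hunks that change both `$P_SRV` and `$P_CLI`.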
@@ -6961,11 +6965,13 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ 0 \ @@ -6985,11 +6991,13 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=4096" \ 0 \ @@ -7005,11 +7013,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7033,11 +7043,13 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro "$P_SRV dtls=1 debug_level=2 auth_mode=none \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ 
@@ -7053,11 +7065,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7081,11 +7095,13 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ max_frag_len=2048" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ max_frag_len=1024" \ 0 \ @@ -7100,11 +7116,13 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=4096" \ 0 \ @@ -7119,11 +7137,13 @@ run_test "DTLS fragmenting: client (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=3500-60000 \ mtu=4096" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=3500-60000 \ mtu=1024" \ 0 \ 
@@ -7138,11 +7158,13 @@ run_test "DTLS fragmenting: server (MTU)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=2048" \ 0 \ @@ -7158,11 +7180,13 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=2500-60000 \ mtu=1024" \ 0 \ @@ -7183,11 +7207,13 @@ run_test "DTLS fragmenting: both (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=2500-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=2500-60000 \ mtu=512" \ @@ -7214,10 +7240,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=400-3200" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=400-3200" \ 0 \ 
@@ -7238,10 +7266,12 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000" \ 0 \ @@ -7261,11 +7291,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024" \ 0 \ @@ -7290,11 +7322,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512" \ @@ -7313,11 +7347,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ mtu=1024 nbio=2" \ 0 \ 
@@ -7339,11 +7375,13 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ mtu=512 nbio=2" \ @@ -7375,11 +7413,13 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=10000-60000 \ mtu=1450" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=10000-60000 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ mtu=1450 reconnect=1 reco_delay=1" \ @@ -7404,12 +7444,14 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ 
@@ -7436,12 +7478,14 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ hs_timeout=10000-60000 \ mtu=512" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=10000-60000 \ @@ -7468,6 +7512,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \ hs_timeout=10000-60000 \ @@ -7475,6 +7520,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7501,6 +7547,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 \ hs_timeout=10000-60000 \ @@ -7508,6 +7555,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ 
@@ -7533,6 +7581,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ exchanges=2 renegotiation=1 \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 etm=0 \ hs_timeout=10000-60000 \ @@ -7540,6 +7589,7 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ exchanges=2 renegotiation=1 renegotiate=1 \ hs_timeout=10000-60000 \ mtu=1024" \ @@ -7562,10 +7612,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512" \ 0 \ @@ -7586,10 +7638,12 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ "$P_SRV dtls=1 debug_level=2 auth_mode=required \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca.crt \ hs_timeout=250-10000 mtu=512 nbio=2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ hs_timeout=250-10000 mtu=512 nbio=2" \ 0 \ 
@@ -7611,6 +7665,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7626,6 +7681,7 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7648,6 +7704,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7664,6 +7721,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$G_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7678,6 +7736,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7692,6 +7751,7 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ 
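Review bot: In `DTLS fragmenting: gnutls client, DTLS 1.2` the `$P_SRV` line gets `ca_file=data_files/test-ca2.crt`, whereas every `$P_SRV` presenting `server7_int-ca.crt` in the earlier hunks of this patch gets `ca_file=data_files/test-ca.crt`. These server command lines set no `auth_mode` and the peer is `$G_CLI -u --insecure`, so no visible line shows the server's CA being used to verify anything. If it is unused, either drop it or use `ca_file=data_files/test-ca.crt` for consistency; if it is used, a comment should say which client certificate it is meant to validate. The same applies to the other gnutls-client and openssl-client hunks (DTLS 1.0, and the `3d` variants further down).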
@@ -7705,6 +7765,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7718,6 +7779,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ mtu=512 force_version=dtls1" \ "$O_CLI -dtls1" \ 0 \ @@ -7739,6 +7801,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7756,6 +7819,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7772,6 +7836,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ @@ -7788,6 +7853,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ 
@@ -7810,6 +7876,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ "$P_CLI dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ 0 \ -c "fragmenting handshake message" \ @@ -7827,6 +7894,7 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ 0 \ -c "fragmenting handshake message" \ @@ -7843,6 +7911,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ "$O_CLI -dtls1_2" \ 0 \ @@ -7861,6 +7930,7 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ + ca_file=data_files/test-ca2.crt \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ "$O_CLI -nbio -dtls1" \ 0 \ @@ -8364,7 +8434,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" 
@@ -8375,7 +8445,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" @@ -8386,7 +8456,7 @@ not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2 ca_file=data_files/test-ca2.crt" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" From 4598e4991695b96388ef58b7c7ff0d3f45fbc3df Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 27 Aug 2019 11:40:29 +0100 Subject: [PATCH 8/8] Don't use P-256 test CRTs if P-256 is known to be disabled --- library/certs.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/library/certs.c b/library/certs.c index edf7e5a7b..e89cfe1c5 100644 --- a/library/certs.c +++ b/library/certs.c @@ -42,10 +42,10 @@ * */ -/* Use CRTs with Secp256r1 curve if enabled. - * Otherwise, fall back to previous EC test - * certificates. */ -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) /* This is taken from tests/data_files/test-ca3.crt.pem */ /* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca3.crt.pem */ 
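Review bot: The new guard `#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)` in library/certs.c no longer looks at `MBEDTLS_ECP_DP_SECP256R1_ENABLED`, yet by the rewritten comment both branches need Secp256r1: the first is Secp256r1-only and the fallback uses both curves. A configuration with Secp256r1 disabled would therefore get EC test CRTs it cannot use from either branch, unless an outer guard outside this hunk already excludes it. I would state that requirement next to the guard, e.g. `/* Both variants require MBEDTLS_ECP_DP_SECP256R1_ENABLED. */`, or make it explicit in the enclosing condition. The identical guards in the server (`@@ -612`) and client (`@@ -1157`) hunks need the same treatment.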
@@ -135,7 +135,7 @@ } /* END FILE */ -#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#else /* !MBEDTLS_ECP_DP_SECP384R1_ENABLED */ /* This is taken from tests/data_files/test-ca2.crt */ /* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */ @@ -249,7 +249,7 @@ } /* END FILE */ -#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ #define TEST_CA_PWD_EC_PEM "PolarSSLTest" @@ -612,10 +612,10 @@ * - multiple EC curve types */ -/* Use CRTs with Secp256r1 curve if enabled. - * Otherwise, fall back to previous EC test - * certificates. */ -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) /* This is taken from tests/data_files/server11.crt.pem. */ /* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server11.crt.pem */ @@ -704,7 +704,7 @@ } /* END FILE */ -#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#else /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ /* This is taken from tests/data_files/server5.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */ @@ -804,7 +804,7 @@ } /* END FILE */ -#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ /* This is taken from tests/data_files/server2-sha256.crt. */ /* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */ 
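Review bot: The branch labels disagree with each other: the first `#else` here is annotated `/* !MBEDTLS_ECP_DP_SECP384R1_ENABLED */`, while the `#else` lines in the server and client sections and all three `#endif` lines drop the `!`. Since the opening test is `#if !defined(...)`, pick one convention and use it everywhere, for instance `#else /* !MBEDTLS_ECP_DP_SECP384R1_ENABLED */` and `#endif /* !MBEDTLS_ECP_DP_SECP384R1_ENABLED */`. In a file that decides which test certificates are compiled in, a label that reads as the opposite condition makes it easy to misjudge which material a given configuration ships.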
@@ -1157,10 +1157,10 @@ * - multiple EC curve types */ -/* Use CRTs with Secp256r1 curve if enabled. - * Otherwise, fall back to previous EC test - * certificates. */ -#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) +/* Use CRTs with Secp256r1-only if Secp384r1 is disabled. + * Otherwise, fall back to previous test CRTs using both + * Secp256r1 and Secp384r1. */ +#if !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) /* This is taken from tests/data_files/cli3.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli3.crt.pem */ @@ -1250,7 +1250,7 @@ } /* END FILE */ -#else /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#else /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ /* This is taken from tests/data_files/cli2.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */ @@ -1351,7 +1351,7 @@ } /* END FILE */ -#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */ +#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */ /* This is taken from tests/data_files/cli-rsa-sha256.crt. */ /* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */