Commit graph

360 commits

Author SHA1 Message Date
Simon Butcher 14dac0953e Merge remote-tracking branch 'public/pr/1918' into development 2018-08-28 12:21:41 +01:00
Simon Butcher 1846e406c8 Merge remote-tracking branch 'public/pr/1939' into development 2018-08-28 12:19:56 +01:00
Simon Butcher 9598845d11 Merge remote-tracking branch 'public/pr/1955' into development 2018-08-28 12:00:18 +01:00
Simon Butcher badeb07872 Merge remote-tracking branch 'public/pr/1967' into development 2018-08-28 10:20:23 +01:00
Hanno Becker 69ca0ad5c4 ssl-opt.sh: Remove wrong test exercising MTU implications of MFL
The negotiated MFL is always the one suggested by the client, even
if the server has a smaller MFL configured locally. Hence, in the test
where the client asks for an MFL of 4096 bytes while the server locally
has an MFL of 512 bytes configured, the client will still send datagrams
of up to ~4K size.
2018-08-24 12:14:00 +01:00
Hanno Becker 6b6f602174 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-24 11:55:03 +01:00
Hanno Becker c92b5c8a0d ssl-opt.sh: Add tests checking that MFL implies bounds on MTU
This commit introduces some tests to ssl-opt.sh checking that
setting the MFL limits the MTU to MFL + { Maximum Record Expansion }.
2018-08-24 11:48:01 +01:00
Manuel Pégourié-Gonnard 34aa187df6 Force IPv4 for gnutls-cli DTLS tests
Depending on the settings of the local machine, gnutls-cli will either try
IPv4 or IPv6 when trying to connect to localhost. With TLS, whatever it tries
first, it will notice if any failure happens and try the other protocol if
necessary. With DTLS it can't do that. Unfortunately for now there isn't
really any good way to specify an address and hostname independently, though
that might come soon: https://gitlab.com/gnutls/gnutls/issues/344

A work around is to specify an address directly and then use --insecure to
ignore certificate hostname mismatch; that is OK for tests that are completely
unrelated to certificate verification (such as the recent fragmenting tests)
but unacceptable for others.

For that reason, don't specify a default hostname for gnutls-cli, but instead
let each test choose between `--insecure 127.0.0.1` and `localhost` (or
`--insecure '::1'` if desired).

Alternatives include:
- having test certificates with 127.0.0.1 as the hostname, but having an IP as
  the CN is unusual, and we would need to change our test certs;
- have our server open two sockets under the hood and listen on both IPv4 and
  IPv6 (that's what gnutls-serv does, and IMO it's a good thing) but that
obviously requires development and testing (esp. for windows compatibility)
- wait for a newer version of GnuTLS to be released, install it on the CI and
  developer machines, and use that in all tests - quite satisfying but can't
be done now (and puts stronger requirements on test environment).
2018-08-23 19:07:15 +02:00
Hanno Becker a67dee256d Merge branch 'iotssl-2402-basic-pmtu-adaptation' into datagram_packing 2018-08-22 10:06:38 +01:00
Manuel Pégourié-Gonnard b8eec192f6 Implement PMTU auto-reduction in handshake 2018-08-22 10:50:30 +02:00
Hanno Becker 170e2d89da Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-22 09:44:54 +01:00
Manuel Pégourié-Gonnard c1d54b74ec Add tests with non-blocking I/O
Make sure we behave properly when f_send() or f_recv() return
MBEDTLS_ERR_SSL_WANT_{WRITE,READ}.
2018-08-22 10:02:59 +02:00
Manuel Pégourié-Gonnard 3d183cefb5 Allow client-side resend in proxy MTU tests
From Hanno:
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.
2018-08-22 09:56:22 +02:00
Hanno Becker 175cb8fc69 ssl-opt.sh: Allow resend in DTLS session resumption tests, cont'd
This commit continues commit 47db877 by removing resend guards in the
ssl-opt.sh tests 'DTLS fragmenting: proxy MTU, XXX' which sometimes made
the tests fail in case the log showed a resend from the client.

See 47db877 for more information.
2018-08-21 17:00:10 +01:00
Hanno Becker 5bcf2b081f ssl-opt.sh: Allow spurious resend in DTLS session resumption test
When a server replies to a cookieless ClientHello with a HelloVerifyRequest,
it is supposed to reset the connection and wait for a subsequent ClientHello
which includes the cookie from the HelloVerifyRequest.
In testing environments, it might happen that the reset of the server
takes longer than for the client to replying to the HelloVerifyRequest
with the ClientHello+Cookie. In this case, the ClientHello gets lost
and the client will need retransmit. This may happen even if the underlying
datagram transport is reliable.

This commit removes a guard in the ssl-opt.sh test
'DTLS fragmenting: proxy MTU, resumed handshake' which made
the test fail in case the log showed a resend from the client.
2018-08-21 15:04:22 +01:00
Manuel Pégourié-Gonnard 2f2d9020cd Add delay in test to avoid race condition
We previously observed random-looking failures from this test. I think they
were caused by a race condition where the client tries to reconnect while the
server is still closing the connection and has not yet returned to an
accepting state. In that case, the server would fail to see and reply to the
ClientHello, and the client would have to resend it.

I believe logs of failing runs are compatible with this interpretation:
- the proxy logs show the new ClientHello and the server's closing Alert are
  sent the same millisecond.
- the client logs show the server's closing Alert is received after the new
  handshake has been started (discarding message from wrong epoch).

The attempted fix is for the client to wait a bit before reconnecting, which
should vastly enhance the probability of the server reaching its accepting
state before the client tries to reconnect. The value of 1 second is arbitrary
but should be more than enough even on loaded machines.

The test was run locally 100 times in a row on a slightly loaded machine (an
instance of all.sh running in parallel) without any failure after this fix.
2018-08-21 12:17:54 +02:00
Manuel Pégourié-Gonnard 6151298395 Add missing requires_gnutls guards 2018-08-21 09:40:07 +02:00
Hanno Becker 6aeaa05a95 Merge branch 'iotssl-165-dtls-hs-fragmentation-new' into datagram_packing 2018-08-20 12:53:37 +01:00
Hanno Becker f362c297fa ssl-opt.sh Add dependency on gnutls in two fragmentation tests 2018-08-20 12:40:23 +01:00
Hanno Becker 7be2e5bb16 ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-20 12:23:37 +01:00
Hanno Becker 4e1a9c17f2 ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-20 12:22:09 +01:00
Manuel Pégourié-Gonnard 4532329397 Add proxy-enforcement to a MTU test 2018-08-20 11:52:24 +02:00
Hanno Becker 9829315235 Add missing dependency in ssl-opt.sh 2018-08-20 11:18:34 +02:00
Hanno Becker 58e9dc3d4b Allow GNUTLS_NEXT_CLI / GNUTLS_NEXT_SERV to be unset in ssl-opt.sh 2018-08-20 11:18:15 +02:00
Manuel Pégourié-Gonnard 02f3a8a921 Adjust timeout values for 3d test
Use the same values as other 3d tests: this makes the test hopefully a bit
faster than the default values, while not increasing the failure rate.

While at it:
- adjust "needs_more_time" setting for 3d interop tests (we can't set the
  timeout values for other implementations, so the test might be slow)
- fix some supposedly DTLS 1.0 test that were using dtls1_2 on the command
  line
2018-08-20 10:54:25 +02:00
Hanno Becker 4a9d006f5f Add missing dependency in ssl-opt.sh 2018-08-17 16:10:47 +01:00
Hanno Becker bc73e4a822 Allow GNUTLS_NEXT_CLI / GNUTLS_NEXT_SERV to be unset in ssl-opt.sh 2018-08-17 15:53:21 +01:00
Hanno Becker 7ae8a76ced Add tests for datagram packing option to ssl-opt.sh
This commit adds four tests to ssl-opt.sh running default
DTLS client and server with and without datagram packing
enabled, and checking that datagram packing is / is not
used by inspecting the debug output.
2018-08-17 15:51:24 +01:00
Hanno Becker 1c9a24ce8c Disable datagram packing for various UDP proxy tests
The UDP proxy does currently not dissect datagrams into records,
an hence the coverage of the reordering, package loss and duplication
tests is much smaller if datagram packing is in use.

This commit disables datagram packing for most UDP proxy tests,
in particular all 3D (drop, duplicate, delay) tests.
2018-08-17 15:51:21 +01:00
Hanno Becker c4305238b5 Re-enable delayed CCS test
Now that datagram packing can be dynamically configured,
the test exercising the behavior of Mbed TLS when facing
an out-of-order CCS message can be re-introduced, disabling
datagram packing for the sender of the delayed CCS.
2018-08-17 15:45:45 +01:00
Hanno Becker 12405e76b5 Increase max_frag_len / MTU in fragmentation ref tests
The tests "DTLS fragmenting: none (for reference)" and
"DTLS fragmenting: none (for reference) (MTU)" used a
maximum fragment length resp. MTU value of 2048 which
was meant to be large enough so that fragmentation
of the certificate message would not be necessary.
However, it is not large enough to hold the entire flight
to which the certificate belongs, and hence there will
be fragmentation as soon as datagram packing is used.

This commit increases the maximum fragment length resp.
MTU values to 4096 bytes to ensure that even with datagram
packing in place, no fragmentation is necessary.

A similar change was made in "DTLS fragmenting: client (MTU)".
2018-08-17 15:45:19 +01:00
Hanno Becker 111fa497aa TEST-ONLY: Remove delayed CCS test
The test exercising a delayed CCS message is not
expected to work when datagram packing is used,
as the current UDP proxy is not able to recognize
records which are not at the beginning of a
datagram.
2018-08-17 15:44:37 +01:00
Manuel Pégourié-Gonnard 38110dfc0e Add interop test with unreliable connection
Adds a requirement for GNUTLS_NEXT (3.5.3 or above, in practice we should
install 3.6.3) on the CI.

See internal ref IOTSSL-2401 for analysis of the bugs and their impact on the
tests.
2018-08-17 12:44:54 +02:00
Hanno Becker d26bb2090f Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 09:57:36 +01:00
Manuel Pégourié-Gonnard 0794d49566 Skip some tests with valgrind (spurious resend) 2018-08-17 10:54:24 +02:00
Manuel Pégourié-Gonnard 1218bc0f74 Add simple interop tests (reliable connection) 2018-08-17 10:51:26 +02:00
Manuel Pégourié-Gonnard 2d56f0d346 Add test with unreliable connection 2018-08-16 11:09:03 +02:00
Manuel Pégourié-Gonnard 19c62f90e4 Add test for session resumption 2018-08-16 10:50:39 +02:00
Manuel Pégourié-Gonnard 72c2707d9c Add tests for MTU with renegotiation
This exercises our computation of record expansion.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard b747c6cf9b Add basic first tests for MTU setting
For now, just check that it causes us to fragment. More tests are coming in
follow-up commits to ensure we respect the exact value set, including when
renegotiating.
2018-08-16 10:01:47 +02:00
Manuel Pégourié-Gonnard 2cb17e201b Make handshake fragmentation follow max_frag_len
Note: no interop tests in ssl-opt.sh for now, as some of them make us run into
bugs in (the CI's default versions of) OpenSSL and GnuTLS, so interop tests
will be added later once the situation is clarified. <- TODO
2018-08-16 10:01:10 +02:00
Jaeden Amero cac0c1a250 Merge remote-tracking branch 'upstream-public/pr/1378' into development 2018-08-10 10:59:53 +01:00
Andres Amaya Garcia 4c761fab7f Add test for empty app data records to ssl-opt.sh 2018-07-20 23:09:29 +01:00
Simon Butcher 922bd1efb2 Merge remote-tracking branch 'public/pr/1752' into development 2018-07-20 14:33:18 +01:00
Simon Butcher e7aeef09ee Merge remote-tracking branch 'public/pr/536' into development 2018-07-10 15:24:26 +01:00
Gilles Peskine a931265509 Fix ssl-opt.sh not starting when lsof is not available
$START_DELAY was used before it was defined.
2018-06-29 15:48:13 +02:00
Ron Eldor 643df7c8a1 Update ssl-opt.sh test to run condition
1. Update the test script to un the ECC tests only if the relevant
configurations are defined in `config.h` file
2. Change the HASH of the ciphersuite from SHA1 based to SHA256
for better example
2018-06-28 16:17:00 +03:00
Ron Eldor 58093c8bec Add ECC extensions test in ssl-opts.sh
Add test to verify if an ecc based extension exists
or not if an ecc based ciphersuite is used or not.
2018-06-28 13:22:05 +03:00
Manuel Pégourié-Gonnard ce66d5e8e1 Declare ChaCha-Poly ciphersuites
Prefer them over AES-GCM as they have better performance and fewer side
channel considerations in software implementations.
2018-06-19 12:11:38 +02:00
Angus Gratton c4dd07369f test: Add test cases for separately reduced inward/outward buffer sizes 2018-06-18 20:51:51 +10:00