Commit graph

9050 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 57a348ba8c Add tests for session copy without serialisation 2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 37a5324c74 Add mbedtls_ssl_get_session_pointer()
Avoid useless copy with mbedtls_ssl_get_session() before serialising.

Used in ssl_client2 for testing and demonstrating usage, but unfortunately
that means mbedtls_ssl_get_session() is no longer tested, which will be fixed
in the next commit.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard fbb44a422f Save session in serialised form in ssl_client2.
This provides basic testing for the session (de)serialisation functions, as
well as an example of how to use them.

Tested locally with tests/ssl-opt.sh -f '^Session resume'.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard ef4ae611e4 Add support for serialisation session with ticket
On client side, this is required for the main use case where of serialising a
session for later resumption, in case tickets are used.

On server side, this doesn't change much as ticket_len will always be 0.

This unblocks testing the functions by using them in ssl_client2, which will
be done in the next commit.
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 91f4ca2ed1 Move session save/load function to ssl_tls.c
This finishes making these functions public. Next step is to get them tested,
but there's currently a blocker for that, see next commit (and the commit
after it for tests).
2019-06-03 09:51:08 +02:00
Manuel Pégourié-Gonnard 2843fe10b9 Declare and document session save/load functions
The next commit with make the implementation publicly available as well.

For now the API is kept unchanged. The save function API has a serious drawback in that the user
must guess what an appropriate buffer size is.
Internally so far this didn't matter because we were only using that API for
ticket creation, and tickets are written to the SSL output buffer whose size
is fixed anyway, but for external users this might not be suitable. Improving
that is left for later.

Also, so far the functions are defined unconditionally. Whether we want to
re-use existing flags or introduce a new one is left for later.

Finally, currently suggested usage of calling get_session() then
session_save() is memory-inefficient in that get_session() already makes a
copy. I don't want to recommend accessing `ssl->session` directly as we want
to prohibit direct access to struct member in the future. Providing a clean
and efficient way is also left to a later commit.
2019-06-03 09:51:08 +02:00
Jaeden Amero ada38317dd test: Always use make clean by itself
When running make with parallelization, running both "clean" and "lib"
with a single make invocation can lead to each target building in
parallel. It's bad if lib is partially done building something, and then
clean deletes what was built. This can lead to errors later on in the
lib target.

    $ make -j9 clean lib
      CC    aes.c
      CC    aesni.c
      CC    arc4.c
      CC    aria.c
      CC    asn1parse.c
      CC    ./library/error.c
      CC    ./library/version.c
      CC    ./library/version_features.c
      AR    libmbedcrypto.a
    ar: aes.o: No such file or directory
    Makefile:120: recipe for target 'libmbedcrypto.a' failed
    make[2]: *** [libmbedcrypto.a] Error 1
    Makefile:152: recipe for target 'libmbedcrypto.a' failed
    make[1]: *** [libmbedcrypto.a] Error 2
    Makefile:19: recipe for target 'lib' failed
    make: *** [lib] Error 2
    make: *** Waiting for unfinished jobs....

To avoid this sort of trouble, always invoke clean by itself without
other targets throughout the library. Don't run clean in parallel with
other rules. The only place where clean was run in parallel with other
targets was in list-symbols.sh.
2019-05-31 17:49:25 +01:00
Hanno Becker 8d90015acb Correct placement of ChangeLog entry 2019-05-30 11:19:19 +01:00
Hanno Becker ba774bc0b6 Adapt ChangeLog 2019-05-30 11:19:08 +01:00
Hanno Becker 67d1848ed0 Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:19:08 +01:00
Hanno Becker 556e6d84ea Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:19:08 +01:00
Hanno Becker 9582a47460 Re-generate library/certs.c from script 2019-05-30 10:58:12 +01:00
Hanno Becker dd7e193f49 Add new line at the end of test-ca2.key.enc 2019-05-30 10:58:12 +01:00
Hanno Becker bc12242f4f Use strict syntax to annotate origin of test data in certs.c
This allows to auto-generate them from scripts.
2019-05-30 10:58:12 +01:00
Hanno Becker e562e7dbeb Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO 2019-05-30 10:58:12 +01:00
Hanno Becker 7b34f0ff69 Allow DHM self test to run without MBEDTLS_PEM_PARSE_C 2019-05-30 10:58:12 +01:00
Hanno Becker 7a11e72a4f ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
This should allow to run ssl-opt.sh successfully in the default
configuration minus MBEDTLS_PEM_PARSE_C minus MBEDTLS_FS_IO.
2019-05-30 10:58:07 +01:00
Hanno Becker 72309d0847 Document origin of hardcoded certificates in library/certs.c
All of them are copied from (former) CRT and key files in `tests/data_files`.
For files which have been regenerated since they've been copied to `certs.c`,
update the copy.

Add declarations for DER encoded test CRTs to certs.h

Add DER encoded versions of CRTs to certs.c

fix comment in certs.c

Don't use (signed) char for DER encoded certificates

Consistently use `const char *` for test CRTs regardless of encoding

Remove non-sensical and unused PW variable for DER encoded key

Provide test CRTs in PEM and DER fmt, + pick suitable per config

This commit modifies `certs.h` and `certs.c` to start following the
following pattern for the provided test certificates and files:

- Raw test data is named `NAME_ATTR1_ATTR2_..._ATTRn`

  For example, there are
     `TEST_CA_CRT_{RSA|EC}_{PEM|DER}_{SHA1|SHA256}`.

- Derived test data with fewer attributes, iteratively defined as one
  of the raw test data instances which suits the current configuration.

  For example,
     `TEST_CA_CRT_RSA_PEM`
  is one of `TEST_CA_CRT_RSA_PEM_SHA1` or `TEST_CA_CRT_RSA_PEM_SHA256`,
  depending on whether SHA-1 and/or SHA-256 are defined in the current
  config.

Add missing public declaration of test key password

Fix signedness and naming mismatches

Further improve structure of certs.h and certs.c

Fix definition of mbedtls_test_cas test CRTs depending on config

Remove semicolon after macro string constant in certs.c
2019-05-30 10:27:49 +01:00
Hanno Becker 820c021f4e Adapt ChangeLog 2019-05-30 10:27:49 +01:00
Hanno Becker f8b0b15c90 Rename server1.der to server1.crt.der 2019-05-30 10:27:49 +01:00
Hanno Becker 389ee9b40b Add DER encoded files to git tree 2019-05-30 10:27:14 +01:00
Hanno Becker 5895a2db7b Add build instructions to generate DER versions of CRTs and keys 2019-05-30 10:27:14 +01:00
Hanno Becker 1ce1a51816 Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2 2019-05-30 10:21:59 +01:00
Hanno Becker 7ae36e4179 ssl_server2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_server2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.
2019-05-30 10:21:59 +01:00
Hanno Becker a7242061c4 ssl_client2: Skip CA setup if ca_path or ca_file argument "none"
This allows to test PSK-based ciphersuites via ssl_client2 in builds
which have MBEDTLS_X509_CRT_PARSE_C enabled but both MBEDTLS_FS_IO and
MBEDTLS_CERTS_C disabled.

A similar change is applied to the `crt_file` and `key_file` arguments.
2019-05-30 10:21:59 +01:00
Hanno Becker c258c440b5 Correct white spaces in ssl_server2 and ssl_client2 2019-05-30 10:21:59 +01:00
Hanno Becker bb676f7d32 Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled 2019-05-30 10:21:59 +01:00
Hanno Becker 38566ccbd5 Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled 2019-05-30 10:21:59 +01:00
Simon Butcher 0d1d76f987 Merge remote-tracking branch 'origin/pr/561' into baremetal 2019-05-29 15:09:24 +01:00
Darryl Green e831f5575b Remove all abi dumps, not just ones shared between versions
While the abi-checking script handled comparing only the modules
that were shared between the old and new versions correctly, the
cleanup of the abi dumps only removed what was shared. Change the
cleanup logic to remove all abi dumps instead.
2019-05-29 13:40:19 +01:00
Renz Christian Bagaporo ac859f39bd Create link to include/mbedtls only when testing is enabled 2019-05-27 15:58:36 +08:00
Simon Butcher d5e1bfc6b4 Merge remote-tracking branch 'origin/pr/569' into baremetal 2019-05-24 15:07:10 +01:00
Simon Butcher 0edb924e16 Merge remote-tracking branch 'origin/pr/565' into baremetal 2019-05-24 15:06:56 +01:00
Simon Butcher 5a790f9214 Merge remote-tracking branch 'origin/pr/563' into baremetal 2019-05-24 15:06:16 +01:00
Simon Butcher 6961760eb8 Merge remote-tracking branch 'origin/pr/560' into baremetal 2019-05-24 15:05:42 +01:00
Simon Butcher ba13ff514f Merge remote-tracking branch 'origin/pr/559' into baremetal 2019-05-24 15:05:07 +01:00
Hanno Becker 948a34adcc Add description of CID feature to ChangeLog 2019-05-24 10:23:43 +01:00
Hanno Becker f6fb4ea632 Insert records with unexpected CID in CID tests in ssl-opt.sh 2019-05-24 10:11:23 +01:00
Hanno Becker 675c4d6d35 Add debug line witnessing receipt of unexpected CID 2019-05-24 10:11:06 +01:00
Hanno Becker 34dcf4e6f6 Add bad_cid option UDP proxy to insert unexpected CID records
This commit adds the command line option 'bad_cid' to the UDP proxy
`./programs/test/udp_proxy`. It takes a non-negative integral value N,
which if not 0 has the effect of duplicating every 1:N CID records
and modifying the CID in the first copy sent.

This is to exercise the stacks documented behaviour on receipt
of unexpected CIDs.

It is important to send the record with the unexpected CID first,
because otherwise the packet would be dropped already during
replay protection (the same holds for the implementation of the
existing 'bad_ad' option).
2019-05-24 10:07:42 +01:00
Hanno Becker d8f7c4aa59 Fix indentation in debug message in ssl_tls.c 2019-05-23 17:03:44 +01:00
Hanno Becker 3b2bf5b214 Improve comment in ssl_parse_record_header() 2019-05-23 17:03:19 +01:00
Hanno Becker 4753e65e9b Disable Connection ID feature by default 2019-05-23 17:02:14 +01:00
Hanno Becker f4e8ed116c Remove superfluous new line in ssl_server2 2019-05-23 17:01:43 +01:00
Hanno Becker c8f43d82b8 Improve readability of ssl_client2/ssl_server2 usage instructions 2019-05-23 17:01:06 +01:00
Hanno Becker b8260c64d6 Remove superfluous newline in ssl_client2 2019-05-23 17:00:23 +01:00
Hanno Becker 76581052f9 Use negative-hex format for error codes in ssl_client2/ssl_server2 2019-05-23 16:58:22 +01:00
Hanno Becker 948d2d5611 Expand CID to Connection ID in documentation of mbedtls_ssl_conf_cid 2019-05-23 16:55:50 +01:00
Jaeden Amero bab2367924 Merge remote-tracking branch 'origin/pr/2648' into mbedtls-2.16
* origin/pr/2648:
  list-symbols.sh: if the build fails, print the build transcript
  Document "check-names.sh -v"
  all.sh: invoke check-names.sh in print-trace-on-exit mode
  Print a command trace if the check-names.sh exits unexpectedly
2019-05-23 15:14:35 +01:00
Jaeden Amero cbcd327376 Merge remote-tracking branch 'origin/pr/2611' into mbedtls-2.16
* origin/pr/2611:
  Update change log
  Reword ssl_conf_max_frag_len documentation for clarity
2019-05-23 15:14:06 +01:00