Commit graph

561 commits

Author SHA1 Message Date
Gilles Peskine 4ad0967125
Merge pull request #4430 from gilles-peskine-arm/dhm_min_bitlen-bits
Backport 2.x: Enforce dhm_min_bitlen exactly
2021-04-29 14:55:36 +02:00
Gilles Peskine a8a7033cb1
Merge pull request #3615 from gilles-peskine-arm/ssl-opt-less-grep-development
Speed up ssl-opt.sh when running a small number of test cases
2021-04-06 11:05:34 +02:00
Gilles Peskine c6b0d96c31 More precise testing of dhm_min_len
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-01 14:18:31 +02:00
Gilles Peskine defdc3bc53 SECP224K1 is not yet supported via the PSA API
Filed as https://github.com/ARMmbed/mbedtls/issues/3541. In the
meantime, disable the ssl-opt.sh test case that uses it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 13:59:58 +01:00
Dave Rodgman e31fb03310
Merge pull request #4136 from daverodgman/ssl-opt-gnutls-priority
ssl-opt.sh: add --priority=normal to gnutls-serv
2021-02-16 14:37:51 +00:00
Dave Rodgman 0279c2fc70 ssl-opt.sh: add --priority=normal to gnutls
For calls to gnutls-serv and gnutls-cli where --priority is not
specified, explicitly add the default value: --priority=normal. This is
needed for some tests on Ubuntu 20.04 (gnutls 3.6.13).

For example:
./ssl-opt.sh -f "DTLS fragmenting: gnutls.*1.0"
requires this PR to work on Ubuntu 20.04

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-02-15 12:45:43 +00:00
Gilles Peskine aaf866edd2 ssl-opt.sh: Only check the server exit for Mbed TLS
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.

We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-09 21:01:33 +01:00
Gilles Peskine 7f919de1ce ssl-opt.sh: if the server fails, do treat it as a test failure
This used to be the case a long time ago but was accidentally broken.

Fix <github:nogrep> #4103 for ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-02-03 18:09:33 +01:00
Ronald Cron efcf52d521
Merge pull request #3614 from gilles-peskine-arm/ssl-opt-gnutls-printf-development
Fix printf escape errors in shell scripts
2020-11-04 17:55:42 +01:00
Johan Pascal 5ef72d214f Style and typos
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal 20c7db3a67 API modified so server side can get mki value
+ client side discards self mki if server does not support it

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal 104031547f style
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal 9bc50b0122 Test check the key material exported match
- include interop with openssl client

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal 39cfd3b96e interop test: openssl generate the DTLS-SRTP keys
Missing a command in the test script to compare with peer's output

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal 43f9490a52 SRTP profiles definition use macros only
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal 9bc97ca19d SRTP-DTLS protection profile configuration list not copied into ssl_config
+ improve test
+ minor style fix

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor 5d991c9549 Force IPv4 in gnutls_cli srtp tests
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for
other tests in #1918.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor 2b3dfe41af Force IPv6 for DTLS interop tests with gnutls-cli
Since `gnutls-cli` resolves `localhost` as an IPv6 address, and the server
is bound to IPv4 address, gnutl-cli fails to negotiate DTLS sessions.
Force the server to bind to IPv6 address, as a workaround.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor 3c6a44bed8 Add interop tests
Add some interoperability tests with openssl and gnutls, in ssl-opts.sh.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor b465539476 Add tests and code to support
1. Add DTLS-SRTP tests in `ssl-opts.sh`
2. Add logs for the tests to filter.
3. Add function to get the profile informations.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Gilles Peskine b09e001d69 Fix regexp detection
In a case exprssion, `|` separates patterns so it needs to be quoted.
Also `\` was not actually part of the set since it was quoting another
character.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-09-29 23:50:46 +02:00
Gilles Peskine 9fa4ed673d Avoid using grep for test case names if possible
If `$FILTER` (`-f`) and `$EXCLUDE` (`-e`) are simple selections that
can be expressed as shell patterns, use a case statement instead of
calling grep to determine whether a test case should be executed.
Using a case statement significantly reduces the time it takes to
determine that a test case is excluded (but the improvement is small
compared to running the test).

This noticeably speeds up running a single test or a small number of
tests. Before:
```
tests/ssl-opt.sh -f Default  1.75s user 0.54s system 79% cpu 2.885 total
```
After:
```
tests/ssl-opt.sh -f Default  0.37s user 0.14s system 29% cpu 1.715 total
```
There is no perceptible difference when running a large number of tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 22:57:28 +02:00
Gilles Peskine 6445749d3c Reduce the use of grep
Avoid using the external command grep for simple string-based checks.
Prefer a case statement. This improves performance.

The performance improvement is moderate but noticeable when skipping
most tests. When a test is run, the cost of the associated grep calls
is negligible. In this commit, I focused on the uses of grep that can
be easily replaced and that are executed a large number of times.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 22:57:28 +02:00
Gilles Peskine 5b428d7d2a Remove non-portable shell builtin local
Dash and bash have `local`, but other sh implementations such as ksh
don't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 22:57:28 +02:00
Gilles Peskine 231befab51 Fix printf escape errors in shell scripts
Fix `printf "$foo"` which treats the value of `foo` as a printf format
rather than a string.

I used the following command to find potentially problematic lines:
```
git ls-files '*.sh' | xargs egrep 'printf +("?[^"]*|[^ ]*)\$'
```
The remaining ones are false positives for this regexp.

The errors only had minor consequences: the output of `ssl-opt.sh`
contained lines like
```
Renegotiation: gnutls server strict, client-initiated .................. ./tests/ssl-opt.sh: 741: printf: %S: invalid directive
PASS
```
and in case of failure the GnuTLS command containing a substring like
`--priority=NORMAL:%SAFE_RENEGOTIATION` was not included in the log
file. With the current tests, there was no risk of a test failure
going undetected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 22:54:19 +02:00
Gilles Peskine 880f7f2c42 ssl-opt.sh --help: don't show regexps for -f and -e
Showing a regexp to say that by default all tests are executed is not
particularly helpful.

If we ever add a default exclusion list or a default filter, we can
edit the documentation again.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 22:52:25 +02:00
Manuel Pégourié-Gonnard 6edfe60e0d
Merge pull request #2182 from hanno-arm/key_pwd
Add support for password protected key files to ssl_server2 and ssl_client2
2020-08-24 09:42:38 +02:00
danh-arm e8582ba0f3
Merge pull request #3546 from bensze01/copyright
Update copyright notices to use Linux Foundation guidance
2020-08-19 15:59:42 +01:00
Bence Szépkúti 1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Hanno Becker 721f7c1e64 Add minimal client authentication test to ssl-opt.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 12:17:32 +01:00
Hanno Becker 2f54a3c2e4 Add tests to ssl-opt.sh exercising new key_pwd[2] parameters
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 12:17:28 +01:00
Manuel Pégourié-Gonnard 98944cd756
Merge pull request #3404 from mpg/improve-ssl-opt-logs
Improve ssl-opt.sh logs
2020-08-17 12:04:36 +02:00
Hanno Becker fa452c4566 Fix guard in ECJPAKE tests in ssl-opt.sh
Three tests were guarded by `MBEDTLS_KEY_EXCHANGE_ECJPAKE`,
not `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`, as it should be.

Curiously, the guard still functioned as intended, perhaps
because `MBEDTLS_KEY_EXCHANGE_ECJPAKE` is a prefix of
`MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED`.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-14 15:42:49 +01:00
Hanno Becker ee63af6f8f Adapt ssl-opt.sh to modified ciphersuite log format
The debug output for supported ciphersuites has been changed
from `deadbeef` to `0xdeadbeef` in a previous commit, but the
test script `ssl-opt.sh` grepping for lines in the debug log
to determine test success/failure hadn't been adjusted accordingly.

This commit fixes this.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-14 15:41:23 +01:00
Manuel Pégourié-Gonnard a3b994fa4d Fix misuse of printf in shell script
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-27 09:45:32 +02:00
Manuel Pégourié-Gonnard 8779e9a70b Fix added proxy command when IPv6 is used
For explicit proxy commands (included with `-p "$P_PXY <args>` in the test
case), it's the test's writer responsibility to handle IPv6; only fix the
proxy command when we're auto-adding it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-24 11:33:49 +02:00
Gilles Peskine 0d7216511f Fix erroneous skip of test cases for disabled ciphersuites
Test cases that force a specific ciphersuites are only executed if
this ciphersuite is enabled. But there are test cases (for RC4) whose
goal is to check that the ciphersuite is not used. These test cases
must run even if (or only if) the ciphersuite is disable, so add an
exception for these test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:38:21 +02:00
Manuel Pégourié-Gonnard 70fce9831e Simplify test syntax
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-25 09:54:46 +02:00
Manuel Pégourié-Gonnard 69b01f7694 Fix logic error in setting client port
We need to do this after we possibly added the proxy.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-25 09:52:54 +02:00
Janos Follath 0c00407432
Merge pull request #3430 from bensze01/license
[Forward-port] Add Apache-2.0 headers to all source files
2020-06-18 15:54:26 +01:00
danh-arm c4b6656a91
Merge pull request #3405 from AndrzejKurek/variable-buffers-cid-serialization
Update iv and len context pointers manually when reallocating buffers
2020-06-17 12:26:24 +01:00
Andrzej Kurek b657783269
Update iv and len context pointers manually when reallocating buffers
These fields might be shifted accordingly in `ssl_parse_record_header()`
when receiving a connection with CID, so they require a manual update
after calling the generic `mbedtls_ssl_reset_in_out_pointers()`.

This commit also adds a regression test which is run by all.sh.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-06-16 11:54:51 -04:00
Bence Szépkúti c7da1fe381 Add Apache-2.0 headers to all scripts
This commit was generated using the following script:

# ========================
#!/bin/sh

# Find scripts
find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i '

# Remove Mbed TLS declaration if it occurs before the copyright line
1,/Copyright.*Arm/I {
  /This file is part of/,$ {
    /Copyright.*Arm/I! d
  }
}

# Convert non-standard header in scripts/abi_check.py to the format used in the other scripts
/"""/,/"""/ {

  # Cut copyright declaration
  /Copyright.*Arm/I {
    h
    N
    d
  }

  # Paste copyright declaration
  /"""/ {
    x
    /./ {
      s/^/# /    # Add #
      x          # Replace orignal buffer with Copyright declaration
      p          # Print original buffer, insert newline
      i\

      s/.*//     # Clear original buffer
    }
    x
  }
}

/Copyright.*Arm/I {

  # Print copyright declaration
  p

  # Read the two lines immediately following the copyright declaration
  N
  N

  # Insert Apache header if it is missing
  /SPDX/! {
    i\
# SPDX-License-Identifier: Apache-2.0\
#\
# Licensed under the Apache License, Version 2.0 (the "License"); you may\
# not use this file except in compliance with the License.\
# You may obtain a copy of the License at\
#\
# http://www.apache.org/licenses/LICENSE-2.0\
#\
# Unless required by applicable law or agreed to in writing, software\
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
# See the License for the specific language governing permissions and\
# limitations under the License.

    # Insert Mbed TLS declaration if it is missing
    /This file is part of/! i\
#\
# This file is part of Mbed TLS (https://tls.mbed.org)
  }

  # Clear copyright declaration from buffer
  D
}
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:05:47 +02:00
Ron Eldor 65d8c2651d Show failure in ssl-opts.sh when key export fails
1. When `ssl_server2` export key functionality fails,
don't exit the server, but reset it, to have the
server recover for next connection.
2. Add text filters for `export keys functionality` test in ssl-opt.sh
to check for additional output, to verify if the export suceeded.

This was discovered in the `ssl-opt.sh` script, where the server exited,
before the test tried to kill the server priocess, resulting in a
`kill: No such process` message.

Fixes #2662

Signed-off-by: Ron Eldor <Ron.Eldor@arm.com>
2020-06-15 11:21:41 +03:00
Manuel Pégourié-Gonnard d06125c649 ssl-opt.sh: include test name in log files
This is a convenience for when we get log files from failed CI runs, or attach
them to bug reports, etc.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 12:06:21 +02:00
Manuel Pégourié-Gonnard 3f3302f183 ssl-opt.sh: remove old buildbot-specific condition
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 11:49:05 +02:00
Manuel Pégourié-Gonnard f45578648a ssl-opt.sh: add proxy to all DTLS tests
A lot of DTLS test are timing-sensitive, especially those that contain
assertions about retransmission. Sometimes some DTLS test fails intermittently
on the CI with no clear apparent reason; we need more information in the log
to understand the cause of those failures.

Adding a proxy means we'll get timing information from the proxy logs.

An alternative would be to add timing information to the debug output of
ssl_server2 and ssl_client2. But that's more complex because getting
sub-second timing info is outside the scope of the C standard, and our current
timing module only provides a APi for sub-second intervals, not absolute time.
Using the proxy is easier as it's a single point that sees all messages, so
elapsed time is fine here, and it's already implemented in the proxy output.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 11:40:06 +02:00
Piotr Nowicki 3de298f18f Saving the serialized context to a file
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-17 16:26:43 +02:00
Jaeden Amero 66e21efe47
Merge pull request #3163 from AndrzejKurek/variable-buffers-renegotiation
Variable buffers & renegotiation - fixes
2020-04-09 12:11:02 +01:00
Andrzej Kurek 8ea6872889
Improve pointer calculations when resizing I/O buffers
This commit introduces two changes:
- Add in_msg and out_msg calculations for buffer upsizing. This was previously
considered as unnecessary, but renegotiation using certain ciphersuites needs
this.
- Improving the way out_msg and in_msg pointers are calculated, so that even 
if no resizing is introduced, the pointers remain the same;

New tests added:
- various renegotiation schemes with a range of MFL's and ciphersuites;
- an ssl-opt.sh test exercising two things that were problematic: renegotiation
with TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 and a server MFL that's smaller
than the one negotiated by the client.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:33:00 -04:00