Commit graph

312 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard b1ee30bfe9 Adjust timeout of tests with "no resend" assertions
There are currently 4 tests in ssl-opt.sh with either -C "resend" or -S
"resend", that is, asserting that no retransmission will occur. They sometimes
fail on loaded CI machines as one side doesn't send a message fast enough,
causing the other side to retransmit, causing the test to fail.

(For the "reconnect" test there was an other issue causing random failures,
fixed in a previous commit, but even after that fix the test would still
sometimes randomly fail, even if much more rarely.)

While it's a hard problem to fix in a general and perfect way, in practice the
probability of failures can be drastically reduced by making the timeout
values much larger.

For some tests, where retransmissions are actually expected, this would have
the negative effect of increasing the average running time of the test, as
each side would wait for longer before it starts retransmission, so we have a
trade-off between average running time and probability of spurious failures.

But for tests where retransmission is not expected, there is no such trade-off
as the expected running time of the test (assuming the code is correct most of
the time) is not impacted by the timeout value. So the only negative effect of
increasing the timeout value is on the worst-case running time on the test,
which is much less important, as test should only fail quite rarely.

This commit addresses the easy case of tests that don't expect retransmission
by increasing the value of their timeout range to 10s-20s. This value
corresponds to the value used for tests that assert `-S "autoreduction"` which
are in the same case and where the current value seems acceptable so far.

It also represents an increase, compared to the values before this commit, of
a factor 20 for the "reconnect" tests which were frequently observed to fail
in the CI, and of a factor 10 for the first two "DTLS proxy" tests, which were
observed to fail much less frequently, so hopefully the new values are enough
to reduce the probability of spurious failures to an acceptable level.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 09:57:45 +02:00
Manuel Pégourié-Gonnard a58b04649b Add negative test for hard reconnect cookie check
The server must check client reachability (we chose to do that by checking a
cookie) before destroying the existing association (RFC 6347 section 4.2.8).
Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello -
the server should notice, but not destroy the connection.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 09:57:45 +02:00
Manuel Pégourié-Gonnard d6e4454de8 Improve some test names in ssl-opt.sh
- "Default" should only be used for tests that actually use the defaults (ie,
  not passing options on the command line, except maybe debug/dtls)
- All tests in the "Encrypt then MAC" group should start with that string as a
  common prefix

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-24 10:58:20 +01:00
Manuel Pégourié-Gonnard aa719e78ce Align some timeouts with the 2.16 branch in ssl-opt.sh
This commit only addresses the timeouts in the "DTLS proxy: 3d, ..." tests.
The discrepancy with the 2.16 branch became apparent for some of these tests
when backporting the previous commit (skip_close_nofity), so let's align the
whole series for consistency and to make future backporting easier.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-03 10:15:50 +01:00
Manuel Pégourié-Gonnard 5e261e958c Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-03 10:15:26 +01:00
Janos Follath 5d1171268c
Merge pull request #3020 from mpg/fix-ssl-opt-gnutls-no-sha1-2.7
[backport 2.7] Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:19:18 +00:00
Manuel Pégourié-Gonnard 179c227203 Fix CA encoding issue with gnutls-cli
In the 2.7 branch, test-ca.crt has all the components of its Subject name
encoded as PrintableString, because it's generated with our cert_write
program, and our code writes all components that way until Mbed TLS 2.14.

But the default RSA SHA-256 certificate, server2-sha256.crt, has the O and CN
components of its Issuer name encoded as UTF8String, because it was generated
with OpenSSL and that's what OpenSSL does, regardless of how those components
were encoded in the CA's Subject name.

This triggers some overly strict behaviour in some libraries, most notably NSS
and GnuTLS (of interest to us in ssl-opt.sh) which won't recognize the trusted
root as a possible parent for the presented certificate, see for example:
https://github.com/ARMmbed/mbedtls/issues/1033

Fortunately, we have at our disposal a version of test-ca.crt with encodings
matching the ones in server2-sha256.crt, in the file test-ca_utf8.crt. So
let's append that to gnutls-cli's list of trusted roots, so that it recognizes
certs signed by this CA but with the O and CN components as UTF8String.

Note: Since https://github.com/ARMmbed/mbedtls/pull/1641 was merged (in Mbed
TLS 2.14), we changed how we encode those components, so in the 2.16 branch,
cert_write generates test-ca.crt with encodings that matches the ones used by
openssl when generating server2-sha256.crt, so the issue of gnutls-cli
rejecting server2-sha256.crt is specific to the 2.7 branch.
2020-02-03 15:55:43 +01:00
Manuel Pégourié-Gonnard 37abf12631 De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-01-30 12:49:43 +01:00
Manuel Pégourié-Gonnard a92990a082 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-01-30 11:19:45 +01:00
Manuel Pégourié-Gonnard 455755177e Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-01-06 09:52:27 +01:00
Unknown b86bcb4f71 ssl-opt.sh: wait for proxy to start before running the script further 2019-09-04 06:09:26 -04:00
Jaeden Amero 347309141f tests: Limit each log to 10 GiB
Limit log output in compat.sh and ssl-opt.sh, in case of failures with
these scripts where they may output seemingly unlimited length error
logs.

Note that ulimit -f uses units of 512 bytes, so we use 10 * 1024 * 1024
* 2 to get 10 GiB.
2019-07-10 08:50:52 +01:00
Jaeden Amero 0cf1776a2d Merge remote-tracking branch 'origin/pr/2451' into mbedtls-2.7
* origin/pr/2451:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:55:21 +01:00
Jaeden Amero 3a70ab9319 Merge remote-tracking branch 'origin/pr/2390' into mbedtls-2.7
* origin/pr/2390:
  Correct length check for DTLS records from old epochs.
2019-03-05 16:38:00 +00:00
Jaeden Amero 6ee6f181ff Merge remote-tracking branch 'origin/pr/2435' into mbedtls-2.7
* origin/pr/2435:
  Use certificates from data_files and refer them
  Specify server certificate to use in SHA-1 test
  refactor CA and SRV certificates into separate blocks
  refactor SHA-1 certificate defintions and assignment
  refactor server SHA-1 certificate definition into a new block
  define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
  server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
  add entry to ChangeLog
2019-03-05 16:25:53 +00:00
Manuel Pégourié-Gonnard a82d38dc7c Fix failure in SSLv3 per-version suites test
The test used 3DES as the suite for SSLv3, which now makes the handshake fails
with "no ciphersuite in common", failing the test as well. Use Camellia
instead (as there are not enough AES ciphersuites before TLS 1.2 to
distinguish between the 3 versions).

Document some dependencies, but not all. Just trying to avoid introducing new
issues by using a new cipher here, not trying to make it perfect, which is a
much larger task out of scope of this commit.
2019-03-01 10:33:58 +01:00
Antonin Décimo 8fd9156a4a Fix #2370, minor typos and spelling mistakes 2019-02-18 15:57:54 +00:00
Ron Eldor 664623ebbc Specify server certificate to use in SHA-1 test
Specify the SHA-1 server certificate to use in the SHA-1 test,
because now the default certificates use SHA256 certificates.
2019-02-12 15:39:42 +02:00
Hanno Becker a34cc6b1c6 Correct length check for DTLS records from old epochs.
DTLS records from previous epochs were incorrectly checked against the
current epoch transform's minimal content length, leading to the
rejection of entire datagrams. This commit fixed that and adapts two
test cases accordingly.

Internal reference: IOTSSL-1417
2019-01-30 15:07:09 +01:00
Andrzej Kurek c895821766 ssl-opt.sh: change expected output for large srv packet test with SSLv3
This test also exercises a protection against BEAST
and should expect message splitting.
2018-09-26 22:53:13 +01:00
Andrzej Kurek d731a6348a Add missing large and small packet tests for ssl_server2 2018-09-26 22:53:12 +01:00
Andrzej Kurek 557335e56d Added buffer_size and response_size options for ssl-server2.
Added appropriate tests.
2018-09-26 22:53:12 +01:00
Simon Butcher 651902d062 Merge remote-tracking branch 'public/pr/1972' into mbedtls-2.7 2018-09-26 22:35:51 +01:00
Simon Butcher cc4f58d08c Merge remote-tracking branch 'public/pr/1956' into mbedtls-2.7 2018-08-28 12:16:11 +01:00
Hanno Becker dc6c0e49ad ssl-opt.sh: Preserve proxy log, too, if --preserve-logs is specified 2018-08-22 15:24:25 +01:00
Hanno Becker b554636236 ssl-opt.sh: Add DTLS session resumption tests
Fixes #1969.
2018-08-22 15:07:31 +01:00
Hanno Becker 3a333a58ba Add tests for empty CA list in CertificateRequest, TLS 1.0 & 1.1 2018-08-17 10:04:08 +01:00
Jaeden Amero f37a99e3fc Merge remote-tracking branch 'upstream-public/pr/1814' into mbedtls-2.7 2018-08-10 11:01:29 +01:00
Andres Amaya Garcia 14783c47e7 Add test for empty app data records to ssl-opt.sh 2018-07-16 20:14:54 +01:00
Gilles Peskine 7163a6ad91 Fix ssl-opt.sh not starting when lsof is not available
$START_DELAY was used before it was defined.
2018-06-29 16:03:22 +02:00
Ron Eldor 94226d8e61 Update ssl-opt.sh test to run condition
1. Update the test script to un the ECC tests only if the relevant
configurations are defined in `config.h` file
2. Change the HASH of the ciphersuite from SHA1 based to SHA256
for better example
2018-06-28 16:19:14 +03:00
Ron Eldor c7f1523a9e Add ECC extensions test in ssl-opts.sh
Add test to verify if an ecc based extension exists
or not if an ecc based ciphersuite is used or not.
2018-06-28 15:53:22 +03:00
Andres Amaya Garcia f9519bfa60 Add more SNI/DTLS tests
Run the normal SNI/TLS tests over DTLS in ssl-opt.sh for greater
coverage.
2018-05-30 08:21:26 +01:00
Andres Amaya Garcia 914eea44e7 Rename SNI/DTLS tests in ssl-opt.sh script 2018-05-30 08:21:25 +01:00
Andres AG e8b0774392 Add SNI with DTLS tests to ssl-opt.sh script 2018-05-30 08:21:22 +01:00
Azim Khan 03da121663 Enable SSL test scripts to dump logs on stdout 2018-04-03 17:58:35 +01:00
Gilles Peskine 3f9cff20d7 Merge branch 'prr_424' into mbedtls-2.7-proposed 2018-02-22 16:07:32 +01:00
Jaeden Amero ade51aff1a Merge branch 'development' into development-restricted 2018-01-29 12:49:05 +00:00
Jaeden Amero 784de59ccd Merge remote-tracking branch 'upstream-restricted/pr/410' into development-restricted
- Resolve ChangeLog conflicts
- Update Doxygen warning block in dhm.h to render correctly
- Prefix the exported identifier deprecated_constant_t with mbedtls_
2018-01-26 18:43:04 +00:00
Gilles Peskine 3c9e2b5004 wait_server_start: warn if lsof is not available
If lsof is not available, wait_server_start uses a fixed timeout,
which can trigger a race condition if the timeout turns out to be too
short. Emit a warning so that we know this is going on from the test
logs.
2018-01-22 10:29:24 +01:00
Manuel Pégourié-Gonnard 0d225daf7d Increase waiting times compat.sh and ssl-opt.sh
- Some of the CI machines don't have lsof installed yet, so rely on an sleeping
an arbitrary number of seconds while the server starts. We're seeing
occasional failures with the current delay because the CI machines are highly
loaded, which seems to indicate the current delay is not quite enough, but
hopefully not to far either, so double it.

- While at it, also double the watchdog delay: while I don't remember seeing
  much failures due to client timeout, this change doesn't impact normal
running time of the script, so better err on the safe side.

These changes don't affect the test and should only affect the false positive
rate coming from the test framework in those scripts.
2018-01-22 10:22:09 +01:00
Manuel Pégourié-Gonnard d08d958813 Merge branch 'development' into development-restricted
* development:
  compat.sh: use wait_server_start
  wait_server_start: minor efficiency improvement
2017-12-21 11:12:36 +01:00
Gilles Peskine 418b536028 wait_server_start: minor efficiency improvement
In wait_server_start, fork less. When lsof is present, call it on the
expected process. This saves a few percent of execution time on a
lightly loaded machine. Also, sleep for a short duration rather than
using a tight loop.
2017-12-14 18:58:42 +01:00
Gilles Peskine 02e28fe0fd Merge remote-tracking branch 'upstream-restricted/pr/425' into development-restricted 2017-12-01 17:58:12 +01:00
Gilles Peskine 0884f4811b Merge remote-tracking branch 'upstream-public/pr/1141' into development 2017-11-29 20:50:59 +01:00
Gilles Peskine 68306ed31f Merge remote-tracking branch 'upstream-public/pr/1094' into development 2017-11-23 20:02:46 +01:00
Hanno Becker 909f9a389a Improve style in tests/ssl-opt.sh
Try to avoid line breaks in server and client command line arguments to ease
reading of test cases.
2017-11-21 17:10:12 +00:00
Hanno Becker 45ee7877d0 Correct truncated HMAC tests in ssl-opt.sh
Many truncated HMAC tests were missing the `trunc_hmac=1` for the server
application, thereby not testing the extension.
2017-11-20 16:51:44 +00:00
Hanno Becker 4c4f41030c Add truncated HMAC extension tests for DTLS 2017-11-20 16:25:50 +00:00
Hanno Becker 34d0c3f02e Add missing truncated HMAC test for TLS
The case 'Client disabled, Server enabled' was missing.
2017-11-20 16:25:50 +00:00