- Replace last remaining dependency on config.py with query_config
- Replace hard exit with `requires_config_value_at_least` and
`requires_config_value_at_most` to maintain the same effect
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
- Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with
`get_config_value_or_default`
- Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with
`requires_config_value_at_least`
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
Update maybe_requires_ciphersuite_enabled so that it will not skip the
ciphersuite requirement when running a test case where the test expects
a ciphersuite mismatch
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
The default curve is now Curve25519, which doesn't support restartable ECC.
So run the restartable ECC tests with a curve that does support it. Use
secp256r1 which is required for these tests anyway for the server's
certificate.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Commit removes tests from ssl-opt.sh
that were specific to
MBEDTLS_SSL_TRUNCATED_HMAC extention.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
This commit removes the API
```
mbedtls_ssl_conf_ciphersuites_for_version()
```
which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.
With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.
This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and
```
mbedtls_ssl_conf_ciphersuites()
```
can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Our interoperability tests fail with a recent OpenSSL server. The
reason is that they force 1024-bit Diffie-Hellman parameters, which
recent OpenSSL (e.g. 1.1.1f on Ubuntu 20.04) reject:
```
140072814650688:error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:../ssl/s3_lib.c:3782:
```
We've been passing custom DH parameters since
6195767554 because OpenSSL <=1.0.2a
requires it. This is only concerns the version we use as
OPENSSL_LEGACY. So only use custom DH parameters for that version. In
compat.sh, use it based on the observed version of $OPENSSL_CMD.
This way, ssl-opt.sh and compat.sh work (barring other issues) for all
our reference versions of OpenSSL as well as for a modern system OpenSSL.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For calls to gnutls-serv and gnutls-cli where --priority is not
specified, explicitly add the default value: --priority=normal. This is
needed for some tests on Ubuntu 20.04 (gnutls 3.6.13).
For example:
./ssl-opt.sh -f "DTLS fragmenting: gnutls.*1.0"
requires this PR to work on Ubuntu 20.04
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
We care about the exit code of our server, for example if it's
reporting a memory leak after having otherwise executed correctly.
We don't care about the exit code of the servers we're using for
interoperability testing (openssl s_server, gnutls-serv). We assume
that they're working correctly anyway, and they return 1 (gnutls-serv)
or die by the signal handle the signal (openssl) when killed by a
signal.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This used to be the case a long time ago but was accidentally broken.
Fix <github:nogrep> #4103 for ssl-opt.sh.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Force using IPv4 in the GNU_CLI SRTP tests, as introduced for
other tests in #1918.
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>