Commit graph

610 commits

Author SHA1 Message Date
Jerry Yu
0402979ed3 Add openssl/gnutls tls1.3 feature tests.
Add functions and test cases to make sure
tls1.3 is available in openssl/gnutls

Change-Id: I797d15117a8de96614f392e6bb2ed16b6d71ba69
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-11 18:09:49 +08:00
Jerry Yu
b9930e7d70 Add dummy tls1.3 handshake dispatch functions
Base on version config, `handshack_{clinet,server}_step`
will call different step function. TLS1.3 features will
be gradully added base on it.

And a new test cases is added to make sure it reports
`feature is not available`.

Change-Id: I4f0e36cb610f5aa59f97910fb8204bfbf2825949
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-10 13:34:32 +08:00
Jerry Yu
c46e9b4091 tests: Add negative version config tests.
tls1.3 and tls1.2 can not be enabled at same
time before #4832 resolved.

And the test won't run into `handshake` stage, add
`skip_handshak_check` function to skip it.

Change-Id: I13f3b06b2f33b9c9beb8cac90f5fda41a4ed53f3
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2021-08-10 13:34:32 +08:00
Gilles Peskine
78f6f05778
Merge pull request #4695 from yutotakano/fix-ssl-opt.sh-hard-abort
ssl-opt.sh: Skip tests instead of conditional hard abort
2021-08-04 10:16:19 +02:00
Manuel Pégourié-Gonnard
06672ef771
Merge pull request #4776 from gilles-peskine-arm/generate_psa_tests-robutness-202107
Fix bugs around generate_psa_tests.py invocation from tests/Makefile
2021-07-29 09:58:19 +02:00
Manuel Pégourié-Gonnard
b637150dfe
Merge pull request #4730 from TRodziewicz/finish_removing_tls_1.0_and_1.1
Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
2021-07-27 09:42:53 +02:00
Gilles Peskine
6ee3bc09ed Fix typo in test dependencies
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-13 20:34:55 +02:00
TRodziewicz
c3366a4185 Added mis-removed test and removed unneeded tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-07-09 16:57:20 +02:00
Yuto Takano
3fa1673cf6 Fix grammar suggesting an upper bound on MAX_CONTENT_LEN
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:23:40 +01:00
Yuto Takano
9c09d5513e Raise max_content_len constraint by one in Connection ID tests
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-08 16:03:44 +01:00
Yuto Takano
bc87b1ddf3 Add content length constraint to tests that use max_frag_len
Includes:
- handshake memory tests
- Connection ID (MFL) tests
- DTLS fragmenting tests

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-08 15:56:33 +01:00
Yuto Takano
6f6574381e Move repetitive equality check to requires_config_value_equals
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
0248582033 Reword and add explanatory comments for MAX_IM_CA tests
- Reword the comment on config.h to suggest that
  `MAX_INTERMEDIATE_CA` may not exist in the config.
- Add a comment explaining why the tests are more restrictive
  than necessary.

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
b0a1c5b021 Use requires_max_content_len, add check in Renegotiation
- Abstract out repetitive checks for IN and OUT content lens
- Remove unclear comment and redundant echo
- Add content length constraints in Renegotiation with fragment length test

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
2be6f1ac5b Add space between command substitution braces and content
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
73e7dcbdfc Add MAX_IM_CA requirement to int_max+1 chain as well
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
e43556b6bf Remove hard exit with MAX_INTERMEDIATE_CA in ssl-opt.sh
- Replace last remaining dependency on config.py with query_config
- Replace hard exit with `requires_config_value_at_least` and
  `requires_config_value_at_most` to maintain the same effect

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Yuto Takano
0509fea3b2 Remove hard exit in ssh-opt.sh, replace with requires functions
- Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with
  `get_config_value_or_default`
- Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with
  `requires_config_value_at_least`

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-02 15:37:19 +01:00
Dave Rodgman
dc1a3b2d70
Merge pull request #4724 from hanno-arm/ssl_hs_parse_error_3_0
Cleanup SSL error code space
2021-06-30 09:02:55 +01:00
Dave Rodgman
c42409820b Change exceptional case for running negative tests
Update maybe_requires_ciphersuite_enabled so that it will not skip the
ciphersuite requirement when running a test case where the test expects
a ciphersuite mismatch

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 19:53:16 +01:00
Dave Rodgman
e5b828cb32 Fix error string checked for by ssl-opt.sh negative tests
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 19:37:52 +01:00
Dave Rodgman
bec7cafbe1 Correct required config flag in ECJPAKE tests
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 19:10:46 +01:00
Dave Rodgman
737237fe37 Fix ECJPAKE test failures
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 19:08:33 +01:00
Dave Rodgman
6ce10be0ce Fix test failure
The test was checking for an obsolete error.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 14:23:47 +01:00
TRodziewicz
2abf03c551 Remove all TLS 1.0 and 1.1 instances and add some compatibility tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-28 14:36:37 +02:00
Bence Szépkúti
bb0cfeb2d4 Rename config.h to mbedtls_config.h
This commit was generated using the following script:

# ========================
#!/bin/sh
git ls-files | grep -v '^ChangeLog' | xargs sed -b -E -i '
s/((check|crypto|full|mbedtls|query)_config)\.h/\1\nh/g
s/config\.h/mbedtls_config.h/g
y/\n/./
'
mv include/mbedtls/config.h include/mbedtls/mbedtls_config.h
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2021-06-28 09:28:33 +01:00
Gilles Peskine
e9bc857327
Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export
Implement modified key export API for Mbed TLS 3.0
2021-06-22 18:52:37 +02:00
Manuel Pégourié-Gonnard
3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00
Hanno Becker
11a4c1abcd Adapt key export test in ssl-opt.sh to reduced output
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Gilles Peskine
4a02cef402 Test restartable ECC with a curve that supports it
The default curve is now Curve25519, which doesn't support restartable ECC.
So run the restartable ECC tests with a curve that does support it. Use
secp256r1 which is required for these tests anyway for the server's
certificate.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
799eee65fd Update the expected default curve in ssl-opt.sh
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
12b5b38981 Fix "PSA - ECDH with [non-default curve]"
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Thomas Daubney
5f43f978f0 Removes tests from ssl-opt.sh
Commit removes tests from ssl-opt.sh
that were specific to
MBEDTLS_SSL_TRUNCATED_HMAC extention.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2021-06-16 16:19:53 +01:00
Manuel Pégourié-Gonnard
16fdab79a5
Merge pull request #4382 from hanno-arm/max_record_payload_api
Remove MFL query API and add API for maximum plaintext size of incoming records
2021-06-08 11:07:27 +02:00
Hanno Becker
59d3670fa5 Fix ssl-opt.sh test cases grepping for MFL configuration output
Use and grep for the new max in/out record payload length API instead.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-08 05:35:29 +01:00
Hanno Becker
d60b6c62d5 Remove per-version ciphersuite configuration API
This commit removes the API

```
    mbedtls_ssl_conf_ciphersuites_for_version()
```

which allows to configure lists of acceptable ciphersuites
for each supported version of SSL/TLS: SSL3, TLS 1.{0,1,2}.

With Mbed TLS 3.0, support for SSL3, TLS 1.0 and TLS 1.1
is dropped. Moreover, upcoming TLS 1.3 support has a different
notion of cipher suite and will require a different API.

This means that it's only for TLS 1.2 that we require
a ciphersuite configuration API, and

```
   mbedtls_ssl_conf_ciphersuites()
```

can be used for that. The version-specific ciphersuite
configuration API `mbedtls_ssl_conf_ciphersuites_for_version()`,
in turn, is no longer needed.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-04 12:20:10 +02:00
TRodziewicz
4ca18aae38 Corrections after the code review
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 13:38:00 +02:00
TRodziewicz
97e41723fa Remove the _SSL_FALLBACK_ tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:50:42 +02:00
TRodziewicz
ef73f01927 Removing strayed dtls1 after doing tests
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:49:04 +02:00
TRodziewicz
0f82ec6740 Remove the TLS 1.0 and 1.1 support
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-05-24 12:45:20 +02:00
Manuel Pégourié-Gonnard
ea047c8590
Merge pull request #4429 from gilles-peskine-arm/openssl-dhparam-robustness-3.0
Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman
2021-05-21 10:16:38 +02:00
David Horstmann
95d516f319 Remove MBEDTLS_SSL_MAX_CONTENT_LEN option
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-05-10 17:02:48 +01:00
Gilles Peskine
85f023b007
Merge pull request #3950 from gilles-peskine-arm/dhm_min_bitlen-bits
Enforce dhm_min_bitlen exactly
2021-04-29 14:55:30 +02:00
Hanno Becker
c5722d1fb1 Add missing MBEDTLS_X509_REMOVE_INFO guards to ssl-opt.sh
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:20:56 +01:00
Gilles Peskine
96f5baecec Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman
Our interoperability tests fail with a recent OpenSSL server. The
reason is that they force 1024-bit Diffie-Hellman parameters, which
recent OpenSSL (e.g. 1.1.1f on Ubuntu 20.04) reject:
```
140072814650688:error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small:../ssl/s3_lib.c:3782:
```

We've been passing custom DH parameters since
6195767554 because OpenSSL <=1.0.2a
requires it. This is only concerns the version we use as
OPENSSL_LEGACY. So only use custom DH parameters for that version. In
compat.sh, use it based on the observed version of $OPENSSL_CMD.

This way, ssl-opt.sh and compat.sh work (barring other issues) for all
our reference versions of OpenSSL as well as for a modern system OpenSSL.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-27 11:54:53 +02:00
Mateusz Starzyk
a58625f90d Remove optional SHA-1 in the default TLS configuration.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-16 18:39:10 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Gilles Peskine
a8a7033cb1
Merge pull request #3615 from gilles-peskine-arm/ssl-opt-less-grep-development
Speed up ssl-opt.sh when running a small number of test cases
2021-04-06 11:05:34 +02:00
Gilles Peskine
c6b0d96c31 More precise testing of dhm_min_len
An SSL client can be configured to insist on a minimum size for the
Diffie-Hellman (DHM) parameters sent by the server. Add several test
cases where the server sends parameters with exactly the minimum
size (must be accepted) or parameters that are one bit too short (must
be rejected). Make sure that there are test cases both where the
boundary is byte-aligned and where it isn't.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-04-01 14:18:31 +02:00
Gilles Peskine
defdc3bc53 SECP224K1 is not yet supported via the PSA API
Filed as https://github.com/ARMmbed/mbedtls/issues/3541. In the
meantime, disable the ssl-opt.sh test case that uses it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-03-23 13:59:58 +01:00