Merge pull request #9954 from gabor-mezei-arm/9753_migrate_RSA_key_exchange_tests
Migrate RSA-decryption test cases
commit
2d1f26037f
@ -70,6 +70,13 @@
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
#define MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
#endif
|
||||
|
||||
#if defined(PSA_WANT_ALG_GCM) || \
|
||||
defined(PSA_WANT_ALG_CCM) || \
|
||||
defined(PSA_WANT_ALG_CHACHA20_POLY1305)
|
||||
#define MBEDTLS_TEST_HAS_AEAD_ALG
|
||||
#endif
|
||||
|
||||
enum {
|
||||
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
|
||||
tls13_label_ ## name,
|
||||
|
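Review bot: `MBEDTLS_TEST_HAS_AEAD_ALG` is introduced without a comment, and its condition looks only at the algorithm symbols (`PSA_WANT_ALG_GCM`, `PSA_WANT_ALG_CCM`, `PSA_WANT_ALG_CHACHA20_POLY1305`), not at a matching key type. No line in the part of the page I can see uses the macro, so what it gates is unknown here. If it guards test cases that force an AES-based AEAD suite, a build that wants GCM or CCM but not `PSA_WANT_KEY_TYPE_AES` would still enable them. I would add a comment above the `#if`, for example `/* At least one AEAD algorithm is enabled; this says nothing about which key types are available. */`, so that each user of the macro adds its own key-type dependency.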
@ -242,8 +242,8 @@ component_test_small_mbedtls_ssl_dtls_max_buffering () {
|
||||
tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
|
||||
}
|
||||
|
||||
# Common helper for component_full_without_ecdhe_ecdsa() and
|
||||
# component_full_without_ecdhe_ecdsa_and_tls13() which:
|
||||
# Common helper for component_full_without_ecdhe_ecdsa(),
|
||||
# component_full_without_ecdhe_ecdsa_and_tls13() and component_full_without_tls13 which:
|
||||
# - starts from the "full" configuration minus the list of symbols passed in
|
||||
# as 1st parameter
|
||||
# - build
|
||||
@ -277,6 +277,10 @@ component_full_without_ecdhe_ecdsa_and_tls13 () {
|
||||
MBEDTLS_SSL_PROTO_TLS1_3"
|
||||
}
|
||||
|
||||
component_full_without_tls13 () {
|
||||
build_full_minus_something_and_test_tls "MBEDTLS_SSL_PROTO_TLS1_3"
|
||||
}
|
||||
|
||||
component_build_no_ssl_srv () {
|
||||
msg "build: full config except SSL server, make, gcc" # ~ 30s
|
||||
scripts/config.py full
|
||||
|
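Review bot: The new `component_full_without_tls13` carries no comment saying why a full-minus-TLS-1.3 build is needed, and neither the hunk nor the commit description gives the reason. A one-line comment above the function naming the test cases that rely on this configuration would let a later maintainer judge when the component can be dropped. In the updated helper comment the new name is also written without parentheses, unlike the two names before it; `# component_full_without_ecdhe_ecdsa_and_tls13() and component_full_without_tls13() which:` would keep the list consistent.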
235
tests/ssl-opt.sh
235
tests/ssl-opt.sh
@ -2502,20 +2502,6 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \
|
||||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
|
||||
requires_config_enabled MBEDTLS_RSA_C
|
||||
requires_hash_alg SHA_256
|
||||
run_test "Opaque key for server authentication: RSA-" \
|
||||
"$P_SRV debug_level=3 key_opaque=1 key_opaque_algs=rsa-decrypt,none " \
|
||||
"$P_CLI force_version=tls12 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA256" \
|
||||
0 \
|
||||
-c "Verifying peer X.509 certificate... ok" \
|
||||
-c "Ciphersuite is TLS-RSA-" \
|
||||
-s "key types: Opaque, Opaque" \
|
||||
-s "Ciphersuite is TLS-RSA-" \
|
||||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
|
||||
requires_config_enabled MBEDTLS_RSA_C
|
||||
requires_hash_alg SHA_256
|
||||
@ -3618,7 +3604,7 @@ run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024"
|
||||
|
||||
run_test "Encrypt then MAC: default" \
|
||||
"$P_SRV debug_level=3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
@ -3630,7 +3616,7 @@ run_test "Encrypt then MAC: default" \
|
||||
|
||||
run_test "Encrypt then MAC: client enabled, server disabled" \
|
||||
"$P_SRV debug_level=3 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3 etm=1" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
@ -3642,7 +3628,7 @@ run_test "Encrypt then MAC: client enabled, server disabled" \
|
||||
|
||||
run_test "Encrypt then MAC: client enabled, aead cipher" \
|
||||
"$P_SRV debug_level=3 etm=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_CLI debug_level=3 etm=1" \
|
||||
0 \
|
||||
-c "client hello, adding encrypt_then_mac extension" \
|
||||
@ -3654,7 +3640,7 @@ run_test "Encrypt then MAC: client enabled, aead cipher" \
|
||||
|
||||
run_test "Encrypt then MAC: client disabled, server enabled" \
|
||||
"$P_SRV debug_level=3 etm=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||
"$P_CLI debug_level=3 etm=0" \
|
||||
0 \
|
||||
-C "client hello, adding encrypt_then_mac extension" \
|
||||
@ -3740,7 +3726,7 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \
|
||||
|
||||
run_test "CBC Record splitting: TLS 1.2, no splitting" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA \
|
||||
request_size=123" \
|
||||
0 \
|
||||
-s "Read from client: 123 bytes read" \
|
||||
@ -7776,20 +7762,6 @@ run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \
|
||||
|
||||
# Tests for keyUsage in leaf certificates, part 2:
|
||||
# client-side checking of server cert
|
||||
#
|
||||
# TLS 1.3 uses only signature, but for 1.2 it depends on the key exchange.
|
||||
# In 4.0 this will probably change as all TLS 1.2 key exchanges will use
|
||||
# signatures too, following the removal of RSA #8170 and static ECDH #9201.
|
||||
|
||||
run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, RSA: OK" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
-cert $DATA_FILES_PATH/server2.ku-ds_ke.crt" \
|
||||
"$P_CLI debug_level=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-C "bad certificate (usage extensions)" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, ECDHE-RSA: OK" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
@ -7801,16 +7773,6 @@ run_test "keyUsage cli 1.2: DigitalSignature+KeyEncipherment, ECDHE-RSA: OK"
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli 1.2: KeyEncipherment, RSA: OK" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
|
||||
"$P_CLI debug_level=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-C "bad certificate (usage extensions)" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli 1.2: KeyEncipherment, ECDHE-RSA: fail (hard)" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
-cert $DATA_FILES_PATH/server2.ku-ke.crt" \
|
||||
@ -7846,31 +7808,6 @@ run_test "keyUsage cli 1.2: DigitalSignature, ECDHE-RSA: OK" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (hard)" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
|
||||
"$P_CLI debug_level=3 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
1 \
|
||||
-c "bad certificate (usage extensions)" \
|
||||
-c "Processing of the Certificate handshake message failed" \
|
||||
-C "Ciphersuite is TLS-" \
|
||||
-c "send alert level=2 message=43" \
|
||||
-c "! Usage does not match the keyUsage extension"
|
||||
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
|
||||
|
||||
run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail (soft)" \
|
||||
"$O_SRV -tls1_2 -key $DATA_FILES_PATH/server2.key \
|
||||
-cert $DATA_FILES_PATH/server2.ku-ds.crt" \
|
||||
"$P_CLI debug_level=3 auth_mode=optional \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-c "bad certificate (usage extensions)" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-" \
|
||||
-C "send alert level=2 message=43" \
|
||||
-c "! Usage does not match the keyUsage extension"
|
||||
|
||||
requires_openssl_tls1_3_with_compatible_ephemeral
|
||||
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
run_test "keyUsage cli 1.3: DigitalSignature, RSA: OK" \
|
||||
@ -8981,14 +8918,14 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data (max)" \
|
||||
run_test "Small client packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
@ -9002,14 +8939,14 @@ run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
|
||||
run_test "Small client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small client packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
@ -9035,7 +8972,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
run_test "Small client packet DTLS 1.2" \
|
||||
"$P_SRV dtls=1 force_version=dtls12" \
|
||||
"$P_CLI dtls=1 request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
@ -9043,7 +8980,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
run_test "Small client packet DTLS 1.2, without EtM" \
|
||||
"$P_SRV dtls=1 force_version=dtls12 etm=0" \
|
||||
"$P_CLI dtls=1 request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
@ -9051,13 +8988,13 @@ run_test "Small client packet DTLS 1.2, without EtM" \
|
||||
|
||||
run_test "Small server packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA etm=0" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
@ -9069,13 +9006,13 @@ run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
|
||||
|
||||
run_test "Small server packet TLS 1.2 AEAD" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
run_test "Small server packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV response_size=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
@ -9099,7 +9036,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
run_test "Small server packet DTLS 1.2" \
|
||||
"$P_SRV dtls=1 response_size=1 force_version=dtls12" \
|
||||
"$P_CLI dtls=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
@ -9107,7 +9044,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
run_test "Small server packet DTLS 1.2, without EtM" \
|
||||
"$P_SRV dtls=1 response_size=1 force_version=dtls12 etm=0" \
|
||||
"$P_CLI dtls=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
@ -9121,7 +9058,7 @@ fragments_for_write() {
|
||||
run_test "Large client packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
@ -9129,7 +9066,7 @@ run_test "Large client packet TLS 1.2 BlockCipher" \
|
||||
run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 etm=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
@ -9144,7 +9081,7 @@ run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
|
||||
run_test "Large client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
@ -9152,7 +9089,7 @@ run_test "Large client packet TLS 1.2 AEAD" \
|
||||
run_test "Large client packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV force_version=tls12" \
|
||||
"$P_CLI request_size=16384 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
@ -9178,13 +9115,13 @@ run_test "Large client packet TLS 1.3 AEAD shorter tag" \
|
||||
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
|
||||
run_test "Large server packet TLS 1.2 BlockCipher" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI etm=0 force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
|
||||
"$P_CLI etm=0 force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA" \
|
||||
0 \
|
||||
-s "16384 bytes written in 1 fragments" \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
@ -9197,20 +9134,20 @@ run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
|
||||
|
||||
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV response_size=16384 trunc_hmac=1 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-s "16384 bytes written in 1 fragments" \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
run_test "Large server packet TLS 1.2 AEAD" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
run_test "Large server packet TLS 1.2 AEAD shorter tag" \
|
||||
"$P_SRV response_size=16384 force_version=tls12" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
@ -9538,51 +9475,6 @@ run_test "SSL async private: sign, SNI" \
|
||||
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
|
||||
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt, delay=0" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=0 async_private_delay2=0" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-s "Async resume (slot [0-9]): decrypt done, status=0"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt, delay=1" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-s "Async resume (slot [0-9]): call 0 more times." \
|
||||
-s "Async resume (slot [0-9]): decrypt done, status=0"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: sign callback not present" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1" \
|
||||
"$P_CLI force_version=tls12; [ \$? -eq 1 ] &&
|
||||
$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-S "Async sign callback" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-s "The own private key or pre-shared key is not set, but needed" \
|
||||
-s "Async resume (slot [0-9]): decrypt done, status=0" \
|
||||
-s "Successful connection"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt callback not present" \
|
||||
"$P_SRV debug_level=1 \
|
||||
async_operations=s async_private_delay1=1 async_private_delay2=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA;
|
||||
[ \$? -eq 1 ] && $P_CLI force_version=tls12" \
|
||||
0 \
|
||||
-S "Async decrypt callback" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-s "got no RSA private key" \
|
||||
-s "Async resume (slot [0-9]): sign done, status=0" \
|
||||
-s "Successful connection"
|
||||
|
||||
# key1: ECDSA, key2: RSA; use key1 from slot 0
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: slot 0 used with key1" \
|
||||
@ -9668,41 +9560,6 @@ run_test "SSL async private: sign, error in resume" \
|
||||
-S "Async cancel" \
|
||||
-s "! mbedtls_ssl_handshake returned"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt, error in start" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1 \
|
||||
async_private_error=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
1 \
|
||||
-s "Async decrypt callback: injected error" \
|
||||
-S "Async resume" \
|
||||
-S "Async cancel" \
|
||||
-s "! mbedtls_ssl_handshake returned"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt, cancel after start" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1 \
|
||||
async_private_error=2" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
1 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-S "Async resume" \
|
||||
-s "Async cancel"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: decrypt, error in resume" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1 \
|
||||
async_private_error=3" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
1 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-s "Async resume callback: decrypt done but injected error" \
|
||||
-S "Async cancel" \
|
||||
-s "! mbedtls_ssl_handshake returned"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
run_test "SSL async private: cancel after start then operate correctly" \
|
||||
"$P_SRV force_version=tls12 \
|
||||
@ -9790,37 +9647,13 @@ run_test "SSL async private: renegotiation: server-initiated, sign" \
|
||||
-s "Async sign callback: using key slot " \
|
||||
-s "Async resume (slot [0-9]): sign done, status=0"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||
run_test "SSL async private: renegotiation: client-initiated, decrypt" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1 \
|
||||
exchanges=2 renegotiation=1" \
|
||||
"$P_CLI exchanges=2 renegotiation=1 renegotiate=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-s "Async resume (slot [0-9]): decrypt done, status=0"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
|
||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||
run_test "SSL async private: renegotiation: server-initiated, decrypt" \
|
||||
"$P_SRV \
|
||||
async_operations=d async_private_delay1=1 async_private_delay2=1 \
|
||||
exchanges=2 renegotiation=1 renegotiate=1" \
|
||||
"$P_CLI exchanges=2 renegotiation=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "Async decrypt callback: using key slot " \
|
||||
-s "Async resume (slot [0-9]): decrypt done, status=0"
|
||||
|
||||
# Tests for ECC extensions (rfc 4492)
|
||||
|
||||
requires_hash_alg SHA_256
|
||||
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
run_test "Force a non ECC ciphersuite in the client side" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
|
||||
"$P_SRV debug_level=3 psk=73776f726466697368" \
|
||||
"$P_CLI debug_level=3 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA256" \
|
||||
0 \
|
||||
-C "client hello, adding supported_groups extension" \
|
||||
-C "client hello, adding supported_point_formats extension" \
|
||||
@ -9828,10 +9661,10 @@ run_test "Force a non ECC ciphersuite in the client side" \
|
||||
-S "found supported point formats extension"
|
||||
|
||||
requires_hash_alg SHA_256
|
||||
requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
requires_config_enabled MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
|
||||
run_test "Force a non ECC ciphersuite in the server side" \
|
||||
"$P_SRV debug_level=3 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
|
||||
"$P_CLI debug_level=3" \
|
||||
"$P_SRV debug_level=3 psk=73776f726466697368 force_ciphersuite=TLS-PSK-WITH-AES-128-CBC-SHA256" \
|
||||
"$P_CLI debug_level=3 psk=73776f726466697368" \
|
||||
0 \
|
||||
-C "found supported_point_formats extension" \
|
||||
-S "server hello, supported_point_formats extension"
|
||||
@ -11792,11 +11625,11 @@ run_test "DTLS proxy: 3d (drop, delay, duplicate), \"short\" PSK handshake" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
client_needs_more_time 2
|
||||
run_test "DTLS proxy: 3d, \"short\" RSA handshake" \
|
||||
run_test "DTLS proxy: 3d, \"short\" ECDHE-RSA handshake" \
|
||||
-p "$P_PXY drop=5 delay=5 duplicate=5" \
|
||||
"$P_SRV dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 auth_mode=none" \
|
||||
"$P_CLI dtls=1 dgram_packing=0 hs_timeout=500-10000 tickets=0 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "Extra-header:" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
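Review bot: The hunk at `-9538,51 +9475,6` appears to drop "SSL async private: sign callback not present" together with the decrypt cases, although that case checks a sign-path failure rather than RSA decryption. Going by the hunk counts (51 old lines, 6 new) the whole run between the context lines is removed, and no other hunk in this section adds a replacement. The assertions `-S "Async sign callback"` and `-s "The own private key or pre-shared key is not set, but needed"` cover what the server does when a handshake needs a signature and no sign callback is registered. I would keep that half of the test, in a form that does not need a `TLS-RSA-` suite for the second connection. The same question applies to the removed "decrypt, error in start", "cancel after start" and "error in resume" cases while `MBEDTLS_KEY_EXCHANGE_RSA_ENABLED` is still referenced elsewhere in this commit: if the key exchange is still compiled in, its error paths lose their ssl-opt.sh coverage here.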
@ -368,9 +368,9 @@ Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:0
|
||||
|
||||
Handshake, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:0
|
||||
Handshake, ECDHE-RSA-WITH-AES-128-CBC-SHA256
|
||||
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256":MBEDTLS_PK_RSA:0
|
||||
|
||||
Handshake, ECDHE-RSA-WITH-AES-256-CBC-SHA384
|
||||
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
@ -396,9 +396,9 @@ DTLS Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_SSL_PROTO_DTLS:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:1
|
||||
|
||||
DTLS Handshake, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
handshake_cipher:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_PK_RSA:1
|
||||
DTLS Handshake, ECDHE-RSA-WITH-AES-128-CBC-SHA256
|
||||
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
||||
handshake_cipher:"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256":MBEDTLS_PK_RSA:1
|
||||
|
||||
DTLS Handshake, ECDHE-RSA-WITH-AES-256-CBC-SHA384
|
||||
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
@ -435,22 +435,6 @@ Handshake min/max version check, all -> 1.3
|
||||
depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_PKCS1_V21:MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
handshake_version:0:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_UNKNOWN:MBEDTLS_SSL_VERSION_TLS1_3
|
||||
|
||||
Handshake, select RSA-WITH-AES-256-CBC-SHA256, non-opaque
|
||||
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
|
||||
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque
|
||||
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:0:MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
|
||||
|
||||
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad alg
|
||||
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
|
||||
|
||||
Handshake, select RSA-WITH-AES-256-CBC-SHA256, opaque, bad usage
|
||||
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_ciphersuite_select:"TLS-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
|
||||
|
||||
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, non-opaque
|
||||
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
@ -629,39 +613,51 @@ DTLS serialization with MFL=4096
|
||||
resize_buffers_serialize_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096
|
||||
|
||||
DTLS no legacy renegotiation with MFL=512
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:""
|
||||
|
||||
DTLS no legacy renegotiation with MFL=1024
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:""
|
||||
|
||||
DTLS no legacy renegotiation with MFL=2048
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:""
|
||||
|
||||
DTLS no legacy renegotiation with MFL=4096
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:""
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=512
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:""
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=1024
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:""
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=2048
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:""
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=4096
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:""
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=512
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:""
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=1024
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:""
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=2048
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:""
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=4096
|
||||
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:""
|
||||
|
||||
DTLS no legacy renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-GCM-SHA384
|
||||
@ -712,53 +708,53 @@ DTLS legacy break handshake renegotiation with MFL=4096, ECDHE-RSA-WITH-AES-256-
|
||||
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
|
||||
|
||||
DTLS no legacy renegotiation with MFL=512, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS no legacy renegotiation with MFL=512, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS no legacy renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS no legacy renegotiation with MFL=1024, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS no legacy renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS no legacy renegotiation with MFL=2048, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS no legacy renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS no legacy renegotiation with MFL=4096, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=512, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy allow renegotiation with MFL=512, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy allow renegotiation with MFL=1024, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy allow renegotiation with MFL=2048, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy allow renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy allow renegotiation with MFL=4096, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=512, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy break handshake renegotiation with MFL=512, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=1024, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy break handshake renegotiation with MFL=1024, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=2048, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy break handshake renegotiation with MFL=2048, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS legacy break handshake renegotiation with MFL=4096, RSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-RSA-WITH-AES-128-CCM"
|
||||
DTLS legacy break handshake renegotiation with MFL=4096, ECDHE-ECDSA-WITH-AES-128-CCM
|
||||
depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE:"TLS-ECDHE-ECDSA-WITH-AES-128-CCM"
|
||||
|
||||
DTLS no legacy renegotiation with MFL=512, ECDHE-RSA-WITH-AES-256-CBC-SHA384
|
||||
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ALG_SHA_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||
|
@ -2825,7 +2825,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
|
||||
void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation,
|
||||
int serialize, int dtls, char *cipher)
|
||||
{
|
||||
@ -2843,6 +2843,12 @@ void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation,
|
||||
}
|
||||
options.resize_buffers = 1;
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite =
|
||||
mbedtls_ssl_ciphersuite_from_string(cipher);
|
||||
if (ciphersuite != NULL) {
|
||||
options.pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite);
|
||||
}
|
||||
|
||||
mbedtls_test_ssl_perform_handshake(&options);
|
||||
|
||||
/* The goto below is used to avoid an "unused label" warning.*/
|
||||
@ -2852,17 +2858,39 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_256:MBEDTLS_TEST_HAS_AEAD_ALG:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
|
||||
void resize_buffers_serialize_mfl(int mfl)
|
||||
{
|
||||
/* Choose an AEAD ciphersuite */
|
||||
const int *ciphersuites = mbedtls_ssl_list_ciphersuites();
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite = NULL;
|
||||
int i = 0;
|
||||
while (ciphersuites[i] != 0) {
|
||||
ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]);
|
||||
|
||||
if (ciphersuite->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
|
||||
const mbedtls_ssl_mode_t mode =
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
|
||||
mbedtls_ssl_get_mode_from_ciphersuite(0, ciphersuite);
|
||||
#else
|
||||
mbedtls_ssl_get_mode_from_ciphersuite(ciphersuite);
|
||||
#endif
|
||||
if (mode == MBEDTLS_SSL_MODE_AEAD) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
i++;
|
||||
}
|
||||
|
||||
TEST_ASSERT(ciphersuite != NULL);
|
||||
|
||||
test_resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
|
||||
(char *) "");
|
||||
/* The goto below is used to avoid an "unused label" warning.*/
|
||||
goto exit;
|
||||
(char *) ciphersuite->name);
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */
|
||||
void resize_buffers_renegotiate_mfl(int mfl, int legacy_renegotiation,
|
||||
char *cipher)
|
||||
{
|
||||
|
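Review bot: In `resize_buffers_serialize_mfl`, the `TEST_ASSERT(ciphersuite != NULL)` after the selection loop does not prove that an AEAD suite was found. When no TLS 1.2 suite reaches the `break`, `ciphersuite` still points at the last entry examined, so the test would continue with a non-AEAD suite name instead of failing. Adding `ciphersuite = NULL;` just before `i++;` makes the assertion match the `/* Choose an AEAD ciphersuite */` comment. The `MBEDTLS_TEST_HAS_AEAD_ALG` dependency makes this case unlikely, but as far as this page shows it does not guarantee that a TLS 1.2 AEAD suite is in the list. The loop also dereferences the result of `mbedtls_ssl_ciphersuite_from_id()` unchecked; if that lookup can return NULL for a listed id (not visible here), guard it with `if (ciphersuite != NULL && ciphersuite->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {`.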