From 3abca9510a7fb40688a2be115e41e93c15f3b38b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 4 Sep 2024 16:31:06 +0200 Subject: [PATCH] Test ssl_pthread_server Test ssl_pthread_server with both TLS 1.2 and TLS 1.3. Test against both OpenSSL and GnuTLS. In the server, flush more often. Otherwise, when stdout is redirected to a file, the server gets killed before it writes important information, such as the logs that we expect in the test cases. Clean up compile-time requirements in ssl_pthread_server.c: any certificate-based key exchange is ok, so don't insist on built-in RSA. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_pthread_server.c | 37 +++++++++++++++----------- tests/opt-testcases/sample.sh | 44 +++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 6 +++++ 3 files changed, 71 insertions(+), 16 deletions(-) diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index fcb8f2f4d5..7edf4a81b0 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -10,20 +10,21 @@ #include "mbedtls/platform.h" -#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ - !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \ - !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \ - !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \ - !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_THREADING_C) || \ - !defined(MBEDTLS_THREADING_PTHREAD) || !defined(MBEDTLS_PEM_PARSE_C) +#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \ + !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \ + !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) int main(void) { - mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C " - "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " - "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or " - "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or " - "MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD " - "and/or MBEDTLS_PEM_PARSE_C not defined.\n"); + mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or " + "MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or " + "MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C " + "not defined.\n"); + mbedtls_exit(0); +} +#elif !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD) +int main(void) +{ + mbedtls_printf("MBEDTLS_THREADING_PTHREAD not defined.\n"); mbedtls_exit(0); } #else @@ -123,6 +124,7 @@ static void *handle_ssl_connection(void *data) * 5. Handshake */ mbedtls_printf(" [ #%ld ] Performing the SSL/TLS handshake\n", thread_id); + fflush(stdout); while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { @@ -138,6 +140,7 @@ static void *handle_ssl_connection(void *data) * 6. Read the HTTP Request */ mbedtls_printf(" [ #%ld ] < Read from client\n", thread_id); + fflush(stdout); do { len = sizeof(buf) - 1; @@ -170,6 +173,7 @@ static void *handle_ssl_connection(void *data) len = ret; mbedtls_printf(" [ #%ld ] %d bytes read\n=====\n%s\n=====\n", thread_id, len, (char *) buf); + fflush(stdout); if (ret > 0) { break; @@ -180,6 +184,7 @@ static void *handle_ssl_connection(void *data) * 7. Write the 200 Response */ mbedtls_printf(" [ #%ld ] > Write to client:\n", thread_id); + fflush(stdout); len = sprintf((char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite(&ssl)); @@ -201,6 +206,7 @@ static void *handle_ssl_connection(void *data) len = ret; mbedtls_printf(" [ #%ld ] %d bytes written\n=====\n%s\n=====\n", thread_id, len, (char *) buf); + fflush(stdout); mbedtls_printf(" [ #%ld ] . Closing the connection...", thread_id); @@ -214,6 +220,7 @@ static void *handle_ssl_connection(void *data) } mbedtls_printf(" ok\n"); + fflush(stdout); ret = 0; @@ -442,6 +449,7 @@ reset: * 3. Wait until a client connects */ mbedtls_printf(" [ main ] Waiting for a remote connection\n"); + fflush(stdout); if ((ret = mbedtls_net_accept(&listen_fd, &client_fd, NULL, 0, NULL)) != 0) { @@ -483,7 +491,4 @@ exit: mbedtls_exit(ret); } -#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && - MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C && - MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_THREADING_C && - MBEDTLS_THREADING_PTHREAD && MBEDTLS_PEM_PARSE_C */ +#endif /* configuration allows running this program */ diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh index 82a95b8b9c..4684172c3b 100644 --- a/tests/opt-testcases/sample.sh +++ b/tests/opt-testcases/sample.sh @@ -118,3 +118,47 @@ run_test "Sample: ssl_server, gnutls client, TLS 1.3" \ -c "Description:.*TLS1.3" \ -S "error" \ -C "ERROR" + +requires_protocol_version tls12 +run_test "Sample: ssl_pthread_server, openssl client, TLS 1.2" \ + -P 4433 \ + "$PROGRAMS_DIR/ssl_pthread_server" \ + "$O_CLI -tls1_2" \ + 0 \ + -s "Successful connection using: TLS-" \ + -c "New, TLSv1.2, Cipher is" \ + -S "error" \ + -C "ERROR" + +requires_protocol_version tls12 +run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.2" \ + -P 4433 \ + "$PROGRAMS_DIR/ssl_pthread_server" \ + "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \ + 0 \ + -s "Successful connection using: TLS-" \ + -c "Description:.*TLS1.2" \ + -S "error" \ + -C "ERROR" + +requires_protocol_version tls13 +run_test "Sample: ssl_pthread_server, openssl client, TLS 1.3" \ + -P 4433 \ + "$PROGRAMS_DIR/ssl_pthread_server" \ + "$O_CLI -tls1_3" \ + 0 \ + -s "Successful connection using: TLS1-3-" \ + -c "New, TLSv1.3, Cipher is" \ + -S "error" \ + -C "ERROR" + +requires_protocol_version tls13 +run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \ + -P 4433 \ + "$PROGRAMS_DIR/ssl_pthread_server" \ + "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \ + 0 \ + -s "Successful connection using: TLS1-3-" \ + -c "Description:.*TLS1.3" \ + -S "error" \ + -C "ERROR" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c1b5421957..cb2cc0f687 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -500,6 +500,7 @@ detect_required_features() { requires_config_enabled MBEDTLS_SSL_CLI_C requires_certificate_authentication ;; + *"programs/ssl/ssl_pthread_server "*|\ *"programs/ssl/ssl_server "*) requires_config_enabled MBEDTLS_CTR_DRBG_C requires_config_enabled MBEDTLS_ENTROPY_C @@ -509,6 +510,11 @@ detect_required_features() { ;; esac + case " $CMD_LINE " in + *"programs/ssl/ssl_pthread_server "*) + requires_config_enabled MBEDTLS_THREADING_PTHREAD;; + esac + case "$CMD_LINE" in *[-_\ =]psk*|*[-_\ =]PSK*) :;; # No certificate requirement with PSK */server5*|\