mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-22 22:20:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #9541 from gilles-peskine-arm/ssl-opt-sample-programs-3.6

Browse Source 
Backport 3.6: test sample programs in ssl-opt.sh
This commit is contained in:
David Horstmann 2024-09-26 14:33:13 +00:00 committed by GitHub
commit 55b43e5cfb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 540 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
programs/ssl/dtls_client.c
View File

@ -9,18 +9,17 @@
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_TIMING_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C)
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_SSL_CLI_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_NET_C and/or MBEDTLS_TIMING_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_TIMING_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
@ -45,7 +44,7 @@ int main(void)
#ifdef FORCE_IPV4
#define SERVER_ADDR "127.0.0.1" /* Forces IPv4 */
#else
#define SERVER_ADDR "::1"
#define SERVER_ADDR SERVER_NAME
#endif
#define MESSAGE "Echo this"
@ -337,6 +336,5 @@ exit:
mbedtls_exit(ret);
}
#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_NET_C &&
MBEDTLS_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C && MBEDTLS_PEM_PARSE_C */
#endif /* configuration allows running this program */

28
programs/ssl/dtls_server.c
View File

@ -18,19 +18,19 @@
#define BIND_IP "::"
#endif
#if !defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_SSL_COOKIE_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_TIMING_C)
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
!defined(MBEDTLS_SSL_COOKIE_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
printf("MBEDTLS_SSL_SRV_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_SSL_COOKIE_C and/or MBEDTLS_NET_C and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_TIMING_C not defined.\n");
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_TIMING_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
"MBEDTLS_SSL_COOKIE_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
@ -402,7 +402,5 @@ exit:
mbedtls_exit(ret);
}
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS &&
MBEDTLS_SSL_COOKIE_C && MBEDTLS_NET_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C
&& MBEDTLS_PEM_PARSE_C && MBEDTLS_TIMING_C */
#endif /* configuration allows running this program */

27
programs/ssl/ssl_client1.c
View File

@ -9,17 +9,14 @@
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C)
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
@ -240,6 +237,9 @@ int main(void)
}
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
mbedtls_printf("The return value %d from mbedtls_ssl_read() means that the server\n"
"closed the connection first. We're ok with that.\n",
MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY);
break;
}
@ -259,7 +259,9 @@ int main(void)
mbedtls_ssl_close_notify(&ssl);
exit_code = MBEDTLS_EXIT_SUCCESS;
if (ret == 0 || ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
exit_code = MBEDTLS_EXIT_SUCCESS;
}
exit:
@ -283,6 +285,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
MBEDTLS_PEM_PARSE_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C */
#endif /* configuration allows running this program */

35
programs/ssl/ssl_fork_server.c
View File

@ -9,22 +9,15 @@
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_PEM_PARSE_C)
int main(int argc, char *argv[])
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
((void) argc);
((void) argv);
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#elif defined(_WIN32)
@ -225,6 +218,7 @@ int main(void)
if (pid != 0) {
mbedtls_printf(" ok\n");
mbedtls_net_close(&client_fd);
fflush(stdout);
if ((ret = mbedtls_ctr_drbg_reseed(&ctr_drbg,
(const unsigned char *) "parent",
@ -282,6 +276,7 @@ int main(void)
}
mbedtls_printf("pid %d: SSL handshake ok\n", pid);
fflush(stdout);
/*
* 6. Read the HTTP Request
@ -312,12 +307,14 @@ int main(void)
mbedtls_printf("pid %d: mbedtls_ssl_read returned %d\n", pid, ret);
break;
}
fflush(stdout);
break;
}
len = ret;
mbedtls_printf("pid %d: %d bytes read\n\n%s", pid, len, (char *) buf);
fflush(stdout);
if (ret > 0) {
break;
@ -333,7 +330,7 @@ int main(void)
len = sprintf((char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite(&ssl));
while (cnt++ < 100) {
while (cnt++ < 10) {
while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
mbedtls_printf(
@ -349,12 +346,16 @@ int main(void)
}
}
len = ret;
mbedtls_printf("pid %d: %d bytes written\n\n%s\n", pid, len, (char *) buf);
mbedtls_printf("pid %d: %d bytes written (cnt=%d)\n\n%s\n",
pid, len, cnt, (char *) buf);
fflush(stdout);
mbedtls_net_usleep(1000000);
}
mbedtls_ssl_close_notify(&ssl);
mbedtls_printf("pid %d: shutting down\n", pid);
fflush(stdout);
goto exit;
}

37
programs/ssl/ssl_pthread_server.c
View File

@ -10,20 +10,21 @@
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_THREADING_C) || \
!defined(MBEDTLS_THREADING_PTHREAD) || !defined(MBEDTLS_PEM_PARSE_C)
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_THREADING_C and/or MBEDTLS_THREADING_PTHREAD "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#elif !defined(MBEDTLS_THREADING_C) || !defined(MBEDTLS_THREADING_PTHREAD)
int main(void)
{
mbedtls_printf("MBEDTLS_THREADING_PTHREAD not defined.\n");
mbedtls_exit(0);
}
#else
@ -123,6 +124,7 @@ static void *handle_ssl_connection(void *data)
* 5. Handshake
*/
mbedtls_printf(" [ #%ld ] Performing the SSL/TLS handshake\n", thread_id);
fflush(stdout);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
@ -138,6 +140,7 @@ static void *handle_ssl_connection(void *data)
* 6. Read the HTTP Request
*/
mbedtls_printf(" [ #%ld ] < Read from client\n", thread_id);
fflush(stdout);
do {
len = sizeof(buf) - 1;
@ -170,6 +173,7 @@ static void *handle_ssl_connection(void *data)
len = ret;
mbedtls_printf(" [ #%ld ] %d bytes read\n=====\n%s\n=====\n",
thread_id, len, (char *) buf);
fflush(stdout);
if (ret > 0) {
break;
@ -180,6 +184,7 @@ static void *handle_ssl_connection(void *data)
* 7. Write the 200 Response
*/
mbedtls_printf(" [ #%ld ] > Write to client:\n", thread_id);
fflush(stdout);
len = sprintf((char *) buf, HTTP_RESPONSE,
mbedtls_ssl_get_ciphersuite(&ssl));
@ -201,6 +206,7 @@ static void *handle_ssl_connection(void *data)
len = ret;
mbedtls_printf(" [ #%ld ] %d bytes written\n=====\n%s\n=====\n",
thread_id, len, (char *) buf);
fflush(stdout);
mbedtls_printf(" [ #%ld ] . Closing the connection...", thread_id);
@ -214,6 +220,7 @@ static void *handle_ssl_connection(void *data)
}
mbedtls_printf(" ok\n");
fflush(stdout);
ret = 0;
@ -442,6 +449,7 @@ reset:
* 3. Wait until a client connects
*/
mbedtls_printf(" [ main ] Waiting for a remote connection\n");
fflush(stdout);
if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
NULL, 0, NULL)) != 0) {
@ -483,7 +491,4 @@ exit:
mbedtls_exit(ret);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_THREADING_C &&
MBEDTLS_THREADING_PTHREAD && MBEDTLS_PEM_PARSE_C */
#endif /* configuration allows running this program */

28
programs/ssl/ssl_server.c
View File

@ -9,18 +9,15 @@
#include "mbedtls/platform.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_PEM_PARSE_C) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_SSL_TLS_C) || \
!defined(MBEDTLS_SSL_SRV_C) || !defined(MBEDTLS_NET_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO)
#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
"and/or MBEDTLS_PEM_PARSE_C not defined.\n");
mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
"not defined.\n");
mbedtls_exit(0);
}
#else
@ -315,16 +312,19 @@ reset:
mbedtls_printf(" %d bytes written\n\n%s\n", len, (char *) buf);
mbedtls_printf(" . Closing the connection...");
fflush(stdout);
while ((ret = mbedtls_ssl_close_notify(&ssl)) < 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
ret != MBEDTLS_ERR_NET_CONN_RESET) {
mbedtls_printf(" failed\n ! mbedtls_ssl_close_notify returned %d\n\n", ret);
goto reset;
}
}
mbedtls_printf(" ok\n");
fflush(stdout);
ret = 0;
goto reset;
@ -356,7 +356,5 @@ exit:
mbedtls_exit(ret);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_SRV_C && MBEDTLS_NET_C &&
MBEDTLS_RSA_C && MBEDTLS_CTR_DRBG_C && MBEDTLS_X509_CRT_PARSE_C
&& MBEDTLS_FS_IO && MBEDTLS_PEM_PARSE_C */
#endif /* configuration allows running this program */

382
tests/opt-testcases/sample.sh Normal file
View File

@ -0,0 +1,382 @@
# Test that SSL sample programs can interoperate with each other
# and with OpenSSL and GnuTLS.
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
: ${PROGRAMS_DIR:=../programs/ssl}
run_test "Sample: ssl_client1, ssl_server2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server2" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_client1, openssl server, TLS 1.2" \
-P 4433 \
"$O_SRV -tls1_2" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-c "Protocol.*TLSv1.2" \
-S "ERROR" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_client1, gnutls server, TLS 1.2" \
-P 4433 \
"$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "Version: TLS1.2" \
-c "<TD>Protocol version:</TD><TD>TLS1.2</TD>" \
-S "Error" \
-C "error"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_client1, openssl server, TLS 1.3" \
-P 4433 \
"$O_NEXT_SRV -tls1_3" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-c "New, TLSv1.3, Cipher is" \
-S "ERROR" \
-C "error"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_client1, gnutls server, TLS 1.3" \
-P 4433 \
"$G_NEXT_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "Version: TLS1.3" \
-c "<TD>Protocol version:</TD><TD>TLS1.3</TD>" \
-S "Error" \
-C "error"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: dtls_client, ssl_server2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server2 dtls=1 server_addr=localhost" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
# The dtls_client program connects to localhost. This test case fails on
# systems where the name "localhost" resolves to an IPv6 address, but
# the IPv6 connection is not possible. Possible reasons include:
# * OpenSSL is too old (IPv6 support was added in 1.1.0).
# * OpenSSL was built without IPv6 support.
# * A firewall blocks IPv6.
#
# To facilitate working with this test case, have it run with $OPENSSL_NEXT
# which is at least 1.1.1a. At the time it was introduced, this test case
# passed with OpenSSL 1.0.2g on an environment where IPv6 is disabled.
requires_protocol_version dtls12
run_test "Sample: dtls_client, openssl server, DTLS 1.2" \
-P 4433 \
"$O_NEXT_SRV -dtls1_2" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "Echo this" \
-c "Echo this" \
-c "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-S "ERROR" \
-C "error"
requires_protocol_version dtls12
run_test "Sample: dtls_client, gnutls server, DTLS 1.2" \
-P 4433 \
"$G_SRV -u --echo --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "Server listening" \
-s "[1-9][0-9]* bytes command:" \
-c "Echo this" \
-c "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-S "Error" \
-C "error"
run_test "Sample: ssl_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
run_test "Sample: ssl_fork_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_fork_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_fork_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_fork_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_fork_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_fork_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_fork_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
run_test "Sample: ssl_pthread_server, ssl_client2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$PROGRAMS_DIR/ssl_client2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
run_test "Sample: ssl_client1 with ssl_pthread_server" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$PROGRAMS_DIR/ssl_client1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-S "error" \
-C "error"
requires_protocol_version tls12
run_test "Sample: ssl_pthread_server, openssl client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$O_CLI -tls1_2" \
0 \
-s "Successful connection using: TLS-" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls12
run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "Successful connection using: TLS-" \
-c "Description:.*TLS1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_openssl_tls1_3
run_test "Sample: ssl_pthread_server, openssl client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$O_NEXT_CLI -tls1_3" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "New, TLSv1.3, Cipher is" \
-S "error" \
-C "ERROR"
requires_protocol_version tls13
requires_gnutls_tls1_3
run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \
-P 4433 \
"$PROGRAMS_DIR/ssl_pthread_server" \
"$G_NEXT_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
0 \
-s "Successful connection using: TLS1-3-" \
-c "Description:.*TLS1.3" \
-S "error" \
-C "ERROR"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: dtls_client with dtls_server" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$PROGRAMS_DIR/dtls_client" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
# The server complains of extra data after it closes the connection
# because the client keeps sending data, so the server receives
# more application data when it expects a new handshake. We consider
# the test a success if both sides have sent and received application
# data, no matter what happens afterwards.
run_test "Sample: ssl_client2, dtls_server" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$PROGRAMS_DIR/ssl_client2 dtls=1" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "[1-9][0-9]* bytes read" \
-c "[1-9][0-9]* bytes written" \
-C "error"
requires_protocol_version dtls12
run_test "Sample: dtls_server, openssl client, DTLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$O_CLI -dtls1_2" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "Protocol.*TLSv1.2" \
-S "error" \
-C "ERROR"
requires_protocol_version dtls12
run_test "Sample: dtls_server, gnutls client, DTLS 1.2" \
-P 4433 \
"$PROGRAMS_DIR/dtls_server" \
"$G_CLI -u --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
0 \
-s "[1-9][0-9]* bytes read" \
-s "[1-9][0-9]* bytes written" \
-c "Description:.*DTLS1.2" \
-S "error" \
-C "ERROR"

75
tests/ssl-opt.sh
View File

@ -491,6 +491,37 @@ detect_required_features() {
requires_certificate_authentication;;
esac
case " $CMD_LINE " in
*"programs/ssl/dtls_client "*|\
*"programs/ssl/ssl_client1 "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_certificate_authentication
;;
*"programs/ssl/dtls_server "*|\
*"programs/ssl/ssl_fork_server "*|\
*"programs/ssl/ssl_pthread_server "*|\
*"programs/ssl/ssl_server "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_certificate_authentication
# The actual minimum depends on the configuration since it's
# mostly about the certificate size.
# In config-suite-b.h, for the test certificates (server5.crt),
# 1024 is not enough.
requires_config_value_at_least MBEDTLS_SSL_OUT_CONTENT_LEN 2000
;;
esac
case " $CMD_LINE " in
*"programs/ssl/ssl_pthread_server "*)
requires_config_enabled MBEDTLS_THREADING_PTHREAD;;
esac
case "$CMD_LINE" in
*[-_\ =]psk*|*[-_\ =]PSK*) :;; # No certificate requirement with PSK
*/server5*|\
@ -1252,7 +1283,7 @@ wait_client_done() {
# check if the given command uses dtls and sets global variable DTLS
detect_dtls() {
case "$1" in
*dtls=1*|*-dtls*|*-u*) DTLS=1;;
*dtls=1*|*-dtls*|*-u*|*/dtls_*) DTLS=1;;
*) DTLS=0;;
esac
}
@ -1372,9 +1403,13 @@ skip_handshake_stage_check() {
# Outputs:
# * $CLI_CMD, $PXY_CMD, $SRV_CMD: may be tweaked.
analyze_test_commands() {
# if the test uses DTLS but no custom proxy, add a simple proxy
# as it provides timing info that's useful to debug failures
if [ -z "$PXY_CMD" ] && [ "$DTLS" -eq 1 ]; then
# If the test uses DTLS, does not force a specific port, and does not
# specify a custom proxy, add a simple proxy.
# It provides timing info that's useful to debug failures.
if [ "$DTLS" -eq 1 ] &&
[ "$THIS_SRV_PORT" = "$SRV_PORT" ] &&
[ -z "$PXY_CMD" ]
then
PXY_CMD="$P_PXY"
case " $SRV_CMD " in
*' server_addr=::1 '*)
@ -1410,7 +1445,20 @@ analyze_test_commands() {
if [ -n "$PXY_CMD" ]; then
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g )
else
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$SRV_PORT/g )
CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$THIS_SRV_PORT/g )
fi
# If the test forces a specific port and the server is OpenSSL or
# GnuTLS, override its port specification.
if [ "$THIS_SRV_PORT" != "$SRV_PORT" ]; then
case "$SRV_CMD" in
"$G_SRV"*|"$G_NEXT_SRV"*)
SRV_CMD=$(
printf %s "$SRV_CMD " |
sed -e "s/ -p $SRV_PORT / -p $THIS_SRV_PORT /"
);;
"$O_SRV"*|"$O_NEXT_SRV"*) SRV_CMD="$SRV_CMD -accept $THIS_SRV_PORT";;
esac
fi
# prepend valgrind to our commands if active
@ -1609,7 +1657,7 @@ do_run_test_once() {
printf '# %s\n%s\n' "$NAME" "$SRV_CMD" > $SRV_OUT
provide_input | $SRV_CMD >> $SRV_OUT 2>&1 &
SRV_PID=$!
wait_server_start "$SRV_PORT" "$SRV_PID"
wait_server_start "$THIS_SRV_PORT" "$SRV_PID"
printf '# %s\n%s\n' "$NAME" "$CLI_CMD" > $CLI_OUT
# The client must be a subprocess of the script in order for killing it to
@ -1732,7 +1780,7 @@ run_test() {
esac
fi
# does this test use a proxy?
# Does this test specify a proxy?
if [ "X$1" = "X-p" ]; then
PXY_CMD="$2"
shift 2
@ -1740,6 +1788,14 @@ run_test() {
PXY_CMD=""
fi
# Does this test force a specific port?
if [ "$1" = "-P" ]; then
THIS_SRV_PORT="$2"
shift 2
else
THIS_SRV_PORT="$SRV_PORT"
fi
# get commands and client output
SRV_CMD="$1"
CLI_CMD="$2"
@ -1761,7 +1817,10 @@ run_test() {
# Check if we are trying to use an external tool which does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
# Guess the TLS version which is going to be used
# Guess the TLS version which is going to be used.
# Note that this detection is wrong in some cases, which causes unduly
# skipped test cases in builds with TLS 1.3 but not TLS 1.2.
# https://github.com/Mbed-TLS/mbedtls/issues/9560
if [ "$EXT_WO_ECDH" = "no" ]; then
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
else