From c83e56cc451898ceec91cb63273d2bc5db6fb79a Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Wed, 4 Sep 2024 17:47:14 +0200
Subject: [PATCH] Test ssl_fork_server

Test ssl_fork_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.

In the server, only write output for 10 seconds, not 100. That's enough time
to start concurrent clients if desired. 100 seconds causes ssl-opt to take a
very long time when the client actually listens to the whole input (which
`gnutls-cli` does, but not `openssl s_client`).

Clean up compile-time requirements in ssl_fork_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/ssl/ssl_fork_server.c | 35 ++++++++++++++-------------
 tests/opt-testcases/sample.sh  | 44 ++++++++++++++++++++++++++++++++++
 tests/ssl-opt.sh               |  1 +
 3 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index f4822b7e68..0edadd4b74 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -9,22 +9,15 @@
 
 #include "mbedtls/platform.h"
 
-#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) ||          \
-    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) ||         \
-    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||                 \
-    !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
-    !defined(MBEDTLS_TIMING_C) || !defined(MBEDTLS_FS_IO) ||              \
-    !defined(MBEDTLS_PEM_PARSE_C)
-int main(int argc, char *argv[])
+#if !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) ||      \
+    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_SSL_SRV_C) ||           \
+    !defined(MBEDTLS_PEM_PARSE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C)
+int main(void)
 {
-    ((void) argc);
-    ((void) argv);
-
-    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C "
-                   "and/or MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
-                   "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
-                   "MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
-                   "MBEDTLS_TIMING_C and/or MBEDTLS_PEM_PARSE_C not defined.\n");
+    mbedtls_printf("MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
+                   "MBEDTLS_NET_C and/or MBEDTLS_SSL_SRV_C and/or "
+                   "MBEDTLS_PEM_PARSE_C and/or MBEDTLS_X509_CRT_PARSE_C "
+                   "not defined.\n");
     mbedtls_exit(0);
 }
 #elif defined(_WIN32)
@@ -225,6 +218,7 @@ int main(void)
         if (pid != 0) {
             mbedtls_printf(" ok\n");
             mbedtls_net_close(&client_fd);
+            fflush(stdout);
 
             if ((ret = mbedtls_ctr_drbg_reseed(&ctr_drbg,
                                                (const unsigned char *) "parent",
@@ -282,6 +276,7 @@ int main(void)
         }
 
         mbedtls_printf("pid %d: SSL handshake ok\n", pid);
+        fflush(stdout);
 
         /*
          * 6. Read the HTTP Request
@@ -312,12 +307,14 @@ int main(void)
                         mbedtls_printf("pid %d: mbedtls_ssl_read returned %d\n", pid, ret);
                         break;
                 }
+                fflush(stdout);
 
                 break;
             }
 
             len = ret;
             mbedtls_printf("pid %d: %d bytes read\n\n%s", pid, len, (char *) buf);
+            fflush(stdout);
 
             if (ret > 0) {
                 break;
@@ -333,7 +330,7 @@ int main(void)
         len = sprintf((char *) buf, HTTP_RESPONSE,
                       mbedtls_ssl_get_ciphersuite(&ssl));
 
-        while (cnt++ < 100) {
+        while (cnt++ < 10) {
             while ((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0) {
                 if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
                     mbedtls_printf(
@@ -349,12 +346,16 @@ int main(void)
                 }
             }
             len = ret;
-            mbedtls_printf("pid %d: %d bytes written\n\n%s\n", pid, len, (char *) buf);
+            mbedtls_printf("pid %d: %d bytes written (cnt=%d)\n\n%s\n",
+                           pid, len, cnt, (char *) buf);
+            fflush(stdout);
 
             mbedtls_net_usleep(1000000);
         }
 
         mbedtls_ssl_close_notify(&ssl);
+        mbedtls_printf("pid %d: shutting down\n", pid);
+        fflush(stdout);
         goto exit;
     }
 
diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh
index 4684172c3b..a74d597c28 100644
--- a/tests/opt-testcases/sample.sh
+++ b/tests/opt-testcases/sample.sh
@@ -119,6 +119,50 @@ run_test    "Sample: ssl_server, gnutls client, TLS 1.3" \
             -S "error" \
             -C "ERROR"
 
+requires_protocol_version tls12
+run_test    "Sample: ssl_fork_server, openssl client, TLS 1.2" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_fork_server" \
+            "$O_CLI -tls1_2" \
+            0 \
+            -s "Successful connection using: TLS-" \
+            -c "New, TLSv1.2, Cipher is" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls12
+run_test    "Sample: ssl_fork_server, gnutls client, TLS 1.2" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_fork_server" \
+            "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 localhost" \
+            0 \
+            -s "Successful connection using: TLS-" \
+            -c "Description:.*TLS1.2" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls13
+run_test    "Sample: ssl_fork_server, openssl client, TLS 1.3" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_fork_server" \
+            "$O_CLI -tls1_3" \
+            0 \
+            -s "Successful connection using: TLS1-3-" \
+            -c "New, TLSv1.3, Cipher is" \
+            -S "error" \
+            -C "ERROR"
+
+requires_protocol_version tls13
+run_test    "Sample: ssl_fork_server, gnutls client, TLS 1.3" \
+            -P 4433 \
+            "$PROGRAMS_DIR/ssl_fork_server" \
+            "$G_CLI --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3 localhost" \
+            0 \
+            -s "Successful connection using: TLS1-3-" \
+            -c "Description:.*TLS1.3" \
+            -S "error" \
+            -C "ERROR"
+
 requires_protocol_version tls12
 run_test    "Sample: ssl_pthread_server, openssl client, TLS 1.2" \
             -P 4433 \
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index cb2cc0f687..b5d6266876 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -500,6 +500,7 @@ detect_required_features() {
             requires_config_enabled MBEDTLS_SSL_CLI_C
             requires_certificate_authentication
             ;;
+        *"programs/ssl/ssl_fork_server "*|\
         *"programs/ssl/ssl_pthread_server "*|\
         *"programs/ssl/ssl_server "*)
             requires_config_enabled MBEDTLS_CTR_DRBG_C