Ensure that both server and client can call mbedtls_version_get_string_full()
to verify that they are linked against proper libraries.
Note: each side (client/server) performs the call against its own
MbedTLS library. There is no IPC communication involved in this
test. Client/server communication will come later.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
It includes changes to:
- tests/Makefile: build the library for client and server in different
folders. It mimica the libtestdriver1 behavior (without functions
renaming though).
- tests/scripts/all.sh: helper function to build for client and
server with some default configuration for each of them.
- crypto_spe.h: this is dummy file taken from the already existing
tests. It's just meant to pacify the compiler, not to provide
something useful. It will likely be changed in the future.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- remove new line at beginning of test_keys.h
- add footer at the end of both generated files
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This helps removing the previous pylint exception.
Also use "with" statement for opening the file in order to
ensure that all the content is flushed to the file before
exiting.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Without this fix keys could be listed differently on Ubuntu 16
between different runs therefore causing
check_generated_files() to fail.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is a temporary fix that will be reverted once the framework
repository will have CI checks.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
On the CI, the git version when running on
Ubuntu 16.04 is 2.7 and it does not support
the "--recurse-submodules" option of
"git ls-files" thus do not use it.
Another argument to not use it is that
when TF-PSA-Crypto will be a submodule of
mbedtls we will not want check_files.py to
check the TF-PSA-Crypto files as well.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
- rewrite output file (do not append)
- remove useless "os" import
- move pylint for main() function
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This allows many tests to pass with the system openssl and gnutls-*. As
before, not all test cases will pass due to differences between versions and
build options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some OpenSSL or GnuTLS interoperability test cases fail if the other
implementation is recent enough to support TLS 1.3. Force those test cases
to use TLS 1.2 so that the script works with more recent $OPENSSL or
$GNUTLS_CLI or $GNUTLS_SERV than our official CI versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
- Embed input arguments inside the script so as to simplify the
calls in Makefiles/CMakeLists.
- add a new "--list-dependencies" command line option to print
out the list of dependencies.
- Modify tests/Makefile accordinlgy.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
ssl-opt.sh uses a 3-byte PSK in many test cases. Unfortunately GnuTLS >=3.4.0
rejects a PSK that is less than 4 bytes long:
> Error setting the PSK credentials: The request is invalid.
Use a longer PSK throughout ssl-opt. Only the test cases involving GnuTLS
need to change, but it's easier to do a global search-and-replace, and it's
easier to not have to worry about mismatches in constructed test cases
later, so replace everything.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When given a PSK key but no username, gnutls-cli prompts for a password.
Prevent that by passing --pskusername with the same identity that
ssl_server2 uses by default.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Only s_server has a -nocert option, s_client doesn't. Fixes OpenSSL client
test cases in PSK-only builds.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Tighten the matching when detecting which certificates are in use to
determine algorithm requirements. This fixes a bug whereby all tests were
skipped in configurations without RSA except for an Mbed TLS client against
a GnuTLS or OpenSSL server, due to *server2* matching ssl_server2.
Fixes#8366.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Like `openssl rsa`, `openssl genrsa` changed its output format from PKCS8 to
PKCS1 in OpenSSL 3.0. Note that the makefile instructions assume older
OpenSSL. Convert the files that were generated with OpenSSL 3.x and hence
were not in the intended format. The files are converted, not regenerated,
so the key material is the same.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With OpenSSL 3.0.2 (which I used to generate the previous set of "pkcs1" DER
files), the output of `openssl rsa -outform DER` is actually a
PKCS#8-encoded key, despite what the documentation says. This is a change
from OpenSSL 1.x, where the output is a PKCS#1-encoded key. OpenSSL 3.0.8
documents the output as PKCS#8.
Change to `openssl pkey`, which seems more reliable. The documentation
states that the output is PKCS#8, but the output is actually consistently
PKCS#1 at least from 1.0.2g to 3.3.0.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
