Stop testing configurations without PSA (MBEDTLS_PSA_CRYPTO_C or at least
MBEDTLS_PSA_CRYPTO_CLIENT). No future release from this branch will support
such configurations, and we can no longer build the SSL sample programs
without psa_crypto_init.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When building with `configs/config-suite-b.h`, the SSL I/O buffer size is
1024 bytes. Experimentally, this isn't quite enough for the test certificate
that we use: the server aborts the handshake with
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` raised from
`mbedtls_ssl_write_certificate()`. State an ad hoc minimum output buffer
size to skip testing `ssl_server` in `config-suite-b`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
dtls_client connects to "localhost", which is usually IPv6 on modern
systems. On our CI, $OPENSSL is OpenSSL 1.0.2g which doesn't support IPv6.
Pitching dtls_client against $OPENSSL works on the CI at the moment, but
only because the CI runs in Docker with default network settings which has
IPv6 disabled. This would stop working if we changed the CI's Docker setup,
and the test case is likely to fail on a developer machine. So switch the
test case to using $OPENSSL_NEXT (which is a version of OpenSSL that has
IPv6 support).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
GnuTLS 3.4.x doesn't allow repeated `-p PORT` arguments.
OpenSSL 1.0.2 has different logs. For TLS 1.2 test cases, use a line that
is present in logs from OpenSSL 1.0.2g, 3.3.0 and presumably all versions
in between.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test against both OpenSSL and GnuTLS.
Don't use a proxy. It's not particularly useful here, and would complicate
figuring out port numbers.
Clean up compile-time requirements dtls_server.c: any certificate-based key
exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_fork_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
In the server, only write output for 10 seconds, not 100. That's enough time
to start concurrent clients if desired. 100 seconds causes ssl-opt to take a
very long time when the client actually listens to the whole input (which
`gnutls-cli` does, but not `openssl s_client`).
Clean up compile-time requirements in ssl_fork_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_pthread_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
Clean up compile-time requirements in ssl_pthread_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
Clean up compile-time requirements in ssl_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test against both OpenSSL and GnuTLS.
Don't use a proxy. It's not particularly useful here, and would complicate
figuring out port numbers.
Clean up compile-time requirements in dtls_client.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_client1 with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
Clean up compile-time requirements in ssl_client1.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix `tls13-compat.sh` changing based on exactly how
`generate_tls13_compat_tests.py` was run (e.g. from which directory). This
made `check-generated-files.sh` behave differently from `make`. The script
has no official variations of the content of its output file, so we don't
need to record the full command line.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
`tests/opt-testcases/tls13-compat.sh` is supposed to be automatically
generated by `tests/scripts/generate_tls13_compat_tests.py`. So far, the
output has been updated by running the script manually and committing the
output. Switch to using our framework for generated files.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With no options, update the output file (former behavior with -a).
Pass -1 to generate a single test case.
Also have the intended output file location as the default.
This way, you can just run the script after updating it, without having to
know the details of the directory structure.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is no longer required, except in test
cases that are specifically about it. This commit removes the requirement in
tls13-compat.sh (which does not have test cases that actually depend on the
feature).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is no longer required, except in test
cases that are specifically about it. This commit removes the requirement on
all test cases except those whose description contains "middlebox".
Exclude tls13-compat.sh which is automatically generated and will be handled
in a separate commit.
```
perl -0777 -i -pe '
# With -0777, we act on the whole file.
# s[REGEXP][EXPR]gm replaces every occurrence of REGEXP by EXPR.
# The regexp matches "requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE",
# followed by zero or more non-empty lines, followed by a line starting
# with "run_test" and not containing "middlebox".
# The replacement is everything matched except the first line.
s[^requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE\n((?:.+\n)*run_test (?!.*middlebox))]
[$1]gm' tests/ssl-opt.sh tests/opt-testcases/tls13-kex-modes.sh tests/opt-testcases/tls13-misc.sh
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Adapt the test cases for TLS 1.3 middlebox compatibility mode, now that we
always interoperate with peers that support it, regardless of whether
MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE is enabled.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For better searchability and readability, call requires_config_enabled or
requires_config_disabled for each option, instead of calling
requires_all_configs_enabled or requires_all_configs_disabled with a long
list of options.
```
perl -0777 -i -pe '
# With -0777, we act on the whole file.
# s[REGEXP][CODE]egm replaces every occurrence of REGEXP by the result
# of running CODE.
# The regexp matches "requires_all_configs_enabled" or
# "requires_all_configs_disabled" followed by a list of words ending
# with a line break. The words can be separated by a sequence of
# spaces and optionally a backslash-newline.
s[^requires_all_configs_(enabled|disabled) *((?:(?: \w+) *(?:\\\n)? *)+)\n][
$state = $1;
# Extract all the words from the list of words (/(\w+)/g). For each word,
# For each word, construct a line "requires_config_XXXabled WORD".
# The replacement text is the concatenation of these lines.
join("", map {"requires_config_$state $_\n"} $2 =~ /(\w+)/g)
]egm' tests/ssl-opt.sh tests/opt-testcases/*.sh
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The *.sh files in opt-testcases cannot be executed directly: they can only
be sourced by ssl-opt.sh. So don't make them executable and don't give them
a shebang line.
Also make sure that the first paragraph of each file is a short description.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the components migrated from test-ref-configs.pl, we don't need to
activate PSA: it's always on. Also, since there is no "_legacy" component to
contrast with, drop "_psa" from the component names.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove the components migrated from test-ref-configs.pl that use legacy
crypto (no enabling of MBEDTLS_USE_PSA_CRYPTO). In the 4.0 preparation
branch, we are no longer interested in such configurations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit moves all related mbedtls_oid_from_numeric_string unit tests
from test_suite_oid to test_suite_x509write.
Signed-off-by: Sam Berry <sam.berry@arm.com>
This commit moves all related mbedtls_oid_get_numeric_string unit tests
from test_suite_oid to test_suite_x509parse.
Signed-off-by: Sam Berry <sam.berry@arm.com>
Rename the existing component_test_tfm_config which tests a modified version
of config-tfm.h for the sake of driver-vs-reference comparison.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
