diff options
Diffstat (limited to 'tests/ssl-opt.sh')
-rwxr-xr-x | tests/ssl-opt.sh | 92 |
1 files changed, 58 insertions, 34 deletions
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 335f59d0..d2f36e69 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -165,22 +165,34 @@ requires_config_disabled() { } get_config_value_or_default() { - NAME="$1" - DEF_VAL=$( grep ".*#define.*${NAME}" ../include/mbedtls/config.h | - sed 's/^.*\s\([0-9]*\)$/\1/' ) - ../scripts/config.pl get $NAME || echo "$DEF_VAL" + # This function uses the query_config command line option to query the + # required Mbed TLS compile time configuration from the ssl_server2 + # program. The command will always return a success value if the + # configuration is defined and the value will be printed to stdout. + # + # Note that if the configuration is not defined or is defined to nothing, + # the output of this function will be an empty string. + ${P_SRV} "query_config=${1}" } requires_config_value_at_least() { - VAL=$( get_config_value_or_default "$1" ) - if [ "$VAL" -lt "$2" ]; then + VAL="$( get_config_value_or_default "$1" )" + if [ -z "$VAL" ]; then + # Should never happen + echo "Mbed TLS configuration $1 is not defined" + exit 1 + elif [ "$VAL" -lt "$2" ]; then SKIP_NEXT="YES" fi } requires_config_value_at_most() { VAL=$( get_config_value_or_default "$1" ) - if [ "$VAL" -gt "$2" ]; then + if [ -z "$VAL" ]; then + # Should never happen + echo "Mbed TLS configuration $1 is not defined" + exit 1 + elif [ "$VAL" -gt "$2" ]; then SKIP_NEXT="YES" fi } @@ -541,6 +553,20 @@ run_test() { CLI_EXPECT="$3" shift 3 + # Check if test uses files + TEST_USES_FILES=$(echo "$SRV_CMD $CLI_CMD" | grep "\.\(key\|crt\|pem\)" ) + if [ ! -z "$TEST_USES_FILES" ]; then + requires_config_enabled MBEDTLS_FS_IO + fi + + # should we skip? + if [ "X$SKIP_NEXT" = "XYES" ]; then + SKIP_NEXT="NO" + echo "SKIP" + SKIPS=$(( $SKIPS + 1 )) + return + fi + # fix client port if [ -n "$PXY_CMD" ]; then CLI_CMD=$( echo "$CLI_CMD" | sed s/+SRV_PORT/$PXY_PORT/g ) @@ -3981,26 +4007,37 @@ run_test "ECJPAKE: working, DTLS, nolog" \ # Tests for ciphersuites per version requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +requires_config_enabled MBEDTLS_CAMELLIA_C +requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: SSL3" \ - "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ + "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=ssl3" \ 0 \ - -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA" + -c "Ciphersuite is TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 +requires_config_enabled MBEDTLS_CAMELLIA_C +requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.0" \ - "$P_SRV arc4=1 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ + "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=tls1 arc4=1" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 +requires_config_enabled MBEDTLS_CAMELLIA_C +requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.1" \ - "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ + "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=tls1_1" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_CAMELLIA_C +requires_config_enabled MBEDTLS_AES_C run_test "Per-version suites: TLS 1.2" \ - "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ + "$P_SRV version_suites=TLS-RSA-WITH-CAMELLIA-128-CBC-SHA,TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_CLI force_version=tls1_2" \ 0 \ -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256" @@ -4009,7 +4046,7 @@ run_test "Per-version suites: TLS 1.2" \ requires_gnutls run_test "ClientHello without extensions, SHA-1 allowed" \ - "$P_SRV debug_level=3" \ + "$P_SRV debug_level=3 key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION localhost" \ 0 \ -s "dumping 'client hello extensions' (0 bytes)" @@ -6701,13 +6738,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ -c "fragmenting handshake message" \ -C "error" -## The two tests below are disabled due to a bug in GnuTLS client that causes -## handshake failures when the NewSessionTicket message is lost, see -## https://gitlab.com/gnutls/gnutls/issues/543 -## We can re-enable them when a fixed version fo GnuTLS is available -## and installed in our CI system. -skip_next_test -requires_gnutls +requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -6719,12 +6750,11 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls1_2" \ - "$G_CLI -u --insecure 127.0.0.1" \ + "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" -skip_next_test -requires_gnutls +requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -6736,7 +6766,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$G_CLI -u --insecure 127.0.0.1" \ + "$G_NEXT_CLI -u --insecure 127.0.0.1" \ 0 \ -s "fragmenting handshake message" @@ -7306,29 +7336,23 @@ run_test "DTLS proxy: 3d, gnutls server" \ -s "Extra-header:" \ -c "Extra-header:" -# The next two test are disabled because they tend to trigger a bug in the -# version of GnuTLS that's currently installed on our CI. The bug occurs when -# different fragments of the same handshake message are received out-of-order -# by GnuTLS and results in a timeout. It's been fixed in GnuTLS 3.5.2. -skip_next_test -requires_gnutls +requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$G_SRV -u --mtu 512" \ + "$G_NEXT_SRV -u --mtu 512" \ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000" \ 0 \ -s "Extra-header:" \ -c "Extra-header:" -skip_next_test -requires_gnutls +requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ - "$G_SRV -u --mtu 512" \ + "$G_NEXT_SRV -u --mtu 512" \ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 nbio=2" \ 0 \ -s "Extra-header:" \ |