diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 4622c3ad07..c46130a6f9 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -9,4 +9,827 @@ #### Configuration Testing - TLS ################################################################ +component_test_no_renegotiation () { + msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min + scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min + tests/ssl-opt.sh +} + +component_test_no_pem_no_fs () { + msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" + scripts/config.py unset MBEDTLS_PEM_PARSE_C + scripts/config.py unset MBEDTLS_FS_IO + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min + tests/ssl-opt.sh +} + +component_test_rsa_no_crt () { + msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min + scripts/config.py set MBEDTLS_RSA_NO_CRT + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s + tests/ssl-opt.sh -f RSA + + msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min + tests/compat.sh -t RSA + + msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec + tests/context-info.sh +} + +component_test_no_ctr_drbg_classic () { + msg "build: Full minus CTR_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus CTR_DRBG, classic crypto - main suites" + make test + + # In this configuration, the TLS test programs use HMAC_DRBG. + # The SSL tests are slow, so run a small subset, just enough to get + # confidence that the SSL code copes with HMAC_DRBG. + msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' + + msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL +} + +component_test_no_ctr_drbg_use_psa () { + msg "build: Full minus CTR_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" + make test + + # In this configuration, the TLS test programs use HMAC_DRBG. + # The SSL tests are slow, so run a small subset, just enough to get + # confidence that the SSL code copes with HMAC_DRBG. + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' + + msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" + tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL +} + +component_test_no_hmac_drbg_classic () { + msg "build: Full minus HMAC_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus HMAC_DRBG, classic crypto - main suites" + make test + + # Normally our ECDSA implementation uses deterministic ECDSA. But since + # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used + # instead. + # Test SSL with non-deterministic ECDSA. Only test features that + # might be affected by how ECDSA signature is performed. + msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private: sign' + + # To save time, only test one protocol version, since this part of + # the protocol is identical in (D)TLS up to 1.2. + msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" + tests/compat.sh -m tls12 -t 'ECDSA' +} + +component_test_no_hmac_drbg_use_psa () { + msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" + make test + + # Normally our ECDSA implementation uses deterministic ECDSA. But since + # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used + # instead. + # Test SSL with non-deterministic ECDSA. Only test features that + # might be affected by how ECDSA signature is performed. + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|SSL async private: sign' + + # To save time, only test one protocol version, since this part of + # the protocol is identical in (D)TLS up to 1.2. + msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" + tests/compat.sh -m tls12 -t 'ECDSA' +} + +component_test_psa_external_rng_no_drbg_classic () { + msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" + scripts/config.py full + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py unset MBEDTLS_ENTROPY_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, + # the SSL test programs don't have an RNG and can't work. Explicitly + # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" + make test + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default' +} + +component_test_psa_external_rng_no_drbg_use_psa () { + msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + scripts/config.py unset MBEDTLS_ENTROPY_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_HMAC_DRBG_C + scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" + make test + + msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f 'Default\|opaque' +} + +component_test_sw_inet_pton () { + msg "build: default plus MBEDTLS_TEST_SW_INET_PTON" + + # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton + scripts/config.py set MBEDTLS_TEST_HOOKS + make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON" + + msg "test: default plus MBEDTLS_TEST_SW_INET_PTON" + make test +} + +component_test_tls1_2_default_stream_cipher_only () { + msg "build: default with only stream cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + # Note: The three unsets below are to be removed for Mbed TLS 4.0 + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + # Note: The unset below is to be removed for 4.0 + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only stream cipher use psa" + make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. +} + +component_test_tls1_2_default_cbc_legacy_cipher_only () { + msg "build: default with only CBC-legacy cipher use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + # Note: The three unsets below are to be removed for Mbed TLS 4.0 + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy cipher use psa" + make test + + msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + # Note: The three unsets below are to be removed for Mbed TLS 4.0 + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + #Disable TLS 1.3 (as no AEAD) + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Modules that depend on AEAD + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_TICKET_C + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" + make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" +} + +# We're not aware of any other (open source) implementation of EC J-PAKE in TLS +# that we could use for interop testing. However, we now have sort of two +# implementations ourselves: one using PSA, the other not. At least test that +# these two interoperate with each other. + +component_test_tls1_2_ecjpake_compatibility() { + msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" + scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + # Explicitly make lib first to avoid a race condition: + # https://github.com/Mbed-TLS/mbedtls/issues/8229 + make lib + make -C programs ssl/ssl_server2 ssl/ssl_client2 + cp programs/ssl/ssl_server2 s2_no_use_psa + cp programs/ssl/ssl_client2 c2_no_use_psa + + msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + make clean + make lib + make -C programs ssl/ssl_server2 ssl/ssl_client2 + make -C programs test/udp_proxy test/query_compile_time_config + + msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" + msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" + msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" + msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" + + rm s2_no_use_psa c2_no_use_psa +} + +component_test_everest () { + msg "build: Everest ECDH context (ASan build)" # ~ 6 min + scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: metatests (clang, ASan)" + tests/scripts/run-metatests.sh any asan poison + + msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s + tests/ssl-opt.sh -f ECDH + + msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min + # Exclude some symmetric ciphers that are redundant here to gain time. + tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' +} + +component_test_everest_curve25519_only () { + msg "build: Everest ECDH context, only Curve25519" # ~ 6 min + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA + scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + + # Disable all curves + scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" + scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" + scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 + + make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + + msg "test: Everest ECDH context, only Curve25519" # ~ 50s + make test +} + +component_test_small_ssl_out_content_len () { + msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" + tests/ssl-opt.sh -f "Max fragment\|Large packet" +} + +component_test_small_ssl_in_content_len () { + msg "build: small SSL_IN_CONTENT_LEN (ASan build)" + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" + tests/ssl-opt.sh -f "Max fragment" +} + +component_test_small_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" + scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" + tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" +} + +component_test_small_mbedtls_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" + scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" + tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" +} + +# Common helper for component_full_without_ecdhe_ecdsa() and +# component_full_without_ecdhe_ecdsa_and_tls13() which: +# - starts from the "full" configuration minus the list of symbols passed in +# as 1st parameter +# - build +# - test only TLS (i.e. test_suite_tls and ssl-opt) +build_full_minus_something_and_test_tls () { + symbols_to_disable="$1" + + msg "build: full minus something, test TLS" + + scripts/config.py full + for sym in $symbols_to_disable; do + echo "Disabling $sym" + scripts/config.py unset $sym + done + + make + + msg "test: full minus something, test TLS" + ( cd tests; ./test_suite_ssl ) + + msg "ssl-opt: full minus something, test TLS" + tests/ssl-opt.sh +} + +component_full_without_ecdhe_ecdsa () { + build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" +} + +component_full_without_ecdhe_ecdsa_and_tls13 () { + build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + MBEDTLS_SSL_PROTO_TLS1_3" +} + +# This is an helper used by: +# - component_test_psa_ecc_key_pair_no_derive +# - component_test_psa_ecc_key_pair_no_generate +# The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols +# enabled, but one. Input arguments are as follows: +# - $1 is the key type under test, i.e. ECC/RSA/DH +# - $2 is the key option to be unset (i.e. generate, derive, etc) + +component_build_no_ssl_srv () { + msg "build: full config except SSL server, make, gcc" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_SRV_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' +} + +component_build_no_ssl_cli () { + msg "build: full config except SSL client, make, gcc" # ~ 30s + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_CLI_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' +} + +component_test_memory_buffer_allocator_backtrace () { + msg "build: default config with memory buffer allocator and backtrace enabled" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_MEMORY_BACKTRACE + scripts/config.py set MBEDTLS_MEMORY_DEBUG + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" + make test +} + +component_test_memory_buffer_allocator () { + msg "build: default config with memory buffer allocator" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" + make test + + msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C" + # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out. + tests/ssl-opt.sh -e '^DTLS proxy' +} + +component_test_no_max_fragment_length () { + # Run max fragment length tests with MFL disabled + msg "build: default config except MFL extension (ASan build)" # ~ 30s + scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: ssl-opt.sh, MFL-related tests" + tests/ssl-opt.sh -f "Max fragment length" +} + +component_test_asan_remove_peer_certificate () { + msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" + scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + make test + + msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/ssl-opt.sh + + msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/compat.sh + + msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + tests/context-info.sh +} + +component_test_no_max_fragment_length_small_ssl_out_content_len () { + msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MFL tests (disabled MFL extension case) & large packet tests" + tests/ssl-opt.sh -f "Max fragment length\|Large buffer" + + msg "test: context-info.sh (disabled MFL extension case)" + tests/context-info.sh +} + +component_test_variable_ssl_in_out_buffer_len () { + msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" + tests/compat.sh +} + +component_test_dtls_cid_legacy () { + msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" + scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 + + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" + make test + + msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" + tests/ssl-opt.sh + + msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" + tests/compat.sh +} + +component_test_ssl_alloc_buffer_and_mfl () { + msg "build: default config with memory buffer allocator and MFL extension" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_MEMORY_DEBUG + scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + cmake -DCMAKE_BUILD_TYPE:String=Release . + make + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" + make test + + msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" + tests/ssl-opt.sh -f "Handshake memory usage" +} + +component_test_when_no_ciphersuites_have_mac () { + msg "build: when no ciphersuites have MAC" + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CMAC_C + + make + + msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" + make test + + msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" + tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' +} + +component_test_tls12_only () { + msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan" + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: main suites (inc. selftests) (ASan build)" + make test + + msg "test: ssl-opt.sh (ASan build)" + tests/ssl-opt.sh + + msg "test: compat.sh (ASan build)" + tests/compat.sh +} + +component_test_tls13_only () { + msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test: TLS 1.3 only, all key exchange modes enabled" + make test + + msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk () { + msg "build: TLS 1.3 only from default, only PSK key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_DHM_C + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral () { + msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral_ffdh () { + msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + scripts/config.py unset MBEDTLS_ECDH_C + + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_ephemeral () { + msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_ephemeral_ffdh () { + msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py unset MBEDTLS_ECDH_C + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" + tests/ssl-opt.sh +} + +component_test_tls13_only_psk_all () { + msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C + scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT + scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_PKCS1_V21 + scripts/config.py unset MBEDTLS_PKCS7_C + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" + tests/ssl-opt.sh +} + +component_test_tls13_only_ephemeral_all () { + msg "build: TLS 1.3 only from default, without PSK key exchange mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" + + msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" + cd tests; ./test_suite_ssl; cd .. + + msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" + tests/ssl-opt.sh +} + +component_test_tls13_no_padding () { + msg "build: default config plus early data minus padding" + scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: default config plus early data minus padding" + make test + msg "ssl-opt.sh (TLS 1.3 no padding)" + tests/ssl-opt.sh +} + +component_test_tls13_no_compatibility_mode () { + msg "build: default config plus early data minus middlebox compatibility mode" + scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + scripts/config.py set MBEDTLS_SSL_EARLY_DATA + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: default config plus early data minus middlebox compatibility mode" + make test + msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" + tests/ssl-opt.sh +} + +component_test_full_minus_session_tickets() { + msg "build: full config without session tickets" + scripts/config.py full + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + msg "test: full config without session tickets" + make test + msg "ssl-opt.sh (full config without session tickets)" + tests/ssl-opt.sh +} + diff --git a/tests/scripts/components.sh b/tests/scripts/components.sh index af1d32c306..a42ee6e8af 100644 --- a/tests/scripts/components.sh +++ b/tests/scripts/components.sh @@ -223,208 +223,6 @@ component_test_ref_configs () { tests/scripts/test-ref-configs.pl config-tfm.h } -component_test_no_renegotiation () { - msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min - scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min - tests/ssl-opt.sh -} - -component_test_no_pem_no_fs () { - msg "build: Default + !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO (ASan build)" - scripts/config.py unset MBEDTLS_PEM_PARSE_C - scripts/config.py unset MBEDTLS_FS_IO - scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C # requires a filesystem - scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C # requires PSA ITS - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: !MBEDTLS_PEM_PARSE_C !MBEDTLS_FS_IO - ssl-opt.sh (ASan build)" # ~ 6 min - tests/ssl-opt.sh -} - -component_test_rsa_no_crt () { - msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min - scripts/config.py set MBEDTLS_RSA_NO_CRT - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s - tests/ssl-opt.sh -f RSA - - msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min - tests/compat.sh -t RSA - - msg "test: RSA_NO_CRT - RSA-related part of context-info.sh (ASan build)" # ~ 15 sec - tests/context-info.sh -} - -component_test_no_ctr_drbg_classic () { - msg "build: Full minus CTR_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus CTR_DRBG, classic crypto - main suites" - make test - - # In this configuration, the TLS test programs use HMAC_DRBG. - # The SSL tests are slow, so run a small subset, just enough to get - # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - - msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" - tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL -} - -component_test_no_ctr_drbg_use_psa () { - msg "build: Full minus CTR_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - main suites" - make test - - # In this configuration, the TLS test programs use HMAC_DRBG. - # The SSL tests are slow, so run a small subset, just enough to get - # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - - msg "test: Full minus CTR_DRBG, USE_PSA_CRYPTO - compat.sh (subset)" - tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL -} - -component_test_no_hmac_drbg_classic () { - msg "build: Full minus HMAC_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus HMAC_DRBG, classic crypto - main suites" - make test - - # Normally our ECDSA implementation uses deterministic ECDSA. But since - # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used - # instead. - # Test SSL with non-deterministic ECDSA. Only test features that - # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private: sign' - - # To save time, only test one protocol version, since this part of - # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" - tests/compat.sh -m tls12 -t 'ECDSA' -} - -component_test_no_hmac_drbg_use_psa () { - msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - main suites" - make test - - # Normally our ECDSA implementation uses deterministic ECDSA. But since - # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used - # instead. - # Test SSL with non-deterministic ECDSA. Only test features that - # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private: sign' - - # To save time, only test one protocol version, since this part of - # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, USE_PSA_CRYPTO - compat.sh (ECDSA)" - tests/compat.sh -m tls12 -t 'ECDSA' -} - -component_test_psa_external_rng_no_drbg_classic () { - msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, - # the SSL test programs don't have an RNG and can't work. Explicitly - # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" - make test - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default' -} - -component_test_psa_external_rng_no_drbg_use_psa () { - msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - make test - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|opaque' -} - -component_test_sw_inet_pton () { - msg "build: default plus MBEDTLS_TEST_SW_INET_PTON" - - # MBEDTLS_TEST_HOOKS required for x509_crt_parse_cn_inet_pton - scripts/config.py set MBEDTLS_TEST_HOOKS - make CFLAGS="-DMBEDTLS_TEST_SW_INET_PTON" - - msg "test: default plus MBEDTLS_TEST_SW_INET_PTON" - make test -} - component_test_full_no_cipher () { msg "build: full no CIPHER" @@ -460,233 +258,6 @@ component_test_full_no_cipher () { make test } -component_test_tls1_2_default_stream_cipher_only () { - msg "build: default with only stream cipher use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - # Note: The unset below is to be removed for 4.0 - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only stream cipher use psa" - make test - - # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. -} - -component_test_tls1_2_default_cbc_legacy_cipher_only () { - msg "build: default with only CBC-legacy cipher use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING - # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy cipher use psa" - make test - - msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { - msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" - - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 - # Note: The three unsets below are to be removed for Mbed TLS 4.0 - scripts/config.py unset MBEDTLS_GCM_C - scripts/config.py unset MBEDTLS_CCM_C - scripts/config.py unset MBEDTLS_CHACHAPOLY_C - #Disable TLS 1.3 (as no AEAD) - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING - # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Modules that depend on AEAD - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_TICKET_C - - make - - msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" - make test - - msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f "TLS 1.2" -} - -# We're not aware of any other (open source) implementation of EC J-PAKE in TLS -# that we could use for interop testing. However, we now have sort of two -# implementations ourselves: one using PSA, the other not. At least test that -# these two interoperate with each other. -component_test_tls1_2_ecjpake_compatibility() { - msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" - scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - # Explicitly make lib first to avoid a race condition: - # https://github.com/Mbed-TLS/mbedtls/issues/8229 - make lib - make -C programs ssl/ssl_server2 ssl/ssl_client2 - cp programs/ssl/ssl_server2 s2_no_use_psa - cp programs/ssl/ssl_client2 c2_no_use_psa - - msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" - scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - make clean - make lib - make -C programs ssl/ssl_server2 ssl/ssl_client2 - make -C programs test/udp_proxy test/query_compile_time_config - - msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" - P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" - msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" - P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" - msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" - P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" - msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" - P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" - - rm s2_no_use_psa c2_no_use_psa -} - -component_test_everest () { - msg "build: Everest ECDH context (ASan build)" # ~ 6 min - scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - CC=clang cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s - make test - - msg "test: metatests (clang, ASan)" - tests/scripts/run-metatests.sh any asan poison - - msg "test: Everest ECDH context - ECDH-related part of ssl-opt.sh (ASan build)" # ~ 5s - tests/ssl-opt.sh -f ECDH - - msg "test: Everest ECDH context - compat.sh with some ECDH ciphersuites (ASan build)" # ~ 3 min - # Exclude some symmetric ciphers that are redundant here to gain time. - tests/compat.sh -f ECDH -V NO -e 'ARIA\|CAMELLIA\|CHACHA' -} - -component_test_everest_curve25519_only () { - msg "build: Everest ECDH context, only Curve25519" # ~ 6 min - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_ECDH - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE - - # Disable all curves - scripts/config.py unset-all "MBEDTLS_ECP_DP_[0-9A-Z_a-z]*_ENABLED" - scripts/config.py -f $CRYPTO_CONFIG_H unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" - scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ECC_MONTGOMERY_255 - - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - - msg "test: Everest ECDH context, only Curve25519" # ~ 50s - make test -} - -component_test_small_ssl_out_content_len () { - msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" - tests/ssl-opt.sh -f "Max fragment\|Large packet" -} - -component_test_small_ssl_in_content_len () { - msg "build: small SSL_IN_CONTENT_LEN (ASan build)" - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" - tests/ssl-opt.sh -f "Max fragment" -} - -component_test_small_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" - scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" - tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" -} - -component_test_small_mbedtls_ssl_dtls_max_buffering () { - msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" - scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" - tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" -} - component_test_full_cmake_clang () { msg "build: cmake, full config, clang" # ~ 50s scripts/config.py full @@ -960,41 +531,6 @@ component_test_no_psa_crypto_full_cmake_asan() { env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } -# Common helper for component_full_without_ecdhe_ecdsa() and -# component_full_without_ecdhe_ecdsa_and_tls13() which: -# - starts from the "full" configuration minus the list of symbols passed in -# as 1st parameter -# - build -# - test only TLS (i.e. test_suite_tls and ssl-opt) -build_full_minus_something_and_test_tls () { - symbols_to_disable="$1" - - msg "build: full minus something, test TLS" - - scripts/config.py full - for sym in $symbols_to_disable; do - echo "Disabling $sym" - scripts/config.py unset $sym - done - - make - - msg "test: full minus something, test TLS" - ( cd tests; ./test_suite_ssl ) - - msg "ssl-opt: full minus something, test TLS" - tests/ssl-opt.sh -} - -component_full_without_ecdhe_ecdsa () { - build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" -} - -component_full_without_ecdhe_ecdsa_and_tls13 () { - build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - MBEDTLS_SSL_PROTO_TLS1_3" -} - component_build_tfm() { # Check that the TF-M configuration can build cleanly with various # warning flags enabled. We don't build or run tests, since the @@ -1030,165 +566,6 @@ component_test_no_platform () { make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test } -component_build_no_ssl_srv () { - msg "build: full config except SSL server, make, gcc" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_SSL_SRV_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' -} - -component_build_no_ssl_cli () { - msg "build: full config except SSL client, make, gcc" # ~ 30s - scripts/config.py full - scripts/config.py unset MBEDTLS_SSL_CLI_C - make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' -} - -component_test_memory_buffer_allocator_backtrace () { - msg "build: default config with memory buffer allocator and backtrace enabled" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - scripts/config.py set MBEDTLS_MEMORY_BACKTRACE - scripts/config.py set MBEDTLS_MEMORY_DEBUG - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" - make test -} - -component_test_memory_buffer_allocator () { - msg "build: default config with memory buffer allocator" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" - make test - - msg "test: ssl-opt.sh, MBEDTLS_MEMORY_BUFFER_ALLOC_C" - # MBEDTLS_MEMORY_BUFFER_ALLOC is slow. Skip tests that tend to time out. - tests/ssl-opt.sh -e '^DTLS proxy' -} - -component_test_no_max_fragment_length () { - # Run max fragment length tests with MFL disabled - msg "build: default config except MFL extension (ASan build)" # ~ 30s - scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: ssl-opt.sh, MFL-related tests" - tests/ssl-opt.sh -f "Max fragment length" -} - -component_test_asan_remove_peer_certificate () { - msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" - scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - make test - - msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/ssl-opt.sh - - msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/compat.sh - - msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" - tests/context-info.sh -} - -component_test_no_max_fragment_length_small_ssl_out_content_len () { - msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" - scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 - scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MFL tests (disabled MFL extension case) & large packet tests" - tests/ssl-opt.sh -f "Max fragment length\|Large buffer" - - msg "test: context-info.sh (disabled MFL extension case)" - tests/context-info.sh -} - -component_test_variable_ssl_in_out_buffer_len () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" - tests/compat.sh -} - -component_test_dtls_cid_legacy () { - msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/compat.sh -} - -component_test_ssl_alloc_buffer_and_mfl () { - msg "build: default config with memory buffer allocator and MFL extension" - scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_PLATFORM_MEMORY - scripts/config.py set MBEDTLS_MEMORY_DEBUG - scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - cmake -DCMAKE_BUILD_TYPE:String=Release . - make - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" - make test - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" - tests/ssl-opt.sh -f "Handshake memory usage" -} - -component_test_when_no_ciphersuites_have_mac () { - msg "build: when no ciphersuites have MAC" - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_CMAC_C - - make - - msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" - make test - - msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" - tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' -} - component_test_malloc_0_null () { msg "build: malloc(0) returns NULL (ASan+UBSan build)" scripts/config.py full @@ -1323,197 +700,6 @@ component_test_no_x509_info () { tests/ssl-opt.sh } -component_test_tls12_only () { - msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan" - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: main suites (inc. selftests) (ASan build)" - make test - - msg "test: ssl-opt.sh (ASan build)" - tests/ssl-opt.sh - - msg "test: compat.sh (ASan build)" - tests/compat.sh -} - -component_test_tls13_only () { - msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test: TLS 1.3 only, all key exchange modes enabled" - make test - - msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk () { - msg "build: TLS 1.3 only from default, only PSK key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_DHM_C - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral () { - msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral_ffdh () { - msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - scripts/config.py unset MBEDTLS_ECDH_C - - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_ephemeral () { - msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_ephemeral_ffdh () { - msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - scripts/config.py unset MBEDTLS_ECDH_C - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" - tests/ssl-opt.sh -} - -component_test_tls13_only_psk_all () { - msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED - scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C - scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT - scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_PKCS1_V21 - scripts/config.py unset MBEDTLS_PKCS7_C - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" - tests/ssl-opt.sh -} - -component_test_tls13_only_ephemeral_all () { - msg "build: TLS 1.3 only from default, without PSK key exchange mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" - - msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" - cd tests; ./test_suite_ssl; cd .. - - msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" - tests/ssl-opt.sh -} - -component_test_tls13_no_padding () { - msg "build: default config plus early data minus padding" - scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - msg "test: default config plus early data minus padding" - make test - msg "ssl-opt.sh (TLS 1.3 no padding)" - tests/ssl-opt.sh -} - -component_test_tls13_no_compatibility_mode () { - msg "build: default config plus early data minus middlebox compatibility mode" - scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE - scripts/config.py set MBEDTLS_SSL_EARLY_DATA - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - msg "test: default config plus early data minus middlebox compatibility mode" - make test - msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" - tests/ssl-opt.sh -} - -component_test_full_minus_session_tickets() { - msg "build: full config without session tickets" - scripts/config.py full - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS - scripts/config.py unset MBEDTLS_SSL_EARLY_DATA - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - msg "test: full config without session tickets" - make test - msg "ssl-opt.sh (full config without session tickets)" - tests/ssl-opt.sh -} - component_test_memsan () { msg "build: MSan (clang)" # ~ 1 min 20s scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm