Merge remote-tracking branch 'public/pr/2889' into baremetal
diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h
index 33b5167..7a03777 100644
--- a/configs/baremetal_test.h
+++ b/configs/baremetal_test.h
@@ -43,6 +43,9 @@
 /* Use Mbed TLS' timer implementation for Linux. */
 #define MBEDTLS_TIMING_C
 
+/* Needed for certificates in ssl_opt.sh */
+#define MBEDTLS_FS_IO
+
 #undef MBEDTLS_NO_PLATFORM_ENTROPY
 
 #undef  MBEDTLS_ENTROPY_MAX_SOURCES
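Review bot: Enabling MBEDTLS_FS_IO here makes the configuration that ssl_opt.sh exercises diverge from what an actual bare-metal target without a filesystem would build, so results obtained with this config no longer cover that target exactly; the one-line comment should make the test-harness concession explicit. Suggested wording: `/* Test-only: ssl_opt.sh loads certificates and keys from files (key_file=/crt_file=). A real bare-metal build has no filesystem and must not set this. */`. Whether anything else in this config now silently compiles in file-backed code paths is not visible from the hunk and is worth checking.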
diff --git a/library/platform_util.c b/library/platform_util.c
index db46fe9..1a0fefa 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -142,7 +142,10 @@
 
 uint32_t mbedtls_platform_random_in_range( size_t num )
 {
-#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    /* Temporary force the dummy version - drawing directly from the HRNG
+     * seems to be causing issues, avoid doing that until we understood the
+     * issue, and perhaps we'll need to draw from a DRBG instead. */
+#if 1 || !defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
     (void) num;
     return 0;
 #else
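Review bot: With `#if 1 ||` the dummy branch is compiled unconditionally, so mbedtls_platform_random_in_range() returns a constant 0 for every caller in every build, including MBEDTLS_ENTROPY_HARDWARE_ALT builds that previously drew from the hardware RNG, and whatever randomisation callers rely on this function for is silently gone. A literal `1` in the condition is easy to forget and invisible to anyone reading the configuration, so prefer an explicit, greppable switch plus a compile-time warning, e.g. `#warning "mbedtls_platform_random_in_range() currently returns a constant 0 (temporary workaround)"` next to the `#if`. The comment should also read "Temporarily" and record what the observed HRNG problem was, so the workaround can be reverted once it is understood. The function's `#else` branch and the rest of its body lie outside the hunk.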
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
index 388865b..850237a 100644
--- a/tests/data_files/Readme-x509.txt
+++ b/tests/data_files/Readme-x509.txt
@@ -107,6 +107,7 @@
     _int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
     _int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
  - server11.crt: 3 E, secp256r1 curve
+    -bad.crt.der: S11 with corrupted public key and signature
 
 Certificate revocation lists
 ----------------------------
diff --git a/tests/data_files/ec_256_pub.der b/tests/data_files/ec_256_pub.der
new file mode 100644
index 0000000..2ba2595
--- /dev/null
+++ b/tests/data_files/ec_256_pub.der
Binary files differ
diff --git a/tests/data_files/server11-bad.crt.der b/tests/data_files/server11-bad.crt.der
new file mode 100644
index 0000000..0a782a7
--- /dev/null
+++ b/tests/data_files/server11-bad.crt.der
Binary files differ
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index a6ad765..cd0b031 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -656,7 +656,6 @@
             SKIP_NEXT="YES"
         elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
                   ( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
-            echo "FORCE SKIP"
             SKIP_NEXT="YES"
         fi
 
@@ -2376,6 +2375,17 @@
             -C "session hash for extended master secret" \
             -S "session hash for extended master secret"
 
+run_test    "Extended Master Secret: both enabled, both enforcing, DTLS" \
+            "$P_SRV dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
+            "$P_CLI dtls=1 debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
+            0 \
+            -c "client hello, adding extended_master_secret extension" \
+            -s "found extended master secret extension" \
+            -s "server hello, adding extended master secret extension" \
+            -c "found extended_master_secret extension" \
+            -c "session hash for extended master secret" \
+            -s "session hash for extended master secret"
+
 # Tests for FALLBACK_SCSV
 
 run_test    "Fallback SCSV: default" \
@@ -3777,6 +3787,25 @@
             -c "! Certificate verification flags"\
             -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
 
+requires_config_enabled MBEDTLS_USE_TINYCRYPT
+run_test    "Authentication: DTLS server ECDH p256, client required, server goodcert" \
+            "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
+             crt_file=data_files/server11.crt.der" \
+            "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
+            0 \
+            -C "bad certificate (EC key curve)"\
+            -C "! Certificate verification flags"\
+            -C "! mbedtls_ssl_handshake returned"
+
+requires_config_enabled MBEDTLS_USE_TINYCRYPT
+run_test    "Authentication: DTLS server ECDH p256, client required, server badcert" \
+            "$P_SRV dtls=1 debug_level=1 key_file=data_files/server11.key.der \
+             crt_file=data_files/server11-bad.crt.der" \
+            "$P_CLI dtls=1 debug_level=3 auth_mode=required" \
+            1 \
+            -c "! Certificate verification flags"\
+            -c "! mbedtls_ssl_handshake returned"
+
 run_test    "Authentication: server badcert, client none" \
             "$P_SRV crt_file=data_files/server5-badsign.crt \
              key_file=data_files/server5.key" \
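Review bot: The "server badcert" test pins only that verification failed, not why — unlike the test immediately above it in the hunk, which also checks the specific reason line — so any verification failure, including one unrelated to the corrupted key (a CA mismatch, for instance), satisfies `-c "! Certificate verification flags"`. Add the client's specific reason as an extra `-c` pattern once confirmed from ssl_client2's debug output (debug_level=3 is already set). The "goodcert" test carries only negative `-C` assertions, so it also passes if no verification takes place at all; a positive assertion that the peer certificate was actually verified (the client's verify-success log line, if it prints one) would make it meaningful.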
@@ -4825,6 +4854,12 @@
             0 \
             -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
 
+run_test    "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA p256" \
+            "$P_SRV dtls=1 key_file=data_files/server11.key.der \
+             crt_file=data_files/server11.crt.der" \
+            "$P_CLI dtls=1 ca_file=data_files/test-ca3.crt.der" \
+            0 \
+            -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
 
 run_test    "keyUsage srv: ECDSA, keyAgreement -> ECDH-" \
             "$P_SRV key_file=data_files/server5.key \
@@ -5641,6 +5676,13 @@
             0 \
             -s "Read from client: 1 bytes read"
 
+run_test    "Small client packet DTLS, ECDHE-ECDSA" \
+            "$P_SRV dtls=1" \
+            "$P_CLI dtls=1 request_size=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+            0 \
+            -s "Read from client: 1 bytes read"
+
 # Tests for small server packets
 
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
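Review bot: This test forces TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 without a `requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8` guard, whereas the two "Force an ECC ciphersuite with CCM" tests added later in this same commit guard the same suite; in a configuration where the suite is disabled this test would fail instead of being skipped. Add the guard line directly before `run_test`.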
@@ -5922,6 +5964,13 @@
             0 \
             -c "Read from server: 1 bytes read"
 
+run_test    "Small server packet DTLS, ECDHE-ECDSA" \
+            "$P_SRV dtls=1 response_size=1" \
+            "$P_CLI dtls=1 \
+             force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+            0 \
+            -c "Read from server: 1 bytes read"
+
 # A test for extensions in SSLv3
 
 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
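Review bot: Like its client-side counterpart, this test forces TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 with no `requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8` guard, so a build without that suite reports a failure rather than a skip. Add the guard line before `run_test`, consistent with the "Force an ECC ciphersuite with CCM" tests added later in this commit.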
@@ -6957,6 +7006,24 @@
             -c "found supported_point_formats extension" \
             -s "server hello, supported_point_formats extension"
 
+requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
+run_test    "Force an ECC ciphersuite with CCM in the client side" \
+            "$P_SRV dtls=1 debug_level=3" \
+            "$P_CLI dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+            0 \
+            -c "client hello, adding supported_elliptic_curves extension" \
+            -c "client hello, adding supported_point_formats extension" \
+            -s "found supported elliptic curves extension" \
+            -s "found supported point formats extension"
+
+requires_ciphersuite_enabled TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8
+run_test    "Force an ECC ciphersuite with CCM in the server side" \
+            "$P_SRV dtls=1 debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
+            "$P_CLI dtls=1 debug_level=3" \
+            0 \
+            -c "found supported_point_formats extension" \
+            -s "server hello, supported_point_formats extension"
+
 # Tests for DTLS HelloVerifyRequest
 
 run_test    "DTLS cookie: enabled" \
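Review bot: Neither new test asserts that the forced suite was the one actually negotiated; the server-side test in particular checks only the point_formats extension exchange, so it passes as long as some ECC handshake completed. Add `-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8"` to both tests, matching how the keyUsage tests in this file pin the negotiated suite. The titles also do not mention DTLS although both sides pass `dtls=1`.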
@@ -6981,7 +7048,6 @@
             -S "hello verification requested" \
             -S "SSL - The requested feature is not available"
 
-requires_config_enabled MBEDTLS_ERROR_C
 run_test    "DTLS cookie: default (failing)" \
             "$P_SRV dtls=1 debug_level=2 cookies=-1" \
             "$P_CLI dtls=1 debug_level=2 hs_timeout=100-400" \
@@ -6990,8 +7056,7 @@
             -S "cookie verification passed" \
             -S "cookie verification skipped" \
             -C "received hello verify request" \
-            -S "hello verification requested" \
-            -s "SSL - The requested feature is not available"
+            -S "hello verification requested"
 
 requires_ipv6
 run_test    "DTLS cookie: enabled, IPv6" \
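Review bot: Dropping `-s "SSL - The requested feature is not available"` removes the only positive assertion from "DTLS cookie: default (failing)"; what remains are `-S`/`-C` absence checks, which are equally satisfied when the handshake fails for an unrelated reason, so the test no longer demonstrates that the server refused because no cookie callback is configured. If the string was removed because MBEDTLS_ERROR_C may be off in the baremetal config (the `requires_config_enabled MBEDTLS_ERROR_C` line is removed in the hunk just above), keep a positive check that does not depend on error strings — the numeric error code ssl_server2 prints on handshake failure, if it prints one. The test's expected exit code sits between the two hunks and is not visible here.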
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index 5bdbea0..c8f4d70 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -154,7 +154,7 @@
 
 Check pair #2 (EC, bad, TinyCrypt)
 depends_on:MBEDTLS_USE_TINYCRYPT
-mbedtls_pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":MBEDTLS_ERR_PK_BAD_INPUT_DATA
+mbedtls_pk_check_pair:"data_files/ec_256_pub.der":"data_files/server5.key.der":MBEDTLS_ERR_PK_BAD_INPUT_DATA
 
 Check pair #3 (RSA, OK)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
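Review bot: The test now reads `data_files/server5.key.der`, but this diff only adds `ec_256_pub.der`, the other .der operand; if `server5.key.der` is not already present in tests/data_files the case fails on file I/O rather than on the key-pair check. Worth confirming the file exists before merging. Since the switch from .pem presumably reflects PEM parsing being unavailable in this configuration, a short comment in the .data file saying so would stop a future reader from reverting it.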