| Minos Galanakis | 6aab5b7 | 2024-07-25 14:24:37 +0100 | [diff] [blame] | 1 | # components-configuration-tls.sh | 
|  | 2 | # | 
|  | 3 | # Copyright The Mbed TLS Contributors | 
|  | 4 | # SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later | 
|  | 5 |  | 
| Minos Galanakis | 609f749 | 2024-07-31 16:39:28 +0100 | [diff] [blame] | 6 | # This file contains test components that are executed by all.sh | 
| Minos Galanakis | 6aab5b7 | 2024-07-25 14:24:37 +0100 | [diff] [blame] | 7 |  | 
|  | 8 | ################################################################ | 
|  | 9 | #### Configuration Testing - TLS | 
|  | 10 | ################################################################ | 
|  | 11 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 12 | component_test_config_suite_b () { | 
|  | 13 | msg "build: configs/config-suite-b.h" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 14 | cp configs/config-suite-b.h "$CONFIG_H" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 15 | # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake | 
|  | 16 | # want to re-generate generated files that depend on it, quite correctly. | 
|  | 17 | # However this doesn't work as the generation script expects a specific | 
|  | 18 | # format for mbedtls_config.h, which the other files don't follow. Also, | 
|  | 19 | # cmake can't know this, but re-generation is actually not necessary as | 
|  | 20 | # the generated files only depend on the list of available options, not | 
|  | 21 | # whether they're on or off. So, disable cmake's (over-sensitive here) | 
|  | 22 | # dependency resolution for generated files and just rely on them being | 
|  | 23 | # present (thanks to pre_generate_files) by turning GEN_FILES off. | 
|  | 24 | CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 25 | make | 
|  | 26 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 27 | msg "test: configs/config-suite-b.h - unit tests" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 28 | make test | 
|  | 29 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 30 | msg "test: configs/config-suite-b.h - compat.sh" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 31 | tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS | 
|  | 32 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 33 | msg "build: configs/config-suite-b.h + DEBUG" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 34 | MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" | 
|  | 35 | make clean | 
|  | 36 | scripts/config.py set MBEDTLS_DEBUG_C | 
|  | 37 | scripts/config.py set MBEDTLS_ERROR_C | 
|  | 38 | make ssl-opt | 
|  | 39 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 40 | msg "test: configs/config-suite-b.h + DEBUG - ssl-opt.sh" | 
| Gilles Peskine | b6d4913 | 2024-09-14 11:21:29 +0200 | [diff] [blame] | 41 | tests/ssl-opt.sh | 
|  | 42 | } | 
|  | 43 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 44 | component_test_no_renegotiation () { | 
|  | 45 | msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min | 
|  | 46 | scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION | 
|  | 47 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 48 | make | 
|  | 49 |  | 
|  | 50 | msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s | 
|  | 51 | make test | 
|  | 52 |  | 
|  | 53 | msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min | 
|  | 54 | tests/ssl-opt.sh | 
|  | 55 | } | 
|  | 56 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 57 | component_test_tls1_2_default_stream_cipher_only () { | 
|  | 58 | msg "build: default with only stream cipher use psa" | 
|  | 59 |  | 
|  | 60 | scripts/config.py set MBEDTLS_USE_PSA_CRYPTO | 
|  | 61 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 62 | # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) | 
|  | 63 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM | 
|  | 64 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG | 
|  | 65 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM | 
|  | 66 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 | 
|  | 67 | # Note: The three unsets below are to be removed for Mbed TLS 4.0 | 
|  | 68 | scripts/config.py unset MBEDTLS_GCM_C | 
|  | 69 | scripts/config.py unset MBEDTLS_CCM_C | 
|  | 70 | scripts/config.py unset MBEDTLS_CHACHAPOLY_C | 
|  | 71 | #Disable TLS 1.3 (as no AEAD) | 
|  | 72 | scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 | 
|  | 73 | # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC | 
|  | 74 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING | 
|  | 75 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 | 
|  | 76 | # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) | 
|  | 77 | # Note: The unset below is to be removed for 4.0 | 
|  | 78 | scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC | 
|  | 79 | # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) | 
|  | 80 | scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC | 
|  | 81 | # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) | 
|  | 82 | scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER | 
|  | 83 | # Modules that depend on AEAD | 
|  | 84 | scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION | 
|  | 85 | scripts/config.py unset MBEDTLS_SSL_TICKET_C | 
|  | 86 |  | 
|  | 87 | make | 
|  | 88 |  | 
|  | 89 | msg "test: default with only stream cipher use psa" | 
|  | 90 | make test | 
|  | 91 |  | 
|  | 92 | # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. | 
|  | 93 | } | 
|  | 94 |  | 
|  | 95 | component_test_tls1_2_default_cbc_legacy_cipher_only () { | 
|  | 96 | msg "build: default with only CBC-legacy cipher use psa" | 
|  | 97 |  | 
|  | 98 | scripts/config.py set MBEDTLS_USE_PSA_CRYPTO | 
|  | 99 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 100 | # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) | 
|  | 101 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM | 
|  | 102 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG | 
|  | 103 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM | 
|  | 104 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 | 
|  | 105 | # Note: The three unsets below are to be removed for Mbed TLS 4.0 | 
|  | 106 | scripts/config.py unset MBEDTLS_GCM_C | 
|  | 107 | scripts/config.py unset MBEDTLS_CCM_C | 
|  | 108 | scripts/config.py unset MBEDTLS_CHACHAPOLY_C | 
|  | 109 | #Disable TLS 1.3 (as no AEAD) | 
|  | 110 | scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 | 
|  | 111 | # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) | 
|  | 112 | scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING | 
|  | 113 | # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) | 
|  | 114 | scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC | 
|  | 115 | # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) | 
|  | 116 | scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER | 
|  | 117 | # Modules that depend on AEAD | 
|  | 118 | scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION | 
|  | 119 | scripts/config.py unset MBEDTLS_SSL_TICKET_C | 
|  | 120 |  | 
|  | 121 | make | 
|  | 122 |  | 
|  | 123 | msg "test: default with only CBC-legacy cipher use psa" | 
|  | 124 | make test | 
|  | 125 |  | 
|  | 126 | msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" | 
|  | 127 | tests/ssl-opt.sh -f "TLS 1.2" | 
|  | 128 | } | 
|  | 129 |  | 
|  | 130 | component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { | 
|  | 131 | msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" | 
|  | 132 |  | 
|  | 133 | scripts/config.py set MBEDTLS_USE_PSA_CRYPTO | 
|  | 134 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 135 | # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) | 
|  | 136 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM | 
|  | 137 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG | 
|  | 138 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM | 
|  | 139 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 | 
|  | 140 | # Note: The three unsets below are to be removed for Mbed TLS 4.0 | 
|  | 141 | scripts/config.py unset MBEDTLS_GCM_C | 
|  | 142 | scripts/config.py unset MBEDTLS_CCM_C | 
|  | 143 | scripts/config.py unset MBEDTLS_CHACHAPOLY_C | 
|  | 144 | #Disable TLS 1.3 (as no AEAD) | 
|  | 145 | scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 | 
|  | 146 | # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) | 
|  | 147 | scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING | 
|  | 148 | # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) | 
|  | 149 | scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC | 
|  | 150 | # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) | 
|  | 151 | scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER | 
|  | 152 | # Modules that depend on AEAD | 
|  | 153 | scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION | 
|  | 154 | scripts/config.py unset MBEDTLS_SSL_TICKET_C | 
|  | 155 |  | 
|  | 156 | make | 
|  | 157 |  | 
|  | 158 | msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" | 
|  | 159 | make test | 
|  | 160 |  | 
|  | 161 | msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" | 
|  | 162 | tests/ssl-opt.sh -f "TLS 1.2" | 
|  | 163 | } | 
|  | 164 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 165 | component_test_config_thread () { | 
|  | 166 | msg "build: configs/config-thread.h" | 
| Gilles Peskine | 86ceb13 | 2024-09-14 11:24:07 +0200 | [diff] [blame] | 167 | cp configs/config-thread.h "$CONFIG_H" | 
| Gilles Peskine | 86ceb13 | 2024-09-14 11:24:07 +0200 | [diff] [blame] | 168 | # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake | 
|  | 169 | # want to re-generate generated files that depend on it, quite correctly. | 
|  | 170 | # However this doesn't work as the generation script expects a specific | 
|  | 171 | # format for mbedtls_config.h, which the other files don't follow. Also, | 
|  | 172 | # cmake can't know this, but re-generation is actually not necessary as | 
|  | 173 | # the generated files only depend on the list of available options, not | 
|  | 174 | # whether they're on or off. So, disable cmake's (over-sensitive here) | 
|  | 175 | # dependency resolution for generated files and just rely on them being | 
|  | 176 | # present (thanks to pre_generate_files) by turning GEN_FILES off. | 
|  | 177 | CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 178 | make | 
|  | 179 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 180 | msg "test: configs/config-thread.h - unit tests" | 
| Gilles Peskine | 86ceb13 | 2024-09-14 11:24:07 +0200 | [diff] [blame] | 181 | make test | 
|  | 182 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 183 | msg "test: configs/config-thread.h - ssl-opt.sh" | 
| Gilles Peskine | 86ceb13 | 2024-09-14 11:24:07 +0200 | [diff] [blame] | 184 | tests/ssl-opt.sh -f 'ECJPAKE.*nolog' | 
|  | 185 | } | 
|  | 186 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 187 | # We're not aware of any other (open source) implementation of EC J-PAKE in TLS | 
|  | 188 | # that we could use for interop testing. However, we now have sort of two | 
|  | 189 | # implementations ourselves: one using PSA, the other not. At least test that | 
|  | 190 | # these two interoperate with each other. | 
| Minos Galanakis | f78447f | 2024-07-26 20:49:51 +0100 | [diff] [blame] | 191 | component_test_tls1_2_ecjpake_compatibility () { | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 192 | msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" | 
|  | 193 | scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | 
|  | 194 | # Explicitly make lib first to avoid a race condition: | 
|  | 195 | # https://github.com/Mbed-TLS/mbedtls/issues/8229 | 
|  | 196 | make lib | 
|  | 197 | make -C programs ssl/ssl_server2 ssl/ssl_client2 | 
|  | 198 | cp programs/ssl/ssl_server2 s2_no_use_psa | 
|  | 199 | cp programs/ssl/ssl_client2 c2_no_use_psa | 
|  | 200 |  | 
|  | 201 | msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" | 
|  | 202 | scripts/config.py set MBEDTLS_USE_PSA_CRYPTO | 
|  | 203 | make clean | 
|  | 204 | make lib | 
|  | 205 | make -C programs ssl/ssl_server2 ssl/ssl_client2 | 
|  | 206 | make -C programs test/udp_proxy test/query_compile_time_config | 
|  | 207 |  | 
|  | 208 | msg "test: server w/o USE_PSA - client w/ USE_PSA, text password" | 
|  | 209 | P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" | 
|  | 210 | msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password" | 
|  | 211 | P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS" | 
|  | 212 | msg "test: client w/o USE_PSA - server w/ USE_PSA, text password" | 
|  | 213 | P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS" | 
|  | 214 | msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password" | 
|  | 215 | P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS" | 
|  | 216 |  | 
|  | 217 | rm s2_no_use_psa c2_no_use_psa | 
|  | 218 | } | 
|  | 219 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 220 | component_test_tls1_2_ccm_psk () { | 
|  | 221 | msg "build: configs/config-ccm-psk-tls1_2.h" | 
| Gilles Peskine | 063fb8c | 2024-09-14 11:10:05 +0200 | [diff] [blame] | 222 | cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H" | 
| Gilles Peskine | 063fb8c | 2024-09-14 11:10:05 +0200 | [diff] [blame] | 223 | # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake | 
|  | 224 | # want to re-generate generated files that depend on it, quite correctly. | 
|  | 225 | # However this doesn't work as the generation script expects a specific | 
|  | 226 | # format for mbedtls_config.h, which the other files don't follow. Also, | 
|  | 227 | # cmake can't know this, but re-generation is actually not necessary as | 
|  | 228 | # the generated files only depend on the list of available options, not | 
|  | 229 | # whether they're on or off. So, disable cmake's (over-sensitive here) | 
|  | 230 | # dependency resolution for generated files and just rely on them being | 
|  | 231 | # present (thanks to pre_generate_files) by turning GEN_FILES off. | 
|  | 232 | CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 233 | make | 
|  | 234 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 235 | msg "test: configs/config-ccm-psk-tls1_2.h - unit tests" | 
| Gilles Peskine | 063fb8c | 2024-09-14 11:10:05 +0200 | [diff] [blame] | 236 | make test | 
|  | 237 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 238 | msg "test: configs/config-ccm-psk-tls1_2.h - compat.sh" | 
| Gilles Peskine | 063fb8c | 2024-09-14 11:10:05 +0200 | [diff] [blame] | 239 | tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' | 
|  | 240 | } | 
|  | 241 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 242 | component_test_tls1_2_ccm_psk_dtls () { | 
|  | 243 | msg "build: configs/config-ccm-psk-dtls1_2.h" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 244 | cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 245 | # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake | 
|  | 246 | # want to re-generate generated files that depend on it, quite correctly. | 
|  | 247 | # However this doesn't work as the generation script expects a specific | 
|  | 248 | # format for mbedtls_config.h, which the other files don't follow. Also, | 
|  | 249 | # cmake can't know this, but re-generation is actually not necessary as | 
|  | 250 | # the generated files only depend on the list of available options, not | 
|  | 251 | # whether they're on or off. So, disable cmake's (over-sensitive here) | 
|  | 252 | # dependency resolution for generated files and just rely on them being | 
|  | 253 | # present (thanks to pre_generate_files) by turning GEN_FILES off. | 
|  | 254 | CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 255 | make | 
|  | 256 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 257 | msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 258 | make test | 
|  | 259 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 260 | msg "test: configs/config-ccm-psk-dtls1_2.h - compat.sh" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 261 | tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8' | 
|  | 262 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 263 | msg "build: configs/config-ccm-psk-dtls1_2.h + DEBUG" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 264 | MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG" | 
|  | 265 | make clean | 
|  | 266 | scripts/config.py set MBEDTLS_DEBUG_C | 
|  | 267 | scripts/config.py set MBEDTLS_ERROR_C | 
|  | 268 | make ssl-opt | 
|  | 269 |  | 
| Gilles Peskine | ea5de2b | 2024-09-19 18:41:55 +0200 | [diff] [blame] | 270 | msg "test: configs/config-ccm-psk-dtls1_2.h + DEBUG - ssl-opt.sh" | 
| Gilles Peskine | 68f511e | 2024-09-14 11:19:31 +0200 | [diff] [blame] | 271 | tests/ssl-opt.sh | 
|  | 272 | } | 
|  | 273 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 274 | component_test_small_ssl_out_content_len () { | 
|  | 275 | msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" | 
|  | 276 | scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 | 
|  | 277 | scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 | 
|  | 278 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 279 | make | 
|  | 280 |  | 
|  | 281 | msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" | 
|  | 282 | tests/ssl-opt.sh -f "Max fragment\|Large packet" | 
|  | 283 | } | 
|  | 284 |  | 
|  | 285 | component_test_small_ssl_in_content_len () { | 
|  | 286 | msg "build: small SSL_IN_CONTENT_LEN (ASan build)" | 
|  | 287 | scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096 | 
|  | 288 | scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 | 
|  | 289 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 290 | make | 
|  | 291 |  | 
|  | 292 | msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" | 
|  | 293 | tests/ssl-opt.sh -f "Max fragment" | 
|  | 294 | } | 
|  | 295 |  | 
|  | 296 | component_test_small_ssl_dtls_max_buffering () { | 
|  | 297 | msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" | 
|  | 298 | scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 | 
|  | 299 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 300 | make | 
|  | 301 |  | 
|  | 302 | msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" | 
|  | 303 | tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" | 
|  | 304 | } | 
|  | 305 |  | 
|  | 306 | component_test_small_mbedtls_ssl_dtls_max_buffering () { | 
|  | 307 | msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" | 
|  | 308 | scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190 | 
|  | 309 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 310 | make | 
|  | 311 |  | 
|  | 312 | msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" | 
|  | 313 | tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" | 
|  | 314 | } | 
|  | 315 |  | 
|  | 316 | # Common helper for component_full_without_ecdhe_ecdsa() and | 
|  | 317 | # component_full_without_ecdhe_ecdsa_and_tls13() which: | 
|  | 318 | # - starts from the "full" configuration minus the list of symbols passed in | 
|  | 319 | #   as 1st parameter | 
|  | 320 | # - build | 
|  | 321 | # - test only TLS (i.e. test_suite_tls and ssl-opt) | 
|  | 322 | build_full_minus_something_and_test_tls () { | 
|  | 323 | symbols_to_disable="$1" | 
|  | 324 |  | 
|  | 325 | msg "build: full minus something, test TLS" | 
|  | 326 |  | 
|  | 327 | scripts/config.py full | 
|  | 328 | for sym in $symbols_to_disable; do | 
|  | 329 | echo "Disabling $sym" | 
|  | 330 | scripts/config.py unset $sym | 
|  | 331 | done | 
|  | 332 |  | 
|  | 333 | make | 
|  | 334 |  | 
|  | 335 | msg "test: full minus something, test TLS" | 
|  | 336 | ( cd tests; ./test_suite_ssl ) | 
|  | 337 |  | 
|  | 338 | msg "ssl-opt: full minus something, test TLS" | 
|  | 339 | tests/ssl-opt.sh | 
|  | 340 | } | 
|  | 341 |  | 
|  | 342 | component_full_without_ecdhe_ecdsa () { | 
|  | 343 | build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" | 
|  | 344 | } | 
|  | 345 |  | 
|  | 346 | component_full_without_ecdhe_ecdsa_and_tls13 () { | 
|  | 347 | build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | 
|  | 348 | MBEDTLS_SSL_PROTO_TLS1_3" | 
|  | 349 | } | 
|  | 350 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 351 | component_build_no_ssl_srv () { | 
|  | 352 | msg "build: full config except SSL server, make, gcc" # ~ 30s | 
|  | 353 | scripts/config.py full | 
|  | 354 | scripts/config.py unset MBEDTLS_SSL_SRV_C | 
| Minos Galanakis | a368c8a | 2024-08-06 12:06:51 +0100 | [diff] [blame] | 355 | make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes' | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 356 | } | 
|  | 357 |  | 
|  | 358 | component_build_no_ssl_cli () { | 
|  | 359 | msg "build: full config except SSL client, make, gcc" # ~ 30s | 
|  | 360 | scripts/config.py full | 
|  | 361 | scripts/config.py unset MBEDTLS_SSL_CLI_C | 
| Minos Galanakis | a368c8a | 2024-08-06 12:06:51 +0100 | [diff] [blame] | 362 | make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes' | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 363 | } | 
|  | 364 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 365 | component_test_no_max_fragment_length () { | 
|  | 366 | # Run max fragment length tests with MFL disabled | 
|  | 367 | msg "build: default config except MFL extension (ASan build)" # ~ 30s | 
|  | 368 | scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | 
|  | 369 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 370 | make | 
|  | 371 |  | 
|  | 372 | msg "test: ssl-opt.sh, MFL-related tests" | 
|  | 373 | tests/ssl-opt.sh -f "Max fragment length" | 
|  | 374 | } | 
|  | 375 |  | 
|  | 376 | component_test_asan_remove_peer_certificate () { | 
|  | 377 | msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" | 
|  | 378 | scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE | 
|  | 379 | scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 | 
|  | 380 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 381 | make | 
|  | 382 |  | 
|  | 383 | msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" | 
|  | 384 | make test | 
|  | 385 |  | 
|  | 386 | msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" | 
|  | 387 | tests/ssl-opt.sh | 
|  | 388 |  | 
|  | 389 | msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" | 
|  | 390 | tests/compat.sh | 
|  | 391 |  | 
|  | 392 | msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" | 
|  | 393 | tests/context-info.sh | 
|  | 394 | } | 
|  | 395 |  | 
|  | 396 | component_test_no_max_fragment_length_small_ssl_out_content_len () { | 
|  | 397 | msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" | 
|  | 398 | scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | 
|  | 399 | scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384 | 
|  | 400 | scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 | 
|  | 401 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 402 | make | 
|  | 403 |  | 
|  | 404 | msg "test: MFL tests (disabled MFL extension case) & large packet tests" | 
|  | 405 | tests/ssl-opt.sh -f "Max fragment length\|Large buffer" | 
|  | 406 |  | 
|  | 407 | msg "test: context-info.sh (disabled MFL extension case)" | 
|  | 408 | tests/context-info.sh | 
|  | 409 | } | 
|  | 410 |  | 
|  | 411 | component_test_variable_ssl_in_out_buffer_len () { | 
|  | 412 | msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)" | 
|  | 413 | scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | 
|  | 414 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 415 | make | 
|  | 416 |  | 
|  | 417 | msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" | 
|  | 418 | make test | 
|  | 419 |  | 
|  | 420 | msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" | 
|  | 421 | tests/ssl-opt.sh | 
|  | 422 |  | 
|  | 423 | msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled" | 
|  | 424 | tests/compat.sh | 
|  | 425 | } | 
|  | 426 |  | 
|  | 427 | component_test_dtls_cid_legacy () { | 
|  | 428 | msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" | 
|  | 429 | scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 | 
|  | 430 |  | 
|  | 431 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 432 | make | 
|  | 433 |  | 
|  | 434 | msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" | 
|  | 435 | make test | 
|  | 436 |  | 
|  | 437 | msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" | 
|  | 438 | tests/ssl-opt.sh | 
|  | 439 |  | 
|  | 440 | msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" | 
|  | 441 | tests/compat.sh | 
|  | 442 | } | 
|  | 443 |  | 
|  | 444 | component_test_ssl_alloc_buffer_and_mfl () { | 
|  | 445 | msg "build: default config with memory buffer allocator and MFL extension" | 
|  | 446 | scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C | 
|  | 447 | scripts/config.py set MBEDTLS_PLATFORM_MEMORY | 
|  | 448 | scripts/config.py set MBEDTLS_MEMORY_DEBUG | 
|  | 449 | scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH | 
|  | 450 | scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH | 
|  | 451 | cmake -DCMAKE_BUILD_TYPE:String=Release . | 
|  | 452 | make | 
|  | 453 |  | 
|  | 454 | msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" | 
|  | 455 | make test | 
|  | 456 |  | 
|  | 457 | msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH" | 
|  | 458 | tests/ssl-opt.sh -f "Handshake memory usage" | 
|  | 459 | } | 
|  | 460 |  | 
|  | 461 | component_test_when_no_ciphersuites_have_mac () { | 
|  | 462 | msg "build: when no ciphersuites have MAC" | 
|  | 463 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 464 | scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING | 
|  | 465 | scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 | 
|  | 466 | scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC | 
|  | 467 | scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 | 
|  | 468 |  | 
|  | 469 | scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER | 
|  | 470 | scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC | 
|  | 471 | scripts/config.py unset MBEDTLS_CMAC_C | 
|  | 472 |  | 
|  | 473 | make | 
|  | 474 |  | 
|  | 475 | msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" | 
|  | 476 | make test | 
|  | 477 |  | 
|  | 478 | msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC" | 
|  | 479 | tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' | 
|  | 480 | } | 
|  | 481 |  | 
|  | 482 | component_test_tls12_only () { | 
|  | 483 | msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan" | 
|  | 484 | scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 | 
|  | 485 | CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 486 | make | 
|  | 487 |  | 
|  | 488 | msg "test: main suites (inc. selftests) (ASan build)" | 
|  | 489 | make test | 
|  | 490 |  | 
|  | 491 | msg "test: ssl-opt.sh (ASan build)" | 
|  | 492 | tests/ssl-opt.sh | 
|  | 493 |  | 
|  | 494 | msg "test: compat.sh (ASan build)" | 
|  | 495 | tests/compat.sh | 
|  | 496 | } | 
|  | 497 |  | 
|  | 498 | component_test_tls13_only () { | 
|  | 499 | msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" | 
|  | 500 | scripts/config.py set MBEDTLS_SSL_EARLY_DATA | 
|  | 501 | scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT | 
|  | 502 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 503 |  | 
|  | 504 | msg "test: TLS 1.3 only, all key exchange modes enabled" | 
|  | 505 | make test | 
|  | 506 |  | 
|  | 507 | msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled" | 
|  | 508 | tests/ssl-opt.sh | 
|  | 509 | } | 
|  | 510 |  | 
|  | 511 | component_test_tls13_only_psk () { | 
|  | 512 | msg "build: TLS 1.3 only from default, only PSK key exchange mode" | 
|  | 513 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | 
|  | 514 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 515 | scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C | 
|  | 516 | scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT | 
|  | 517 | scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 518 | scripts/config.py unset MBEDTLS_PKCS7_C | 
|  | 519 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 520 |  | 
|  | 521 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 522 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH | 
|  | 523 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA | 
|  | 524 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA | 
|  | 525 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP | 
|  | 526 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS | 
|  | 527 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH | 
|  | 528 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY | 
|  | 529 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC | 
|  | 530 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT | 
|  | 531 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT | 
|  | 532 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE | 
|  | 533 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048 | 
|  | 534 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072 | 
|  | 535 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096 | 
|  | 536 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144 | 
|  | 537 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192 | 
| Ronald Cron | 4153ebb | 2024-09-11 15:32:48 +0200 | [diff] [blame] | 538 | # Note: The four unsets below are to be removed for Mbed TLS 4.0 | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 539 | scripts/config.py unset MBEDTLS_ECDH_C | 
|  | 540 | scripts/config.py unset MBEDTLS_ECDSA_C | 
|  | 541 | scripts/config.py unset MBEDTLS_PKCS1_V21 | 
|  | 542 | scripts/config.py unset MBEDTLS_DHM_C | 
|  | 543 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 544 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 545 |  | 
|  | 546 | msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled" | 
|  | 547 | cd tests; ./test_suite_ssl; cd .. | 
|  | 548 |  | 
|  | 549 | msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled" | 
|  | 550 | tests/ssl-opt.sh | 
|  | 551 | } | 
|  | 552 |  | 
|  | 553 | component_test_tls13_only_ephemeral () { | 
|  | 554 | msg "build: TLS 1.3 only from default, only ephemeral key exchange mode" | 
|  | 555 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED | 
|  | 556 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED | 
|  | 557 | scripts/config.py unset MBEDTLS_SSL_EARLY_DATA | 
|  | 558 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 559 |  | 
|  | 560 | msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" | 
|  | 561 | cd tests; ./test_suite_ssl; cd .. | 
|  | 562 |  | 
|  | 563 | msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode" | 
|  | 564 | tests/ssl-opt.sh | 
|  | 565 | } | 
|  | 566 |  | 
|  | 567 | component_test_tls13_only_ephemeral_ffdh () { | 
|  | 568 | msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" | 
|  | 569 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED | 
|  | 570 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED | 
|  | 571 | scripts/config.py unset MBEDTLS_SSL_EARLY_DATA | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 572 |  | 
|  | 573 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 574 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH | 
| Ronald Cron | 4153ebb | 2024-09-11 15:32:48 +0200 | [diff] [blame] | 575 | # Note: The unset below is to be removed for Mbed TLS 4.0 | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 576 | scripts/config.py unset MBEDTLS_ECDH_C | 
|  | 577 |  | 
|  | 578 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 579 |  | 
|  | 580 | msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode" | 
|  | 581 | cd tests; ./test_suite_ssl; cd .. | 
|  | 582 |  | 
|  | 583 | msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" | 
|  | 584 | tests/ssl-opt.sh | 
|  | 585 | } | 
|  | 586 |  | 
|  | 587 | component_test_tls13_only_psk_ephemeral () { | 
|  | 588 | msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode" | 
|  | 589 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED | 
|  | 590 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | 
|  | 591 | scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C | 
|  | 592 | scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT | 
|  | 593 | scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 594 | scripts/config.py unset MBEDTLS_PKCS7_C | 
|  | 595 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 596 |  | 
|  | 597 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 598 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA | 
|  | 599 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA | 
|  | 600 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP | 
|  | 601 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS | 
| Ronald Cron | 4153ebb | 2024-09-11 15:32:48 +0200 | [diff] [blame] | 602 | # Note: The two unsets below are to be removed for Mbed TLS 4.0 | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 603 | scripts/config.py unset MBEDTLS_ECDSA_C | 
|  | 604 | scripts/config.py unset MBEDTLS_PKCS1_V21 | 
|  | 605 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 606 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 607 |  | 
|  | 608 | msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode" | 
|  | 609 | cd tests; ./test_suite_ssl; cd .. | 
|  | 610 |  | 
|  | 611 | msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode" | 
|  | 612 | tests/ssl-opt.sh | 
|  | 613 | } | 
|  | 614 |  | 
|  | 615 | component_test_tls13_only_psk_ephemeral_ffdh () { | 
|  | 616 | msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode" | 
|  | 617 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED | 
|  | 618 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | 
|  | 619 | scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C | 
|  | 620 | scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT | 
|  | 621 | scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 622 | scripts/config.py unset MBEDTLS_PKCS7_C | 
|  | 623 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 624 |  | 
|  | 625 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 626 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH | 
|  | 627 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA | 
|  | 628 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA | 
|  | 629 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP | 
|  | 630 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS | 
|  | 631 | # Note: The three unsets below are to be removed for Mbed TLS 4.0 | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 632 | scripts/config.py unset MBEDTLS_ECDH_C | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 633 | scripts/config.py unset MBEDTLS_ECDSA_C | 
|  | 634 | scripts/config.py unset MBEDTLS_PKCS1_V21 | 
|  | 635 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 636 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 637 |  | 
|  | 638 | msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" | 
|  | 639 | cd tests; ./test_suite_ssl; cd .. | 
|  | 640 |  | 
|  | 641 | msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode" | 
|  | 642 | tests/ssl-opt.sh | 
|  | 643 | } | 
|  | 644 |  | 
|  | 645 | component_test_tls13_only_psk_all () { | 
|  | 646 | msg "build: TLS 1.3 only from default, without ephemeral key exchange mode" | 
|  | 647 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | 
|  | 648 | scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C | 
|  | 649 | scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT | 
|  | 650 | scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 651 | scripts/config.py unset MBEDTLS_PKCS7_C | 
|  | 652 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 653 |  | 
|  | 654 | scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG | 
|  | 655 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA | 
|  | 656 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA | 
|  | 657 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP | 
|  | 658 | scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS | 
| Ronald Cron | 4153ebb | 2024-09-11 15:32:48 +0200 | [diff] [blame] | 659 | # Note: The two unsets below are to be removed for Mbed TLS 4.0 | 
| Ronald Cron | a9511bc | 2024-09-06 09:21:10 +0200 | [diff] [blame] | 660 | scripts/config.py unset MBEDTLS_ECDSA_C | 
|  | 661 | scripts/config.py unset MBEDTLS_PKCS1_V21 | 
|  | 662 |  | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 663 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 664 |  | 
|  | 665 | msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" | 
|  | 666 | cd tests; ./test_suite_ssl; cd .. | 
|  | 667 |  | 
|  | 668 | msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes" | 
|  | 669 | tests/ssl-opt.sh | 
|  | 670 | } | 
|  | 671 |  | 
|  | 672 | component_test_tls13_only_ephemeral_all () { | 
|  | 673 | msg "build: TLS 1.3 only from default, without PSK key exchange mode" | 
|  | 674 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED | 
|  | 675 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
|  | 676 | make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" | 
|  | 677 |  | 
|  | 678 | msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" | 
|  | 679 | cd tests; ./test_suite_ssl; cd .. | 
|  | 680 |  | 
|  | 681 | msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" | 
|  | 682 | tests/ssl-opt.sh | 
|  | 683 | } | 
|  | 684 |  | 
|  | 685 | component_test_tls13_no_padding () { | 
|  | 686 | msg "build: default config plus early data minus padding" | 
|  | 687 | scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1 | 
|  | 688 | scripts/config.py set MBEDTLS_SSL_EARLY_DATA | 
|  | 689 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 690 | make | 
|  | 691 | msg "test: default config plus early data minus padding" | 
|  | 692 | make test | 
|  | 693 | msg "ssl-opt.sh (TLS 1.3 no padding)" | 
|  | 694 | tests/ssl-opt.sh | 
|  | 695 | } | 
|  | 696 |  | 
|  | 697 | component_test_tls13_no_compatibility_mode () { | 
|  | 698 | msg "build: default config plus early data minus middlebox compatibility mode" | 
|  | 699 | scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE | 
|  | 700 | scripts/config.py set   MBEDTLS_SSL_EARLY_DATA | 
|  | 701 | CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 702 | make | 
|  | 703 | msg "test: default config plus early data minus middlebox compatibility mode" | 
|  | 704 | make test | 
|  | 705 | msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" | 
|  | 706 | tests/ssl-opt.sh | 
|  | 707 | } | 
|  | 708 |  | 
| Minos Galanakis | f78447f | 2024-07-26 20:49:51 +0100 | [diff] [blame] | 709 | component_test_full_minus_session_tickets () { | 
| Minos Galanakis | 7665a93 | 2024-07-26 15:45:11 +0100 | [diff] [blame] | 710 | msg "build: full config without session tickets" | 
|  | 711 | scripts/config.py full | 
|  | 712 | scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS | 
|  | 713 | scripts/config.py unset MBEDTLS_SSL_EARLY_DATA | 
|  | 714 | CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . | 
|  | 715 | make | 
|  | 716 | msg "test: full config without session tickets" | 
|  | 717 | make test | 
|  | 718 | msg "ssl-opt.sh (full config without session tickets)" | 
|  | 719 | tests/ssl-opt.sh | 
|  | 720 | } | 
|  | 721 |  | 
| Minos Galanakis | 4b6ee64 | 2024-08-01 11:20:02 +0100 | [diff] [blame] | 722 | component_test_depends_py_kex () { | 
|  | 723 | msg "test/build: depends.py kex (gcc)" | 
| Minos Galanakis | 4b6ee64 | 2024-08-01 11:20:02 +0100 | [diff] [blame] | 724 | tests/scripts/depends.py kex | 
|  | 725 | } | 
|  | 726 |  | 
| Minos Galanakis | 6aab5b7 | 2024-07-25 14:24:37 +0100 | [diff] [blame] | 727 |  |