Suyu/mbedtls
1
0
Fork 0
mirror of https://git.suyu.dev/suyu/mbedtls.git synced 2026-01-04 13:45:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'public/pr/1752' into development

Browse source
This commit is contained in:
Simon Butcher 2018-07-20 14:33:18 +01:00
commit 922bd1efb2
8 changed files with 275 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

91
tests/compat.sh
View file

@ -42,6 +42,9 @@ if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
PEER_GNUTLS=""
else
PEER_GNUTLS=" GnuTLS"
if [ $MINOR -lt 4 ]; then
GNUTLS_MINOR_LT_FOUR='x'
fi
fi
fi
else
@ -58,7 +61,8 @@ FILTER=""
# - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions
# avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
# - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA'
# - ChachaPoly: requires OpenSSL >= 1.1.0
EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
VERBOSE=""
MEMCHECK=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
@ -437,6 +441,9 @@ add_common_ciphersuites()
# NOTE: for some reason RSA-PSK doesn't work with OpenSSL,
# so RSA-PSK ciphersuites need to go in other sections, see
# https://github.com/ARMmbed/mbedtls/issues/1419
#
# ChachaPoly suites are here rather than in "common", as they were added in
# GnuTLS in 3.5.0 and the CI only has 3.4.x so far.
add_openssl_ciphersuites()
{
case $TYPE in
@ -468,6 +475,7 @@ add_openssl_ciphersuites()
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
ECDH-ECDSA-AES128-SHA256 \
@ -476,6 +484,7 @@ add_openssl_ciphersuites()
ECDH-ECDSA-AES256-GCM-SHA384 \
ECDHE-ECDSA-ARIA256-GCM-SHA384 \
ECDHE-ECDSA-ARIA128-GCM-SHA256 \
ECDHE-ECDSA-CHACHA20-POLY1305 \
"
fi
;;
@ -498,6 +507,8 @@ add_openssl_ciphersuites()
TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \
TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \
TLS-RSA-WITH-ARIA-128-GCM-SHA256 \
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
ECDHE-ARIA256-GCM-SHA384 \
@ -506,6 +517,8 @@ add_openssl_ciphersuites()
ECDHE-ARIA128-GCM-SHA256 \
DHE-RSA-ARIA128-GCM-SHA256 \
ARIA128-GCM-SHA256 \
DHE-RSA-CHACHA20-POLY1305 \
ECDHE-RSA-CHACHA20-POLY1305 \
"
fi
;;
@ -518,12 +531,18 @@ add_openssl_ciphersuites()
TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \
TLS-PSK-WITH-ARIA-256-GCM-SHA384 \
TLS-PSK-WITH-ARIA-128-GCM-SHA256 \
TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \
TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \
"
O_CIPHERS="$O_CIPHERS \
DHE-PSK-ARIA256-GCM-SHA384 \
DHE-PSK-ARIA128-GCM-SHA256 \
PSK-ARIA256-GCM-SHA384 \
PSK-ARIA128-GCM-SHA256 \
DHE-PSK-CHACHA20-POLY1305 \
ECDHE-PSK-CHACHA20-POLY1305 \
PSK-CHACHA20-POLY1305 \
"
fi
;;
@ -545,12 +564,20 @@ add_gnutls_ciphersuites()
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-ECDSA:+CAMELLIA-128-CBC:+SHA256 \
+ECDHE-ECDSA:+CAMELLIA-256-CBC:+SHA384 \
+ECDHE-ECDSA:+CAMELLIA-128-GCM:+AEAD \
+ECDHE-ECDSA:+CAMELLIA-256-GCM:+AEAD \
+ECDHE-ECDSA:+AES-128-CCM:+AEAD \
+ECDHE-ECDSA:+AES-256-CCM:+AEAD \
+ECDHE-ECDSA:+AES-128-CCM-8:+AEAD \
+ECDHE-ECDSA:+AES-256-CCM-8:+AEAD \
"
fi
;;
@ -580,6 +607,14 @@ add_gnutls_ciphersuites()
TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-RSA-WITH-AES-128-CCM \
TLS-RSA-WITH-AES-256-CCM \
TLS-DHE-RSA-WITH-AES-128-CCM \
TLS-DHE-RSA-WITH-AES-256-CCM \
TLS-RSA-WITH-AES-128-CCM-8 \
TLS-RSA-WITH-AES-256-CCM-8 \
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
"
G_CIPHERS="$G_CIPHERS \
+ECDHE-RSA:+CAMELLIA-128-CBC:+SHA256 \
@ -594,6 +629,14 @@ add_gnutls_ciphersuites()
+DHE-RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+CAMELLIA-128-GCM:+AEAD \
+RSA:+CAMELLIA-256-GCM:+AEAD \
+RSA:+AES-128-CCM:+AEAD \
+RSA:+AES-256-CCM:+AEAD \
+RSA:+AES-128-CCM-8:+AEAD \
+RSA:+AES-256-CCM-8:+AEAD \
+DHE-RSA:+AES-128-CCM:+AEAD \
+DHE-RSA:+AES-256-CCM:+AEAD \
+DHE-RSA:+AES-128-CCM-8:+AEAD \
+DHE-RSA:+AES-256-CCM-8:+AEAD \
"
fi
;;
@ -665,6 +708,14 @@ add_gnutls_ciphersuites()
TLS-PSK-WITH-AES-256-GCM-SHA384 \
TLS-DHE-PSK-WITH-AES-128-GCM-SHA256 \
TLS-DHE-PSK-WITH-AES-256-GCM-SHA384 \
TLS-PSK-WITH-AES-128-CCM \
TLS-PSK-WITH-AES-256-CCM \
TLS-DHE-PSK-WITH-AES-128-CCM \
TLS-DHE-PSK-WITH-AES-256-CCM \
TLS-PSK-WITH-AES-128-CCM-8 \
TLS-PSK-WITH-AES-256-CCM-8 \
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256 \
@ -695,6 +746,14 @@ add_gnutls_ciphersuites()
+PSK:+AES-256-GCM:+AEAD \
+DHE-PSK:+AES-128-GCM:+AEAD \
+DHE-PSK:+AES-256-GCM:+AEAD \
+PSK:+AES-128-CCM:+AEAD \
+PSK:+AES-256-CCM:+AEAD \
+DHE-PSK:+AES-128-CCM:+AEAD \
+DHE-PSK:+AES-256-CCM:+AEAD \
+PSK:+AES-128-CCM-8:+AEAD \
+PSK:+AES-256-CCM-8:+AEAD \
+DHE-PSK:+AES-128-CCM-8:+AEAD \
+DHE-PSK:+AES-256-CCM-8:+AEAD \
+RSA-PSK:+CAMELLIA-128-GCM:+AEAD \
+RSA-PSK:+CAMELLIA-256-GCM:+AEAD \
+PSK:+CAMELLIA-128-GCM:+AEAD \
@ -737,10 +796,6 @@ add_mbedtls_ciphersuites()
M_CIPHERS="$M_CIPHERS \
TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256 \
TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM \
TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8 \
TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8 \
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384 \
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256 \
TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384 \
@ -755,14 +810,6 @@ add_mbedtls_ciphersuites()
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-RSA-WITH-AES-128-CCM \
TLS-RSA-WITH-AES-256-CCM \
TLS-DHE-RSA-WITH-AES-128-CCM \
TLS-DHE-RSA-WITH-AES-256-CCM \
TLS-RSA-WITH-AES-128-CCM-8 \
TLS-RSA-WITH-AES-256-CCM-8 \
TLS-DHE-RSA-WITH-AES-128-CCM-8 \
TLS-DHE-RSA-WITH-AES-256-CCM-8 \
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384 \
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384 \
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256 \
@ -789,14 +836,6 @@ add_mbedtls_ciphersuites()
if [ `minor_ver "$MODE"` -ge 3 ]
then
M_CIPHERS="$M_CIPHERS \
TLS-PSK-WITH-AES-128-CCM \
TLS-PSK-WITH-AES-256-CCM \
TLS-DHE-PSK-WITH-AES-128-CCM \
TLS-DHE-PSK-WITH-AES-256-CCM \
TLS-PSK-WITH-AES-128-CCM-8 \
TLS-PSK-WITH-AES-256-CCM-8 \
TLS-DHE-PSK-WITH-AES-128-CCM-8 \
TLS-DHE-PSK-WITH-AES-256-CCM-8 \
TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384 \
TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256 \
TLS-PSK-WITH-ARIA-256-CBC-SHA384 \
@ -807,6 +846,7 @@ add_mbedtls_ciphersuites()
TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \
TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \
TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \
TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \
"
fi
;;
@ -842,10 +882,17 @@ setup_arguments()
exit 1;
esac
# GnuTLS < 3.4 will choke if we try to allow CCM-8
if [ -z "${GNUTLS_MINOR_LT_FOUR-}" ]; then
G_PRIO_CCM="+AES-256-CCM-8:+AES-128-CCM-8:"
else
G_PRIO_CCM=""
fi
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE -dhparam data_files/dhparams.pem"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
# with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
if is_dtls "$MODE"; then

4
tests/scripts/all.sh
View file

@ -565,8 +565,8 @@ if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
msg "test: compat.sh ARIA"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA'
msg "test: compat.sh ARIA + ChachaPoly"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
cleanup

12
tests/ssl-opt.sh
View file

@ -742,7 +742,7 @@ run_test "Default" \
"$P_CLI" \
0 \
-s "Protocol is TLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
-s "client hello v3, signature_algorithm ext: 6" \
-s "ECDHE curve: secp521r1" \
-S "error" \
@ -753,20 +753,14 @@ run_test "Default, DTLS" \
"$P_CLI dtls=1" \
0 \
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
# Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME
run_test "Default, ServerHello contains gmt_unix_time" \
run_test "ServerHello contains gmt_unix_time" \
"$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \
0 \
-s "Protocol is TLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" \
-s "client hello v3, signature_algorithm ext: 6" \
-s "ECDHE curve: secp521r1" \
-S "error" \
-C "error" \
-f "check_server_hello_time" \
-F "check_server_hello_time"