components-configuration-tls.sh (36222B)
# components-configuration-tls.sh
#
# Copyright The Mbed TLS Contributors
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

# This file contains test components that are executed by all.sh

################################################################
#### Configuration Testing - TLS
################################################################

# Build the reference configuration configs/config-suite-b.h with ASan, run
# the unit tests and the compat.sh cases matching 'ECDHE_ECDSA.*AES.*GCM',
# then rebuild with MBEDTLS_DEBUG_C and MBEDTLS_ERROR_C set and run ssl-opt.sh.
component_test_config_suite_b_legacy () {
    msg "build: configs/config-suite-b.h"
    cp configs/config-suite-b.h "$CONFIG_H"
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-suite-b.h - unit tests"
    make test

    msg "test: configs/config-suite-b.h - compat.sh"
    tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS

    msg "build: configs/config-suite-b.h + DEBUG"
    # The "+DEBUG" suffix is appended to the configuration label before the
    # second build so that its results are reported under a distinct name.
    MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
    make clean
    scripts/config.py set MBEDTLS_DEBUG_C
    scripts/config.py set MBEDTLS_ERROR_C
    make ssl-opt

    msg "test: configs/config-suite-b.h + DEBUG - ssl-opt.sh"
    tests/ssl-opt.sh
}

# Same sequence as component_test_config_suite_b_legacy, but with
# MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO set on top of
# configs/config-suite-b.h before building.
component_test_config_suite_b_psa () {
    msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO"
    cp configs/config-suite-b.h "$CONFIG_H"
    scripts/config.py set MBEDTLS_PSA_CRYPTO_C
    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - unit tests"
    make test

    msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO - compat.sh"
    tests/compat.sh -m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS

    msg "build: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG"
    MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
    make clean
    scripts/config.py set MBEDTLS_DEBUG_C
    scripts/config.py set MBEDTLS_ERROR_C
    make ssl-opt

    msg "test: configs/config-suite-b.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh"
    tests/ssl-opt.sh
}

# Build the default configuration with MBEDTLS_SSL_RENEGOTIATION unset under
# ASan, then run the unit tests and the whole of ssl-opt.sh.
component_test_no_renegotiation () {
    msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min
    scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s
    make test

    msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min
    tests/ssl-opt.sh
}

# Build the default configuration reduced to stream ciphersuites only and run
# the unit tests. The only stream cipher left is the NULL pseudo-cipher, which
# does not encrypt records, so this is a test-only configuration.
component_test_tls1_2_default_stream_cipher_only () {
    msg "build: default with only stream cipher"

    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only stream cipher"
    make test

    # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
}

# Same as component_test_tls1_2_default_stream_cipher_only, with
# MBEDTLS_USE_PSA_CRYPTO set first. The NULL pseudo-cipher is again the only
# record cipher, so this is a test-only configuration.
component_test_tls1_2_default_stream_cipher_only_use_psa () {
    msg "build: default with only stream cipher use psa"

    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only stream cipher use psa"
    make test

    # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
}

# Build the default configuration reduced to CBC ciphersuites without
# Encrypt-then-MAC ("CBC-legacy"), then run the unit tests and the ssl-opt.sh
# cases matching "TLS 1.2".
component_test_tls1_2_default_cbc_legacy_cipher_only () {
    msg "build: default with only CBC-legacy cipher"

    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only CBC-legacy cipher"
    make test

    msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
    tests/ssl-opt.sh -f "TLS 1.2"
}

# Same as component_test_tls1_2_default_cbc_legacy_cipher_only, with
# MBEDTLS_USE_PSA_CRYPTO set first.
component_test_tls1_2_default_cbc_legacy_cipher_only_use_psa () {
    msg "build: default with only CBC-legacy cipher use psa"

    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only CBC-legacy cipher use psa"
    make test

    msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)"
    tests/ssl-opt.sh -f "TLS 1.2"
}

# Build the default configuration reduced to CBC ciphersuites with
# Encrypt-then-MAC also enabled, then run the unit tests and the ssl-opt.sh
# cases matching "TLS 1.2".
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
    msg "build: default with only CBC-legacy and CBC-EtM ciphers"

    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
    # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only CBC-legacy and CBC-EtM ciphers"
    make test

    msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
    tests/ssl-opt.sh -f "TLS 1.2"
}

# Same as component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only, with
# MBEDTLS_USE_PSA_CRYPTO set first.
component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
    msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"

    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
    scripts/config.py unset MBEDTLS_GCM_C
    scripts/config.py unset MBEDTLS_CCM_C
    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
    # Disable TLS 1.3 (as no AEAD)
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
    # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    # Modules that depend on AEAD
    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
    scripts/config.py unset MBEDTLS_SSL_TICKET_C

    make

    msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa"
    make test

    msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)"
    tests/ssl-opt.sh -f "TLS 1.2"
}

# Build the reference configuration configs/config-thread.h with ASan, run the
# unit tests and the ssl-opt.sh cases matching 'ECJPAKE.*nolog'.
component_test_config_thread_legacy () {
    msg "build: configs/config-thread.h"
    cp configs/config-thread.h "$CONFIG_H"
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-thread.h - unit tests"
    make test

    msg "test: configs/config-thread.h - ssl-opt.sh"
    tests/ssl-opt.sh -f 'ECJPAKE.*nolog'
}

# Same as component_test_config_thread_legacy, with MBEDTLS_PSA_CRYPTO_C and
# MBEDTLS_USE_PSA_CRYPTO set on top of configs/config-thread.h.
component_test_config_thread_psa () {
    msg "build: configs/config-thread.h + USE_PSA_CRYPTO"
    cp configs/config-thread.h "$CONFIG_H"
    scripts/config.py set MBEDTLS_PSA_CRYPTO_C
    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-thread.h + USE_PSA_CRYPTO - unit tests"
    make test

    msg "test: configs/config-thread.h + USE_PSA_CRYPTO - ssl-opt.sh"
    tests/ssl-opt.sh -f 'ECJPAKE.*nolog'
}

# We're not aware of any other (open source) implementation of EC J-PAKE in TLS
# that we could use for interop testing. However, we now have sort of two
# implementations ourselves: one using PSA, the other not. At least test that
# these two interoperate with each other.
# Build ssl_server2 and ssl_client2 twice, first without and then with
# MBEDTLS_USE_PSA_CRYPTO, keeping the first pair as s2_no_use_psa and
# c2_no_use_psa. Then run the ECJPAKE ssl-opt.sh cases with one side taken
# from each build, selected through P_SRV / P_CLI.
component_test_tls1_2_ecjpake_compatibility () {
    msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA"
    scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
    # Explicitly make lib first to avoid a race condition:
    # https://github.com/Mbed-TLS/mbedtls/issues/8229
    make lib
    make -C programs ssl/ssl_server2 ssl/ssl_client2
    # Keep the non-PSA binaries: "make clean" below would remove them.
    cp programs/ssl/ssl_server2 s2_no_use_psa
    cp programs/ssl/ssl_client2 c2_no_use_psa

    msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA"
    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    make clean
    make lib
    make -C programs ssl/ssl_server2 ssl/ssl_client2
    make -C programs test/udp_proxy test/query_compile_time_config

    # The saved binaries are referenced as ../<name>, i.e. relative to a
    # subdirectory of the source tree rather than to the current directory.
    msg "test: server w/o USE_PSA - client w/ USE_PSA, text password"
    P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
    msg "test: server w/o USE_PSA - client w/ USE_PSA, opaque password"
    P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password client only, working, TLS"
    msg "test: client w/o USE_PSA - server w/ USE_PSA, text password"
    P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: working, TLS"
    msg "test: client w/o USE_PSA - server w/ USE_PSA, opaque password"
    P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f "ECJPAKE: opaque password server only, working, TLS"

    # NOTE(review): this cleanup is only reached when every step above
    # succeeds; presumably the harness removes leftovers otherwise - confirm.
    rm s2_no_use_psa c2_no_use_psa
}

# Build the reference configuration configs/config-ccm-psk-tls1_2.h with ASan,
# run the unit tests and the compat.sh TLS 1.2 cases matching
# '^TLS_PSK_WITH_AES_..._CCM_8'.
component_test_tls1_2_ccm_psk_legacy () {
    msg "build: configs/config-ccm-psk-tls1_2.h"
    cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H"
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-ccm-psk-tls1_2.h - unit tests"
    make test

    msg "test: configs/config-ccm-psk-tls1_2.h - compat.sh"
    tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8'
}

# Same as component_test_tls1_2_ccm_psk_legacy, with MBEDTLS_PSA_CRYPTO_C and
# MBEDTLS_USE_PSA_CRYPTO set on top of configs/config-ccm-psk-tls1_2.h.
component_test_tls1_2_ccm_psk_psa () {
    msg "build: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO"
    cp configs/config-ccm-psk-tls1_2.h "$CONFIG_H"
    scripts/config.py set MBEDTLS_PSA_CRYPTO_C
    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - unit tests"
    make test

    msg "test: configs/config-ccm-psk-tls1_2.h + USE_PSA_CRYPTO - compat.sh"
    tests/compat.sh -m tls12 -f '^TLS_PSK_WITH_AES_..._CCM_8'
}

# Build the reference configuration configs/config-ccm-psk-dtls1_2.h with
# ASan, run the unit tests and the compat.sh DTLS 1.2 cases matching
# '^TLS_PSK_WITH_AES_..._CCM_8', then rebuild with MBEDTLS_DEBUG_C and
# MBEDTLS_ERROR_C set and run ssl-opt.sh.
component_test_tls1_2_ccm_psk_dtls_legacy () {
    msg "build: configs/config-ccm-psk-dtls1_2.h"
    cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H"
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests"
    make test

    msg "test: configs/config-ccm-psk-dtls1_2.h - compat.sh"
    tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8'

    msg "build: configs/config-ccm-psk-dtls1_2.h + DEBUG"
    MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
    make clean
    scripts/config.py set MBEDTLS_DEBUG_C
    scripts/config.py set MBEDTLS_ERROR_C
    make ssl-opt

    msg "test: configs/config-ccm-psk-dtls1_2.h + DEBUG - ssl-opt.sh"
    tests/ssl-opt.sh
}

# Same as component_test_tls1_2_ccm_psk_dtls_legacy, with MBEDTLS_PSA_CRYPTO_C
# and MBEDTLS_USE_PSA_CRYPTO set on top of configs/config-ccm-psk-dtls1_2.h.
component_test_tls1_2_ccm_psk_dtls_psa () {
    msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO"
    cp configs/config-ccm-psk-dtls1_2.h "$CONFIG_H"
    scripts/config.py set MBEDTLS_PSA_CRYPTO_C
    scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
    # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake
    # want to re-generate generated files that depend on it, quite correctly.
    # However this doesn't work as the generation script expects a specific
    # format for mbedtls_config.h, which the other files don't follow. Also,
    # cmake can't know this, but re-generation is actually not necessary as
    # the generated files only depend on the list of available options, not
    # whether they're on or off. So, disable cmake's (over-sensitive here)
    # dependency resolution for generated files and just rely on them being
    # present (thanks to pre_generate_files) by turning GEN_FILES off.
    CC=$ASAN_CC cmake -D GEN_FILES=Off -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - unit tests"
    make test

    msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO - compat.sh"
    tests/compat.sh -m dtls12 -f '^TLS_PSK_WITH_AES_..._CCM_8'

    msg "build: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG"
    MBEDTLS_TEST_CONFIGURATION="$MBEDTLS_TEST_CONFIGURATION+DEBUG"
    make clean
    scripts/config.py set MBEDTLS_DEBUG_C
    scripts/config.py set MBEDTLS_ERROR_C
    make ssl-opt

    msg "test: configs/config-ccm-psk-dtls1_2.h + USE_PSA_CRYPTO + DEBUG - ssl-opt.sh"
    tests/ssl-opt.sh
}

# ASan build with MBEDTLS_SSL_OUT_CONTENT_LEN set to 4096 and
# MBEDTLS_SSL_IN_CONTENT_LEN set to 16384; runs the ssl-opt.sh cases matching
# "Max fragment" or "Large packet".
component_test_small_ssl_out_content_len () {
    msg "build: small SSL_OUT_CONTENT_LEN (ASan build)"
    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests"
    tests/ssl-opt.sh -f "Max fragment\|Large packet"
}

# ASan build with MBEDTLS_SSL_IN_CONTENT_LEN set to 4096 and
# MBEDTLS_SSL_OUT_CONTENT_LEN set to 16384; runs the ssl-opt.sh cases matching
# "Max fragment".
component_test_small_ssl_in_content_len () {
    msg "build: small SSL_IN_CONTENT_LEN (ASan build)"
    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 4096
    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 16384
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests"
    tests/ssl-opt.sh -f "Max fragment"
}

# ASan build with MBEDTLS_SSL_DTLS_MAX_BUFFERING set to 1000; runs the single
# DTLS reordering case named in the filter below.
component_test_small_ssl_dtls_max_buffering () {
    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0"
    scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test"
    tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg"
}

# ASan build with MBEDTLS_SSL_DTLS_MAX_BUFFERING set to 190; runs the single
# DTLS reordering case named in the filter below.
component_test_small_mbedtls_ssl_dtls_max_buffering () {
    msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1"
    scripts/config.py set MBEDTLS_SSL_DTLS_MAX_BUFFERING 190
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test"
    tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket"
}

# Run tests/scripts/depends.py with the "kex" argument and --unset-use-psa.
component_test_depends_py_kex () {
    msg "test/build: depends.py kex (gcc)"
    tests/scripts/depends.py kex --unset-use-psa
}

# Run tests/scripts/depends.py with the "kex" argument, this time without
# --unset-use-psa.
component_test_depends_py_kex_psa () {
    msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
    tests/scripts/depends.py kex
}

# Common helper for component_full_without_ecdhe_ecdsa() and
# component_full_without_ecdhe_ecdsa_and_tls13() which:
# - starts from the "full" configuration minus the list of symbols passed in
#   as 1st parameter
# - build
# - test only TLS (i.e.
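#   test_suite_tls and ssl-opt)
#
# The unit-test binary run below is tests/test_suite_ssl.
# Arguments: $1 - whitespace-separated list of configuration symbols to unset
#                 after selecting the "full" configuration.
# Globals:   symbols_to_disable and sym are assigned without `local`, so they
#            stay set in the calling shell after the helper returns.
build_full_minus_something_and_test_tls () {
    symbols_to_disable="$1"

    msg "build: full minus something, test TLS"

    scripts/config.py full
    # The list is expanded unquoted on purpose: it is split on whitespace into
    # one symbol per iteration. Each symbol is then passed as a single word.
    for sym in $symbols_to_disable; do
        echo "Disabling $sym"
        scripts/config.py unset "$sym"
    done

    make

    msg "test: full minus something, test TLS"
    # Subshell: the caller's working directory is untouched, and the suite is
    # only started if the directory change succeeded.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt: full minus something, test TLS"
    tests/ssl-opt.sh
}

# Full configuration without the ECDHE-ECDSA key exchange; TLS tests only.
component_full_without_ecdhe_ecdsa () {
    build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
}

# Full configuration without the ECDHE-ECDSA key exchange and without TLS 1.3;
# TLS tests only. The two symbols are passed as one whitespace-separated list.
component_full_without_ecdhe_ecdsa_and_tls13 () {
    build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
                                             MBEDTLS_SSL_PROTO_TLS1_3"
}

# Build-only check: full configuration with MBEDTLS_SSL_SRV_C unset, compiled
# by gcc with warnings treated as errors.
component_build_no_ssl_srv () {
    msg "build: full config except SSL server, make, gcc" # ~ 30s
    scripts/config.py full
    scripts/config.py unset MBEDTLS_SSL_SRV_C
    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
}

# Build-only check: full configuration with MBEDTLS_SSL_CLI_C unset, compiled
# by gcc with warnings treated as errors.
component_build_no_ssl_cli () {
    msg "build: full config except SSL client, make, gcc" # ~ 30s
    scripts/config.py full
    scripts/config.py unset MBEDTLS_SSL_CLI_C
    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
}

# ASan build of the default configuration with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
# unset; runs the ssl-opt.sh cases matching "Max fragment length".
component_test_no_max_fragment_length () {
    # Run max fragment length tests with MFL disabled
    msg "build: default config except MFL extension (ASan build)" # ~ 30s
    scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: ssl-opt.sh, MFL-related tests"
    tests/ssl-opt.sh -f "Max fragment length"
}

# ASan build of the default configuration with
# MBEDTLS_SSL_KEEP_PEER_CERTIFICATE and MBEDTLS_SSL_PROTO_TLS1_3 unset; runs
# the unit tests, ssl-opt.sh, compat.sh and context-info.sh.
component_test_asan_remove_peer_certificate () {
    msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
    scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
    make test

    msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
    tests/ssl-opt.sh

    msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
    tests/compat.sh

    msg "test: context-info.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
    tests/context-info.sh
}

# ASan build with MBEDTLS_SSL_MAX_FRAGMENT_LENGTH unset and
# MBEDTLS_SSL_OUT_CONTENT_LEN reduced to 4096; runs a filtered ssl-opt.sh and
# context-info.sh.
component_test_no_max_fragment_length_small_ssl_out_content_len () {
    msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
    scripts/config.py unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    scripts/config.py set MBEDTLS_SSL_IN_CONTENT_LEN 16384
    scripts/config.py set MBEDTLS_SSL_OUT_CONTENT_LEN 4096
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: MFL tests (disabled MFL extension case) & large packet tests"
    # NOTE(review): the message says "large packet tests" and
    # component_test_small_ssl_out_content_len filters on "Large packet", but
    # this filter says "Large buffer" - confirm it matches the intended
    # ssl-opt.sh test names, otherwise those cases are silently not run.
    tests/ssl-opt.sh -f "Max fragment length\|Large buffer"

    msg "test: context-info.sh (disabled MFL extension case)"
    tests/context-info.sh
}

# ASan build of the default configuration with
# MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH set; runs the unit tests, ssl-opt.sh and
# compat.sh.
component_test_variable_ssl_in_out_buffer_len () {
    msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
    scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
    make test

    msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
    tests/ssl-opt.sh

    msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
    tests/compat.sh
}

# ASan build of the default configuration with
# MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT set to 1; runs the unit tests,
# ssl-opt.sh and compat.sh.
component_test_dtls_cid_legacy () {
    msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
    scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1

    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
    make test

    msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
    tests/ssl-opt.sh

    msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
    tests/compat.sh
}

# Release build (no ASan) of the default configuration with the memory buffer
# allocator, memory debugging, the MFL extension and variable buffer lengths
# set; runs the unit tests and the ssl-opt.sh cases matching
# "Handshake memory usage".
component_test_ssl_alloc_buffer_and_mfl () {
    msg "build: default config with memory buffer allocator and MFL extension"
    scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
    scripts/config.py set MBEDTLS_PLATFORM_MEMORY
    scripts/config.py set MBEDTLS_MEMORY_DEBUG
    scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
    scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
    cmake -DCMAKE_BUILD_TYPE:String=Release .
    make

    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
    make test

    # NOTE(review): this message is identical to the one above although this
    # step runs ssl-opt.sh; the two phases cannot be told apart in the log.
    msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
    tests/ssl-opt.sh -f "Handshake memory usage"
}

# Build the default configuration with the NULL cipher, CBC mode and CMAC
# unset, run the unit tests, then the ssl-opt.sh cases matching 'Default' or
# 'EtM' while excluding those matching 'without EtM'.
component_test_when_no_ciphersuites_have_mac () {
    msg "build: when no ciphersuites have MAC"
    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
    scripts/config.py unset MBEDTLS_CMAC_C
    make

    msg "test: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
    make test

    msg "test ssl-opt.sh: !MBEDTLS_SSL_SOME_SUITES_USE_MAC"
    tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
}

# ASan build (gcc) of the default configuration with MBEDTLS_SSL_PROTO_TLS1_3
# unset; runs the unit tests, ssl-opt.sh and compat.sh.
component_test_tls12_only () {
    msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan"
    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
    make

    msg "test: main suites (inc. selftests) (ASan build)"
    make test

    msg "test: ssl-opt.sh (ASan build)"
    tests/ssl-opt.sh

    msg "test: compat.sh (ASan build)"
    tests/compat.sh
}

# TLS 1.3 only, all key exchange modes: the restriction comes from the user
# configuration file tests/configs/tls13-only.h passed through CFLAGS.
component_test_tls13_only () {
    msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2"
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test: TLS 1.3 only, all key exchange modes enabled"
    make test

    msg "ssl-opt.sh: TLS 1.3 only, all key exchange modes enabled"
    tests/ssl-opt.sh
}

# TLS 1.3 only with the pure PSK key exchange mode as the only one left:
# both ephemeral modes, ECDH, DHM and the X.509 / signature modules are unset.
component_test_tls13_only_psk () {
    msg "build: TLS 1.3 only from default, only PSK key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_ECDH_C
    scripts/config.py unset MBEDTLS_DHM_C
    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
    scripts/config.py unset MBEDTLS_ECDSA_C
    scripts/config.py unset MBEDTLS_PKCS1_V21
    scripts/config.py unset MBEDTLS_PKCS7_C
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, only PSK key exchange mode enabled"
    # Subshell, as in build_full_minus_something_and_test_tls: the working
    # directory of this shell never changes, whatever the suite's result.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, only PSK key exchange mode enabled"
    tests/ssl-opt.sh
}

# TLS 1.3 only with the ephemeral key exchange mode as the only one left:
# both PSK modes and early data are unset.
component_test_tls13_only_ephemeral () {
    msg "build: TLS 1.3 only from default, only ephemeral key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, only ephemeral key exchange mode"
    tests/ssl-opt.sh
}

# Same as component_test_tls13_only_ephemeral with MBEDTLS_ECDH_C also unset,
# which per the messages leaves finite-field DH for the ephemeral exchange.
component_test_tls13_only_ephemeral_ffdh () {
    msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
    scripts/config.py unset MBEDTLS_ECDH_C

    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, only ephemeral ffdh key exchange mode"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode"
    tests/ssl-opt.sh
}

# TLS 1.3 only with the PSK-ephemeral key exchange mode as the only one left:
# the pure PSK and pure ephemeral modes and the X.509 / signature modules are
# unset.
component_test_tls13_only_psk_ephemeral () {
    msg "build: TLS 1.3 only from default, only PSK ephemeral key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
    scripts/config.py unset MBEDTLS_ECDSA_C
    scripts/config.py unset MBEDTLS_PKCS1_V21
    scripts/config.py unset MBEDTLS_PKCS7_C
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral key exchange mode"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral key exchange mode"
    tests/ssl-opt.sh
}

# Same as component_test_tls13_only_psk_ephemeral with MBEDTLS_ECDH_C also
# unset, which per the messages leaves finite-field DH for the ephemeral part.
component_test_tls13_only_psk_ephemeral_ffdh () {
    msg "build: TLS 1.3 only from default, only PSK ephemeral ffdh key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
    scripts/config.py unset MBEDTLS_ECDSA_C
    scripts/config.py unset MBEDTLS_PKCS1_V21
    scripts/config.py unset MBEDTLS_PKCS7_C
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    scripts/config.py unset MBEDTLS_ECDH_C
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, only PSK ephemeral ffdh key exchange mode"
    tests/ssl-opt.sh
}

# TLS 1.3 only with both PSK-based key exchange modes: only the pure
# ephemeral mode and the X.509 / signature modules are unset.
component_test_tls13_only_psk_all () {
    msg "build: TLS 1.3 only from default, without ephemeral key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
    scripts/config.py unset MBEDTLS_X509_CRT_PARSE_C
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
    scripts/config.py unset MBEDTLS_SSL_SERVER_NAME_INDICATION
    scripts/config.py unset MBEDTLS_ECDSA_C
    scripts/config.py unset MBEDTLS_PKCS1_V21
    scripts/config.py unset MBEDTLS_PKCS7_C
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, PSK and PSK ephemeral key exchange modes"
    tests/ssl-opt.sh
}

# TLS 1.3 only with both ephemeral key exchange modes: only the pure PSK mode
# is unset.
component_test_tls13_only_ephemeral_all () {
    msg "build: TLS 1.3 only from default, without PSK key exchange mode"
    scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"

    msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
    # Subshell: the working directory of this shell never changes.
    ( cd tests && ./test_suite_ssl )

    msg "ssl-opt.sh: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes"
    tests/ssl-opt.sh
}

component_test_tls13_no_padding () {
    msg "build: default config plus early data minus padding"
    scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
    scripts/config.py set MBEDTLS_SSL_EARLY_DATA
    CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .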
821 make 822 msg "test: default config plus early data minus padding" 823 make test 824 msg "ssl-opt.sh (TLS 1.3 no padding)" 825 tests/ssl-opt.sh 826 } 827 828 component_test_tls13_no_compatibility_mode () { 829 msg "build: default config plus early data minus middlebox compatibility mode" 830 scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE 831 scripts/config.py set MBEDTLS_SSL_EARLY_DATA 832 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . 833 make 834 msg "test: default config plus early data minus middlebox compatibility mode" 835 make test 836 msg "ssl-opt.sh (TLS 1.3 no compatibility mode)" 837 tests/ssl-opt.sh 838 } 839 840 component_test_full_minus_session_tickets () { 841 msg "build: full config without session tickets" 842 scripts/config.py full 843 scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS 844 scripts/config.py unset MBEDTLS_SSL_EARLY_DATA 845 CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . 846 make 847 msg "test: full config without session tickets" 848 make test 849 msg "ssl-opt.sh (full config without session tickets)" 850 tests/ssl-opt.sh 851 }