Merge pull request #3018 from mpg/fix-ssl-opt-gnutls-no-sha1
Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
diff --git a/ChangeLog b/ChangeLog
index e184c96..2f6480e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,10 +2,17 @@
= mbed TLS X.X.X branch released XXXX-XX-XX
+New deprecations
+ * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing
+ SSLv2 ClientHello messages.
+ * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3.
+
Bugfix
* Allow loading symlinked certificates. Fixes #3005. Reported and fixed
by Jonathan Bennett <JBennett@incomsystems.biz> via #3008.
* Fix an unchecked call to mbedtls_md() in the x509write module.
+ * Fix build failure with MBEDTLS_ZLIB_SUPPORT enabled. Reported by
+ Jack Lloyd in #2859. Fix submitted by jiblime in #2963.
= mbed TLS 2.20.0 branch released 2020-01-15
diff --git a/crypto b/crypto
index 1146b4e..819799c 160000
--- a/crypto
+++ b/crypto
@@ -1 +1 @@
-Subproject commit 1146b4e06011b69a6437e6b728f2af043a06ec19
+Subproject commit 819799cfc68e4c4381673a8a27af19802c8263f2
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 6ebe6b7..d95b71e 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -774,6 +774,22 @@
#error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
#endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 058969b..a11a4f3 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -233,27 +233,27 @@
/**
* \def MBEDTLS_DEPRECATED_WARNING
*
- * Mark deprecated functions so that they generate a warning if used.
- * Functions deprecated in one version will usually be removed in the next
- * version. You can enable this to help you prepare the transition to a new
- * major version by making sure your code is not using these functions.
+ * Mark deprecated functions and features so that they generate a warning if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
*
* This only works with GCC and Clang. With other compilers, you may want to
* use MBEDTLS_DEPRECATED_REMOVED
*
- * Uncomment to get warnings on using deprecated functions.
+ * Uncomment to get warnings on using deprecated functions and features.
*/
//#define MBEDTLS_DEPRECATED_WARNING
/**
* \def MBEDTLS_DEPRECATED_REMOVED
*
- * Remove deprecated functions so that they generate an error if used.
- * Functions deprecated in one version will usually be removed in the next
- * version. You can enable this to help you prepare the transition to a new
- * major version by making sure your code is not using these functions.
+ * Remove deprecated functions and features so that they generate an error if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
*
- * Uncomment to get errors on using deprecated functions.
+ * Uncomment to get errors on using deprecated functions and features.
*/
//#define MBEDTLS_DEPRECATED_REMOVED
@@ -1571,6 +1571,9 @@
* Enable support for receiving and parsing SSLv2 Client Hello messages for the
* SSL Server module (MBEDTLS_SSL_SRV_C).
*
+ * \deprecated This option is deprecated and will be removed in a future
+ * version of Mbed TLS.
+ *
* Uncomment this macro to enable support for SSLv2 Client Hello messages.
*/
//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1602,6 +1605,9 @@
* Requires: MBEDTLS_MD5_C
* MBEDTLS_SHA1_C
*
+ * \deprecated This option is deprecated and will be removed in a future
+ * version of Mbed TLS.
+ *
* Comment this macro to disable support for SSL 3.0
*/
//#define MBEDTLS_SSL_PROTO_SSL3
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index f703da9..b8c7f0a 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -319,7 +319,8 @@
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_ecc_curve_t ecdh_psa_curve;
+ psa_key_type_t ecdh_psa_type;
+ uint16_t ecdh_bits;
psa_key_handle_t ecdh_psa_privkey;
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t ecdh_psa_peerkey_len;
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 1005bd9..0f6a26b 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2244,6 +2244,7 @@
unsigned char *end )
{
uint16_t tls_id;
+ size_t ecdh_bits = 0;
uint8_t ecpoint_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@@ -2264,11 +2265,14 @@
tls_id |= *(*p)++;
/* Convert EC group to PSA key type. */
- if( ( handshake->ecdh_psa_curve =
- mbedtls_psa_parse_tls_ecc_group( tls_id ) ) == 0 )
+ if( ( handshake->ecdh_psa_type =
+ mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
{
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
+ if( ecdh_bits > 0xffff )
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+ handshake->ecdh_bits = (uint16_t) ecdh_bits;
/*
* Put peer's ECDH public key in the format understood by PSA.
@@ -2278,7 +2282,7 @@
if( (size_t)( end - *p ) < ecpoint_len )
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
- if( mbedtls_psa_tls_ecpoint_to_psa_ec( handshake->ecdh_psa_curve,
+ if( mbedtls_psa_tls_ecpoint_to_psa_ec(
*p, ecpoint_len,
handshake->ecdh_psa_peerkey,
sizeof( handshake->ecdh_psa_peerkey ),
@@ -3257,11 +3261,8 @@
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
- psa_set_key_type( &key_attributes,
- PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
- );
- psa_set_key_bits( &key_attributes,
- PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
+ psa_set_key_type( &key_attributes, handshake->ecdh_psa_type );
+ psa_set_key_bits( &key_attributes, handshake->ecdh_bits );
/* Generate ECDH private key. */
status = psa_generate_key( &key_attributes,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6cf7781..4f219a3 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1880,7 +1880,7 @@
/* Allocate compression buffer */
#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
+ if( ssl->session_negotiate->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
ssl->compress_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
@@ -5446,7 +5446,7 @@
#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
/*
- * If applicable, decrypt (and decompress) record content
+ * If applicable, decrypt record content
*/
static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
mbedtls_record *rec )
@@ -5572,18 +5572,6 @@
}
-#if defined(MBEDTLS_ZLIB_SUPPORT)
- if( ssl->transform_in != NULL &&
- ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
- {
- if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
- return( ret );
- }
- }
-#endif /* MBEDTLS_ZLIB_SUPPORT */
-
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
@@ -6469,6 +6457,26 @@
ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );
ssl->in_len[1] = (unsigned char)( rec.data_len );
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+ if( ssl->transform_in != NULL &&
+ ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+ {
+ if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
+ return( ret );
+ }
+
+ /* Check actual (decompress) record content length against
+ * configured maximum. */
+ if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+ }
+ }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
return( 0 );
}
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index 533a647..178d17b 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -1,4 +1,5 @@
#include <stdint.h>
+#include <stdlib.h>
#include "mbedtls/pk.h"
//4 Kb should be enough for every bug ;-)
@@ -29,8 +30,12 @@
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
rsa = mbedtls_pk_rsa( pk );
- mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
- mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+ if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
+ abort();
+ }
+ if ( mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ) != 0 ) {
+ abort();
+ }
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
index df42f7d..38eacfb 100644
--- a/programs/fuzz/fuzz_pubkey.c
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -1,4 +1,5 @@
#include <stdint.h>
+#include <stdlib.h>
#include "mbedtls/pk.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
@@ -20,8 +21,12 @@
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
rsa = mbedtls_pk_rsa( pk );
- ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
- ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+ if ( mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ) != 0 ) {
+ abort();
+ }
+ if ( mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ) != MBEDTLS_ERR_RSA_BAD_INPUT_DATA ) {
+ abort();
+ }
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
diff --git a/scripts/config.py b/scripts/config.py
index e01b9d5..e3ecfc6 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -183,6 +183,8 @@
'MBEDTLS_REMOVE_ARC4_CIPHERSUITES',
'MBEDTLS_RSA_NO_CRT',
'MBEDTLS_SSL_HW_RECORD_ACCEL',
+ 'MBEDTLS_SSL_PROTO_SSL3',
+ 'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO',
'MBEDTLS_TEST_NULL_ENTROPY',
'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3',
'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION',
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index e76b9d4..d21f1ce 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -697,6 +697,45 @@
if_build_succeeded tests/compat.sh
}
+component_test_zlib_make() {
+ msg "build: zlib enabled, make"
+ scripts/config.py set MBEDTLS_ZLIB_SUPPORT
+ make ZLIB=1 CFLAGS='-Werror -O1'
+
+ msg "test: main suites (zlib, make)"
+ make test
+
+ msg "test: ssl-opt.sh (zlib, make)"
+ if_build_succeeded tests/ssl-opt.sh
+}
+support_test_zlib_make () {
+ base=support_test_zlib_$$
+ cat <<'EOF' > ${base}.c
+#include "zlib.h"
+int main(void) { return 0; }
+EOF
+ gcc -o ${base}.exe ${base}.c -lz 2>/dev/null
+ ret=$?
+ rm -f ${base}.*
+ return $ret
+}
+
+component_test_zlib_cmake() {
+ msg "build: zlib enabled, cmake"
+ scripts/config.py set MBEDTLS_ZLIB_SUPPORT
+ cmake -D ENABLE_ZLIB_SUPPORT=On -D CMAKE_BUILD_TYPE:String=Check .
+ make
+
+ msg "test: main suites (zlib, cmake)"
+ make test
+
+ msg "test: ssl-opt.sh (zlib, cmake)"
+ if_build_succeeded tests/ssl-opt.sh
+}
+support_test_zlib_cmake () {
+ support_test_zlib_make "$@"
+}
+
component_test_ref_configs () {
msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
@@ -912,9 +951,6 @@
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded tests/compat.sh
- msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)"
- if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
-
msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index aa18ac4..e65b8ec 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -996,6 +996,18 @@
-s "Protocol is DTLSv1.2" \
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
+requires_config_enabled MBEDTLS_ZLIB_SUPPORT
+run_test "Default (compression enabled)" \
+ "$P_SRV debug_level=3" \
+ "$P_CLI debug_level=3" \
+ 0 \
+ -s "Allocating compression buffer" \
+ -c "Allocating compression buffer" \
+ -s "Record expansion is unknown (compression)" \
+ -c "Record expansion is unknown (compression)" \
+ -S "error" \
+ -C "error"
+
requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
run_test "CA callback on client" \
"$P_SRV debug_level=3" \
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 59b4769..5f4dc67 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -46,6 +46,159 @@
Test mock non-blocking TCP connection (interleaving)
ssl_mock_tcp_interleaving:0
+Message queue - sanity
+ssl_message_queue_sanity:
+
+Message queue - basic test
+ssl_message_queue_basic:
+
+Message queue - overflow/underflow
+ssl_message_queue_overflow_underflow:
+
+Message queue - interleaved
+ssl_message_queue_interleaved:
+
+Message queue - insufficient buffer
+ssl_message_queue_insufficient_buffer:
+
+Message transport mock - uninitialized structures
+ssl_message_mock_uninitialized:
+
+Message transport mock - basic test
+ssl_message_mock_basic:
+
+Message transport mock - queue overflow/underflow
+ssl_message_mock_queue_overflow_underflow:
+
+Message transport mock - socket overflow
+ssl_message_mock_socket_overflow:
+
+Message transport mock - truncated message
+ssl_message_mock_truncated:
+
+Message transport mock - socket read error
+ssl_message_mock_socket_read_error:
+
+Message transport mock - one-way interleaved sends/reads
+ssl_message_mock_interleaved_one_way:
+
+Message transport mock - two-way interleaved sends/reads
+ssl_message_mock_interleaved_two_ways:
+
+Test mbedtls_endpoint sanity for the client
+mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_CLIENT
+
+Test mbedtls_endpoint sanity for the server
+mbedtls_endpoint_sanity:MBEDTLS_SSL_IS_SERVER
+
+Test moving clients handshake to state: HELLO_REQUEST
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HELLO_REQUEST:1
+
+Test moving clients handshake to state: CLIENT_HELLO
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_HELLO:1
+
+Test moving clients handshake to state: SERVER_HELLO
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO:1
+
+Test moving clients handshake to state: SERVER_CERTIFICATE
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CERTIFICATE:1
+
+Test moving clients handshake to state: SERVER_KEY_EXCHANGE
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
+
+Test moving clients handshake to state: CERTIFICATE_REQUEST
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
+
+Test moving clients handshake to state: SERVER_HELLO_DONE
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_DONE:1
+
+Test moving clients handshake to state: CLIENT_CERTIFICATE
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
+
+Test moving clients handshake to state: CLIENT_KEY_EXCHANGE
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
+
+Test moving clients handshake to state: CERTIFICATE_VERIFY
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
+
+Test moving clients handshake to state: CLIENT_CHANGE_CIPHER_SPEC
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
+
+Test moving clients handshake to state: CLIENT_FINISHED
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_CLIENT_FINISHED:1
+
+Test moving clients handshake to state: SERVER_CHANGE_CIPHER_SPEC
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
+
+Test moving clients handshake to state: SERVER_FINISHED
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_FINISHED:1
+
+Test moving clients handshake to state: FLUSH_BUFFERS
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_FLUSH_BUFFERS:1
+
+Test moving clients handshake to state: HANDSHAKE_WRAPUP
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
+
+Test moving clients handshake to state: HANDSHAKE_OVER
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_HANDSHAKE_OVER:1
+
+Test moving servers handshake to state: HELLO_REQUEST
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HELLO_REQUEST:1
+
+Test moving servers handshake to state: CLIENT_HELLO
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_HELLO:1
+
+Test moving servers handshake to state: SERVER_HELLO
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO:1
+
+Test moving servers handshake to state: SERVER_CERTIFICATE
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CERTIFICATE:1
+
+Test moving servers handshake to state: SERVER_KEY_EXCHANGE
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_KEY_EXCHANGE:1
+
+Test moving servers handshake to state: CERTIFICATE_REQUEST
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_REQUEST:1
+
+Test moving servers handshake to state: SERVER_HELLO_DONE
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_HELLO_DONE:1
+
+Test moving servers handshake to state: CLIENT_CERTIFICATE
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CERTIFICATE:1
+
+Test moving servers handshake to state: CLIENT_KEY_EXCHANGE
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:1
+
+Test moving servers handshake to state: CERTIFICATE_VERIFY
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CERTIFICATE_VERIFY:1
+
+Test moving servers handshake to state: CLIENT_CHANGE_CIPHER_SPEC
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:1
+
+Test moving servers handshake to state: CLIENT_FINISHED
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_CLIENT_FINISHED:1
+
+Test moving servers handshake to state: SERVER_CHANGE_CIPHER_SPEC
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:1
+
+Test moving servers handshake to state: SERVER_FINISHED
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_FINISHED:1
+
+Test moving servers handshake to state: FLUSH_BUFFERS
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_FLUSH_BUFFERS:1
+
+Test moving servers handshake to state: HANDSHAKE_WRAPUP
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_WRAPUP:1
+
+Test moving servers handshake to state: HANDSHAKE_OVER
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_HANDSHAKE_OVER:1
+
+Negative test moving clients ssl to state: VERIFY_REQUEST_SENT
+move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:0
+
+Negative test moving servers ssl to state: NEW_SESSION_TICKET
+move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:0
+
SSL DTLS replay: initial state, seqnum 0
ssl_dtls_replay:"":"000000000000":0
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index a936d83..4fba1f1 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1,7 +1,9 @@
/* BEGIN_HEADER */
#include <mbedtls/ssl.h>
#include <mbedtls/ssl_internal.h>
-
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/certs.h>
/*
* Buffer structure for custom I/O callbacks.
@@ -59,7 +61,7 @@
* zero and \p input is NULL.
*/
int mbedtls_test_buffer_put( mbedtls_test_buffer *buf,
- const unsigned char* input, size_t input_len )
+ const unsigned char *input, size_t input_len )
{
size_t overflow = 0;
@@ -108,16 +110,16 @@
}
/*
- * Gets \p output_len bytes from the \p output buffer into the ring buffer
- * \p buf.
+ * Gets \p output_len bytes from the ring buffer \p buf into the
+ * \p output buffer. The output buffer can be NULL, in this case a part of the
+ * ring buffer will be dropped, if the requested length is available.
*
* \p buf must have been initialized and set up by calling
* `mbedtls_test_buffer_init()` and `mbedtls_test_buffer_setup()`.
*
* \retval \p output_len, if the data is available.
* \retval 0 <= value < \p output_len, if the data is not available.
- * \retval -1, if \buf is NULL, it hasn't been set up or \p output_len is not
- * zero and \p output is NULL
+ * \retval -1, if \buf is NULL or it hasn't been set up.
*/
int mbedtls_test_buffer_get( mbedtls_test_buffer *buf,
unsigned char* output, size_t output_len )
@@ -127,10 +129,8 @@
if( ( buf == NULL ) || ( buf->buffer == NULL ) )
return -1;
- if( output == NULL )
- {
- return ( output_len == 0 ) ? 0 : -1;
- }
+ if( output == NULL && output_len == 0 )
+ return 0;
if( buf->content_length < output_len )
output_len = buf->content_length;
@@ -142,8 +142,12 @@
overflow = ( buf->start + output_len ) % buf->capacity;
}
- memcpy( output, buf->buffer + buf->start, output_len - overflow );
- memcpy( output + output_len - overflow, buf->buffer, overflow );
+ if( output != NULL )
+ {
+ memcpy( output, buf->buffer + buf->start, output_len - overflow );
+ memcpy( output + output_len - overflow, buf->buffer, overflow );
+ }
+
buf->content_length -= output_len;
buf->start = ( buf->start + output_len ) % buf->capacity;
@@ -151,6 +155,136 @@
}
/*
+ * Errors used in the message transport mock tests
+ */
+ #define MBEDTLS_TEST_ERROR_ARG_NULL -11
+ #define MBEDTLS_TEST_ERROR_QUEUE_FULL -22
+ #define MBEDTLS_TEST_ERROR_QUEUE_EMPTY -33
+ #define MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED -44
+
+/*
+ * Context for a message metadata queue (fifo) that is on top of the ring buffer.
+ */
+typedef struct mbedtls_test_message_queue
+{
+ size_t *messages;
+ int pos;
+ int num;
+ int capacity;
+} mbedtls_test_message_queue;
+
+/*
+ * Setup and free functions for the message metadata queue.
+ *
+ * \p capacity describes the number of message metadata chunks that can be held
+ * within the queue.
+ *
+ * \retval 0, if a metadata queue of a given length can be allocated.
+ * \retval MBEDTLS_ERR_SSL_ALLOC_FAILED, if allocation failed.
+ */
+int mbedtls_test_message_queue_setup( mbedtls_test_message_queue *queue,
+ size_t capacity )
+{
+ queue->messages = (size_t*) mbedtls_calloc( capacity, sizeof(size_t) );
+ if( NULL == queue->messages )
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+
+ queue->capacity = capacity;
+ queue->pos = 0;
+ queue->num = 0;
+
+ return 0;
+}
+
+void mbedtls_test_message_queue_free( mbedtls_test_message_queue *queue )
+{
+ if( queue == NULL )
+ return;
+
+ if( queue->messages != NULL )
+ mbedtls_free( queue->messages );
+
+ memset( queue, 0, sizeof( *queue ) );
+}
+
+/*
+ * Push message length information onto the message metadata queue.
+ * This will become the last element to leave it (fifo).
+ *
+ * \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
+ * \retval MBEDTLS_TEST_ERROR_QUEUE_FULL, if the queue is full.
+ * \retval \p len, if the push was successful.
+ */
+int mbedtls_test_message_queue_push_info( mbedtls_test_message_queue *queue,
+ size_t len )
+{
+ int place;
+ if( queue == NULL )
+ return MBEDTLS_TEST_ERROR_ARG_NULL;
+
+ if( queue->num >= queue->capacity )
+ return MBEDTLS_TEST_ERROR_QUEUE_FULL;
+
+ place = ( queue->pos + queue->num ) % queue->capacity;
+ queue->messages[place] = len;
+ queue->num++;
+ return len;
+}
+
+/*
+ * Pop information about the next message length from the queue. This will be
+ * the oldest inserted message length(fifo). \p msg_len can be null, in which
+ * case the data will be popped from the queue but not copied anywhere.
+ *
+ * \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
+ * \retval MBEDTLS_TEST_ERROR_QUEUE_EMPTY, if the queue is empty.
+ * \retval message length, if the pop was successful, up to the given
+ \p buf_len.
+ */
+int mbedtls_test_message_queue_pop_info( mbedtls_test_message_queue *queue,
+ size_t buf_len )
+{
+ size_t message_length;
+ if( queue == NULL )
+ return MBEDTLS_TEST_ERROR_ARG_NULL;
+ if( queue->num == 0 )
+ return MBEDTLS_TEST_ERROR_QUEUE_EMPTY;
+
+ message_length = queue->messages[queue->pos];
+ queue->messages[queue->pos] = 0;
+ queue->num--;
+ queue->pos++;
+ queue->pos %= queue->capacity;
+ if( queue->pos < 0 )
+ queue->pos += queue->capacity;
+
+ return ( message_length > buf_len ) ? buf_len : message_length;
+}
+
+/*
+ * Take a peek on the info about the next message length from the queue.
+ * This will be the oldest inserted message length(fifo).
+ *
+ * \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
+ * \retval MBEDTLS_TEST_ERROR_QUEUE_EMPTY, if the queue is empty.
+ * \retval 0, if the peek was successful.
+ * \retval MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED, if the given buffer length is
+ * too small to fit the message. In this case the \p msg_len will be
+ * set to the full message length so that the
+ * caller knows what portion of the message can be dropped.
+ */
+int mbedtls_test_message_queue_peek_info( mbedtls_test_message_queue *queue,
+ size_t buf_len, size_t* msg_len )
+{
+ if( queue == NULL || msg_len == NULL )
+ return MBEDTLS_TEST_ERROR_ARG_NULL;
+ if( queue->num == 0 )
+ return MBEDTLS_TEST_ERROR_QUEUE_EMPTY;
+
+ *msg_len = queue->messages[queue->pos];
+ return ( *msg_len > buf_len ) ? MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED : 0;
+}
+/*
* Context for the I/O callbacks simulating network connection.
*/
@@ -327,6 +461,430 @@
return mbedtls_test_buffer_get( socket->input, buf, len );
}
+/* Errors used in the message socket mocks */
+
+#define MBEDTLS_TEST_ERROR_CONTEXT_ERROR -55
+#define MBEDTLS_TEST_ERROR_SEND_FAILED -66
+#define MBEDTLS_TEST_ERROR_RECV_FAILED -77
+
+/*
+ * Structure used as an addon, or a wrapper, around the mocked sockets.
+ * Contains an input queue, to which the other socket pushes metadata,
+ * and an output queue, to which this one pushes metadata. This context is
+ * considered as an owner of the input queue only, which is initialized and
+ * freed in the respective setup and free calls.
+ */
+typedef struct mbedtls_test_message_socket_context
+{
+ mbedtls_test_message_queue* queue_input;
+ mbedtls_test_message_queue* queue_output;
+ mbedtls_mock_socket* socket;
+} mbedtls_test_message_socket_context;
+
+/*
+ * Setup a given mesasge socket context including initialization of
+ * input/output queues to a chosen capacity of messages. Also set the
+ * corresponding mock socket.
+ *
+ * \retval 0, if everything succeeds.
+ * \retval MBEDTLS_ERR_SSL_ALLOC_FAILED, if allocation of a message
+ * queue failed.
+ */
+int mbedtls_message_socket_setup( mbedtls_test_message_queue* queue_input,
+ mbedtls_test_message_queue* queue_output,
+ size_t queue_capacity,
+ mbedtls_mock_socket* socket,
+ mbedtls_test_message_socket_context* ctx )
+{
+ int ret = mbedtls_test_message_queue_setup( queue_input, queue_capacity );
+ if( ret != 0 )
+ return ret;
+ ctx->queue_input = queue_input;
+ ctx->queue_output = queue_output;
+ ctx->socket = socket;
+ mbedtls_mock_socket_init( socket );
+
+ return 0;
+}
+
+/*
+ * Close a given message socket context, along with the socket itself. Free the
+ * memory allocated by the input queue.
+ */
+void mbedtls_message_socket_close( mbedtls_test_message_socket_context* ctx )
+{
+ if( ctx == NULL )
+ return;
+
+ mbedtls_test_message_queue_free( ctx->queue_input );
+ mbedtls_mock_socket_close( ctx->socket );
+ memset( ctx, 0, sizeof( *ctx ) );
+}
+
+/*
+ * Send one message through a given message socket context.
+ *
+ * \retval \p len, if everything succeeds.
+ * \retval MBEDTLS_TEST_ERROR_CONTEXT_ERROR, if any of the needed context
+ * elements or the context itself is null.
+ * \retval MBEDTLS_TEST_ERROR_SEND_FAILED if mbedtls_mock_tcp_send_b failed.
+ * \retval MBEDTLS_TEST_ERROR_QUEUE_FULL, if the output queue is full.
+ *
+ * This function will also return any error from
+ * mbedtls_test_message_queue_push_info.
+ */
+int mbedtls_mock_tcp_send_msg( void *ctx, const unsigned char *buf, size_t len )
+{
+ mbedtls_test_message_queue* queue;
+ mbedtls_mock_socket* socket;
+ mbedtls_test_message_socket_context *context = (mbedtls_test_message_socket_context*) ctx;
+
+ if( context == NULL || context->socket == NULL
+ || context->queue_output == NULL )
+ {
+ return MBEDTLS_TEST_ERROR_CONTEXT_ERROR;
+ }
+
+ queue = context->queue_output;
+ socket = context->socket;
+
+ if( queue->num >= queue->capacity )
+ return MBEDTLS_TEST_ERROR_QUEUE_FULL;
+
+ if( mbedtls_mock_tcp_send_b( socket, buf, len ) != (int) len )
+ return MBEDTLS_TEST_ERROR_SEND_FAILED;
+
+ return mbedtls_test_message_queue_push_info( queue, len );
+}
+
+/*
+ * Receive one message from a given message socket context and return message
+ * length or an error.
+ *
+ * \retval message length, if everything succeeds.
+ * \retval MBEDTLS_TEST_ERROR_CONTEXT_ERROR, if any of the needed context
+ * elements or the context itself is null.
+ * \retval MBEDTLS_TEST_ERROR_RECV_FAILED if mbedtls_mock_tcp_recv_b failed.
+ *
+ * This function will also return any error other than
+ * MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from mbedtls_test_message_queue_peek_info.
+ */
+int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len )
+{
+ mbedtls_test_message_queue* queue;
+ mbedtls_mock_socket* socket;
+ mbedtls_test_message_socket_context *context = (mbedtls_test_message_socket_context*) ctx;
+ size_t drop_len;
+ size_t msg_len;
+ int ret;
+
+ if( context == NULL || context->socket == NULL
+ || context->queue_input == NULL )
+ {
+ return MBEDTLS_TEST_ERROR_CONTEXT_ERROR;
+ }
+
+ queue = context->queue_input;
+ socket = context->socket;
+
+ /* Peek first, so that in case of a socket error the data remains in
+ * the queue. */
+ ret = mbedtls_test_message_queue_peek_info( queue, buf_len, &msg_len );
+ if( ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED )
+ {
+ /* Calculate how much to drop */
+ drop_len = msg_len - buf_len;
+
+ /* Set the requested message len to be buffer length */
+ msg_len = buf_len;
+ } else if( ret != 0 )
+ {
+ return ret;
+ }
+
+ if( mbedtls_mock_tcp_recv_b( socket, buf, msg_len ) != (int) msg_len )
+ return MBEDTLS_TEST_ERROR_RECV_FAILED;
+
+ if( ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED )
+ {
+ /* Drop the remaining part of the message */
+ if( mbedtls_mock_tcp_recv_b( socket, NULL, drop_len ) != (int) drop_len )
+ {
+ /* Inconsistent state - part of the message was read,
+ * and a part couldn't. Not much we can do here, but it should not
+ * happen in test environment, unless forced manually. */
+ }
+ }
+ mbedtls_test_message_queue_pop_info( queue, buf_len );
+
+ return msg_len;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+/*
+ * Structure with endpoint's certificates for SSL communication tests.
+ */
+typedef struct mbedtls_endpoint_certificate
+{
+ mbedtls_x509_crt ca_cert;
+ mbedtls_x509_crt cert;
+ mbedtls_x509_crt cert2;
+ mbedtls_pk_context pkey;
+ mbedtls_pk_context pkey2;
+} mbedtls_endpoint_certificate;
+
+/*
+ * Endpoint structure for SSL communication tests.
+ */
+typedef struct mbedtls_endpoint
+{
+ const char *name;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_context entropy;
+ mbedtls_mock_socket socket;
+ mbedtls_endpoint_certificate cert;
+} mbedtls_endpoint;
+
+/*
+ * Initializes \p ep_cert structure and assigns it to endpoint
+ * represented by \p ep.
+ *
+ * \retval 0 on success, otherwise error code.
+ */
+int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep )
+{
+ int i = 0;
+ int ret = -1;
+ mbedtls_endpoint_certificate *cert;
+
+ if( ep == NULL )
+ {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ cert = &( ep->cert );
+ mbedtls_x509_crt_init( &( cert->ca_cert ) );
+ mbedtls_x509_crt_init( &( cert->cert ) );
+ mbedtls_x509_crt_init( &( cert->cert2 ) );
+ mbedtls_pk_init( &( cert->pkey ) );
+ mbedtls_pk_init( &( cert->pkey2 ) );
+
+ /* Load the trusted CA */
+
+ for( i = 0; mbedtls_test_cas[i] != NULL; i++ )
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->ca_cert ),
+ (const unsigned char *) mbedtls_test_cas[i],
+ mbedtls_test_cas_len[i] );
+ TEST_ASSERT( ret == 0 );
+ }
+
+ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
+ {
+ ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ),
+ (const unsigned char *) mbedtls_test_cas_der[i],
+ mbedtls_test_cas_der_len[i] );
+ TEST_ASSERT( ret == 0 );
+ }
+
+ /* Load own certificate and private key */
+
+ if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char *) mbedtls_test_srv_crt_rsa,
+ mbedtls_test_srv_crt_rsa_len );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char *) mbedtls_test_srv_key_rsa,
+ mbedtls_test_srv_key_rsa_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_x509_crt_parse( &( cert->cert2 ),
+ (const unsigned char *) mbedtls_test_srv_crt_ec,
+ mbedtls_test_srv_crt_ec_len );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_pk_parse_key( &( cert->pkey2 ),
+ (const unsigned char *) mbedtls_test_srv_key_ec,
+ mbedtls_test_srv_key_ec_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
+ else
+ {
+ ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ (const unsigned char *) mbedtls_test_cli_crt,
+ mbedtls_test_cli_crt_len );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ (const unsigned char *) mbedtls_test_cli_key,
+ mbedtls_test_cli_key_len, NULL, 0 );
+ TEST_ASSERT( ret == 0 );
+ }
+
+ mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
+
+ ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), &( cert->pkey ) );
+ TEST_ASSERT( ret == 0 );
+
+ if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
+ {
+ ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert2 ), &( cert->pkey2 ) );
+ TEST_ASSERT( ret == 0 );
+ }
+
+exit:
+ if( ret != 0 )
+ {
+ mbedtls_x509_crt_free( &( cert->ca_cert ) );
+ mbedtls_x509_crt_free( &( cert->cert ) );
+ mbedtls_x509_crt_free( &( cert->cert2 ) );
+ mbedtls_pk_free( &( cert->pkey ) );
+ mbedtls_pk_free( &( cert->pkey2 ) );
+ }
+
+ return ret;
+}
+
+/*
+ * Initializes \p ep structure. It is important to call `mbedtls_endpoint_free()`
+ * after calling this function even if it fails.
+ *
+ * \p endpoint_type must be set as MBEDTLS_SSL_IS_SERVER or
+ * MBEDTLS_SSL_IS_CLIENT.
+ *
+ * \retval 0 on success, otherwise error code.
+ */
+int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type )
+{
+ int ret = -1;
+
+ if( ep == NULL )
+ {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ memset( ep, 0, sizeof( *ep ) );
+
+ ep->name = ( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ? "Server" : "Client";
+
+ mbedtls_ssl_init( &( ep->ssl ) );
+ mbedtls_ssl_config_init( &( ep->conf ) );
+ mbedtls_ctr_drbg_init( &( ep->ctr_drbg ) );
+ mbedtls_ssl_conf_rng( &( ep->conf ),
+ mbedtls_ctr_drbg_random,
+ &( ep->ctr_drbg ) );
+ mbedtls_entropy_init( &( ep->entropy ) );
+ mbedtls_mock_socket_init( &( ep->socket ) );
+
+ ret = mbedtls_ctr_drbg_seed( &( ep->ctr_drbg ), mbedtls_entropy_func,
+ &( ep->entropy ), (const unsigned char *) ( ep->name ),
+ strlen( ep->name ) );
+ TEST_ASSERT( ret == 0 );
+
+ /* Non-blocking callbacks without timeout */
+ mbedtls_ssl_set_bio( &( ep->ssl ), &( ep->socket ),
+ mbedtls_mock_tcp_send_nb,
+ mbedtls_mock_tcp_recv_nb,
+ NULL );
+
+ ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_ssl_config_defaults( &( ep->conf ), endpoint_type,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_endpoint_certificate_init( ep );
+ TEST_ASSERT( ret == 0 );
+
+exit:
+ return ret;
+}
+
+/*
+ * Deinitializes certificates from endpoint represented by \p ep.
+ */
+void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep )
+{
+ mbedtls_endpoint_certificate *cert = &( ep->cert );
+ mbedtls_x509_crt_free( &( cert->ca_cert ) );
+ mbedtls_x509_crt_free( &( cert->cert ) );
+ mbedtls_x509_crt_free( &( cert->cert2 ) );
+ mbedtls_pk_free( &( cert->pkey ) );
+ mbedtls_pk_free( &( cert->pkey2 ) );
+}
+
+/*
+ * Deinitializes endpoint represented by \p ep.
+ */
+void mbedtls_endpoint_free( mbedtls_endpoint *ep )
+{
+ mbedtls_endpoint_certificate_free( ep );
+
+ mbedtls_ssl_free( &( ep->ssl ) );
+ mbedtls_ssl_config_free( &( ep->conf ) );
+ mbedtls_ctr_drbg_free( &( ep->ctr_drbg ) );
+ mbedtls_entropy_free( &( ep->entropy ) );
+ mbedtls_mock_socket_close( &( ep->socket ) );
+}
+
+/*
+ * This function moves ssl handshake from \p ssl to prescribed \p state.
+ * /p second_ssl is used as second endpoint and their sockets have to be
+ * connected before calling this function.
+ *
+ * \retval 0 on success, otherwise error code.
+ */
+int mbedtls_move_handshake_to_state( mbedtls_ssl_context *ssl,
+ mbedtls_ssl_context *second_ssl,
+ int state )
+{
+ enum { BUFFSIZE = 1024 };
+ int max_steps = 1000;
+ int ret = 0;
+
+ if( ssl == NULL || second_ssl == NULL )
+ {
+ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+ }
+
+ /* Perform communication via connected sockets */
+ while( ( ssl->state != state ) && ( --max_steps >= 0 ) )
+ {
+ /* If /p second_ssl ends the handshake procedure before /p ssl then
+ * there is no need to call the next step */
+ if( second_ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+ {
+ ret = mbedtls_ssl_handshake_step( second_ssl );
+ if( ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ return ret;
+ }
+ }
+
+ /* We only care about the \p ssl state and returns, so we call it last,
+ * to leave the iteration as soon as the state is as expected. */
+ ret = mbedtls_ssl_handshake_step( ssl );
+ if( ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ &&
+ ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+ {
+ return ret;
+ }
+ }
+
+ return ( max_steps >= 0 ) ? ret : -1;
+}
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
/*
* Helper function setting up inverse record transformations
* using given cipher, hash, EtM mode, authentication tag length,
@@ -702,8 +1260,7 @@
TEST_ASSERT( mbedtls_test_buffer_get( NULL, output, sizeof( output ) )
== -1 );
TEST_ASSERT( mbedtls_test_buffer_put( NULL, NULL, sizeof( input ) ) == -1 );
- TEST_ASSERT( mbedtls_test_buffer_get( NULL, NULL, sizeof( output ) )
- == -1 );
+
TEST_ASSERT( mbedtls_test_buffer_put( NULL, NULL, 0 ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( NULL, NULL, 0 ) == -1 );
@@ -715,19 +1272,20 @@
TEST_ASSERT( mbedtls_test_buffer_get( &buf, output, sizeof( output ) )
== -1 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, sizeof( input ) ) == -1 );
- TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, sizeof( output ) )
- == -1 );
+
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, 0 ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, 0 ) == -1 );
- /* Make sure calling put end get on NULL input and output only results in
- * error if the length is not zero. */
+ /* Make sure calling put and get on NULL input only results in
+ * error if the length is not zero, and that a NULL output is valid for data
+ * dropping.
+ */
TEST_ASSERT( mbedtls_test_buffer_setup( &buf, sizeof( input ) ) == 0 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, sizeof( input ) ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, sizeof( output ) )
- == -1 );
+ == 0 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, 0 ) == 0 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, 0 ) == 0 );
@@ -1157,6 +1715,583 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void ssl_message_queue_sanity( )
+{
+ mbedtls_test_message_queue queue;
+
+ /* Trying to push/pull to an empty queue */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( NULL, 1 )
+ == MBEDTLS_TEST_ERROR_ARG_NULL );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( NULL, 1 )
+ == MBEDTLS_TEST_ERROR_ARG_NULL );
+
+ mbedtls_test_message_queue_setup( &queue, 3 );
+ TEST_ASSERT( queue.capacity == 3 );
+ TEST_ASSERT( queue.num == 0 );
+
+exit:
+ mbedtls_test_message_queue_free( &queue );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_queue_basic( )
+{
+ mbedtls_test_message_queue queue;
+
+ mbedtls_test_message_queue_setup( &queue, 3 );
+
+ /* Sanity test - 3 pushes and 3 pops with sufficient space */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( queue.capacity == 3 );
+ TEST_ASSERT( queue.num == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( queue.capacity == 3 );
+ TEST_ASSERT( queue.num == 2 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
+ TEST_ASSERT( queue.capacity == 3 );
+ TEST_ASSERT( queue.num == 3 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
+
+exit:
+ mbedtls_test_message_queue_free( &queue );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_queue_overflow_underflow( )
+{
+ mbedtls_test_message_queue queue;
+
+ mbedtls_test_message_queue_setup( &queue, 3 );
+
+ /* 4 pushes (last one with an error), 4 pops (last one with an error) */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 3 )
+ == MBEDTLS_TEST_ERROR_QUEUE_FULL );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+
+exit:
+ mbedtls_test_message_queue_free( &queue );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_queue_interleaved( )
+{
+ mbedtls_test_message_queue queue;
+
+ mbedtls_test_message_queue_setup( &queue, 3 );
+
+ /* Interleaved test - [2 pushes, 1 pop] twice, and then two pops
+ * (to wrap around the buffer) */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 3 ) == 3 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 5 ) == 5 );
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 8 ) == 8 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 3 ) == 3 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 5 ) == 5 );
+
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 8 ) == 8 );
+
+exit:
+ mbedtls_test_message_queue_free( &queue );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_queue_insufficient_buffer( )
+{
+ mbedtls_test_message_queue queue;
+ size_t message_len = 10;
+ size_t buffer_len = 5;
+
+ mbedtls_test_message_queue_setup( &queue, 1 );
+
+ /* Popping without a sufficient buffer */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, message_len )
+ == (int) message_len );
+ TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, buffer_len )
+ == (int) buffer_len );
+exit:
+ mbedtls_test_message_queue_free( &queue );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_uninitialized( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ /* Send with a NULL context */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( NULL, message, MSGLEN )
+ == MBEDTLS_TEST_ERROR_CONTEXT_ERROR );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( NULL, message, MSGLEN )
+ == MBEDTLS_TEST_ERROR_CONTEXT_ERROR );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
+ &client,
+ &client_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message, MSGLEN )
+ == MBEDTLS_TEST_ERROR_SEND_FAILED );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+
+ /* Push directly to a queue to later simulate a disconnected behavior */
+ TEST_ASSERT( mbedtls_test_message_queue_push_info( &server_queue, MSGLEN )
+ == MSGLEN );
+
+ /* Test if there's an error when trying to read from a disconnected
+ * socket */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_RECV_FAILED );
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_basic( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN ) );
+
+ /* Send the message to the server */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ /* Read from the server */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+ memset( received, 0, MSGLEN );
+
+ /* Send the message to the client */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
+ MSGLEN ) == MSGLEN );
+
+ /* Read from the client */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received, MSGLEN )
+ == MSGLEN );
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_queue_overflow_underflow( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN*2 ) );
+
+ /* Send three message to the server, last one with an error */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN - 1 ) == MSGLEN - 1 );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_FULL );
+
+ /* Read three messages from the server, last one with an error */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
+ MSGLEN - 1 ) == MSGLEN - 1 );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_socket_overflow( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN ) );
+
+ /* Send two message to the server, second one with an error */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN )
+ == MBEDTLS_TEST_ERROR_SEND_FAILED );
+
+ /* Read the only message from the server */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_truncated( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
+ &client,
+ &client_context ) == 0 );
+
+ memset( received, 0, MSGLEN );
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ 2 * MSGLEN ) );
+
+ /* Send two messages to the server, the second one small enough to fit in the
+ * receiver's buffer. */
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN / 2 ) == MSGLEN / 2 );
+ /* Read a truncated message from the server */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN/2 )
+ == MSGLEN/2 );
+
+ /* Test that the first half of the message is valid, and second one isn't */
+ TEST_ASSERT( memcmp( message, received, MSGLEN/2 ) == 0 );
+ TEST_ASSERT( memcmp( message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2 )
+ != 0 );
+ memset( received, 0, MSGLEN );
+
+ /* Read a full message from the server */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN/2 )
+ == MSGLEN / 2 );
+
+ /* Test that the first half of the message is valid */
+ TEST_ASSERT( memcmp( message, received, MSGLEN/2 ) == 0 );
+
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_socket_read_error( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN ) );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ /* Force a read error by disconnecting the socket by hand */
+ server.status = 0;
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_RECV_FAILED );
+ /* Return to a valid state */
+ server.status = MBEDTLS_MOCK_SOCKET_CONNECTED;
+
+ memset( received, 0, sizeof( received ) );
+
+ /* Test that even though the server tried to read once disconnected, the
+ * continuity is preserved */
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_interleaved_one_way( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 3,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 3,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN*3 ) );
+
+ /* Interleaved test - [2 sends, 1 read] twice, and then two reads
+ * (to wrap around the buffer) */
+ for( i = 0; i < 2; i++ )
+ {
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
+ MSGLEN ) == MSGLEN );
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+ memset( received, 0, sizeof( received ) );
+ }
+
+ for( i = 0; i < 2; i++ )
+ {
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+ }
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
+void ssl_message_mock_interleaved_two_ways( )
+{
+ enum { MSGLEN = 10 };
+ unsigned char message[MSGLEN], received[MSGLEN];
+ mbedtls_mock_socket client, server;
+ unsigned i;
+ mbedtls_test_message_queue server_queue, client_queue;
+ mbedtls_test_message_socket_context server_context, client_context;
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 3,
+ &server,
+ &server_context ) == 0 );
+
+ TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 3,
+ &client,
+ &client_context ) == 0 );
+
+ /* Fill up the buffer with structured data so that unwanted changes
+ * can be detected */
+ for( i = 0; i < MSGLEN; i++ )
+ {
+ message[i] = i & 0xFF;
+ }
+ TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
+ MSGLEN*3 ) );
+
+ /* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads
+ * (to wrap around the buffer) both ways. */
+ for( i = 0; i < 2; i++ )
+ {
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ memset( received, 0, sizeof( received ) );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+
+ memset( received, 0, sizeof( received ) );
+ }
+
+ for( i = 0; i < 2; i++ )
+ {
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+ memset( received, 0, sizeof( received ) );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received,
+ MSGLEN ) == MSGLEN );
+
+ TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
+ memset( received, 0, sizeof( received ) );
+ }
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+
+ TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received, MSGLEN )
+ == MBEDTLS_TEST_ERROR_QUEUE_EMPTY );
+ exit:
+ mbedtls_message_socket_close( &server_context );
+ mbedtls_message_socket_close( &client_context );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
{
@@ -1780,3 +2915,64 @@
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
+void mbedtls_endpoint_sanity( int endpoint_type )
+{
+ enum { BUFFSIZE = 1024 };
+ mbedtls_endpoint ep;
+ int ret = -1;
+
+ ret = mbedtls_endpoint_init( NULL, endpoint_type );
+ TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
+
+ ret = mbedtls_endpoint_certificate_init( NULL );
+ TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
+
+ ret = mbedtls_endpoint_init( &ep, endpoint_type );
+ TEST_ASSERT( ret == 0 );
+
+exit:
+ mbedtls_endpoint_free( &ep );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_PSA_CRYPTO */
+void move_handshake_to_state(int endpoint_type, int state, int need_pass)
+{
+ enum { BUFFSIZE = 1024 };
+ mbedtls_endpoint base_ep, second_ep;
+ int ret = -1;
+
+ ret = mbedtls_endpoint_init( &base_ep, endpoint_type );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_endpoint_init( &second_ep,
+ ( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ?
+ MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_mock_socket_connect( &(base_ep.socket),
+ &(second_ep.socket),
+ BUFFSIZE );
+ TEST_ASSERT( ret == 0 );
+
+ ret = mbedtls_move_handshake_to_state( &(base_ep.ssl),
+ &(second_ep.ssl),
+ state );
+ if( need_pass )
+ {
+ TEST_ASSERT( ret == 0 );
+ TEST_ASSERT( base_ep.ssl.state == state );
+ }
+ else
+ {
+ TEST_ASSERT( ret != 0 );
+ TEST_ASSERT( base_ep.ssl.state != state );
+ }
+
+exit:
+ mbedtls_endpoint_free( &base_ep );
+ mbedtls_endpoint_free( &second_ep );
+}
+/* END_CASE */