Move more endpoint configuration into the setup function

Applying SSL configuration settings recorded in the
`mbedtls_test_handshake_test_options` structure to an
`mbedtls_test_ssl_endpoint` object was split between
`mbedtls_test_ssl_endpoint_init()` and `mbedtls_test_ssl_perform_handshake()`.
This was surprising, and made it harder to use
`mbedtls_test_ssl_endpoint_init()` for custom behavior. It also meant some
code duplication in `mbedtls_test_ssl_perform_handshake()`.

Move most configuration setup from `mbedtls_test_ssl_perform_handshake()` to
`mbedtls_test_ssl_endpoint_init()`. This changes the behavior in two ways:

* `mbedtls_test_ssl_endpoint_init()` now takes some options into account
  that it previously ignored. This is ok because we don't set these options
  in any of the existing tests.
* When calling `mbedtls_test_ssl_perform_handshake()`, some SSL configuration
  settings are now set (calls to `mbedtls_ssl_conf_xxx()`) before the call
  to `mbedtls_ssl_setup()` instead of after. This should be ok since it is
  forbidden to change the configuration after `mbedtls_ssl_setup()`,
  although the previous test code was getting away with it. This commit does
  not move all configuration before `mbedtls_ssl_setup()`; that would be out
  of scope of the current series of patches.

Thus there are some internal behavior changes, but they should not affect
any relevant aspect of the tests' behavior.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine 2025-05-28 17:01:42 +02:00
parent 7a8fd46392
commit 27586d83f0


@ -572,8 +572,60 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx,
return (msg_len > INT_MAX) ? INT_MAX : (int) msg_len;
}
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
defined(MBEDTLS_SSL_SRV_C)
static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len)
{
(void) p_info;
(void) ssl;
(void) name;
(void) name_len;
return 0;
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
static int set_ciphersuite(mbedtls_test_ssl_endpoint *ep,
const char *cipher)
{
if (cipher == NULL || cipher[0] == 0) {
return 1;
}
int ok = 0;
TEST_CALLOC(ep->ciphersuites, 2);
ep->ciphersuites[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
ep->ciphersuites[1] = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id(ep->ciphersuites[0]);
TEST_ASSERT(ciphersuite_info != NULL);
TEST_ASSERT(ciphersuite_info->min_tls_version <= ep->conf.max_tls_version);
TEST_ASSERT(ciphersuite_info->max_tls_version >= ep->conf.min_tls_version);
if (ep->conf.max_tls_version > ciphersuite_info->max_tls_version) {
ep->conf.max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
}
if (ep->conf.min_tls_version < ciphersuite_info->min_tls_version) {
ep->conf.min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
}
mbedtls_ssl_conf_ciphersuites(&ep->conf, ep->ciphersuites);
ok = 1;
exit:
return ok;
}
/*
* Deinitializes certificates from endpoint represented by \p ep.
*/
@ -740,6 +792,9 @@ int mbedtls_test_ssl_endpoint_init(
{
int ret = -1;
uintptr_t user_data_n;
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
const char *psk_identity = "foo";
#endif
if (ep == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@ -813,6 +868,10 @@ int mbedtls_test_ssl_endpoint_init(
}
}
if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
TEST_ASSERT(set_ciphersuite(ep, options->cipher));
}
if (options->group_list != NULL) {
mbedtls_ssl_conf_groups(&(ep->conf), options->group_list);
}
@ -828,6 +887,7 @@ int mbedtls_test_ssl_endpoint_init(
options->max_early_data_size);
}
#endif
#if defined(MBEDTLS_SSL_ALPN)
/* check that alpn_list contains at least one valid entry */
if (options->alpn_list[0] != NULL) {
@ -836,6 +896,15 @@ int mbedtls_test_ssl_endpoint_init(
#endif
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if (options->renegotiate) {
mbedtls_ssl_conf_renegotiation(&ep->conf,
MBEDTLS_SSL_RENEGOTIATION_ENABLED);
mbedtls_ssl_conf_legacy_renegotiation(&ep->conf,
options->legacy_renegotiation);
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
#if defined(MBEDTLS_SSL_CACHE_C) && defined(MBEDTLS_SSL_SRV_C)
if (endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL) {
mbedtls_ssl_conf_session_cache(&(ep->conf), options->cache,
@ -844,6 +913,14 @@ int mbedtls_test_ssl_endpoint_init(
}
#endif
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&ep->conf,
(unsigned char) options->mfl),
0);
#else
TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
ret = mbedtls_ssl_setup(&(ep->ssl), &(ep->conf));
TEST_EQUAL(ret, 0);
@ -881,6 +958,21 @@ int mbedtls_test_ssl_endpoint_init(
options->opaque_usage);
TEST_EQUAL(ret, 0);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (options->psk_str != NULL && options->psk_str->len > 0) {
TEST_EQUAL(mbedtls_ssl_conf_psk(
&ep->conf, options->psk_str->x,
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen(psk_identity)), 0);
#if defined(MBEDTLS_SSL_SRV_C)
if (MBEDTLS_SSL_IS_SERVER == endpoint_type) {
mbedtls_ssl_conf_psk_cb(&ep->conf, psk_dummy_callback, NULL);
}
#endif
}
#endif
TEST_EQUAL(mbedtls_ssl_conf_get_user_data_n(&ep->conf), user_data_n);
mbedtls_ssl_conf_set_user_data_p(&ep->conf, ep);
TEST_EQUAL(mbedtls_ssl_get_user_data_n(&ep->ssl), user_data_n);
@ -1060,59 +1152,6 @@ exit:
return -1;
}
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
static int set_ciphersuite(mbedtls_test_ssl_endpoint *ep,
const char *cipher)
{
if (cipher == NULL || cipher[0] == 0) {
return 1;
}
int ok = 0;
TEST_CALLOC(ep->ciphersuites, 2);
ep->ciphersuites[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
ep->ciphersuites[1] = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id(ep->ciphersuites[0]);
TEST_ASSERT(ciphersuite_info != NULL);
TEST_ASSERT(ciphersuite_info->min_tls_version <= ep->conf.max_tls_version);
TEST_ASSERT(ciphersuite_info->max_tls_version >= ep->conf.min_tls_version);
if (ep->conf.max_tls_version > ciphersuite_info->max_tls_version) {
ep->conf.max_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->max_tls_version;
}
if (ep->conf.min_tls_version < ciphersuite_info->min_tls_version) {
ep->conf.min_tls_version = (mbedtls_ssl_protocol_version) ciphersuite_info->min_tls_version;
}
mbedtls_ssl_conf_ciphersuites(&ep->conf, ep->ciphersuites);
ok = 1;
exit:
return ok;
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
defined(MBEDTLS_SSL_SRV_C)
static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len)
{
(void) p_info;
(void) ssl;
(void) name;
(void) name_len;
return 0;
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED &&
MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(PSA_WANT_ALG_CBC_NO_PADDING) && defined(PSA_WANT_KEY_TYPE_AES)
int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
@ -2383,9 +2422,6 @@ void mbedtls_test_ssl_perform_handshake(
mbedtls_test_ssl_endpoint server_struct;
memset(&server_struct, 0, sizeof(server_struct));
mbedtls_test_ssl_endpoint *const server = &server_struct;
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
const char *psk_identity = "foo";
#endif
MD_OR_USE_PSA_INIT();
@ -2399,7 +2435,6 @@ void mbedtls_test_ssl_perform_handshake(
TEST_EQUAL(mbedtls_test_ssl_endpoint_init(client,
MBEDTLS_SSL_IS_CLIENT,
options), 0);
TEST_ASSERT(set_ciphersuite(client, options->cipher));
/* Server side */
TEST_EQUAL(mbedtls_test_ssl_endpoint_init(server,
@ -2411,49 +2446,6 @@ void mbedtls_test_ssl_perform_handshake(
TEST_EQUAL(mbedtls_test_ssl_dtls_join_endpoints(client, server), 0);
}
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&(server->conf),
(unsigned char) options->mfl),
0);
TEST_EQUAL(mbedtls_ssl_conf_max_frag_len(&(client->conf),
(unsigned char) options->mfl),
0);
#else
TEST_EQUAL(MBEDTLS_SSL_MAX_FRAG_LEN_NONE, options->mfl);
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (options->psk_str != NULL && options->psk_str->len > 0) {
TEST_EQUAL(mbedtls_ssl_conf_psk(
&client->conf, options->psk_str->x,
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen(psk_identity)), 0);
TEST_EQUAL(mbedtls_ssl_conf_psk(
&server->conf, options->psk_str->x,
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen(psk_identity)), 0);
#if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(&server->conf, psk_dummy_callback, NULL);
#endif
}
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if (options->renegotiate) {
mbedtls_ssl_conf_renegotiation(&(server->conf),
MBEDTLS_SSL_RENEGOTIATION_ENABLED);
mbedtls_ssl_conf_renegotiation(&(client->conf),
MBEDTLS_SSL_RENEGOTIATION_ENABLED);
mbedtls_ssl_conf_legacy_renegotiation(&(server->conf),
options->legacy_renegotiation);
mbedtls_ssl_conf_legacy_renegotiation(&(client->conf),
options->legacy_renegotiation);
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
TEST_ASSERT(mbedtls_test_ssl_perform_connection(options, client, server));
TEST_ASSERT(mbedtls_ssl_conf_get_user_data_p(&client->conf) == client);
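Review bot: In `mbedtls_test_ssl_endpoint_init()`, the PSK block added in the `-881,6 +958,21` hunk (`mbedtls_ssl_conf_psk()` and `mbedtls_ssl_conf_psk_cb()`) appears to sit after the `mbedtls_ssl_setup()` call shown in the preceding hunk, so it is still a configuration change made after setup, which the commit message itself describes as forbidden. If this is the intended leftover, mark it at the site so the ordering is not copied as a pattern, e.g. `/* TODO: PSK is still configured after mbedtls_ssl_setup(); move before setup in a follow-up. */`. The relocated `psk_dummy_callback()` also has no comment; something like `/* Test-only: accepts any PSK identity and sets no per-handshake key. */` would make clear that it must not be reused outside the test helpers. The body of `mbedtls_test_ssl_endpoint_init()` starts and ends outside the visible hunks, so the ordering relative to `mbedtls_ssl_setup()` is inferred from hunk positions and should be confirmed against the full file.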