Update default configuration

Change the default settings for SSL and modify the tests accordingly.
author: Janos Follath <janos.follath@arm.com> 2016-03-14 13:40:43 +0000
committer: Janos Follath <janos.follath@arm.com> 2016-03-14 13:40:43 +0000
commit: 4dfecabb977ebf24d3cff66e43bc96aa21d2c077 (patch)
tree: 147e631b40aa3f15470488778abda62b24c73213
parent: a91d85e331098429a9c159c8dcaedbefbe0504ea (diff)
download: mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.zip
mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.tar.gz
mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.tar.bz2
5 files changed, 42 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index c153a7b..f3e6d1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,7 @@ Changes
    * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
      don't use the optimized assembly for bignum multiplication. This removes
      the need to pass -fomit-frame-pointer to avoid a build error with -O0.
+   * Disabled SSLv3 in the default configuration.
 
 = mbed TLS 1.3.16 released 2016-01-05
 
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 4929aa1..8fdf36e 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -1012,7 +1012,7 @@
  *
  * Comment this macro to disable support for SSL 3.0
  */
-#define POLARSSL_SSL_PROTO_SSL3
+//#define POLARSSL_SSL_PROTO_SSL3
 
 /**
  * \def POLARSSL_SSL_PROTO_TLS1
diff --git a/tests/compat.sh b/tests/compat.sh
index 04af410..8d057af 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -45,7 +45,7 @@ else
 fi
 
 # default values for options
-MODES="ssl3 tls1 tls1_1 tls1_2"
+MODES="tls1 tls1_1 tls1_2"
 VERIFIES="NO YES"
 TYPES="ECDSA RSA PSK"
 FILTER=""
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index dfc0061..ae82f7b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -103,6 +103,27 @@ cd tests
 ./compat.sh
 cd ..
 
+msg "build: Default + SSLv3 (ASan build)" # ~ 6 min
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl set POLARSSL_SSL_PROTO_SSL3
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+make
+
+msg "test: SSLv3 - main suites and selftest (ASan build)" # ~ 50s
+make test
+programs/test/selftest
+
+msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
+cd tests
+./compat.sh -m 'ssl3 tls1 tls1_1 tls1_2'
+cd ..
+
+msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
+cd tests
+./ssl-opt.sh
+cd ..
+
 msg "build: cmake, full config, clang" # ~ 50s
 cleanup
 cp "$CONFIG_H" "$CONFIG_BAK"
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e2efae9..dcf9bb1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -66,6 +66,13 @@ get_options() {
     done
 }
 
+# skip next test if the flag is not enabled in config.h
+requires_config_enabled() {
+    if grep "^#define $1" $CONFIG_H > /dev/null; then :; else
+        SKIP_NEXT="YES"
+    fi
+}
+
 # skip next test if OpenSSL can't send SSLv2 ClientHello
 requires_openssl_with_sslv2() {
     if [ -z "${OPENSSL_HAS_SSL2:-}" ]; then
@@ -560,6 +567,7 @@ run_test    "Encrypt then MAC: client disabled, server enabled" \
             -C "using encrypt then mac" \
             -S "using encrypt then mac"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Encrypt then MAC: client SSLv3, server enabled" \
             "$P_SRV debug_level=3 min_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@@ -572,6 +580,7 @@ run_test    "Encrypt then MAC: client SSLv3, server enabled" \
             -C "using encrypt then mac" \
             -S "using encrypt then mac"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Encrypt then MAC: client enabled, server SSLv3" \
             "$P_SRV debug_level=3 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
@@ -619,6 +628,7 @@ run_test    "Extended Master Secret: client disabled, server enabled" \
             -C "using extended master secret" \
             -S "using extended master secret"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Extended Master Secret: client SSLv3, server enabled" \
             "$P_SRV debug_level=3 min_version=ssl3" \
             "$P_CLI debug_level=3 force_version=ssl3" \
@@ -630,6 +640,7 @@ run_test    "Extended Master Secret: client SSLv3, server enabled" \
             -C "using extended master secret" \
             -S "using extended master secret"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Extended Master Secret: client enabled, server SSLv3" \
             "$P_SRV debug_level=3 force_version=ssl3" \
             "$P_CLI debug_level=3 min_version=ssl3" \
@@ -748,6 +759,7 @@ run_test    "CBC Record splitting: TLS 1.0, splitting" \
             -s "Read from client: 1 bytes read" \
             -s "122 bytes read"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "CBC Record splitting: SSLv3, splitting" \
             "$P_SRV min_version=ssl3" \
             "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
@@ -1454,6 +1466,7 @@ run_test    "Authentication: client no cert, openssl server optional" \
             -c "skip write certificate verify" \
             -C "! ssl_handshake returned"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Authentication: client no cert, ssl3" \
             "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
             "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
@@ -2159,6 +2172,7 @@ run_test    "PSK callback: wrong key" \
 
 # Tests for ciphersuites per version
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Per-version suites: SSL3" \
             "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=ssl3" \
@@ -2199,6 +2213,7 @@ run_test    "ssl_get_bytes_avail: extra data" \
 
 # Tests for small packets
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Small packet SSLv3 BlockCipher" \
             "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=1 force_version=ssl3 \
@@ -2206,6 +2221,7 @@ run_test    "Small packet SSLv3 BlockCipher" \
             0 \
             -s "Read from client: 1 bytes read"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Small packet SSLv3 StreamCipher" \
             "$P_SRV min_version=ssl3 arc4=1" \
             "$P_CLI request_size=1 force_version=ssl3 \
@@ -2340,6 +2356,7 @@ run_test    "Small packet TLS 1.2 AEAD shorter tag" \
 
 # Test for large packets
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Large packet SSLv3 BlockCipher" \
             "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \
@@ -2347,6 +2364,7 @@ run_test    "Large packet SSLv3 BlockCipher" \
             0 \
             -s "Read from client: 16384 bytes read"
 
+requires_config_enabled POLARSSL_SSL_PROTO_SSL3
 run_test    "Large packet SSLv3 StreamCipher" \
             "$P_SRV min_version=ssl3 arc4=1" \
             "$P_CLI request_size=16384 force_version=ssl3 \
author	Janos Follath <janos.follath@arm.com>	2016-03-14 13:40:43 +0000
committer	Janos Follath <janos.follath@arm.com>	2016-03-14 13:40:43 +0000
commit	4dfecabb977ebf24d3cff66e43bc96aa21d2c077 (patch)
tree	147e631b40aa3f15470488778abda62b24c73213
parent	a91d85e331098429a9c159c8dcaedbefbe0504ea (diff)
download	mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.zip mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.tar.gz mbedtls-4dfecabb977ebf24d3cff66e43bc96aa21d2c077.tar.bz2