diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bae9ee53f7..155719cf26 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -284,6 +284,12 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" +TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED" + requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() { if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2 then 
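Review bot: The name `TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH` reads as if every elliptic-curve Diffie-Hellman key exchange were excluded, yet the list keeps `MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` and `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`. Only the static ECDH variants appear to be left out. A comment above the assignment would make that explicit, for example `# Certificate-based key exchanges minus static ECDH (ECDHE stays); keep in sync with TLS1_2_KEY_EXCHANGES_WITH_CERT`. The full contents of `TLS1_2_KEY_EXCHANGES_WITH_CERT` are not visible in this hunk, so the two lists should be compared when the comment is written.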
@@ -368,48 +374,66 @@ requires_ciphersuite_enabled() { # - $1 = command line (call to a TLS client or server program) # - $2 = client/server # - $3 = TLS version (TLS12 or TLS13) -# - $4 = run test options +# - $4 = Use an external tool without ECDH support +# - $5 = run test options detect_required_features() { - case "$1" in + CMD_LINE=$1 + ROLE=$2 + TLS_VERSION=$3 + EXT_WO_ECDH=$4 + TEST_OPTIONS=${5:-} + + case "$CMD_LINE" in *\ force_version=*) - tmp="${1##*\ force_version=}" + tmp="${CMD_LINE##*\ force_version=}" tmp="${tmp%%[!-0-9A-Z_a-z]*}" requires_protocol_version "$tmp";; esac - case "$1" in + case "$CMD_LINE" in *\ force_ciphersuite=*) - tmp="${1##*\ force_ciphersuite=}" + tmp="${CMD_LINE##*\ force_ciphersuite=}" tmp="${tmp%%[!-0-9A-Z_a-z]*}" requires_ciphersuite_enabled "$tmp";; esac - case " $1 " in + case " $CMD_LINE " in *[-_\ =]tickets=[^0]*) requires_config_enabled MBEDTLS_SSL_TICKET_C;; esac - case " $1 " in + case " $CMD_LINE " in *[-_\ =]alpn=*) requires_config_enabled MBEDTLS_SSL_ALPN;; esac - case "$1" in + case "$CMD_LINE" in *server5*|\ *server7*|\ *dir-maxpath*) - if [ "$3" = "TLS13" ]; then + if [ "$TLS_VERSION" = "TLS13" ]; then # In case of TLS13 the support for ECDSA is enough requires_pk_alg "ECDSA" else # For TLS12 requirements are different between server and client - if [ "$2" = "server" ]; then + if [ "$ROLE" = "server" ]; then # If the server uses "server5*" certificates, then an ECDSA based - # key exchange is required - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT - elif [ "$2" = "client" ]; then - # Otherwise for the client it is enough to have any certificate - # based authentication + support for ECDSA - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT + # key exchange is required. 
However gnutls also does not + # support ECDH, so this limit the choice to ECDHE-ECDSA + if [ "$EXT_WO_ECDH" = "yes" ]; then + requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + else + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT + fi + elif [ "$ROLE" = "client" ]; then + # On the client side it is enough to have any certificate + # based authentication together with support for ECDSA. + # Of course the GnuTLS limitation mentioned above applies + # also here. + if [ "$EXT_WO_ECDH" = "yes" ]; then + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH + else + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT + fi requires_pk_alg "ECDSA" fi fi @@ -1102,6 +1126,28 @@ is_gnutls() { esac } +# Some external tools (gnutls or openssl) might not have support for ECDH and +# this limit the tests that can be run with them. This function checks server +# and client command lines, given as input, to verify if the current test +# is using one of these tools. +use_ext_tool_without_ecdh_support() { + case "$1" in + *$GNUTLS_SERV*|\ + *${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\ + *${OPENSSL_NEXT:-"openssl-dummy"}*) + echo "yes" + return;; + esac + case "$2" in + *$GNUTLS_CLI*|\ + *${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\ + *${OPENSSL_NEXT:-"openssl-dummy"}*) + echo "yes" + return;; + esac + echo "no" +} + # Generate random psk_list argument for ssl_server2 get_srv_psk_list () { 
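Review bot: `TEST_OPTIONS=${5:-}` in detect_required_features keeps only the first of the options that run_test forwards as `"$@"`, so any later check on it would miss the second and following options. Whether `TEST_OPTIONS` is read at all is not visible here, because the function body continues past the end of the hunk. If it is read, collecting the options after a `shift 4` with `TEST_OPTIONS="$*"` would capture all of them; if it is not, the assignment can be dropped. The header comment could also say that `$4` is the literal string `yes` or `no`, since any other value silently selects the broader key-exchange list.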
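Review bot: In use_ext_tool_without_ecdh_support the arms `*$GNUTLS_SERV*` and `*$GNUTLS_CLI*` have no fallback, unlike the `${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}` arms next to them. If either variable is empty, the pattern collapses to `**`, matches every command line, and the function prints `yes` for all tests. That would narrow the required key exchanges everywhere and could skip tests in builds that enable only the excluded key exchanges, with no visible error. Whether both variables are always given a default earlier in the script cannot be seen from this hunk. Writing the arms as `*"${GNUTLS_SERV:-gnutls-serv-dummy}"*|\` and `*"${GNUTLS_CLI:-gnutls-cli-dummy}"*|\` closes the gap, and the quotes also stop glob characters in a tool path from being read as pattern syntax.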
@@ -1528,8 +1574,12 @@ run_test() { # If the client or server requires certain features that can be detected # from their command-line arguments, check that they're enabled. TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD") - detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@" - detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@" + + # Check if we are trying to use an external tool wich does not support ECDH + EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD") + + detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" + detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" # If we're in a PSK-only build and the test can be adapted to PSK, do that. maybe_adapt_for_psk "$@" @@ -9468,7 +9518,7 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS reassembly: some fragmentation (openssl server)" \ - "$O_SRV -dtls -mtu 768" \ + "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 debug_level=2" \ 0 \ -c "found fragmented DTLS handshake message" \ @@ -11383,8 +11433,8 @@ not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS proxy: 3d, openssl server" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ - "$O_NEXT_SRV -dtls1_2 -mtu 2048" \ - "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \ + "$O_NEXT_SRV -dtls1_2 -mtu 2048 -debug -msg -state" \ + "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0 debug_level=4" \ 0 \ -c "HTTP/1.0 200 OK"
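Review bot: The new argument is inserted ahead of `"$@"`, so detect_required_features now depends on every caller passing exactly four fixed arguments. A call site that still passes three would have its first run_test option read as `EXT_WO_ECDH`. Only the two calls in run_test are visible in this diff, so other callers, if any, should be checked. The added comment also has a typo, `wich` for `which`, and could state the result values: `# "yes" if either peer is an external tool without ECDH support, else "no"`.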
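Review bot: The drop from `-mtu 768` to `-mtu 256` in "DTLS reassembly: some fragmentation (openssl server)" carries no explanation, and the value has no obvious link to the ECDH changes in the rest of the commit. Presumably the smaller MTU is needed for the OpenSSL server to fragment its handshake so that `found fragmented DTLS handshake message` still appears, but that is an inference from the test name. A one-line comment above the test would record the reason, for example `# MTU small enough that the server's handshake flight is fragmented`.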
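Review bot: The `-debug -msg -state` flags on `$O_NEXT_SRV` and `debug_level=4` on `$P_CLI` look like troubleshooting aids left in "DTLS proxy: 3d, openssl server". The test asserts only `-c "HTTP/1.0 200 OK"`, so none of the extra output is checked. The test is already marked `not_with_valgrind` because of the risk of the non-mbedtls peer timing out, and verbose logging on both peers adds work to a handshake that runs through a lossy proxy. Either restore the previous command lines or add a comment saying why the extra logging is needed.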