mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-10 06:40:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ssl-opt: solve errors in ECDH reference tests

Browse Source 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit is contained in:
Valerio Setti 2023-03-14 17:13:43 +01:00
parent 53a5844abc
commit 6ba247c236
1 changed files with 71 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
tests/ssl-opt.sh
View File

@ -284,6 +284,12 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() { requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() {
if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2 if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2
then then
@ -368,48 +374,66 @@ requires_ciphersuite_enabled() {
# - $1 = command line (call to a TLS client or server program) # - $1 = command line (call to a TLS client or server program)
# - $2 = client/server # - $2 = client/server
# - $3 = TLS version (TLS12 or TLS13) # - $3 = TLS version (TLS12 or TLS13)
# - $4 = run test options # - $4 = Use an external tool without ECDH support
# - $5 = run test options
detect_required_features() { detect_required_features() {
case "$1" in CMD_LINE=$1
ROLE=$2
TLS_VERSION=$3
EXT_WO_ECDH=$4
TEST_OPTIONS=${5:-}
case "$CMD_LINE" in
*\ force_version=*) *\ force_version=*)
tmp="${1##*\ force_version=}" tmp="${CMD_LINE##*\ force_version=}"
tmp="${tmp%%[!-0-9A-Z_a-z]*}" tmp="${tmp%%[!-0-9A-Z_a-z]*}"
requires_protocol_version "$tmp";; requires_protocol_version "$tmp";;
esac esac
case "$1" in case "$CMD_LINE" in
*\ force_ciphersuite=*) *\ force_ciphersuite=*)
tmp="${1##*\ force_ciphersuite=}" tmp="${CMD_LINE##*\ force_ciphersuite=}"
tmp="${tmp%%[!-0-9A-Z_a-z]*}" tmp="${tmp%%[!-0-9A-Z_a-z]*}"
requires_ciphersuite_enabled "$tmp";; requires_ciphersuite_enabled "$tmp";;
esac esac
case " $1 " in case " $CMD_LINE " in
*[-_\ =]tickets=[^0]*) *[-_\ =]tickets=[^0]*)
requires_config_enabled MBEDTLS_SSL_TICKET_C;; requires_config_enabled MBEDTLS_SSL_TICKET_C;;
esac esac
case " $1 " in case " $CMD_LINE " in
*[-_\ =]alpn=*) *[-_\ =]alpn=*)
requires_config_enabled MBEDTLS_SSL_ALPN;; requires_config_enabled MBEDTLS_SSL_ALPN;;
esac esac
case "$1" in case "$CMD_LINE" in
*server5*|\ *server5*|\
*server7*|\ *server7*|\
*dir-maxpath*) *dir-maxpath*)
if [ "$3" = "TLS13" ]; then if [ "$TLS_VERSION" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough # In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA" requires_pk_alg "ECDSA"
else else
# For TLS12 requirements are different between server and client # For TLS12 requirements are different between server and client
if [ "$2" = "server" ]; then if [ "$ROLE" = "server" ]; then
# If the server uses "server5*" certificates, then an ECDSA based # If the server uses "server5*" certificates, then an ECDSA based
# key exchange is required # key exchange is required. However gnutls also does not
# support ECDH, so this limit the choice to ECDHE-ECDSA
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
elif [ "$2" = "client" ]; then fi
# Otherwise for the client it is enough to have any certificate elif [ "$ROLE" = "client" ]; then
# based authentication + support for ECDSA # On the client side it is enough to have any certificate
# based authentication together with support for ECDSA.
# Of course the GnuTLS limitation mentioned above applies
# also here.
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
fi
requires_pk_alg "ECDSA" requires_pk_alg "ECDSA"
fi fi
fi fi
@ -1102,6 +1126,28 @@ is_gnutls() {
esac esac
} }
# Some external tools (gnutls or openssl) might not have support for ECDH and
# this limit the tests that can be run with them. This function checks server
# and client command lines, given as input, to verify if the current test
# is using one of these tools.
use_ext_tool_without_ecdh_support() {
case "$1" in
*$GNUTLS_SERV*|\
*${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
case "$2" in
*$GNUTLS_CLI*|\
*${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
echo "no"
}
# Generate random psk_list argument for ssl_server2 # Generate random psk_list argument for ssl_server2
get_srv_psk_list () get_srv_psk_list ()
{ {
@ -1528,8 +1574,12 @@ run_test() {
# If the client or server requires certain features that can be detected # If the client or server requires certain features that can be detected
# from their command-line arguments, check that they're enabled. # from their command-line arguments, check that they're enabled.
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD") TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@" # Check if we are trying to use an external tool wich does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
# If we're in a PSK-only build and the test can be adapted to PSK, do that. # If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@" maybe_adapt_for_psk "$@"
@ -9468,7 +9518,7 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS reassembly: some fragmentation (openssl server)" \ run_test "DTLS reassembly: some fragmentation (openssl server)" \
"$O_SRV -dtls -mtu 768" \ "$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 debug_level=2" \ "$P_CLI dtls=1 debug_level=2" \
0 \ 0 \
-c "found fragmented DTLS handshake message" \ -c "found fragmented DTLS handshake message" \
@ -11383,8 +11433,8 @@ not_with_valgrind # risk of non-mbedtls peer timing out
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, openssl server" \ run_test "DTLS proxy: 3d, openssl server" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
"$O_NEXT_SRV -dtls1_2 -mtu 2048" \ "$O_NEXT_SRV -dtls1_2 -mtu 2048 -debug -msg -state" \
"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0 debug_level=4" \
0 \ 0 \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK"