From 9fece7ee91710c0d1ad5306b2cd3037c2f7b3758 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 18 Jun 2018 11:38:22 +0200 Subject: [PATCH] Add ChachaPoly ciphersuites to compat.sh This is disabled by default since it requires OpenSSL >= 1.1.0 and the current default version on the CI is 1.0.2. However, the CI also has 1.1.1-rc which can be used for this. --- tests/compat.sh | 19 ++++++++++++++++++- tests/scripts/all.sh | 4 ++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index fdef98e91f..bf65e5e61f 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -61,7 +61,8 @@ FILTER="" # - RC4, single-DES: requires legacy OpenSSL/GnuTLS versions # avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL) # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1 -EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA' +# - ChachaPoly: requires OpenSSL >= 1.1.0 +EXCLUDE='NULL\|DES-CBC-\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' VERBOSE="" MEMCHECK=0 PEERS="OpenSSL$PEER_GNUTLS mbedTLS" @@ -440,6 +441,9 @@ add_common_ciphersuites() # NOTE: for some reason RSA-PSK doesn't work with OpenSSL, # so RSA-PSK ciphersuites need to go in other sections, see # https://github.com/ARMmbed/mbedtls/issues/1419 +# +# ChachaPoly suites are here rather than in "common", as they were added in +# GnuTLS in 3.5.0 and the CI only has 3.4.x so far. add_openssl_ciphersuites() { case $TYPE in @@ -471,6 +475,7 @@ add_openssl_ciphersuites() TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384 \ TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDH-ECDSA-AES128-SHA256 \ @@ -479,6 +484,7 @@ add_openssl_ciphersuites() ECDH-ECDSA-AES256-GCM-SHA384 \ ECDHE-ECDSA-ARIA256-GCM-SHA384 \ ECDHE-ECDSA-ARIA128-GCM-SHA256 \ + ECDHE-ECDSA-CHACHA20-POLY1305 \ " fi ;; @@ -501,6 +507,8 @@ add_openssl_ciphersuites() TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256 \ TLS-RSA-WITH-ARIA-128-GCM-SHA256 \ + TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ ECDHE-ARIA256-GCM-SHA384 \ @@ -509,6 +517,8 @@ add_openssl_ciphersuites() ECDHE-ARIA128-GCM-SHA256 \ DHE-RSA-ARIA128-GCM-SHA256 \ ARIA128-GCM-SHA256 \ + DHE-RSA-CHACHA20-POLY1305 \ + ECDHE-RSA-CHACHA20-POLY1305 \ " fi ;; @@ -521,12 +531,18 @@ add_openssl_ciphersuites() TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 \ TLS-PSK-WITH-ARIA-256-GCM-SHA384 \ TLS-PSK-WITH-ARIA-128-GCM-SHA256 \ + TLS-PSK-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ + TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256 \ " O_CIPHERS="$O_CIPHERS \ DHE-PSK-ARIA256-GCM-SHA384 \ DHE-PSK-ARIA128-GCM-SHA256 \ PSK-ARIA256-GCM-SHA384 \ PSK-ARIA128-GCM-SHA256 \ + DHE-PSK-CHACHA20-POLY1305 \ + ECDHE-PSK-CHACHA20-POLY1305 \ + PSK-CHACHA20-POLY1305 \ " fi ;; @@ -830,6 +846,7 @@ add_mbedtls_ciphersuites() TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256 \ TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384 \ TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256 \ + TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256 \ " fi ;; diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 81a26147e8..6d7bbc24f8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -543,8 +543,8 @@ if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' msg "test: compat.sh RC4, DES & NULL (full config)" # ~ 2 min if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' -msg "test: compat.sh ARIA" -if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA' +msg "test: compat.sh ARIA + ChachaPoly" +if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' msg "test/build: curves.pl (gcc)" # ~ 4 min cleanup