From de2316b8ea1c60f244ef38e6e66957622e14010f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Tue, 17 Sep 2024 18:32:05 +0200
Subject: [PATCH] Add ignore list entries for TLS tests that are not executed

For each ignore list entry, link to a GitHub issue for its resolution,
except for ssl-opt Valgrind tests which we never intend to run on the CI.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/opt-testcases/tls13-misc.sh |  1 +
 tests/scripts/analyze_outcomes.py | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh
index 2bd47d58e1..cc6a31d795 100644
--- a/tests/opt-testcases/tls13-misc.sh
+++ b/tests/opt-testcases/tls13-misc.sh
@@ -922,6 +922,7 @@ run_test    "TLS 1.3 m->O: resumption fails, no ticket support" \
 # ephemeral then ticket based scenario we use for early data testing the first
 # handshake fails. The following skipped test is here to illustrate the kind
 # of testing we would like to do.
+# https://github.com/Mbed-TLS/mbedtls/issues/9582
 skip_next_test
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_config_enabled MBEDTLS_SSL_CLI_C
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 4ee0c40cf4..8cd0c160ec 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -71,6 +71,27 @@ class CoverageTask(outcome_analysis.CoverageTask):
         _has_word_re(_PSA_MECHANISMS_NOT_IMPLEMENTED)
 
     IGNORED_TESTS = {
+        'ssl-opt': [
+            # We don't run ssl-opt.sh with Valgrind on the CI because
+            # it's extremely slow. We don't intend to change this.
+            'DTLS client reconnect from same port: reconnect, nbio, valgrind',
+
+            # We don't have IPv6 in our CI environment.
+            # https://github.com/Mbed-TLS/mbedtls-test/issues/176
+            'DTLS cookie: enabled, IPv6',
+            # Disabled due to OpenSSL bug.
+            # https://github.com/openssl/openssl/issues/18887
+            'DTLS fragmenting: 3d, openssl client, DTLS 1.2',
+            # We don't run ssl-opt.sh with Valgrind on the CI because
+            # it's extremely slow. We don't intend to change this.
+            'DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)',
+            # It seems that we don't run `ssl-opt.sh` with
+            # `MBEDTLS_USE_PSA_CRYPTO` enabled but `MBEDTLS_SSL_ASYNC_PRIVATE`
+            # disabled.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9581
+            'Opaque key for server authentication: invalid key: decrypt with ECC key, no async',
+            'Opaque key for server authentication: invalid key: ecdh with RSA key, no async',
+        ],
         'test_suite_psa_crypto_generate_key.generated': [
             # Ignore mechanisms that are not implemented, except
             # for public keys for which we always test that
@@ -139,6 +160,14 @@ class CoverageTask(outcome_analysis.CoverageTask):
         'test_suite_psa_crypto_storage_format.v0': [
             PSA_MECHANISM_NOT_IMPLEMENTED_SEARCH_RE,
         ],
+        'tls13-misc': [
+            # Disabled due to OpenSSL bug.
+            # https://github.com/openssl/openssl/issues/10714
+            'TLS 1.3 O->m: resumption',
+            # Disabled due to OpenSSL command line limitation.
+            # https://github.com/Mbed-TLS/mbedtls/issues/9582
+            'TLS 1.3 m->O: resumption with early data',
+        ],
     }