From 1c0e4c013a18ae03b7f76d3bee4c78aae75ba3fc Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 20 Feb 2023 18:05:21 +0800 Subject: [PATCH 1/6] compat.sh: skip static ECDH cases if unsupported in openssl This commit add support to detect if openssl used for testing supports static ECDH key exchange. Skip the ciphersutes if openssl doesn't support them. Signed-off-by: Pengyu Lv --- tests/compat.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 8f7d72c7b6..6c58a1befb 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -534,6 +534,15 @@ add_mbedtls_ciphersuites() esac } +# o_check_ciphersuite STANDARD_CIPHER_SUITE +o_check_ciphersuite() +{ + if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ + [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then + SKIP_NEXT="YES" + fi +} + setup_arguments() { O_MODE="" @@ -603,6 +612,11 @@ setup_arguments() ;; esac + case $($OPENSSL ciphers ALL) in + *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *)O_SUPPORT_ECDH="NO";; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" @@ -1033,6 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do + o_check_ciphersuite "$i" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From 5e780df3e38043e035f698de2cc3ece164395648 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 21 Feb 2023 14:19:27 +0800 Subject: [PATCH 2/6] Only use standard cipher name Signed-off-by: Pengyu Lv --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 6c58a1befb..ae7c6829f8 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1047,7 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do - o_check_ciphersuite "$i" + o_check_ciphersuite "${i%%=*}" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From a64c277588b070a93f88be3fcce68bbf2d986dc9 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 09:30:20 +0800 Subject: [PATCH 3/6] compat.sh: Skip all *ECDH_* ciphersuites Signed-off-by: Pengyu Lv --- tests/compat.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index ae7c6829f8..c6653f8727 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -537,9 +537,10 @@ add_mbedtls_ciphersuites() # o_check_ciphersuite STANDARD_CIPHER_SUITE o_check_ciphersuite() { - if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ - [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then - SKIP_NEXT="YES" + if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + case "$1" in + *ECDH_*) SKIP_NEXT="YES" + esac fi } @@ -614,7 +615,7 @@ setup_arguments() case $($OPENSSL ciphers ALL) in *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; - *)O_SUPPORT_ECDH="NO";; + *) O_SUPPORT_ECDH="NO";; esac if [ "X$VERIFY" = "XYES" ]; From f01ac3af0ea35cdce95f577cf569e7684328642f Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 10:07:16 +0800 Subject: [PATCH 4/6] Remove explicit ECDH exclusion for Travis CI Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 54df776060..39b742d414 100644 --- a/.travis.yml +++ b/.travis.yml @@ -53,7 +53,7 @@ jobs: - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh # Modern OpenSSL does not support fixed ECDH or null ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_' + - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' From 07d5085fcfd11ff460342268437838b64e336727 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 12:17:26 +0800 Subject: [PATCH 5/6] Skip ECDH ciphersuites for O->m pair The mechanism of detecting unsupported ciphersuites for OpenSSL client doesn't work on a modern OpenSSL. At least, it fails on Travis CI which is installed with OpenSSL 1.1.1f. So we need to skip ECDH cipher- suites for O->m. Signed-off-by: Pengyu Lv --- tests/compat.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/compat.sh b/tests/compat.sh index c6653f8727..5ad48b2e8e 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1058,6 +1058,7 @@ for MODE in $MODES; do start_server "mbedTLS" translate_ciphers o $O_CIPHERS for i in $ciphers; do + o_check_ciphersuite "${i%%=*}" run_client OpenSSL ${i%%=*} ${i#*=} done stop_server From 9e7bb2a92c4db6ebabedac470dcf5fc9048a8e7c Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 15:24:47 +0800 Subject: [PATCH 6/6] Update some comments Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- tests/compat.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 39b742d414..1062d9906d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -52,7 +52,7 @@ jobs: - programs/test/selftest - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh - # Modern OpenSSL does not support fixed ECDH or null ciphers. + # Modern OpenSSL does not support null ciphers. - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. diff --git a/tests/compat.sh b/tests/compat.sh index 5ad48b2e8e..12613bfe8a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -614,7 +614,7 @@ setup_arguments() esac case $($OPENSSL ciphers ALL) in - *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; *) O_SUPPORT_ECDH="NO";; esac @@ -834,7 +834,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If the cipher isn't supported... + # If it is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else