From 02a76a507b2d1e3f0b331e5d1b91a58182f210c5 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 20 Feb 2023 18:05:21 +0800 Subject: [PATCH 1/4] compat.sh: skip static ECDH cases if unsupported in openssl This commit add support to detect if openssl used for testing supports static ECDH key exchange. Skip the ciphersutes if openssl doesn't support them. Signed-off-by: Pengyu Lv --- tests/compat.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index f96c4e4c6..6d09b4fc9 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -861,6 +861,16 @@ add_mbedtls_ciphersuites() esac } +# o_check_ciphersuite CIPHER_SUITE_NAME +o_check_ciphersuite() +{ + if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + case "$1" in + *ECDH-*) SKIP_NEXT="YES" + esac + fi +} + setup_arguments() { O_MODE="" @@ -947,6 +957,11 @@ setup_arguments() ;; esac + case $($OPENSSL ciphers ALL) in + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; + *) O_SUPPORT_ECDH="NO";; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" @@ -1373,6 +1388,7 @@ for MODE in $MODES; do if [ "X" != "X$M_CIPHERS" ]; then start_server "OpenSSL" for i in $M_CIPHERS; do + o_check_ciphersuite "$i" run_client mbedTLS $i done stop_server @@ -1381,6 +1397,7 @@ for MODE in $MODES; do if [ "X" != "X$O_CIPHERS" ]; then start_server "mbedTLS" for i in $O_CIPHERS; do + o_check_ciphersuite "$i" run_client OpenSSL $i done stop_server From 95167893f694e94f797a8a7bbf78b3c68256eca3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 16:40:26 +0800 Subject: [PATCH 2/4] Remove explicit ECDH exclusion for Travis CI Signed-off-by: Pengyu Lv --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index cdf74c717..eb01a44ab 100644 --- a/.travis.yml +++ b/.travis.yml @@ -55,8 +55,8 @@ jobs: # Exclude a few test cases that are failing mysteriously. # https://github.com/Mbed-TLS/mbedtls/issues/6660 - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list' - # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4' + # Modern OpenSSL does not support null or ancient ciphers. + - tests/compat.sh -p OpenSSL -e 'NULL\|DES\|RC4' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. # Modern GnuTLS does not support DES. From fef3ad0a14d8bb0fc1471b9f7fde23434f1a0684 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 16:41:35 +0800 Subject: [PATCH 3/4] Update incorrect comment Signed-off-by: Pengyu Lv --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 6d09b4fc9..e520c3186 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1175,7 +1175,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If the cipher isn't supported... + # If ti is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else From ab1fb39d7a108aecbbf9294f84d54bb6abd23af8 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 18:27:33 +0800 Subject: [PATCH 4/4] Fix typo Signed-off-by: Pengyu Lv --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index e520c3186..e7f9d4981 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1175,7 +1175,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If ti is NULL cipher ... + # If it is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else