From 1c0e4c013a18ae03b7f76d3bee4c78aae75ba3fc Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 20 Feb 2023 18:05:21 +0800 Subject: [PATCH 1/6] compat.sh: skip static ECDH cases if unsupported in openssl This commit add support to detect if openssl used for testing supports static ECDH key exchange. Skip the ciphersutes if openssl doesn't support them. Signed-off-by: Pengyu Lv --- tests/compat.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 8f7d72c7b..6c58a1bef 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -534,6 +534,15 @@ add_mbedtls_ciphersuites() esac } +# o_check_ciphersuite STANDARD_CIPHER_SUITE +o_check_ciphersuite() +{ + if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ + [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then + SKIP_NEXT="YES" + fi +} + setup_arguments() { O_MODE="" @@ -603,6 +612,11 @@ setup_arguments() ;; esac + case $($OPENSSL ciphers ALL) in + *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *)O_SUPPORT_ECDH="NO";; + esac + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" @@ -1033,6 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do + o_check_ciphersuite "$i" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From 5e780df3e38043e035f698de2cc3ece164395648 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 21 Feb 2023 14:19:27 +0800 Subject: [PATCH 2/6] Only use standard cipher name Signed-off-by: Pengyu Lv --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 6c58a1bef..ae7c6829f 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1047,7 +1047,7 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do - o_check_ciphersuite "$i" + o_check_ciphersuite "${i%%=*}" run_client mbedTLS ${i%%=*} ${i#*=} done stop_server 
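Review bot: In the `setup_arguments()` hunk of patch 1, a failed probe is indistinguishable from an OpenSSL that lacks static ECDH: if `$OPENSSL ciphers ALL` errors out or prints nothing, the `*)` arm sets `O_SUPPORT_ECDH="NO"` and the ECDH_ECDSA cases are skipped instead of failing. For an interoperability suite that is a silent loss of coverage, so I would check the command's exit status and default to running the tests when the probe fails, as sketched below. `setup_arguments()` starts before and continues after this hunk, so whether the probe also runs when OpenSSL is not a selected peer cannot be seen here.

```shell
    # A failed probe must not look like "static ECDH unsupported".
    if O_CIPHER_LIST=$($OPENSSL ciphers ALL); then
        case $O_CIPHER_LIST in
            *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";;
            *) O_SUPPORT_ECDH="NO";;
        esac
    else
        echo "Warning: '$OPENSSL ciphers ALL' failed; not skipping static ECDH suites" >&2
        O_SUPPORT_ECDH="YES"
    fi
```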
From a64c277588b070a93f88be3fcce68bbf2d986dc9 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 09:30:20 +0800 Subject: [PATCH 3/6] compat.sh: Skip all *ECDH_* ciphersuites Signed-off-by: Pengyu Lv --- tests/compat.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index ae7c6829f..c6653f872 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -537,9 +537,10 @@ add_mbedtls_ciphersuites() # o_check_ciphersuite STANDARD_CIPHER_SUITE o_check_ciphersuite() { - if [ "${1#*ECDH_ECDSA*}" != "$1" ] && \ - [ "X${O_SUPPORT_ECDH}" = "XNO" ]; then - SKIP_NEXT="YES" + if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + case "$1" in + *ECDH_*) SKIP_NEXT="YES" + esac fi } @@ -614,7 +615,7 @@ setup_arguments() case $($OPENSSL ciphers ALL) in *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; - *)O_SUPPORT_ECDH="NO";; + *) O_SUPPORT_ECDH="NO";; esac if [ "X$VERIFY" = "XYES" ]; From f01ac3af0ea35cdce95f577cf569e7684328642f Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 22 Feb 2023 10:07:16 +0800 Subject: [PATCH 4/6] Remove explicit ECDH exclusion for Travis CI Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 54df77606..39b742d41 100644 --- a/.travis.yml +++ b/.travis.yml @@ -53,7 +53,7 @@ jobs: - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh # Modern OpenSSL does not support fixed ECDH or null ciphers. - - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH_' + - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. - tests/compat.sh -p GnuTLS -e 'CAMELLIA' From 07d5085fcfd11ff460342268437838b64e336727 Mon Sep 17 00:00:00 2001 
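Review bot: The header comment on `o_check_ciphersuite` in patch 3 gives only the call form, while the function's whole effect is through globals: it reads `O_SUPPORT_ECDH` and sets `SKIP_NEXT`, and nothing in this hunk ever clears `SKIP_NEXT`. I would say so, e.g. `# Sets SKIP_NEXT=YES if $1 is a static-ECDH suite (name contains ECDH_; ECDHE_ names do not match) and O_SUPPORT_ECDH is NO.` The sole `case` arm also lacks its terminator; POSIX allows that for the last arm, but `*ECDH_*) SKIP_NEXT="YES";;` matches the arms in the `setup_arguments()` hunk and is safer if another arm is added later.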
From: Pengyu Lv Date: Wed, 22 Feb 2023 12:17:26 +0800 Subject: [PATCH 5/6] Skip ECDH ciphersuites for O->m pair The mechanism of detecting unsupported ciphersuites for OpenSSL client doesn't work on a modern OpenSSL. At least, it fails on Travis CI which is installed with OpenSSL 1.1.1f. So we need to skip ECDH cipher- suites for O->m. Signed-off-by: Pengyu Lv --- tests/compat.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/compat.sh b/tests/compat.sh index c6653f872..5ad48b2e8 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1058,6 +1058,7 @@ for MODE in $MODES; do start_server "mbedTLS" translate_ciphers o $O_CIPHERS for i in $ciphers; do + o_check_ciphersuite "${i%%=*}" run_client OpenSSL ${i%%=*} ${i#*=} done stop_server From 9e7bb2a92c4db6ebabedac470dcf5fc9048a8e7c Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 23 Feb 2023 15:24:47 +0800 Subject: [PATCH 6/6] Update some comments Signed-off-by: Pengyu Lv --- .travis.yml | 2 +- tests/compat.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 39b742d41..1062d9906 100644 --- a/.travis.yml +++ b/.travis.yml @@ -52,7 +52,7 @@ jobs: - programs/test/selftest - tests/scripts/test_psa_constant_names.py - tests/ssl-opt.sh - # Modern OpenSSL does not support fixed ECDH or null ciphers. + # Modern OpenSSL does not support null ciphers. - tests/compat.sh -p OpenSSL -e 'NULL' - tests/scripts/travis-log-failure.sh # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it. diff --git a/tests/compat.sh b/tests/compat.sh index 5ad48b2e8..12613bfe8 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -614,7 +614,7 @@ setup_arguments() esac case $($OPENSSL ciphers ALL) in - *ECDH-ECDSA*) O_SUPPORT_ECDH="YES";; + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; *) O_SUPPORT_ECDH="NO";; esac 
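Review bot: In the `setup_arguments()` hunk of patch 6, `O_SUPPORT_ECDH` becomes `YES` when either `ECDH-ECDSA` or `ECDH-RSA` appears in the list, yet `o_check_ciphersuite` gates every `*ECDH_*` suite on that one flag. A build that lists only one of the two families would then run the other family's cases and report failures rather than skips; I have not seen such a build, so this may be theoretical. A comment such as `# Static (fixed) ECDH only; ECDHE-* and AECDH-* names do not match these patterns.` above the `case` would also make the intent of the patterns clear.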
@@ -834,7 +834,7 @@ run_client() { if [ $EXIT -eq 0 ]; then RESULT=0 else - # If the cipher isn't supported... + # If it is NULL cipher ... if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then RESULT=1 else
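Review bot: The new comment `# If it is NULL cipher ...` is narrower than the test under it, which greps `$CLI_OUT` for `Cipher is (NONE)`; as far as I know the OpenSSL client prints that whenever no cipher was negotiated, whatever the reason. If `RESULT=1` means "skip" (its meaning is defined outside this hunk), a handshake that fails for a suite both sides should support takes the same branch and is not reported as a failure. I would word the comment to match the check, e.g. `# No cipher was negotiated (expected for NULL suites on a modern OpenSSL client): treat as unsupported`, and consider restricting the branch to NULL suites. `run_client()` continues past the end of the hunk.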