Merge pull request #9033 from valeriosetti/issue8871-backport
[3.6 backport] Improve test key generation in test_suite_pk
diff --git a/ChangeLog.d/asn1-missing-guard-in-rsa.txt b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
new file mode 100644
index 0000000..bb5b470
--- /dev/null
+++ b/ChangeLog.d/asn1-missing-guard-in-rsa.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * MBEDTLS_ASN1_PARSE_C and MBEDTLS_ASN1_WRITE_C are now automatically enabled
+ as soon as MBEDTLS_RSA_C is enabled. Fixes #9041.
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 9b06041..e477c07 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -293,6 +293,14 @@
#define MBEDTLS_ECP_LIGHT
#endif
+/* Backward compatibility: after #8740 the RSA module offers functions to parse
+ * and write RSA private/public keys without relying on the PK one. Of course
+ * this needs ASN1 support to do so, so we enable it here. */
+#if defined(MBEDTLS_RSA_C)
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif
+
/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
* in previous version compressed points were automatically supported as long
* as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
diff --git a/tests/compat.sh b/tests/compat.sh
index d7a91b4..20f2dbd 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -588,7 +588,18 @@
# o_check_ciphersuite STANDARD_CIPHER_SUITE
o_check_ciphersuite()
{
- if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
+ # skip DTLS when lack of support was declared
+ if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
+ SKIP_NEXT_="YES"
+ fi
+
+ # skip DTLS 1.2 is support was not detected
+ if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+ SKIP_NEXT="YES"
+ fi
+
+ # skip static ECDH when OpenSSL doesn't support it
+ if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then
case "$1" in
*ECDH_*) SKIP_NEXT="YES"
esac
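Review bot: The first added guard in o_check_ciphersuite assigns `SKIP_NEXT_="YES"` with a trailing underscore, while the two branches below it set `SKIP_NEXT`. As written, the OSSL_NO_DTLS case sets a variable that nothing else in this hunk reads, so the DTLS case is presumably not skipped; the line should be `SKIP_NEXT="YES"`. The comment on the second guard has a typo and should read `# skip DTLS 1.2 if support was not detected`. The `-a` operator inside `[ ]` is marked obsolescent by POSIX; `[ "$O_SUPPORT_DTLS12" = "NO" ] && [ "$MODE" = "dtls12" ]` is the unambiguous form. The function body continues past the end of the hunk.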
@@ -665,10 +676,25 @@
esac
case $($OPENSSL ciphers ALL) in
- *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
- *) O_SUPPORT_ECDH="NO";;
+ *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";;
+ *) O_SUPPORT_STATIC_ECDH="NO";;
esac
+ case $($OPENSSL ciphers ALL) in
+ *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+ *) O_SUPPORT_SINGLE_DES="NO";;
+ esac
+
+ # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+ # supports -dtls1_2 from the s_server help. (The s_client
+ # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+ # but doesn't list it. But the s_server help seems to be
+ # accurate.)
+ O_SUPPORT_DTLS12="NO"
+ if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+ O_SUPPORT_DTLS12="YES"
+ fi
+
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
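Review bot: `O_SUPPORT_SINGLE_DES` is assigned in the added `case` but no hunk on this page reads it, so a reader cannot tell which check depends on the probe. A one-line comment naming its consumer would help, in the way the DTLS 1.2 probe below is documented, or the probe can be dropped if nothing uses it. The cipher list is also fetched twice in a row; capturing it once with `o_ciphers=$($OPENSSL ciphers ALL)` and matching both `case` statements against `"$o_ciphers"` saves a process and guarantees both probes see the same output. The enclosing function starts and ends outside the hunk.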
@@ -1109,19 +1135,6 @@
[Oo]pen*)
- if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
- continue;
- fi
-
- # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
- # supports $O_MODE from the s_server help. (The s_client
- # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
- # but doesn't list it. But the s_server help seems to be
- # accurate.)
- if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
- continue;
- fi
-
reset_ciphersuites
add_common_ciphersuites
add_openssl_ciphersuites
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b12a86f..b8eb3a2 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1216,14 +1216,19 @@
msg "test: main suites (inc. selftests) (full config, ASan build)"
make test
- msg "test: selftest (ASan build)" # ~ 10s
+ msg "test: selftest (full config, ASan build)" # ~ 10s
programs/test/selftest
msg "test: ssl-opt.sh (full config, ASan build)"
tests/ssl-opt.sh
- msg "test: compat.sh (full config, ASan build)"
- tests/compat.sh
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full config, ASan build)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
+
+ msg "test: compat.sh: next: ARIA, Chacha (full config, ASan build)"
+ env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
tests/context-info.sh
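Review bot: The filter `'ARIA\|CHACHA'` is spelled out in both compat.sh invocations here, and again in the hunks at -1237 and -2614 and in basic-build-test.sh. The added comment asks for these to stay the same, but nothing enforces it. If the `-e` of the first run and the `-f` of the second ever drift apart, some cipher suites would be run by neither, with no failure to show it. Within all.sh a single `readonly` variable holding the pattern, referenced by every invocation, would remove that risk. The comment could also state why `-e` is passed at all; judging by the removed "compat.sh NULL" runs, it overrides the default exclusion so that NULL suites are covered, and if that is the intent something like `# -e overrides compat.sh's default exclude list, so NULL suites run here too` would make it explicit. The component function starts outside the hunk.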
@@ -1237,19 +1242,24 @@
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
- msg "test: main suites (inc. selftests) (full config, ASan build)"
+ msg "test: main suites (inc. selftests) (full config, new bignum, ASan)"
make test
- msg "test: selftest (ASan build)" # ~ 10s
+ msg "test: selftest (full config, new bignum, ASan)" # ~ 10s
programs/test/selftest
- msg "test: ssl-opt.sh (full config, ASan build)"
+ msg "test: ssl-opt.sh (full config, new bignum, ASan)"
tests/ssl-opt.sh
- msg "test: compat.sh (full config, ASan build)"
- tests/compat.sh
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full config, new bignum, ASan)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
- msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
+ msg "test: compat.sh: next: ARIA, Chacha (full config, new bignum, ASan)"
+ env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+
+ msg "test: context-info.sh (full config, new bignum, ASan)" # ~ 15 sec
tests/context-info.sh
}
@@ -2165,12 +2175,6 @@
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
-
- msg "test: compat.sh NULL (full config)" # ~ 2 min
- tests/compat.sh -e '^$' -f 'NULL'
-
- msg "test: compat.sh ARIA + ChachaPoly"
- env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
skip_suites_without_constant_flow () {
@@ -2614,13 +2618,12 @@
msg "test: ssl-opt.sh (full minus PSA crypto)"
tests/ssl-opt.sh
- msg "test: compat.sh default (full minus PSA crypto)"
- tests/compat.sh
+ # Note: the next two invocations cover all compat.sh test cases.
+ # We should use the same here and in basic-build-test.sh.
+ msg "test: compat.sh: default version (full minus PSA crypto)"
+ tests/compat.sh -e 'ARIA\|CHACHA'
- msg "test: compat.sh NULL (full minus PSA crypto)"
- tests/compat.sh -f 'NULL'
-
- msg "test: compat.sh ARIA + ChachaPoly (full minus PSA crypto)"
+ msg "test: compat.sh: next: ARIA, Chacha (full minus PSA crypto)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 5261754..d2e955f 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -103,11 +103,7 @@
echo '################ compat.sh ################'
{
echo '#### compat.sh: Default versions'
- sh compat.sh
- echo
-
- echo '#### compat.sh: null cipher'
- sh compat.sh -e '^$' -f 'NULL'
+ sh compat.sh -e 'ARIA\|CHACHA'
echo
echo '#### compat.sh: next (ARIA, ChaCha)'