ssl-opt: solve errors in ECDH reference tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index bae9ee5..155719c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -284,6 +284,12 @@
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
+TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
+ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
+
requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() {
if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2
then
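Review bot: The new `TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH` list has no comment, and the `_WO_ECDH` suffix is easy to misread because the list still contains the two ECDHE entries. What it leaves out appears to be only the static ECDH key exchanges, so a line such as `# Certificate-based TLS 1.2 key exchanges, excluding static ECDH (for peers that lack it)` above the assignment would make that explicit. The list also looks like a hand-maintained copy of `TLS1_2_KEY_EXCHANGES_WITH_CERT` (defined outside this hunk) minus those entries. A note that the two must be kept in sync would help prevent a new key exchange from being silently left out of the test requirements.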
@@ -368,48 +374,66 @@
# - $1 = command line (call to a TLS client or server program)
# - $2 = client/server
# - $3 = TLS version (TLS12 or TLS13)
-# - $4 = run test options
+# - $4 = Use an external tool without ECDH support
+# - $5 = run test options
detect_required_features() {
- case "$1" in
+ CMD_LINE=$1
+ ROLE=$2
+ TLS_VERSION=$3
+ EXT_WO_ECDH=$4
+ TEST_OPTIONS=${5:-}
+
+ case "$CMD_LINE" in
*\ force_version=*)
- tmp="${1##*\ force_version=}"
+ tmp="${CMD_LINE##*\ force_version=}"
tmp="${tmp%%[!-0-9A-Z_a-z]*}"
requires_protocol_version "$tmp";;
esac
- case "$1" in
+ case "$CMD_LINE" in
*\ force_ciphersuite=*)
- tmp="${1##*\ force_ciphersuite=}"
+ tmp="${CMD_LINE##*\ force_ciphersuite=}"
tmp="${tmp%%[!-0-9A-Z_a-z]*}"
requires_ciphersuite_enabled "$tmp";;
esac
- case " $1 " in
+ case " $CMD_LINE " in
*[-_\ =]tickets=[^0]*)
requires_config_enabled MBEDTLS_SSL_TICKET_C;;
esac
- case " $1 " in
+ case " $CMD_LINE " in
*[-_\ =]alpn=*)
requires_config_enabled MBEDTLS_SSL_ALPN;;
esac
- case "$1" in
+ case "$CMD_LINE" in
*server5*|\
*server7*|\
*dir-maxpath*)
- if [ "$3" = "TLS13" ]; then
+ if [ "$TLS_VERSION" = "TLS13" ]; then
# In case of TLS13 the support for ECDSA is enough
requires_pk_alg "ECDSA"
else
# For TLS12 requirements are different between server and client
- if [ "$2" = "server" ]; then
+ if [ "$ROLE" = "server" ]; then
# If the server uses "server5*" certificates, then an ECDSA based
- # key exchange is required
- requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
- elif [ "$2" = "client" ]; then
- # Otherwise for the client it is enough to have any certificate
- # based authentication + support for ECDSA
- requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+ # key exchange is required. However gnutls also does not
+ # support ECDH, so this limit the choice to ECDHE-ECDSA
+ if [ "$EXT_WO_ECDH" = "yes" ]; then
+ requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ else
+ requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
+ fi
+ elif [ "$ROLE" = "client" ]; then
+ # On the client side it is enough to have any certificate
+ # based authentication together with support for ECDSA.
+ # Of course the GnuTLS limitation mentioned above applies
+ # also here.
+ if [ "$EXT_WO_ECDH" = "yes" ]; then
+ requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
+ else
+ requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+ fi
requires_pk_alg "ECDSA"
fi
fi
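Review bot: The new assignments at the top of `detect_required_features` (`CMD_LINE`, `ROLE`, `TLS_VERSION`, `EXT_WO_ECDH`, `TEST_OPTIONS`) create globals, and two of them reuse the names `run_test` sets just before calling this function. The values are identical today, so nothing breaks, but any later change to either side would silently alter the caller's state. If the script cannot use `local`, a function-specific prefix would avoid the collision. `TEST_OPTIONS=${5:-}` also keeps only the first of the options that `run_test` forwards with `"$@"`, so the header comment should say so. Separately, the server-branch comment names only gnutls, while the helper added in this commit also matches `OPENSSL_NEXT`. Something like `# Some external peers (see use_ext_tool_without_ecdh_support) lack static ECDH, which leaves ECDHE-ECDSA only` would match the code. The function body continues past the end of this hunk.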
@@ -1102,6 +1126,28 @@
esac
}
+# Some external tools (gnutls or openssl) might not have support for ECDH and
+# this limit the tests that can be run with them. This function checks server
+# and client command lines, given as input, to verify if the current test
+# is using one of these tools.
+use_ext_tool_without_ecdh_support() {
+ case "$1" in
+ *$GNUTLS_SERV*|\
+ *${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\
+ *${OPENSSL_NEXT:-"openssl-dummy"}*)
+ echo "yes"
+ return;;
+ esac
+ case "$2" in
+ *$GNUTLS_CLI*|\
+ *${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\
+ *${OPENSSL_NEXT:-"openssl-dummy"}*)
+ echo "yes"
+ return;;
+ esac
+ echo "no"
+}
+
# Generate random psk_list argument for ssl_server2
get_srv_psk_list ()
{
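Review bot: The `case` patterns in `use_ext_tool_without_ecdh_support` expand `$GNUTLS_SERV`, `$GNUTLS_CLI` and the `*_NEXT` variables unquoted, so their values are interpreted as glob patterns rather than literal text. `GNUTLS_SERV` and `GNUTLS_CLI` also have no fallback here, so if either were ever empty the pattern would collapse to `**` and every test would be reported as "yes". That would tighten the requirements and skip tests without any visible failure (defaults may well be set elsewhere in the script, outside this hunk). Quoting the expansions makes the match literal, e.g. `*"$GNUTLS_SERV"*|\` and `*"${GNUTLS_NEXT_SERV:-gnutls-serv-dummy}"*|\`. Giving the two plain variables the same dummy default as the others removes the empty-value case. The header comment says "gnutls or openssl", but only `OPENSSL_NEXT` is matched, not the default openssl binary. If that is intentional, the comment should say so.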
@@ -1528,8 +1574,12 @@
# If the client or server requires certain features that can be detected
# from their command-line arguments, check that they're enabled.
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
- detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@"
- detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@"
+
+ # Check if we are trying to use an external tool wich does not support ECDH
+ EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
+
+ detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
+ detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
# If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@"
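Review bot: The added comment above the `EXT_WO_ECDH` assignment has a typo ("wich"). It would also be more useful if it stated that the helper returns the string "yes" or "no" and that the result is computed once from both command lines and applied to both peers. Suggested wording: `# "yes" if either peer is an external tool which lacks static ECDH support, else "no"`. This hunk is inside `run_test`, whose start and end are outside the visible lines.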
@@ -9468,7 +9518,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS reassembly: some fragmentation (openssl server)" \
- "$O_SRV -dtls -mtu 768" \
+ "$O_SRV -dtls -mtu 256" \
"$P_CLI dtls=1 debug_level=2" \
0 \
-c "found fragmented DTLS handshake message" \
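Review bot: The change from `-mtu 768` to `-mtu 256` on the openssl server command carries no explanation, and the commit title only mentions ECDH reference tests. Presumably the smaller MTU is needed so that the handshake still fragments when a shorter certificate chain or key exchange is negotiated, but that is not stated anywhere visible. A short comment above the test, e.g. `# MTU kept small so the server flight fragments even with ECDSA-sized handshake messages`, would stop the value from being "cleaned up" later and making the `found fragmented DTLS handshake message` check fail.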
@@ -11383,8 +11433,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS proxy: 3d, openssl server" \
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
- "$O_NEXT_SRV -dtls1_2 -mtu 2048" \
- "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \
+ "$O_NEXT_SRV -dtls1_2 -mtu 2048 -debug -msg -state" \
+ "$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0 debug_level=4" \
0 \
-c "HTTP/1.0 200 OK"
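Review bot: The additions of `-debug -msg -state` on the server side and `debug_level=4` on the client side look like troubleshooting aids left in the committed test, since the only assertion is still `-c "HTTP/1.0 200 OK"` and nothing checks the extra output. In a proxy test that drops, delays and duplicates packets with `hs_timeout=500-60000`, the extra logging may affect timing, and it makes the logs of a failing run much larger. If the flags are not needed for the test to pass, the two lines should go back to `"$O_NEXT_SRV -dtls1_2 -mtu 2048" \` and `"$P_CLI dgram_packing=0 dtls=1 hs_timeout=500-60000 tickets=0" \`. Otherwise a comment should explain why they are required.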