Fix REMOVE_ARC4 test case dependencies
When ARC4 ciphersuites are compiled in, but removed from the default list,
requires_ciphersuite_enabled does not consider them to be enabled. Therefore
test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such
configurations, must not use requires_ciphersuite_enabled.
Instead, require the corresponding cryptographic mechanisms. In addition,
for the test case "RC4: both enabled", bypass the automatic ciphersuite
support detection based on force_ciphersuite= that would otherwise cause
this test case to be skipped. (This automatic detection doesn't cause the
negative tests to be skipped because it has an exception whenthe handshake
is supposed to fail.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 6d6baf4..9a4a6aa 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1710,6 +1710,13 @@
# Tests for rc4 option
+# Manual dependencies on the ciphersuite support are necessary
+# because the automatic requirements from force_ciphersuite=... detection
+# make an exception for these test cases since they expect a handshake
+# failure.
+requires_config_enabled MBEDTLS_ARC4_C
+requires_config_enabled MBEDTLS_SHA1_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server disabled, client enabled" \
"$P_SRV" \
@@ -1717,6 +1724,9 @@
1 \
-s "SSL - The server has no ciphersuites in common"
+requires_config_enabled MBEDTLS_ARC4_C
+requires_config_enabled MBEDTLS_SHA1_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server half, client enabled" \
"$P_SRV arc4=1" \
@@ -1724,17 +1734,30 @@
1 \
-s "SSL - The server has no ciphersuites in common"
-requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA
+requires_config_enabled MBEDTLS_ARC4_C
+requires_config_enabled MBEDTLS_SHA1_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server enabled, client disabled" \
"$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
"$P_CLI" \
1 \
-s "SSL - The server has no ciphersuites in common"
-requires_ciphersuite_enabled TLS-RSA-WITH-RC4-128-SHA
+# Run even if the ciphersuite is disabled by default, but only if the
+# requisite cryptographic mechanisms are present.
+# Having "force_ciphersuite=..." in the client or server arguments would
+# prevent that due to the automatic detection, so hide behind some
+# shell expansion to fool the automatic detection.
+with_rc4_ciphersuite() {
+ exec "$@" force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA
+}
+requires_config_enabled MBEDTLS_ARC4_C
+requires_config_enabled MBEDTLS_SHA1_C
+requires_config_enabled MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
run_test "RC4: both enabled" \
- "$P_SRV force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
- "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
+ "with_rc4_ciphersuite $P_SRV" \
+ "with_rc4_ciphersuite $P_CLI" \
0 \
-S "SSL - None of the common ciphersuites is usable" \
-S "SSL - The server has no ciphersuites in common"