From 46a660a2c5768cb65b12733115dc3fefbe8808f3 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Thu, 23 Nov 2023 17:20:19 +0100
Subject: [PATCH 1/5] ssl-opt.sh: Fix getting the list of supported ciphersuites.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 401b89dbb455..55e465ad01c9 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -279,7 +279,7 @@ requires_protocol_version() {
 # Space-separated list of ciphersuites supported by this build of
 # Mbed TLS.
-P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
+P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null |
 grep TLS- |
 tr -s ' \n' ' ')"
 requires_ciphersuite_enabled() {
From a8b474f42f30f932adc709f1629b98bb181c5017 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 28 Nov 2023 15:49:25 +0100
Subject: [PATCH 2/5] ssl-opt.sh: Add a check of the list of supported ciphersuites
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 55e465ad01c9..81c6c6033ca2 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -279,9 +279,18 @@ requires_protocol_version() {
 # Space-separated list of ciphersuites supported by this build of
 # Mbed TLS.
-P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null |
- grep TLS- |
- tr -s ' \n' ' ')"
+P_CIPHERSUITES=""
+if [ "$LIST_TESTS" -eq 0 ]; then
+ P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null |
+ grep 'TLS-' |
+ tr -s ' \n' ' ')"
+
+ if [ -z "${P_CIPHERSUITES# }" ]; then
+ echo >&2 "$0: fatal error: no cipher suites found!"
+ exit 125
+ fi
+fi
+
 requires_ciphersuite_enabled() {
 case $P_CIPHERSUITES in
 *" $1 "*) :;;
From 237e3f8e5311f91db745c06931342489e385b4ad Mon Sep 17 00:00:00 2001
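Review bot: In the PATCH 2/5 hunk the fatal-error path still runs `$P_CLI help_ciphersuites` with `2>/dev/null`, so when the list is empty the reason (missing binary, crash, unknown option) is discarded and only "no cipher suites found!" is printed. The message should name the command that produced no output, for example `echo >&2 "$0: fatal error: no cipher suites found in output of: $P_CLI help_ciphersuites"`. The guard `[ "$LIST_TESTS" -eq 0 ]` depends on LIST_TESTS, which is assigned outside the hunk. If it can be unset or empty at this point, `[` reports an error, the block is skipped and P_CIPHERSUITES stays empty without reaching the new check; `[ "${LIST_TESTS:-0}" -eq 0 ]` would keep the check active in that case. The check only detects a completely empty list, so a comment saying that would help, for example `# Only detects an empty list; a partial list is not diagnosed here`.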
From: Ronald Cron
Date: Tue, 28 Nov 2023 15:03:57 +0100
Subject: [PATCH 3/5] ssl-opt.sh: Fix some symmetric crypto dependencies Fix some dependencies on symmetric crypto that were not correct in case of driver but not builtin support. Revealed by "Analyze driver test_psa_crypto_config_accel_cipher_aead vs reference test_psa_crypto_config_reference_cipher_aead" in analyze_outcomes.py.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 81c6c6033ca2..dca13a136420 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9006,7 +9006,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_CHACHAPOLY_C
+requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
 -p "$P_PXY mtu=512" \
@@ -9038,8 +9038,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_GCM_C
+requires_config_enabled PSA_WANT_ALG_GCM
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
 -p "$P_PXY mtu=512" \
@@ -9071,8 +9070,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CCM_C
+requires_config_enabled PSA_WANT_ALG_CCM
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
 -p "$P_PXY mtu=1024" \
@@ -9104,8 +9102,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING
 requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
@@ -9138,8 +9135,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled MBEDTLS_AES_C
-requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
+requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
 -p "$P_PXY mtu=1024" \
From 6f2183f7568b732ced98d6797dd48fb2f96e8cc5 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 28 Nov 2023 17:43:49 +0100
Subject: [PATCH 4/5] ssl-opt.sh: Remove unnecessary symmetric crypto dependencies Same test cases as in the previous commit. Remove the redundant symmetric crypto dependency. The dependency is ensured by the fact that: 1) the test case forces a cipher suite 2) ssl-opt.sh enforces automatically that the forced ciphersuite is available. 3) The fact that the forced ciphersuite is available implies that the symmetric cipher algorithm it uses is available as well.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index dca13a136420..05978cd70434 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9006,7 +9006,6 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
 -p "$P_PXY mtu=512" \
@@ -9038,7 +9037,6 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled PSA_WANT_ALG_GCM
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \
 -p "$P_PXY mtu=512" \
@@ -9070,7 +9068,6 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled PSA_WANT_ALG_CCM
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \
 -p "$P_PXY mtu=1024" \
@@ -9102,7 +9099,6 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING
 requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \
@@ -9135,7 +9131,6 @@ requires_config_enabled MBEDTLS_ECDSA_C
 requires_config_enabled MBEDTLS_SHA256_C
 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
-requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING
 requires_max_content_len 2048
 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \
 -p "$P_PXY mtu=1024" \
From ba77a66475fef2dfcb0028fd16870ba19fca27c5 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Tue, 28 Nov 2023 17:52:42 +0100
Subject: [PATCH 5/5] Align forced ciphersuite with test description
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 05978cd70434..0edb62655aee 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -9019,7 +9019,7 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \
 crt_file=data_files/server8_int-ca2.crt \
 key_file=data_files/server8.key \
 exchanges=2 renegotiation=1 renegotiate=1 \
- force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
+ force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \
 hs_timeout=10000-60000 \
 mtu=512" \
 0 \
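Review bot: Nothing visible in this hunk ties the test to the suite named in its description; the removed line shows that the "ChachaPoly renego" case forced TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 instead. The run_test call continues past the end of the hunk, so its output patterns are not visible here. If none of them matches the negotiated suite, consider adding `-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"` so that the suite exercised is pinned in the test itself. The same check would be worth confirming on the other "DTLS fragmenting: proxy MTU, ... renego" cases touched by this series, since their explicit cipher dependencies were removed and availability is now derived from `force_ciphersuite` alone.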