ssl-opt.sh: Fix getting the list of supported ciphersuites. #8561
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Ronald Cron <[email protected]>
ronald-cron-arm
added
needs-ci
gilles-peskine-arm
previously approved these changes
Nov 23, 2023
tests/ssl-opt.sh
Outdated
| @@ -358,7 +358,7 @@ requires_protocol_version() { | |||
|
|
|||
| # Space-separated list of ciphersuites supported by this build of | |||
| # Mbed TLS. | |||
| P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null | | |||
| P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null | | |||
There was a problem hiding this comment.
ssl_client2 --help returns a nonzero status, but this did not cause the script to abort, despite using set -e, because the nonzero status is on the left-hand side of a pipe and the status of the pipeline is just the status of the right-hand side. (The rationale for that design is to ignore SIGPIPE if it happens to the left-hand side.)
We should add some other sanity check here. We do expect at least one cipher suite:
if [ "$LIST_TESTS" -eq 0 ] && [ -z "${P_CIPHERSUITES# }" ]; then
echo >&2 "$0: fatal error: no cipher suites found!"
exit 125
fi
gilles-peskine-arm
added
needs-review
This was referenced Nov 28, 2023
Signed-off-by: Ronald Cron <[email protected]>
Fix some dependencies on symmetric crypto that were not correct in case of driver but not builtin support. Revealed by "Analyze driver test_psa_crypto_config_accel_cipher_aead vs reference test_psa_crypto_config_reference_cipher_aead" in analyze_outcomes.py. Signed-off-by: Ronald Cron <[email protected]>
tests/ssl-opt.sh
Outdated
| @@ -2332,7 +2341,7 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke | |||
| requires_config_enabled MBEDTLS_USE_PSA_CRYPTO | |||
| requires_config_enabled MBEDTLS_X509_CRT_PARSE_C | |||
| requires_hash_alg SHA_256 | |||
| requires_config_enabled MBEDTLS_CCM_C | |||
| requires_config_enabled PSA_WANT_ALG_CCM | |||
There was a problem hiding this comment.
Is this line required? I thought that the automatic requirements for the cipher suite would take care of it.
There was a problem hiding this comment.
Yes not required, I have removed them.
Same test cases as in the previous commit. Remove the redundant symmetric crypto dependency. The dependency is ensured by the fact that: 1) the test case forces a cipher suite 2) ssl-opt.sh enforces automatically that the forced ciphersuite is available. 3) The fact that the forced ciphersuite is available implies that the symmetric cipher algorithm it uses is available as well. Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
yuhaoth
added
approved
|
I could still see a lot of warnings of |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Since the merge of #7844 (3.5.x not impacted) the detection of the supported ciphersuites in ssl-opt.sh is broken and some test cases are not run anymore. This PR fixes this.
PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")