lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Code Activity

Remove ECDH from ssl-opt

Browse Source 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
This commit is contained in:
Ben Taylor
2025-07-30 13:43:21 +01:00
parent 3116f2febe
commit 39280a4110
1 changed files with 7 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
tests/ssl-opt.sh
View File

@@ -433,14 +433,12 @@ requires_cipher_enabled() {
# - $1 = command line (call to a TLS client or server program) # - $1 = command line (call to a TLS client or server program)
# - $2 = client/server # - $2 = client/server
# - $3 = TLS version (TLS12 or TLS13) # - $3 = TLS version (TLS12 or TLS13)
# - $4 = Use an external tool without ECDH support # - $4 = run test options
# - $5 = run test options
detect_required_features() { detect_required_features() {
CMD_LINE=$1 CMD_LINE=$1
ROLE=$2 ROLE=$2
TLS_VERSION=$3 TLS_VERSION=$3
EXT_WO_ECDH=$4 TEST_OPTIONS=${4:-}
TEST_OPTIONS=${5:-}
case "$CMD_LINE" in case "$CMD_LINE" in
*\ force_version=*) *\ force_version=*)
@@ -522,24 +520,9 @@ detect_required_features() {
else else
# For TLS12 requirements are different between server and client # For TLS12 requirements are different between server and client
if [ "$ROLE" = "server" ]; then if [ "$ROLE" = "server" ]; then
# If the server uses "server5*" certificates, then an ECDSA based requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
# key exchange is required. However gnutls also does not
# support ECDH, so this limit the choice to ECDHE-ECDSA
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
fi
elif [ "$ROLE" = "client" ]; then elif [ "$ROLE" = "client" ]; then
# On the client side it is enough to have any certificate requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
# based authentication together with support for ECDSA.
# Of course the GnuTLS limitation mentioned above applies
# also here.
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
fi
requires_pk_alg "ECDSA" requires_pk_alg "ECDSA"
fi fi
fi fi
@@ -801,10 +784,6 @@ requires_openssl_tls1_3_with_ffdh() {
# skip next test if openssl cannot handle ephemeral key exchange # skip next test if openssl cannot handle ephemeral key exchange
requires_openssl_tls1_3_with_compatible_ephemeral() { requires_openssl_tls1_3_with_compatible_ephemeral() {
requires_openssl_next requires_openssl_next
if !(is_config_enabled "PSA_WANT_ALG_ECDH"); then
requires_openssl_tls1_3_with_ffdh
fi
} }
# skip next test if tls1_3 is not available # skip next test if tls1_3 is not available
@@ -1302,28 +1281,6 @@ is_gnutls() {
esac esac
} }
# Some external tools (gnutls or openssl) might not have support for static ECDH
# and this limit the tests that can be run with them. This function checks server
# and client command lines, given as input, to verify if the current test
# is using one of these tools.
use_ext_tool_without_ecdh_support() {
case "$1" in
*$GNUTLS_SERV*|\
*${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
case "$2" in
*$GNUTLS_CLI*|\
*${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
echo "no"
}
# Generate random psk_list argument for ssl_server2 # Generate random psk_list argument for ssl_server2
get_srv_psk_list () get_srv_psk_list ()
{ {
@@ -1810,26 +1767,20 @@ run_test() {
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
fi fi
# Check if we are trying to use an external tool which does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
# Guess the TLS version which is going to be used. # Guess the TLS version which is going to be used.
# Note that this detection is wrong in some cases, which causes unduly # Note that this detection is wrong in some cases, which causes unduly
# skipped test cases in builds with TLS 1.3 but not TLS 1.2. # skipped test cases in builds with TLS 1.3 but not TLS 1.2.
# https://github.com/Mbed-TLS/mbedtls/issues/9560 # https://github.com/Mbed-TLS/mbedtls/issues/9560
if [ "$EXT_WO_ECDH" = "no" ]; then TLS_VERSION="TLS12"
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
else
TLS_VERSION="TLS12"
fi
# If we're in a PSK-only build and the test can be adapted to PSK, do that. # If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@" maybe_adapt_for_psk "$@"
# If the client or server requires certain features that can be detected # If the client or server requires certain features that can be detected
# from their command-line arguments, check whether they're enabled. # from their command-line arguments, check whether they're enabled.
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@"
# should we skip? # should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then if [ "X$SKIP_NEXT" = "XYES" ]; then