Merge pull request #7921 from valeriosetti/issue7613

TLS: Clean up ECDSA dependencies
2025-08-08 17:42:09 +03:00 · 2023-09-20 12:47:55 +00:00
parent 452beb9076 97bb726e2d
commit eda1b1f744
9 changed files with 142 additions and 61 deletions
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2989,6 +2989,41 @@ component_test_psa_crypto_config_accel_all_curves_except_x25519 () {
    psa_crypto_config_accel_all_curves_except_one MBEDTLS_ECP_DP_CURVE25519_ENABLED
 }

+# Common helper for component_full_without_ecdhe_ecdsa() and
+# component_full_without_ecdhe_ecdsa_and_tls13() which:
+# - starts from the "full" configuration minus the list of symbols passed in
+#   as 1st parameter
+# - build
+# - test only TLS (i.e. test_suite_tls and ssl-opt)
+build_full_minus_something_and_test_tls () {
+    SYMBOLS_TO_DISABLE="$1"
+
+    msg "build: full minus something, test TLS"
+
+    scripts/config.py full
+    for SYM in $SYMBOLS_TO_DISABLE; do
+        echo "Disabling $SYM"
+        scripts/config.py unset $SYM
+    done
+
+    make
+
+    msg "test: full minus something, test TLS"
+    ( cd tests; ./test_suite_ssl )
+
+    msg "ssl-opt: full minus something, test TLS"
+    tests/ssl-opt.sh
+}
+
+component_full_without_ecdhe_ecdsa () {
+    build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
+}
+
+component_full_without_ecdhe_ecdsa_and_tls13 () {
+    build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+                                             MBEDTLS_SSL_PROTO_TLS1_3"
+}
+
 # This is an helper used by:
 # - component_test_psa_ecc_key_pair_no_derive
 # - component_test_psa_ecc_key_pair_no_generate
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1635,13 +1635,18 @@ run_test() {
        requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
    fi

-    # If the client or server requires certain features that can be detected
-    # from their command-line arguments, check that they're enabled.
-    TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
-
    # Check if we are trying to use an external tool wich does not support ECDH
    EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")

+    # Guess the TLS version which is going to be used
+    if [ "$EXT_WO_ECDH" = "no" ]; then
+        TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
+    else
+        TLS_VERSION="TLS12"
+    fi
+
+    # If the client or server requires certain features that can be detected
+    # from their command-line arguments, check whether they're enabled.
    detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
    detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"