Merge pull request #7153 from lpy4105/issue/1785/backport-ssl-test-sc…

…ript-fail Backport 2.28: compat.sh: Skip static ECDH cases if unsupported in openssl
Mbed-TLS · Feb 28, 2023 · 440535e · 440535e
2 parents 14b6166 + ab1fb39
commit 440535e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -55,8 +55,8 @@ jobs:
         # Exclude a few test cases that are failing mysteriously.
         # https://github.com/Mbed-TLS/mbedtls/issues/6660
         - tests/ssl-opt.sh -e 'Fallback SCSV:\ .*list'
-        # Modern OpenSSL does not support fixed ECDH, null or ancient ciphers.
-        - tests/compat.sh -p OpenSSL -e 'NULL\|ECDH-\|DES\|RC4'
+        # Modern OpenSSL does not support null or ancient ciphers.
+        - tests/compat.sh -p OpenSSL -e 'NULL\|DES\|RC4'
         - tests/scripts/travis-log-failure.sh
         # GnuTLS supports CAMELLIA but compat.sh doesn't properly enable it.
         # Modern GnuTLS does not support DES.

diff --git a/tests/compat.sh b/tests/compat.sh
@@ -861,6 +861,16 @@ add_mbedtls_ciphersuites()
     esac
 }
 
+# o_check_ciphersuite CIPHER_SUITE_NAME
+o_check_ciphersuite()
+{
+    if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
+        case "$1" in
+            *ECDH-*) SKIP_NEXT="YES"
+        esac
+    fi
+}
+
 setup_arguments()
 {
     O_MODE=""
@@ -947,6 +957,11 @@ setup_arguments()
             ;;
     esac
 
+    case $($OPENSSL ciphers ALL) in
+        *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
+        *) O_SUPPORT_ECDH="NO";;
+    esac
+
     if [ "X$VERIFY" = "XYES" ];
     then
         M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
@@ -1160,7 +1175,7 @@ run_client() {
             if [ $EXIT -eq 0 ]; then
                 RESULT=0
             else
-                # If the cipher isn't supported...
+                # If it is NULL cipher ...
                 if grep 'Cipher is (NONE)' $CLI_OUT >/dev/null; then
                     RESULT=1
                 else
@@ -1373,6 +1388,7 @@ for MODE in $MODES; do
                     if [ "X" != "X$M_CIPHERS" ]; then
                         start_server "OpenSSL"
                         for i in $M_CIPHERS; do
+                            o_check_ciphersuite "$i"
                             run_client mbedTLS $i
                         done
                         stop_server
@@ -1381,6 +1397,7 @@ for MODE in $MODES; do
                     if [ "X" != "X$O_CIPHERS" ]; then
                         start_server "mbedTLS"
                         for i in $O_CIPHERS; do
+                            o_check_ciphersuite "$i"
                             run_client OpenSSL $i
                         done
                         stop_server