driver-only ECDSA: add ssl-opt.sh testing with testing parity #7082
Conversation
valeriosetti
added
enhancement
needs-ci
valeriosetti
force-pushed
the
issue6861
branch
from
43280d7 to
882759c
Compare
valeriosetti
force-pushed
the
issue6861
branch
from
882759c to
6d64a42
Compare
|
valeriosetti
force-pushed
the
issue6861
branch
2 times, most recently
from
a2f2469 to
8a15c4c
Compare
mpg
changed the base branch from
development
to
features/new-code-style/development
mpg
changed the base branch from
features/new-code-style/development
to
development
|
(Changed the base twice just to force-refresh github's list of commits. Now it no longer lists the commits from 7064 as being added by this PR.) |
valeriosetti
added
needs-review
valeriosetti
force-pushed
the
issue6861
branch
from
8a15c4c to
133f9b0
Compare
|
Here is the result of the |
|
I think Manuel and Przemysław are both reviewing, hence removing the needs-reviewer label. |
gilles-peskine-arm
removed
needs-ci
| @@ -2833,6 +2833,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE | |||
| requires_config_enabled MBEDTLS_DEBUG_C | |||
| requires_config_enabled MBEDTLS_SSL_CLI_C | |||
| requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | |||
| requires_pk_alg ECDSA | |||
There was a problem hiding this comment.
Question: I don't understand why this case needs this but the next one apparently doesn't? The only differences I can see between the command lines is that the next one has sig_algs=ecdsa_secp256r1_sha256 and this one doesn't, but that would suggest the next once needs ECDSA (too).
Can you clarify the reasoning that led to adding this here?
There was a problem hiding this comment.
You're absolutely right, this is a redundant requirement (which probably belongs to the initial steps for this PR) that now is automatically satisfied by the changes in detect_required_features().
I'll fix this and all other redundancies.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
There was a problem hiding this comment.
Looking pretty good to me. I now think all the dependencies are correct, but that (1) some of them are redundant with what detect_required_feature does thanks to your extension, and (2) some would become redundant with a simple extra extension (detect server7 too).
| @@ -2158,7 +2158,8 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () { | |||
| msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" | |||
| make test | |||
|
|
|||
| # TODO: ssl-opt.sh (currently doesn't pass) - #6861 | |||
| msg "test: ssl-opt.sh" | |||
There was a problem hiding this comment.
I understand the concern for reducing the load, but until we have a solid mechanism for selecting cases, I'd really prefer to run the whole thing. Otherwise it's very hard to be confident we didn't miss anything.
tests/ssl-opt.sh
Outdated
| @@ -3691,6 +3717,7 @@ run_test "Session resume using tickets: session copy" \ | |||
| -c "a session has been resumed" | |||
|
|
|||
| requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 | |||
| requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT | |||
There was a problem hiding this comment.
Ah right, I missed the things implied by $O_SRV, right. Thanks for clarifying.
Though, isn't that automatically handled by your extension to detect_required_features? (Same question for the bunch with $G_SRV below.)
tests/ssl-opt.sh
Outdated
| @@ -5535,6 +5595,7 @@ run_test "Authentication: openssl client no cert, server optional" \ | |||
|
|
|||
| requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 | |||
| requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT | |||
| requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT | |||
There was a problem hiding this comment.
The line above becomes redundant when adding this one. (Also, it looks to me like this would be auto-detected too.)
tests/ssl-opt.sh
Outdated
| @@ -9448,7 +9521,8 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ | |||
|
|
|||
| requires_config_enabled MBEDTLS_SSL_PROTO_DTLS | |||
| requires_config_enabled MBEDTLS_RSA_C | |||
| requires_config_enabled MBEDTLS_ECDSA_C | |||
| requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT | |||
| requires_pk_alg "ECDSA" | |||
There was a problem hiding this comment.
This one and the next few look like they could be auto-detected based on loading a server7 certificate.
tests/ssl-opt.sh
Outdated
| @@ -11473,6 +11557,7 @@ requires_config_enabled MBEDTLS_DEBUG_C | |||
| requires_config_enabled MBEDTLS_SSL_CLI_C | |||
| requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ | |||
| MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED | |||
| requires_pk_alg "ECDSA" | |||
There was a problem hiding this comment.
I think for this case, and probably all the other TLS 1.3 cases until the end of the files, detect_require_features already does the job so don't need this explicit declaration.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This was a leftover from some debug activity that unfortunately ended up in previous commits. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
There were some dependencies that are now automatically satisfied by the detect_required_features() function. After this check there should be no redundant requirement for: - requires_pk_alg "ECDSA" - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
|
I checked
and removed all redundancies which are automatically satisfied by |
| # detect_required_features() function), it does NOT guarantee that the | ||
| # result is accurate. It does not check other conditions, such as: | ||
| # - MBEDTLS_SSL_PROTO_TLS1_x can be disabled to selectively remove | ||
| # TLS 1.2/1.3 suppport |
There was a problem hiding this comment.
Ops, sorry for this. In case this PR does not require any change, I will fix this in the following one (#7117)
mprse
added
approved
| # Note: the function "detect_required_features()" is not able to detect more than | ||
| # one "force_ciphersuite" per client/server and it only picks the 2nd one. | ||
| # Therefore the 1st one is added explicitly here |
There was a problem hiding this comment.
I don't understand this comment: detect_required_features runs independently on the client command line and on the server command line. If they have different force_ciphersuite options, this should lead to skipping the test case unless both TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 and TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 are enabled. So the explicit requirement on MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED should not be necessary. What am I missing?
There was a problem hiding this comment.
I just had a look and I don't think you're missing anything. @valeriosetti wdyt?
There was a problem hiding this comment.
It's been some time since I did this change, so I'm trying to remember the exact reason for it. I looked at the code and I think the problem with these tests:
SSL async private: cancel after start then fall back to transparent keySSL async private: sign, error in resume then fall back to transparent key
is that they define 2 different ciphersuites for the client (because the client is run twice).
In the scenario you described (which is the most used case) we have 1 ciphersuite for the server and 1 for the client, so detect_required_features works well. Here the problem is that we are running the client twice, with different ciphersuites in each case, but detect_required_features() only picks the 2nd one (ignoring ECDHE-ECDSA). That's why I enforced that in those tests.
I agree that a better approach would have been to extend detect_required_features() in order to support multiple ciphersuites, but it was only a matter of 2 tests, so that's why I didn't try to do so.
There was a problem hiding this comment.
Oh duh, yes, I see, it's because we run the client twice. I agree with not making the detection code more complex just for two test cases. Thanks for the explanation.
Description
The goal of this PR is to re-enable
ssl-opt.shtests when running accelerated ECDSA coverage analysis.Resolves #6861
Depends on #7064Gatekeeper checklist