From 6445912d9cc3bdc71e261ecb1ac55c65bec8dfc3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 22 Feb 2023 12:35:16 +0100 Subject: [PATCH 01/12] test: enable ssl-opt in test_psa_crypto_config_[accel/reference]_ecdsa_use_psa Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7d91fa27d..24b1eda00 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2158,7 +2158,8 @@ component_test_psa_crypto_config_accel_ecdsa_use_psa () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" make test - # TODO: ssl-opt.sh (currently doesn't pass) - #6861 + msg "test: ssl-opt.sh" + tests/ssl-opt.sh } # Keep in sync with component_test_psa_crypto_config_accel_ecdsa_use_psa. @@ -2177,7 +2178,8 @@ component_test_psa_crypto_config_reference_ecdsa_use_psa () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated ECDSA + USE_PSA" make test - # TODO: ssl-opt.sh (when the accel component is ready) - #6861 + msg "test: ssl-opt.sh" + tests/ssl-opt.sh } component_test_psa_crypto_config_accel_ecdh () { From 1ad9ef213206cce3a33f3c97e7bc781fcc4fb2d9 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 22 Feb 2023 12:38:07 +0100 Subject: [PATCH 02/12] ssl: use new macros for ECDSA capabilities Signed-off-by: Valerio Setti --- library/ssl_misc.h | 7 ++++--- library/ssl_tls.c | 10 ++++++---- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 2668a05b6..f9a47670a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -55,6 +55,7 @@ #include "mbedtls/ecjpake.h" #endif +#include "pk_wrap.h" #include "common.h" /* Shorthand for restartable ECC */ @@ -2272,7 +2273,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( const uint16_t sig_alg) { switch (sig_alg) { -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: break; @@ -2285,7 +2286,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: break; #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ -#endif /* MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ #if defined(MBEDTLS_PKCS1_V21) #if defined(PSA_WANT_ALG_SHA_256) @@ -2441,7 +2442,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported( break; #endif -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) case MBEDTLS_SSL_SIG_ECDSA: break; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86f5c0b55..e1d944c6f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -52,6 +52,8 @@ #include "mbedtls/oid.h" #endif +#include "pk_wrap.h" + #if defined(MBEDTLS_TEST_HOOKS) static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; @@ -5324,7 +5326,7 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) } #if defined(MBEDTLS_PK_C) && \ - (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)) + (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME)) /* * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX */ @@ -5335,7 +5337,7 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) return MBEDTLS_SSL_SIG_RSA; } #endif -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { return MBEDTLS_SSL_SIG_ECDSA; } @@ -5363,7 +5365,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) case MBEDTLS_SSL_SIG_RSA: return MBEDTLS_PK_RSA; #endif -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) case MBEDTLS_SSL_SIG_ECDSA: return MBEDTLS_PK_ECDSA; #endif @@ -5371,7 +5373,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) return MBEDTLS_PK_NONE; } } -#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */ +#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_PK_CAN_ECDSA_SOME ) */ /* * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX From 5ba1d5eb2c6e6a94b1e9aedba4ecd0e1c551c59f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 22 Feb 2023 12:38:54 +0100 Subject: [PATCH 03/12] programs: use proper macro for ECDSA capabilities in ssl_sever2 Signed-off-by: Valerio Setti --- programs/ssl/ssl_server2.c | 6 ++++-- programs/ssl/ssl_test_common_source.c | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 2fa9a8133..88c2192a0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -69,6 +69,8 @@ int main(void) #include "test/psa_crypto_helpers.h" #endif +#include "mbedtls/pk.h" + /* Size of memory to be allocated for the heap, when using the library's memory * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */ #define MEMORY_HEAP_SIZE 120000 @@ -2652,7 +2654,7 @@ usage: } key_cert_init = 2; #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_ECDSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) if ((ret = mbedtls_x509_crt_parse(&srvcert2, (const unsigned char *) mbedtls_test_srv_crt_ec, mbedtls_test_srv_crt_ec_len)) != 0) { @@ -2669,7 +2671,7 @@ usage: goto exit; } key_cert_init2 = 2; -#endif /* MBEDTLS_ECDSA_C */ +#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c index 9115cd1b4..0ceffcc10 100644 --- a/programs/ssl/ssl_test_common_source.c +++ b/programs/ssl/ssl_test_common_source.c @@ -272,7 +272,7 @@ int send_cb(void *ctx, unsigned char const *buf, size_t len) } #if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) /* * When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate @@ -289,7 +289,7 @@ int send_cb(void *ctx, unsigned char const *buf, size_t len) #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \ ((hash << 8) | MBEDTLS_SSL_SIG_RSA), #endif -#elif defined(MBEDTLS_ECDSA_C) +#elif defined(MBEDTLS_PK_CAN_ECDSA_SOME) #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), #elif defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) From d1f991c8792263932573595bdba18883e1dc10a8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 22 Feb 2023 12:54:13 +0100 Subject: [PATCH 04/12] ssl-opt: fix required configs in ECDSA related tests Signed-off-by: Valerio Setti --- tests/opt-testcases/tls13-kex-modes.sh | 3 + tests/opt-testcases/tls13-misc.sh | 20 ++ tests/ssl-opt.sh | 297 +++++++++++++++++++------ 3 files changed, 254 insertions(+), 66 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 974d513d8..84a2c1ab8 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -2833,6 +2833,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3: m->O: ephemeral/all, good" \ "$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ @@ -3064,6 +3065,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3: m->G: ephemeral/all, good" \ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ @@ -3077,6 +3079,7 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 46c371fe0..a72a0f49f 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -87,6 +87,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -106,6 +107,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -125,6 +127,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -144,6 +147,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -163,6 +167,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -182,6 +187,7 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -272,6 +278,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_EARLY_DATA requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ @@ -295,6 +302,7 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_EARLY_DATA requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ @@ -329,6 +337,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -345,6 +354,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -357,6 +367,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -373,6 +384,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -385,6 +397,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -401,6 +414,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -417,6 +431,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -429,6 +444,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -442,6 +458,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -459,6 +476,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -472,6 +490,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -485,6 +504,7 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c176d0d62..5d2db9998 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -221,6 +221,15 @@ skip_next_test() { SKIP_NEXT="YES" } +# Check if the required configuration ($1) is enabled +is_config_enabled() +{ + case $CONFIGS_ENABLED in + *" $1"[\ =]*) return 0;; + *) return 1;; + esac +} + # skip next test if the flag is not enabled in mbedtls_config.h requires_config_enabled() { case $CONFIGS_ENABLED in @@ -272,6 +281,9 @@ TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" +TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" + requires_key_exchange_with_cert_in_tls12_or_tls13_enabled() { if $P_QUERY -all MBEDTLS_SSL_PROTO_TLS1_2 then @@ -460,12 +472,9 @@ check_for_hash_alg() { CURR_ALG="INVALID"; USE_PSA="NO" - case $CONFIGS_ENABLED in - *" MBEDTLS_USE_PSA_CRYPTO"[\ =]*) - USE_PSA="YES"; - ;; - *) :;; - esac + if is_config_enabled "MBEDTLS_USE_PSA_CRYPTO"; then + USE_PSA="YES"; + fi if [ $USE_PSA = "YES" ]; then CURR_ALG=PSA_WANT_ALG_${1} else @@ -517,6 +526,23 @@ requires_hash_alg() { fi } +# Skip next test if the given pk alg is not enabled +requires_pk_alg() { + case $1 in + ECDSA) + if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then + requires_config_enabled PSA_WANT_ALG_ECDSA + else + requires_config_enabled MBEDTLS_ECDSA_C + fi + ;; + *) + echo "Unknown/unimplemented case $1 in requires_pk_alg" + exit 1 + ;; + esac +} + # skip next test if OpenSSL doesn't support FALLBACK_SCSV requires_openssl_with_fallback_scsv() { if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then @@ -1813,7 +1839,8 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_hash_alg SHA_256 run_test "TLS: password protected client key" \ "$P_SRV auth_mode=required" \ @@ -1822,7 +1849,7 @@ run_test "TLS: password protected client key" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_hash_alg SHA_256 run_test "TLS: password protected server key" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ @@ -1831,7 +1858,7 @@ run_test "TLS: password protected server key" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "TLS: password protected server key, two certificates" \ @@ -1854,7 +1881,8 @@ run_test "CA callback on client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_hash_alg SHA_256 run_test "CA callback on server" \ "$P_SRV auth_mode=required" \ @@ -1870,7 +1898,7 @@ run_test "CA callback on server" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-ECDSA" \ "$P_SRV auth_mode=required crt_file=data_files/server5.crt \ @@ -1889,7 +1917,6 @@ run_test "Opaque key for client authentication: ECDHE-ECDSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for client authentication: ECDHE-RSA" \ @@ -1928,7 +1955,7 @@ run_test "Opaque key for client authentication: DHE-RSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-ECDSA" \ "$P_SRV key_opaque=1 crt_file=data_files/server5.crt \ @@ -1945,7 +1972,7 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDH-" \ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1\ @@ -1963,7 +1990,7 @@ run_test "Opaque key for server authentication: ECDH-" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \ @@ -1998,7 +2025,7 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \ @@ -2015,7 +2042,6 @@ run_test "Opaque key for server authentication: invalid alg: decrypt with ECC requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 @@ -2033,7 +2059,7 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_CCM_C run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \ @@ -2050,7 +2076,7 @@ run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC keys with different algs, force ECDHE-ECDSA" \ @@ -2071,7 +2097,7 @@ run_test "Opaque keys for server authentication: EC keys with different algs, requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \ @@ -2092,7 +2118,7 @@ run_test "Opaque keys for server authentication: EC keys with different algs, requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_384 requires_config_enabled MBEDTLS_CCM_C requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -2176,7 +2202,6 @@ run_test "TLS 1.3 opaque key: 2 keys on server, suitable algorithm found" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDHE-RSA" \ @@ -2194,7 +2219,6 @@ run_test "Opaque key for server authentication: ECDHE-RSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: DHE-RSA" \ @@ -2246,7 +2270,6 @@ run_test "Opaque key for server authentication: RSA-" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1" \ @@ -2263,7 +2286,6 @@ run_test "Opaque key for server authentication: DHE-RSA, PSS instead of PKCS1 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -2285,7 +2307,6 @@ run_test "Opaque keys for server authentication: RSA keys with different algs requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_384 requires_config_enabled MBEDTLS_GCM_C @@ -2309,7 +2330,7 @@ run_test "Opaque keys for server authentication: EC + RSA, force DHE-RSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ @@ -2330,7 +2351,6 @@ run_test "Opaque key for client/server authentication: ECDHE-ECDSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for client/server authentication: ECDHE-RSA" \ @@ -2351,7 +2371,6 @@ run_test "Opaque key for client/server authentication: ECDHE-RSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "Opaque key for client/server authentication: DHE-RSA" \ @@ -2436,7 +2455,8 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_hash_alg SHA_256 run_test "Single supported algorithm sending: mbedtls client" \ "$P_SRV sig_algs=ecdsa_secp256r1_sha256 auth_mode=required" \ @@ -2446,7 +2466,8 @@ run_test "Single supported algorithm sending: mbedtls client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_SRV_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_hash_alg SHA_256 run_test "Single supported algorithm sending: openssl client" \ @@ -3684,6 +3705,7 @@ run_test "Session resume using tickets: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using tickets: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -3994,6 +4016,7 @@ run_test "Session resume using tickets, DTLS: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -4135,6 +4158,7 @@ run_test "Session resume using cache: openssl client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using cache: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4285,6 +4309,7 @@ run_test "Session resume using cache, DTLS: openssl client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -4602,6 +4627,7 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Max fragment length: gnutls server" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -5030,6 +5056,7 @@ run_test "Renegotiation: nbio, server-initiated" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www -tls1_2" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5044,6 +5071,7 @@ run_test "Renegotiation: openssl server, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5058,6 +5086,7 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5072,6 +5101,7 @@ run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5087,6 +5117,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5148,6 +5179,7 @@ run_test "Renegotiation: DTLS, renego_period overflow" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5163,6 +5195,7 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5173,6 +5206,7 @@ run_test "Renego ext: gnutls server strict, client default" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5222,6 +5256,7 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: no trailing bytes" \ "$P_SRV crt_file=data_files/server5-der0.crt \ key_file=data_files/server5.key" \ @@ -5231,6 +5266,7 @@ run_test "DER format: no trailing bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with a trailing zero byte" \ "$P_SRV crt_file=data_files/server5-der1a.crt \ key_file=data_files/server5.key" \ @@ -5240,6 +5276,7 @@ run_test "DER format: with a trailing zero byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with a trailing random byte" \ "$P_SRV crt_file=data_files/server5-der1b.crt \ key_file=data_files/server5.key" \ @@ -5249,6 +5286,7 @@ run_test "DER format: with a trailing random byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 2 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der2.crt \ key_file=data_files/server5.key" \ @@ -5258,6 +5296,7 @@ run_test "DER format: with 2 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 4 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der4.crt \ key_file=data_files/server5.key" \ @@ -5267,6 +5306,7 @@ run_test "DER format: with 4 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 8 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der8.crt \ key_file=data_files/server5.key" \ @@ -5276,6 +5316,7 @@ run_test "DER format: with 8 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 9 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der9.crt \ key_file=data_files/server5.key" \ @@ -5535,6 +5576,7 @@ run_test "Authentication: openssl client no cert, server optional" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10 -tls1_2" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -5547,6 +5589,7 @@ run_test "Authentication: client no cert, openssl server optional" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10 -tls1_2" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -6502,6 +6545,7 @@ run_test "Not supported version check: cli TLS 1.1" \ -C "Handshake was completed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Not supported version check: srv max TLS 1.0" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \ "$P_CLI" \ @@ -6512,6 +6556,7 @@ run_test "Not supported version check: srv max TLS 1.0" \ -C "Protocol is TLSv1.0" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Not supported version check: srv max TLS 1.1" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \ "$P_CLI" \ @@ -6643,6 +6688,7 @@ run_test "keyUsage srv: RSA, keyAgreement -> fail" \ -C "Ciphersuite is " requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "keyUsage srv: ECDSA, digitalSignature -> ECDHE-ECDSA" \ "$P_SRV key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ds.crt" \ @@ -6799,6 +6845,7 @@ run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ds.crt" \ @@ -6811,6 +6858,7 @@ run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ke.crt" \ @@ -6823,6 +6871,7 @@ run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ka.crt" \ @@ -6864,6 +6913,8 @@ run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ -s "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6874,6 +6925,8 @@ run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6908,6 +6961,7 @@ run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -6920,6 +6974,7 @@ run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -6961,6 +7016,7 @@ run_test "extKeyUsage srv: codeSign -> fail" \ # Tests for extendedKeyUsage, part 2: client-side checking of server cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ @@ -6971,6 +7027,7 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ @@ -6981,6 +7038,7 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ @@ -6991,6 +7049,7 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ @@ -7003,6 +7062,7 @@ run_test "extKeyUsage cli: codeSign -> fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: serverAuth -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ @@ -7015,6 +7075,7 @@ run_test "extKeyUsage cli 1.3: serverAuth -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ @@ -7027,6 +7088,7 @@ run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ @@ -7039,6 +7101,7 @@ run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: codeSign -> fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ @@ -7051,6 +7114,8 @@ run_test "extKeyUsage cli 1.3: codeSign -> fail" \ # Tests for extendedKeyUsage, part 3: server-side checking of client cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7060,6 +7125,8 @@ run_test "extKeyUsage cli-auth: clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7069,6 +7136,8 @@ run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7078,6 +7147,8 @@ run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7087,6 +7158,8 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ "$P_SRV debug_level=1 auth_mode=required" \ "$O_CLI -key data_files/server5.key \ @@ -7131,6 +7204,7 @@ run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -9044,6 +9118,7 @@ run_test "SSL async private: error in resume then operate correctly" \ # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: cancel after start then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-2 \ @@ -9063,6 +9138,7 @@ run_test "SSL async private: cancel after start then fall back to transparent # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: sign, error in resume then fall back to transparent key" \ "$P_SRV \ async_operations=s async_private_delay1=1 async_private_error=-3 \ @@ -9338,6 +9414,7 @@ run_test "DTLS wrong PSK: badmac alert" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9347,6 +9424,7 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9356,6 +9434,7 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9365,6 +9444,7 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -9375,6 +9455,7 @@ run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ @@ -9390,6 +9471,7 @@ run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ @@ -9403,6 +9485,7 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -s "Extra-header:" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 2048" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9411,6 +9494,7 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 768" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9419,6 +9503,7 @@ run_test "DTLS reassembly: some fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9427,6 +9512,7 @@ run_test "DTLS reassembly: more fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -9448,7 +9534,8 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9470,7 +9557,8 @@ run_test "DTLS fragmenting: none (for reference)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9496,7 +9584,8 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ # `client-initiated, server only (max_frag_len)` below. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9518,7 +9607,8 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9547,7 +9637,8 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9570,7 +9661,8 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9599,7 +9691,8 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9622,7 +9715,8 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference) (MTU)" \ @@ -9643,7 +9737,8 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client (MTU)" \ @@ -9664,7 +9759,8 @@ run_test "DTLS fragmenting: client (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server (MTU)" \ @@ -9685,7 +9781,8 @@ run_test "DTLS fragmenting: server (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: both (MTU=1024)" \ @@ -9708,7 +9805,6 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C @@ -9742,7 +9838,6 @@ run_test "DTLS fragmenting: both (MTU=512)" \ not_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -9768,7 +9863,6 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ only_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -9796,7 +9890,8 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ @@ -9824,7 +9919,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -9852,7 +9946,8 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ @@ -9877,7 +9972,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -9915,7 +10009,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -9945,7 +10038,6 @@ run_test "DTLS fragmenting: proxy MTU, resumed handshake" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -9978,7 +10070,6 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -10012,7 +10103,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -10046,7 +10136,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -10081,7 +10170,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION @@ -10113,7 +10201,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -10139,7 +10226,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -10168,7 +10254,7 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ # pleases other implementations, so we don't need the peer to fragment requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_gnutls requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ @@ -10190,12 +10276,12 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ # GnuTLS continue the connection nonetheless. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_gnutls requires_not_i686 requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ - "$P_SRV dtls=1 debug_level=2 \ + "$P_SRV dtls=1 debug_level=4 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ mtu=512 force_version=dtls12" \ @@ -10205,7 +10291,7 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -10219,7 +10305,8 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ @@ -10237,7 +10324,7 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ @@ -10254,7 +10341,7 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ @@ -10272,7 +10359,7 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ @@ -10291,7 +10378,8 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT +requires_pk_alg "ECDSA" client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ @@ -10559,6 +10647,7 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. openssl server" \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10572,6 +10661,7 @@ run_test "DTLS-SRTP all profiles supported. openssl server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10585,6 +10675,7 @@ run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10598,6 +10689,7 @@ run_test "DTLS-SRTP server supports all profiles. Client supports one profile. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10611,6 +10703,7 @@ run_test "DTLS-SRTP server supports one profile. Client supports all profiles. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10624,6 +10717,7 @@ run_test "DTLS-SRTP server and Client support only one matching profile. openss requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ @@ -10637,6 +10731,7 @@ run_test "DTLS-SRTP server and Client support only one different profile. opens requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10650,6 +10745,7 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ @@ -10763,6 +10859,7 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls client" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. gnutls server" \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10777,6 +10874,7 @@ run_test "DTLS-SRTP all profiles supported. gnutls server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10791,6 +10889,7 @@ run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10805,6 +10904,7 @@ run_test "DTLS-SRTP server supports all profiles. Client supports one profile. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10819,6 +10919,7 @@ run_test "DTLS-SRTP server supports one profile. Client supports all profiles. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one matching profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10833,6 +10934,7 @@ run_test "DTLS-SRTP server and Client support only one matching profile. gnutls requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one different profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ @@ -10847,6 +10949,7 @@ run_test "DTLS-SRTP server and Client support only one different profile. gnutl requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \ "$G_SRV -u" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10861,6 +10964,7 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ @@ -11372,6 +11476,7 @@ requires_openssl_next client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 2048" \ @@ -11383,6 +11488,7 @@ requires_openssl_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 768" \ @@ -11394,6 +11500,7 @@ requires_openssl_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 768" \ @@ -11405,6 +11512,7 @@ requires_gnutls client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ @@ -11417,6 +11525,7 @@ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -11429,6 +11538,7 @@ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -11473,6 +11583,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: minimal feature sets - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=3" \ @@ -11506,6 +11617,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: minimal feature sets - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=3" \ @@ -11540,6 +11652,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: alpn - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -alpn h2" \ "$P_CLI debug_level=3 alpn=h2" \ @@ -11575,6 +11688,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: alpn - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert --alpn=h2" \ "$P_CLI debug_level=3 alpn=h2" \ @@ -11609,6 +11723,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: server alpn - openssl" \ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \ "$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \ @@ -11624,6 +11739,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: server alpn - gnutls" \ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \ @@ -11721,6 +11837,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no client certificate - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -verify 10" \ "$P_CLI debug_level=4 crt_file=none key_file=none" \ @@ -11737,6 +11854,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no client certificate - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --verify-client-cert" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -11752,6 +11870,7 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key" \ @@ -11766,6 +11885,7 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ @@ -11781,6 +11901,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -11797,6 +11918,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -11812,6 +11934,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -11828,6 +11951,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -11843,6 +11967,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -11859,6 +11984,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12010,6 +12136,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key key_opaque=1" \ @@ -12025,6 +12152,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ @@ -12041,6 +12169,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -12058,6 +12187,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -12074,6 +12204,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -12091,6 +12222,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -12107,6 +12239,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12124,6 +12257,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12282,6 +12416,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \ "$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12297,6 +12432,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \ "$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12313,6 +12449,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12329,6 +12466,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12343,6 +12481,7 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \ @@ -12360,6 +12499,7 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \ @@ -12380,6 +12520,7 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12399,6 +12540,7 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12418,6 +12560,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 force_version=tls13" \ @@ -12437,6 +12580,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \ @@ -12454,6 +12598,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 crt_file=none key_file=none force_version=tls13" \ @@ -12472,6 +12617,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \ "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 force_version=tls13 crt_file=none key_file=none" \ @@ -12518,6 +12664,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -12531,6 +12678,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -12544,6 +12692,7 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -12619,6 +12768,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 m->O both with middlebox compat support" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12659,6 +12809,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 m->G both with middlebox compat support" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12684,6 +12835,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -no_middlebox" \ @@ -12696,6 +12848,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug" \ @@ -12726,6 +12879,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12742,6 +12896,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12811,6 +12966,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 m->O HRR both with middlebox compat support" \ "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \ @@ -12853,6 +13009,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 m->G HRR both with middlebox compat support" \ "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \ @@ -12878,6 +13035,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \ @@ -12890,6 +13048,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m HRR both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384" \ @@ -12920,6 +13079,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12936,6 +13096,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m HRR both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -13170,6 +13331,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->O" \ "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 4" \ "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \ @@ -13186,6 +13348,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \ "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \ @@ -13222,6 +13385,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \ @@ -13242,6 +13406,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ From 3f2309fea6fda523b1f39f07410f8efd8b7b1386 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 23 Feb 2023 13:47:30 +0100 Subject: [PATCH 05/12] ssl-opt: remove redundant requires_config_enabled when force_ciphersuite is set Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5d2db9998..dabfe4136 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2059,7 +2059,6 @@ run_test "Opaque key for server authentication: invalid alg: ecdh with RSA ke requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_256 requires_config_enabled MBEDTLS_CCM_C run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \ @@ -2097,7 +2096,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs, requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \ @@ -2118,7 +2116,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs, requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_hash_alg SHA_384 requires_config_enabled MBEDTLS_CCM_C requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -9118,6 +9115,9 @@ run_test "SSL async private: error in resume then operate correctly" \ # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +# Note: the function "detect_required_features()" is not able to detect more than +# one "force_ciphersuite" per client/server and it only picks the 2nd one. +# Therefore the 1st one is added explicitly here requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: cancel after start then fall back to transparent key" \ "$P_SRV \ @@ -9138,6 +9138,9 @@ run_test "SSL async private: cancel after start then fall back to transparent # key1: ECDSA, key2: RSA; use key1 through async, then key2 directly requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +# Note: the function "detect_required_features()" is not able to detect more than +# one "force_ciphersuite" per client/server and it only picks the 2nd one. +# Therefore the 1st one is added explicitly here requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED run_test "SSL async private: sign, error in resume then fall back to transparent key" \ "$P_SRV \ @@ -9234,7 +9237,6 @@ run_test "Force a non ECC ciphersuite in the server side" \ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Force an ECC ciphersuite in the client side" \ "$P_SRV debug_level=3" \ @@ -9248,7 +9250,6 @@ run_test "Force an ECC ciphersuite in the client side" \ requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Force an ECC ciphersuite in the server side" \ "$P_SRV debug_level=3 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \ @@ -9806,7 +9807,6 @@ run_test "DTLS fragmenting: both (MTU=1024)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -9838,7 +9838,6 @@ run_test "DTLS fragmenting: both (MTU=512)" \ not_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -9863,7 +9862,6 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (not valgrind)" \ only_with_valgrind requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -9919,7 +9917,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -9972,7 +9969,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -10009,7 +10005,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=512)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C requires_max_content_len 2048 @@ -10039,7 +10034,6 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_CHACHAPOLY_C requires_max_content_len 2048 @@ -10071,7 +10065,6 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C @@ -10104,7 +10097,6 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CCM_C @@ -10137,7 +10129,6 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC @@ -10171,7 +10162,6 @@ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_CIPHER_MODE_CBC @@ -10201,7 +10191,6 @@ run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 @@ -10226,7 +10215,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d" \ # Forcing ciphersuite for this test to fit the MTU of 512 with full config. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_AES_C requires_config_enabled MBEDTLS_GCM_C client_needs_more_time 2 From 1af76d119dd1197db8446f36ecdd2b200aa97676 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 23 Feb 2023 15:55:10 +0100 Subject: [PATCH 06/12] ssl-opt: automatically detect requirements from the specified certificates This moslty focus on tests using "server5*" cerificate. Several cases are taken into account depending on: - TLS version (1.2 or 1.3) - server or client roles Signed-off-by: Valerio Setti --- tests/opt-testcases/tls13-misc.sh | 12 ---- tests/ssl-opt.sh | 114 ++++++++++++------------------ 2 files changed, 46 insertions(+), 80 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index a72a0f49f..b5535cd3f 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -337,7 +337,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -354,7 +353,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -367,7 +365,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -384,7 +381,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=psk_or_ephemeral reconnect=1" \ @@ -397,7 +393,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -414,7 +409,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -431,7 +425,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -444,7 +437,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_ephemeral/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=ephemeral_all reconnect=1" \ @@ -458,7 +450,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/none." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=7" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -476,7 +467,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=8" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -490,7 +480,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_ephemeral." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=9" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ @@ -504,7 +493,6 @@ requires_all_configs_enabled MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 dummy_ticket=10" \ "$P_CLI debug_level=4 tls13_kex_modes=all reconnect=1" \ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index dabfe4136..9a27a2f54 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -363,9 +363,12 @@ requires_ciphersuite_enabled() { esac } -# detect_required_features CMD [RUN_TEST_OPTION...] -# If CMD (call to a TLS client or server program) requires certain features, -# arrange to only run the following test case if those features are enabled. +# Automatically detect required features based on command line parameters. +# Parameters are: +# - $1 = command line (call to a TLS client or server program) +# - $2 = client/server +# - $3 = TLS version (TLS12 or TLS13) +# - $4 = run test options detect_required_features() { case "$1" in *\ force_version=*) @@ -390,6 +393,27 @@ detect_required_features() { requires_config_enabled MBEDTLS_SSL_ALPN;; esac + case "$1" in + *server5*) + if [ "$3" = "TLS13" ]; then + # In case of TLS13 the support for ECDSA is enough + requires_pk_alg "ECDSA" + else + # For TLS12 requirements are different between server and client + if [ "$2" = "server" ]; then + # If the server uses "server5*" cerificates, then an ECDSA based + # key exchange is required + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT + elif [ "$2" = "client" ]; then + # Otherwise for the client it is enough to have any certificate + # based authentication + support for ECDSA + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT + requires_pk_alg "ECDSA" + fi + fi + ;; + esac + unset tmp } @@ -1416,6 +1440,22 @@ do_run_test_once() { fi } +# Detect if the current test is going to use TLS 1.3. +# $1 and $2 contains the server and client command lines, respectively. +get_tls_version() { + case $1 in + *tls1_3*|*tls13*) + echo "TLS13" + return;; + esac + case $2 in + *tls1_3*|*tls13*) + echo "TLS13" + return;; + esac + echo "TLS12" +} + # Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]] # Options: -s pattern pattern that must be present in server output # -c pattern pattern that must be present in client output @@ -1474,8 +1514,9 @@ run_test() { # If the client or server requires certain features that can be detected # from their command-line arguments, check that they're enabled. - detect_required_features "$SRV_CMD" "$@" - detect_required_features "$CLI_CMD" "$@" + TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD") + detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@" + detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@" # If we're in a PSK-only build and the test can be adapted to PSK, do that. maybe_adapt_for_psk "$@" @@ -1839,8 +1880,6 @@ run_test "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_hash_alg SHA_256 run_test "TLS: password protected client key" \ "$P_SRV auth_mode=required" \ @@ -1849,7 +1888,6 @@ run_test "TLS: password protected client key" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_hash_alg SHA_256 run_test "TLS: password protected server key" \ "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \ @@ -1858,7 +1896,6 @@ run_test "TLS: password protected server key" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_enabled MBEDTLS_RSA_C requires_hash_alg SHA_256 run_test "TLS: password protected server key, two certificates" \ @@ -1881,8 +1918,6 @@ run_test "CA callback on client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_hash_alg SHA_256 run_test "CA callback on server" \ "$P_SRV auth_mode=required" \ @@ -1972,7 +2007,6 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_hash_alg SHA_256 run_test "Opaque key for server authentication: ECDH-" \ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1\ @@ -1990,7 +2024,6 @@ run_test "Opaque key for server authentication: ECDH-" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid key: decrypt with ECC key, no async" \ @@ -2025,7 +2058,6 @@ run_test "Opaque key for server authentication: invalid key: ecdh with RSA ke requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key, async" \ @@ -5253,7 +5285,6 @@ run_test "Renego ext: gnutls client unsafe, server break legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: no trailing bytes" \ "$P_SRV crt_file=data_files/server5-der0.crt \ key_file=data_files/server5.key" \ @@ -5263,7 +5294,6 @@ run_test "DER format: no trailing bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with a trailing zero byte" \ "$P_SRV crt_file=data_files/server5-der1a.crt \ key_file=data_files/server5.key" \ @@ -5273,7 +5303,6 @@ run_test "DER format: with a trailing zero byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with a trailing random byte" \ "$P_SRV crt_file=data_files/server5-der1b.crt \ key_file=data_files/server5.key" \ @@ -5283,7 +5312,6 @@ run_test "DER format: with a trailing random byte" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 2 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der2.crt \ key_file=data_files/server5.key" \ @@ -5293,7 +5321,6 @@ run_test "DER format: with 2 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 4 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der4.crt \ key_file=data_files/server5.key" \ @@ -5303,7 +5330,6 @@ run_test "DER format: with 4 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 8 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der8.crt \ key_file=data_files/server5.key" \ @@ -5313,7 +5339,6 @@ run_test "DER format: with 8 trailing random bytes" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DER format: with 9 trailing random bytes" \ "$P_SRV crt_file=data_files/server5-der9.crt \ key_file=data_files/server5.key" \ @@ -5380,7 +5405,6 @@ run_test "Authentication: server goodcert, client required, no trusted CA" \ requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5392,7 +5416,6 @@ run_test "Authentication: server ECDH p256v1, client required, p256v1 unsuppo requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5403,7 +5426,6 @@ run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsuppo -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: server badcert, client none" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5712,7 +5734,6 @@ run_test "Authentication: do not send CA list in CertificateRequest" \ -S "requested DN" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -5766,7 +5787,6 @@ run_test "Authentication: send alt hs DN hints in CertificateRequest" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5780,7 +5800,6 @@ run_test "Authentication, CA callback: server badcert, client required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5802,7 +5821,6 @@ run_test "Authentication, CA callback: server badcert, client optional" \ requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5816,7 +5834,6 @@ run_test "Authentication, CA callback: server ECDH p256v1, client required, p requires_config_enabled MBEDTLS_ECP_C requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \ "$P_SRV debug_level=1 key_file=data_files/server5.key \ crt_file=data_files/server5.ku-ka.crt" \ @@ -5855,7 +5872,6 @@ run_test "Authentication, CA callback: client SHA384, server required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: client badcert, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -5880,7 +5896,6 @@ run_test "Authentication, CA callback: client badcert, server required" \ requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: client cert not trusted, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -5901,7 +5916,6 @@ run_test "Authentication, CA callback: client cert not trusted, server requir requires_config_enabled MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: client badcert, server optional" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -6842,7 +6856,6 @@ run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ds.crt" \ @@ -6855,7 +6868,6 @@ run_test "keyUsage cli 1.3: DigitalSignature, ECDSA: OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ke.crt" \ @@ -6868,7 +6880,6 @@ run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.ku-ka.crt" \ @@ -6910,8 +6921,6 @@ run_test "keyUsage cli-auth: RSA, KeyEncipherment: fail (hard)" \ -s "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6922,8 +6931,6 @@ run_test "keyUsage cli-auth: ECDSA, DigitalSignature: OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "keyUsage cli-auth: ECDSA, KeyAgreement: fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -6958,7 +6965,6 @@ run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (soft)" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -6971,7 +6977,6 @@ run_test "keyUsage cli-auth 1.3: ECDSA, DigitalSignature: OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (soft)" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -7013,7 +7018,6 @@ run_test "extKeyUsage srv: codeSign -> fail" \ # Tests for extendedKeyUsage, part 2: client-side checking of server cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: serverAuth -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ @@ -7024,7 +7028,6 @@ run_test "extKeyUsage cli: serverAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ @@ -7035,7 +7038,6 @@ run_test "extKeyUsage cli: serverAuth,clientAuth -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ @@ -7046,7 +7048,6 @@ run_test "extKeyUsage cli: codeSign,anyEKU -> OK" \ -c "Ciphersuite is TLS-" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli: codeSign -> fail" \ "$O_SRV -tls1_2 -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ @@ -7059,7 +7060,6 @@ run_test "extKeyUsage cli: codeSign -> fail" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: serverAuth -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-srv.crt" \ @@ -7072,7 +7072,6 @@ run_test "extKeyUsage cli 1.3: serverAuth -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-srv_cli.crt" \ @@ -7085,7 +7084,6 @@ run_test "extKeyUsage cli 1.3: serverAuth,clientAuth -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-cs_any.crt" \ @@ -7098,7 +7096,6 @@ run_test "extKeyUsage cli 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "extKeyUsage cli 1.3: codeSign -> fail" \ "$O_NEXT_SRV_NO_CERT -tls1_3 -num_tickets=0 -key data_files/server5.key \ -cert data_files/server5.eku-cs.crt" \ @@ -7111,8 +7108,6 @@ run_test "extKeyUsage cli 1.3: codeSign -> fail" \ # Tests for extendedKeyUsage, part 3: server-side checking of client cert requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7122,8 +7117,6 @@ run_test "extKeyUsage cli-auth: clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7133,8 +7126,6 @@ run_test "extKeyUsage cli-auth: serverAuth,clientAuth -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7144,8 +7135,6 @@ run_test "extKeyUsage cli-auth: codeSign,anyEKU -> OK" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ "$P_SRV debug_level=1 auth_mode=optional" \ "$O_CLI -key data_files/server5.key \ @@ -7155,8 +7144,6 @@ run_test "extKeyUsage cli-auth: codeSign -> fail (soft)" \ -S "Processing of the Certificate handshake message failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth: codeSign -> fail (hard)" \ "$P_SRV debug_level=1 auth_mode=required" \ "$O_CLI -key data_files/server5.key \ @@ -7201,7 +7188,6 @@ run_test "extKeyUsage cli-auth 1.3: codeSign,anyEKU -> OK" \ requires_openssl_tls1_3 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "extKeyUsage cli-auth 1.3: codeSign -> fail (soft)" \ "$P_SRV debug_level=1 force_version=tls13 auth_mode=optional" \ "$O_NEXT_CLI_NO_CERT -key data_files/server5.key \ @@ -12652,7 +12638,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -12666,7 +12651,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server5.crt,data_files/server5.key,data_files/test-ca_cat12.crt,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -12680,7 +12664,6 @@ requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with sni" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0 \ sni=localhost,data_files/server2.crt,data_files/server2.key,-,-,-,polarssl.example,data_files/server1-nospace.crt,data_files/server1.key,-,-,-" \ @@ -13023,7 +13006,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m HRR server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384 -no_middlebox" \ @@ -13036,7 +13018,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m HRR both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$O_NEXT_CLI -msg -debug -groups P-256:P-384" \ @@ -13067,7 +13048,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m HRR server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -13084,7 +13064,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m HRR both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 curves=secp384r1 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -13394,7 +13373,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->m" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ From 194e2bdb6af4fcc8edb3287227965bcb5d875105 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 2 Mar 2023 17:18:10 +0100 Subject: [PATCH 07/12] fix typos Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9a27a2f54..eb0ac8645 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -401,7 +401,7 @@ detect_required_features() { else # For TLS12 requirements are different between server and client if [ "$2" = "server" ]; then - # If the server uses "server5*" cerificates, then an ECDSA based + # If the server uses "server5*" certificates, then an ECDSA based # key exchange is required requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT elif [ "$2" = "client" ]; then @@ -1441,7 +1441,7 @@ do_run_test_once() { } # Detect if the current test is going to use TLS 1.3. -# $1 and $2 contains the server and client command lines, respectively. +# $1 and $2 contain the server and client command lines, respectively. get_tls_version() { case $1 in *tls1_3*|*tls13*) From 23e50b9042a9400da9032a1bab8d51516aefaace Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 6 Mar 2023 14:48:39 +0100 Subject: [PATCH 08/12] ssl-opt: remove redundant ECDSA dependencies in TLS1.3 tests Signed-off-by: Valerio Setti --- tests/opt-testcases/tls13-kex-modes.sh | 3 --- tests/opt-testcases/tls13-misc.sh | 8 -------- 2 files changed, 11 deletions(-) diff --git a/tests/opt-testcases/tls13-kex-modes.sh b/tests/opt-testcases/tls13-kex-modes.sh index 84a2c1ab8..974d513d8 100755 --- a/tests/opt-testcases/tls13-kex-modes.sh +++ b/tests/opt-testcases/tls13-kex-modes.sh @@ -2833,7 +2833,6 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3: m->O: ephemeral/all, good" \ "$O_NEXT_SRV -msg -debug -tls1_3 -psk_identity 0a0b0c -psk 010203 -allow_no_dhe_kex" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ @@ -3065,7 +3064,6 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3: m->G: ephemeral/all, good" \ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK --pskpasswd=data_files/simplepass.psk" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ @@ -3079,7 +3077,6 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3: m->G: ephemeral/ephemeral_all, good" \ "$G_NEXT_SRV -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-PSK:+DHE-PSK:-PSK --pskpasswd=data_files/simplepass.psk" \ "$P_CLI debug_level=4 force_version=tls13 psk=010203 psk_identity=0a0b0c tls13_kex_modes=ephemeral" \ diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index b5535cd3f..46c371fe0 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -87,7 +87,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket authentication failed." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=1" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -107,7 +106,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket expired." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=2" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -127,7 +125,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, invalid start time." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=3" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -147,7 +144,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, ticket expired. too old" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=4" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -167,7 +163,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too young." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=5" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -187,7 +182,6 @@ requires_all_configs_enabled MBEDTLS_SSL_PROTO_TLS1_3 MBEDTLS_SSL_SESSION_TICKET MBEDTLS_SSL_CLI_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old." \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=8 dummy_ticket=6" \ "$P_CLI debug_level=4 reco_mode=1 reconnect=1" \ @@ -278,7 +272,6 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_EARLY_DATA requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ @@ -302,7 +295,6 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_EARLY_DATA requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED -requires_pk_alg ECDSA run_test "TLS 1.3 m->G: EarlyData: no early_data in NewSessionTicket, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --disable-client-cert" \ "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1" \ From 2f1d967643b7d5cd7e408fa2f77abadb6ded08bd Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 7 Mar 2023 18:14:34 +0100 Subject: [PATCH 09/12] ssl: fix included pk header file Signed-off-by: Valerio Setti --- library/ssl_misc.h | 2 +- library/ssl_tls.c | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index f9a47670a..549162ce9 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -55,7 +55,7 @@ #include "mbedtls/ecjpake.h" #endif -#include "pk_wrap.h" +#include "mbedtls/pk.h" #include "common.h" /* Shorthand for restartable ECC */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e1d944c6f..0f7e61b7f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -52,8 +52,6 @@ #include "mbedtls/oid.h" #endif -#include "pk_wrap.h" - #if defined(MBEDTLS_TEST_HOOKS) static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; From 213c4eae3a654f22663fa42eef1bf940a729cca6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 7 Mar 2023 19:29:57 +0100 Subject: [PATCH 10/12] ssl-opt: enhance comment for get_tls_version() function Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index eb0ac8645..08d3800b4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1442,6 +1442,17 @@ do_run_test_once() { # Detect if the current test is going to use TLS 1.3. # $1 and $2 contain the server and client command lines, respectively. +# +# Note: this function only provides some guess about TLS version by simply +# looking at the server/client command lines. Even thought this works +# for the sake of tests' filtering (especially in conjunction with the +# detect_required_features() function), it does NOT guarantee that the +# result is accurate. It does not check other conditions, such as: +# - MBEDTLS_SSL_PROTO_TLS1_x can be disabled to selectively remove +# TLS 1.2/1.3 suppport +# - we can force a ciphersuite which contains "WITH" in its name, meaning +# that we are going to use TLS 1.2 +# - etc etc get_tls_version() { case $1 in *tls1_3*|*tls13*) From 3b2c02821e723ee2e78400d9e70f8cdf3657cf7b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 8 Mar 2023 10:22:29 +0100 Subject: [PATCH 11/12] ssl-opt: return to previous debug level in test This was a leftover from some debug activity that unfortunately ended up in previous commits. Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 08d3800b4..c871dd3ef 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -10266,7 +10266,7 @@ requires_gnutls requires_not_i686 requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ - "$P_SRV dtls=1 debug_level=4 \ + "$P_SRV dtls=1 debug_level=2 \ crt_file=data_files/server7_int-ca.crt \ key_file=data_files/server7.key \ mtu=512 force_version=dtls12" \ From ccfad9ae0edb01f12045359cd7a459e33c7312bf Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 8 Mar 2023 10:25:05 +0100 Subject: [PATCH 12/12] ssl-opt: remove remaining redundant dependencies There were some dependencies that are now automatically satisfied by the detect_required_features() function. After this check there should be no redundant requirement for: - requires_pk_alg "ECDSA" - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT Signed-off-by: Valerio Setti --- tests/ssl-opt.sh | 141 +---------------------------------------------- 1 file changed, 2 insertions(+), 139 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c871dd3ef..5ce2d03c7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -394,7 +394,8 @@ detect_required_features() { esac case "$1" in - *server5*) + *server5*|\ + *server7*) if [ "$3" = "TLS13" ]; then # In case of TLS13 the support for ECDSA is enough requires_pk_alg "ECDSA" @@ -2506,8 +2507,6 @@ run_test "Single supported algorithm sending: mbedtls client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_SRV_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED requires_hash_alg SHA_256 run_test "Single supported algorithm sending: openssl client" \ @@ -3745,7 +3744,6 @@ run_test "Session resume using tickets: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using tickets: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=1 reconnect=1" \ @@ -4056,7 +4054,6 @@ run_test "Session resume using tickets, DTLS: session copy" \ -c "a session has been resumed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using tickets, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ @@ -4198,7 +4195,6 @@ run_test "Session resume using cache: openssl client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using cache: openssl server" \ "$O_SRV -tls1_2" \ "$P_CLI debug_level=3 tickets=0 reconnect=1" \ @@ -4349,7 +4345,6 @@ run_test "Session resume using cache, DTLS: openssl client" \ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_SSL_CACHE_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Session resume using cache, DTLS: openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ @@ -4667,7 +4662,6 @@ requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Max fragment length: gnutls server" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -5096,7 +5090,6 @@ run_test "Renegotiation: nbio, server-initiated" \ requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www -tls1_2" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5111,7 +5104,6 @@ run_test "Renegotiation: openssl server, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5126,7 +5118,6 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5141,7 +5132,6 @@ run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5157,7 +5147,6 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -5219,7 +5208,6 @@ run_test "Renegotiation: DTLS, renego_period overflow" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -5235,7 +5223,6 @@ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renego ext: gnutls server strict, client default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5246,7 +5233,6 @@ run_test "Renego ext: gnutls server strict, client default" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Renego ext: gnutls server unsafe, client default" \ "$G_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3" \ @@ -5372,7 +5358,6 @@ run_test "Authentication: server badcert, client required" \ -c "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -5593,7 +5578,6 @@ run_test "Authentication: client no cert, server optional" \ -S "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: openssl client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$O_CLI" \ @@ -5605,8 +5589,6 @@ run_test "Authentication: openssl client no cert, server optional" \ -S "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Authentication: client no cert, openssl server optional" \ "$O_SRV -verify 10 -tls1_2" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -5618,8 +5600,6 @@ run_test "Authentication: client no cert, openssl server optional" \ -C "! mbedtls_ssl_handshake returned" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Authentication: client no cert, openssl server required" \ "$O_SRV -Verify 10 -tls1_2" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -6567,7 +6547,6 @@ run_test "Not supported version check: cli TLS 1.1" \ -C "Handshake was completed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Not supported version check: srv max TLS 1.0" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" \ "$P_CLI" \ @@ -6578,7 +6557,6 @@ run_test "Not supported version check: srv max TLS 1.0" \ -C "Protocol is TLSv1.0" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "Not supported version check: srv max TLS 1.1" \ "$G_SRV --priority=NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1" \ "$P_CLI" \ @@ -9412,7 +9390,6 @@ run_test "DTLS wrong PSK: badmac alert" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: no fragmentation (gnutls server)" \ "$G_SRV -u --mtu 2048 -a" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9422,7 +9399,6 @@ run_test "DTLS reassembly: no fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: some fragmentation (gnutls server)" \ "$G_SRV -u --mtu 512" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9432,7 +9408,6 @@ run_test "DTLS reassembly: some fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9442,7 +9417,6 @@ run_test "DTLS reassembly: more fragmentation (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ "$G_SRV -u --mtu 128" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -9453,7 +9427,6 @@ run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ @@ -9469,7 +9442,6 @@ run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ requires_gnutls requires_config_enabled MBEDTLS_SSL_RENEGOTIATION requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ @@ -9483,7 +9455,6 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -s "Extra-header:" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: no fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 2048" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9492,7 +9463,6 @@ run_test "DTLS reassembly: no fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: some fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 768" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9501,7 +9471,6 @@ run_test "DTLS reassembly: some fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: more fragmentation (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 debug_level=2" \ @@ -9510,7 +9479,6 @@ run_test "DTLS reassembly: more fragmentation (openssl server)" \ -C "error" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ "$O_SRV -dtls -mtu 256" \ "$P_CLI dtls=1 nbio=2 debug_level=2" \ @@ -9532,8 +9500,6 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9555,8 +9521,6 @@ run_test "DTLS fragmenting: none (for reference)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9582,8 +9546,6 @@ run_test "DTLS fragmenting: server only (max_frag_len)" \ # `client-initiated, server only (max_frag_len)` below. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9605,8 +9567,6 @@ run_test "DTLS fragmenting: server only (more) (max_frag_len)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9635,8 +9595,6 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len)" \ # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9659,8 +9617,6 @@ run_test "DTLS fragmenting: client-initiated, server only (max_frag_len), pro requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9689,8 +9645,6 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len)" \ # negotiated MFL are sent. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 @@ -9713,8 +9667,6 @@ run_test "DTLS fragmenting: client-initiated, both (max_frag_len), proxy MTU" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: none (for reference) (MTU)" \ @@ -9735,8 +9687,6 @@ run_test "DTLS fragmenting: none (for reference) (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 4096 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: client (MTU)" \ @@ -9757,8 +9707,6 @@ run_test "DTLS fragmenting: client (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: server (MTU)" \ @@ -9779,8 +9727,6 @@ run_test "DTLS fragmenting: server (MTU)" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: both (MTU=1024)" \ @@ -9885,8 +9831,6 @@ run_test "DTLS fragmenting: proxy MTU: auto-reduction (with valgrind)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=1024)" \ @@ -9940,8 +9884,6 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake (MTU=512)" \ not_with_valgrind # spurious autoreduction due to timeout requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 2048 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "DTLS fragmenting: proxy MTU, simple handshake, nbio (MTU=1024)" \ @@ -10239,7 +10181,6 @@ run_test "DTLS fragmenting: proxy MTU + 3d, nbio" \ # pleases other implementations, so we don't need the peer to fragment requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_gnutls requires_max_content_len 2048 run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ @@ -10261,7 +10202,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ # GnuTLS continue the connection nonetheless. requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_gnutls requires_not_i686 requires_max_content_len 2048 @@ -10276,7 +10216,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT requires_max_content_len 2048 run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ "$O_SRV -dtls1_2 -verify 10" \ @@ -10290,8 +10229,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" requires_max_content_len 2048 run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ "$P_SRV dtls=1 debug_level=2 \ @@ -10309,7 +10246,6 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ @@ -10326,7 +10262,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ @@ -10344,7 +10279,6 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ requires_openssl_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ @@ -10363,8 +10297,6 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT -requires_pk_alg "ECDSA" client_needs_more_time 4 requires_max_content_len 2048 run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ @@ -10632,7 +10564,6 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. openssl server" \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10646,7 +10577,6 @@ run_test "DTLS-SRTP all profiles supported. openssl server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10660,7 +10590,6 @@ run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10674,7 +10603,6 @@ run_test "DTLS-SRTP server supports all profiles. Client supports one profile. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10688,7 +10616,6 @@ run_test "DTLS-SRTP server supports one profile. Client supports all profiles. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10702,7 +10629,6 @@ run_test "DTLS-SRTP server and Client support only one matching profile. openss requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ @@ -10716,7 +10642,6 @@ run_test "DTLS-SRTP server and Client support only one different profile. opens requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \ "$O_SRV -dtls" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10730,7 +10655,6 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \ "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ @@ -10844,7 +10768,6 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls client" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. gnutls server" \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10859,7 +10782,6 @@ run_test "DTLS-SRTP all profiles supported. gnutls server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10874,7 +10796,6 @@ run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports all profiles. Client supports one profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_AES128_CM_HMAC_SHA1_80:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10889,7 +10810,6 @@ run_test "DTLS-SRTP server supports all profiles. Client supports one profile. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server supports one profile. Client supports all profiles. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_NULL_HMAC_SHA1_80" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10904,7 +10824,6 @@ run_test "DTLS-SRTP server supports one profile. Client supports all profiles. requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one matching profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ @@ -10919,7 +10838,6 @@ run_test "DTLS-SRTP server and Client support only one matching profile. gnutls requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server and Client support only one different profile. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ @@ -10934,7 +10852,6 @@ run_test "DTLS-SRTP server and Client support only one different profile. gnutl requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \ "$G_SRV -u" \ "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ @@ -10949,7 +10866,6 @@ run_test "DTLS-SRTP server doesn't support use_srtp extension. gnutls server" \ requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS-SRTP all profiles supported. mki used. gnutls server." \ "$G_SRV -u --srtp-profiles=SRTP_AES128_CM_HMAC_SHA1_80:SRTP_AES128_CM_HMAC_SHA1_32:SRTP_NULL_HMAC_SHA1_80:SRTP_NULL_SHA1_32" \ "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ @@ -11461,7 +11377,6 @@ requires_openssl_next client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 2048" \ @@ -11473,7 +11388,6 @@ requires_openssl_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 768" \ @@ -11485,7 +11399,6 @@ requires_openssl_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, openssl server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \ "$O_NEXT_SRV -dtls1_2 -mtu 768" \ @@ -11497,7 +11410,6 @@ requires_gnutls client_needs_more_time 6 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_SRV -u --mtu 2048 -a" \ @@ -11510,7 +11422,6 @@ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server, fragmentation" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -11523,7 +11434,6 @@ requires_gnutls_next client_needs_more_time 8 not_with_valgrind # risk of non-mbedtls peer timing out requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$G_NEXT_SRV -u --mtu 512" \ @@ -11568,7 +11478,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: minimal feature sets - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=3" \ @@ -11602,7 +11511,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: minimal feature sets - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=3" \ @@ -11637,7 +11545,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: alpn - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -alpn h2" \ "$P_CLI debug_level=3 alpn=h2" \ @@ -11673,7 +11580,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_ALPN requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: alpn - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert --alpn=h2" \ "$P_CLI debug_level=3 alpn=h2" \ @@ -11708,7 +11614,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: server alpn - openssl" \ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \ "$O_NEXT_CLI -msg -tls1_3 -no_middlebox -alpn h2" \ @@ -11724,7 +11629,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_ALPN requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: server alpn - gnutls" \ "$P_SRV debug_level=3 tickets=0 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 alpn=h2" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V --alpn h2" \ @@ -11822,7 +11726,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no client certificate - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -verify 10" \ "$P_CLI debug_level=4 crt_file=none key_file=none" \ @@ -11839,7 +11742,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no client certificate - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --verify-client-cert" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -11855,7 +11757,6 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key" \ @@ -11870,7 +11771,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ @@ -11886,7 +11786,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -11903,7 +11802,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -11919,7 +11817,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -11936,7 +11833,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -11952,7 +11848,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -11969,7 +11864,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12121,7 +12015,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10 -no_middlebox" \ "$P_CLI debug_level=4 crt_file=data_files/cli2.crt key_file=data_files/cli2.key key_opaque=1" \ @@ -12137,7 +12030,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, no server middlebox compat - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE" \ "$P_CLI debug_level=3 crt_file=data_files/cli2.crt \ @@ -12154,7 +12046,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -12172,7 +12063,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp256r1_sha256 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp256r1.crt \ @@ -12189,7 +12079,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -12207,7 +12096,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp384r1_sha384 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp384r1.crt \ @@ -12224,7 +12112,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - openssl" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache -Verify 10" \ "$P_CLI debug_level=4 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12242,7 +12129,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Client authentication - opaque key, ecdsa_secp521r1_sha512 - gnutls" \ "$G_NEXT_SRV --debug=4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS" \ "$P_CLI debug_level=3 crt_file=data_files/ecdsa_secp521r1.crt \ @@ -12401,7 +12287,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \ "$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12417,7 +12302,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \ "$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12434,7 +12318,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12451,7 +12334,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12466,7 +12348,6 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \ @@ -12484,7 +12365,6 @@ requires_openssl_tls1_3 requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - openssl with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \ @@ -12505,7 +12385,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12525,7 +12404,6 @@ requires_gnutls_next_no_ticket requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - gnutls with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost -d 4 --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12545,7 +12423,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 force_version=tls13" \ @@ -12565,7 +12442,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with client authentication" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13" \ @@ -12583,7 +12459,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with client empty certificate" \ "$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 crt_file=none key_file=none force_version=tls13" \ @@ -12602,7 +12477,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: Server side check - mbedtls with optional client authentication" \ "$P_SRV debug_level=4 auth_mode=optional crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$P_CLI debug_level=4 force_version=tls13 crt_file=none key_file=none" \ @@ -12750,7 +12624,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 m->O both with middlebox compat support" \ "$O_NEXT_SRV -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4" \ @@ -12791,7 +12664,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 m->G both with middlebox compat support" \ "$G_NEXT_SRV --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4" \ @@ -12817,7 +12689,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug -no_middlebox" \ @@ -12830,7 +12701,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 O->m both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$O_NEXT_CLI -msg -debug" \ @@ -12861,7 +12731,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m server with middlebox compat support, not client" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12878,7 +12747,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 G->m both with middlebox compat support" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \ "$G_NEXT_CLI localhost --debug=10 --priority=NORMAL:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \ @@ -12948,7 +12816,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 m->O HRR both with middlebox compat support" \ "$O_NEXT_SRV -msg -tls1_3 -groups P-384 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \ @@ -12991,7 +12858,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3 m->G HRR both with middlebox compat support" \ "$G_NEXT_SRV --priority=NORMAL:-GROUP-ALL:+GROUP-SECP384R1:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:%NO_TICKETS --disable-client-cert" \ "$P_CLI debug_level=4 curves=secp256r1,secp384r1" \ @@ -13309,7 +13175,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->O" \ "$O_NEXT_SRV -msg -tls1_3 -no_resume_ephemeral -no_cache --num_tickets 4" \ "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \ @@ -13326,7 +13191,6 @@ requires_config_enabled MBEDTLS_SSL_CLI_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, m->G" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 --disable-client-cert" \ "$P_CLI debug_level=1 reco_mode=1 reconnect=1" \ @@ -13363,7 +13227,6 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -requires_pk_alg "ECDSA" run_test "TLS 1.3: NewSessionTicket: Basic check, G->m" \ "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \