Automatically detect protocol version requirement from force_version
When the client or server uses a specific protocol version, automatically
require that version to be enabled at compile time.
An explicit call is still needed in test cases that require a specific
protocol version (due to analyzing version-specific behavior, or checking
the version in logs), but do not force that specific protocol version, or that
force a specific version only on the openssl/gnutls side.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2d6a6e7..0bb8ca2 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -263,6 +263,19 @@
fi
}
+# Require Mbed TLS to support the given protocol version.
+#
+# Inputs:
+# * $1: protocol version in mbedtls syntax (argument to force_version=)
+requires_protocol_version() {
+ # Support for DTLS is detected separately in detect_dtls().
+ case "$1" in
+ tls12|dtls12) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2;;
+ tls13|dtls13) requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3;;
+ *) echo "Unknown required protocol version: $1"; exit 1;;
+ esac
+}
+
# Space-separated list of ciphersuites supported by this build of
# Mbed TLS.
P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null |
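Review bot: The fallback arm of the case in requires_protocol_version prints its diagnostic to stdout and then terminates the whole ssl-opt.sh run, so a misspelt force_version= value in any one test aborts the suite rather than failing that test; at minimum route the message to stderr so it is not lost when stdout is captured or filtered: `*) echo "Unknown required protocol version: $1" >&2; exit 1;;`. If aborting is intended (a bad value is a bug in the test definition, not a test failure), a one-line comment saying so would help, e.g. `# An unknown version is a bug in the test script, so abort the whole run.`. Note also that a `dtls12`/`dtls13` argument only checks the TLS flag here; the comment on the first line of the body defers DTLS detection to detect_dtls(), which is outside this hunk and cannot be confirmed from the diff.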
@@ -280,6 +293,13 @@
# arrange to only run the following test case if those features are enabled.
detect_required_features() {
case "$1" in
+ *\ force_version=*)
+ tmp="${1##*\ force_version=}"
+ tmp="${tmp%%[!-0-9A-Z_a-z]*}"
+ requires_protocol_version "$tmp";;
+ esac
+
+ case "$1" in
*\ force_ciphersuite=*)
tmp="${1##*\ force_ciphersuite=}"
tmp="${tmp%%[!-0-9A-Z_a-z]*}"
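Review bot: The new case arm only derives a protocol requirement when the literal text ` force_version=` appears in $1 (presumably a test's command line), so a test whose TLS 1.2 dependence is not spelled out that way loses its requirement once its explicit `requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2` line is removed; in this diff that removal is not visibly backed by a force_version= argument for run_test_psa and run_test_psa_force_curve (their run_test arguments are out of view), for the "CBC Record splitting: TLS 1.2, no splitting" test (the visible lines force only a ciphersuite), and for the "DTLS fragmenting" tests with an openssl/gnutls peer (the Mbed TLS side's arguments continue past each hunk). Per the commit message, tests that force the version only on the openssl/gnutls side keep the explicit call, so those deletions deserve a check that force_version= is present on the Mbed TLS command line. The `${1##*\ force_version=}` expansion also keeps only the last occurrence on the line, so if $1 ever carried two different values only the final one would be required; a comment such as `# Only the last force_version= on the command line is inspected.` would record that. The `tmp` variable is not declared local, matching the existing force_ciphersuite arm; detect_required_features continues past the hunk.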
@@ -1313,7 +1333,6 @@
}
run_test_psa() {
- requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
set_maybe_calc_verify none
run_test "PSA-supported ciphersuite: $1" \
@@ -1333,7 +1352,6 @@
}
run_test_psa_force_curve() {
- requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
set_maybe_calc_verify none
run_test "PSA - ECDH with $1" \
@@ -2915,7 +2933,6 @@
# Tests for CBC 1/n-1 record splitting
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "CBC Record splitting: TLS 1.2, no splitting" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
@@ -5152,7 +5169,6 @@
# Tests for certificate selection based on SHA verson
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@@ -6684,7 +6700,6 @@
# Tests for small client packets
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet TLS 1.2 BlockCipher" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls12 \
@@ -6692,7 +6707,6 @@
0 \
-s "Read from client: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet TLS 1.2 BlockCipher, without EtM" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls12 \
@@ -6700,7 +6714,6 @@
0 \
-s "Read from client: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls12 \
@@ -6708,7 +6721,6 @@
0 \
-s "Read from client: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet TLS 1.2 AEAD" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls12 \
@@ -6716,7 +6728,6 @@
0 \
-s "Read from client: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet TLS 1.2 AEAD shorter tag" \
"$P_SRV" \
"$P_CLI request_size=1 force_version=tls12 \
@@ -6727,7 +6738,6 @@
# Tests for small client packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet DTLS 1.2" \
"$P_SRV dtls=1 force_version=dtls12" \
"$P_CLI dtls=1 request_size=1 \
@@ -6736,7 +6746,6 @@
-s "Read from client: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small client packet DTLS 1.2, without EtM" \
"$P_SRV dtls=1 force_version=dtls12 etm=0" \
"$P_CLI dtls=1 request_size=1 \
@@ -6746,7 +6755,6 @@
# Tests for small server packets
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet TLS 1.2 BlockCipher" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls12 \
@@ -6754,7 +6762,6 @@
0 \
-c "Read from server: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet TLS 1.2 BlockCipher, without EtM" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls12 \
@@ -6762,7 +6769,6 @@
0 \
-c "Read from server: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls12 \
@@ -6770,7 +6776,6 @@
0 \
-c "Read from server: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet TLS 1.2 AEAD" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls12 \
@@ -6778,7 +6783,6 @@
0 \
-c "Read from server: 1 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet TLS 1.2 AEAD shorter tag" \
"$P_SRV response_size=1" \
"$P_CLI force_version=tls12 \
@@ -6789,7 +6793,6 @@
# Tests for small server packets in DTLS
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet DTLS 1.2" \
"$P_SRV dtls=1 response_size=1 force_version=dtls12" \
"$P_CLI dtls=1 \
@@ -6798,7 +6801,6 @@
-c "Read from server: 1 bytes read"
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Small server packet DTLS 1.2, without EtM" \
"$P_SRV dtls=1 response_size=1 force_version=dtls12 etm=0" \
"$P_CLI dtls=1 \
@@ -6813,7 +6815,6 @@
echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
}
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large client packet TLS 1.2 BlockCipher" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls12 \
@@ -6822,7 +6823,6 @@
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large client packet TLS 1.2 BlockCipher, without EtM" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls12 etm=0 \
@@ -6830,7 +6830,6 @@
0 \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls12 \
@@ -6839,7 +6838,6 @@
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large client packet TLS 1.2 AEAD" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls12 \
@@ -6848,7 +6846,6 @@
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
-s "Read from client: $MAX_CONTENT_LEN bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large client packet TLS 1.2 AEAD shorter tag" \
"$P_SRV" \
"$P_CLI request_size=16384 force_version=tls12 \
@@ -6858,7 +6855,6 @@
-s "Read from client: $MAX_CONTENT_LEN bytes read"
# The tests below fail when the server's OUT_CONTENT_LEN is less than 16384.
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 BlockCipher" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls12 \
@@ -6866,7 +6862,6 @@
0 \
-c "Read from server: 16384 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 BlockCipher, without EtM" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls12 etm=0 \
@@ -6875,7 +6870,6 @@
-s "16384 bytes written in 1 fragments" \
-c "Read from server: 16384 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls12 \
@@ -6883,7 +6877,6 @@
0 \
-c "Read from server: 16384 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
"$P_SRV response_size=16384 trunc_hmac=1" \
"$P_CLI force_version=tls12 \
@@ -6892,7 +6885,6 @@
-s "16384 bytes written in 1 fragments" \
-c "Read from server: 16384 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 AEAD" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls12 \
@@ -6900,7 +6892,6 @@
0 \
-c "Read from server: 16384 bytes read"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Large server packet TLS 1.2 AEAD shorter tag" \
"$P_SRV response_size=16384" \
"$P_CLI force_version=tls12 \
@@ -8472,10 +8463,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_gnutls
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
"$G_SRV -u" \
"$P_CLI dtls=1 debug_level=2 \
@@ -8496,11 +8485,9 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_gnutls
requires_not_i686
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
@@ -8513,9 +8500,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
"$O_SRV -dtls1_2 -verify 10" \
"$P_CLI dtls=1 debug_level=2 \
@@ -8529,9 +8514,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
"$P_SRV dtls=1 debug_level=2 \
crt_file=data_files/server7_int-ca.crt \
@@ -8549,10 +8532,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
client_needs_more_time 4
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$G_NEXT_SRV -u" \
@@ -8568,10 +8549,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
client_needs_more_time 4
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$P_SRV dtls=1 debug_level=2 \
@@ -8591,10 +8570,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
client_needs_more_time 4
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$O_SRV -dtls1_2 -verify 10" \
@@ -8610,10 +8587,8 @@
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
client_needs_more_time 4
requires_max_content_len 2048
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
-p "$P_PXY drop=8 delay=8 duplicate=8" \
"$P_SRV dtls=1 debug_level=2 \
@@ -9988,7 +9963,6 @@
-c "got a certificate request" \
-c "<= parse certificate request"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -10002,7 +9976,6 @@
-c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
-c "HTTP/1.0 200 ok"
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -10018,7 +9991,6 @@
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
@@ -10033,7 +10005,6 @@
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C