Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate DHE test cases to ECDHE #9916

Merged
merged 7 commits into from
Jan 29, 2025
Merged

Migrate DHE test cases to ECDHE #9916

merged 7 commits into from
Jan 29, 2025

Conversation

valeriosetti
Copy link
Contributor

@valeriosetti valeriosetti commented Jan 20, 2025
edited
Loading

Description

Resoves #9688

PR checklist

@valeriosetti valeriosetti added needs-review Every commit must be reviewed by at least two team members, needs-ci Needs to pass CI tests needs-reviewer This PR needs someone to pick it up for review size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon labels Jan 20, 2025
@valeriosetti valeriosetti self-assigned this Jan 20, 2025
@valeriosetti valeriosetti removed the needs-ci Needs to pass CI tests label Jan 22, 2025
Harry-Ramsey
Harry-Ramsey previously approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@Harry-Ramsey Harry-Ramsey left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I did notice however that these lines in test_suite_ssl.data are present althought I am not sure if they should be removed.

Test configuration of groups for DHE through mbedtls_ssl_conf_curves()
conf_curve:
Test configuration of groups for DHE through mbedtls_ssl_conf_groups()
conf_group:

@valeriosetti
Copy link
Contributor Author

valeriosetti commented Jan 22, 2025
edited
Loading

I did notice however that these lines exist in test_suite_ssl.data are present althought I am not sure if they should be removed.

Oh, good catch! IMO those tests seems to be DHE specific, so they can just be removed. I'll update the commits.
It's implemented here. All the following commits are untouched (as you can see by clicking on the "compare" button)

Harry-Ramsey
Harry-Ramsey previously approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@Harry-Ramsey Harry-Ramsey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@valeriosetti valeriosetti mentioned this pull request Jan 22, 2025
Merged
5 tasks
@ronald-cron-arm ronald-cron-arm self-requested a review January 23, 2025 10:36
@ronald-cron-arm ronald-cron-arm removed the needs-reviewer This PR needs someone to pick it up for review label Jan 23, 2025
ronald-cron-arm
ronald-cron-arm requested changes Jan 23, 2025
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done a full review. I've some questions.

Harry-Ramsey
Harry-Ramsey previously approved these changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@Harry-Ramsey Harry-Ramsey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@valeriosetti
Copy link
Contributor Author

@Harry-Ramsey sorry to dismiss your review, but I had to update 61f4549 because I forgot to update analyze_outcomes.py when I changed the name of the test and that was causing a CI failure. Nothing else is changed though in the commit history as you can see from the "Compare" button

ronald-cron-arm
ronald-cron-arm requested changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks almost good to me. Two last comments.

ronald-cron-arm
ronald-cron-arm previously approved these changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks. Do you plan to backport the new ECDHE-RSA tests to 3.6?

@valeriosetti
Copy link
Contributor Author

LGTM, thanks. Do you plan to backport the new ECDHE-RSA tests to 3.6?

According to the requirement from #9688, i.e.

This applies to development only. But we may want to backport the new test cases as additional tests in 3.6 for a minor but very cheap coverage improvement.

I think this is required indeed. Now that I have some approval I can start working on it (I was waiting to get to a decent point with this PR, so that I don't need to refresh the backport continuously).

@valeriosetti
Copy link
Contributor Author

But I just saw that there are also conflicts in this PR with development so I might address those ones before starting the backport.

@valeriosetti
test_suite_ssl: adapt DHE-RSA tests to ECDHE-RSA
5b7bfd8 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
test_suite_ssl: adapt handshake_fragmentation() to use ECDHE-RSA
b8ef2a4 
Use ECDHE-RSA instead of DHE-RSA.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
test_suite_ssl: remove tests specific for DHE-RSA
8638603 
These tests were specific for DHE-RSA (which is being removed on
development branch) and also for each of them there was already the
ECDHE-RSA counterpart available.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
test_suite_ssl: update description for conf_curve and conf_gruop tests
592f682 
These tests are about EC curves/groups, not DH ones, so the description
should be updated accordingly.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
ssl-opt.sh: adapt tests from DHE-RSA to ECDHE-RSA
309a7ec 
Adapted tests do not already have an ECDHE-RSA test available.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
ssl-opt.sh: remove tests which are specific for DHE-RSA
3b412e2 
For these ones there is no ECDHE alternative as they are testing
specific features of DHE.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti
ssl-opt.sh: remove tests forcing DHE-RSA for which have alternatives
0ebd6de 
Remove tests which are forcing DHE-RSA, but for which an ECDHE-RSA
alternative already exists.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
valeriosetti added a commit to valeriosetti/mbedtls that referenced this pull request Jan 27, 2025
@valeriosetti
test_suite_ssl: add new ECDHE-RSA tests
f611b54 
PR Mbed-TLS#9916 adapt some DHE-RSA tests to use ECDHE-RSA instead. However,
since DHE-RSA is not deprecated in mbedtls-3.6 branch, this commit adds
these new tests alongside DHE-RSA ones intead of replacing them in order
to increase test coverage.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@valeriosetti valeriosetti mentioned this pull request Jan 27, 2025
Merged
5 tasks
@valeriosetti
Copy link
Contributor Author

LGTM, thanks. Do you plan to backport the new ECDHE-RSA tests to 3.6?

Done here #9937

@valeriosetti valeriosetti added the needs-backports Backports are missing or are pending review and approval. label Jan 27, 2025
Harry-Ramsey
Harry-Ramsey approved these changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@Harry-Ramsey Harry-Ramsey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

ronald-cron-arm
ronald-cron-arm approved these changes Jan 27, 2025
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rebase looks good to me. Thanks.

@valeriosetti valeriosetti added the approved Design and code approved - may be waiting for CI or backports label Jan 27, 2025
valeriosetti added a commit to valeriosetti/mbedtls that referenced this pull request Jan 27, 2025
@valeriosetti
test_suite_ssl: add new ECDHE-RSA tests
4f2a74d 
PR Mbed-TLS#9916 adapt some DHE-RSA tests to use ECDHE-RSA instead. However,
since DHE-RSA is not deprecated in mbedtls-3.6 branch, this commit adds
these new tests alongside DHE-RSA ones intead of replacing them in order
to increase test coverage.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
@ronald-cron-arm ronald-cron-arm removed the needs-review Every commit must be reviewed by at least two team members, label Jan 29, 2025
@ronald-cron-arm ronald-cron-arm added this pull request to the merge queue Jan 29, 2025
Merged via the queue into Mbed-TLS:development with commit ed44508 Jan 29, 2025
5 of 6 checks passed
@ronald-cron-arm ronald-cron-arm mentioned this pull request Jan 30, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronald-cron-arm ronald-cron-arm ronald-cron-arm approved these changes

@Harry-Ramsey Harry-Ramsey Harry-Ramsey approved these changes

Assignees

@valeriosetti valeriosetti

Labels
approved Design and code approved - may be waiting for CI or backports needs-backports Backports are missing or are pending review and approval. priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)
Projects
Roadmap pull requests (new board)
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@valeriosetti @ronald-cron-arm @Harry-Ramsey