Merge pull request #7052 from yanrayw/7008-compatsh-disable-VERIFY-for-PSK

compat.sh: remove VERIFY and duplicate test cases for PSK
2025-09-29 16:32:32 -04:00 · 2023-02-10 15:07:27 +01:00 · 2023-02-10 15:07:27 +01:00 · 3196ceb2fb
commit 3196ceb2fb
parent b009559c8f 303829709d
1 changed files with 15 additions and 18 deletions
--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -200,17 +200,6 @@ filter()
  echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
 }

-# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
-# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
-check_openssl_server_bug()
-{
-    if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
-        test "$TYPE" = "PSK";
-    then
-        SKIP_NEXT="YES"
-    fi
-}
-
 filter_ciphersuites()
 {
    if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
@ -227,7 +216,7 @@ filter_ciphersuites()

    # For GnuTLS client -> mbed TLS server,
    # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
-    if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
+    if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
        G_CIPHERS=""
    fi
 }
@ -599,7 +588,6 @@ setup_arguments()
    M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
    O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
    G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
-    G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"

    # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
    # low-security ones. This covers not just cipher suites but also protocol
@ -1001,10 +989,20 @@ SKIP_NEXT="NO"

 trap cleanup INT TERM HUP

-for VERIFY in $VERIFIES; do
-    VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
-    for MODE in $MODES; do
-        for TYPE in $TYPES; do
+for MODE in $MODES; do
+    for TYPE in $TYPES; do
+
+        # PSK cipher suites do not allow client certificate verification.
+        # This means PSK test cases with VERIFY=YES should be replaced by
+        # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
+        # verification option for PSK test cases.
+        SUB_VERIFIES=$VERIFIES
+        if [ "$TYPE" = "PSK" ]; then
+            SUB_VERIFIES="NO"
+        fi
+
+        for VERIFY in $SUB_VERIFIES; do
+            VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
            for PEER in $PEERS; do

            setup_arguments
@ -1035,7 +1033,6 @@ for VERIFY in $VERIFIES; do
                        start_server "OpenSSL"
                        translate_ciphers m $M_CIPHERS
                        for i in $ciphers; do
-                            check_openssl_server_bug
                            run_client mbedTLS ${i%%=*} ${i#*=}
                        done
                        stop_server