From dae7057e1f15e75559554253e3517927dd76e77b Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 6 Feb 2023 18:08:54 +0800 Subject: [PATCH 1/7] compat.sh: ignore $VERIFY in PSK TYPE There is no need to provide CA file in PSK. Thus VERIFY is meaningless for PSK. This change omits the arguments passed to the client and server for $VERIFY=YES. Signed-off-by: Yanray Wang --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index ef8273675..31e2b8396 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -615,7 +615,7 @@ setup_arguments() ;; esac - if [ "X$VERIFY" = "XYES" ]; + if [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" From 35c0eadf0fed98ca8f1b4956431d29ea59ec8f49 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 7 Feb 2023 10:41:04 +0800 Subject: [PATCH 2/7] compat.sh: avoid running duplicate test cases for PSK With the introduction of PSK_TESTS, - Either `compat.sh -V NO` or `compat.sh -V YES` runs the PSK tests - `compat.sh` or `compat.sh -V "NO YES"` runs PSK tests only once Signed-off-by: Yanray Wang --- tests/compat.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 31e2b8396..eb67da93a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -1001,10 +1001,20 @@ SKIP_NEXT="NO" trap cleanup INT TERM HUP -for VERIFY in $VERIFIES; do - VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - for MODE in $MODES; do +for MODE in $MODES; do + PSK_TESTS="" + for VERIFY in $VERIFIES; do + VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') for TYPE in $TYPES; do + + if [ "$TYPE" = "PSK" ]; then + if [ -z "$PSK_TESTS" ]; then + PSK_TESTS="FINISHED" + else + continue; + fi + fi + for PEER in $PEERS; do setup_arguments From c66a46f73439941e04bd3e8c7be8e4a22e37ce4b Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 7 Feb 2023 10:51:56 +0800 Subject: [PATCH 3/7] compat.sh: remove check_openssl_server_bug As there is no $VERIFY for PSK test cases, check_openssl_server_bug is not functional in compat.sh. Signed-off-by: Yanray Wang --- tests/compat.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index eb67da93a..abf0e6468 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -200,17 +200,6 @@ filter() echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' } -# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for -# PSK ciphersuites with DTLS, which is incorrect, so disable them for now -check_openssl_server_bug() -{ - if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \ - test "$TYPE" = "PSK"; - then - SKIP_NEXT="YES" - fi -} - filter_ciphersuites() { if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; @@ -1045,7 +1034,6 @@ for MODE in $MODES; do start_server "OpenSSL" translate_ciphers m $M_CIPHERS for i in $ciphers; do - check_openssl_server_bug run_client mbedTLS ${i%%=*} ${i#*=} done stop_server From 5d646e705dc77377bd980950e8a0ada596b08f73 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 7 Feb 2023 11:29:11 +0800 Subject: [PATCH 4/7] compat.sh: do not filter PSK ciphersuites for GnuTLS if $VERIFY=YES Signed-off-by: Yanray Wang --- tests/compat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index abf0e6468..f0d027738 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -216,7 +216,7 @@ filter_ciphersuites() # For GnuTLS client -> mbed TLS server, # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails - if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then + if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; then G_CIPHERS="" fi } From a89c4d51f719ab802106cef3048a25d14cad7b33 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 7 Feb 2023 12:13:49 +0800 Subject: [PATCH 5/7] compat.sh: display "no" even if $VERIFY=YES for PSK test cases Signed-off-by: Yanray Wang --- tests/compat.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/compat.sh b/tests/compat.sh index f0d027738..5f24c492a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -999,6 +999,7 @@ for MODE in $MODES; do if [ "$TYPE" = "PSK" ]; then if [ -z "$PSK_TESTS" ]; then PSK_TESTS="FINISHED" + VERIF="no" else continue; fi From 3f9961bfcafbb7717cf984ffef806dcdfb16678e Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 7 Feb 2023 16:34:28 +0800 Subject: [PATCH 6/7] compat.sh: remove G_CLIENT_PRIO as it's not used Signed-off-by: Yanray Wang --- tests/compat.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/compat.sh b/tests/compat.sh index 5f24c492a..a3c7bc84f 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -588,7 +588,6 @@ setup_arguments() M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE" G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" - G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL" # Newer versions of OpenSSL have a syntax to enable all "ciphers", even # low-security ones. This covers not just cipher suites but also protocol From 303829709dcf3b9b37674eb82cf83052620f2f0a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 8 Feb 2023 12:38:31 +0800 Subject: [PATCH 7/7] compat.sh: simplify code of iterating on VERIFY for PSK tests Since PSK cipher suites do not allow client certificate verification, PSK test cases should be executed under VERIFY=NO. SUB_VERIFIES is used to constrain verification option for PSK tests. With aforementioned change, the latter check of $VERIFY=YES && $TYPE!=PSK is redundant so it's removed. Signed-off-by: Yanray Wang --- tests/compat.sh | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index a3c7bc84f..8f7d72c7b 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -216,7 +216,7 @@ filter_ciphersuites() # For GnuTLS client -> mbed TLS server, # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails - if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; then + if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then G_CIPHERS="" fi } @@ -603,7 +603,7 @@ setup_arguments() ;; esac - if [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10" @@ -990,20 +990,19 @@ SKIP_NEXT="NO" trap cleanup INT TERM HUP for MODE in $MODES; do - PSK_TESTS="" - for VERIFY in $VERIFIES; do - VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - for TYPE in $TYPES; do + for TYPE in $TYPES; do - if [ "$TYPE" = "PSK" ]; then - if [ -z "$PSK_TESTS" ]; then - PSK_TESTS="FINISHED" - VERIF="no" - else - continue; - fi - fi + # PSK cipher suites do not allow client certificate verification. + # This means PSK test cases with VERIFY=YES should be replaced by + # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain + # verification option for PSK test cases. + SUB_VERIFIES=$VERIFIES + if [ "$TYPE" = "PSK" ]; then + SUB_VERIFIES="NO" + fi + for VERIFY in $SUB_VERIFIES; do + VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') for PEER in $PEERS; do setup_arguments