cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-03 02:23:32 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7052 from yanrayw/7008-compatsh-disable-VERIFY-for-PSK

Browse Source 
compat.sh: remove VERIFY and duplicate test cases for PSK
This commit is contained in:
Gilles Peskine 2023-02-10 15:07:27 +01:00 committed by GitHub
commit 3196ceb2fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
tests/compat.sh
View File

@ -200,17 +200,6 @@ filter()
echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
} }
# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
check_openssl_server_bug()
{
if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
test "$TYPE" = "PSK";
then
SKIP_NEXT="YES"
fi
}
filter_ciphersuites() filter_ciphersuites()
{ {
if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
@ -227,7 +216,7 @@ filter_ciphersuites()
# For GnuTLS client -> mbed TLS server, # For GnuTLS client -> mbed TLS server,
# we need to force IPv4 by connecting to 127.0.0.1 but then auth fails # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
G_CIPHERS="" G_CIPHERS=""
fi fi
} }
@ -599,7 +588,6 @@ setup_arguments()
M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE" M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE" O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE" G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol # low-security ones. This covers not just cipher suites but also protocol
@ -1001,10 +989,20 @@ SKIP_NEXT="NO"
trap cleanup INT TERM HUP trap cleanup INT TERM HUP
for VERIFY in $VERIFIES; do for MODE in $MODES; do
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') for TYPE in $TYPES; do
for MODE in $MODES; do
for TYPE in $TYPES; do # PSK cipher suites do not allow client certificate verification.
# This means PSK test cases with VERIFY=YES should be replaced by
# VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
# verification option for PSK test cases.
SUB_VERIFIES=$VERIFIES
if [ "$TYPE" = "PSK" ]; then
SUB_VERIFIES="NO"
fi
for VERIFY in $SUB_VERIFIES; do
VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
for PEER in $PEERS; do for PEER in $PEERS; do
setup_arguments setup_arguments
@ -1035,7 +1033,6 @@ for VERIFY in $VERIFIES; do
start_server "OpenSSL" start_server "OpenSSL"
translate_ciphers m $M_CIPHERS translate_ciphers m $M_CIPHERS
for i in $ciphers; do for i in $ciphers; do
check_openssl_server_bug
run_client mbedTLS ${i%%=*} ${i#*=} run_client mbedTLS ${i%%=*} ${i#*=}
done done
stop_server stop_server