From eafa35569104c993b43a04f8ea302bac05a9d07f Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Mon, 6 Feb 2023 18:08:54 +0800
Subject: [PATCH 1/7] compat.sh: ignore $VERIFY in PSK TYPE

There is no need to provide CA file in PSK. Thus VERIFY is meaningless for PSK. This change omits the arguments passed to the client and server for $VERIFY=YES.

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/compat.sh b/tests/compat.sh
index 02ffed21c..bbe681bf4 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -959,7 +959,7 @@ setup_arguments()
 ;;
 esac
- if [ "X$VERIFY" = "XYES" ];
+ if [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ];
 then
 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
From 571e24b6a5a57d637a870075c7d78bcafd0ac407 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Tue, 7 Feb 2023 10:41:04 +0800
Subject: [PATCH 2/7] compat.sh: avoid running duplicate test cases for PSK

With the introduction of PSK_TESTS,
- Either `compat.sh -V NO` or `compat.sh -V YES` runs the PSK tests
- `compat.sh` or `compat.sh -V "NO YES"` runs PSK tests only once

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/tests/compat.sh b/tests/compat.sh
index bbe681bf4..e1c1a978e 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -1343,9 +1343,20 @@ SKIP_NEXT="NO"
 trap cleanup INT TERM HUP
-for VERIFY in $VERIFIES; do
- for MODE in $MODES; do
+for MODE in $MODES; do
+ PSK_TESTS=""
+ for VERIFY in $VERIFIES; do
+ VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
 for TYPE in $TYPES; do
+
+ if [ "$TYPE" = "PSK" ]; then
+ if [ -z "$PSK_TESTS" ]; then
+ PSK_TESTS="FINISHED"
+ else
+ continue;
+ fi
+ fi
+
 for PEER in $PEERS; do
 setup_arguments
From b1ae735f0934b506f20213dc86c54aad9b688751 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Tue, 7 Feb 2023 10:51:56 +0800
Subject: [PATCH 3/7] compat.sh: remove check_openssl_server_bug

As there is no $VERIFY for PSK test cases, check_openssl_server_bug is not functional in compat.sh.

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/tests/compat.sh b/tests/compat.sh
index e1c1a978e..0ee62fcfd 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -215,17 +215,6 @@ filter()
 echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
 }
-# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
-# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
-check_openssl_server_bug()
-{
- if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
- echo "$1" | grep "^TLS-PSK" >/dev/null;
- then
- SKIP_NEXT="YES"
- fi
-}
-
 filter_ciphersuites()
 {
 if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
@@ -1386,7 +1375,6 @@ for MODE in $MODES; do
 if [ "X" != "X$M_CIPHERS" ]; then
 start_server "OpenSSL"
 for i in $M_CIPHERS; do
- check_openssl_server_bug $i
 run_client mbedTLS $i
 done
 stop_server
From 89ac843941155c6fe68cc89aa00f1944630c0702 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Tue, 7 Feb 2023 11:29:11 +0800
Subject: [PATCH 4/7] compat.sh: do not filter PSK ciphersuites for GnuTLS if $VERIFY=YES

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/compat.sh b/tests/compat.sh
index 0ee62fcfd..081640c20 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -231,7 +231,7 @@ filter_ciphersuites()
 # For GnuTLS client -> mbed TLS server,
 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
- if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
+ if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; then
 G_CIPHERS=""
 fi
 }
From 34ddcc969151227ae9a53a84874daf9d92f97888 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Tue, 7 Feb 2023 12:13:49 +0800
Subject: [PATCH 5/7] compat.sh: display "no" even if $VERIFY=YES for PSK test cases

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/compat.sh b/tests/compat.sh
index 081640c20..2c4d55b33 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -1341,6 +1341,7 @@ for MODE in $MODES; do
 if [ "$TYPE" = "PSK" ]; then
 if [ -z "$PSK_TESTS" ]; then
 PSK_TESTS="FINISHED"
+ VERIF="no"
 else
 continue;
 fi
From 8332db92bd07f531883a057ef691a3459039e211 Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Tue, 7 Feb 2023 16:34:28 +0800
Subject: [PATCH 6/7] compat.sh: remove G_CLIENT_PRIO as it's not used

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/compat.sh b/tests/compat.sh
index 2c4d55b33..578b1858c 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -932,7 +932,6 @@ setup_arguments()
 M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
 O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
 G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
- G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
 # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
 # low-security ones. This covers not just cipher suites but also protocol
From 21daf2930a343068e6d318d0c827839e9b276cfd Mon Sep 17 00:00:00 2001
From: Yanray Wang
Date: Wed, 8 Feb 2023 12:38:31 +0800
Subject: [PATCH 7/7] compat.sh: simplify code of iterating on VERIFY for PSK tests

Since PSK cipher suites do not allow client certificate verification, PSK test cases should be executed under VERIFY=NO. SUB_VERIFIES is used to constrain verification option for PSK tests. With aforementioned change, the latter check of $VERIFY=YES && $TYPE!=PSK is redundant so it's removed.

Signed-off-by: Yanray Wang
---
 tests/compat.sh | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
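Review bot: The `VERIF="no"` override added in [PATCH 5/7] does not reach the printed test title at that commit, because `run_client` still recomputes `VERIF` from `$VERIFY` on every call; that assignment is only dropped in [PATCH 7/7]. A PSK run entered with VERIFY=YES would therefore still be labelled `yes`, which is the opposite of what the subject line promises. Moving the removal of `VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')` from `run_client` into this commit would keep each step of the series correct on its own, which matters when bisecting test-log differences. The enclosing loops and `run_client` itself lie outside this hunk.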
diff --git a/tests/compat.sh b/tests/compat.sh
index 578b1858c..f96c4e4c6 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -231,7 +231,7 @@ filter_ciphersuites()
 # For GnuTLS client -> mbed TLS server,
 # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
- if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ]; then
+ if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
 G_CIPHERS=""
 fi
 }
@@ -947,7 +947,7 @@ setup_arguments()
 ;;
 esac
- if [ "X$VERIFY" = "XYES" ] && [ "$TYPE" != "PSK" ];
+ if [ "X$VERIFY" = "XYES" ];
 then
 M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
 O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
@@ -1134,7 +1134,6 @@ wait_client_done() {
 run_client() {
 # announce what we're going to do
 TESTS=$(( $TESTS + 1 ))
- VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
 TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
 TITLE="$TITLE $MODE,$VERIF $2"
 printf "%s " "$TITLE"
@@ -1332,20 +1331,19 @@ SKIP_NEXT="NO"
 trap cleanup INT TERM HUP
 for MODE in $MODES; do
- PSK_TESTS=""
- for VERIFY in $VERIFIES; do
- VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
- for TYPE in $TYPES; do
+ for TYPE in $TYPES; do
- if [ "$TYPE" = "PSK" ]; then
- if [ -z "$PSK_TESTS" ]; then
- PSK_TESTS="FINISHED"
- VERIF="no"
- else
- continue;
- fi
- fi
+ # PSK cipher suites do not allow client certificate verification.
+ # This means PSK test cases with VERIFY=YES should be replaced by
+ # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
+ # verification option for PSK test cases.
+ SUB_VERIFIES=$VERIFIES
+ if [ "$TYPE" = "PSK" ]; then
+ SUB_VERIFIES="NO"
+ fi
+ for VERIFY in $SUB_VERIFIES; do
+ VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
 for PEER in $PEERS; do
 setup_arguments
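Review bot: Dropping `[ "$TYPE" != "PSK" ]` from the condition in `filter_ciphersuites` (and from the `if` in `setup_arguments` in the next hunk) leaves both helpers relying on the main loop never pairing TYPE=PSK with VERIFY=YES, and nothing at either site records that. If a later change sets `VERIFY` elsewhere or calls these helpers from another loop, PSK servers would again be started with `auth_mode=required` / `-Verify 10` and the GnuTLS DTLS list would be emptied for PSK. A one-line comment at each condition would pin the dependency, e.g. `# VERIFY is always NO when TYPE=PSK (see SUB_VERIFIES in the main loop)`. Both function bodies start and end outside their hunks.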
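Review bot: The new comment in the main-loop hunk says PSK cases with VERIFY=YES are "replaced by VERIFY=NO or be ignored", but the code only ever does the first: `SUB_VERIFIES="NO"` runs the PSK suites once with verification off even when the caller passed `-V YES` alone. Saying so directly, e.g. `# PSK suites always run exactly once with VERIFY=NO, whatever -V requested.`, keeps a reader from assuming `-V YES` skips them or exercises client-certificate checks. `run_client` now also depends on `VERIF` being set by this loop (its own assignment is removed in the previous hunk), which is worth a line in the comment at the top of `run_client`. As a style point, `VERIF=$(echo $VERIFY | tr ...)` leaves `$VERIFY` unquoted; `VERIF=$(printf '%s' "$VERIFY" | tr '[:upper:]' '[:lower:]')` is the safer form. The loop body continues past the end of the hunk.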