compat.sh: properly skip single-DES and DTLS 1.2

Skipping DTLS 1.2 with old versions was already done, but now properly test support only once and use the results. Skipping single-DES with new versions is new, but helps finding the right incantation. Note that historically, this script's policy was that it's the user's job to find the right value of -e (EXCLUDE) for their version for OpenSSL & config. Now it's a weird mix of that and the script doing some detection and skipping. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-09-14 09:36:39 -04:00 · 2024-04-10 22:11:20 +02:00 · 2024-04-10 22:11:20 +02:00 · de05197829
commit de05197829
parent 7e5d81d431
1 changed files with 28 additions and 7 deletions
--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -936,13 +936,17 @@ o_check_ciphersuite()
        SKIP_NEXT_="YES"
    fi

-    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
-    # supports $O_MODE from the s_server help. (The s_client
-    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
-    # but doesn't list it. But the s_server help seems to be
-    # accurate.)
-    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
-        SKIP_NEXT_="YES"
+    # skip DTLS 1.2 is support was not detected
+    if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+        SKIP_NEXT="YES"
+    fi
+
+    # skip single-DES ciphersuite if no longer supported
+    if [ "$O_SUPPORT_SINGLE_DES" = "NO" ]; then
+        case "$1" in
+            # note: 3DES is DES-CBC3 for OpenSSL, 3DES for Mbed TLS
+            *-DES-CBC-*|DES-CBC-*) SKIP_NEXT="YES"
+        esac
    fi

    # skip static ECDH when OpenSSL doesn't support it
@ -951,6 +955,8 @@ o_check_ciphersuite()
            *ECDH-*) SKIP_NEXT="YES"
        esac
    fi
+
+    printf "\no_check: $MODE $1 ($O_SUPPORT_DTLS12) -> $SKIP_NEXT\n"
 }

 # g_check_ciphersuite CIPHER_SUITE_NAME
@ -1059,6 +1065,21 @@ setup_arguments()
        *) O_SUPPORT_STATIC_ECDH="NO";;
    esac

+    case $($OPENSSL ciphers ALL) in
+        *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+        *) O_SUPPORT_SINGLE_DES="NO";;
+    esac
+
+    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+    # supports -dtls1_2 from the s_server help. (The s_client
+    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+    # but doesn't list it. But the s_server help seems to be
+    # accurate.)
+    O_SUPPORT_DTLS12="NO"
+    if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+        O_SUPPORT_DTLS12="YES"
+    fi
+
    if [ "X$VERIFY" = "XYES" ];
    then
        M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"