Merge pull request #9019 from mpg/compat-not-executed-2.28

[2.28] Fix compat.sh tests (reported as) not executed
diff --git a/tests/compat.sh b/tests/compat.sh
index c2ea882..c8c7482 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -133,6 +133,14 @@
 
 # list_test_case lists all potential test cases in compat.sh without execution
 list_test_cases() {
+    # We want to call filter_ciphersuites to apply standard-defined exclusions
+    # (like "no RC4 with DTLS") but without user-defined exludes/filters.
+    EXCLUDE='^$'
+    FILTER=""
+
+    # ssl3 is excluded by default, but it's still available
+    MODES="ssl3 $MODES"
+
     for MODE in $MODES; do
         for TYPE in $TYPES; do
             # PSK cipher suites do not allow client certificate verification.
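Review bot: `MODES="ssl3 $MODES"` prepends ssl3 unconditionally, so if `MODES` already contains `ssl3` when list_test_cases runs, every ssl3 case is listed twice. The callers changed in this commit do pass `-m 'ssl3 …'`, but whether `-m` is honoured together with listing depends on option handling outside this hunk. A guard such as `case " $MODES " in *" ssl3 "*) ;; *) MODES="ssl3 $MODES";; esac` avoids the duplicate. The assignments to `EXCLUDE`, `FILTER` and `MODES` also overwrite script-wide variables, which is only safe if the script exits right after listing; a comment saying so would help. The added comment has a typo ("exludes" should be "excludes"), and the function body continues past the end of the hunk.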
@@ -142,16 +150,31 @@
             fi
             for VERIFY in $SUB_VERIFIES; do
                 VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
-                reset_ciphersuites
-                add_common_ciphersuites
-                add_openssl_ciphersuites
-                add_gnutls_ciphersuites
-                add_mbedtls_ciphersuites
-                print_test_case m O "$O_CIPHERS"
-                print_test_case O m "$O_CIPHERS"
-                print_test_case m G "$G_CIPHERS"
-                print_test_case G m "$G_CIPHERS"
-                print_test_case m m "$M_CIPHERS"
+                for PEER in $PEERS; do
+                    reset_ciphersuites
+                    add_common_ciphersuites
+                    case "$PEER" in
+                        [Oo]pen*)
+                            add_openssl_ciphersuites
+                            filter_ciphersuites
+                            print_test_case m O "$M_CIPHERS"
+                            print_test_case O m "$O_CIPHERS"
+                            ;;
+                        [Gg]nu*)
+                            add_gnutls_ciphersuites
+                            filter_ciphersuites
+                            print_test_case m G "$M_CIPHERS"
+                            print_test_case G m "$G_CIPHERS"
+                            ;;
+                        mbed*)
+                            add_openssl_ciphersuites
+                            add_gnutls_ciphersuites
+                            add_mbedtls_ciphersuites
+                            filter_ciphersuites
+                            print_test_case m m "$M_CIPHERS"
+                            ;;
+                    esac
+                done
             done
         done
     done
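Review bot: The new `case "$PEER"` in list_test_cases has no default arm, so a `PEERS` entry that matches none of `[Oo]pen*`, `[Gg]nu*` or `mbed*` produces no listed cases and no diagnostic. Since the listing is what outcome analysis compares against, a silent gap here would hide exactly the "not executed" condition this change is meant to expose. Adding `*) echo "Unknown peer: $PEER" >&2; exit 1;;` before `esac` makes the mismatch visible. The execution loop is not visible here, so check that its handling of unknown peers stays in step with this one.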
@@ -272,17 +295,9 @@
 
 filter_ciphersuites()
 {
-    if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
-    then
-        # Ciphersuite for Mbed TLS
-        M_CIPHERS=$( filter "$M_CIPHERS" )
-
-        # Ciphersuite for OpenSSL
-        O_CIPHERS=$( filter "$O_CIPHERS" )
-
-        # Ciphersuite for GnuTLS
-        G_CIPHERS=$( filter "$G_CIPHERS" )
-    fi
+    M_CIPHERS=$( filter "$M_CIPHERS" )
+    O_CIPHERS=$( filter "$O_CIPHERS" )
+    G_CIPHERS=$( filter "$G_CIPHERS" )
 }
 
 reset_ciphersuites()
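Review bot: filter_ciphersuites now calls `filter` unconditionally, but nothing documents what an empty `FILTER` or `EXCLUDE` means once the guard is gone. Callers on this page spell "exclude nothing" as `'^$'`, which suggests an empty `EXCLUDE` is not a safe no-op. If `filter` passes the value to an inverted match, an empty pattern would drop every suite; `filter` is not shown here, so this needs confirming. A header comment on the function would cover it, for example `# Always applies $FILTER and $EXCLUDE; use EXCLUDE='^$' to exclude nothing.`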
@@ -640,14 +655,18 @@
             ;;
 
         "RSA")
-            # Not actually supported with all GnuTLS versions. See
-            # GNUTLS_HAS_TLS1_RSA_NULL_SHA256= below.
-            M_CIPHERS="$M_CIPHERS                               \
-                    TLS-RSA-WITH-NULL-SHA256                    \
-                    "
-            G_CIPHERS="$G_CIPHERS                               \
-                    +RSA:+NULL:+SHA256                          \
-                    "
+            if [ `minor_ver "$MODE"` -ge 1 ]
+            then
+                # Not actually supported with all GnuTLS versions. See
+                # GNUTLS_HAS_TLS1_RSA_NULL_SHA256= below.
+                M_CIPHERS="$M_CIPHERS                               \
+                        TLS-RSA-WITH-NULL-SHA256                    \
+                        "
+                G_CIPHERS="$G_CIPHERS                               \
+                        +RSA:+NULL:+SHA256                          \
+                        "
+            fi
+
             if [ `minor_ver "$MODE"` -ge 3 ]
             then
                 M_CIPHERS="$M_CIPHERS                           \
@@ -912,7 +931,26 @@
 # o_check_ciphersuite CIPHER_SUITE_NAME
 o_check_ciphersuite()
 {
-    if [ "${O_SUPPORT_ECDH}" = "NO" ]; then
+    # skip DTLS when lack of support was declared
+    if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
+        SKIP_NEXT_="YES"
+    fi
+
+    # skip DTLS 1.2 is support was not detected
+    if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+        SKIP_NEXT="YES"
+    fi
+
+    # skip single-DES ciphersuite if no longer supported
+    if [ "$O_SUPPORT_SINGLE_DES" = "NO" ]; then
+        case "$1" in
+            # note: 3DES is DES-CBC3 for OpenSSL, 3DES for Mbed TLS
+            *-DES-CBC-*|DES-CBC-*) SKIP_NEXT="YES"
+        esac
+    fi
+
+    # skip static ECDH when OpenSSL doesn't support it
+    if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then
         case "$1" in
             *ECDH-*) SKIP_NEXT="YES"
         esac
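Review bot: The first added check in o_check_ciphersuite assigns `SKIP_NEXT_="YES"` with a trailing underscore, while every other branch in the hunk sets `SKIP_NEXT`. As written, declaring `OSSL_NO_DTLS` does not skip DTLS cases against OpenSSL. They are run and will presumably fail instead of being skipped, which is the behaviour the removed `continue` used to prevent. The line should read `SKIP_NEXT="YES"`. In the same block, `test "$OSSL_NO_DTLS" -gt 0` prints an error when the variable is unset or empty, so `"${OSSL_NO_DTLS:-0}"` would be more robust unless a default is set elsewhere. The comment "skip DTLS 1.2 is support was not detected" should read "if support".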
@@ -1021,10 +1059,25 @@
     esac
 
     case $($OPENSSL ciphers ALL) in
-        *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";;
-        *) O_SUPPORT_ECDH="NO";;
+        *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";;
+        *) O_SUPPORT_STATIC_ECDH="NO";;
     esac
 
+    case $($OPENSSL ciphers ALL) in
+        *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+        *) O_SUPPORT_SINGLE_DES="NO";;
+    esac
+
+    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+    # supports -dtls1_2 from the s_server help. (The s_client
+    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+    # but doesn't list it. But the s_server help seems to be
+    # accurate.)
+    O_SUPPORT_DTLS12="NO"
+    if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+        O_SUPPORT_DTLS12="YES"
+    fi
+
     if [ "X$VERIFY" = "XYES" ];
     then
         M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
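Review bot: The three new capability probes treat any failure of `$OPENSSL` the same as "feature not supported". If the binary is missing or errors out, `O_SUPPORT_SINGLE_DES` and `O_SUPPORT_DTLS12` both end up `NO` and the affected cases are skipped without a diagnostic. It would be safer to run `$OPENSSL ciphers ALL` once, e.g. `O_ALL_CIPHERS=$($OPENSSL ciphers ALL)`, check its exit status, and reuse the result in both `case` statements. That also avoids spawning the same command twice each time this setup code runs. The enclosing function starts and ends outside the hunk, so an earlier check on the binary may already exist.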
@@ -1474,19 +1527,6 @@
 
                 [Oo]pen*)
 
-                    if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then
-                        continue;
-                    fi
-
-                    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
-                    # supports $O_MODE from the s_server help. (The s_client
-                    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
-                    # but doesn't list it. But the s_server help seems to be
-                    # accurate.)
-                    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
-                        continue;
-                    fi
-
                     reset_ciphersuites
                     add_common_ciphersuites
                     add_openssl_ciphersuites
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 6b4b4e4..7608b55 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -928,8 +928,18 @@
     msg "test: ssl-opt.sh (full config, ASan build)"
     tests/ssl-opt.sh
 
-    msg "test: compat.sh (full config, ASan build)"
-    tests/compat.sh
+    msg "test: compat.sh all except legacy/next (full config, ASan build)"
+    tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
+
+    msg "test: compat.sh single-DES (full config, ASan build)"
+    env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
+
+    # ARIA and ChachaPoly are both (D)TLS 1.2 only
+    msg "test: compat.sh ARIA + ChachaPoly (full config, ASan build)"
+    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \
+        -m 'tls12 dtls12'
 
     msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec
     tests/context-info.sh
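Review bot: The single-DES filter `-f '^DES-CBC\|-DES-CBC-'` is not the complement of the exclusion `-e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA'` used in the run above it. The first alternative lacks the trailing hyphen, so it also matches names beginning with `DES-CBC3`, which the comment in compat.sh gives as OpenSSL's name for 3DES. If the filter is applied to cipher suite names, those 3DES suites are selected by both the default and the legacy invocation. Using `-f '^DES-CBC-\|-DES-CBC-'` would make the two runs disjoint. The same pair of patterns appears in the MBEDTLS_USE_PSA_CRYPTO component later in this file and in tests/scripts/basic-build-test.sh.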
@@ -1628,15 +1638,6 @@
 
     msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
     tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
-
-    msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min
-    tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
-
-    msg "test: compat.sh single-DES (full config)" # ~ 30s
-    env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
-
-    msg "test: compat.sh ARIA + ChachaPoly"
-    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }
 
 skip_suites_without_constant_flow () {
@@ -1925,17 +1926,18 @@
     msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)"
     tests/ssl-opt.sh
 
-    msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    tests/compat.sh
-
-    msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
+    msg "test: compat.sh all except legacy/next (full minus MBEDTLS_USE_PSA_CRYPTO)"
+    tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
 
     msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
+    env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
 
+    # ARIA and ChachaPoly are both (D)TLS 1.2 only
     msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \
+        -m 'tls12 dtls12'
 }
 
 component_test_psa_crypto_config_accel_ecdsa () {
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index d50a04e..f88d799 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -113,6 +113,18 @@
                 'test_suite_psa_crypto_metadata;Asymmetric signature: pure EdDSA',
                 # Algorithm not supported yet
                 'test_suite_psa_crypto_metadata;Cipher: XTS',
+                # compat.sh tests with OpenSSL, DTLS 1.2 and singled-DES:
+                # we have no version of OpenSSL on the CI that supports both
+                # DTLS 1.2 and single-DES (1.0.2g is too recent for single-DES
+                # and 1.0.1j is too old for DTLS 1.2).
+                'compat;O->m dtls12,no DES-CBC-SHA',
+                'compat;O->m dtls12,no EDH-RSA-DES-CBC-SHA',
+                'compat;O->m dtls12,yes DES-CBC-SHA',
+                'compat;O->m dtls12,yes EDH-RSA-DES-CBC-SHA',
+                'compat;m->O dtls12,no TLS-DHE-RSA-WITH-DES-CBC-SHA',
+                'compat;m->O dtls12,no TLS-RSA-WITH-DES-CBC-SHA',
+                'compat;m->O dtls12,yes TLS-DHE-RSA-WITH-DES-CBC-SHA',
+                'compat;m->O dtls12,yes TLS-RSA-WITH-DES-CBC-SHA',
             ],
             'full_coverage': False,
         }
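Review bot: The comment above the new ignore entries says "singled-DES" where "single-DES" is meant; it should read `# compat.sh tests with OpenSSL, DTLS 1.2 and single-DES:`. The eight strings are hard-coded copies of test descriptions produced by compat.sh, so a change to the naming there would leave stale entries that exempt nothing. A sentence in the comment saying where the names come from (presumably the compat.sh listing output) would help whoever has to update them.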
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 9d9c999..37f1519 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -104,17 +104,20 @@
 # Step 2c - Compatibility tests (keep going even if some tests fail)
 echo '################ compat.sh ################'
 {
-    echo '#### compat.sh: Default ciphers'
-    sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
+    echo '#### compat.sh: all except legacy/next'
+    sh compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
     echo
 
-    echo '#### compat.sh: legacy (null, DES, RC4)'
-    OPENSSL="$OPENSSL_LEGACY" \
-    sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
+    echo '#### compat.sh: legacy (single-DES)'
+    OPENSSL="$OPENSSL_LEGACY" sh compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \
+        -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
     echo
 
+    # ARIA and ChachaPoly are both (D)TLS 1.2 only
     echo '#### compat.sh: next (ARIA, ChaCha)'
-    OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA'
+    OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA' \
+        -m 'tls12 dtls12'
     echo
 } | tee compat-test-$TEST_OUTPUT
 echo '^^^^^^^^^^^^^^^^ compat.sh ^^^^^^^^^^^^^^^^'