compat.sh: properly skip single-DES and DTLS 1.2

Skipping DTLS 1.2 with old versions was already done, but now properly
test support only once and use the results.

Skipping single-DES with new versions is new, but helps finding the right
incantation.

Note that historically, this script's policy was that it's the user's
job to find the right value of -e (EXCLUDE) for their version of
OpenSSL & config. Now it's a weird mix of that and the script doing some
detection and skipping.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/tests/compat.sh b/tests/compat.sh
index 6a43e25..3d9fed3 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -936,13 +936,17 @@
         SKIP_NEXT_="YES"
     fi
 
-    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
-    # supports $O_MODE from the s_server help. (The s_client
-    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
-    # but doesn't list it. But the s_server help seems to be
-    # accurate.)
-    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
-        SKIP_NEXT_="YES"
+    # skip DTLS 1.2 is support was not detected
+    if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+        SKIP_NEXT="YES"
+    fi
+
+    # skip single-DES ciphersuite if no longer supported
+    if [ "$O_SUPPORT_SINGLE_DES" = "NO" ]; then
+        case "$1" in
+            # note: 3DES is DES-CBC3 for OpenSSL, 3DES for Mbed TLS
+            *-DES-CBC-*|DES-CBC-*) SKIP_NEXT="YES"
+        esac
     fi
 
     # skip static ECDH when OpenSSL doesn't support it
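Review bot: The context line at the top of this hunk still assigns `SKIP_NEXT_="YES"` (trailing underscore) while both added branches assign `SKIP_NEXT`; if that underscore is not deliberate, the check above them never causes a skip and should read `SKIP_NEXT="YES"`. The new comment has a typo and should read `# skip DTLS 1.2 if support was not detected`. The `-a` operator inside `[ ]` is obsolescent in POSIX and ambiguous with some operands; `[ "$O_SUPPORT_DTLS12" = "NO" ] && [ "$MODE" = "dtls12" ]` is the safer form. The enclosing function starts before the hunk, so the condition guarding that first assignment is not visible here.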
@@ -951,6 +955,8 @@
             *ECDH-*) SKIP_NEXT="YES"
         esac
     fi
+
+    printf "\no_check: $MODE $1 ($O_SUPPORT_DTLS12) -> $SKIP_NEXT\n"
 }
 
 # g_check_ciphersuite CIPHER_SUITE_NAME
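Review bot: The added `printf` looks like leftover debug output. It runs on every call of the function closed by the following `}`, and it expands `$MODE`, `$1` and `$SKIP_NEXT` inside the format string, so any `%` or backslash in those values would be interpreted by printf. If the trace is meant to stay, pass the values as arguments, `printf '\no_check: %s %s (%s) -> %s\n' "$MODE" "$1" "$O_SUPPORT_DTLS12" "$SKIP_NEXT"`, and gate it behind a verbose option; otherwise drop it before merge. The function body starts outside the hunk.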
@@ -1059,6 +1065,21 @@
         *) O_SUPPORT_STATIC_ECDH="NO";;
     esac
 
+    case $($OPENSSL ciphers ALL) in
+        *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+        *) O_SUPPORT_SINGLE_DES="NO";;
+    esac
+
+    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+    # supports -dtls1_2 from the s_server help. (The s_client
+    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+    # but doesn't list it. But the s_server help seems to be
+    # accurate.)
+    O_SUPPORT_DTLS12="NO"
+    if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+        O_SUPPORT_DTLS12="YES"
+    fi
+
     if [ "X$VERIFY" = "XYES" ];
     then
         M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
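Review bot: Both probes resolve to "NO" whenever `$OPENSSL` fails to run or prints output in an unexpected format, so a wrong OPENSSL path or a change in the help layout would silently remove every single-DES and DTLS 1.2 interop case from the run. Skipped cases reduce coverage of the legacy-protocol paths without leaving a trace, so I would report the detection result once here, e.g. `echo "OpenSSL support: single-DES=$O_SUPPORT_SINGLE_DES DTLS1.2=$O_SUPPORT_DTLS12"`. A one-line comment above the `case` stating that `*DES-CBC-*` does not match 3DES (`DES-CBC3` in OpenSSL naming) would also help the next reader. The enclosing function extends beyond the hunk on both sides.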