Adapt tests for PSK in PSK-only builds
In a PSK-only build:
* Skip tests that rely on a specific non-PSK cipher suite.
* Skip tests that exercise a certificate authentication feature.
* Pass a pre-shared key in tests that don't mind the key exchange type.
This commit only considers PSK-only builds vs builds with certificates. It
does not aim to do something useful for builds with an asymmetric key
exchange and a pre-shared key for authentication.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 2a6a04f..6a01695 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -298,6 +298,69 @@
unset ciphersuite
}
+adapt_cmd_for_psk () {
+ case "$2" in
+ *openssl*) s='-psk abc123 -nocert';;
+ *gnutls-*) s='--pskkey=abc123';;
+ *) s='psk=abc123';;
+ esac
+ eval $1='"$2 $s"'
+ unset s
+}
+
+# maybe_adapt_for_psk [RUN_TEST_OPTION...]
+# If running in a PSK-only build, maybe adapt the test to use a pre-shared key.
+#
+# If not running in a PSK-only build, do nothing.
+# If the test looks like it doesn't use a pre-shared key but can run with a
+# pre-shared key, pass a pre-shared key. If the test looks like it can't run
+# with a pre-shared key, skip it. If the test looks like it's already using
+# a pre-shared key, do nothing.
+#
+# This code does not consider builds with ECDH-PSK or RSA-PSK.
+#
+# Inputs:
+# * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands.
+# * $PSK_ONLY: YES if running in a PSK-only build (no asymmetric key exchanges).
+# * "$@": options passed to run_test.
+#
+# Outputs:
+# * $CLI_CMD, $SRV_CMD: may be modified to add PSK-relevant arguments.
+# * $SKIP_NEXT: set to YES if the test can't run with PSK.
+maybe_adapt_for_psk() {
+ if [ "$PSK_ONLY" != "YES" ]; then
+ return
+ fi
+ if [ "$SKIP_NEXT" = "YES" ]; then
+ return
+ fi
+ case "$CLI_CMD $SRV_CMD" in
+ *[-_\ =]psk*|*[-_\ =]PSK*)
+ return;;
+ *force_ciphersuite*)
+ # The test case forces a non-PSK cipher suite. In some cases, a
+ # PSK cipher suite could be substituted, but we're not ready for
+ # that yet.
+ SKIP_NEXT="YES"
+ return;;
+ *\ auth_mode=*|*[-_\ =]crt[_=]*)
+ # The test case involves certificates. PSK won't do.
+ SKIP_NEXT="YES"
+ return;;
+ esac
+ adapt_cmd_for_psk CLI_CMD "$CLI_CMD"
+ adapt_cmd_for_psk SRV_CMD "$SRV_CMD"
+}
+
+case " $CONFIGS_ENABLED " in
+ *\ MBEDTLS_KEY_EXCHANGE_[^P]*) PSK_ONLY="NO";;
+ *\ MBEDTLS_KEY_EXCHANGE_P[^S]*) PSK_ONLY="NO";;
+ *\ MBEDTLS_KEY_EXCHANGE_PS[^K]*) PSK_ONLY="NO";;
+ *\ MBEDTLS_KEY_EXCHANGE_PSK[^_]*) PSK_ONLY="NO";;
+ *\ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED\ *) PSK_ONLY="YES";;
+ *) PSK_ONLY="NO";;
+esac
+
# skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@@ -1084,6 +1147,9 @@
maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@"
maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@"
+ # If we're in a PSK-only build and the test can be adapted to PSK, do that.
+ maybe_adapt_for_psk "$@"
+
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO"