Merge pull request #7070 from yanrayw/2.28-7008-compatsh-disable-VERIFY-for-PSK

Backport 2.28: compat.sh: remove VERIFY and duplicate test cases for PSK
diff --git a/tests/compat.sh b/tests/compat.sh
index 02ffed2..f96c4e4 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -215,17 +215,6 @@
   echo "$NEW_LIST" | sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
 }
 
-# OpenSSL 1.0.1h with -Verify wants a ClientCertificate message even for
-# PSK ciphersuites with DTLS, which is incorrect, so disable them for now
-check_openssl_server_bug()
-{
-    if test "X$VERIFY" = "XYES" && is_dtls "$MODE" && \
-        echo "$1" | grep "^TLS-PSK" >/dev/null;
-    then
-        SKIP_NEXT="YES"
-    fi
-}
-
 filter_ciphersuites()
 {
     if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ];
@@ -242,7 +231,7 @@
 
     # For GnuTLS client -> mbed TLS server,
     # we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
-    if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
+    if is_dtls "$MODE" && [ "X$VERIFY" = "XYES" ]; then
         G_CIPHERS=""
     fi
 }
@@ -943,7 +932,6 @@
     M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
     O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
     G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
-    G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
 
     # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
     # low-security ones. This covers not just cipher suites but also protocol
@@ -1146,7 +1134,6 @@
 run_client() {
     # announce what we're going to do
     TESTS=$(( $TESTS + 1 ))
-    VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
     TITLE="`echo $1 | head -c1`->`echo $SERVER_NAME | head -c1`"
     TITLE="$TITLE $MODE,$VERIF $2"
     printf "%s " "$TITLE"
@@ -1343,9 +1330,20 @@
 
 trap cleanup INT TERM HUP
 
-for VERIFY in $VERIFIES; do
-    for MODE in $MODES; do
-        for TYPE in $TYPES; do
+for MODE in $MODES; do
+    for TYPE in $TYPES; do
+
+        # PSK cipher suites do not allow client certificate verification.
+        # This means PSK test cases with VERIFY=YES should be replaced by
+        # VERIFY=NO or be ignored. SUB_VERIFIES variable is used to constrain
+        # verification option for PSK test cases.
+        SUB_VERIFIES=$VERIFIES
+        if [ "$TYPE" = "PSK" ]; then
+            SUB_VERIFIES="NO"
+        fi
+
+        for VERIFY in $SUB_VERIFIES; do
+            VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]')
             for PEER in $PEERS; do
 
             setup_arguments
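Review bot: The PSK override `SUB_VERIFIES="NO"` replaces the requested verification modes instead of restricting them, so a run where `VERIFIES` holds only `YES` would still execute every PSK case with `VERIFY=NO`; how `VERIFIES` is populated is outside this hunk, so this is inferred from the loop alone. If "ignored" is the intended outcome for that selection, the branch could skip the type instead, for example `case " $VERIFIES " in *" NO "*) SUB_VERIFIES="NO" ;; *) continue ;; esac`. Either way the comment should say which of the two behaviours is deliberate, and that PSK handshakes against a server configured to require client authentication are no longer exercised by this script. `VERIF` is now assigned only here and is read by `run_client` when it builds `TITLE`, so a short comment such as `# VERIF is consumed by run_client for the test title` would make that dependency visible. The loop body continues past the end of this hunk.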
@@ -1375,7 +1373,6 @@
                     if [ "X" != "X$M_CIPHERS" ]; then
                         start_server "OpenSSL"
                         for i in $M_CIPHERS; do
-                            check_openssl_server_bug $i
                             run_client mbedTLS $i
                         done
                         stop_server