yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-08 10:09:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adapt tests for PSK in PSK-only builds

Browse source 
In a PSK-only build:
* Skip tests that rely on a specific non-PSK cipher suite.
* Skip tests that exercise a certificate authentication feature.
* Pass a pre-shared key in tests that don't mind the key exchange type.

This commit only considers PSK-only builds vs builds with certificates. It
does not aim to do something useful for builds with an asymmetric key
exchange and a pre-shared key for authentication.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2022-02-25 19:52:52 +01:00
parent 111fde4ce9
commit 89d892ffdd
1 changed files with 66 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
tests/ssl-opt.sh
View file

@ -298,6 +298,69 @@ maybe_requires_ciphersuite_enabled() {
unset ciphersuite unset ciphersuite
} }
adapt_cmd_for_psk () {
case "$2" in
*openssl*) s='-psk abc123 -nocert';;
*gnutls-*) s='--pskkey=abc123';;
*) s='psk=abc123';;
esac
eval $1='"$2 $s"'
unset s
}
# maybe_adapt_for_psk [RUN_TEST_OPTION...]
# If running in a PSK-only build, maybe adapt the test to use a pre-shared key.
#
# If not running in a PSK-only build, do nothing.
# If the test looks like it doesn't use a pre-shared key but can run with a
# pre-shared key, pass a pre-shared key. If the test looks like it can't run
# with a pre-shared key, skip it. If the test looks like it's already using
# a pre-shared key, do nothing.
#
# This code does not consider builds with ECDH-PSK or RSA-PSK.
#
# Inputs:
# * $CLI_CMD, $SRV_CMD, $PXY_CMD: client/server/proxy commands.
# * $PSK_ONLY: YES if running in a PSK-only build (no asymmetric key exchanges).
# * "$@": options passed to run_test.
#
# Outputs:
# * $CLI_CMD, $SRV_CMD: may be modified to add PSK-relevant arguments.
# * $SKIP_NEXT: set to YES if the test can't run with PSK.
maybe_adapt_for_psk() {
if [ "$PSK_ONLY" != "YES" ]; then
return
fi
if [ "$SKIP_NEXT" = "YES" ]; then
return
fi
case "$CLI_CMD $SRV_CMD" in
*[-_\ =]psk*|*[-_\ =]PSK*)
return;;
*force_ciphersuite*)
# The test case forces a non-PSK cipher suite. In some cases, a
# PSK cipher suite could be substituted, but we're not ready for
# that yet.
SKIP_NEXT="YES"
return;;
*\ auth_mode=*|*[-_\ =]crt[_=]*)
# The test case involves certificates. PSK won't do.
SKIP_NEXT="YES"
return;;
esac
adapt_cmd_for_psk CLI_CMD "$CLI_CMD"
adapt_cmd_for_psk SRV_CMD "$SRV_CMD"
}
case " $CONFIGS_ENABLED " in
*\ MBEDTLS_KEY_EXCHANGE_[^P]*) PSK_ONLY="NO";;
*\ MBEDTLS_KEY_EXCHANGE_P[^S]*) PSK_ONLY="NO";;
*\ MBEDTLS_KEY_EXCHANGE_PS[^K]*) PSK_ONLY="NO";;
*\ MBEDTLS_KEY_EXCHANGE_PSK[^_]*) PSK_ONLY="NO";;
*\ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED\ *) PSK_ONLY="YES";;
*) PSK_ONLY="NO";;
esac
# skip next test if OpenSSL doesn't support FALLBACK_SCSV # skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() { requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@ -1084,6 +1147,9 @@ run_test() {
maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@" maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@"
maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@" maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@"
# If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@"
# should we skip? # should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO" SKIP_NEXT="NO"