ssl-opt: check for protocol version support

Skip tests that require a specific version of the protocol if that version
is disabled at compile time.

This commit only partially does the job, mostly covering tests that check
the protocol version in client or server logs. It is not intended to be
exhaustive; in particular many uses of force_version are not covered (I
think they should instead be covered automatically, but this is out of scope
of the current commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine 2022-04-08 15:14:38 +02:00
parent 4502671e0b
commit df4ad90a15


@ -1123,6 +1123,7 @@ run_test() {
} }
run_test_psa() { run_test_psa() {
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSA-supported ciphersuite: $1" \ run_test "PSA-supported ciphersuite: $1" \
"$P_SRV debug_level=3 force_version=tls12" \ "$P_SRV debug_level=3 force_version=tls12" \
@ -1146,6 +1147,7 @@ run_test_psa() {
} }
run_test_psa_force_curve() { run_test_psa_force_curve() {
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
run_test "PSA - ECDH with $1" \ run_test "PSA - ECDH with $1" \
"$P_SRV debug_level=4 force_version=tls12" \ "$P_SRV debug_level=4 force_version=tls12" \
@ -1382,6 +1384,7 @@ trap cleanup INT TERM HUP
# - things work with all ciphersuites active (used with config-full in all.sh) # - things work with all ciphersuites active (used with config-full in all.sh)
# - the expected (highest security) parameters are selected # - the expected (highest security) parameters are selected
# ("signature_algorithm ext: 6" means SHA-512 (highest common hash)) # ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Default" \ run_test "Default" \
"$P_SRV debug_level=3" \ "$P_SRV debug_level=3" \
"$P_CLI" \ "$P_CLI" \
@ -1393,6 +1396,7 @@ run_test "Default" \
-S "error" \ -S "error" \
-C "error" -C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Default, DTLS" \ run_test "Default, DTLS" \
"$P_SRV dtls=1" \ "$P_SRV dtls=1" \
"$P_CLI dtls=1" \ "$P_CLI dtls=1" \
@ -5291,6 +5295,7 @@ run_test "Event-driven I/O, DTLS: session-id resume, UDP packing" \
# Tests for version negotiation # Tests for version negotiation
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Version check: all -> 1.2" \ run_test "Version check: all -> 1.2" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI" \ "$P_CLI" \
@ -5300,6 +5305,7 @@ run_test "Version check: all -> 1.2" \
-s "Protocol is TLSv1.2" \ -s "Protocol is TLSv1.2" \
-c "Protocol is TLSv1.2" -c "Protocol is TLSv1.2"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "Version check: cli max 1.1 -> 1.1" \ run_test "Version check: cli max 1.1 -> 1.1" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI max_version=tls1_1" \ "$P_CLI max_version=tls1_1" \
@ -5309,6 +5315,7 @@ run_test "Version check: cli max 1.1 -> 1.1" \
-s "Protocol is TLSv1.1" \ -s "Protocol is TLSv1.1" \
-c "Protocol is TLSv1.1" -c "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "Version check: srv max 1.1 -> 1.1" \ run_test "Version check: srv max 1.1 -> 1.1" \
"$P_SRV max_version=tls1_1" \ "$P_SRV max_version=tls1_1" \
"$P_CLI" \ "$P_CLI" \
@ -5318,6 +5325,7 @@ run_test "Version check: srv max 1.1 -> 1.1" \
-s "Protocol is TLSv1.1" \ -s "Protocol is TLSv1.1" \
-c "Protocol is TLSv1.1" -c "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "Version check: cli+srv max 1.1 -> 1.1" \ run_test "Version check: cli+srv max 1.1 -> 1.1" \
"$P_SRV max_version=tls1_1" \ "$P_SRV max_version=tls1_1" \
"$P_CLI max_version=tls1_1" \ "$P_CLI max_version=tls1_1" \
@ -5327,6 +5335,7 @@ run_test "Version check: cli+srv max 1.1 -> 1.1" \
-s "Protocol is TLSv1.1" \ -s "Protocol is TLSv1.1" \
-c "Protocol is TLSv1.1" -c "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \ run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
"$P_SRV min_version=tls1_1" \ "$P_SRV min_version=tls1_1" \
"$P_CLI max_version=tls1_1" \ "$P_CLI max_version=tls1_1" \
@ -5336,6 +5345,7 @@ run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \
-s "Protocol is TLSv1.1" \ -s "Protocol is TLSv1.1" \
-c "Protocol is TLSv1.1" -c "Protocol is TLSv1.1"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \ run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \
"$P_SRV max_version=tls1_1" \ "$P_SRV max_version=tls1_1" \
"$P_CLI min_version=tls1_1" \ "$P_CLI min_version=tls1_1" \
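Review bot: The guard added before `run_test "Default, DTLS"` checks only `MBEDTLS_SSL_PROTO_TLS1_2`, although that test starts both peers with `dtls=1`, and nothing visible in the hunk ties it to DTLS being compiled in. If `run_test` does not already infer this from the command line (its body is outside the hunks shown), a build with TLS 1.2 but without DTLS would run the test and fail rather than skip it. I would add `requires_config_enabled MBEDTLS_SSL_PROTO_DTLS` next to the new line. The commit message already notes that coverage is partial, so the skip rate per configuration is worth tracking so that version-negotiation tests dropped in reduced builds are noticed rather than silently lost.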