Fix erroneous skip of test cases for disabled ciphersuites

Test cases that force a specific ciphersuite are only executed if
this ciphersuite is enabled. But there are test cases (for RC4) whose
goal is to check that the ciphersuite is not used. These test cases
must run even if (or only if) the ciphersuite is disabled, so add an
exception for these test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Gilles Peskine 2020-06-26 23:35:53 +02:00
parent 7eefa22fb1
commit 0d7216511f


@ -241,6 +241,33 @@ requires_ciphersuite_enabled() {
fi fi
} }
# maybe_requires_ciphersuite_enabled CMD [RUN_TEST_OPTION...]
# If CMD (call to a TLS client or server program) requires a specific
# ciphersuite, arrange to only run the test case if this ciphersuite is
# enabled. As an exception, do run the test case if it expects a ciphersuite
# mismatch.
maybe_requires_ciphersuite_enabled() {
case "$1" in
*\ force_ciphersuite=*) :;;
*) return;; # No specific required ciphersuite
esac
ciphersuite="${1##*\ force_ciphersuite=}"
ciphersuite="${ciphersuite%%[!-0-9A-Z_a-z]*}"
shift
case "$*" in
*"-s SSL - The server has no ciphersuites in common"*)
# This test case expects a ciphersuite mismatch, so it doesn't
# require the ciphersuite to be enabled.
;;
*)
requires_ciphersuite_enabled "$ciphersuite"
;;
esac
unset ciphersuite
}
# skip next test if OpenSSL doesn't support FALLBACK_SCSV # skip next test if OpenSSL doesn't support FALLBACK_SCSV
requires_openssl_with_fallback_scsv() { requires_openssl_with_fallback_scsv() {
if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
@ -658,17 +685,9 @@ run_test() {
requires_config_enabled MBEDTLS_FS_IO requires_config_enabled MBEDTLS_FS_IO
fi fi
# Check if server forces ciphersuite # If the client or serve requires a ciphersuite, check that it's enabled.
FORCE_CIPHERSUITE=$(echo "$SRV_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p') maybe_requires_ciphersuite_enabled "$SRV_CMD" "$@"
if [ ! -z "$FORCE_CIPHERSUITE" ]; then maybe_requires_ciphersuite_enabled "$CLI_CMD" "$@"
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
fi
# Check if client forces ciphersuite
FORCE_CIPHERSUITE=$(echo "$CLI_CMD" | sed -n 's/^.*force_ciphersuite=\([a-zA-Z0-9\-]*\).*$/\1/p')
if [ ! -z "$FORCE_CIPHERSUITE" ]; then
requires_ciphersuite_enabled $FORCE_CIPHERSUITE
fi
# should we skip? # should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then if [ "X$SKIP_NEXT" = "XYES" ]; then
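Review bot: The exception in maybe_requires_ciphersuite_enabled is keyed on one literal run_test option, `-s SSL - The server has no ciphersuites in common`, so a negative test case that asserts the mismatch through any other pattern (a client-side `-c` check, or reworded server output) still falls through to requires_ciphersuite_enabled and is skipped when the ciphersuite is disabled. For the RC4 cases the commit message describes, that skip would hide a regression in which a disabled ciphersuite becomes negotiable again. I would add a comment above the `case "$*"` such as `# Must match the -s pattern of the negative ciphersuite test cases verbatim; otherwise they are skipped silently.` The match also relies on `"$*"` joining with a space, i.e. on the default IFS, which is worth noting in the same comment. run_test's body starts and ends outside the second hunk.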