From aeda1fd0a839ea5ee571f41639c4feb25803d3b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 12 Aug 2024 09:50:18 +0200
Subject: [PATCH] Use P_CLI when O_CLI's status is not reliable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Generally speaking, in this group of test we use O_SRV when testing our client's behaviour, and O_CLI when testing our server's behaviour. I don't think that's essential, but why not. Well, for these two tests there's a reason why not: O_CLI often exits 0, seemingly not minding that the server aborted the handshake with a fatal alert, but sometimes it exits 1. (I've observed 0 on my machine, on two runs of OpenCI and Internal CI, and 1 in some test in one run of Internal CI.) So, use our client instead, which exits non-zero consistently.

Signed-off-by: Manuel Pégourié-Gonnard
---
 tests/ssl-opt.sh | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index e6e2f99553..ac6df5a7a4 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -8005,18 +8005,15 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" \
 "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \
- "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server2.key \
- -cert $DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
- 0 \
+ "$P_CLI key_file=$DATA_FILES_PATH/server2.key \
+ crt_file=$DATA_FILES_PATH/server2-sha256.ku-ke.crt" \
+ 1 \
 -s "bad certificate (usage extensions)" \
 -s "Processing of the Certificate handshake message failed" \
 -s "send alert level=2 message=43" \
 -s "! Usage does not match the keyUsage extension" \
 -s "! mbedtls_ssl_handshake returned"
 # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
- #
- # OpenSSL client does not seem to mind that the server aborts the
- # handshake with a fatal alert and still exits 0...
 requires_openssl_tls1_3_with_compatible_ephemeral
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
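Review bot: With the client switched to `$P_CLI`, any `requires_openssl_tls1_3_with_compatible_ephemeral` line guarding "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" would now skip this keyUsage rejection test for no reason on hosts without a suitable OpenSSL. The prerequisite lines sit above the hunk and are not visible here, but the next test in the trailing context carries that guard, so it is worth checking and dropping it if present. The same applies to the ECDSA, KeyAgreement test in the second hunk. Since the commit message says this group otherwise uses O_CLI for server-side tests, and the only in-file explanation of the OpenSSL exit status is being removed, I would also leave a short note above both `run_test` calls, e.g. `# P_CLI on purpose: the OpenSSL client's exit status is unreliable when the server aborts with a fatal alert`.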
@@ -8047,18 +8044,15 @@ requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (hard)" \
 "$P_SRV debug_level=3 force_version=tls13 auth_mode=required" \
- "$O_NEXT_CLI_NO_CERT -key $DATA_FILES_PATH/server5.key \
- -cert $DATA_FILES_PATH/server5.ku-ka.crt" \
- 0 \
+ "$P_CLI key_file=$DATA_FILES_PATH/server5.key \
+ crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
+ 1 \
 -s "bad certificate (usage extensions)" \
 -s "Processing of the Certificate handshake message failed" \
 -s "send alert level=2 message=43" \
 -s "! Usage does not match the keyUsage extension" \
 -s "! mbedtls_ssl_handshake returned"
 # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
- #
- # OpenSSL client does not seem to mind that the server aborts the
- # handshake with a fatal alert and still exits 0...
 # Tests for extendedKeyUsage, part 1: server-side certificate/suite selection