From cb424097be3b779cb50dfeb741b1ac0c5f2d55dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Wed, 10 Apr 2024 22:11:20 +0200
Subject: [PATCH] compat.sh: properly skip unsupported DTLS 1.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Skipping DTLS 1.2 with old versions was already done, but now properly
test support only once and use the results.

Note that historically, this script's policy was that it's the user's
job to find the right value of -e (EXCLUDE) for their version for
OpenSSL & config. Now it's a weird mix of that and the script doing some
detection and skipping.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 tests/compat.sh | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/tests/compat.sh b/tests/compat.sh
index 320d0c57c1..20f2dbda61 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -593,13 +593,9 @@ o_check_ciphersuite()
         SKIP_NEXT_="YES"
     fi
 
-    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
-    # supports $O_MODE from the s_server help. (The s_client
-    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
-    # but doesn't list it. But the s_server help seems to be
-    # accurate.)
-    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
-        SKIP_NEXT_="YES"
+    # skip DTLS 1.2 is support was not detected
+    if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then
+        SKIP_NEXT="YES"
     fi
 
     # skip static ECDH when OpenSSL doesn't support it
@@ -684,6 +680,21 @@ setup_arguments()
         *) O_SUPPORT_STATIC_ECDH="NO";;
     esac
 
+    case $($OPENSSL ciphers ALL) in
+        *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
+        *) O_SUPPORT_SINGLE_DES="NO";;
+    esac
+
+    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
+    # supports -dtls1_2 from the s_server help. (The s_client
+    # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
+    # but doesn't list it. But the s_server help seems to be
+    # accurate.)
+    O_SUPPORT_DTLS12="NO"
+    if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then
+        O_SUPPORT_DTLS12="YES"
+    fi
+
     if [ "X$VERIFY" = "XYES" ];
     then
         M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"