Rework how protocol specific ciphers in 80-test_ssl_old.t are picked out

The code to do this incorrectly assumed that the protocol version could be used as a valid cipher suite for the 'openssl cipher' command. While this is true in some cases, that isn't something to be trusted. Replace that assumption with code that takes the full 'openssl ciphers' command output and parses it to find the ciphers we look for. Reviewed-by: N Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2956)

Rework how protocol specific ciphers in 80-test_ssl_old.t are picked out
The code to do this incorrectly assumed that the protocol version could be used as a valid cipher suite for the 'openssl cipher' command. While this is true in some cases, that isn't something to be trusted. Replace that assumption with code that takes the full 'openssl ciphers' command output and parses it to find the ciphers we look for. Reviewed-by: N Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2956)
9ea6d56d · Richard Levitte · ca2045dc · 9ea6d56d
隐藏空白更改
内联并排

Showing with 21 addition and 23 deletion

test/recipes/80-test_ssl_old.t test/recipes/80-test_ssl_old.t +21 -23

未找到文件。
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -417,37 +417,35 @@ sub testssl {
        }

 	my @protocols = ();
-	# FIXME: I feel unsure about the following line, is that really just TLSv1.2, or is it all of the SSLv3/TLS protocols?
-        push(@protocols, "TLSv1.3") unless $no_tls1_3;
-        push(@protocols, "TLSv1.2") unless $no_tls1_2;
-        push(@protocols, "SSLv3") unless $no_ssl3;
-	my $protocolciphersuitcount = 0;
-	my %ciphersuites =
-	    map { my @c =
-		      map { split(/:/, $_) }
-		      run(app(["openssl", "ciphers", "${_}:$ciphers"]),
-                          capture => 1);
-		  map { s/\R//; } @c;  # chomp @c;
-		  $protocolciphersuitcount += scalar @c;
-		  $_ => [ @c ] } @protocols;
+	# We only use the flags that ssltest_old understands
+	push @protocols, "-tls1_3" unless $no_tls1_3;
+	push @protocols, "-tls1_2" unless $no_tls1_2;
+	push @protocols, "-tls1" unless $no_tls1;
+	push @protocols, "-ssl3" unless $no_ssl3;
+	my $protocolciphersuitecount = 0;
+	my %ciphersuites = ();
+	foreach my $protocol (@protocols) {
+	    $ciphersuites{$protocol} =
+		[ map { s|\R||; split(/:/, $_) }
+		  run(app(["openssl", "ciphers", "-s", $protocol,
+                           "ALL:$ciphers"]), capture => 1) ];
+	    $protocolciphersuitecount += scalar @{$ciphersuites{$protocol}};
+	}

        plan skip_all => "None of the ciphersuites to test are available in this OpenSSL build"
-            if $protocolciphersuitcount + scalar(@protocols) == 0;
+            if $protocolciphersuitecount + scalar(keys %ciphersuites) == 0;

        # The count of protocols is because in addition to the ciphersuits
        # we got above, we're running a weak DH test for each protocol
-        plan tests => $protocolciphersuitcount + scalar(@protocols);
+        plan tests => $protocolciphersuitecount + scalar(keys %ciphersuites);

-        foreach my $protocol (@protocols) {
+        foreach my $protocol (sort keys %ciphersuites) {
            note "Testing ciphersuites for $protocol";
-            my $flag = "";
-            if ($protocol eq "SSLv3") {
-                $flag = "-ssl3";
-            } elsif ($protocol eq "TLSv1.2") {
-                $flag = "-tls1_2";
-            }
+            # ssltest_old doesn't know -tls1_3, but that's fine, since that's
+            # the default choice if TLSv1.3 enabled
+            my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
            foreach my $cipher (@{$ciphersuites{$protocol}}) {
-                if ($protocol eq "SSLv3" && $cipher =~ /ECDH/ ) {
+                if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
                    note "*****SKIPPING $protocol $cipher";
                    ok(1);
                } else {