mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-27 06:41:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #8121 from gilles-peskine-arm/ssl-test-no-legacy

Browse Source 
Remove GNUTLS_LEGACY and OPENSSL_LEGACY
This commit is contained in:
Manuel Pégourié-Gonnard 2023-10-18 07:13:12 +00:00 committed by GitHub
commit 2e37d7b238
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 30 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
scripts/output_env.sh
View File

@ -170,13 +170,6 @@ echo
print_version "$OPENSSL" "version" "default" print_version "$OPENSSL" "version" "default"
echo echo
if [ -n "${OPENSSL_LEGACY+set}" ]; then
print_version "$OPENSSL_LEGACY" "version" "legacy"
else
echo " * openssl (legacy): Not configured."
fi
echo
if [ -n "${OPENSSL_NEXT+set}" ]; then if [ -n "${OPENSSL_NEXT+set}" ]; then
print_version "$OPENSSL_NEXT" "version" "next" print_version "$OPENSSL_NEXT" "version" "next"
else else
@ -192,20 +185,6 @@ echo
print_version "$GNUTLS_SERV" "--version" "default" "head -n 1" print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
echo echo
if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
print_version "$GNUTLS_LEGACY_CLI" "--version" "legacy" "head -n 1"
else
echo " * gnutls-cli (legacy): Not configured."
fi
echo
if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
print_version "$GNUTLS_LEGACY_SERV" "--version" "legacy" "head -n 1"
else
echo " * gnutls-serv (legacy): Not configured."
fi
echo
echo " * Installed asan versions:" echo " * Installed asan versions:"
if type dpkg-query >/dev/null 2>/dev/null; then if type dpkg-query >/dev/null 2>/dev/null; then
if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' | if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |

18
tests/compat.sh
View File

@ -108,6 +108,7 @@ FILTER=""
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305' EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
VERBOSE="" VERBOSE=""
MEMCHECK=0 MEMCHECK=0
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS" PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
# hidden option: skip DTLS with OpenSSL # hidden option: skip DTLS with OpenSSL
@ -129,6 +130,7 @@ print_usage() {
printf " --list-test-case\tList all potential test cases (No Execution)\n" printf " --list-test-case\tList all potential test cases (No Execution)\n"
printf " --outcome-file\tFile where test outcomes are written\n" printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n" printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
} }
# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE> # print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
@ -197,6 +199,9 @@ get_options() {
--outcome-file) --outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1 shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;; ;;
--preserve-logs)
PRESERVE_LOGS=1
;;
-h|--help) -h|--help)
print_usage print_usage
exit 0 exit 0
@ -629,7 +634,7 @@ setup_arguments()
fi fi
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE" M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE" O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE" G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
@ -887,12 +892,16 @@ record_outcome() {
fi fi
} }
save_logs() {
cp $SRV_OUT c-srv-${TESTS}.log
cp $CLI_OUT c-cli-${TESTS}.log
}
# display additional information if test case fails # display additional information if test case fails
report_fail() { report_fail() {
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
record_outcome "FAIL" "$FAIL_PROMPT" record_outcome "FAIL" "$FAIL_PROMPT"
cp $SRV_OUT c-srv-${TESTS}.log save_logs
cp $CLI_OUT c-cli-${TESTS}.log
echo " ! $FAIL_PROMPT" echo " ! $FAIL_PROMPT"
if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
@ -1010,6 +1019,9 @@ run_client() {
case $RESULT in case $RESULT in
"0") "0")
record_outcome "PASS" record_outcome "PASS"
if [ "$PRESERVE_LOGS" -gt 0 ]; then
save_logs
fi
;; ;;
"1") "1")
record_outcome "SKIP" record_outcome "SKIP"

38
tests/scripts/all.sh
View File

@ -50,10 +50,13 @@
# * G++ # * G++
# * arm-gcc and mingw-gcc # * arm-gcc and mingw-gcc
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc # * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
# * OpenSSL and GnuTLS command line tools, recent enough for the # * OpenSSL and GnuTLS command line tools, in suitable versions for the
# interoperability tests. If they don't support old features which we want # interoperability tests. The following are the official versions at the
# to test, then a legacy version of these tools must be present as well # time of writing:
# (search for LEGACY below). # * GNUTLS_{CLI,SERV} = 3.4.10
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
# * OPENSSL_NEXT = 1.1.1a
# See the invocation of check_tools below for details. # See the invocation of check_tools below for details.
# #
# This script must be invoked from the toplevel directory of a git # This script must be invoked from the toplevel directory of a git
@ -179,12 +182,9 @@ pre_initialize_variables () {
# Default commands, can be overridden by the environment # Default commands, can be overridden by the environment
: ${OPENSSL:="openssl"} : ${OPENSSL:="openssl"}
: ${OPENSSL_LEGACY:="$OPENSSL"}
: ${OPENSSL_NEXT:="$OPENSSL"} : ${OPENSSL_NEXT:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"} : ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"} : ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build} : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
: ${ARMC5_BIN_DIR:=/usr/bin} : ${ARMC5_BIN_DIR:=/usr/bin}
: ${ARMC6_BIN_DIR:=/usr/bin} : ${ARMC6_BIN_DIR:=/usr/bin}
@ -300,10 +300,7 @@ Tool path options:
--gcc-latest=<GCC_latest_path> Latest version of GCC available --gcc-latest=<GCC_latest_path> Latest version of GCC available
--gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests. --gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests.
--gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests. --gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests.
--gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests.
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests. --openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests..
--openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA --openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
EOF EOF
} }
@ -474,8 +471,8 @@ pre_parse_command_line () {
--gcc-earliest) shift; GCC_EARLIEST="$1";; --gcc-earliest) shift; GCC_EARLIEST="$1";;
--gcc-latest) shift; GCC_LATEST="$1";; --gcc-latest) shift; GCC_LATEST="$1";;
--gnutls-cli) shift; GNUTLS_CLI="$1";; --gnutls-cli) shift; GNUTLS_CLI="$1";;
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";; --gnutls-legacy-cli) shift;; # ignored for backward compatibility
--gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";; --gnutls-legacy-serv) shift;; # ignored for backward compatibility
--gnutls-serv) shift; GNUTLS_SERV="$1";; --gnutls-serv) shift; GNUTLS_SERV="$1";;
--help|-h) usage; exit;; --help|-h) usage; exit;;
--keep-going|-k) KEEP_GOING=1;; --keep-going|-k) KEEP_GOING=1;;
@ -489,7 +486,6 @@ pre_parse_command_line () {
--no-memory) MEMORY=0;; --no-memory) MEMORY=0;;
--no-quiet) QUIET=0;; --no-quiet) QUIET=0;;
--openssl) shift; OPENSSL="$1";; --openssl) shift; OPENSSL="$1";;
--openssl-legacy) shift; OPENSSL_LEGACY="$1";;
--openssl-next) shift; OPENSSL_NEXT="$1";; --openssl-next) shift; OPENSSL_NEXT="$1";;
--outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";; --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";;
--out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";; --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
@ -744,12 +740,9 @@ pre_print_configuration () {
echo "SEED: ${SEED-"UNSET"}" echo "SEED: ${SEED-"UNSET"}"
echo echo
echo "OPENSSL: $OPENSSL" echo "OPENSSL: $OPENSSL"
echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
echo "OPENSSL_NEXT: $OPENSSL_NEXT" echo "OPENSSL_NEXT: $OPENSSL_NEXT"
echo "GNUTLS_CLI: $GNUTLS_CLI" echo "GNUTLS_CLI: $GNUTLS_CLI"
echo "GNUTLS_SERV: $GNUTLS_SERV" echo "GNUTLS_SERV: $GNUTLS_SERV"
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR" echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR" echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
} }
@ -773,13 +766,10 @@ pre_check_tools () {
if [ -n "${SEED-}" ]; then if [ -n "${SEED-}" ]; then
export SEED export SEED
fi fi
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" set "$@" OPENSSL="$OPENSSL"
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV" set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" check_tools "$OPENSSL" "$OPENSSL_NEXT" \
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" "$GNUTLS_CLI" "$GNUTLS_SERV"
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
"$GNUTLS_CLI" "$GNUTLS_SERV" \
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
;; ;;
esac esac
@ -1879,7 +1869,7 @@ component_test_full_cmake_clang () {
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh NULL (full config)" # ~ 2 min msg "test: compat.sh NULL (full config)" # ~ 2 min
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL' tests/compat.sh -e '^$' -f 'NULL'
msg "test: compat.sh ARIA + ChachaPoly" msg "test: compat.sh ARIA + ChachaPoly"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
@ -2286,7 +2276,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
tests/compat.sh tests/compat.sh
msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -f 'NULL' tests/compat.sh -f 'NULL'
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'

10
tests/scripts/basic-build-test.sh
View File

@ -48,11 +48,8 @@ if [ -d library -a -d include -a -d tests ]; then :; else
fi fi
: ${OPENSSL:="openssl"} : ${OPENSSL:="openssl"}
: ${OPENSSL_LEGACY:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"} : ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"} : ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
# Used to make ssl-opt.sh deterministic. # Used to make ssl-opt.sh deterministic.
# #
@ -78,11 +75,8 @@ CONFIG_BAK="$CONFIG_H.bak"
# Step 0 - print build environment info # Step 0 - print build environment info
OPENSSL="$OPENSSL" \ OPENSSL="$OPENSSL" \
OPENSSL_LEGACY="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_CLI" \ GNUTLS_CLI="$GNUTLS_CLI" \
GNUTLS_SERV="$GNUTLS_SERV" \ GNUTLS_SERV="$GNUTLS_SERV" \
GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
scripts/output_env.sh scripts/output_env.sh
echo echo
@ -124,9 +118,7 @@ echo '################ compat.sh ################'
sh compat.sh sh compat.sh
echo echo
echo '#### compat.sh: legacy (null)' echo '#### compat.sh: null cipher'
OPENSSL="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
sh compat.sh -e '^$' -f 'NULL' sh compat.sh -e '^$' -f 'NULL'
echo echo

27
tests/ssl-opt.sh
View File

@ -81,14 +81,6 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
# alternative versions of OpenSSL and GnuTLS (no default path) # alternative versions of OpenSSL and GnuTLS (no default path)
if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
else
O_LEGACY_SRV=false
O_LEGACY_CLI=false
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
@ -644,20 +636,6 @@ requires_gnutls_next() {
fi fi
} }
# skip next test if OpenSSL-legacy isn't available
requires_openssl_legacy() {
if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
OPENSSL_LEGACY_AVAILABLE="YES"
else
OPENSSL_LEGACY_AVAILABLE="NO"
fi
fi
if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
requires_openssl_next() { requires_openssl_next() {
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
@ -1915,11 +1893,6 @@ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT" G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT" G_CLI="$G_CLI -p +SRV_PORT"
if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
fi
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol # low-security ones. This covers not just cipher suites but also protocol
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on