mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-26 15:08:51 +03:00
Merge pull request #8122 from gilles-peskine-arm/ssl-test-no-legacy-2.28
Backport 2.28: Remove GNUTLS_LEGACY and OPENSSL_LEGACY (partly)
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
commit
0ee9dacb4d
@ -192,20 +192,6 @@ echo
|
||||
print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
|
||||
echo
|
||||
|
||||
if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
|
||||
print_version "$GNUTLS_LEGACY_CLI" "--version" "legacy" "head -n 1"
|
||||
else
|
||||
echo " * gnutls-cli (legacy): Not configured."
|
||||
fi
|
||||
echo
|
||||
|
||||
if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
|
||||
print_version "$GNUTLS_LEGACY_SERV" "--version" "legacy" "head -n 1"
|
||||
else
|
||||
echo " * gnutls-serv (legacy): Not configured."
|
||||
fi
|
||||
echo
|
||||
|
||||
echo " * Installed asan versions:"
|
||||
if type dpkg-query >/dev/null 2>/dev/null; then
|
||||
if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |
|
||||
|
||||
@ -110,6 +110,7 @@ FILTER=""
|
||||
EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
|
||||
VERBOSE=""
|
||||
MEMCHECK=0
|
||||
PRESERVE_LOGS=0
|
||||
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
||||
|
||||
# hidden option: skip DTLS with OpenSSL
|
||||
@ -131,6 +132,7 @@ print_usage() {
|
||||
printf " --list-test-case\tList all potential test cases (No Execution)\n"
|
||||
printf " --outcome-file\tFile where test outcomes are written\n"
|
||||
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
|
||||
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
|
||||
}
|
||||
|
||||
# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
|
||||
@ -198,6 +200,9 @@ get_options() {
|
||||
--outcome-file)
|
||||
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
|
||||
;;
|
||||
--preserve-logs)
|
||||
PRESERVE_LOGS=1
|
||||
;;
|
||||
-h|--help)
|
||||
print_usage
|
||||
exit 0
|
||||
@ -648,7 +653,16 @@ add_gnutls_ciphersuites()
|
||||
;;
|
||||
|
||||
"RSA")
|
||||
if [ `minor_ver "$MODE"` -gt 0 ]
|
||||
# TLS-RSA-WITH-NULL-SHA256 is a (D)TLS 1.2-only cipher suite,
|
||||
# like all SHA256 cipher suites. But Mbed TLS supports it with
|
||||
# (D)TLS 1.0 and 1.1 as well. So do ancient versions of GnuTLS,
|
||||
# but this was considered a bug which was fixed in GnuTLS 3.4.7.
|
||||
# Check the GnuTLS support list to see what the protocol version
|
||||
# requirement is for that cipher suite.
|
||||
if [ `minor_ver "$MODE"` -ge 3 ] || {
|
||||
[ `minor_ver "$MODE"` -gt 0 ] &&
|
||||
$GNUTLS_CLI --list | grep -q '^TLS_RSA_NULL_SHA256.*0$'
|
||||
}
|
||||
then
|
||||
M_CIPHERS="$M_CIPHERS \
|
||||
TLS-RSA-WITH-NULL-SHA256 \
|
||||
@ -972,7 +986,7 @@ setup_arguments()
|
||||
fi
|
||||
|
||||
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
|
||||
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
|
||||
O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
|
||||
G_SERVER_ARGS="-p $PORT --http $G_MODE"
|
||||
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||
|
||||
@ -1218,12 +1232,16 @@ record_outcome() {
|
||||
fi
|
||||
}
|
||||
|
||||
save_logs() {
|
||||
cp $SRV_OUT c-srv-${TESTS}.log
|
||||
cp $CLI_OUT c-cli-${TESTS}.log
|
||||
}
|
||||
|
||||
# display additional information if test case fails
|
||||
report_fail() {
|
||||
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
|
||||
record_outcome "FAIL" "$FAIL_PROMPT"
|
||||
cp $SRV_OUT c-srv-${TESTS}.log
|
||||
cp $CLI_OUT c-cli-${TESTS}.log
|
||||
save_logs
|
||||
echo " ! $FAIL_PROMPT"
|
||||
|
||||
if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
|
||||
@ -1349,6 +1367,9 @@ run_client() {
|
||||
case $RESULT in
|
||||
"0")
|
||||
record_outcome "PASS"
|
||||
if [ "$PRESERVE_LOGS" -gt 0 ]; then
|
||||
save_logs
|
||||
fi
|
||||
;;
|
||||
"1")
|
||||
record_outcome "SKIP"
|
||||
|
||||
@ -50,10 +50,14 @@
|
||||
# * G++
|
||||
# * arm-gcc and mingw-gcc
|
||||
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
|
||||
# * OpenSSL and GnuTLS command line tools, recent enough for the
|
||||
# interoperability tests. If they don't support SSLv3 then a legacy
|
||||
# version of these tools must be present as well (search for LEGACY
|
||||
# below).
|
||||
# * OpenSSL and GnuTLS command line tools, in suitable versions for the
|
||||
# interoperability tests. The following are the official versions at the
|
||||
# time of writing:
|
||||
# * GNUTLS_{CLI,SERV} = 3.4.10
|
||||
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
|
||||
# * OPENSSL_LEGACY = 1.0.1j
|
||||
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
|
||||
# * OPENSSL_NEXT = 1.1.1a
|
||||
# See the invocation of check_tools below for details.
|
||||
#
|
||||
# This script must be invoked from the toplevel directory of a git
|
||||
@ -168,8 +172,6 @@ pre_initialize_variables () {
|
||||
: ${OPENSSL_NEXT:="$OPENSSL"}
|
||||
: ${GNUTLS_CLI:="gnutls-cli"}
|
||||
: ${GNUTLS_SERV:="gnutls-serv"}
|
||||
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
|
||||
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
|
||||
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
|
||||
: ${ARMC5_BIN_DIR:=/usr/bin}
|
||||
: ${ARMC6_BIN_DIR:=/usr/bin}
|
||||
@ -286,8 +288,6 @@ Tool path options:
|
||||
--gcc-latest=<GCC_latest_path> Latest version of GCC available
|
||||
--gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests.
|
||||
--gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests.
|
||||
--gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests.
|
||||
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
|
||||
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
|
||||
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests e.g. SSLv3.
|
||||
--openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
|
||||
@ -435,8 +435,8 @@ pre_parse_command_line () {
|
||||
--gcc-earliest) shift; GCC_EARLIEST="$1";;
|
||||
--gcc-latest) shift; GCC_LATEST="$1";;
|
||||
--gnutls-cli) shift; GNUTLS_CLI="$1";;
|
||||
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
|
||||
--gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
|
||||
--gnutls-legacy-cli) shift;; # ignored for backward compatibility
|
||||
--gnutls-legacy-serv) shift;; # ignored for backward compatibility
|
||||
--gnutls-serv) shift; GNUTLS_SERV="$1";;
|
||||
--help|-h) usage; exit;;
|
||||
--keep-going|-k) KEEP_GOING=1;;
|
||||
@ -709,8 +709,6 @@ pre_print_configuration () {
|
||||
echo "OPENSSL_NEXT: $OPENSSL_NEXT"
|
||||
echo "GNUTLS_CLI: $GNUTLS_CLI"
|
||||
echo "GNUTLS_SERV: $GNUTLS_SERV"
|
||||
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
|
||||
echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
|
||||
echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
|
||||
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
|
||||
}
|
||||
@ -736,11 +734,8 @@ pre_check_tools () {
|
||||
fi
|
||||
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
|
||||
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
|
||||
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
|
||||
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
|
||||
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
|
||||
"$GNUTLS_CLI" "$GNUTLS_SERV" \
|
||||
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
|
||||
"$GNUTLS_CLI" "$GNUTLS_SERV"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1031,8 +1026,7 @@ component_test_sslv3 () {
|
||||
make test
|
||||
|
||||
msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
|
||||
tests/compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12'
|
||||
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
|
||||
tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
|
||||
|
||||
msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
|
||||
tests/ssl-opt.sh
|
||||
@ -1590,8 +1584,11 @@ component_test_full_cmake_clang () {
|
||||
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
|
||||
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
|
||||
|
||||
msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
|
||||
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
|
||||
msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min
|
||||
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
|
||||
|
||||
msg "test: compat.sh single-DES (full config)" # ~ 30s
|
||||
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
|
||||
|
||||
msg "test: compat.sh ARIA + ChachaPoly"
|
||||
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
@ -1881,8 +1878,11 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
|
||||
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
tests/compat.sh
|
||||
|
||||
msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
|
||||
msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
|
||||
|
||||
msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
|
||||
|
||||
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
|
||||
@ -51,8 +51,6 @@ fi
|
||||
: ${OPENSSL_LEGACY:="$OPENSSL"}
|
||||
: ${GNUTLS_CLI:="gnutls-cli"}
|
||||
: ${GNUTLS_SERV:="gnutls-serv"}
|
||||
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
|
||||
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
|
||||
|
||||
# Used to make ssl-opt.sh deterministic.
|
||||
#
|
||||
@ -81,8 +79,6 @@ OPENSSL="$OPENSSL" \
|
||||
OPENSSL_LEGACY="$OPENSSL_LEGACY" \
|
||||
GNUTLS_CLI="$GNUTLS_CLI" \
|
||||
GNUTLS_SERV="$GNUTLS_SERV" \
|
||||
GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
|
||||
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
|
||||
scripts/output_env.sh
|
||||
echo
|
||||
|
||||
@ -120,17 +116,12 @@ echo
|
||||
# Step 2c - Compatibility tests (keep going even if some tests fail)
|
||||
echo '################ compat.sh ################'
|
||||
{
|
||||
echo '#### compat.sh: Default versions'
|
||||
sh compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12'
|
||||
echo
|
||||
|
||||
echo '#### compat.sh: legacy (SSLv3)'
|
||||
OPENSSL="$OPENSSL_LEGACY" sh compat.sh -m 'ssl3'
|
||||
echo '#### compat.sh: Default ciphers'
|
||||
sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
|
||||
echo
|
||||
|
||||
echo '#### compat.sh: legacy (null, DES, RC4)'
|
||||
OPENSSL="$OPENSSL_LEGACY" \
|
||||
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
|
||||
sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
|
||||
echo
|
||||
|
||||
|
||||
@ -81,14 +81,6 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
|
||||
|
||||
# alternative versions of OpenSSL and GnuTLS (no default path)
|
||||
|
||||
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
||||
O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
|
||||
else
|
||||
O_LEGACY_SRV=false
|
||||
O_LEGACY_CLI=false
|
||||
fi
|
||||
|
||||
if [ -n "${OPENSSL_NEXT:-}" ]; then
|
||||
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
|
||||
@ -456,20 +448,6 @@ requires_gnutls_next() {
|
||||
fi
|
||||
}
|
||||
|
||||
# skip next test if OpenSSL-legacy isn't available
|
||||
requires_openssl_legacy() {
|
||||
if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
|
||||
if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
|
||||
OPENSSL_LEGACY_AVAILABLE="YES"
|
||||
else
|
||||
OPENSSL_LEGACY_AVAILABLE="NO"
|
||||
fi
|
||||
fi
|
||||
if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
}
|
||||
|
||||
requires_openssl_next() {
|
||||
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
|
||||
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
|
||||
@ -1502,11 +1480,6 @@ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
|
||||
G_SRV="$G_SRV -p $SRV_PORT"
|
||||
G_CLI="$G_CLI -p +SRV_PORT"
|
||||
|
||||
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
||||
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
||||
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
|
||||
fi
|
||||
|
||||
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
|
||||
# low-security ones. This covers not just cipher suites but also protocol
|
||||
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user