lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-05-30 04:04:51 +03:00
Code

Merge pull request #8122 from gilles-peskine-arm/ssl-test-no-legacy-2.28

Browse Source 
Backport 2.28: Remove GNUTLS_LEGACY and OPENSSL_LEGACY (partly)
This commit is contained in:
Manuel Pégourié-Gonnard 2023-10-18 07:13:15 +00:00 committed by GitHub
commit 0ee9dacb4d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 49 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
scripts/output_env.sh
View File

@ -192,20 +192,6 @@ echo
print_version "$GNUTLS_SERV" "--version" "default" "head -n 1" print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
echo echo
if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
print_version "$GNUTLS_LEGACY_CLI" "--version" "legacy" "head -n 1"
else
echo " * gnutls-cli (legacy): Not configured."
fi
echo
if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
print_version "$GNUTLS_LEGACY_SERV" "--version" "legacy" "head -n 1"
else
echo " * gnutls-serv (legacy): Not configured."
fi
echo
echo " * Installed asan versions:" echo " * Installed asan versions:"
if type dpkg-query >/dev/null 2>/dev/null; then if type dpkg-query >/dev/null 2>/dev/null; then
if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' | if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |

29
tests/compat.sh
View File

@ -110,6 +110,7 @@ FILTER=""
EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305' EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
VERBOSE="" VERBOSE=""
MEMCHECK=0 MEMCHECK=0
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS" PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
# hidden option: skip DTLS with OpenSSL # hidden option: skip DTLS with OpenSSL
@ -131,6 +132,7 @@ print_usage() {
printf " --list-test-case\tList all potential test cases (No Execution)\n" printf " --list-test-case\tList all potential test cases (No Execution)\n"
printf " --outcome-file\tFile where test outcomes are written\n" printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n" printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
} }
# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE> # print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
@ -198,6 +200,9 @@ get_options() {
--outcome-file) --outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1 shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;; ;;
--preserve-logs)
PRESERVE_LOGS=1
;;
-h|--help) -h|--help)
print_usage print_usage
exit 0 exit 0
@ -648,7 +653,16 @@ add_gnutls_ciphersuites()
;; ;;
"RSA") "RSA")
if [ `minor_ver "$MODE"` -gt 0 ] # TLS-RSA-WITH-NULL-SHA256 is a (D)TLS 1.2-only cipher suite,
# like all SHA256 cipher suites. But Mbed TLS supports it with
# (D)TLS 1.0 and 1.1 as well. So do ancient versions of GnuTLS,
# but this was considered a bug which was fixed in GnuTLS 3.4.7.
# Check the GnuTLS support list to see what the protocol version
# requirement is for that cipher suite.
if [ `minor_ver "$MODE"` -ge 3 ] || {
[ `minor_ver "$MODE"` -gt 0 ] &&
$GNUTLS_CLI --list | grep -q '^TLS_RSA_NULL_SHA256.*0$'
}
then then
M_CIPHERS="$M_CIPHERS \ M_CIPHERS="$M_CIPHERS \
TLS-RSA-WITH-NULL-SHA256 \ TLS-RSA-WITH-NULL-SHA256 \
@ -972,7 +986,7 @@ setup_arguments()
fi fi
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1" M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE" O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE" G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE" G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
@ -1218,12 +1232,16 @@ record_outcome() {
fi fi
} }
save_logs() {
cp $SRV_OUT c-srv-${TESTS}.log
cp $CLI_OUT c-cli-${TESTS}.log
}
# display additional information if test case fails # display additional information if test case fails
report_fail() { report_fail() {
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log" FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
record_outcome "FAIL" "$FAIL_PROMPT" record_outcome "FAIL" "$FAIL_PROMPT"
cp $SRV_OUT c-srv-${TESTS}.log save_logs
cp $CLI_OUT c-cli-${TESTS}.log
echo " ! $FAIL_PROMPT" echo " ! $FAIL_PROMPT"
if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
@ -1349,6 +1367,9 @@ run_client() {
case $RESULT in case $RESULT in
"0") "0")
record_outcome "PASS" record_outcome "PASS"
if [ "$PRESERVE_LOGS" -gt 0 ]; then
save_logs
fi
;; ;;
"1") "1")
record_outcome "SKIP" record_outcome "SKIP"

44
tests/scripts/all.sh
View File

@ -50,10 +50,14 @@
# * G++ # * G++
# * arm-gcc and mingw-gcc # * arm-gcc and mingw-gcc
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc # * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
# * OpenSSL and GnuTLS command line tools, recent enough for the # * OpenSSL and GnuTLS command line tools, in suitable versions for the
# interoperability tests. If they don't support SSLv3 then a legacy # interoperability tests. The following are the official versions at the
# version of these tools must be present as well (search for LEGACY # time of writing:
# below). # * GNUTLS_{CLI,SERV} = 3.4.10
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
# * OPENSSL_LEGACY = 1.0.1j
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
# * OPENSSL_NEXT = 1.1.1a
# See the invocation of check_tools below for details. # See the invocation of check_tools below for details.
# #
# This script must be invoked from the toplevel directory of a git # This script must be invoked from the toplevel directory of a git
@ -168,8 +172,6 @@ pre_initialize_variables () {
: ${OPENSSL_NEXT:="$OPENSSL"} : ${OPENSSL_NEXT:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"} : ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"} : ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build} : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
: ${ARMC5_BIN_DIR:=/usr/bin} : ${ARMC5_BIN_DIR:=/usr/bin}
: ${ARMC6_BIN_DIR:=/usr/bin} : ${ARMC6_BIN_DIR:=/usr/bin}
@ -286,8 +288,6 @@ Tool path options:
--gcc-latest=<GCC_latest_path> Latest version of GCC available --gcc-latest=<GCC_latest_path> Latest version of GCC available
--gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests. --gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests.
--gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests. --gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests.
--gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests.
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests. --openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests e.g. SSLv3. --openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests e.g. SSLv3.
--openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA --openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
@ -435,8 +435,8 @@ pre_parse_command_line () {
--gcc-earliest) shift; GCC_EARLIEST="$1";; --gcc-earliest) shift; GCC_EARLIEST="$1";;
--gcc-latest) shift; GCC_LATEST="$1";; --gcc-latest) shift; GCC_LATEST="$1";;
--gnutls-cli) shift; GNUTLS_CLI="$1";; --gnutls-cli) shift; GNUTLS_CLI="$1";;
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";; --gnutls-legacy-cli) shift;; # ignored for backward compatibility
--gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";; --gnutls-legacy-serv) shift;; # ignored for backward compatibility
--gnutls-serv) shift; GNUTLS_SERV="$1";; --gnutls-serv) shift; GNUTLS_SERV="$1";;
--help|-h) usage; exit;; --help|-h) usage; exit;;
--keep-going|-k) KEEP_GOING=1;; --keep-going|-k) KEEP_GOING=1;;
@ -709,8 +709,6 @@ pre_print_configuration () {
echo "OPENSSL_NEXT: $OPENSSL_NEXT" echo "OPENSSL_NEXT: $OPENSSL_NEXT"
echo "GNUTLS_CLI: $GNUTLS_CLI" echo "GNUTLS_CLI: $GNUTLS_CLI"
echo "GNUTLS_SERV: $GNUTLS_SERV" echo "GNUTLS_SERV: $GNUTLS_SERV"
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR" echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR" echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
} }
@ -736,11 +734,8 @@ pre_check_tools () {
fi fi
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV" set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \ check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
"$GNUTLS_CLI" "$GNUTLS_SERV" \ "$GNUTLS_CLI" "$GNUTLS_SERV"
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
;; ;;
esac esac
@ -1031,8 +1026,7 @@ component_test_sslv3 () {
make test make test
msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
tests/compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12' tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
tests/ssl-opt.sh tests/ssl-opt.sh
@ -1590,8 +1584,11 @@ component_test_full_cmake_clang () {
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh single-DES (full config)" # ~ 30s
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
msg "test: compat.sh ARIA + ChachaPoly" msg "test: compat.sh ARIA + ChachaPoly"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
@ -1881,8 +1878,11 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh tests/compat.sh
msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'

13
tests/scripts/basic-build-test.sh
View File

@ -51,8 +51,6 @@ fi
: ${OPENSSL_LEGACY:="$OPENSSL"} : ${OPENSSL_LEGACY:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"} : ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"} : ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
# Used to make ssl-opt.sh deterministic. # Used to make ssl-opt.sh deterministic.
# #
@ -81,8 +79,6 @@ OPENSSL="$OPENSSL" \
OPENSSL_LEGACY="$OPENSSL_LEGACY" \ OPENSSL_LEGACY="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_CLI" \ GNUTLS_CLI="$GNUTLS_CLI" \
GNUTLS_SERV="$GNUTLS_SERV" \ GNUTLS_SERV="$GNUTLS_SERV" \
GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
scripts/output_env.sh scripts/output_env.sh
echo echo
@ -120,17 +116,12 @@ echo
# Step 2c - Compatibility tests (keep going even if some tests fail) # Step 2c - Compatibility tests (keep going even if some tests fail)
echo '################ compat.sh ################' echo '################ compat.sh ################'
{ {
echo '#### compat.sh: Default versions' echo '#### compat.sh: Default ciphers'
sh compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12' sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
echo
echo '#### compat.sh: legacy (SSLv3)'
OPENSSL="$OPENSSL_LEGACY" sh compat.sh -m 'ssl3'
echo echo
echo '#### compat.sh: legacy (null, DES, RC4)' echo '#### compat.sh: legacy (null, DES, RC4)'
OPENSSL="$OPENSSL_LEGACY" \ OPENSSL="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
echo echo

27
tests/ssl-opt.sh
View File

@ -81,14 +81,6 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
# alternative versions of OpenSSL and GnuTLS (no default path) # alternative versions of OpenSSL and GnuTLS (no default path)
if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
else
O_LEGACY_SRV=false
O_LEGACY_CLI=false
fi
if [ -n "${OPENSSL_NEXT:-}" ]; then if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client" O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
@ -456,20 +448,6 @@ requires_gnutls_next() {
fi fi
} }
# skip next test if OpenSSL-legacy isn't available
requires_openssl_legacy() {
if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
OPENSSL_LEGACY_AVAILABLE="YES"
else
OPENSSL_LEGACY_AVAILABLE="NO"
fi
fi
if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}
requires_openssl_next() { requires_openssl_next() {
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
@ -1502,11 +1480,6 @@ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT" G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT" G_CLI="$G_CLI -p +SRV_PORT"
if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
fi
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even # Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol # low-security ones. This covers not just cipher suites but also protocol
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on # versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on