From 4be89414ab99c4c76b8e6ab5f22495a63f4bdb59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 11:16:58 +0200 Subject: [PATCH 01/13] compat.sh: always filter ciphersuites MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We always want to call 'filter' regardless of the values of FILTER and EXCLUDE because it also performs standard-defined filtering like removing RC4 ciphersuites with DTLS. (AFAICS, not calling 'filter' when we thought it was not needed was just a performance optimisation.) Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index c2ea8821df..0140369513 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -272,17 +272,9 @@ filter() filter_ciphersuites() { - if [ "X" != "X$FILTER" -o "X" != "X$EXCLUDE" ]; - then - # Ciphersuite for Mbed TLS - M_CIPHERS=$( filter "$M_CIPHERS" ) - - # Ciphersuite for OpenSSL - O_CIPHERS=$( filter "$O_CIPHERS" ) - - # Ciphersuite for GnuTLS - G_CIPHERS=$( filter "$G_CIPHERS" ) - fi + M_CIPHERS=$( filter "$M_CIPHERS" ) + O_CIPHERS=$( filter "$O_CIPHERS" ) + G_CIPHERS=$( filter "$G_CIPHERS" ) } reset_ciphersuites() From 826f8da954c06fc568601ba8a755b7e8c8f9aacf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 11:17:26 +0200 Subject: [PATCH 02/13] compat.sh: fix --list-test-cases for RC4 with DTLS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 0140369513..f21619a16a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -133,6 +133,11 @@ print_test_case() { # list_test_case lists all potential test cases in compat.sh without execution list_test_cases() { + # We want to call filter_ciphersuites to apply standard-defined exclusions + # (like "no RC4 with DTLS") but without user-defined exludes/filters. + EXCLUDE='^$' + FILTER="" + for MODE in $MODES; do for TYPE in $TYPES; do # PSK cipher suites do not allow client certificate verification. @@ -147,6 +152,7 @@ list_test_cases() { add_openssl_ciphersuites add_gnutls_ciphersuites add_mbedtls_ciphersuites + filter_ciphersuites print_test_case m O "$O_CIPHERS" print_test_case O m "$O_CIPHERS" print_test_case m G "$G_CIPHERS" From c1685d1c1112fa245084aca0b1c291f2c8f3593f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 11:38:55 +0200 Subject: [PATCH 03/13] compat.sh: use correct names in --list-test-cases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The main fix here is that m->O and m->G should use `M_CIPHERS`. In order to apply that though, we need to change the structure with a new for loop and case statement. The new structure matches what's done when actually running tests. Note: this issue only exists in 2.28. In 3.x we now use the standard name for display everywhere, but in 2.28 we use the name as seen by the client for display. Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index f21619a16a..03e7298c93 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -147,17 +147,31 @@ list_test_cases() { fi for VERIFY in $SUB_VERIFIES; do VERIF=$(echo $VERIFY | tr '[:upper:]' '[:lower:]') - reset_ciphersuites - add_common_ciphersuites - add_openssl_ciphersuites - add_gnutls_ciphersuites - add_mbedtls_ciphersuites - filter_ciphersuites - print_test_case m O "$O_CIPHERS" - print_test_case O m "$O_CIPHERS" - print_test_case m G "$G_CIPHERS" - print_test_case G m "$G_CIPHERS" - print_test_case m m "$M_CIPHERS" + for PEER in $PEERS; do + reset_ciphersuites + add_common_ciphersuites + case "$PEER" in + [Oo]pen*) + add_openssl_ciphersuites + filter_ciphersuites + print_test_case m O "$M_CIPHERS" + print_test_case O m "$O_CIPHERS" + ;; + [Gg]nu*) + add_gnutls_ciphersuites + filter_ciphersuites + print_test_case m G "$M_CIPHERS" + print_test_case G m "$G_CIPHERS" + ;; + mbed*) + add_openssl_ciphersuites + add_gnutls_ciphersuites + add_mbedtls_ciphersuites + filter_ciphersuites + print_test_case m m "$M_CIPHERS" + ;; + esac + done done done done From 62910cf47d48bdc586feb9987368e85f3f196fcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 23:00:36 +0200 Subject: [PATCH 04/13] compat.sh: include ssl3 in --list-test-cases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index 03e7298c93..64c67cef04 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -138,6 +138,9 @@ list_test_cases() { EXCLUDE='^$' FILTER="" + # ssl3 is excluded by default, but it's still available + MODES="ssl3 $MODES" + for MODE in $MODES; do for TYPE in $TYPES; do # PSK cipher suites do not allow client certificate verification. From 2cd43a7a7817f79d811208121266e761239bea3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 23:01:09 +0200 Subject: [PATCH 05/13] Run compat.sh with non-default ciphers with ssl3 too MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 17 ++++++++++++----- tests/scripts/basic-build-test.sh | 3 ++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6b4b4e4a3e..1256d82608 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1629,11 +1629,16 @@ component_test_full_cmake_clang () { msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' + msg "test: compat.sh default ciphers" + tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' + msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min - tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' + tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh single-DES (full config)" # ~ 30s - env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' + env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh ARIA + ChachaPoly" env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' @@ -1926,13 +1931,15 @@ component_test_no_use_psa_crypto_full_cmake_asan() { tests/ssl-opt.sh msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" - tests/compat.sh + tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" - tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' + tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)" - env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' + env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 9d9c999365..9202c25290 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -110,7 +110,8 @@ echo '################ compat.sh ################' echo '#### compat.sh: legacy (null, DES, RC4)' OPENSSL="$OPENSSL_LEGACY" \ - sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' + sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' echo echo '#### compat.sh: next (ARIA, ChaCha)' From 2e1d2fe87532c311fcc1e69818a9d30b47d4fc39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Apr 2024 23:13:49 +0200 Subject: [PATCH 06/13] analyze_outcomes.py: ignore OpenSSL+dtls12+DES MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No sure if it'd possible to build a version of OpenSSL that supports both by tuning the config, but pretty sure improving testing for single-DES ciphersuites is not the best use of our time in 2024. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index d50a04e612..f88d7992e1 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -113,6 +113,18 @@ TASKS = { 'test_suite_psa_crypto_metadata;Asymmetric signature: pure EdDSA', # Algorithm not supported yet 'test_suite_psa_crypto_metadata;Cipher: XTS', + # compat.sh tests with OpenSSL, DTLS 1.2 and singled-DES: + # we have no version of OpenSSL on the CI that supports both + # DTLS 1.2 and single-DES (1.0.2g is too recent for single-DES + # and 1.0.1j is too old for DTLS 1.2). + 'compat;O->m dtls12,no DES-CBC-SHA', + 'compat;O->m dtls12,no EDH-RSA-DES-CBC-SHA', + 'compat;O->m dtls12,yes DES-CBC-SHA', + 'compat;O->m dtls12,yes EDH-RSA-DES-CBC-SHA', + 'compat;m->O dtls12,no TLS-DHE-RSA-WITH-DES-CBC-SHA', + 'compat;m->O dtls12,no TLS-RSA-WITH-DES-CBC-SHA', + 'compat;m->O dtls12,yes TLS-DHE-RSA-WITH-DES-CBC-SHA', + 'compat;m->O dtls12,yes TLS-RSA-WITH-DES-CBC-SHA', ], 'full_coverage': False, } From e86e2bc451eb3fc43346be4f1d8913e49f0c1c94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 10 Apr 2024 12:26:24 +0200 Subject: [PATCH 07/13] compat.sh: properly report skipped tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Don't just silently continue. Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 64c67cef04..43c6cfa41a 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -927,7 +927,22 @@ add_mbedtls_ciphersuites() # o_check_ciphersuite CIPHER_SUITE_NAME o_check_ciphersuite() { - if [ "${O_SUPPORT_ECDH}" = "NO" ]; then + # skip DTLS when lack of support was declared + if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then + SKIP_NEXT_="YES" + fi + + # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL + # supports $O_MODE from the s_server help. (The s_client + # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 + # but doesn't list it. But the s_server help seems to be + # accurate.) + if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then + SKIP_NEXT_="YES" + fi + + # skip static ECDH when OpenSSL doesn't support it + if [ "${O_SUPPORT_STATIC_ECDH}" = "NO" ]; then case "$1" in *ECDH-*) SKIP_NEXT="YES" esac @@ -1036,8 +1051,8 @@ setup_arguments() esac case $($OPENSSL ciphers ALL) in - *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_ECDH="YES";; - *) O_SUPPORT_ECDH="NO";; + *ECDH-ECDSA*|*ECDH-RSA*) O_SUPPORT_STATIC_ECDH="YES";; + *) O_SUPPORT_STATIC_ECDH="NO";; esac if [ "X$VERIFY" = "XYES" ]; @@ -1489,19 +1504,6 @@ for MODE in $MODES; do [Oo]pen*) - if test "$OSSL_NO_DTLS" -gt 0 && is_dtls "$MODE"; then - continue; - fi - - # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL - # supports $O_MODE from the s_server help. (The s_client - # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 - # but doesn't list it. But the s_server help seems to be - # accurate.) - if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then - continue; - fi - reset_ciphersuites add_common_ciphersuites add_openssl_ciphersuites From 7e5d81d4317cb22be6f36b0daaedf4a5ed8a9fa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 10 Apr 2024 12:50:40 +0200 Subject: [PATCH 08/13] compat.sh: no TLS-RSA-WITH-NULL-SHA256 with ssl3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is officially a 1.2-only ciphersuite, but we also support it with 1.0 and 1.1. However we don't support it with SSLv3 (see definition in ssl_ciphersuites.c: mininum minor version is 1, that is TLS 1.0). Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 43c6cfa41a..6a43e25c0e 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -655,14 +655,18 @@ add_gnutls_ciphersuites() ;; "RSA") - # Not actually supported with all GnuTLS versions. See - # GNUTLS_HAS_TLS1_RSA_NULL_SHA256= below. - M_CIPHERS="$M_CIPHERS \ - TLS-RSA-WITH-NULL-SHA256 \ - " - G_CIPHERS="$G_CIPHERS \ - +RSA:+NULL:+SHA256 \ - " + if [ `minor_ver "$MODE"` -ge 1 ] + then + # Not actually supported with all GnuTLS versions. See + # GNUTLS_HAS_TLS1_RSA_NULL_SHA256= below. + M_CIPHERS="$M_CIPHERS \ + TLS-RSA-WITH-NULL-SHA256 \ + " + G_CIPHERS="$G_CIPHERS \ + +RSA:+NULL:+SHA256 \ + " + fi + if [ `minor_ver "$MODE"` -ge 3 ] then M_CIPHERS="$M_CIPHERS \ From de05197829886f4bb878bcb70bd671143609652d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 10 Apr 2024 22:11:20 +0200 Subject: [PATCH 09/13] compat.sh: properly skip single-DES and DTLS 1.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Skipping DTLS 1.2 with old versions was already done, but now properly test support only once and use the results. Skipping single-DES with new versions is new, but helps finding the right incantation. Note that historically, this script's policy was that it's the user's job to find the right value of -e (EXCLUDE) for their version for OpenSSL & config. Now it's a weird mix of that and the script doing some detection and skipping. Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 6a43e25c0e..3d9fed338b 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -936,13 +936,17 @@ o_check_ciphersuite() SKIP_NEXT_="YES" fi - # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL - # supports $O_MODE from the s_server help. (The s_client - # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 - # but doesn't list it. But the s_server help seems to be - # accurate.) - if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then - SKIP_NEXT_="YES" + # skip DTLS 1.2 is support was not detected + if [ "$O_SUPPORT_DTLS12" = "NO" -a "$MODE" = "dtls12" ]; then + SKIP_NEXT="YES" + fi + + # skip single-DES ciphersuite if no longer supported + if [ "$O_SUPPORT_SINGLE_DES" = "NO" ]; then + case "$1" in + # note: 3DES is DES-CBC3 for OpenSSL, 3DES for Mbed TLS + *-DES-CBC-*|DES-CBC-*) SKIP_NEXT="YES" + esac fi # skip static ECDH when OpenSSL doesn't support it @@ -951,6 +955,8 @@ o_check_ciphersuite() *ECDH-*) SKIP_NEXT="YES" esac fi + + printf "\no_check: $MODE $1 ($O_SUPPORT_DTLS12) -> $SKIP_NEXT\n" } # g_check_ciphersuite CIPHER_SUITE_NAME @@ -1059,6 +1065,21 @@ setup_arguments() *) O_SUPPORT_STATIC_ECDH="NO";; esac + case $($OPENSSL ciphers ALL) in + *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";; + *) O_SUPPORT_SINGLE_DES="NO";; + esac + + # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL + # supports -dtls1_2 from the s_server help. (The s_client + # help isn't accurate as of 1.0.2g: it supports DTLS 1.2 + # but doesn't list it. But the s_server help seems to be + # accurate.) + O_SUPPORT_DTLS12="NO" + if $OPENSSL s_server -help 2>&1 | grep -q "^ *-dtls1_2 "; then + O_SUPPORT_DTLS12="YES" + fi + if [ "X$VERIFY" = "XYES" ]; then M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required" From 9fb48dab2ddd1c096f420ffad680af11abd44245 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 11 Apr 2024 10:32:02 +0200 Subject: [PATCH 10/13] Remove leftover debugging printf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/compat.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 3d9fed338b..c8c7482f8f 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -955,8 +955,6 @@ o_check_ciphersuite() *ECDH-*) SKIP_NEXT="YES" esac fi - - printf "\no_check: $MODE $1 ($O_SUPPORT_DTLS12) -> $SKIP_NEXT\n" } # g_check_ciphersuite CIPHER_SUITE_NAME From aefbb66bfb9fa4016182b587f6c8cf6eda5b2806 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 17 Apr 2024 11:51:13 +0200 Subject: [PATCH 11/13] Simplify full invocation of compat.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now run everything we can with the default version in one go, then everything that needs legacy, then next. Don't rely on the default value of -e (EXCLUDE), use explicit values everywhere - this makes it obvious that we are running everything. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 30 ++++++++++++++---------------- tests/scripts/basic-build-test.sh | 18 ++++++++++-------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1256d82608..e06e9434cc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1629,19 +1629,18 @@ component_test_full_cmake_clang () { msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' - msg "test: compat.sh default ciphers" - tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - - msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min - tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' \ + msg "test: compat.sh all except legacy/next (full config)" + tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \ -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - msg "test: compat.sh single-DES (full config)" # ~ 30s - env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' \ + msg "test: compat.sh single-DES (full config)" + env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \ -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - msg "test: compat.sh ARIA + ChachaPoly" - env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' + # ARIA and ChachaPoly are both (D)TLS 1.2 only + msg "test: compat.sh ARIA + ChachaPoly (full config)" + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ + -m 'dtls12 dtls12' } skip_suites_without_constant_flow () { @@ -1930,19 +1929,18 @@ component_test_no_use_psa_crypto_full_cmake_asan() { msg "test: ssl-opt.sh (full minus MBEDTLS_USE_PSA_CRYPTO)" tests/ssl-opt.sh - msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" - tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - - msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" - tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR' \ + msg "test: compat.sh all except legacy/next (full minus MBEDTLS_USE_PSA_CRYPTO)" + tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \ -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)" - env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES' \ + env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \ -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' + # ARIA and ChachaPoly are both (D)TLS 1.2 only msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" - env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ + -m 'dtls12 dtls12' } component_test_psa_crypto_config_accel_ecdsa () { diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 9202c25290..f9eb0c5ca2 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -104,18 +104,20 @@ echo # Step 2c - Compatibility tests (keep going even if some tests fail) echo '################ compat.sh ################' { - echo '#### compat.sh: Default ciphers' - sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - echo - - echo '#### compat.sh: legacy (null, DES, RC4)' - OPENSSL="$OPENSSL_LEGACY" \ - sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' \ + echo '#### compat.sh: all except legacy/next' + sh compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \ -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' echo + echo '#### compat.sh: legacy (single-DES)' + OPENSSL="$OPENSSL_LEGACY" sh compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' + echo + + # ARIA and ChachaPoly are both (D)TLS 1.2 only echo '#### compat.sh: next (ARIA, ChaCha)' - OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA' + OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA' \ + -m 'dtls12 dtls12' echo } | tee compat-test-$TEST_OUTPUT echo '^^^^^^^^^^^^^^^^ compat.sh ^^^^^^^^^^^^^^^^' From b76606cc142aa5fc8d57f15b938cf598d52da126 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 17 Apr 2024 12:15:51 +0200 Subject: [PATCH 12/13] Run full compat.sh in ASan component only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It makes little sense to run full compat.sh in the non-ASan component but only partial compat.sh in the ASan component. Actually, the non-ASan component doesn't need compat.sh at all, it's more than covered with ssl-opt.sh and test_suite_ssl already. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e06e9434cc..21c8680500 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -928,8 +928,18 @@ component_test_full_cmake_gcc_asan () { msg "test: ssl-opt.sh (full config, ASan build)" tests/ssl-opt.sh - msg "test: compat.sh (full config, ASan build)" - tests/compat.sh + msg "test: compat.sh all except legacy/next (full config, ASan build)" + tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' + + msg "test: compat.sh single-DES (full config, ASan build)" + env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \ + -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' + + # ARIA and ChachaPoly are both (D)TLS 1.2 only + msg "test: compat.sh ARIA + ChachaPoly (full config, ASan build)" + env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ + -m 'dtls12 dtls12' msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec tests/context-info.sh @@ -1628,19 +1638,6 @@ component_test_full_cmake_clang () { msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' - - msg "test: compat.sh all except legacy/next (full config)" - tests/compat.sh -e '^DES-CBC-\|-DES-CBC-\|ARIA\|CHACHA' \ - -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - - msg "test: compat.sh single-DES (full config)" - env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '^$' -f '^DES-CBC\|-DES-CBC-' \ - -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12' - - # ARIA and ChachaPoly are both (D)TLS 1.2 only - msg "test: compat.sh ARIA + ChachaPoly (full config)" - env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ - -m 'dtls12 dtls12' } skip_suites_without_constant_flow () { From de887bad7cc0bf7e4ee5862f159c291646433d2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 18 Apr 2024 10:05:04 +0200 Subject: [PATCH 13/13] Fix silly typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/all.sh | 4 ++-- tests/scripts/basic-build-test.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 21c8680500..7608b55497 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -939,7 +939,7 @@ component_test_full_cmake_gcc_asan () { # ARIA and ChachaPoly are both (D)TLS 1.2 only msg "test: compat.sh ARIA + ChachaPoly (full config, ASan build)" env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ - -m 'dtls12 dtls12' + -m 'tls12 dtls12' msg "test: context-info.sh (full config, ASan build)" # ~ 15 sec tests/context-info.sh @@ -1937,7 +1937,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() { # ARIA and ChachaPoly are both (D)TLS 1.2 only msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)" env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' \ - -m 'dtls12 dtls12' + -m 'tls12 dtls12' } component_test_psa_crypto_config_accel_ecdsa () { diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index f9eb0c5ca2..37f1519cac 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -117,7 +117,7 @@ echo '################ compat.sh ################' # ARIA and ChachaPoly are both (D)TLS 1.2 only echo '#### compat.sh: next (ARIA, ChaCha)' OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA' \ - -m 'dtls12 dtls12' + -m 'tls12 dtls12' echo } | tee compat-test-$TEST_OUTPUT echo '^^^^^^^^^^^^^^^^ compat.sh ^^^^^^^^^^^^^^^^'