Merge pull request #8121 from gilles-peskine-arm/ssl-test-no-legacy
Remove GNUTLS_LEGACY and OPENSSL_LEGACY
This commit is contained in:
Manuel Pégourié-Gonnard
GitHub
commit
2e37d7b238
5 changed files with 30 additions and 84 deletions
|
|
@ -170,13 +170,6 @@ echo
|
|||
print_version "$OPENSSL" "version" "default"
|
||||
echo
|
||||
|
||||
if [ -n "${OPENSSL_LEGACY+set}" ]; then
|
||||
print_version "$OPENSSL_LEGACY" "version" "legacy"
|
||||
else
|
||||
echo " * openssl (legacy): Not configured."
|
||||
fi
|
||||
echo
|
||||
|
||||
if [ -n "${OPENSSL_NEXT+set}" ]; then
|
||||
print_version "$OPENSSL_NEXT" "version" "next"
|
||||
else
|
||||
|
|
@ -192,20 +185,6 @@ echo
|
|||
print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
|
||||
echo
|
||||
|
||||
if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
|
||||
print_version "$GNUTLS_LEGACY_CLI" "--version" "legacy" "head -n 1"
|
||||
else
|
||||
echo " * gnutls-cli (legacy): Not configured."
|
||||
fi
|
||||
echo
|
||||
|
||||
if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
|
||||
print_version "$GNUTLS_LEGACY_SERV" "--version" "legacy" "head -n 1"
|
||||
else
|
||||
echo " * gnutls-serv (legacy): Not configured."
|
||||
fi
|
||||
echo
|
||||
|
||||
echo " * Installed asan versions:"
|
||||
if type dpkg-query >/dev/null 2>/dev/null; then
|
||||
if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |
|
||||
|
|
|
|||
|
|
@ -108,6 +108,7 @@ FILTER=""
|
|||
EXCLUDE='NULL\|ARIA\|CHACHA20_POLY1305'
|
||||
VERBOSE=""
|
||||
MEMCHECK=0
|
||||
PRESERVE_LOGS=0
|
||||
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"
|
||||
|
||||
# hidden option: skip DTLS with OpenSSL
|
||||
|
|
@ -129,6 +130,7 @@ print_usage() {
|
|||
printf " --list-test-case\tList all potential test cases (No Execution)\n"
|
||||
printf " --outcome-file\tFile where test outcomes are written\n"
|
||||
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
|
||||
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
|
||||
}
|
||||
|
||||
# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
|
||||
|
|
@ -197,6 +199,9 @@ get_options() {
|
|||
--outcome-file)
|
||||
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
|
||||
;;
|
||||
--preserve-logs)
|
||||
PRESERVE_LOGS=1
|
||||
;;
|
||||
-h|--help)
|
||||
print_usage
|
||||
exit 0
|
||||
|
|
@ -629,7 +634,7 @@ setup_arguments()
|
|||
fi
|
||||
|
||||
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE"
|
||||
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
|
||||
O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
|
||||
G_SERVER_ARGS="-p $PORT --http $G_MODE"
|
||||
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||
|
||||
|
|
@ -887,12 +892,16 @@ record_outcome() {
|
|||
fi
|
||||
}
|
||||
|
||||
save_logs() {
|
||||
cp $SRV_OUT c-srv-${TESTS}.log
|
||||
cp $CLI_OUT c-cli-${TESTS}.log
|
||||
}
|
||||
|
||||
# display additional information if test case fails
|
||||
report_fail() {
|
||||
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
|
||||
record_outcome "FAIL" "$FAIL_PROMPT"
|
||||
cp $SRV_OUT c-srv-${TESTS}.log
|
||||
cp $CLI_OUT c-cli-${TESTS}.log
|
||||
save_logs
|
||||
echo " ! $FAIL_PROMPT"
|
||||
|
||||
if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
|
||||
|
|
@ -1010,6 +1019,9 @@ run_client() {
|
|||
case $RESULT in
|
||||
"0")
|
||||
record_outcome "PASS"
|
||||
if [ "$PRESERVE_LOGS" -gt 0 ]; then
|
||||
save_logs
|
||||
fi
|
||||
;;
|
||||
"1")
|
||||
record_outcome "SKIP"
|
||||
|
|
|
|||
|
|
@ -50,10 +50,13 @@
|
|||
# * G++
|
||||
# * arm-gcc and mingw-gcc
|
||||
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
|
||||
# * OpenSSL and GnuTLS command line tools, recent enough for the
|
||||
# interoperability tests. If they don't support old features which we want
|
||||
# to test, then a legacy version of these tools must be present as well
|
||||
# (search for LEGACY below).
|
||||
# * OpenSSL and GnuTLS command line tools, in suitable versions for the
|
||||
# interoperability tests. The following are the official versions at the
|
||||
# time of writing:
|
||||
# * GNUTLS_{CLI,SERV} = 3.4.10
|
||||
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
|
||||
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
|
||||
# * OPENSSL_NEXT = 1.1.1a
|
||||
# See the invocation of check_tools below for details.
|
||||
#
|
||||
# This script must be invoked from the toplevel directory of a git
|
||||
|
|
@ -179,12 +182,9 @@ pre_initialize_variables () {
|
|||
|
||||
# Default commands, can be overridden by the environment
|
||||
: ${OPENSSL:="openssl"}
|
||||
: ${OPENSSL_LEGACY:="$OPENSSL"}
|
||||
: ${OPENSSL_NEXT:="$OPENSSL"}
|
||||
: ${GNUTLS_CLI:="gnutls-cli"}
|
||||
: ${GNUTLS_SERV:="gnutls-serv"}
|
||||
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
|
||||
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
|
||||
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
|
||||
: ${ARMC5_BIN_DIR:=/usr/bin}
|
||||
: ${ARMC6_BIN_DIR:=/usr/bin}
|
||||
|
|
@ -300,10 +300,7 @@ Tool path options:
|
|||
--gcc-latest=<GCC_latest_path> Latest version of GCC available
|
||||
--gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests.
|
||||
--gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests.
|
||||
--gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests.
|
||||
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
|
||||
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
|
||||
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests..
|
||||
--openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
|
||||
EOF
|
||||
}
|
||||
|
|
@ -474,8 +471,8 @@ pre_parse_command_line () {
|
|||
--gcc-earliest) shift; GCC_EARLIEST="$1";;
|
||||
--gcc-latest) shift; GCC_LATEST="$1";;
|
||||
--gnutls-cli) shift; GNUTLS_CLI="$1";;
|
||||
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
|
||||
--gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
|
||||
--gnutls-legacy-cli) shift;; # ignored for backward compatibility
|
||||
--gnutls-legacy-serv) shift;; # ignored for backward compatibility
|
||||
--gnutls-serv) shift; GNUTLS_SERV="$1";;
|
||||
--help|-h) usage; exit;;
|
||||
--keep-going|-k) KEEP_GOING=1;;
|
||||
|
|
@ -489,7 +486,6 @@ pre_parse_command_line () {
|
|||
--no-memory) MEMORY=0;;
|
||||
--no-quiet) QUIET=0;;
|
||||
--openssl) shift; OPENSSL="$1";;
|
||||
--openssl-legacy) shift; OPENSSL_LEGACY="$1";;
|
||||
--openssl-next) shift; OPENSSL_NEXT="$1";;
|
||||
--outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";;
|
||||
--out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";;
|
||||
|
|
@ -744,12 +740,9 @@ pre_print_configuration () {
|
|||
echo "SEED: ${SEED-"UNSET"}"
|
||||
echo
|
||||
echo "OPENSSL: $OPENSSL"
|
||||
echo "OPENSSL_LEGACY: $OPENSSL_LEGACY"
|
||||
echo "OPENSSL_NEXT: $OPENSSL_NEXT"
|
||||
echo "GNUTLS_CLI: $GNUTLS_CLI"
|
||||
echo "GNUTLS_SERV: $GNUTLS_SERV"
|
||||
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
|
||||
echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
|
||||
echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
|
||||
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
|
||||
}
|
||||
|
|
@ -773,13 +766,10 @@ pre_check_tools () {
|
|||
if [ -n "${SEED-}" ]; then
|
||||
export SEED
|
||||
fi
|
||||
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
|
||||
set "$@" OPENSSL="$OPENSSL"
|
||||
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
|
||||
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
|
||||
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
|
||||
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
|
||||
"$GNUTLS_CLI" "$GNUTLS_SERV" \
|
||||
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
|
||||
check_tools "$OPENSSL" "$OPENSSL_NEXT" \
|
||||
"$GNUTLS_CLI" "$GNUTLS_SERV"
|
||||
;;
|
||||
esac
|
||||
|
||||
|
|
@ -1879,7 +1869,7 @@ component_test_full_cmake_clang () {
|
|||
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
|
||||
|
||||
msg "test: compat.sh NULL (full config)" # ~ 2 min
|
||||
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL'
|
||||
tests/compat.sh -e '^$' -f 'NULL'
|
||||
|
||||
msg "test: compat.sh ARIA + ChachaPoly"
|
||||
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
|
|
@ -2286,7 +2276,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
|
|||
tests/compat.sh
|
||||
|
||||
msg "test: compat.sh NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -f 'NULL'
|
||||
tests/compat.sh -f 'NULL'
|
||||
|
||||
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
|
||||
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
|
|
|
|||
|
|
@ -48,11 +48,8 @@ if [ -d library -a -d include -a -d tests ]; then :; else
|
|||
fi
|
||||
|
||||
: ${OPENSSL:="openssl"}
|
||||
: ${OPENSSL_LEGACY:="$OPENSSL"}
|
||||
: ${GNUTLS_CLI:="gnutls-cli"}
|
||||
: ${GNUTLS_SERV:="gnutls-serv"}
|
||||
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
|
||||
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
|
||||
|
||||
# Used to make ssl-opt.sh deterministic.
|
||||
#
|
||||
|
|
@ -78,11 +75,8 @@ CONFIG_BAK="$CONFIG_H.bak"
|
|||
|
||||
# Step 0 - print build environment info
|
||||
OPENSSL="$OPENSSL" \
|
||||
OPENSSL_LEGACY="$OPENSSL_LEGACY" \
|
||||
GNUTLS_CLI="$GNUTLS_CLI" \
|
||||
GNUTLS_SERV="$GNUTLS_SERV" \
|
||||
GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
|
||||
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
|
||||
scripts/output_env.sh
|
||||
echo
|
||||
|
||||
|
|
@ -124,9 +118,7 @@ echo '################ compat.sh ################'
|
|||
sh compat.sh
|
||||
echo
|
||||
|
||||
echo '#### compat.sh: legacy (null)'
|
||||
OPENSSL="$OPENSSL_LEGACY" \
|
||||
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
|
||||
echo '#### compat.sh: null cipher'
|
||||
sh compat.sh -e '^$' -f 'NULL'
|
||||
echo
|
||||
|
||||
|
|
|
|||
|
|
@ -81,14 +81,6 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"
|
|||
|
||||
# alternative versions of OpenSSL and GnuTLS (no default path)
|
||||
|
||||
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
||||
O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
|
||||
else
|
||||
O_LEGACY_SRV=false
|
||||
O_LEGACY_CLI=false
|
||||
fi
|
||||
|
||||
if [ -n "${OPENSSL_NEXT:-}" ]; then
|
||||
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
|
||||
O_NEXT_SRV_EARLY_DATA="$OPENSSL_NEXT s_server -early_data -cert data_files/server5.crt -key data_files/server5.key"
|
||||
|
|
@ -644,20 +636,6 @@ requires_gnutls_next() {
|
|||
fi
|
||||
}
|
||||
|
||||
# skip next test if OpenSSL-legacy isn't available
|
||||
requires_openssl_legacy() {
|
||||
if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
|
||||
if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
|
||||
OPENSSL_LEGACY_AVAILABLE="YES"
|
||||
else
|
||||
OPENSSL_LEGACY_AVAILABLE="NO"
|
||||
fi
|
||||
fi
|
||||
if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
}
|
||||
|
||||
requires_openssl_next() {
|
||||
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
|
||||
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
|
||||
|
|
@ -1915,11 +1893,6 @@ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
|
|||
G_SRV="$G_SRV -p $SRV_PORT"
|
||||
G_CLI="$G_CLI -p +SRV_PORT"
|
||||
|
||||
if [ -n "${OPENSSL_LEGACY:-}" ]; then
|
||||
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
|
||||
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
|
||||
fi
|
||||
|
||||
# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
|
||||
# low-security ones. This covers not just cipher suites but also protocol
|
||||
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
|
||||
|
|
|
|||
Loading…
Reference in a new issue