Commit graph

219 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
2e37d7b238
Merge pull request #8121 from gilles-peskine-arm/ssl-test-no-legacy
Remove GNUTLS_LEGACY and OPENSSL_LEGACY
2023-10-18 07:13:12 +00:00
Gilles Peskine
e820c0abc8 Update spelling "mbed TLS" to "Mbed TLS"
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":

```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```

Justification for the omissions:

* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
  occurrences are significant names in certificates and such. Changing
  the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
  updates.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-12 19:18:17 +02:00
Yanray Wang
ab717b5287 Merge remote-tracking branch 'origin/development' into 7094-collect-compatsh-test-cases 2023-08-30 10:38:28 +08:00
Gilles Peskine
1783870681 compat.sh: add --preserve-logs option
Similar to ssl-opt.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-28 17:36:52 +02:00
Gilles Peskine
5f5e3886c5 Minor robustness improvement
Let openssl use any experimental or obsolete cipher that's not in ALL.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-27 21:41:31 +02:00
Dave Rodgman
e183ecef3d
Merge pull request #7136 from yanrayw/5692-record-compatsh-test-cases
Record the outcome of each test case in compat.sh
2023-07-10 12:08:32 +01:00
Yanray Wang
14e052fd7c compat.sh: return $? in option --list-test-case to handle error case
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-06 19:37:10 +08:00
Yanray Wang
cdc0708334 check_test_cases.py: use check_output to capture error and return
This commit includes:
 - use subprocess.check_output to report error and capture return
   value
 - add comment as a reminder for option --list-test-case

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-06 11:30:29 +08:00
Yanray Wang
fb784b26d2 compat.sh: uniform TITLE format for --list-test-case and run_client
uniform_title is used to print identical format of $TITLE between
--list-test-case and run_client. In such way, no matter how $TITLE
is developed, --list-test-case will in the same format of test case
description as stored in OUTCOME.CSV.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-03 10:27:23 +08:00
Yanray Wang
7b394da738 compat.sh: fix uncompatiable name of peers in --list-test-case
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-03-02 15:35:20 +08:00
Yanray Wang
ad47063002 compat.sh: add support to record outcome of test cases
If the environment variable MBEDTLS_TEST_OUTCOME_FILE is set,
the test outcome file records each test case in a single line
with the format of

 PLATFORM;CONFIGURATION;compat;TEST CASE DESCRIPTION;RESULT;[CAUSE]

- CONFIGURATION comes from MBEDTLS_TEST_CONFIGURATION to record
  configuration of each test case
- PLATFORM is either set by users or calculated from test
  platform
- RESULT is one of PASS, FAIL or SKIP. If test case fails,
  srv_out/cli_out follows as FAILURE CAUSE.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-28 14:30:24 +08:00
Yanray Wang
f45a8eae3b compat.sh: call record_fail if test case fails
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-28 14:29:16 +08:00
Yanray Wang
3fcd3a73c9 compat.sh: uniform test description
Test case description is printed by different block of code. This
causes code maintenance harder since we need to maintain two parts
of code with same functionality. print_test_title is used to
control test case description in compat.sh

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-24 18:02:28 +08:00
Yanray Wang
d893837d01 compat.sh: add --list-test-case
The option --list-test-case lists all potential test cases without
executing them. The test case description is identical with $TITLE
during test case execution.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-24 16:35:28 +08:00
Pengyu Lv
9e7bb2a92c Update some comments
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-23 16:03:56 +08:00
Pengyu Lv
07d5085fcf Skip ECDH ciphersuites for O->m pair
The mechanism of detecting unsupported ciphersuites
for OpenSSL client doesn't work on a modern OpenSSL.
At least, it fails on Travis CI which is installed
with OpenSSL 1.1.1f. So we need to skip ECDH cipher-
suites for O->m.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-22 12:18:48 +08:00
Pengyu Lv
a64c277588 compat.sh: Skip all *ECDH_* ciphersuites
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-22 10:19:40 +08:00
Pengyu Lv
5e780df3e3 Only use standard cipher name
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-21 14:19:27 +08:00
Pengyu Lv
1c0e4c013a compat.sh: skip static ECDH cases if unsupported in openssl
This commit add support to detect if openssl used for testing
supports static ECDH key exchange. Skip the ciphersutes if
openssl doesn't support them.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-02-20 18:05:21 +08:00
Yanray Wang
303829709d compat.sh: simplify code of iterating on VERIFY for PSK tests
Since PSK cipher suites do not allow client certificate verification,
PSK test cases should be executed under VERIFY=NO. SUB_VERIFIES is
used to constrain verification option for PSK tests.

With aforementioned change, the latter check of
$VERIFY=YES && $TYPE!=PSK is redundant so it's removed.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-08 14:58:35 +08:00
Yanray Wang
3f9961bfca compat.sh: remove G_CLIENT_PRIO as it's not used
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
a89c4d51f7 compat.sh: display "no" even if $VERIFY=YES for PSK test cases
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
5d646e705d compat.sh: do not filter PSK ciphersuites for GnuTLS if $VERIFY=YES
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
c66a46f734 compat.sh: remove check_openssl_server_bug
As there is no $VERIFY for PSK test cases,
check_openssl_server_bug is not functional in compat.sh.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
35c0eadf0f compat.sh: avoid running duplicate test cases for PSK
With the introduction of PSK_TESTS,
 - Either `compat.sh -V NO` or `compat.sh -V YES` runs the PSK tests
 - `compat.sh` or `compat.sh -V "NO YES"` runs PSK tests only once

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:51 +08:00
Yanray Wang
dae7057e1f compat.sh: ignore $VERIFY in PSK TYPE
There is no need to provide CA file in PSK. Thus VERIFY is
meaningless for PSK. This change omits the arguments passed to
the client and server for $VERIFY=YES.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-07 16:36:20 +08:00
Gilles Peskine
e2db23d741
Merge pull request #6902 from yanrayw/6651-enable-cipher-suite-names-consistent
compat.sh: report and filter cipher suite names consistently
2023-02-03 11:38:31 +01:00
Yanray Wang
131ec931eb Remove the additional dot in output of compat.sh
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-02-03 12:13:04 +08:00
Gilles Peskine
81505e4a16
Merge pull request #6917 from yanrayw/6658-not-print-Terminated-ubuntu-22.04
Fix the problem of printing "Terminated" in compat.sh under Ubuntu-22.04
2023-01-26 21:53:33 +01:00
Gilles Peskine
b20028b3a3 Avoid using external programs in inner loops
Don't use external programs for string manipulation that the shell can do.
This makes the script a little faster (~10% when testing PSK).

For this commit, I only looked at code run in the innermost loop.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-26 21:45:45 +01:00
Gilles Peskine
47aab850da Batch cipher translations to go faster
Python has a high startup cost, so go back to invoking it only once per
server start, rather than once per client start. This is a measurable
performance improvement (running time ~*0.5 with PSK, less dramatic with
asymmetric crypto).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-26 21:45:45 +01:00
Gilles Peskine
292cd6f4e5 Don't use the cipher suite in check_openssl_server_bug
We can detect PSK based on $TYPE. This allows more flexibility in how cipher
suites are spelled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-26 21:44:26 +01:00
Yanray Wang
60f8eaa3b4 Remove third argument passed to run_client in compat.sh
The argument passed to translate_ciphers.py is calculated from $1 in
run_client instead of passed as third argument.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-20 13:38:30 +08:00
Yanray Wang
20fa2ae220 Redesign translation of cipher suite names in compat.sh
Move translation of cipher suite names after filter_ciphersuites
so that filter is based on standard cipher suite names.
Furthermore, an additional flag is passed to run_client to
determine the type of translation of cipher suite names.
Therefore, client receives cipher suite names based on
its naming convention but the reporting output is still
the standard cipher suite names.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 15:11:46 +08:00
Yanray Wang
d5f99e49e0 Change cipher suite names to standard names in compat.sh
Since there is a plan to report and filter all cipher suite names
consistently, cipher suite names in compat.sh are changed to the
standard naming convention.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 14:55:58 +08:00
Tom Cosgrove
fc0e79e70f Have compat.sh and ssl-opt.sh not return success for > 255 errors
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-01-13 12:13:41 +00:00
Yanray Wang
128859725a Redirect stdout/stderr to SRV_OUT
Under Ubuntu-22.04, wait command prints out Terminated message.
Therefore server process is handled with identical ways like other
processes in compat.sh. In addition, PROCESS_ID is renamed as
SRV_PID to improve code readability.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-13 11:58:11 +08:00
Yanray Wang
05f940b255 Remove Terminated message from stdout
Under Ubuntu-22.04, wait command prints out Terminated message
if the process has been killed by kill command. This messes up
the output in compat.sh

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-13 11:54:59 +08:00
Manuel Pégourié-Gonnard
6e666c2e79 Remove obsolete comment
Was explaining why we didn't use the OPENSSL name, but we are using it
now...

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-01-10 09:38:58 +01:00
Manuel Pégourié-Gonnard
c572246fa5 Use OPENSSL everywhere, not OPENSSL_CMD
These variables were both uses to select the default version of OpenSSL
to use for tests:
- when running compat.sh or ssl-opt.sh directly, OPENSSL_CMD was used;
- when running all.sh, OPENSSL was used.

This caused surprising situations if you had one but not the other set
in your environment. For example I used to have OPENSSL_CMD set but not
OPENSSL, so ssl-opt.sh was failing in some all.sh components but passing
when I ran it manually in the same configuration and build, a rather
unpleasant experience.

The natural name would be OPENSSL, and that's what set in the Docker
images used by the CI. However back in the 1.3.x days, that name was
already used in library/Makefile, so it was preferable to pick a
different one, hence OPENSSL_CMD. However the build system has not been
using this name since at least Mbed TLS 2.0.0, so it's now free for use
again (as demonstrated by the fact that it's been set in the CI without
causing any trouble).

So, unify things and use OPENSSL everywhere. Just leave an error message
for the benefit of developers which might have OPENSSL_CMD, not OPENSSL,
set in their environment from the old days.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-12-19 11:42:12 +01:00
Gilles Peskine
4bdb9fbfa2 Enable all ciphers in OpenSSL >=1.1.0
OpenSSL may be configured to support features such as cipher suites or
protocol versions that are disabled by default. Enable them all: we're
testing, we don't care about enabling insecure stuff. This is not needed
with the builds of OpenSSL that we're currently using on the Jenkins CI, but
it's needed with more recent versions such as typically found on developer
machines, and with future CI additions.

The syntax to do that was only introduced in OpenSSL 1.1.0; fortunately we
don't need to do anything special with earlier versions.

With OpenSSL 1.1.1f on Ubuntu 20.04, this allows SHA-1 in certificates,
which is still needed for a few test cases in ssl-opt.sh. Curiously, this is
also needed for the cipher suite TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256 (and
no other, including other DHE-PSK or ARIA cipher suites).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-11-24 22:41:55 +01:00
Manuel Pégourié-Gonnard
636b5f10da Add comment in compat.sh about callers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:21:56 +02:00
Manuel Pégourié-Gonnard
4111b73d8f Update comment and default exclude
- comments about (3)DES were inconsistent (one saying "keep 3DES" and
the other "exclude it")
- we don't have any DES or 3DES ciphersuite anyway, so no need to
exclude them or comment about it
- while at it, fix comment about ARIA: it's in the default config now

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-13 10:45:10 +02:00
Joe Subbiani
32df1450f1 Order ciphersuite names alphabetically
The ciphers were originally separated by the version conditions, and the spacing
was retained in case it was required later. It has been decided it would be better
to have an unbroken list in alphabetically order to quickly locate ciphers when
necessary

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:45:08 +02:00
Joe Subbiani
f05fae0f7a Remove unsupported ciphersuites
Remove ciphersuites that are no longer supported.
running ./test/compat.sh -e '^$' -p mbedtls no longer skips any tests

Fixes #4818

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:41:43 +02:00
Joe Subbiani
9f84761c66 Removed redundant mode checks
As anything below (D)TLS 1.2 is no longer supported, checks for the
minor version will always be true, and have therefore been removed

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:40:49 +02:00
Dave Rodgman
017a19997a Update references to old Github organisation
Replace references to ARMmbed organisation with the new
org, Mbed-TLS, following project migration.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-03-31 14:43:16 +01:00
Ronald Cron
618955d381 compat.sh: Fix check for OpenSSL support
If OpenSSL does not support a mode (tls12 or
dtls12 or tls13) just skip the tests involving
OpenSSL.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-25 16:50:18 +01:00
Ronald Cron
2c74ff629d compat.sh: Restore full TLS compatibility testing
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-25 16:50:18 +01:00
Xiaofei Bai
8b5c3824ee Fix (d)tls1_2 into (d)tls12 in version options
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-12-02 13:22:18 +00:00