Revert "Remove tests that depend on TLS or X.509"

This reverts commit 9afb2e9.

Conflicts:
* include/CMakeLists.txt
  * "Make config.h available" comment: there has been a change
    adjacent to where it was removed. Just re-add what was removed.
* tests/CMakeLists.txt:
  * compat.sh: there has been a change immediately before where it was
    removed. Just re-add what was removed.

Author: gilles-peskine-arm

.travis.yml

@@ -16,8 +16,13 @@ script:
 - make
 - make test
 - programs/test/selftest
+- OSSL_NO_DTLS=1 tests/compat.sh
+- tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' --seed 4
 - tests/scripts/test-ref-configs.pl
 - tests/scripts/curves.pl
+- tests/scripts/key-exchanges.pl
+after_failure:
+- tests/scripts/travis-log-failure.sh
 env:
   global:
     - SEED=1

CMakeLists.txt

@@ -218,6 +218,8 @@ if(ENABLE_TESTING)
         ADD_CUSTOM_TARGET(covtest
             COMMAND make test
             COMMAND programs/test/selftest
+            COMMAND tests/compat.sh
+            COMMAND tests/ssl-opt.sh
         )
 
         ADD_CUSTOM_TARGET(lcov

Makefile

@@ -101,6 +101,8 @@ ifndef WINDOWS
 covtest:
 	$(MAKE) check
 	programs/test/selftest
+	tests/compat.sh
+	tests/ssl-opt.sh
 
 lcov:
 	rm -rf Coverage

configs/config-mini-tls1_1.h

@@ -70,6 +70,9 @@
 #define MBEDTLS_CERTS_C
 #define MBEDTLS_PEM_PARSE_C
 
+/* For testing with compat.sh */
+#define MBEDTLS_FS_IO
+
 #include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */

configs/config-thread.h

@@ -75,6 +75,10 @@
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TLS_C
 
+/* For tests using ssl-opt.sh */
+#define MBEDTLS_NET_C
+#define MBEDTLS_TIMING_C
+
 /* Save RAM at the expense of ROM */
 #define MBEDTLS_AES_ROM_TABLES
 

include/CMakeLists.txt

@@ -15,7 +15,7 @@ if(INSTALL_MBEDTLS_HEADERS)
 
 endif(INSTALL_MBEDTLS_HEADERS)
 
-# Make config.h available in an out-of-source build.
+# Make config.h available in an out-of-source build. ssl-opt.sh requires it.
 if (ENABLE_TESTING AND NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
     link_to_source(mbedtls)
     link_to_source(psa)

scripts/output_env.sh

@@ -15,6 +15,7 @@
 #   - type and version of the operating system
 #   - version of armcc, clang, gcc-arm and gcc compilers
 #   - version of libc, clang, asan and valgrind if installed
+#   - version of gnuTLS and OpenSSL
 
 print_version()
 {
@@ -73,6 +74,42 @@ echo
 print_version "valgrind" "--version" "valgrind not found!"
 echo
 
+: ${OPENSSL:=openssl}
+print_version "$OPENSSL" "version" "openssl not found!"
+echo
+
+if [ -n "${OPENSSL_LEGACY+set}" ]; then
+    print_version "$OPENSSL_LEGACY" "version" "openssl legacy version not found!"
+    echo
+fi
+
+if [ -n "${OPENSSL_NEXT+set}" ]; then
+    print_version "$OPENSSL_NEXT" "version" "openssl next version not found!"
+    echo
+fi
+
+: ${GNUTLS_CLI:=gnutls-cli}
+print_version "$GNUTLS_CLI" "--version" "gnuTLS client not found!" "head -n 1"
+echo
+
+: ${GNUTLS_SERV:=gnutls-serv}
+print_version "$GNUTLS_SERV" "--version" "gnuTLS server not found!" "head -n 1"
+echo
+
+if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
+    print_version "$GNUTLS_LEGACY_CLI" "--version" \
+        "gnuTLS client legacy version not found!"  \
+        "head -n 1"
+    echo
+fi
+
+if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
+    print_version "$GNUTLS_LEGACY_SERV" "--version" \
+        "gnuTLS server legacy version not found!"   \
+        "head -n 1"
+    echo
+fi
+
 if `hash dpkg > /dev/null 2>&1`; then
     echo "* asan:"
     dpkg -s libasan2 2> /dev/null | grep -i version

tests/CMakeLists.txt

@@ -99,6 +99,7 @@ add_test_suite(cipher cipher.null)
 add_test_suite(cipher cipher.padding)
 add_test_suite(cmac)
 add_test_suite(ctr_drbg)
+add_test_suite(debug)
 add_test_suite(des)
 add_test_suite(dhm)
 add_test_suite(ecdh)
@@ -145,18 +146,23 @@ add_test_suite(psa_crypto_se_driver_hal_mocks)
 add_test_suite(psa_crypto_slot_management)
 add_test_suite(psa_its)
 add_test_suite(shax)
+add_test_suite(ssl)
 add_test_suite(timing)
 add_test_suite(rsa)
 add_test_suite(version)
 add_test_suite(xtea)
+add_test_suite(x509parse)
+add_test_suite(x509write)
 
 # Make scripts and data files needed for testing available in an
 # out-of-source build.
 if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
     if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/seedfile")
         link_to_source(seedfile)
     endif()
+    link_to_source(compat.sh)
     link_to_source(data_files)
     link_to_source(scripts)
+    link_to_source(ssl-opt.sh)
     link_to_source(suites)
 endif()

tests/Descriptions.txt

@@ -2,9 +2,21 @@ test_suites
     The various 'test_suite_XXX' programs from the 'tests' directory, executed
     using 'make check' (Unix make) or 'make test' (Cmake), include test cases
     (reference test vectors, sanity checks, malformed input for parsing
-    functions, etc.) for all modules.
+    functions, etc.) for all modules except the SSL modules.
 
 selftests
     The 'programs/test/selftest' program runs the 'XXX_self_test()' functions
     of each individual module. Most of them are included in the respective
     test suite, but some slower ones are only included here.
+
+compat
+    The 'tests/compat.sh' script checks interoperability with OpenSSL and
+    GnuTLS (and ourselves!) for every common ciphersuite, in every TLS
+    version, both ways (client/server), using client authentication or not.
+    For each ciphersuite/version/side/authmode it performs a full handshake
+    and a small data exchange.
+
+ssl_opt
+    The 'tests/ssl-opt.sh' script checks various options and/or operations not
+    covered by compat.sh: session resumption (using session cache or tickets),
+    renegotiation, SNI, other extensions, etc.