Skip to content

Commit

Permalink
Merge pull request #8122 from gilles-peskine-arm/ssl-test-no-legacy-2.28
Browse files Browse the repository at this point in the history 
Backport 2.28: Remove GNUTLS_LEGACY and OPENSSL_LEGACY (partly)
  • Loading branch information
@mpg
mpg authored Oct 18, 2023
2 parents 0190277 + 894258f commit 0ee9dac
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 78 deletions.
14 changes: 0 additions & 14 deletions scripts/output_env.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,20 +192,6 @@ echo
print_version "$GNUTLS_SERV" "--version" "default" "head -n 1"
echo

if [ -n "${GNUTLS_LEGACY_CLI+set}" ]; then
print_version "$GNUTLS_LEGACY_CLI" "--version" "legacy" "head -n 1"
else
echo " * gnutls-cli (legacy): Not configured."
fi
echo

if [ -n "${GNUTLS_LEGACY_SERV+set}" ]; then
print_version "$GNUTLS_LEGACY_SERV" "--version" "legacy" "head -n 1"
else
echo " * gnutls-serv (legacy): Not configured."
fi
echo

echo " * Installed asan versions:"
if type dpkg-query >/dev/null 2>/dev/null; then
if ! dpkg-query -f '${Status} ${Package}: ${Version}\n' -W 'libasan*' |
Expand Down
29 changes: 25 additions & 4 deletions tests/compat.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ FILTER=""
EXCLUDE='NULL\|DES\|RC4\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
VERBOSE=""
MEMCHECK=0
PRESERVE_LOGS=0
PEERS="OpenSSL$PEER_GNUTLS mbedTLS"

# hidden option: skip DTLS with OpenSSL
Expand All @@ -131,6 +132,7 @@ print_usage() {
printf " --list-test-case\tList all potential test cases (No Execution)\n"
printf " --outcome-file\tFile where test outcomes are written\n"
printf " \t(default: \$MBEDTLS_TEST_OUTCOME_FILE, none if empty)\n"
printf " --preserve-logs\tPreserve logs of successful tests as well\n"
}

# print_test_case <CLIENT> <SERVER> <STANDARD_CIPHER_SUITE>
Expand Down Expand Up @@ -198,6 +200,9 @@ get_options() {
--outcome-file)
shift; MBEDTLS_TEST_OUTCOME_FILE=$1
;;
--preserve-logs)
PRESERVE_LOGS=1
;;
-h|--help)
print_usage
exit 0
Expand Down Expand Up @@ -648,7 +653,16 @@ add_gnutls_ciphersuites()
;;

"RSA")
if [ `minor_ver "$MODE"` -gt 0 ]
# TLS-RSA-WITH-NULL-SHA256 is a (D)TLS 1.2-only cipher suite,
# like all SHA256 cipher suites. But Mbed TLS supports it with
# (D)TLS 1.0 and 1.1 as well. So do ancient versions of GnuTLS,
# but this was considered a bug which was fixed in GnuTLS 3.4.7.
# Check the GnuTLS support list to see what the protocol version
# requirement is for that cipher suite.
if [ `minor_ver "$MODE"` -ge 3 ] || {
[ `minor_ver "$MODE"` -gt 0 ] &&
$GNUTLS_CLI --list | grep -q '^TLS_RSA_NULL_SHA256.*0$'
}
then
M_CIPHERS="$M_CIPHERS \
TLS-RSA-WITH-NULL-SHA256 \
Expand Down Expand Up @@ -972,7 +986,7 @@ setup_arguments()
fi

M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
O_SERVER_ARGS="-accept $PORT -cipher ALL,COMPLEMENTOFALL -$O_MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"

Expand Down Expand Up @@ -1218,12 +1232,16 @@ record_outcome() {
fi
}

save_logs() {
cp $SRV_OUT c-srv-${TESTS}.log
cp $CLI_OUT c-cli-${TESTS}.log
}

# display additional information if test case fails
report_fail() {
FAIL_PROMPT="outputs saved to c-srv-${TESTS}.log, c-cli-${TESTS}.log"
record_outcome "FAIL" "$FAIL_PROMPT"
cp $SRV_OUT c-srv-${TESTS}.log
cp $CLI_OUT c-cli-${TESTS}.log
save_logs
echo " ! $FAIL_PROMPT"

if [ "${LOG_FAILURE_ON_STDOUT:-0}" != 0 ]; then
Expand Down Expand Up @@ -1349,6 +1367,9 @@ run_client() {
case $RESULT in
"0")
record_outcome "PASS"
if [ "$PRESERVE_LOGS" -gt 0 ]; then
save_logs
fi
;;
"1")
record_outcome "SKIP"
Expand Down
44 changes: 22 additions & 22 deletions tests/scripts/all.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,10 +50,14 @@
# * G++
# * arm-gcc and mingw-gcc
# * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc
# * OpenSSL and GnuTLS command line tools, recent enough for the
# interoperability tests. If they don't support SSLv3 then a legacy
# version of these tools must be present as well (search for LEGACY
# below).
# * OpenSSL and GnuTLS command line tools, in suitable versions for the
# interoperability tests. The following are the official versions at the
# time of writing:
# * GNUTLS_{CLI,SERV} = 3.4.10
# * GNUTLS_NEXT_{CLI,SERV} = 3.7.2
# * OPENSSL_LEGACY = 1.0.1j
# * OPENSSL = 1.0.2g (without Debian/Ubuntu patches)
# * OPENSSL_NEXT = 1.1.1a
# See the invocation of check_tools below for details.
#
# This script must be invoked from the toplevel directory of a git
Expand Down Expand Up @@ -168,8 +172,6 @@ pre_initialize_variables () {
: ${OPENSSL_NEXT:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}
: ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build}
: ${ARMC5_BIN_DIR:=/usr/bin}
: ${ARMC6_BIN_DIR:=/usr/bin}
Expand Down Expand Up @@ -286,8 +288,6 @@ Tool path options:
--gcc-latest=<GCC_latest_path> Latest version of GCC available
--gnutls-cli=<GnuTLS_cli_path> GnuTLS client executable to use for most tests.
--gnutls-serv=<GnuTLS_serv_path> GnuTLS server executable to use for most tests.
--gnutls-legacy-cli=<GnuTLS_cli_path> GnuTLS client executable to use for legacy tests.
--gnutls-legacy-serv=<GnuTLS_serv_path> GnuTLS server executable to use for legacy tests.
--openssl=<OpenSSL_path> OpenSSL executable to use for most tests.
--openssl-legacy=<OpenSSL_path> OpenSSL executable to use for legacy tests e.g. SSLv3.
--openssl-next=<OpenSSL_path> OpenSSL executable to use for recent things like ARIA
Expand Down Expand Up @@ -435,8 +435,8 @@ pre_parse_command_line () {
--gcc-earliest) shift; GCC_EARLIEST="$1";;
--gcc-latest) shift; GCC_LATEST="$1";;
--gnutls-cli) shift; GNUTLS_CLI="$1";;
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
--gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";;
--gnutls-legacy-cli) shift;; # ignored for backward compatibility
--gnutls-legacy-serv) shift;; # ignored for backward compatibility
--gnutls-serv) shift; GNUTLS_SERV="$1";;
--help|-h) usage; exit;;
--keep-going|-k) KEEP_GOING=1;;
Expand Down Expand Up @@ -709,8 +709,6 @@ pre_print_configuration () {
echo "OPENSSL_NEXT: $OPENSSL_NEXT"
echo "GNUTLS_CLI: $GNUTLS_CLI"
echo "GNUTLS_SERV: $GNUTLS_SERV"
echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI"
echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV"
echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR"
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
}
Expand All @@ -736,11 +734,8 @@ pre_check_tools () {
fi
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
"$GNUTLS_CLI" "$GNUTLS_SERV" \
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
"$GNUTLS_CLI" "$GNUTLS_SERV"
;;
esac
Expand Down Expand Up @@ -1031,8 +1026,7 @@ component_test_sslv3 () {
make test
msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
tests/compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12'
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
tests/compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
tests/ssl-opt.sh
Expand Down Expand Up @@ -1590,8 +1584,11 @@ component_test_full_cmake_clang () {
msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s
tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
msg "test: compat.sh RC4, 3DES & NULL (full config)" # ~ 2min
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh single-DES (full config)" # ~ 30s
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
msg "test: compat.sh ARIA + ChachaPoly"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
Expand Down Expand Up @@ -1881,8 +1878,11 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh
msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
msg "test: compat.sh RC4, 3DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
tests/compat.sh -e '^$' -f 'NULL\|3DES\|DES-CBC3\|RC4\|ARCFOUR'
msg "test: compat.sh single-DES (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -e '3DES\|DES-CBC3' -f 'DES'
msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
Expand Down
13 changes: 2 additions & 11 deletions tests/scripts/basic-build-test.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,6 @@ fi
: ${OPENSSL_LEGACY:="$OPENSSL"}
: ${GNUTLS_CLI:="gnutls-cli"}
: ${GNUTLS_SERV:="gnutls-serv"}
: ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"}
: ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"}

# Used to make ssl-opt.sh deterministic.
#
Expand Down Expand Up @@ -81,8 +79,6 @@ OPENSSL="$OPENSSL" \
OPENSSL_LEGACY="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_CLI" \
GNUTLS_SERV="$GNUTLS_SERV" \
GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" \
scripts/output_env.sh
echo

Expand Down Expand Up @@ -120,17 +116,12 @@ echo
# Step 2c - Compatibility tests (keep going even if some tests fail)
echo '################ compat.sh ################'
{
echo '#### compat.sh: Default versions'
sh compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12'
echo

echo '#### compat.sh: legacy (SSLv3)'
OPENSSL="$OPENSSL_LEGACY" sh compat.sh -m 'ssl3'
echo '#### compat.sh: Default ciphers'
sh compat.sh -m 'ssl3 tls1 tls1_1 tls12 dtls1 dtls12'
echo

echo '#### compat.sh: legacy (null, DES, RC4)'
OPENSSL="$OPENSSL_LEGACY" \
GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
echo

Expand Down
27 changes: 0 additions & 27 deletions tests/ssl-opt.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,14 +81,6 @@ TCP_CLIENT="$PERL scripts/tcp_client.pl"

# alternative versions of OpenSSL and GnuTLS (no default path)

if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$OPENSSL_LEGACY s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_LEGACY_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_LEGACY s_client"
else
O_LEGACY_SRV=false
O_LEGACY_CLI=false
fi

if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
Expand Down Expand Up @@ -456,20 +448,6 @@ requires_gnutls_next() {
fi
}

# skip next test if OpenSSL-legacy isn't available
requires_openssl_legacy() {
if [ -z "${OPENSSL_LEGACY_AVAILABLE:-}" ]; then
if which "${OPENSSL_LEGACY:-}" >/dev/null 2>&1; then
OPENSSL_LEGACY_AVAILABLE="YES"
else
OPENSSL_LEGACY_AVAILABLE="NO"
fi
fi
if [ "$OPENSSL_LEGACY_AVAILABLE" = "NO" ]; then
SKIP_NEXT="YES"
fi
}

requires_openssl_next() {
if [ -z "${OPENSSL_NEXT_AVAILABLE:-}" ]; then
if which "${OPENSSL_NEXT:-}" >/dev/null 2>&1; then
Expand Down Expand Up @@ -1502,11 +1480,6 @@ O_CLI="$O_CLI -connect 127.0.0.1:+SRV_PORT"
G_SRV="$G_SRV -p $SRV_PORT"
G_CLI="$G_CLI -p +SRV_PORT"

if [ -n "${OPENSSL_LEGACY:-}" ]; then
O_LEGACY_SRV="$O_LEGACY_SRV -accept $SRV_PORT -dhparam data_files/dhparams.pem"
O_LEGACY_CLI="$O_LEGACY_CLI -connect 127.0.0.1:+SRV_PORT"
fi

# Newer versions of OpenSSL have a syntax to enable all "ciphers", even
# low-security ones. This covers not just cipher suites but also protocol
# versions. It is necessary, for example, to use (D)TLS 1.0/1.1 on
Expand Down

0 comments on commit 0ee9dac

Please sign in to comment.