diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9a4788979..481665a14 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -38,6 +38,10 @@ # * G++ # * arm-gcc and mingw-gcc # * ArmCC 5 and ArmCC 6, unless invoked with --no-armcc +# * OpenSSL and GnuTLS command line tools, recent enough for the +# interoperability tests. If they don't support SSLv3 then a legacy +# version of these tools must be present as well (search for LEGACY +# below). # See the invocation of check_tools below for details. # # This script must be invoked from the toplevel directory of a git @@ -113,6 +117,7 @@ pre_initialize_variables () { CONFIG_BAK="$CONFIG_H.bak" append_outcome=0 + MEMORY=0 FORCE=0 KEEP_GOING=0 @@ -122,6 +127,13 @@ pre_initialize_variables () { export MBEDTLS_TEST_PLATFORM # Default commands, can be overridden by the environment + : ${OPENSSL:="openssl"} + : ${OPENSSL_LEGACY:="$OPENSSL"} + : ${OPENSSL_NEXT:="$OPENSSL"} + : ${GNUTLS_CLI:="gnutls-cli"} + : ${GNUTLS_SERV:="gnutls-serv"} + : ${GNUTLS_LEGACY_CLI:="$GNUTLS_CLI"} + : ${GNUTLS_LEGACY_SERV:="$GNUTLS_SERV"} : ${OUT_OF_SOURCE_DIR:=./mbedtls_out_of_source_build} : ${ARMC5_BIN_DIR:=/usr/bin} : ${ARMC6_BIN_DIR:=/usr/bin} @@ -208,6 +220,13 @@ General options: Tool path options: --armc5-bin-dir= ARM Compiler 5 bin directory. --armc6-bin-dir= ARM Compiler 6 bin directory. + --gnutls-cli= GnuTLS client executable to use for most tests. + --gnutls-serv= GnuTLS server executable to use for most tests. + --gnutls-legacy-cli= GnuTLS client executable to use for legacy tests. + --gnutls-legacy-serv= GnuTLS server executable to use for legacy tests. + --openssl= OpenSSL executable to use for most tests. + --openssl-legacy= OpenSSL executable to use for legacy tests e.g. SSLv3. + --openssl-next= OpenSSL executable to use for recent things like ARIA EOF } @@ -325,28 +344,28 @@ pre_parse_command_line () { --armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";; --except) all_except=1;; --force|-f) FORCE=1;; - --gnutls-cli) shift;; - --gnutls-legacy-cli) shift;; - --gnutls-legacy-serv) shift;; - --gnutls-serv) shift;; + --gnutls-cli) shift; GNUTLS_CLI="$1";; + --gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";; + --gnutls-legacy-serv) shift; GNUTLS_LEGACY_SERV="$1";; + --gnutls-serv) shift; GNUTLS_SERV="$1";; --help|-h) usage; exit;; --keep-going|-k) KEEP_GOING=1;; --list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;; --list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;; - --memory|-m) ;; + --memory|-m) MEMORY=1;; --no-append-outcome) append_outcome=0;; --no-armcc) no_armcc=1;; --no-force) FORCE=0;; --no-keep-going) KEEP_GOING=0;; - --no-memory) ;; - --openssl) shift;; - --openssl-legacy) shift;; - --openssl-next) shift;; + --no-memory) MEMORY=0;; + --openssl) shift; OPENSSL="$1";; + --openssl-legacy) shift; OPENSSL_LEGACY="$1";; + --openssl-next) shift; OPENSSL_NEXT="$1";; --outcome-file) shift; MBEDTLS_TEST_OUTCOME_FILE="$1";; --out-of-source-dir) shift; OUT_OF_SOURCE_DIR="$1";; - --random-seed) ;; - --release-test|-r) ;; - --seed|-s) shift;; + --random-seed) unset SEED;; + --release-test|-r) SEED=1;; + --seed|-s) shift; SEED="$1";; -*) echo >&2 "Unknown option: $1" echo >&2 "Run $0 --help for usage." @@ -482,8 +501,17 @@ pre_prepare_outcome_file () { pre_print_configuration () { msg "info: $0 configuration" + echo "MEMORY: $MEMORY" echo "FORCE: $FORCE" echo "MBEDTLS_TEST_OUTCOME_FILE: ${MBEDTLS_TEST_OUTCOME_FILE:-(none)}" + echo "SEED: ${SEED-"UNSET"}" + echo "OPENSSL: $OPENSSL" + echo "OPENSSL_LEGACY: $OPENSSL_LEGACY" + echo "OPENSSL_NEXT: $OPENSSL_NEXT" + echo "GNUTLS_CLI: $GNUTLS_CLI" + echo "GNUTLS_SERV: $GNUTLS_SERV" + echo "GNUTLS_LEGACY_CLI: $GNUTLS_LEGACY_CLI" + echo "GNUTLS_LEGACY_SERV: $GNUTLS_LEGACY_SERV" echo "ARMC5_BIN_DIR: $ARMC5_BIN_DIR" echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR" } @@ -493,6 +521,30 @@ pre_check_tools () { # Build the list of variables to pass to output_env.sh. set env + case " $RUN_COMPONENTS " in + # Require OpenSSL and GnuTLS if running any tests (as opposed to + # only doing builds). Not all tests run OpenSSL and GnuTLS, but this + # is a good enough approximation in practice. + *" test_"*) + # To avoid setting OpenSSL and GnuTLS for each call to compat.sh + # and ssl-opt.sh, we just export the variables they require. + export OPENSSL_CMD="$OPENSSL" + export GNUTLS_CLI="$GNUTLS_CLI" + export GNUTLS_SERV="$GNUTLS_SERV" + # Avoid passing --seed flag in every call to ssl-opt.sh + if [ -n "${SEED-}" ]; then + export SEED + fi + set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" + set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV" + set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" + set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" + check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \ + "$GNUTLS_CLI" "$GNUTLS_SERV" \ + "$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" + ;; + esac + case " $RUN_COMPONENTS " in *_doxygen[_\ ]*) check_tools "doxygen" "dot";; esac @@ -608,6 +660,12 @@ component_test_default_cmake_gcc_asan () { msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s make test + + msg "test: ssl-opt.sh (ASan build)" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh + + msg "test: compat.sh (ASan build)" # ~ 6 min + if_build_succeeded tests/compat.sh } component_test_full_cmake_gcc_asan () { @@ -639,6 +697,36 @@ component_test_no_pem_no_fs () { make test } +component_test_sslv3 () { + msg "build: Default + SSLv3 (ASan build)" # ~ 6 min + scripts/config.pl set MBEDTLS_SSL_PROTO_SSL3 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: SSLv3 - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min + if_build_succeeded tests/compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2' + if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' + + msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min + if_build_succeeded tests/ssl-opt.sh +} + +component_test_no_renegotiation () { + msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min + scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s + make test + + msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min + if_build_succeeded tests/ssl-opt.sh +} + component_test_rsa_no_crt () { msg "build: Default + RSA_NO_CRT (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_RSA_NO_CRT @@ -647,6 +735,54 @@ component_test_rsa_no_crt () { msg "test: RSA_NO_CRT - main suites (inc. selftests) (ASan build)" # ~ 50s make test + + msg "test: RSA_NO_CRT - RSA-related part of ssl-opt.sh (ASan build)" # ~ 5s + if_build_succeeded tests/ssl-opt.sh -f RSA + + msg "test: RSA_NO_CRT - RSA-related part of compat.sh (ASan build)" # ~ 3 min + if_build_succeeded tests/compat.sh -t RSA +} + +component_test_small_ssl_out_content_len () { + msg "build: small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_OUT_CONTENT_LEN - ssl-opt.sh MFL and large packet tests" + if_build_succeeded tests/ssl-opt.sh -f "Max fragment\|Large packet" +} + +component_test_small_ssl_in_content_len () { + msg "build: small SSL_IN_CONTENT_LEN (ASan build)" + scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 4096 + scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 16384 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small SSL_IN_CONTENT_LEN - ssl-opt.sh MFL tests" + if_build_succeeded tests/ssl-opt.sh -f "Max fragment" +} + +component_test_small_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0" + scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 1000 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #0 - ssl-opt.sh specific reordering test" + if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer out-of-order hs msg before reassembling next, free buffered msg" +} + +component_test_small_mbedtls_ssl_dtls_max_buffering () { + msg "build: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1" + scripts/config.pl set MBEDTLS_SSL_DTLS_MAX_BUFFERING 240 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: small MBEDTLS_SSL_DTLS_MAX_BUFFERING #1 - ssl-opt.sh specific reordering test" + if_build_succeeded tests/ssl-opt.sh -f "DTLS reordering: Buffer encrypted Finished message, drop for fragmented NewSessionTicket" } component_test_new_ecdh_context () { @@ -690,6 +826,15 @@ component_test_full_cmake_clang () { msg "test: psa_constant_names (full config, clang)" # ~ 1s record_status tests/scripts/test_psa_constant_names.py + + msg "test: ssl-opt.sh default, ECJPAKE, SSL async (full config)" # ~ 1s + if_build_succeeded tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private' + + msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min + if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' + + msg "test: compat.sh ARIA + ChachaPoly" + if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } component_test_full_make_gcc_o0 () { @@ -738,6 +883,11 @@ component_test_depends_pkalgs () { record_status tests/scripts/depends-pkalgs.pl } +component_build_key_exchanges () { + msg "test/build: key-exchanges (gcc)" # ~ 1 min + record_status tests/scripts/key-exchanges.pl +} + component_build_default_make_gcc_and_cxx () { msg "build: Unix make, -Os (gcc)" # ~ 30s make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' @@ -763,6 +913,21 @@ component_test_no_use_psa_crypto_full_cmake_asan() { msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO)" make test + + msg "test: ssl-opt.sh (MBEDTLS_USE_PSA_CRYPTO)" + if_build_succeeded tests/ssl-opt.sh + + msg "test: compat.sh default (MBEDTLS_USE_PSA_CRYPTO)" + if_build_succeeded tests/compat.sh + + msg "test: compat.sh ssl3 (MBEDTLS_USE_PSA_CRYPTO)" + if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' + + msg "test: compat.sh RC4, DES & NULL (MBEDTLS_USE_PSA_CRYPTO)" + if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR' + + msg "test: compat.sh ARIA + ChachaPoly (MBEDTLS_USE_PSA_CRYPTO)" + if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } component_test_check_params_functionality () { @@ -832,6 +997,30 @@ component_build_no_std_function () { make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' } +component_build_no_ssl_srv () { + msg "build: full config except ssl_srv.c, make, gcc" # ~ 30s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_SSL_SRV_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' +} + +component_build_no_ssl_cli () { + msg "build: full config except ssl_cli.c, make, gcc" # ~ 30s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_SSL_CLI_C + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0' +} + +component_build_no_sockets () { + # Note, C99 compliance can also be tested with the sockets support disabled, + # as that requires a POSIX platform (which isn't the same as C99). + msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. + scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux + make CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' lib +} + component_test_memory_buffer_allocator_backtrace () { msg "build: default config with memory buffer allocator and backtrace enabled" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C @@ -856,6 +1045,45 @@ component_test_memory_buffer_allocator () { make test } +component_test_no_max_fragment_length () { + # Run max fragment length tests with MFL disabled + msg "build: default config except MFL extension (ASan build)" # ~ 30s + scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: ssl-opt.sh, MFL-related tests" + if_build_succeeded tests/ssl-opt.sh -f "Max fragment length" +} + +component_test_asan_remove_peer_certificate () { + msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)" + scripts/config.pl unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + make test + + msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + if_build_succeeded tests/ssl-opt.sh + + msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE" + if_build_succeeded tests/compat.sh +} + +component_test_no_max_fragment_length_small_ssl_out_content_len () { + msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)" + scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH + scripts/config.pl set MBEDTLS_SSL_IN_CONTENT_LEN 16384 + scripts/config.pl set MBEDTLS_SSL_OUT_CONTENT_LEN 4096 + CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: MFL tests (disabled MFL extension case) & large packet tests" + if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer" +} + component_test_null_entropy () { msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)" scripts/config.py set MBEDTLS_TEST_NULL_ENTROPY @@ -1173,6 +1401,15 @@ component_build_armcc () { armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a" } +component_test_allow_sha1 () { + msg "build: allow SHA1 in certificates by default" + scripts/config.pl set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES + make CFLAGS='-Werror -Wall -Wextra' + msg "test: allow SHA1 in certificates by default" + make test + if_build_succeeded tests/ssl-opt.sh -f SHA-1 +} + component_build_mingw () { msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs @@ -1201,6 +1438,16 @@ component_test_memsan () { msg "test: main suites (MSan)" # ~ 10s make test + + msg "test: ssl-opt.sh (MSan)" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh + + # Optional part(s) + + if [ "$MEMORY" -gt 0 ]; then + msg "test: compat.sh (MSan)" # ~ 6 min 20s + if_build_succeeded tests/compat.sh + fi } component_test_valgrind () { @@ -1210,6 +1457,20 @@ component_test_valgrind () { msg "test: main suites valgrind (Release)" make memcheck + + # Optional part(s) + # Currently broken, programs don't seem to receive signals + # under valgrind on OS X + + if [ "$MEMORY" -gt 0 ]; then + msg "test: ssl-opt.sh --memcheck (Release)" + if_build_succeeded tests/ssl-opt.sh --memcheck + fi + + if [ "$MEMORY" -gt 1 ]; then + msg "test: compat.sh --memcheck (Release)" + if_build_succeeded tests/compat.sh --memcheck + fi } component_test_cmake_out_of_source () { @@ -1222,7 +1483,17 @@ component_test_cmake_out_of_source () { msg "test: cmake 'out-of-source' build" make test - + # Test an SSL option that requires an auxiliary script in test/scripts/. + # Also ensure that there are no error messages such as + # "No such file or directory", which would indicate that some required + # file is missing (ssl-opt.sh tolerates the absence of some files so + # may exit with status 0 but emit errors). + if_build_succeeded ./tests/ssl-opt.sh -f 'Fallback SCSV: beginning of list' 2>ssl-opt.err + if [ -s ssl-opt.err ]; then + cat ssl-opt.err >&2 + record_status [ ! -s ssl-opt.err ] + rm ssl-opt.err + fi cd "$MBEDTLS_ROOT_DIR" rm -rf "$OUT_OF_SOURCE_DIR" unset MBEDTLS_ROOT_DIR