Run ssl-opt.sh in more reduced configurations #5582
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Gilles Peskine <[email protected]>
Some of the options have been moved around, but there are no semantic changes. Signed-off-by: Gilles Peskine <[email protected]>
1. Copy config-ccm-psk-tls1_2.h 2. Add DTLS support 3. Add some TLS and DTLS features that are useful in low-bandwidth, low-reliability networks 4. Reduce the SSL buffer to a very small size Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
These tests ensure that a certain cipher suite is in use, so they fail in builds that lack one of the corresponding algorithms. Signed-off-by: Gilles Peskine <[email protected]>
This commit is not necessarily complete, but it's a step forward. Signed-off-by: Gilles Peskine <[email protected]>
In a PSK-only build: * Skip tests that rely on a specific non-PSK cipher suite. * Skip tests that exercise a certificate authentication feature. * Pass a pre-shared key in tests that don't mind the key exchange type. This commit only considers PSK-only builds vs builds with certificates. It does not aim to do something useful for builds with an asymmetric key exchange and a pre-shared key for authentication. Signed-off-by: Gilles Peskine <[email protected]>
Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these options. When running ssl-opt.sh on those configurations, enable the required options. They must be listed in the config*.h file, commented out. Run ssl-opt in the following configurations with debug options: ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Signed-off-by: Gilles Peskine <[email protected]>
Slightly reduce the amount of data so that the test passes with 512. Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added
enhancement
needs-work
needs-ci
User-visible changes: * With no argument, configurations are now tested in a deterministic order. * When given arguments, configurations are now tested in the order given. * When given arguments, if the same configuration is passed multiple times, it will now be tested multiple times. Signed-off-by: Gilles Peskine <[email protected]>
When doing builds with PSA enabled or with debug traces enabled, convey this in $MBEDTLS_TEST_CONFIGURATION and in the terminal logs. This fixes a bug that the outcome file did not distinguish entries from test cases run in a reference configuration with or without PSA. Signed-off-by: Gilles Peskine <[email protected]>
The message was removed in 6be9cf5 without a replacement. A failure would cause the test case to fail anyway, so this negative check is not really useful. Signed-off-by: Gilles Peskine <[email protected]>
Signed-off-by: Gilles Peskine <[email protected]>
If MBEDTLS_SSL_EXTENDED_MASTER_SECRET is disabled or the feature is disabled at runtime, and if client authentication is not used, then calc_verify is not called, so don't require the corresponding debug trace. Signed-off-by: Gilles Peskine <[email protected]>
Some DTLS reordering tests rely on certificate authentication messages. It is probably possible to adapt them to rely on different messages, but for now, skip them in PSK-only builds. Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
force-pushed
the
ssl-opt-auto-psk
branch
from
722e426 to
6f160ca
Compare
gilles-peskine-arm
added
needs-review
gilles-peskine-arm
added
the
needs-review
|
This PR and its backport are ready to review. |
component_test_CID_no_debug was added specifically to be a non-regression test for Mbed-TLS#3998. Running compat.sh in the newly introduced config-ccm-psk-dtls1_2.h is also a non-regression test for that bug. Therefore component_test_CID_no_debug is redundant for its primary purpose. Of course every configuration is different, but the additional coverage from component_test_CID_no_debug is minimal, unlike config-ccm-psk-dtls1_2.h which is a plausible real-world configuration. In mbedtls-2.28, component_test_CID_no_debug was never added, and running the unit tests in that configuration does not trigger the Mbed-TLS#3998 bug, only compat.sh does. So, rather than backport component_test_CID_no_debug to 2.28.2, I am removing it from 3.2. Signed-off-by: Gilles Peskine <[email protected]>
|
Did we check that this PR doesn't result in more tests being skipped (incorrectly, then) in the default config / full config? |
|
@mpg Good point, I did partial incremental checks but not a final comprehensive check. I'll go and dig CI logs. |
|
Well, I've been doing local runs. The last one's almost finished, I'll post the results in a moment. |
|
Full config:
Default config:
For "before" I used the merge-base which is 9a34b60 The number skipped are identical but the total number of tests reported is 2 more after this PR, which corresponds to the two |
|
On both this PR and the 2.28 backport, I went and compared logs from the latest pr-merge and the nearest nightly:
I extracted So in the PR for
Note that this analysis is imprecise: if a test case is now running in a config A but wasn't before, and was running in config B but isn't anymore, the two compensate. I also checked the |
|
Wouldn't it be nice if instead of digging through logs, there was a report from the CI containing a list of executed test cases with their outcome? 🤦 As before, comparing last night's pr-merge with last night's nightly:
So in addition to the previously analyzed SCSV and RC4 test cases, there's one more difference: This difference comes from "test-ref-configs: clarify configuration-related traces", which fixed the bug in once. So all is good. |
If the ssl-opt test case was skipped, the test was ineffective. Signed-off-by: Gilles Peskine <[email protected]>
component_test_cmake_out_of_source was running the ssl-opt.sh test case "Fallback SCSV: beginning of list", but this test case was removed in Mbed TLS 3.0, so ssl-opt.sh was running nothing, which is not an effective test. In 2.x, the test case was chosen because it uses an additional auxiliary program tests/scripts/tcp_client.pl. This auxiliary program is no longer used. So instead, run at least one test case that's sure to exist. Signed-off-by: Gilles Peskine <[email protected]>
This both simplifies parsing a little, and suppresses warnings. Suppressing warnings is both good and bad: on the one hand it resolves problems such as Mbed-TLS#5731, on the other hand it may hide clues as to why lsof wouldn't be working as expected. Signed-off-by: Gilles Peskine <[email protected]>
|
@mpg Indeed it does. I've added the magic syntax to this PR's description. |
mpg
added
approved
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an incremental improvement to the ability to run
tests/ssl-opt.shin reduced configurations. The main completeness goals is for it to pass onconfig/config-ccm-psk-dtls1_2.handconfig-suite-b.h, and to be roughly aligned with the 2.28 backport. Beyond that, there are a few miscellaneous improvements in automatic requirement detection.requires_xxxstatements.config-ccm-psk-dtls1_2.h, based onconfig-ccm-psk-dtls1_2.hbut with a few more DTLS options and a smaller SSL buffer, so more representative of IoT devices that don't do asymmetric crypto.test-ref-configs.pl.Note on "Automatically detect protocol version requirement from force_version": I left a spurious
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3on "TLS 1.3: CertificateRequest check - openssl" to avoid a merge conflict.Backport: #5730