From a499233df23d35b45e0e29895d4e1925a38bacb1 Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 22 Jan 2025 18:12:53 +0100 Subject: [PATCH 1/4] Add unittest for diffrent openssl versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds a unit test to compare a run against google with the supplied openssl version vs /usr/bin/openssl . This would fix #2626. It looks like there are still points to clarify * NPN output is different (bug) * Newer openssl version claims it's ECDH 253 instead of ECDH 256. * Newer openssl version claims for 130x cipher it's ECDH 253, via sockets it´s ECDH/MLKEM. This seems a bug (@dcooper) A todo is also restricing the unit test to the one where openssl is being used. E.g. the ROBOT check and more aren't done with openssl. So there's no value checking this here.
---
 t/12_diff_opensslversions.t | 72 +++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100755 t/12_diff_opensslversions.t

diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t
new file mode 100755
index 0000000..883ba17
--- /dev/null
+++ b/t/12_diff_opensslversions.t
@@ -0,0 +1,72 @@
+#!/usr/bin/env perl
+
+# Baseline diff test against testssl.sh (csv output)
+#
+# This runs a basic test with the supplied openssl vs /usr/bin/openssl
+
+use strict;
+use Test::More;
+use Data::Dumper;
+use Text::Diff;
+
+my $tests = 0;
+my $prg="./testssl.sh";
+my $check2run="-q --ip=one --color 0 --csvfile";
+my $csvfile="tmp.csv";
+my $csvfile2="tmp2.csv";
+my $cat_csvfile="";
+my $cat_csvfile2="";
+my $uri="google.com";
+my $diff="";
+my $distro_openssl="/usr/bin/openssl";
+
+die "Unable to open $prg" unless -f $prg;
+die "Unable to open $distro_openssl" unless -f $distro_openssl;
+
+# Provide proper start conditions
+unlink "tmp.csv";
+unlink "tmp2.csv";
+
+#1 run
+printf "\n%s\n", "Diff test IPv4 with supplied openssl against \"$uri\"";
+`$prg $check2run $csvfile $uri 2>&1`;
+
+# 2
+printf "\n%s\n", "Diff test IPv4 with $distro_openssl against \"$uri\"";
+`$prg $check2run $csvfile2 --openssl=$distro_openssl $uri 2>&1`;
+
+$cat_csvfile = `cat $csvfile`;
+$cat_csvfile2 = `cat $csvfile2`;
+
+# Filter for changes that are allowed to occur
+$cat_csvfile =~ s/HTTP_clock_skew.*\n//g;
+$cat_csvfile2 =~ s/HTTP_clock_skew.*\n//g;
+
+# HTTP time
+$cat_csvfile =~ s/HTTP_headerTime.*\n//g;
+$cat_csvfile2 =~ s/HTTP_headerTime.*\n//g;
+
+#engine_problem
+$cat_csvfile =~ s/"engine_problem.*\n//g;
+$cat_csvfile2 =~ s/"engine_problem.*\n//g;
+
+# Nonce in CSP
+$cat_csvfile =~ s/.nonce-.* //g;
+$cat_csvfile2 =~ s/.nonce-.* //g;
+
+$diff = diff \$cat_csvfile, \$cat_csvfile2;
+
+# Compare the differences -- and print them if there were any
+ok( $cat_csvfile eq $cat_csvfile2, "Check whether CSV outputs match" ) or
+ diag ("\n%s\n", "$diff");
+
+#unlink "tmp.csv";
+#unlink "tmp2.csv";
+
+$tests++;
+done_testing($tests);
+printf "\n";
+
+
+# vim:ts=5:sw=5:expandtab
+
From 37d987684e7f9904abc5a78efba3000a24b16654 Mon Sep 17 00:00:00 2001
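Review bot: `diag ("\n%s\n", "$diff")` in the `ok(...) or` fallback near the end of the new file treats diag() like printf, but Test::More's diag() only joins its arguments, so a failing run prints a literal `\n%s\n` in front of the diff; `diag("\n$diff");` is what was meant. Reading the results with a backticked `cat $csvfile` also means that if a run exits without writing its CSV the string is simply empty, and two empty strings compare equal, so the test can pass vacuously; `open my $fh, '<', $csvfile or die "cannot read $csvfile: $!";` followed by a slurp fails loudly instead and avoids spawning a shell for a file read. The file has `use strict;` but no `use warnings;`, which would catch mistakes in its many interpolated strings at no cost, and `Data::Dumper` is imported but never used.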
From: Dirk Date: Wed, 22 Jan 2025 18:25:54 +0100 Subject: [PATCH 2/4] remove comment sign from testing
---
 t/12_diff_opensslversions.t | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t
index 883ba17..a74df6a 100755
--- a/t/12_diff_opensslversions.t
+++ b/t/12_diff_opensslversions.t
@@ -60,8 +60,8 @@ $diff = diff \$cat_csvfile, \$cat_csvfile2;
 ok( $cat_csvfile eq $cat_csvfile2, "Check whether CSV outputs match" ) or
 diag ("\n%s\n", "$diff");
 
-#unlink "tmp.csv";
-#unlink "tmp2.csv";
+unlink "tmp.csv";
+unlink "tmp2.csv";
 
 $tests++;
 done_testing($tests);
From ba58458909fe51d84c5ad2d87e130893b328429d Mon Sep 17 00:00:00 2001 From: Dirk Date: Wed, 22 Jan 2025 18:37:48 +0100 Subject: [PATCH 3/4] Restrict tests to those which use openssl
---
 t/12_diff_opensslversions.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t
index a74df6a..9c3d803 100755
--- a/t/12_diff_opensslversions.t
+++ b/t/12_diff_opensslversions.t
@@ -11,7 +11,7 @@ use Text::Diff;
 
 my $tests = 0;
 my $prg="./testssl.sh";
-my $check2run="-q --ip=one --color 0 --csvfile";
+my $check2run="--protocols --std --server-preference --fs --header --renegotiation --crime --breach --poodle --tls-fallback --sweet32 --beast --lucky13 --freak --logjam --drown --rc4 --phone-out --client-simulation -q --ip=one --color 0 --csvfile";
 my $csvfile="tmp.csv";
 my $csvfile2="tmp2.csv";
 my $cat_csvfile="";
From ce8984706ec663c9e235755d31062222e4c1933d Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 24 Jan 2025 20:36:59 +0100 Subject: [PATCH 4/4] Finalize unit test * pattern search + replace for tls_sockets() vs. openssl * better error handling for invocations with perl functions system + die
---
 t/12_diff_opensslversions.t | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
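Review bot: `--phone-out` in the new `$check2run` value lets testssl.sh contact hosts other than the target (CRL/OCSP endpoints, if I read the option right), which makes a CI test send traffic to, and depend on, infrastructure the test does not control; unless those lookups are something the two openssl binaries are expected to agree on, it should be dropped from the list. The 200-character option string is also hard to audit for what is actually in scope; `my $check2run = join ' ', qw(--protocols --std --server-preference ... --csvfile);` with one option per line would make additions and removals reviewable. The commit message explains that checks done via tls_sockets() are deliberately left out, but the code does not; a comment such as `# only checks that go through openssl -- ROBOT and friends use tls_sockets() and are excluded on purpose` above the assignment would keep that reasoning with the code.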
diff --git a/t/12_diff_opensslversions.t b/t/12_diff_opensslversions.t
index 9c3d803..e88d33b 100755
--- a/t/12_diff_opensslversions.t
+++ b/t/12_diff_opensslversions.t
@@ -19,6 +19,7 @@ my $cat_csvfile2="";
 my $uri="google.com";
 my $diff="";
 my $distro_openssl="/usr/bin/openssl";
+my @args="";
 
 die "Unable to open $prg" unless -f $prg;
 die "Unable to open $distro_openssl" unless -f $distro_openssl;
@@ -29,11 +30,15 @@ unlink "tmp2.csv";
 
 #1 run
 printf "\n%s\n", "Diff test IPv4 with supplied openssl against \"$uri\"";
-`$prg $check2run $csvfile $uri 2>&1`;
+@args="$prg $check2run $csvfile $uri 2>&1";
+system("@args") == 0
+ or die ("FAILED: \"@args\"");
 
 # 2
 printf "\n%s\n", "Diff test IPv4 with $distro_openssl against \"$uri\"";
-`$prg $check2run $csvfile2 --openssl=$distro_openssl $uri 2>&1`;
+@args="$prg $check2run $csvfile2 --openssl=$distro_openssl $uri 2>&1";
+system("@args") == 0
+ or die ("FAILED: \"@args\" ");
 
 $cat_csvfile = `cat $csvfile`;
 $cat_csvfile2 = `cat $csvfile2`;
@@ -50,6 +55,10 @@ $cat_csvfile2 =~ s/HTTP_headerTime.*\n//g;
 $cat_csvfile =~ s/"engine_problem.*\n//g;
 $cat_csvfile2 =~ s/"engine_problem.*\n//g;
 
+# PR #2628. TL:DR; make the kx between tls_sockets() and openssl the same for this CI run
+$cat_csvfile =~ s/ECDH 256/ECDH 253/g;
+$cat_csvfile =~ s/ECDH\/MLKEM/ECDH 253 /g;
+
 # Nonce in CSP
 $cat_csvfile =~ s/.nonce-.* //g;
 $cat_csvfile2 =~ s/.nonce-.* //g;
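Review bot: `my @args="";` declares an array whose only element is an empty string, and every later use in this file assigns one string to it, so the array is serving as a scalar in disguise; `my @args;` is the honest declaration if the intent is to build a real argument list, otherwise `my $cmd = "";` says what is going on. A one-line `# command line for the current testssl.sh run` next to it would also help, since the variable is reused for two different invocations.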
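Review bot: `system("@args")` in both new run blocks still hands the whole command to `/bin/sh` as one string, because `@args` holds a single element and the string contains a shell metacharacter (`2>&1`), so the move away from backticks gained the exit-status check but not the shell-free invocation that list-form `system` gives; today `$uri` and the file names are hard-coded, but the moment one of them is taken from the environment or @ARGV this becomes a shell-injection point. Building a real list and calling `system(@args)` removes the shell entirely; `split(' ', $check2run)` reproduces the shell's word splitting for the option string (`--color 0` stays two arguments), and the `2>&1` can go because system() does not capture output anyway, it only merged the two streams on the terminal. The `die` message should also carry `$?`, which is what a CI log needs to tell a crash from a findings-based exit code; with `my @args;` kept as the declaration further up, the two blocks become:

```perl
# … unchanged: printf banner for run 1 …
@args = ($prg, split(' ', $check2run), $csvfile, $uri);
system(@args) == 0
     or die "FAILED (exit status $?): @args";

# … unchanged: printf banner for run 2 …
@args = ($prg, split(' ', $check2run), $csvfile2, "--openssl=$distro_openssl", $uri);
system(@args) == 0
     or die "FAILED (exit status $?): @args";
```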
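Review bot: The two `ECDH` substitutions rewrite `$cat_csvfile` only and mask exactly the key-exchange discrepancy the commit message describes as a bug (#2628), so once either binary's reporting changes the test will keep passing without anyone noticing; the comment should say this is a temporary normalisation and when it is meant to go, e.g. `# TEMPORARY (#2628): rewrite the supplied openssl's kx naming to match /usr/bin/openssl; remove once #2628 is fixed so kx regressions become visible again`. The replacement text `ECDH 253 ` ends in a space that `ECDH 253` in the line above does not have; if that is needed to line up with what the distro openssl emits it deserves a word in the comment, since it is otherwise easy to mistake for a typo and "fix".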