Spicy TLS - full test suite pass

With this commit, the entire Zeek test suite passes using spicy TLS. Tests that either use a SSLv2 handshake, or DTLS are skipped, as the parser currently does not support either. Similarly, tests that rely on behavior we cannot replicate (baseline, hooks, exact error messages) are passed. Other than that, all the TLS-based tests pass with 100% the exact same baseline results. This necessitated a couple of small tweaks to the spicy file - the testcases uncovered several small problems. This commit also enables cirrus tests for Spicy SSL/TLS.
2025-10-17 14:08:20 +00:00 · 2024-08-13 14:41:37 +01:00 · 2024-08-13 14:41:37 +01:00 · 84c4d53a4e
commit 84c4d53a4e
parent 1e282989fe
16 changed files with 97 additions and 41 deletions
--- a/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek
+++ b/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek
@ -1,5 +1,8 @@
 # This tests the certificate_request message parsing

+# Does not work in spicy version, due to missing DTLS support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -b -r $TRACES/tls/client-certificate.pcap %INPUT > out
 # @TEST-EXEC: zeek -C -b -r $TRACES/tls/certificate-request-failed.pcap %INPUT >> out
 # @TEST-EXEC: zeek -C -b -r $TRACES/tls/webrtc-stun.pcap %INPUT >> out
--- a/testing/btest/scripts/base/protocols/ssl/dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dpd.test
@ -1,3 +1,6 @@
+# Does not work in spicy version, due to missing SSLv2 handshake support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -C -b -r $TRACES/tls/ssl-v2.trace %INPUT
 # @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: zeek -b -r $TRACES/tls/tls1.2.trace %INPUT
--- a/testing/btest/scripts/base/protocols/ssl/dtls-13.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-13.test
@ -1,5 +1,6 @@
 # This tests a normal SSL connection and the log it outputs.

+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
 # @TEST-EXEC: zeek -C -r $TRACES/tls/dtls13-wolfssl.pcap %INPUT
 # @TEST-EXEC: cp ssl.log ssl-all.log
 # @TEST-EXEC: echo "start CID test"
--- a/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls-stun-dpd.test
@ -1,3 +1,4 @@
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
 # @TEST-EXEC: zeek -b -r $TRACES/tls/webrtc-stun.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: touch dpd.log
--- a/testing/btest/scripts/base/protocols/ssl/dtls.test
+++ b/testing/btest/scripts/base/protocols/ssl/dtls.test
@ -1,5 +1,6 @@
 # This tests a normal SSL connection and the log it outputs.

+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
 # @TEST-EXEC: zeek -b -r $TRACES/tls/dtls1_0.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
--- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test
@ -1,3 +1,6 @@
+# Does not work in spicy version, due to missing DTLS and SSLv2 handshake support
+# @TEST-REQUIRES: ! grep -q "#define ENABLE_SPICY_SSL" $BUILD/zeek-config.h
+
 # @TEST-EXEC: zeek -b -r $TRACES/tls/dhe.pcap %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -r $TRACES/tls/ecdhe.pcap %INPUT