[Security - Testing] OpenSSL 1.0.2 and 1.1.1 CI Testing (#35236)
Enable OpenSSL 1.0.2 tests and add a container for 1.1.1 so that it is tested during portability testing as well.
Closes #35236
PiperOrigin-RevId: 590345568
diff --git a/templates/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile.template b/templates/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile.template
new file mode 100644
index 0000000..dfe3af1
--- /dev/null
+++ b/templates/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile.template
@@ -0,0 +1,31 @@
+%YAML 1.2
+--- |
+ # Copyright 2023 the gRPC authors.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ FROM debian:11
+
+ <%include file="../../apt_get_basic.include"/>
+ <%include file="../../run_tests_python_deps.include"/>
+ <%include file="../../cxx_test_deps.include"/>
+ <%include file="../../cxx_deps.include"/>
+ <%include file="../../cmake.include"/>
+ <%include file="../../ccache.include"/>
+ <%include file="../../run_tests_addons.include"/>
+
+ # Install openssl 1.1.1 by installing libssl-dev on debian:11
+ RUN apt-get update && apt-get install -y build-essential zlib1g-dev libssl-dev
+
+ # Define the default command.
+ CMD ["bash"]
diff --git a/test/core/end2end/h2_ssl_cert_test.cc b/test/core/end2end/h2_ssl_cert_test.cc
index 7b2d417..584bceb 100644
--- a/test/core/end2end/h2_ssl_cert_test.cc
+++ b/test/core/end2end/h2_ssl_cert_test.cc
@@ -259,8 +259,8 @@
simple_request_body(fixture_.get(), GetParam().result);
}
-// TODO(gtcooke94) SimpleRequestBodyUseEngineTest was failing on OpenSSL3.0
-// and 1.1.1 and removed. Investigate and rewrite a better test
+// TODO(b/283304471) SimpleRequestBodyUseEngineTest was failing on OpenSSL3.0
+// and 1.1.1 and removed. Investigate and rewrite a better test.
INSTANTIATE_TEST_SUITE_P(H2SslCert, H2SslCertTest,
::testing::ValuesIn(configs));
diff --git a/test/core/tsi/crl_ssl_transport_security_test.cc b/test/core/tsi/crl_ssl_transport_security_test.cc
index 88908d2..b06eead 100644
--- a/test/core/tsi/crl_ssl_transport_security_test.cc
+++ b/test/core/tsi/crl_ssl_transport_security_test.cc
@@ -201,10 +201,11 @@
// Handshake succeeds because the CRL that revokes the cert is not
// present.
bool expect_server_success = expect_server_success_;
+ bool expect_client_success = false;
#if OPENSSL_VERSION_NUMBER >= 0x10100000
- bool expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
- ? expect_client_success_1_2_
- : expect_client_success_1_3_;
+ expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
+ ? expect_client_success_1_2_
+ : expect_client_success_1_3_;
#else
// If using OpenSSL version < 1.1, the CRL revocation won't
// be enabled anyways, so we always expect the connection to
diff --git a/test/core/tsi/transport_security_test_lib.cc b/test/core/tsi/transport_security_test_lib.cc
index 8e4b287..811ecff 100644
--- a/test/core/tsi/transport_security_test_lib.cc
+++ b/test/core/tsi/transport_security_test_lib.cc
@@ -704,12 +704,20 @@
// infinite future is from RFC 5280 Section 4.1.2.5.1.
ASN1_UTCTIME* infinite_past = ASN1_UTCTIME_new();
GPR_ASSERT(ASN1_UTCTIME_set(infinite_past, /*posix_time=*/0));
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ GPR_ASSERT(X509_set_notBefore(x509, infinite_past));
+#else
GPR_ASSERT(X509_set1_notBefore(x509, infinite_past));
+#endif
ASN1_UTCTIME_free(infinite_past);
ASN1_GENERALIZEDTIME* infinite_future = ASN1_GENERALIZEDTIME_new();
GPR_ASSERT(
ASN1_GENERALIZEDTIME_set_string(infinite_future, "99991231235959Z"));
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ GPR_ASSERT(X509_set_notAfter(x509, infinite_future));
+#else
GPR_ASSERT(X509_set1_notAfter(x509, infinite_future));
+#endif
ASN1_GENERALIZEDTIME_free(infinite_future);
// Set the subject DN.
X509_NAME* subject_name = X509_NAME_new();
diff --git a/tools/bazelify_tests/dockerimage_current_versions.bzl b/tools/bazelify_tests/dockerimage_current_versions.bzl
index c56456c..a9a845e 100644
--- a/tools/bazelify_tests/dockerimage_current_versions.bzl
+++ b/tools/bazelify_tests/dockerimage_current_versions.bzl
@@ -98,6 +98,7 @@
"tools/dockerfile/test/cxx_clang_16_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_16_x64@sha256:7559d2743aa03e3247e6c80b412aec06b56a1a3aaa45ac174c07ea94afe62e1d",
"tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:8e9ddd6c0f3d04c1bf9370cc59712a4e5883f68f307643a9b6dcb2dbd678b579",
"tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl102_x64@sha256:3bae65e56c756c491dfc4b02cff554ae3c4edd9d366d0d05d27e429b59a01b0f",
+ "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64@sha256:63f2cd5ae453aa2a850fc59b9ec8e8a865e63d9f99a2b796de65669f3bf21275",
"tools/dockerfile/test/cxx_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x64@sha256:ecd1fbc04423ac9c667a3fbd985a9530e9a4387db372e22229a4d9d77034f4c3",
"tools/dockerfile/test/cxx_debian11_x86.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x86@sha256:cba4b92ff05bc51c0668bfce696d4a826728f4c61163b6d6107685cd83098b15",
"tools/dockerfile/test/cxx_debian12_openssl309_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian12_openssl309_x64@sha256:a3f1242283eb5988e4aefede8af64db6f4bfea0d2875610cf55560abeb60563e",
diff --git a/tools/bazelify_tests/test/portability_tests.bzl b/tools/bazelify_tests/test/portability_tests.bzl
index 50c42c2..a366663 100644
--- a/tools/bazelify_tests/test/portability_tests.bzl
+++ b/tools/bazelify_tests/test/portability_tests.bzl
@@ -55,6 +55,8 @@
compiler_configs = [
["gcc_7", "", "tools/dockerfile/test/cxx_gcc_8_x64.current_version"],
["gcc_12", "--cmake_configure_extra_args=-DCMAKE_CXX_STANDARD=20", "tools/dockerfile/test/cxx_gcc_12_x64.current_version"],
+ ["gcc10.2_openssl102", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version"],
+ ["gcc10.2_openssl111", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version"],
["gcc_12_openssl309", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian12_openssl309_x64.current_version"],
["gcc_musl", "", "tools/dockerfile/test/cxx_alpine_x64.current_version"],
["clang_6", "--cmake_configure_extra_args=-DCMAKE_C_COMPILER=clang --cmake_configure_extra_args=-DCMAKE_CXX_COMPILER=clang++", "tools/dockerfile/test/cxx_clang_6_x64.current_version"],
diff --git a/tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version b/tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version
new file mode 100644
index 0000000..ee4ef83
--- /dev/null
+++ b/tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version
@@ -0,0 +1 @@
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64:d32295b6e0b45141a49a47608734f1e057a1ec74@sha256:63f2cd5ae453aa2a850fc59b9ec8e8a865e63d9f99a2b796de65669f3bf21275
\ No newline at end of file
diff --git a/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile b/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile
new file mode 100644
index 0000000..19822c8
--- /dev/null
+++ b/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile
@@ -0,0 +1,125 @@
+# Copyright 2023 the gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM debian:11
+
+#=================
+# Basic C core dependencies
+
+# C/C++ dependencies according to https://github.com/grpc/grpc/blob/master/BUILDING.md
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ autoconf \
+ libtool \
+ pkg-config \
+ && apt-get clean
+
+# GCC
+RUN apt-get update && apt-get install -y \
+ gcc \
+ g++ \
+ && apt-get clean
+
+# libc6
+RUN apt-get update && apt-get install -y \
+ libc6 \
+ libc6-dbg \
+ libc6-dev \
+ && apt-get clean
+
+# Tools
+RUN apt-get update && apt-get install -y \
+ bzip2 \
+ curl \
+ dnsutils \
+ git \
+ lcov \
+ make \
+ strace \
+ time \
+ unzip \
+ wget \
+ zip \
+ && apt-get clean
+
+#=================
+# Setup git to access working directory across docker boundary.
+# This avoids the "fatal: detected dubious ownership in repository XYZ"
+# git error.
+
+RUN git config --global --add safe.directory '*'
+RUN git config --global protocol.file.allow always
+
+
+#====================
+# run_tests.py python dependencies
+
+# Basic python dependencies to be able to run tools/run_tests python scripts
+# These dependencies are not sufficient to build gRPC Python, gRPC Python
+# deps are defined elsewhere (e.g. python_deps.include)
+RUN apt-get update && apt-get install -y \
+ python3 \
+ python3-pip \
+ python3-setuptools \
+ python3-yaml \
+ && apt-get clean
+
+# use pinned version of pip to avoid sudden breakages
+RUN python3 -m pip install --upgrade pip==19.3.1
+
+# TODO(jtattermusch): currently six is needed for tools/run_tests scripts
+# but since our python2 usage is deprecated, we should get rid of it.
+RUN python3 -m pip install six==1.16.0
+
+# Google Cloud Platform API libraries
+# These are needed for uploading test results to BigQuery (e.g. by tools/run_tests scripts)
+RUN python3 -m pip install --upgrade google-auth==1.23.0 google-api-python-client==1.12.8 oauth2client==4.1.0
+
+
+# Some cxx tests depend on the twisted package
+RUN python3 -m pip install twisted
+
+#=================
+# C++ dependencies
+RUN apt-get update && apt-get -y install libc++-dev clang && apt-get clean
+
+#=================
+# Install cmake
+# Note that this step should be only used for distributions that have new enough cmake to satisfy gRPC's cmake version requirement.
+
+RUN apt-get update && apt-get install -y cmake && apt-get clean
+
+#=================
+# Install ccache
+
+# Install ccache from source since ccache 3.x packaged with most linux distributions
+# does not support Redis backend for caching.
+RUN curl -sSL -o ccache.tar.gz https://github.com/ccache/ccache/releases/download/v4.7.5/ccache-4.7.5.tar.gz \
+ && tar -zxf ccache.tar.gz \
+ && cd ccache-4.7.5 \
+ && mkdir build && cd build \
+ && cmake -DCMAKE_BUILD_TYPE=Release -DZSTD_FROM_INTERNET=ON -DHIREDIS_FROM_INTERNET=ON .. \
+ && make -j4 && make install \
+ && cd ../.. \
+ && rm -rf ccache-4.7.5 ccache.tar.gz
+
+
+RUN mkdir /var/local/jenkins
+
+
+# Install openssl 1.1.1 by installing libssl-dev on debian:11
+RUN apt-get update && apt-get install -y build-essential zlib1g-dev libssl-dev
+
+# Define the default command.
+CMD ["bash"]
diff --git a/tools/run_tests/run_tests.py b/tools/run_tests/run_tests.py
index ea1b1b0..0d67909 100755
--- a/tools/run_tests/run_tests.py
+++ b/tools/run_tests/run_tests.py
@@ -571,6 +571,13 @@
"-DgRPC_SSL_PROVIDER=package",
],
)
+ elif compiler == "gcc10.2_openssl111":
+ return (
+ "debian11_openssl111",
+ [
+ "-DgRPC_SSL_PROVIDER=package",
+ ],
+ )
elif compiler == "gcc12":
return ("gcc_12", ["-DCMAKE_CXX_STANDARD=20"])
elif compiler == "gcc12_openssl309":
@@ -1721,6 +1728,7 @@
"gcc8",
"gcc10.2",
"gcc10.2_openssl102",
+ "gcc10.2_openssl111",
"gcc12",
"gcc12_openssl309",
"gcc_musl",
diff --git a/tools/run_tests/run_tests_matrix.py b/tools/run_tests/run_tests_matrix.py
index d858e10..cb346c9 100755
--- a/tools/run_tests/run_tests_matrix.py
+++ b/tools/run_tests/run_tests_matrix.py
@@ -355,7 +355,9 @@
# portability C and C++ on x64
for compiler in [
"gcc8",
- # 'gcc10.2_openssl102', // TODO(b/283304471): Enable this later
+ # TODO(b/283304471): Tests using OpenSSL's engine APIs were broken and removed
+ "gcc10.2_openssl102",
+ "gcc10.2_openssl111",
"gcc12",
"gcc12_openssl309",
"gcc_musl",
