[Security - Testing] OpenSSL 1.0.2 and 1.1.1 CI Testing (#35236)

Enable OpenSSL 1.0.2 tests and add a container for 1.1.1 so that it is tested during portability testing as well.

Closes #35236

PiperOrigin-RevId: 590345568

templates/tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile.template

@@ -0,0 +1,31 @@
+%YAML 1.2
+--- |
+  # Copyright 2023 the gRPC authors.
+  #
+  # Licensed under the Apache License, Version 2.0 (the "License");
+  # you may not use this file except in compliance with the License.
+  # You may obtain a copy of the License at
+  #
+  #     http://www.apache.org/licenses/LICENSE-2.0
+  #
+  # Unless required by applicable law or agreed to in writing, software
+  # distributed under the License is distributed on an "AS IS" BASIS,
+  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  # See the License for the specific language governing permissions and
+  # limitations under the License.
+  
+  FROM debian:11
+  
+  <%include file="../../apt_get_basic.include"/>
+  <%include file="../../run_tests_python_deps.include"/>
+  <%include file="../../cxx_test_deps.include"/>
+  <%include file="../../cxx_deps.include"/>
+  <%include file="../../cmake.include"/>
+  <%include file="../../ccache.include"/>
+  <%include file="../../run_tests_addons.include"/>
+
+  # Install openssl 1.1.1 by installing libssl-dev on debian:11
+  RUN apt-get update && apt-get install -y build-essential zlib1g-dev libssl-dev
+
+  # Define the default command.
+  CMD ["bash"]

test/core/end2end/h2_ssl_cert_test.cc

@@ -259,8 +259,8 @@ TEST_P(H2SslCertTest, SimpleRequestBody) {
   simple_request_body(fixture_.get(), GetParam().result);
 }
 
-// TODO(gtcooke94) SimpleRequestBodyUseEngineTest was failing on OpenSSL3.0
-// and 1.1.1 and removed. Investigate and rewrite a better test
+// TODO(b/283304471) SimpleRequestBodyUseEngineTest was failing on OpenSSL3.0
+// and 1.1.1 and removed. Investigate and rewrite a better test.
 
 INSTANTIATE_TEST_SUITE_P(H2SslCert, H2SslCertTest,
                          ::testing::ValuesIn(configs));

test/core/tsi/crl_ssl_transport_security_test.cc

@@ -201,10 +201,11 @@ class CrlSslTransportSecurityTest
       // Handshake succeeds because the CRL that revokes the cert is not
       // present.
       bool expect_server_success = expect_server_success_;
+      bool expect_client_success = false;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
-      bool expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
-                                       ? expect_client_success_1_2_
-                                       : expect_client_success_1_3_;
+      expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2
+                                  ? expect_client_success_1_2_
+                                  : expect_client_success_1_3_;
 #else
       //  If using OpenSSL version < 1.1, the CRL revocation won't
       //  be enabled anyways, so we always expect the connection to

test/core/tsi/transport_security_test_lib.cc

@@ -704,12 +704,20 @@ std::string GenerateSelfSignedCertificate(
   // infinite future is from RFC 5280 Section 4.1.2.5.1.
   ASN1_UTCTIME* infinite_past = ASN1_UTCTIME_new();
   GPR_ASSERT(ASN1_UTCTIME_set(infinite_past, /*posix_time=*/0));
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+  GPR_ASSERT(X509_set_notBefore(x509, infinite_past));
+#else
   GPR_ASSERT(X509_set1_notBefore(x509, infinite_past));
+#endif
   ASN1_UTCTIME_free(infinite_past);
   ASN1_GENERALIZEDTIME* infinite_future = ASN1_GENERALIZEDTIME_new();
   GPR_ASSERT(
       ASN1_GENERALIZEDTIME_set_string(infinite_future, "99991231235959Z"));
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+  GPR_ASSERT(X509_set_notAfter(x509, infinite_future));
+#else
   GPR_ASSERT(X509_set1_notAfter(x509, infinite_future));
+#endif
   ASN1_GENERALIZEDTIME_free(infinite_future);
   // Set the subject DN.
   X509_NAME* subject_name = X509_NAME_new();

tools/bazelify_tests/dockerimage_current_versions.bzl

@@ -98,6 +98,7 @@ DOCKERIMAGE_CURRENT_VERSIONS = {
     "tools/dockerfile/test/cxx_clang_16_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_16_x64@sha256:7559d2743aa03e3247e6c80b412aec06b56a1a3aaa45ac174c07ea94afe62e1d",
     "tools/dockerfile/test/cxx_clang_6_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_clang_6_x64@sha256:8e9ddd6c0f3d04c1bf9370cc59712a4e5883f68f307643a9b6dcb2dbd678b579",
     "tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl102_x64@sha256:3bae65e56c756c491dfc4b02cff554ae3c4edd9d366d0d05d27e429b59a01b0f",
+    "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64@sha256:63f2cd5ae453aa2a850fc59b9ec8e8a865e63d9f99a2b796de65669f3bf21275",
     "tools/dockerfile/test/cxx_debian11_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x64@sha256:ecd1fbc04423ac9c667a3fbd985a9530e9a4387db372e22229a4d9d77034f4c3",
     "tools/dockerfile/test/cxx_debian11_x86.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_x86@sha256:cba4b92ff05bc51c0668bfce696d4a826728f4c61163b6d6107685cd83098b15",
     "tools/dockerfile/test/cxx_debian12_openssl309_x64.current_version": "docker://us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian12_openssl309_x64@sha256:a3f1242283eb5988e4aefede8af64db6f4bfea0d2875610cf55560abeb60563e",

tools/bazelify_tests/test/portability_tests.bzl

@@ -55,6 +55,8 @@ def generate_run_tests_portability_tests(name):
         compiler_configs = [
             ["gcc_7", "", "tools/dockerfile/test/cxx_gcc_8_x64.current_version"],
             ["gcc_12", "--cmake_configure_extra_args=-DCMAKE_CXX_STANDARD=20", "tools/dockerfile/test/cxx_gcc_12_x64.current_version"],
+            ["gcc10.2_openssl102", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian11_openssl102_x64.current_version"],
+            ["gcc10.2_openssl111", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version"],
             ["gcc_12_openssl309", "--cmake_configure_extra_args=-DgRPC_SSL_PROVIDER=package", "tools/dockerfile/test/cxx_debian12_openssl309_x64.current_version"],
             ["gcc_musl", "", "tools/dockerfile/test/cxx_alpine_x64.current_version"],
             ["clang_6", "--cmake_configure_extra_args=-DCMAKE_C_COMPILER=clang --cmake_configure_extra_args=-DCMAKE_CXX_COMPILER=clang++", "tools/dockerfile/test/cxx_clang_6_x64.current_version"],

tools/dockerfile/test/cxx_debian11_openssl111_x64.current_version

@@ -0,0 +1 @@
+us-docker.pkg.dev/grpc-testing/testing-images-public/cxx_debian11_openssl111_x64:d32295b6e0b45141a49a47608734f1e057a1ec74@sha256:63f2cd5ae453aa2a850fc59b9ec8e8a865e63d9f99a2b796de65669f3bf21275

tools/dockerfile/test/cxx_debian11_openssl111_x64/Dockerfile

@@ -0,0 +1,125 @@
+# Copyright 2023 the gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM debian:11
+
+#=================
+# Basic C core dependencies
+
+# C/C++ dependencies according to https://github.com/grpc/grpc/blob/master/BUILDING.md
+RUN apt-get update && apt-get install -y \
+  build-essential \
+  autoconf \
+  libtool \
+  pkg-config \
+  && apt-get clean
+
+# GCC
+RUN apt-get update && apt-get install -y \
+  gcc \
+  g++ \
+  && apt-get clean
+
+# libc6
+RUN apt-get update && apt-get install -y \
+  libc6 \
+  libc6-dbg \
+  libc6-dev \
+  && apt-get clean
+
+# Tools
+RUN apt-get update && apt-get install -y \
+  bzip2 \
+  curl \
+  dnsutils \
+  git \
+  lcov \
+  make \
+  strace \
+  time \
+  unzip \
+  wget \
+  zip \
+  && apt-get clean
+
+#=================
+# Setup git to access working directory across docker boundary.
+# This avoids the "fatal: detected dubious ownership in repository XYZ"
+# git error.
+
+RUN git config --global --add safe.directory '*'
+RUN git config --global protocol.file.allow always
+
+
+#====================
+# run_tests.py python dependencies
+
+# Basic python dependencies to be able to run tools/run_tests python scripts
+# These dependencies are not sufficient to build gRPC Python, gRPC Python
+# deps are defined elsewhere (e.g. python_deps.include)
+RUN apt-get update && apt-get install -y \
+  python3 \
+  python3-pip \
+  python3-setuptools \
+  python3-yaml \
+  && apt-get clean
+
+# use pinned version of pip to avoid sudden breakages
+RUN python3 -m pip install --upgrade pip==19.3.1
+
+# TODO(jtattermusch): currently six is needed for tools/run_tests scripts
+# but since our python2 usage is deprecated, we should get rid of it.
+RUN python3 -m pip install six==1.16.0
+
+# Google Cloud Platform API libraries
+# These are needed for uploading test results to BigQuery (e.g. by tools/run_tests scripts)
+RUN python3 -m pip install --upgrade google-auth==1.23.0 google-api-python-client==1.12.8 oauth2client==4.1.0
+
+
+# Some cxx tests depend on the twisted package
+RUN python3 -m pip install twisted
+
+#=================
+# C++ dependencies
+RUN apt-get update && apt-get -y install libc++-dev clang && apt-get clean
+
+#=================
+# Install cmake
+# Note that this step should be only used for distributions that have new enough cmake to satisfy gRPC's cmake version requirement.
+
+RUN apt-get update && apt-get install -y cmake && apt-get clean
+
+#=================
+# Install ccache
+
+# Install ccache from source since ccache 3.x packaged with most linux distributions
+# does not support Redis backend for caching.
+RUN curl -sSL -o ccache.tar.gz https://github.com/ccache/ccache/releases/download/v4.7.5/ccache-4.7.5.tar.gz \
+    && tar -zxf ccache.tar.gz \
+    && cd ccache-4.7.5 \
+    && mkdir build && cd build \
+    && cmake -DCMAKE_BUILD_TYPE=Release -DZSTD_FROM_INTERNET=ON -DHIREDIS_FROM_INTERNET=ON .. \
+    && make -j4 && make install \
+    && cd ../.. \
+    && rm -rf ccache-4.7.5 ccache.tar.gz
+
+
+RUN mkdir /var/local/jenkins
+
+
+# Install openssl 1.1.1 by installing libssl-dev on debian:11
+RUN apt-get update && apt-get install -y build-essential zlib1g-dev libssl-dev
+
+# Define the default command.
+CMD ["bash"]

tools/run_tests/run_tests.py

@@ -571,6 +571,13 @@ class CLanguage(object):
                     "-DgRPC_SSL_PROVIDER=package",
                 ],
             )
+        elif compiler == "gcc10.2_openssl111":
+            return (
+                "debian11_openssl111",
+                [
+                    "-DgRPC_SSL_PROVIDER=package",
+                ],
+            )
         elif compiler == "gcc12":
             return ("gcc_12", ["-DCMAKE_CXX_STANDARD=20"])
         elif compiler == "gcc12_openssl309":
@@ -1721,6 +1728,7 @@ argp.add_argument(
         "gcc8",
         "gcc10.2",
         "gcc10.2_openssl102",
+        "gcc10.2_openssl111",
         "gcc12",
         "gcc12_openssl309",
         "gcc_musl",

tools/run_tests/run_tests_matrix.py

@@ -355,7 +355,9 @@ def _create_portability_test_jobs(
     # portability C and C++ on x64
     for compiler in [
         "gcc8",
-        # 'gcc10.2_openssl102', // TODO(b/283304471): Enable this later
+        # TODO(b/283304471): Tests using OpenSSL's engine APIs were broken and removed
+        "gcc10.2_openssl102",
+        "gcc10.2_openssl111",
         "gcc12",
         "gcc12_openssl309",
         "gcc_musl",