AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #5864 from xkqian/tls13_add_comprehensive_cases

Browse Source 
Tls13 add comprehensive cases
This commit is contained in:
Ronald Cron 2022-06-15 09:18:11 +02:00 committed by GitHub
commit 4ccd226cbf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 7871 additions and 775 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
programs/ssl/ssl_server2.c
View File

@ -2382,6 +2382,22 @@ int main( int argc, char *argv[] )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
}
else if( strcmp( q, "rsa_pss_rsae_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
}
else if( strcmp( q, "rsa_pss_rsae_sha384" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
}
else if( strcmp( q, "rsa_pss_rsae_sha512" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
}
else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
}
else
{
mbedtls_printf( "unknown signature algorithm %s\n", q );
@ -2389,6 +2405,10 @@ int main( int argc, char *argv[] )
mbedtls_printf( "ecdsa_secp256r1_sha256 " );
mbedtls_printf( "ecdsa_secp384r1_sha384 " );
mbedtls_printf( "ecdsa_secp521r1_sha512 " );
mbedtls_printf( "rsa_pss_rsae_sha256 " );
mbedtls_printf( "rsa_pss_rsae_sha384 " );
mbedtls_printf( "rsa_pss_rsae_sha512 " );
mbedtls_printf( "rsa_pkcs1_sha256 " );
mbedtls_printf( "\n" );
goto exit;
}

8402
tests/opt-testcases/tls13-compat.sh
View File

File diff suppressed because it is too large Load Diff

218
tests/scripts/generate_tls13_compat_tests.py
View File

@ -24,7 +24,6 @@ Generate TLSv1.3 Compat test cases
import sys
import os
import abc
import argparse
import itertools
from collections import namedtuple
@ -71,10 +70,11 @@ NAMED_GROUP_IANA_VALUE = {
}
class TLSProgram(metaclass=abc.ABCMeta):
class TLSProgram:
"""
Base class for generate server/client command.
"""
# pylint: disable=too-many-arguments
def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
cert_sig_alg=None, compat_mode=True):
@ -112,23 +112,32 @@ class TLSProgram(metaclass=abc.ABCMeta):
self._cert_sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
@abc.abstractmethod
# pylint: disable=no-self-use
def pre_checks(self):
return []
@abc.abstractmethod
# pylint: disable=no-self-use
def cmd(self):
if not self._cert_sig_algs:
self._cert_sig_algs = list(CERTIFICATES.keys())
return self.pre_cmd()
@abc.abstractmethod
# pylint: disable=no-self-use
def post_checks(self):
return []
# pylint: disable=no-self-use
def pre_cmd(self):
return ['false']
class OpenSSLServ(TLSProgram):
# pylint: disable=unused-argument,no-self-use
def hrr_post_checks(self, named_group):
return []
class OpenSSLBase(TLSProgram):
"""
Generate test commands for OpenSSL server.
Generate base test commands for OpenSSL.
"""
NAMED_GROUP = {
@ -140,11 +149,7 @@ class OpenSSLServ(TLSProgram):
}
def cmd(self):
super().cmd()
ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
ret += ['-accept $SRV_PORT']
ret = super().cmd()
if self._ciphers:
ciphersuites = ':'.join(self._ciphers)
@ -161,22 +166,49 @@ class OpenSSLServ(TLSProgram):
map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups))
ret += ["-groups {named_groups}".format(named_groups=named_groups)]
ret += ['-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache']
ret += ['-msg -tls1_3']
if not self._compat_mode:
ret += ['-no_middlebox']
return ' '.join(ret)
return ret
def pre_checks(self):
return ["requires_openssl_tls1_3"]
class OpenSSLServ(OpenSSLBase):
"""
Generate test commands for OpenSSL server.
"""
def cmd(self):
ret = super().cmd()
ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache']
return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 ok"']
def pre_cmd(self):
ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
return ret
class GnuTLSServ(TLSProgram):
class OpenSSLCli(OpenSSLBase):
"""
Generate test commands for GnuTLS server.
Generate test commands for OpenSSL client.
"""
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT',
'-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class GnuTLSBase(TLSProgram):
"""
Generate base test commands for GnuTLS.
"""
CIPHER_SUITE = {
@ -220,17 +252,8 @@ class GnuTLSServ(TLSProgram):
"requires_gnutls_next_no_ticket",
"requires_gnutls_next_disable_tls13_compat", ]
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
def cmd(self):
super().cmd()
ret = ['$G_NEXT_SRV_NO_CERT', '--http',
'--disable-client-cert', '--debug=4']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
ret = super().cmd()
priority_string_list = []
@ -261,7 +284,7 @@ class GnuTLSServ(TLSProgram):
priority_string_list.append('GROUP-ALL')
priority_string_list = ['NONE'] + \
sorted(priority_string_list) + ['VERS-TLS1.3']
priority_string_list + ['VERS-TLS1.3']
priority_string = ':+'.join(priority_string_list)
priority_string += ':%NO_TICKETS'
@ -271,13 +294,38 @@ class GnuTLSServ(TLSProgram):
ret += ['--priority={priority_string}'.format(
priority_string=priority_string)]
ret = ' '.join(ret)
return ret
class MbedTLSCli(TLSProgram):
class GnuTLSServ(GnuTLSBase):
"""
Generate test commands for mbedTLS client.
Generate test commands for GnuTLS server.
"""
def pre_cmd(self):
ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def pre_cmd(self):
return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share',
'--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class MbedTLSBase(TLSProgram):
"""
Generate base test commands for mbedTLS.
"""
CIPHER_SUITE = {
@ -288,12 +336,9 @@ class MbedTLSCli(TLSProgram):
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
def cmd(self):
super().cmd()
ret = ['$P_CLI']
ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT',
'debug_level=4']
ret += ['ca_file={cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
ret = super().cmd()
ret += ['debug_level=4']
if self._ciphers:
ciphers = ','.join(
@ -307,13 +352,11 @@ class MbedTLSCli(TLSProgram):
if self._named_groups:
named_groups = ','.join(self._named_groups)
ret += ["curves={named_groups}".format(named_groups=named_groups)]
ret = ' '.join(ret)
ret += ['force_version=tls13']
return ret
def pre_checks(self):
ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
'requires_config_enabled MBEDTLS_SSL_CLI_C',
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3']
if self._compat_mode:
@ -324,6 +367,67 @@ class MbedTLSCli(TLSProgram):
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
return ret
class MbedTLSServ(MbedTLSBase):
"""
Generate test commands for mbedTLS server.
"""
def cmd(self):
ret = super().cmd()
ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0']
return ret
def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_SRV_C'] + super().pre_checks()
def post_checks(self):
check_strings = ["Protocol is TLSv1.3"]
if self._ciphers:
check_strings.append(
"server hello, chosen ciphersuite: {} ( id={:04d} )".format(
self.CIPHER_SUITE[self._ciphers[0]],
CIPHER_SUITE_IANA_VALUE[self._ciphers[0]]))
if self._sig_algs:
check_strings.append(
"received signature algorithm: 0x{:x}".format(
SIG_ALG_IANA_VALUE[self._sig_algs[0]]))
for named_group in self._named_groups:
check_strings += ['got named group: {named_group}({iana_value:04x})'.format(
named_group=named_group,
iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
check_strings.append("Verifying peer X.509 certificate... ok")
return ['-s "{}"'.format(i) for i in check_strings]
def pre_cmd(self):
ret = ['$P_SRV']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
return ret
def hrr_post_checks(self, named_group):
return ['-s "HRR selected_group: {:s}"'.format(named_group)]
class MbedTLSCli(MbedTLSBase):
"""
Generate test commands for mbedTLS client.
"""
def pre_cmd(self):
return ['$P_CLI',
'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks()
def hrr_post_checks(self, named_group):
ret = ['-c "received HelloRetryRequest message"']
ret += ['-c "selected_group ( {:d} )"'.format(NAMED_GROUP_IANA_VALUE[named_group])]
return ret
def post_checks(self):
check_strings = ["Protocol is TLSv1.3"]
if self._ciphers:
@ -345,8 +449,8 @@ class MbedTLSCli(TLSProgram):
return ['-c "{}"'.format(i) for i in check_strings]
SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ}
CLIENT_CLASSES = {'mbedTLS': MbedTLSCli}
SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ, 'mbedTLS': MbedTLSServ}
CLIENT_CLASSES = {'OpenSSL': OpenSSLCli, 'GnuTLS': GnuTLSCli, 'mbedTLS': MbedTLSCli}
def generate_compat_test(client=None, server=None, cipher=None, named_group=None, sig_alg=None):
@ -365,8 +469,10 @@ def generate_compat_test(client=None, server=None, cipher=None, named_group=None
signature_algorithm=sig_alg,
cert_sig_alg=sig_alg)
cmd = ['run_test "{}"'.format(name), '"{}"'.format(
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']
cmd = ['run_test "{}"'.format(name),
'"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks()
cmd += client_object.post_checks()
cmd += ['-C "received HelloRetryRequest message"']
@ -391,20 +497,20 @@ def generate_hrr_compat_test(client=None, server=None,
cert_sig_alg=cert_sig_alg)
client_object.add_named_groups(server_named_group)
cmd = ['run_test "{}"'.format(name), '"{}"'.format(
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']
cmd = ['run_test "{}"'.format(name),
'"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks()
cmd += client_object.post_checks()
cmd += ['-c "received HelloRetryRequest message"']
cmd += ['-c "selected_group ( {:d} )"'.format(
NAMED_GROUP_IANA_VALUE[server_named_group])]
cmd += server_object.hrr_post_checks(server_named_group)
cmd += client_object.hrr_post_checks(server_named_group)
prefix = ' \\\n' + (' '*9)
cmd = prefix.join(cmd)
return '\n'.join(server_object.pre_checks() +
client_object.pre_checks() +
[cmd])
SSL_OUTPUT_HEADER = '''#!/bin/sh
# {filename}
@ -487,9 +593,11 @@ def main():
CIPHER_SUITE_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys(),
SIG_ALG_IANA_VALUE.keys()):
yield generate_compat_test(client=client, server=server,
cipher=cipher, named_group=named_group,
sig_alg=sig_alg)
if server == 'mbedTLS' or client == 'mbedTLS':
yield generate_compat_test(client=client, server=server,
cipher=cipher, named_group=named_group,
sig_alg=sig_alg)
# Generate Hello Retry Request compat test cases
for client, server, client_named_group, server_named_group in \
@ -497,7 +605,9 @@ def main():
SERVER_CLASSES.keys(),
NAMED_GROUP_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys()):
if client_named_group != server_named_group:
if (client == 'mbedTLS' or server == 'mbedTLS') and \
client_named_group != server_named_group:
yield generate_hrr_compat_test(client=client, server=server,
client_named_group=client_named_group,
server_named_group=server_named_group,

6
tests/ssl-opt.sh
View File

@ -82,9 +82,11 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
else
O_NEXT_SRV=false
O_NEXT_SRV_NO_CERT=false
O_NEXT_CLI_NO_CERT=false
O_NEXT_CLI=false
fi
@ -98,8 +100,10 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
G_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI"
else
G_NEXT_CLI=false
G_NEXT_CLI_NO_CERT=false
fi
TESTS=0
@ -1558,6 +1562,7 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
fi
if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
@ -1567,6 +1572,7 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
fi
# Allow SHA-1, because many of our test certificates use it