authorPéter Dimitrov <[email protected]>2019-07-26 14:45:04 +0200
committerPéter Dimitrov <[email protected]>2019-07-26 16:12:41 +0200
commit96bea6b1572c3445df53cba985072f9613c73ac1 (patch)
tree71f31f749f22457a73e1aaa7655b6c2dd7c3f25c /lib/ssl
parent5fc96782a03e2fa170a8a7a3781d32b176af0548 (diff)
ssl: Enable TLS 1.3 test groups in FT
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl.erl3
-rw-r--r--lib/ssl/test/openssl_client_cert_SUITE.erl10
-rw-r--r--lib/ssl/test/openssl_server_cert_SUITE.erl60
-rw-r--r--lib/ssl/test/ssl_cert_tests.erl35
-rw-r--r--lib/ssl/test/ssl_test_lib.erl7
5 files changed, 92 insertions, 23 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index ce639e8fde..7ff9aed8ea 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -982,7 +982,8 @@ cipher_suites(all) ->
%% Description: Returns all default and all supported cipher suites for a
%% TLS/DTLS version
%%--------------------------------------------------------------------
-cipher_suites(Base, Version) when Version == 'tlsv1.2';
+cipher_suites(Base, Version) when Version == 'tlsv1.3';
+ Version == 'tlsv1.2';
Version == 'tlsv1.1';
Version == tlsv1;
Version == sslv3 ->
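Review bot: The description comment at the head of this clause does not say what the caller gets for the newly accepted 'tlsv1.3', and it matters: TLS 1.3 suites carry no key-exchange/authentication algorithm, which is exactly why the test helper added in this commit (ssl_cert_tests:test_ciphers/2) stops filtering by key_exchange for that version. A line such as `%% For 'tlsv1.3' the returned suites carry no key-exchange/auth algorithm.` would spare the next caller the surprise of ssl:filter_cipher_suites/2 returning [] for a 1.3 list. If the function's -spec enumerates the accepted versions it should gain 'tlsv1.3' as well; both the spec and the body of this clause lie outside the hunk.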
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 08c1534eb0..4844f06672 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -37,7 +37,7 @@ all() ->
groups() ->
[
{openssl_client, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
{'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
{'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
{'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -46,13 +46,13 @@ groups() ->
{'dtlsv1', [], pre_tls_1_3_protocol_groups()},
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
].
protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
{group, 'tlsv1.2'},
{group, 'tlsv1.1'},
{group, 'tlsv1'},
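Review bot: The rsa_1_3 and ecdsa_1_3 groups are switched on here, but this commit only changes init_per_group in openssl_server_cert_SUITE (splitting the rsa/rsa_1_3 and ecdsa/ecdsa_1_3 clauses so the 1.3 groups call ssl_cert_tests:test_ciphers(undefined, Version)); the client suite's init_per_group is not in the diff. If it still serves rsa and rsa_1_3 from one clause that filters suites by key exchange, the 1.3 groups will either get an empty list and skip with `{no_sup, Group, Version}` or run with a pre-1.3 suite selection, and a group that silently skips looks green in CT — worth confirming. The asymmetry that only rsa_1_3 carries `unsupported_sign_algo_cert_client_auth` also deserves a one-line comment, e.g. `%% unsupported_sign_algo_cert_client_auth needs an RSA cert; no ECDSA variant`, so the next reader does not go looking for a missing test.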
diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl
index abac2647a9..83b0884f66 100644
--- a/lib/ssl/test/openssl_server_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_server_cert_SUITE.erl
@@ -36,7 +36,7 @@ all() ->
groups() ->
[
{openssl_server, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
{'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
{'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
{'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -45,13 +45,13 @@ groups() ->
{'dtlsv1', [], pre_tls_1_3_protocol_groups()},
{rsa, [], all_version_tests()},
{ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
].
protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
{group, 'tlsv1.2'},
{group, 'tlsv1.1'},
{group, 'tlsv1'},
@@ -108,8 +108,7 @@ end_per_suite(_Config) ->
init_per_group(openssl_server, Config0) ->
Config = proplists:delete(server_type, proplists:delete(client_type, Config0)),
[{client_type, erlang}, {server_type, openssl} | Config];
-init_per_group(Group, Config0) when Group == rsa;
- Group == rsa_1_3 ->
+init_per_group(rsa = Group, Config0) ->
Config = ssl_test_lib:make_rsa_cert(Config0),
COpts = proplists:get_value(client_rsa_opts, Config),
SOpts = proplists:get_value(server_rsa_opts, Config),
@@ -133,8 +132,25 @@ init_per_group(Group, Config0) when Group == rsa;
[] ->
{skip, {no_sup, Group, Version}}
end;
-init_per_group(Group, Config0) when Group == ecdsa;
- Group == ecdsa_1_3 ->
+init_per_group(rsa_1_3 = Group, Config0) ->
+ Config = ssl_test_lib:make_rsa_cert(Config0),
+ COpts = proplists:get_value(client_rsa_opts, Config),
+ SOpts = proplists:get_value(server_rsa_opts, Config),
+ %% Make sure _rsa* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, rsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))])];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+init_per_group(ecdsa = Group, Config0) ->
PKAlg = crypto:supports(public_keys),
case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
lists:member(dh, PKAlg)) of
@@ -166,6 +182,32 @@ init_per_group(Group, Config0) when Group == ecdsa;
false ->
{skip, "Missing EC crypto support"}
end;
+init_per_group(ecdsa_1_3 = Group, Config0) ->
+ PKAlg = crypto:supports(public_keys),
+ case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
+ lists:member(dh, PKAlg)) of
+ true ->
+ Config = ssl_test_lib:make_ecdsa_cert(Config0),
+ COpts = proplists:get_value(client_ecdsa_opts, Config),
+ SOpts = proplists:get_value(server_ecdsa_opts, Config),
+ %% Make sure ecdh* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, ecdsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))]
+ )];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+ false ->
+ {skip, "Missing EC crypto support"}
+ end;
init_per_group(Group, Config0) when Group == dsa ->
PKAlg = crypto:supports(public_keys),
case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) of
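Review bot: The ecdsa_1_3 clause nests `case` three deep and repeats, line for line, the cert_key_alg/client_cert_opts/server_cert_opts rebuilding of the rsa_1_3 clause above it, differing only in the cert maker, the option keys and the atom stored under cert_key_alg. Extracting that tail into one helper keeps both clauses down to the crypto-support check plus one call; the helper has to live outside the run of init_per_group clauses (Erlang requires a function's clauses to be contiguous), e.g. among the internal functions. As in the rsa_1_3 clause, the `%% Make sure ecdh* suite is choosen` comment does not describe TLS 1.3, where test_ciphers(undefined, Version) offers every default 1.3 suite regardless of key type; the helper's header comment below says what actually happens. The dsa clause that starts at the end of this hunk continues past it.
```erlang
init_per_group(ecdsa_1_3 = Group, Config0) ->
    PKAlg = crypto:supports(public_keys),
    case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
                                             lists:member(dh, PKAlg)) of
        true ->
            tls_1_3_cert_config(ecdsa, Group, ssl_test_lib:make_ecdsa_cert(Config0));
        false ->
            {skip, "Missing EC crypto support"}
    end;
%% … unchanged: dsa clause and the remaining init_per_group clauses …

%% Shared tail of the rsa_1_3 and ecdsa_1_3 groups.  TLS 1.3 suites carry
%% no key-exchange/auth algorithm, so every default suite the local OpenSSL
%% supports is offered; Alg only records which certificate key type the
%% group exercises.  Skips the group when OpenSSL shares no default suite.
tls_1_3_cert_config(Alg, Group, Config) ->
    {CKey, SKey} = cert_opts_keys(Alg),
    COpts = proplists:get_value(CKey, Config),
    SOpts = proplists:get_value(SKey, Config),
    Version = proplists:get_value(version, Config),
    case ssl_cert_tests:test_ciphers(undefined, Version) of
        [_|_] = Ciphers ->
            [{cert_key_alg, Alg} |
             lists:delete(cert_key_alg,
                          [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
                           {server_cert_opts, SOpts} |
                           lists:delete(server_cert_opts,
                                        lists:delete(client_cert_opts, Config))])];
        [] ->
            {skip, {no_sup, Group, Version}}
    end.

cert_opts_keys(rsa)   -> {client_rsa_opts, server_rsa_opts};
cert_opts_keys(ecdsa) -> {client_ecdsa_opts, server_ecdsa_opts}.
```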
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index f330c716bc..1c73dac3f9 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -243,9 +243,9 @@ custom_groups(Config) ->
ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
- {ServerOpts, ClientOpts} = group_config(Config,
- [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
- [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
+ {ServerOpts, ClientOpts} = group_config_custom(Config,
+ [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
+ [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
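Review bot: custom_groups only checks that ssl_test_lib:basic_test completes; neither the negotiated group nor whether a HelloRetryRequest occurred is asserted, so a regression where the peers fall back to some other shared group, or where the Erlang side ignores supported_groups altogether, still passes. At minimum the intent should be written down above the group_config_custom call, e.g. `%% The two sides rank groups differently but share P-256 and P-384; the handshake must succeed whichever side's preference wins.` — that is what group_config_custom's lists encode (server "X448:P-256:P-384" against client [secp384r1, secp256r1, x25519], and [x448, secp256r1, secp384r1] against "P-384:P-256:X25519"). If basic_test exposes the sockets, asserting the selected group (where the ssl API of this version reports it) would turn the case into a real check; basic_test is not visible here.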
@@ -278,14 +278,14 @@ hello_retry_client_auth(Config) ->
{ServerOpts, ClientOpts} = group_config(Config,
[{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
[{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
%%--------------------------------------------------------------------
hello_retry_client_auth_empty_cert_accepted() ->
[{doc,"TLS 1.3 (HelloRetryRequest): Test client authentication when client sends an empty "
- "certificate and fail_if_no_peer_cert is set to true."}].
+ "certificate and fail_if_no_peer_cert is set to false."}].
hello_retry_client_auth_empty_cert_accepted(Config) ->
ClientOpts0 = proplists:delete(keyfile,
@@ -314,7 +314,7 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
{ServerOpts, ClientOpts} = group_config(Config,
[{versions, ['tlsv1.2','tlsv1.3']},
{verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
[{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
@@ -324,16 +324,35 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
%% Internal functions -----------------------------------------------
%%--------------------------------------------------------------------
+group_config_custom(Config, ServerOpts, ClientOpts) ->
+ case proplists:get_value(client_type, Config) of
+ erlang ->
+ {[{groups,"X448:P-256:P-384"} | ServerOpts],
+ [{supported_groups, [secp384r1, secp256r1, x25519]} | ClientOpts]};
+ openssl ->
+ {[{supported_groups, [x448, secp256r1, secp384r1]} | ServerOpts],
+ [{groups,"P-384:P-256:X25519"} | ClientOpts]}
+ end.
+
group_config(Config, ServerOpts, ClientOpts) ->
case proplists:get_value(client_type, Config) of
erlang ->
- {[{groups,"P-256:X25519"} | ServerOpts],
+ {[{groups,"X448:X25519"} | ServerOpts],
[{supported_groups, [secp256r1, x25519]} | ClientOpts]};
openssl ->
{[{supported_groups, [x448, x25519]} | ServerOpts],
[{groups,"P-256:X25519"} | ClientOpts]}
end.
+test_ciphers(_, 'tlsv1.3' = Version) ->
+ Ciphers = ssl:cipher_suites(default, Version),
+ ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
+ OpenSSLCiphers = openssl_ciphers(),
+ ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
+ lists:filter(fun(C) ->
+ ct:log("Cipher ~p~n", [C]),
+ lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
+ end, Ciphers);
test_ciphers(Kex, Version) ->
Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
[{key_exchange, Kex}]),
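Review bot: The new 'tlsv1.3' clause of test_ciphers/2 silently ignores its first argument, which changes the function's contract without saying so — a caller passing `rsa` for 'tlsv1.3' now gets every default suite back rather than an empty list; state it with `%% TLS 1.3 suites carry no key-exchange algorithm, so Kex is ignored for 'tlsv1.3'.` The clause otherwise repeats the generic clause's intersection with `openssl ciphers` (the generic clause's logging lines fall between this hunk and the next, so they are presumed identical) and adds a `ct:log` per suite inside the filter fun, which only pads the CT log; one shared helper removes both, as sketched below. group_config/3, also changed here, appears to be shaped so that the Erlang client's first group (secp256r1) is absent from the OpenSSL server's "X448:X25519" list and a HelloRetryRequest for x25519 is forced — its callers are the hello_retry_* cases — and now that group_config_custom sits beside it that intent should be a comment on group_config, e.g. `%% Server lacks the client's first group on purpose: forces a HelloRetryRequest.`
```erlang
%% Default suites for Version that the local OpenSSL also supports.
%% TLS 1.3 suites carry no key-exchange algorithm, so Kex is ignored
%% for 'tlsv1.3' and every default 1.3 suite is a candidate.
test_ciphers(_, 'tlsv1.3' = Version) ->
    openssl_supported(ssl:cipher_suites(default, Version), Version);
test_ciphers(Kex, Version) ->
    Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
                                       [{key_exchange, Kex}]),
    openssl_supported(Ciphers, Version).

%% Keep only the suites that `openssl ciphers` lists, logging both sides once.
openssl_supported(Ciphers, Version) ->
    ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
    OpenSSLCiphers = openssl_ciphers(),
    ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
    [C || C <- Ciphers,
          lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)].
```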
@@ -345,6 +364,8 @@ test_ciphers(Kex, Version) ->
lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
end, Ciphers).
+
+
openssl_ciphers() ->
Str = os:cmd("openssl ciphers"),
string:split(string:strip(Str, right, $\n), ":", all).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 5d0d09b33a..7009a628f1 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1363,7 +1363,7 @@ start_server(openssl, ClientOpts, ServerOpts, Config) ->
Exe = "openssl",
CertArgs = openssl_cert_options(ServerOpts),
[Cipher|_] = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
- Args = ["s_server", "-accept", integer_to_list(Port), "-cipher",
+ Args = ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
ssl_cipher_format:suite_map_to_openssl_str(Cipher),
ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"],
OpenSslPort = portable_open_port(Exe, Args),
@@ -1381,6 +1381,11 @@ start_server(erlang, _, ServerOpts, Config) ->
{options, [{verify, verify_peer}, {versions, Versions} | ServerOpts]}]),
{Server, inet_port(Server)}.
+cipher_flag('tlsv1.3') ->
+ "-ciphersuites";
+cipher_flag(_) ->
+ "-cipher".
+
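Review bot: cipher_flag/1 has no comment explaining why TLS 1.3 needs a different s_server option, and the distinction is easy to get wrong: `%% OpenSSL 1.1.1+ keeps TLS 1.3 suites in their own list: s_server takes them with -ciphersuites, while -cipher only configures pre-1.3 suites.` Because only the flag changes, the Cipher string handed to it in start_server/4 must be a TLS 1.3 suite whenever Version is 'tlsv1.3'; the `ssl:cipher_suites(default, Version)` fallback guarantees that after this commit's ssl.erl change, but a `ciphers` entry supplied in ClientOpts is passed through unchecked, and a pre-1.3 suite there would make s_server reject the -ciphersuites value rather than skip. Whether s_server is also pinned to TLS 1.3 — so that the untouched default -cipher list cannot be used for a 1.2 handshake — depends on version_flag/1, which is outside the diff.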
start_server_with_raw_key(erlang, ServerOpts, Config) ->
{_, ServerNode, _} = ssl_test_lib:run_where(Config),
Server = start_server([{node, ServerNode}, {port, 0},