| author | Ingela Anderton Andin <[email protected]> | 2019-07-23 09:53:55 +0200 | 
|---|---|---|
| committer | Ingela Anderton Andin <[email protected]> | 2019-07-23 09:53:55 +0200 | 
| commit | e1b53a21573756bbfd469570b1a0352f6ee9e69c (patch) | |
| tree | 0cf517fb9a3600bc0aebbb5bf672c5df294ead47 /lib | |
| parent | bcffb7f5599efb62f13128e6feeb03a65cd9c11e (diff) | |
| parent | e01231b85d641a9b993995ad711ad21591c8b780 (diff) | |
Merge branch 'ingela/ssl/continue-test-restructure' into maint
* ingela/ssl/continue-test-restructure:
  ssl: Move alert test to own suite
  ssl: Move der_input and rizzo tests
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl/test/Makefile | 1 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_alert_SUITE.erl | 100 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_api_SUITE.erl | 113 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_basic_SUITE.erl | 469 | ||||
| -rw-r--r-- | lib/ssl/test/tls_api_SUITE.erl | 26 | 
5 files changed, 243 insertions, 466 deletions
| diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 598b3248b7..06cafd124f 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -37,6 +37,7 @@ VSN=$(SSL_VSN)
 MODULES = \
 	ssl_test_lib \
+	ssl_alert_SUITE\
 	ssl_bench_test_lib \
 	ssl_dist_test_lib \
 	ssl_api_SUITE\
diff --git a/lib/ssl/test/ssl_alert_SUITE.erl b/lib/ssl/test/ssl_alert_SUITE.erl
new file mode 100644
index 0000000000..cc0b636580
--- /dev/null
+++ b/lib/ssl/test/ssl_alert_SUITE.erl
@@ -0,0 +1,100 @@
+%%
+%% Copyright Ericsson AB 2019-2019. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(ssl_alert_SUITE).
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
+-include_lib("ssl/src/ssl_alert.hrl").
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+all() -> 
+    [
+     alerts,
+     alert_details,
+     alert_details_not_too_big
+    ].
+
+init_per_testcase(_TestCase, Config) ->
+    ct:timetrap({seconds, 5}),
+    Config.
+
+end_per_testcase(_TestCase, Config) ->     
+    Config.
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+alerts() ->
+    [{doc, "Test ssl_alert:alert_txt/1"}].
+alerts(Config) when is_list(Config) ->
+    Descriptions = [?CLOSE_NOTIFY, ?UNEXPECTED_MESSAGE, ?BAD_RECORD_MAC,
+		    ?DECRYPTION_FAILED_RESERVED, ?RECORD_OVERFLOW, ?DECOMPRESSION_FAILURE,
+		    ?HANDSHAKE_FAILURE, ?BAD_CERTIFICATE, ?UNSUPPORTED_CERTIFICATE,
+		    ?CERTIFICATE_REVOKED,?CERTIFICATE_EXPIRED, ?CERTIFICATE_UNKNOWN,
+		    ?ILLEGAL_PARAMETER, ?UNKNOWN_CA, ?ACCESS_DENIED, ?DECODE_ERROR,
+		    ?DECRYPT_ERROR, ?EXPORT_RESTRICTION, ?PROTOCOL_VERSION, 
+		    ?INSUFFICIENT_SECURITY, ?INTERNAL_ERROR, ?USER_CANCELED,
+		    ?NO_RENEGOTIATION, ?UNSUPPORTED_EXTENSION, ?CERTIFICATE_UNOBTAINABLE,
+		    ?UNRECOGNISED_NAME, ?BAD_CERTIFICATE_STATUS_RESPONSE,
+		    ?BAD_CERTIFICATE_HASH_VALUE, ?UNKNOWN_PSK_IDENTITY, 
+		    255 %% Unsupported/unknow alert will result in a description too
+		   ],
+    Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | 
+	      [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]],
+    lists:foreach(fun(Alert) ->
+                          try ssl_alert:alert_txt(Alert)
+                          catch
+			    C:E:T ->
+                                  ct:fail({unexpected, {C, E, T}})
+			end 
+		  end, Alerts).
+%%--------------------------------------------------------------------
+alert_details() ->
+    [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}].
+alert_details(Config) when is_list(Config) ->
+    Unique = make_ref(),
+    UniqueStr = lists:flatten(io_lib:format("~w", [Unique])),
+    Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique),
+    case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of
+        0 ->
+            ct:fail(error_details_missing);
+        _ ->
+            ok
+    end.
+
+%%--------------------------------------------------------------------
+alert_details_not_too_big() ->
+    [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}].
+alert_details_not_too_big(Config) when is_list(Config) ->
+    Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))),
+    Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason),
+    case length(ssl_alert:alert_txt(Alert)) < 1000 of
+        true ->
+            ok;
+        false ->
+            ct:fail(ssl_alert_text_too_big)
+    end.
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index eb6d2282ca..75075dff74 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -48,8 +48,8 @@ groups() ->
      {'tlsv1.3', [], gen_api_tests() -- [secret_connection_info, dh_params, honor_server_cipher_order, honor_client_cipher_order]},
      {'tlsv1.2', [],  gen_api_tests() ++ handshake_paus_tests()},
      {'tlsv1.1', [],  gen_api_tests() ++ handshake_paus_tests()},
-     {'tlsv1', [],  gen_api_tests() ++ handshake_paus_tests()},
-     {'sslv3', [],  gen_api_tests()},
+     {'tlsv1', [],  gen_api_tests() ++ handshake_paus_tests() ++ beast_mitigation_test()},
+     {'sslv3', [],  gen_api_tests() ++ beast_mitigation_test()},
      {'dtlsv1.2', [], gen_api_tests() -- [invalid_keyfile, invalid_certfile, invalid_cacertfile]  ++ handshake_paus_tests()},
      {'dtlsv1', [],  gen_api_tests() -- [invalid_keyfile, invalid_certfile, invalid_cacertfile] ++ handshake_paus_tests()}
     ].
@@ -82,6 +82,7 @@ gen_api_tests() ->
      honor_server_cipher_order,
      honor_client_cipher_order,
      ipv6,
+     der_input,
      invalid_certfile,
      invalid_cacertfile,
      invalid_keyfile
@@ -95,6 +96,15 @@ handshake_paus_tests() ->
      hello_server_cancel
     ].
+%% Only relevant for SSL 3.0 and TLS 1.1
+beast_mitigation_test() ->
+    [%% Original option
+     rizzo_disabled,
+     %% Same effect as disable
+     rizzo_zero_n, 
+     %% Same as default
+     rizzo_one_n_minus_one 
+    ].
 init_per_suite(Config0) ->
     catch crypto:stop(),
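Review bot: `alert_details/1` in the new suite uses `string:str/2`, which belongs to the legacy string API deprecated since OTP 20; as this is a freshly created file it could use the Unicode-aware replacement, `case string:find(ssl_alert:alert_txt(Alert), UniqueStr) of nomatch -> ct:fail(error_details_missing); _ -> ok end`. Two typos were carried over in the same hunk: `Unsupported/unknow alert` should read `Unsupported/unknown alert`, and the `alert_details/0` docstring's `extendend error description` should read `extended error description`.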
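Review bot: The comment introduced above `beast_mitigation_test/0`, `%% Only relevant for SSL 3.0 and TLS 1.1`, does not match where this hunk wires the list in: the first hunk of this file appends it to the `'tlsv1'` and `'sslv3'` groups only, and the `rizzo_*` docstrings added later in this file say `SSL 3.0 and TLS 1.0`, as does the removed ssl_basic_SUITE docstring ("TLS < 1.1"). The comment should read `%% Only relevant for SSL 3.0 and TLS 1.0`. The list entries `rizzo_zero_n, ` and `rizzo_one_n_minus_one ` also carry trailing whitespace.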
@@ -117,7 +127,8 @@ init_per_group(GroupName, Config) ->
 	true ->
 	    case ssl_test_lib:sufficient_crypto_support(GroupName) of
 		true ->
-		    ssl_test_lib:init_tls_version(GroupName, Config);
+		    [{client_type, erlang},
+                     {server_type, erlang} | ssl_test_lib:init_tls_version(GroupName, Config)];
 		false ->
 		    {skip, "Missing crypto support"}
 	    end;
@@ -1121,8 +1132,8 @@ ipv6(Config) when is_list(Config) ->
     case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts)) of
 	true ->
-	    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
-	    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+	    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+	    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
 	    {ClientNode, ServerNode, Hostname} = 
 		ssl_test_lib:run_where(Config, ipv6),
 	    Server = ssl_test_lib:start_server([{node, ServerNode}, 
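Review bot: The added continuation line `{server_type, erlang} | ssl_test_lib:init_tls_version(GroupName, Config)];` in `init_per_group/2` is indented with spaces while the line it continues and every neighbouring line use tabs, so its alignment depends on the reader's tab width; indent it with the same tabs as `[{client_type, erlang},`. `init_per_group/2` begins and ends outside this hunk.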
@@ -1148,6 +1159,51 @@ ipv6(Config) when is_list(Config) ->
 	false ->
 	    {skip, "Host does not support IPv6"}
     end.
+
+%%--------------------------------------------------------------------
+der_input() ->
+    [{doc,"Test to input certs and key as der"}].
+
+der_input(Config) when is_list(Config) ->
+    DataDir = proplists:get_value(data_dir, Config),
+    DHParamFile = filename:join(DataDir, "dHParam.pem"),
+
+    {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
+    [_, _,_, _, Prop] = StatusInfo,
+    State = ssl_test_lib:state(Prop),
+    [CADb | _] = element(6, State),
+
+    Size = ets:info(CADb, size),
+
+    SeverVerifyOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+    {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
+								       SeverVerifyOpts]),
+    ClientVerifyOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
+								       ClientVerifyOpts]),
+    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
+		  {dh, DHParams},
+		  {cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCaCerts}],
+    ClientOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
+		  {dh, DHParams},
+		  {cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCaCerts}],
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result, []}},
+					{options, [{active, false} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result, []}},
+					{options, [{active, false} | ClientOpts]}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    Size = ets:info(CADb, size).
+
 %%--------------------------------------------------------------------
 invalid_certfile() ->
     [{doc,"Test what happens with an invalid cert file"}].
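Review bot: `der_input/1` reaches into ssl_manager's internal state by position (`[_, _,_, _, Prop] = StatusInfo`, `[CADb | _] = element(6, State)`) and then asserts `Size = ets:info(CADb, size)` before and after the connection without saying why; a comment such as `%% CA db table size must be unchanged: certs/keys passed as DER must not end up cached in ssl_manager` above the first `Size =` would protect the intent the next time that state record changes (the exact record layout is not visible here, so confirm element 6 is indeed the cert-db tuple). `SeverVerifyOpts` is a typo for `ServerVerifyOpts`. Note also that ssl_basic_SUITE keeps an `init_per_testcase` clause matching `TestCase == der_input` (visible as context in that file's hunk at old line 287), which is now dead there; check whether this suite's `init_per_testcase` needs the equivalent setup for the moved test.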
@@ -1233,6 +1289,38 @@ invalid_cacertfile(Config) when is_list(Config) ->
 			      Client1, {error, closed}),
     ok.
+%% Note that these test only test that the options are valid to set. As application data
+%% is a stream you can not test that the send acctually splits it up as when it arrives
+%% again at the user layer it may be concatenated. But COVER can show that the split up
+%% code has been run.
+   
+rizzo_disabled() ->
+     [{doc, "Test original beast mitigation disable option for SSL 3.0 and TLS 1.0"}].
+
+rizzo_disabled(Config) ->
+    ClientOpts = [{beast_mitigation, disabled} | ssl_test_lib:ssl_options(client_rsa_opts, Config)],
+    ServerOpts =  [{beast_mitigation, disabled} | ssl_test_lib:ssl_options(server_rsa_opts, Config)],
+    
+    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
+rizzo_zero_n() ->
+     [{doc, "Test zero_n beast mitigation option (same affect as original disable option) for SSL 3.0 and TLS 1.0"}].
+
+rizzo_zero_n(Config) ->
+    ClientOpts = [{beast_mitigation, zero_n} | ssl_test_lib:ssl_options(client_rsa_opts, Config)],
+    ServerOpts =  [{beast_mitigation, zero_n} | ssl_test_lib:ssl_options(server_rsa_opts, Config)],
+    
+    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
+rizzo_one_n_minus_one () ->
+     [{doc, "Test beast_mitigation option one_n_minus_one (same affect as default) for SSL 3.0 and TLS 1.0"}].
+
+rizzo_one_n_minus_one (Config) ->
+    ClientOpts = [{beast_mitigation, one_n_minus_one } | ssl_test_lib:ssl_options(client_rsa_opts, Config)],
+    ServerOpts =  [{beast_mitigation, one_n_minus_one} | ssl_test_lib:ssl_options(server_rsa_opts, Config)],
+    
+    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
+
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
 %%--------------------------------------------------------------------
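Review bot: The three new `rizzo_*` cases are written differently from every other test case in this suite: `rizzo_disabled(Config) ->`, `rizzo_zero_n(Config) ->` and `rizzo_one_n_minus_one (Config) ->` omit the `when is_list(Config)` guard, and `rizzo_one_n_minus_one ()`, `rizzo_one_n_minus_one (Config)` and `{beast_mitigation, one_n_minus_one }` carry stray spaces; write them as `rizzo_one_n_minus_one(Config) when is_list(Config) ->` and `{beast_mitigation, one_n_minus_one}`. In the docstrings `same affect` (twice) should be `same effect`, and the header comment's `acctually` should be `actually`. As that header comment itself says, these cases only verify the option is accepted; the removed ssl_basic_SUITE versions additionally ran a send/recv over every filtered cipher suite for the version under test (see `run_send_recv_rizzo` in the deletions), so that coverage is dropped rather than moved and is worth a line in the commit message if intentional.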
@@ -1535,3 +1623,18 @@ honor_cipher_order(Config, Honor, ServerCiphers, ClientCiphers, Expected) ->
 connection_info_result(Socket) ->
     {ok, Info} = ssl:connection_information(Socket, [protocol, selected_cipher_suite]),
     {ok, {proplists:get_value(protocol, Info), proplists:get_value(selected_cipher_suite, Info)}}.
+
+der_input_opts(Opts) ->
+    Certfile = proplists:get_value(certfile, Opts),
+    CaCertsfile = proplists:get_value(cacertfile, Opts),
+    Keyfile = proplists:get_value(keyfile, Opts),
+    Dhfile = proplists:get_value(dhfile, Opts),
+    [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile),
+    [{Asn1Type, Key, _}]  = ssl_test_lib:pem_to_der(Keyfile),
+    [{_, DHParams, _}]  = ssl_test_lib:pem_to_der(Dhfile),
+    CaCerts =
+	lists:map(fun(Entry) ->
+			  {_, CaCert, _} = Entry,
+			  CaCert
+		  end, ssl_test_lib:pem_to_der(CaCertsfile)),
+    {Cert, {Asn1Type, Key}, CaCerts, DHParams}.
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 3fd88183ea..542876a1b7 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -49,7 +49,6 @@
 all() -> 
     [
      {group, basic},
-     {group, basic_tls},
      {group, options},
      {group, options_tls},
      {group, 'dtlsv1.2'},
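Review bot: In `der_input_opts/1` the `CaCerts` list is built with `lists:map` and a fun that destructures `Entry` in its body; the idiomatic form matches in the generator, `CaCerts = [CaCert || {_, CaCert, _} <- ssl_test_lib:pem_to_der(CaCertsfile)],`. Note the small semantic difference: a comprehension silently skips entries that are not 3-tuples where the current fun raises `badmatch`, so keep the `lists:map` if that crash is the intended assertion. The function has no doc comment; a one-liner such as `%% Read cert, key, CA certs and DH params from the PEM files named in Opts and return them DER-encoded` would help the reader, since the hunk moves it far from `der_input/1`.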
@@ -63,39 +62,31 @@ all() ->
 groups() ->
     [{basic, [], basic_tests()},
-     {basic_tls, [], basic_tests_tls()},
      {options, [], options_tests()},
      {options_tls, [], options_tests_tls()},
      {'dtlsv1.2', [], all_versions_groups()},
      {'dtlsv1', [], all_versions_groups()},
      {'tlsv1.2', [], all_versions_groups() ++ tls_versions_groups() ++ [conf_signature_algs, no_common_signature_algs]},
      {'tlsv1.1', [], all_versions_groups() ++ tls_versions_groups()},
-     {'tlsv1', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests()},
-     {'sslv3', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests() -- [tls_ciphersuite_vs_version]},
+     {'tlsv1', [], all_versions_groups() ++ tls_versions_groups()},
+     {'sslv3', [], all_versions_groups() ++ tls_versions_groups() -- [tls_ciphersuite_vs_version]},
      {api,[], api_tests()},
      {api_tls,[], api_tests_tls()},
-     {ciphers, [], cipher_tests()},
-     {error_handling_tests, [], error_handling_tests()},
-     {error_handling_tests_tls, [], error_handling_tests_tls()}
+     {ciphers, [], cipher_tests()}
     ].
 tls_versions_groups ()->
     [
-     {group, api_tls},
-     {group, error_handling_tests_tls}].
+     {group, api_tls}].
 all_versions_groups ()->
     [{group, api},
-     {group, ciphers},
-     {group, error_handling_tests}].
+     {group, ciphers}].
 basic_tests() ->
     [app,
-     appup,
-     alerts,
-     alert_details,
-     alert_details_not_too_big,
+     appup,    
      version_option,
      connect_twice,
      connect_dist,
@@ -105,13 +96,8 @@ basic_tests() ->
      cipher_format
     ].
-basic_tests_tls() ->
-    [tls_send_close
-    ].
-
 options_tests() ->
     [
-     %%der_input, Move/remove as redundent
      ssl_options_not_proplist,
      raw_ssl_option,
      invalid_inet_get_option,
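Review bot: The new `'sslv3'` entry `all_versions_groups() ++ tls_versions_groups() -- [tls_ciphersuite_vs_version]` cannot remove anything: `++` and `--` share precedence and are right-associative, so it parses as `all_versions_groups() ++ (tls_versions_groups() -- [tls_ciphersuite_vs_version])`, and `tls_versions_groups()` as defined in this same hunk is `[{group, api_tls}]`, a list of `{group, _}` tuples that never contains the bare atom. The `--` was equally ineffective before the commit (it applied to `rizzo_tests()`), so this line just carries the dead exclusion forward; if `tls_ciphersuite_vs_version` is meant to be skipped for SSL 3.0, do it where `api_tests_tls()` is built or via an `init_per_testcase` skip, and drop the `--` here. The new `+     appup,` line also carries trailing whitespace.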
@@ -123,12 +109,10 @@ options_tests() ->
      invalid_options,
      protocol_versions,
      empty_protocol_versions,
-     ipv6,
      reuseaddr,
      unordered_protocol_versions_server,
      unordered_protocol_versions_client,
-     max_handshake_size
-].
+     max_handshake_size].
 options_tests_tls() ->
     [tls_misc_ssl_options,
@@ -154,22 +138,6 @@ cipher_tests() ->
      cipher_suites_mix,     
      default_reject_anonymous].
-error_handling_tests()->
-    [
-    ].
-
-error_handling_tests_tls()->
-    [
-    ].
-
-rizzo_tests() ->
-    [rizzo,
-     no_rizzo_rc4,
-     rizzo_one_n_minus_one,
-     rizzo_zero_n,
-     rizzo_disabled].
-
-
 %%--------------------------------------------------------------------
 init_per_suite(Config0) ->
     catch crypto:stop(),
@@ -194,12 +162,10 @@ end_per_suite(_Config) ->
 %%--------------------------------------------------------------------
-init_per_group(GroupName, Config) when GroupName == basic_tls;
-                                       GroupName == options_tls;
+init_per_group(GroupName, Config) when GroupName == options_tls;
                                        GroupName == options;
                                        GroupName == basic;
-                                       GroupName == session;
-                                       GroupName == error_handling_tests_tls ->
+                                       GroupName == session ->
     ssl_test_lib:clean_tls_version(Config);
 %% Do not automatically configure TLS version for the 'tlsv1.3' group
 init_per_group('tlsv1.3' = GroupName, Config) ->
@@ -271,12 +237,6 @@ init_per_testcase(fallback, Config)  ->
 	    {skip, "Not relevant if highest supported version is less than 3.2"}
     end;
-init_per_testcase(TestCase, Config) when TestCase == versions_option;
-					 TestCase == tls_tcp_connect_big ->
-    ssl_test_lib:ct_log_supported_protocol_versions(Config),
-    ct:timetrap({seconds, 60}),
-    Config;
-
 init_per_testcase(version_option, Config) ->
     ssl_test_lib:ct_log_supported_protocol_versions(Config),
     ct:timetrap({seconds, 10}),
@@ -287,30 +247,6 @@ init_per_testcase(reuse_session, Config) ->
     ct:timetrap({seconds, 10}),
     Config;
-init_per_testcase(rizzo, Config) ->
-    ssl_test_lib:ct_log_supported_protocol_versions(Config),
-    ct:timetrap({seconds, 60}),
-    Config;
-
-init_per_testcase(no_rizzo_rc4, Config) ->
-    ssl_test_lib:ct_log_supported_protocol_versions(Config),
-    ct:timetrap({seconds, 60}),
-    Config;
-
-init_per_testcase(rizzo_one_n_minus_one, Config) ->
-    ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 60}),
-    rizzo_add_mitigation_option(one_n_minus_one, Config);
-
-init_per_testcase(rizzo_zero_n, Config) ->
-    ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 60}),
-    rizzo_add_mitigation_option(zero_n, Config);
-
-init_per_testcase(rizzo_disabled, Config) ->
-    ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
-    ct:timetrap({seconds, 60}),
-    rizzo_add_mitigation_option(disabled, Config);
 init_per_testcase(TestCase, Config) when TestCase == clear_pem_cache;
 						TestCase == der_input;
@@ -392,58 +328,6 @@ appup() ->
 appup(Config) when is_list(Config) ->
     ok = ?t:appup_test(ssl).
 %%--------------------------------------------------------------------
-alerts() ->
-    [{doc, "Test ssl_alert:alert_txt/1"}].
-alerts(Config) when is_list(Config) ->
-    Descriptions = [?CLOSE_NOTIFY, ?UNEXPECTED_MESSAGE, ?BAD_RECORD_MAC,
-		    ?DECRYPTION_FAILED_RESERVED, ?RECORD_OVERFLOW, ?DECOMPRESSION_FAILURE,
-		    ?HANDSHAKE_FAILURE, ?BAD_CERTIFICATE, ?UNSUPPORTED_CERTIFICATE,
-		    ?CERTIFICATE_REVOKED,?CERTIFICATE_EXPIRED, ?CERTIFICATE_UNKNOWN,
-		    ?ILLEGAL_PARAMETER, ?UNKNOWN_CA, ?ACCESS_DENIED, ?DECODE_ERROR,
-		    ?DECRYPT_ERROR, ?EXPORT_RESTRICTION, ?PROTOCOL_VERSION, 
-		    ?INSUFFICIENT_SECURITY, ?INTERNAL_ERROR, ?USER_CANCELED,
-		    ?NO_RENEGOTIATION, ?UNSUPPORTED_EXTENSION, ?CERTIFICATE_UNOBTAINABLE,
-		    ?UNRECOGNISED_NAME, ?BAD_CERTIFICATE_STATUS_RESPONSE,
-		    ?BAD_CERTIFICATE_HASH_VALUE, ?UNKNOWN_PSK_IDENTITY, 
-		    255 %% Unsupported/unknow alert will result in a description too
-		   ],
-    Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | 
-	      [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]],
-    lists:foreach(fun(Alert) ->
-                          try ssl_alert:alert_txt(Alert)
-                          catch
-			    C:E:T ->
-                                  ct:fail({unexpected, {C, E, T}})
-			end 
-		  end, Alerts).
-%%--------------------------------------------------------------------
-alert_details() ->
-    [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}].
-alert_details(Config) when is_list(Config) ->
-    Unique = make_ref(),
-    UniqueStr = lists:flatten(io_lib:format("~w", [Unique])),
-    Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique),
-    case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of
-        0 ->
-            ct:fail(error_details_missing);
-        _ ->
-            ok
-    end.
-
-%%--------------------------------------------------------------------
-alert_details_not_too_big() ->
-    [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}].
-alert_details_not_too_big(Config) when is_list(Config) ->
-    Reason = lists:duplicate(10, lists:duplicate(10, lists:dupl icate(10, {some, data}))),
-    Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason),
-    case length(ssl_alert:alert_txt(Alert)) < 1000 of
-        true ->
-            ok;
-        false ->
-            ct:fail(ssl_alert_text_too_big)
-    end.
-
-%%--------------------------------------------------------------------
 new_options_in_accept() ->
     [{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}].
 new_options_in_accept(Config) when is_list(Config) -> 
@@ -571,10 +455,6 @@ getstat(Config) when is_list(Config) ->
     ok.
-
-
-
-
 %%--------------------------------------------------------------------
 connect_dist() ->
     [{doc,"Test a simple connect as is used by distribution"}].
@@ -1173,31 +1053,6 @@ send_recv(Config) when is_list(Config) ->
     ssl_test_lib:close(Client).
 %%--------------------------------------------------------------------
-tls_send_close() ->
-    [{doc,""}].
-tls_send_close(Config) when is_list(Config) -> 
-    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
-    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
-    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-    Server = 
-	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
-				   {from, self()}, 
-				   {mfa, {ssl_test_lib, send_recv_result, []}},
-				   {options,  [{active, false} | ServerOpts]}]),
-    Port = ssl_test_lib:inet_port(Server),
-    {ok, TcpS} = rpc:call(ClientNode, gen_tcp, connect, 
-			  [Hostname,Port,[binary, {active, false}]]),
-    {ok, SslS} = rpc:call(ClientNode, ssl, connect, 
-			  [TcpS,[{active, false}|ClientOpts]]),
-    
-    ct:log("Testcase ~p, Client ~p  Server ~p ~n",
-		       [self(), self(), Server]),
-    ok = ssl:send(SslS, "Hello world"),      
-    {ok,<<"Hello world">>} = ssl:recv(SslS, 11),    
-    gen_tcp:close(TcpS),    
-    {error, _} = ssl:send(SslS, "Hello world").
-
-%%--------------------------------------------------------------------
 version_option() ->
     [{doc, "Use version option and do no specify ciphers list. Bug specified incorrect ciphers"}].
 version_option(Config) when is_list(Config) ->
@@ -1229,46 +1084,6 @@ internal_active_1(Config) when is_list(Config) ->
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
-
-
-%%--------------------------------------------------------------------
-ipv6() ->
-    [{require, ipv6_hosts},
-     {doc,"Test ipv6."}].
-ipv6(Config) when is_list(Config) ->
-    {ok, Hostname0} = inet:gethostname(),
-    
-    case lists:member(list_to_atom(Hostname0), ct:get_config(ipv6_hosts)) of
-	true ->
-	    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
-	    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
-	    {ClientNode, ServerNode, Hostname} = 
-		ssl_test_lib:run_where(Config, ipv6),
-	    Server = ssl_test_lib:start_server([{node, ServerNode}, 
-				   {port, 0}, {from, self()}, 
-				   {mfa, {ssl_test_lib, send_recv_result, []}},
-				   {options,  
-				    [inet6, {active, false} | ServerOpts]}]),
-	    Port = ssl_test_lib:inet_port(Server), 
-	    Client = ssl_test_lib:start_client([{node, ClientNode}, 
-				   {port, Port}, {host, Hostname},
-				   {from, self()}, 
-				   {mfa, {ssl_test_lib, send_recv_result, []}},
-				   {options, 
-				    [inet6, {active, false} | ClientOpts]}]),
-	    
-	    ct:log("Testcase ~p, Client ~p  Server ~p ~n",
-			       [self(), Client, Server]),
-	    
-	    ssl_test_lib:check_result(Server, ok, Client, ok),
-	    
-	    ssl_test_lib:close(Server),
-	    ssl_test_lib:close(Client);
-	false ->
-	    {skip, "Host does not support IPv6"}
-    end.
-
-
 %%--------------------------------------------------------------------
@@ -1356,68 +1171,6 @@ default_reject_anonymous(Config) when is_list(Config) ->
     ssl_test_lib:check_server_alert(Server, Client, insufficient_security).
-
-%%--------------------------------------------------------------------
-der_input() ->
-    [{doc,"Test to input certs and key as der"}].
-
-der_input(Config) when is_list(Config) ->
-    DataDir = proplists:get_value(data_dir, Config),
-    DHParamFile = filename:join(DataDir, "dHParam.pem"),
-
-    {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
-    [_, _,_, _, Prop] = StatusInfo,
-    State = ssl_test_lib:state(Prop),
-    [CADb | _] = element(6, State),
-
-    Size = ets:info(CADb, size),
-
-    SeverVerifyOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
-    {ServerCert, ServerKey, ServerCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
-								       SeverVerifyOpts]),
-    ClientVerifyOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
-    {ClientCert, ClientKey, ClientCaCerts, DHParams} = der_input_opts([{dhfile, DHParamFile} |
-								       ClientVerifyOpts]),
-    ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
-		  {dh, DHParams},
-		  {cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCaCerts}],
-    ClientOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true},
-		  {dh, DHParams},
-		  {cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCaCerts}],
-    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
-					{from, self()},
-					{mfa, {ssl_test_lib, send_recv_result, []}},
-					{options, [{active, false} | ServerOpts]}]),
-    Port = ssl_test_lib:inet_port(Server),
-    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
-					{host, Hostname},
-					{from, self()},
-					{mfa, {ssl_test_lib, send_recv_result, []}},
-					{options, [{active, false} | ClientOpts]}]),
-
-    ssl_test_lib:check_result(Server, ok, Client, ok),
-    ssl_test_lib:close(Server),
-    ssl_test_lib:close(Client),
-    Size = ets:info(CADb, size).
-
-%%--------------------------------------------------------------------
-der_input_opts(Opts) ->
-    Certfile = proplists:get_value(certfile, Opts),
-    CaCertsfile = proplists:get_value(cacertfile, Opts),
-    Keyfile = proplists:get_value(keyfile, Opts),
-    Dhfile = proplists:get_value(dhfile, Opts),
-    [{_, Cert, _}] = ssl_test_lib:pem_to_der(Certfile),
-    [{Asn1Type, Key, _}]  = ssl_test_lib:pem_to_der(Keyfile),
-    [{_, DHParams, _}]  = ssl_test_lib:pem_to_der(Dhfile),
-    CaCerts =
-	lists:map(fun(Entry) ->
-			  {_, CaCert, _} = Entry,
-			  CaCert
-		  end, ssl_test_lib:pem_to_der(CaCertsfile)),
-    {Cert, {Asn1Type, Key}, CaCerts, DHParams}.
-
-
 %%--------------------------------------------------------------------
 defaults(Config) when is_list(Config)->
     Versions = ssl:versions(),
@@ -1653,113 +1406,6 @@ connect_twice(Config) when is_list(Config) ->
     ssl_test_lib:close(Client1).
 %%--------------------------------------------------------------------
-
-rizzo() ->
-    [{doc, "Test that there is a 1/n-1-split for non RC4 in 'TLS < 1.1' as it is
-    vunrable to Rizzo/Dungon attack"}].
-
-rizzo(Config) when is_list(Config) ->
-    Prop = proplists:get_value(tc_group_properties, Config),
-    Version = proplists:get_value(name, Prop),
-    NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion),  
-                                        [{key_exchange, 
-                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
-                                                  true;
-                                             (_) -> 
-                                                  false 
-                                          end},
-                                         {cipher, 
-                                          fun(rc4_128) -> 
-                                                  false;
-                                             (chacha20_poly1305) ->
-                                                  false;
-                                             (_) -> 
-                                                  true 
-                                          end}]),
-
-    run_send_recv_rizzo(Ciphers, Config, Version,
-			 {?MODULE, send_recv_result_active_rizzo, []}).
-%%--------------------------------------------------------------------
-no_rizzo_rc4() ->
-    [{doc,"Test that there is no 1/n-1-split for RC4 as it is not vunrable to Rizzo/Dungon attack"}].
-
-no_rizzo_rc4(Config) when is_list(Config) ->
-    Prop = proplists:get_value(tc_group_properties, Config),
-    Version = proplists:get_value(name, Prop),
-    NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    %% Test uses RSA certs
-    Ciphers  = ssl:filter_cipher_suites(ssl_test_lib:rc4_suites(NVersion),  
-                                        [{key_exchange, 
-                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
-                                                  true;
-                                             (_) -> 
-                                                  false 
-                                          end}]),
-    run_send_recv_rizzo(Ciphers, Config, Version,
-			{?MODULE, send_recv_result_active_no_rizzo, []}).
-
-rizzo_one_n_minus_one() ->
-    [{doc,"Test that the 1/n-1-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
-
-rizzo_one_n_minus_one(Config) when is_list(Config) ->
-    Prop = proplists:get_value(tc_group_properties, Config),
-    Version = proplists:get_value(name, Prop),
-    NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(all, NVersion),
-                                        [{key_exchange, 
-                                          fun(Alg) when Alg == ecdh_rsa; Alg == ecdhe_rsa-> 
-                                                  true;
-                                             (_) -> 
-                                                  false 
-                                          end}, 
-                                         {cipher, 
-                                          fun(rc4_128) ->
-                                                  false;
-                                             %% TODO: remove this clause when chacha is fixed!
-                                             (chacha20_poly1305) ->
-                                                  false;
-                                             (_) -> 
-                                                  true 
-                                          end}]),
-    run_send_recv_rizzo(Ciphers, Config, Version,
-                        {?MODULE, send_recv_result_active_rizzo, []}).
-
-rizzo_zero_n() ->
-    [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
-
-rizzo_zero_n(Config) when is_list(Config) ->
-    Prop = proplists:get_value(tc_group_properties, Config),
-    Version = proplists:get_value(name, Prop),
-    NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion),
-                                        [{cipher, 
-                                          fun(rc4_128) ->
-                                                  false;
-                                             (_) -> 
-                                                  true 
-                                          end}]),
-    run_send_recv_rizzo(Ciphers, Config, Version,
-			 {?MODULE, send_recv_result_active_no_rizzo, []}).
-
-rizzo_disabled() ->
-    [{doc,"Test that the mitigation of Rizzo/Dungon attack can be explicitly disabled"}].
-
-rizzo_disabled(Config) when is_list(Config) ->
-    Prop = proplists:get_value(tc_group_properties, Config),
-    Version = proplists:get_value(name, Prop),
-    NVersion = ssl_test_lib:protocol_version(Config, tuple),
-    Ciphers  = ssl:filter_cipher_suites(ssl:cipher_suites(default, NVersion),
-                                        [{cipher, 
-                                          fun(rc4_128) ->
-                                                  false;
-                                             (_) -> 
-                                                  true 
-                                          end}]),
-    run_send_recv_rizzo(Ciphers, Config, Version,
-			 {?MODULE, send_recv_result_active_no_rizzo, []}).
-
-%%--------------------------------------------------------------------
 new_server_wants_peer_cert() ->
     [{doc, "Test that server configured to do client certification does"
       " not reuse session without a client certificate."}].
@@ -2027,104 +1673,9 @@ basic_test(Config) ->
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
-
-
-
-
-send_recv_result_active_rizzo(Socket) ->
-    ssl:send(Socket, "Hello world"),
-    "Hello world" = ssl_test_lib:active_recv(Socket, 11),
-    ok.
-
-send_recv_result_active_no_rizzo(Socket) ->
-    ssl:send(Socket, "Hello world"),
-    "Hello world" = ssl_test_lib:active_recv(Socket, 11),
-    ok.
-
 result_ok(_Socket) ->
     ok.
-rizzo_add_mitigation_option(Value, Config) ->
-    lists:foldl(fun(Opt, Acc) ->
-                    case proplists:get_value(Opt, Acc) of
-                      undefined -> Acc;
-                      C ->
-                        N = lists:keystore(beast_mitigation, 1, C,
-                                           {beast_mitigation, Value}),
-                        lists:keystore(Opt, 1, Acc, {Opt, N})
-                    end
-                end, Config,
-                [client_opts, client_dsa_opts, server_opts, server_dsa_opts,
-                 server_ecdsa_opts, server_ecdh_rsa_opts]).
-    
-
-erlang_ssl_receive(Socket, Data) ->
-    case ssl_test_lib:active_recv(Socket, length(Data)) of
-        Data ->
-            ok;
-        Other ->
-            ct:fail({{expected, Data}, {got, Other}})
-    end.
-
-
-
-run_send_recv_rizzo(Ciphers, Config, Version, Mfa) ->
-    Result =  lists:map(fun(Cipher) ->
-				rizzo_test(Cipher, Config, Version, Mfa) end,
-			Ciphers),
-    case lists:flatten(Result) of
-	[] ->
-	    ok;
-	Error ->
-	    ct:log("Cipher suite errors: ~p~n", [Error]),
-	    ct:fail(cipher_suite_failed_see_test_case_log)
-    end.
-
-
-
-rizzo_test(Cipher, Config, Version, Mfa) ->
-   {ClientOpts, ServerOpts} = client_server_opts(Cipher, Config),
-    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
-    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
-					{from, self()},
-			   {mfa, Mfa},
-			   {options, [{active, true}, {ciphers, [Cipher]},
-				       {versions, [Version]}
-				      | ServerOpts]}]),
-    Port  = ssl_test_lib:inet_port(Server),
-    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
-					{host, Hostname},
-			   {from, self()},
-			   {mfa, Mfa},
-			   {options, [{active, true}, {ciphers, [Cipher]}| ClientOpts]}]),
-
-    Result = ssl_test_lib:check_result(Server, ok, Client, ok),
-    ssl_test_lib:close(Server),
-    ssl_test_lib:close(Client),
-    case Result of
-	ok ->
-	    [];
-	Error ->
-	    [{Cipher, Error}]
-    end.
-
-client_server_opts(#{key_exchange := KeyAlgo}, Config)
-  when KeyAlgo == rsa orelse
-       KeyAlgo == dhe_rsa orelse
-       KeyAlgo == ecdhe_rsa orelse
-       KeyAlgo == rsa_psk orelse
-       KeyAlgo == srp_rsa ->
-    {ssl_test_lib:ssl_options(client_opts, Config),
-     ssl_test_lib:ssl_options(server_opts, Config)};
-client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == dss orelse KeyAlgo == dhe_dss ->
-    {ssl_test_lib:ssl_options(client_dsa_opts, Config),
-     ssl_test_lib:ssl_options(server_dsa_opts, Config)};
-client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_ecdsa orelse KeyAlgo == ecdhe_ecdsa ->
-    {ssl_test_lib:ssl_options(client_opts, Config),
-     ssl_test_lib:ssl_options(server_ecdsa_opts, Config)};
-client_server_opts(#{key_exchange := KeyAlgo}, Config) when KeyAlgo == ecdh_rsa ->
-    {ssl_test_lib:ssl_options(client_opts, Config),
-     ssl_test_lib:ssl_options(server_ecdh_rsa_opts, Config)}.
 protocol_info_result(Socket) ->
     {ok, [{protocol, PVersion}]} = ssl:connection_information(Socket, [protocol]),
@@ -2145,8 +1696,6 @@ connect_dist_c(S) ->
     ok.
-
-
 get_invalid_inet_option(Socket) ->
     {error, {options, {socket_options, foo, _}}} = ssl:getopts(Socket, [foo]),
     ok.
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
index 18e17679ac..6a61e844c5 100644
--- a/lib/ssl/test/tls_api_SUITE.erl
+++ b/lib/ssl/test/tls_api_SUITE.erl
@@ -69,7 +69,8 @@ api_tests() ->
      tls_tcp_error_propagation_in_active_mode,
      peername,
      sockname,
-     tls_server_handshake_timeout
+     tls_server_handshake_timeout,
+     transport_close
     ].
 init_per_suite(Config0) ->
@@ -575,6 +576,29 @@ tls_server_handshake_timeout(Config) ->
 		    [] = supervisor:which_children(tls_connection_sup)
 	    end
     end.
+transport_close() ->
+    [{doc, "Test what happens if socket is closed on TCP level after a while of normal operation"}].
+transport_close(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = 
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+				   {from, self()}, 
+				   {mfa, {ssl_test_lib, send_recv_result, []}},
+				   {options,  [{active, false} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    {ok, TcpS} = rpc:call(ClientNode, gen_tcp, connect, 
+			  [Hostname,Port,[binary, {active, false}]]),
+    {ok, SslS} = rpc:call(ClientNode, ssl, connect, 
+			  [TcpS,[{active, false}|ClientOpts]]),
+    
+    ct:log("Testcase ~p, Client ~p  Server ~p ~n",
+		       [self(), self(), Server]),
+    ok = ssl:send(SslS, "Hello world"),      
+    {ok,<<"Hello world">>} = ssl:recv(SslS, 11),    
+    gen_tcp:close(TcpS),    
+    {error, _} = ssl:send(SslS, "Hello world").
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------ | 
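Review bot: The server started at the top of `transport_close/1` is never shut down, so its process outlives the test case; the other cases in these suites end with `ssl_test_lib:close(Server)` (see the `basic_test` context in the ssl_basic_SUITE hunk above), and this one should too. The return value of `gen_tcp:close(TcpS)` is also discarded, and `{error, _}` accepts any failure reason, so a regression in what `ssl:send/2` reports after the transport goes away would pass unnoticed. I would end the case with `ok = gen_tcp:close(TcpS),` / `{error, _} = ssl:send(SslS, "Hello world"),` / `ssl_test_lib:close(Server).` and, once the expected reason is confirmed (presumably `closed`), pin it in the match instead of `_`. The doc string could also state what is asserted, e.g. `"Test that ssl:send/2 returns an error once the underlying TCP socket has been closed"`.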
