aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl/test/ssl_basic_SUITE.erl
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/test/ssl_basic_SUITE.erl')
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl95
1 files changed, 93 insertions, 2 deletions
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index d1162ab4a5..686cdc569d 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -96,6 +96,8 @@ basic_tests() ->
[app,
appup,
alerts,
+ alert_details,
+ alert_details_not_too_big,
version_option,
connect_twice,
connect_dist,
@@ -236,7 +238,10 @@ error_handling_tests_tls()->
rizzo_tests() ->
[rizzo,
- no_rizzo_rc4].
+ no_rizzo_rc4,
+ rizzo_one_n_minus_one,
+ rizzo_zero_n,
+ rizzo_disabled].
%%--------------------------------------------------------------------
init_per_suite(Config0) ->
@@ -346,10 +351,27 @@ init_per_testcase(TestCase, Config) when TestCase == psk_cipher_suites;
ssl_test_lib:ct_log_supported_protocol_versions(Config),
ct:timetrap({seconds, 30}),
Config;
+
init_per_testcase(rizzo, Config) ->
ssl_test_lib:ct_log_supported_protocol_versions(Config),
ct:timetrap({seconds, 40}),
Config;
+
+init_per_testcase(rizzo_one_n_minus_one, Config) ->
+ ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
+ ct:timetrap({seconds, 40}),
+ rizzo_add_mitigation_option(one_n_minus_one, Config);
+
+init_per_testcase(rizzo_zero_n, Config) ->
+ ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
+ ct:timetrap({seconds, 40}),
+ rizzo_add_mitigation_option(zero_n, Config);
+
+init_per_testcase(rizzo_disabled, Config) ->
+ ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
+ ct:timetrap({seconds, 40}),
+ rizzo_add_mitigation_option(disabled, Config);
+
init_per_testcase(prf, Config) ->
ct:log("TLS/SSL version ~p~n ", [tls_record:supported_protocol_versions()]),
ct:timetrap({seconds, 40}),
@@ -457,6 +479,33 @@ alerts(Config) when is_list(Config) ->
end
end, Alerts).
%%--------------------------------------------------------------------
+alert_details() ->
+ [{doc, "Test that ssl_alert:alert_txt/1 result contains extendend error description"}].
+alert_details(Config) when is_list(Config) ->
+ Unique = make_ref(),
+ UniqueStr = lists:flatten(io_lib:format("~w", [Unique])),
+ Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Unique),
+ case string:str(ssl_alert:alert_txt(Alert), UniqueStr) of
+ 0 ->
+ ct:fail(error_details_missing);
+ _ ->
+ ok
+ end.
+
+%%--------------------------------------------------------------------
+alert_details_not_too_big() ->
+ [{doc, "Test that ssl_alert:alert_txt/1 limits printed depth of extended error description"}].
+alert_details_not_too_big(Config) when is_list(Config) ->
+ Reason = lists:duplicate(10, lists:duplicate(10, lists:duplicate(10, {some, data}))),
+ Alert = ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY, Reason),
+ case length(ssl_alert:alert_txt(Alert)) < 1000 of
+ true ->
+ ok;
+ false ->
+ ct:fail(ssl_alert_text_too_big)
+ end.
+
+%%--------------------------------------------------------------------
new_options_in_accept() ->
[{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}].
new_options_in_accept(Config) when is_list(Config) ->
@@ -2591,7 +2640,7 @@ client_no_wrap_sequence_number(Config) when is_list(Config) ->
{options, ServerOpts}]),
Port = ssl_test_lib:inet_port(Server),
- Version = ssl_test_lib:protocol_version(Config),
+ Version = ssl_test_lib:protocol_version(Config, tuple),
Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
{host, Hostname},
@@ -3488,6 +3537,36 @@ no_rizzo_rc4(Config) when is_list(Config) ->
run_send_recv_rizzo(Ciphers, Config, Version,
{?MODULE, send_recv_result_active_no_rizzo, []}).
+rizzo_one_n_minus_one() ->
+ [{doc,"Test that the 1/n-1-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
+
+rizzo_one_n_minus_one(Config) when is_list(Config) ->
+ Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y =/= rc4_128],
+ Prop = proplists:get_value(tc_group_properties, Config),
+ Version = proplists:get_value(name, Prop),
+ run_send_recv_rizzo(Ciphers, Config, Version,
+ {?MODULE, send_recv_result_active_rizzo, []}).
+
+rizzo_zero_n() ->
+ [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
+
+rizzo_zero_n(Config) when is_list(Config) ->
+ Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y =/= rc4_128],
+ Prop = proplists:get_value(tc_group_properties, Config),
+ Version = proplists:get_value(name, Prop),
+ run_send_recv_rizzo(Ciphers, Config, Version,
+ {?MODULE, send_recv_result_active_no_rizzo, []}).
+
+rizzo_disabled() ->
+ [{doc,"Test that the mitigation of Rizzo/Dungon attack can be explicitly disabled"}].
+
+rizzo_disabled(Config) when is_list(Config) ->
+ Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y =/= rc4_128],
+ Prop = proplists:get_value(tc_group_properties, Config),
+ Version = proplists:get_value(name, Prop),
+ run_send_recv_rizzo(Ciphers, Config, Version,
+ {?MODULE, send_recv_result_active_no_rizzo, []}).
+
%%--------------------------------------------------------------------
new_server_wants_peer_cert() ->
[{doc, "Test that server configured to do client certification does"
@@ -3960,6 +4039,18 @@ renegotiate_rejected(Socket) ->
ssl:send(Socket, "Hello world"),
ok.
+rizzo_add_mitigation_option(Value, Config) ->
+ lists:foldl(fun(Opt, Acc) ->
+ case proplists:get_value(Opt, Acc) of
+ undefined -> Acc;
+ C ->
+ N = lists:keystore(beast_mitigation, 1, C,
+ {beast_mitigation, Value}),
+ lists:keystore(Opt, 1, Acc, {Opt, N})
+ end
+ end, Config,
+ [client_opts, client_dsa_opts, server_opts, server_dsa_opts,
+ server_ecdsa_opts, server_ecdh_rsa_opts]).
new_config(PrivDir, ServerOpts0) ->
CaCertFile = proplists:get_value(cacertfile, ServerOpts0),
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-19 23:45:04 +0000