From 317196e482c3665d5fd1f124c9b28144f84c75be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Tue, 23 Jul 2019 14:03:31 +0200 Subject: ssl: Fix ssl_api_SUITE:connection_information This commit fixes the connection_information testcase with TLS 1.3 connections. --- lib/ssl/test/ssl_api_SUITE.erl | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'lib/ssl/test/ssl_api_SUITE.erl') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 128832c23c..72a49bf4a9 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -45,7 +45,7 @@ all() -> groups() -> [ %%{'tlsv1.3', [], gen_api_tests() ++ handshake_paus_tests()}, - {'tlsv1.3', [], (gen_api_tests() -- [secret_connection_info, dh_params, honor_server_cipher_order, honor_client_cipher_order, + {'tlsv1.3', [], (gen_api_tests() -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, new_options_in_handshake]) ++ (since_1_2() -- [conf_signature_algs])}, {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()}, @@ -1618,10 +1618,23 @@ connection_information_result(Socket) -> ct:fail(no_ssl_options_returned) end. secret_connection_info_result(Socket) -> - {ok, [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}]} - = ssl:connection_information(Socket, [client_random, server_random, master_secret]), - is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret). + {ok, [{protocol, Protocol}]} = ssl:connection_information(Socket, [protocol]), + {ok, ConnInfo} = ssl:connection_information(Socket, [client_random, server_random, master_secret]), + check_connection_info(Protocol, ConnInfo). + +%% In TLS 1.3 the master_secret field is used to store multiple secrets from the key schedule and it is a tuple. +%% client_random and server_random are not used in the TLS 1.3 key schedule. +check_connection_info('tlsv1.3', [{client_random, ClientRand}, {master_secret, {master_secret, MasterSecret}}]) -> + is_binary(ClientRand) andalso is_binary(MasterSecret); +check_connection_info('tlsv1.3', [{server_random, ServerRand}, {master_secret, {master_secret, MasterSecret}}]) -> + is_binary(ServerRand) andalso is_binary(MasterSecret); +check_connection_info(_, [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}]) -> + is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret); +check_connection_info(_, _) -> + false. + + prf_create_plan(TlsVersions, PRFs, Results) -> lists:foldl(fun(Ver, Acc) -> A = prf_ciphers_and_expected(Ver, PRFs, Results), -- cgit v1.2.3 From b4fddea062fc13b0562bf8bf2f4cc3dc02cd193c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Tue, 23 Jul 2019 16:44:05 +0200 Subject: ssl: Add test for option supported_groups --- lib/ssl/test/ssl_api_SUITE.erl | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) (limited to 'lib/ssl/test/ssl_api_SUITE.erl') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 72a49bf4a9..a7b2a71690 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -45,7 +45,7 @@ all() -> groups() -> [ %%{'tlsv1.3', [], gen_api_tests() ++ handshake_paus_tests()}, - {'tlsv1.3', [], (gen_api_tests() -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, + {'tlsv1.3', [], ((gen_api_tests() ++ tls13_group()) -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, new_options_in_handshake]) ++ (since_1_2() -- [conf_signature_algs])}, {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()}, @@ -125,6 +125,12 @@ beast_mitigation_test() -> rizzo_one_n_minus_one ]. +tls13_group() -> + [ + supported_groups + ]. + + init_per_suite(Config0) -> catch crypto:stop(), try crypto:start() of @@ -419,7 +425,32 @@ no_common_signature_algs(Config) when is_list(Config) -> ssl_test_lib:check_server_alert(Server, Client, insufficient_security). %%-------------------------------------------------------------------- +supported_groups() -> + [{doc,"Test the supported_groups option in TLS 1.3."}]. + +supported_groups(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{supported_groups, [x448, x25519]} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{supported_groups,[x448]} | ClientOpts]}]), + ssl_test_lib:check_result(Server, ok, Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). + +%%-------------------------------------------------------------------- handshake_continue() -> [{doc, "Test API function ssl:handshake_continue/3"}]. handshake_continue(Config) when is_list(Config) -> -- cgit v1.2.3 From 73b526ce765dc7ac71fdae349da44941d8201d9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Wed, 24 Jul 2019 11:11:07 +0200 Subject: ssl: Implement option honor_cipher_order in TLS 1.3 --- lib/ssl/test/ssl_api_SUITE.erl | 64 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 57 insertions(+), 7 deletions(-) (limited to 'lib/ssl/test/ssl_api_SUITE.erl') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index a7b2a71690..4b44b4dc3e 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -127,7 +127,9 @@ beast_mitigation_test() -> tls13_group() -> [ - supported_groups + supported_groups, + honor_server_cipher_order_tls13, + honor_client_cipher_order_tls13 ]. @@ -1198,11 +1200,35 @@ honor_server_cipher_order(Config) when is_list(Config) -> cipher => aes_128_cbc, mac => sha, prf => default_prf}], - honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, - cipher => aes_256_cbc, + honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, + cipher => aes_256_cbc, mac => sha, prf => default_prf}). %%-------------------------------------------------------------------- +honor_server_cipher_order_tls13() -> + [{doc,"Test API honor server cipher order in TLS 1.3."}]. +honor_server_cipher_order_tls13(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + ServerCiphers = [#{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}). +%%-------------------------------------------------------------------- honor_client_cipher_order() -> [{doc,"Test API honor server cipher order."}]. honor_client_cipher_order(Config) when is_list(Config) -> @@ -1222,10 +1248,34 @@ honor_client_cipher_order(Config) when is_list(Config) -> cipher => aes_128_cbc, mac => sha, prf => default_prf}], -honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, - cipher => aes_128_cbc, - mac => sha, - prf => default_prf}). + honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => dhe_rsa, + cipher => aes_128_cbc, + mac => sha, + prf => default_prf}). +%%-------------------------------------------------------------------- +honor_client_cipher_order_tls13() -> + [{doc,"Test API honor server cipher order in TLS 1.3."}]. +honor_client_cipher_order_tls13(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + ServerCiphers = [#{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}). %%-------------------------------------------------------------------- ipv6() -> [{require, ipv6_hosts}, -- cgit v1.2.3 From b08621c8a9bf4f8e780de8bba022ad902308cfc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Thu, 25 Jul 2019 14:16:34 +0200 Subject: ssl: Fix handshake pause in TLS 1.3 --- lib/ssl/test/ssl_api_SUITE.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/ssl/test/ssl_api_SUITE.erl') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 4b44b4dc3e..989f36164f 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -45,7 +45,7 @@ all() -> groups() -> [ %%{'tlsv1.3', [], gen_api_tests() ++ handshake_paus_tests()}, - {'tlsv1.3', [], ((gen_api_tests() ++ tls13_group()) -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, + {'tlsv1.3', [], ((gen_api_tests() ++ tls13_group() ++ handshake_paus_tests()) -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, new_options_in_handshake]) ++ (since_1_2() -- [conf_signature_algs])}, {'tlsv1.2', [], gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()}, -- cgit v1.2.3 From 91e7806587ac256346a4e4b1c8bd5cdd744a2934 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= Date: Thu, 25 Jul 2019 14:31:39 +0200 Subject: ssl: Reorder testcases in ssl_api_SUITE --- lib/ssl/test/ssl_api_SUITE.erl | 153 +++++++++++++++++++++-------------------- 1 file changed, 78 insertions(+), 75 deletions(-) (limited to 'lib/ssl/test/ssl_api_SUITE.erl') diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl index 989f36164f..4394d0cd2f 100644 --- a/lib/ssl/test/ssl_api_SUITE.erl +++ b/lib/ssl/test/ssl_api_SUITE.erl @@ -44,7 +44,6 @@ all() -> groups() -> [ - %%{'tlsv1.3', [], gen_api_tests() ++ handshake_paus_tests()}, {'tlsv1.3', [], ((gen_api_tests() ++ tls13_group() ++ handshake_paus_tests()) -- [dh_params, honor_server_cipher_order, honor_client_cipher_order, new_options_in_handshake]) ++ (since_1_2() -- [conf_signature_algs])}, @@ -426,32 +425,6 @@ no_common_signature_algs(Config) when is_list(Config) -> ssl_test_lib:check_server_alert(Server, Client, insufficient_security). -%%-------------------------------------------------------------------- -supported_groups() -> - [{doc,"Test the supported_groups option in TLS 1.3."}]. - -supported_groups(Config) when is_list(Config) -> - ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), - - {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - - Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, [{supported_groups, [x448, x25519]} | ServerOpts]}]), - Port = ssl_test_lib:inet_port(Server), - Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, - {host, Hostname}, - {from, self()}, - {mfa, {ssl_test_lib, send_recv_result_active, []}}, - {options, [{supported_groups,[x448]} | ClientOpts]}]), - - ssl_test_lib:check_result(Server, ok, Client, ok), - - ssl_test_lib:close(Server), - ssl_test_lib:close(Client). - %%-------------------------------------------------------------------- handshake_continue() -> [{doc, "Test API function ssl:handshake_continue/3"}]. @@ -1204,30 +1177,7 @@ honor_server_cipher_order(Config) when is_list(Config) -> cipher => aes_256_cbc, mac => sha, prf => default_prf}). -%%-------------------------------------------------------------------- -honor_server_cipher_order_tls13() -> - [{doc,"Test API honor server cipher order in TLS 1.3."}]. -honor_server_cipher_order_tls13(Config) when is_list(Config) -> - ClientCiphers = [#{key_exchange => any, - cipher => aes_256_gcm, - mac => aead, - prf => sha384}, - #{key_exchange => any, - cipher => aes_128_gcm, - mac => aead, - prf => sha256}], - ServerCiphers = [#{key_exchange => any, - cipher => aes_128_gcm, - mac => aead, - prf => sha256}, - #{key_exchange => any, - cipher => aes_256_gcm, - mac => aead, - prf => sha384}], - honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => any, - cipher => aes_128_gcm, - mac => aead, - prf => sha256}). + %%-------------------------------------------------------------------- honor_client_cipher_order() -> [{doc,"Test API honor server cipher order."}]. @@ -1252,30 +1202,7 @@ honor_client_cipher_order(Config) when is_list(Config) -> cipher => aes_128_cbc, mac => sha, prf => default_prf}). -%%-------------------------------------------------------------------- -honor_client_cipher_order_tls13() -> - [{doc,"Test API honor server cipher order in TLS 1.3."}]. -honor_client_cipher_order_tls13(Config) when is_list(Config) -> - ClientCiphers = [#{key_exchange => any, - cipher => aes_256_gcm, - mac => aead, - prf => sha384}, - #{key_exchange => any, - cipher => aes_128_gcm, - mac => aead, - prf => sha256}], - ServerCiphers = [#{key_exchange => any, - cipher => aes_128_gcm, - mac => aead, - prf => sha256}, - #{key_exchange => any, - cipher => aes_256_gcm, - mac => aead, - prf => sha384}], - honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => any, - cipher => aes_256_gcm, - mac => aead, - prf => sha384}). + %%-------------------------------------------------------------------- ipv6() -> [{require, ipv6_hosts}, @@ -1681,6 +1608,82 @@ rizzo_one_n_minus_one (Config) -> ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config). +supported_groups() -> + [{doc,"Test the supported_groups option in TLS 1.3."}]. + +supported_groups(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{supported_groups, [x448, x25519]} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {ssl_test_lib, send_recv_result_active, []}}, + {options, [{supported_groups,[x448]} | ClientOpts]}]), + + ssl_test_lib:check_result(Server, ok, Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). + +%%-------------------------------------------------------------------- +honor_client_cipher_order_tls13() -> + [{doc,"Test API honor server cipher order in TLS 1.3."}]. +honor_client_cipher_order_tls13(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + ServerCiphers = [#{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + honor_cipher_order(Config, false, ServerCiphers, ClientCiphers, #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}). + +%%-------------------------------------------------------------------- +honor_server_cipher_order_tls13() -> + [{doc,"Test API honor server cipher order in TLS 1.3."}]. +honor_server_cipher_order_tls13(Config) when is_list(Config) -> + ClientCiphers = [#{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}, + #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}], + ServerCiphers = [#{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}, + #{key_exchange => any, + cipher => aes_256_gcm, + mac => aead, + prf => sha384}], + honor_cipher_order(Config, true, ServerCiphers, ClientCiphers, #{key_exchange => any, + cipher => aes_128_gcm, + mac => aead, + prf => sha256}). + + %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ %%-------------------------------------------------------------------- -- cgit v1.2.3