From 96bea6b1572c3445df53cba985072f9613c73ac1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?=
Date: Fri, 26 Jul 2019 14:45:04 +0200
Subject: ssl: Enable TLS 1.3 test groups in FT
---
 lib/ssl/src/ssl.erl | 3 +-
 lib/ssl/test/openssl_client_cert_SUITE.erl | 10 ++---
 lib/ssl/test/openssl_server_cert_SUITE.erl | 60 +++++++++++++++++++++++++-----
 lib/ssl/test/ssl_cert_tests.erl | 35 +++++++++++++----
 lib/ssl/test/ssl_test_lib.erl | 7 +++-
 5 files changed, 92 insertions(+), 23 deletions(-)
(limited to 'lib')
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index ce639e8fde..7ff9aed8ea 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -982,7 +982,8 @@ cipher_suites(all) ->
 %% Description: Returns all default and all supported cipher suites for a
 %% TLS/DTLS version
 %%--------------------------------------------------------------------
-cipher_suites(Base, Version) when Version == 'tlsv1.2';
+cipher_suites(Base, Version) when Version == 'tlsv1.3';
+ Version == 'tlsv1.2';
 Version == 'tlsv1.1';
 Version == tlsv1;
 Version == sslv3 ->
diff --git a/lib/ssl/test/openssl_client_cert_SUITE.erl b/lib/ssl/test/openssl_client_cert_SUITE.erl
index 08c1534eb0..4844f06672 100644
--- a/lib/ssl/test/openssl_client_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_client_cert_SUITE.erl
@@ -37,7 +37,7 @@ all() ->
 groups() ->
 [
 {openssl_client, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
 {'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
 {'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
 {'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -46,13 +46,13 @@ groups() ->
 {'dtlsv1', [], pre_tls_1_3_protocol_groups()},
 {rsa, [], all_version_tests()},
 {ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
 ].
 protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
 {group, 'tlsv1.2'},
 {group, 'tlsv1.1'},
 {group, 'tlsv1'},
diff --git a/lib/ssl/test/openssl_server_cert_SUITE.erl b/lib/ssl/test/openssl_server_cert_SUITE.erl
index abac2647a9..83b0884f66 100644
--- a/lib/ssl/test/openssl_server_cert_SUITE.erl
+++ b/lib/ssl/test/openssl_server_cert_SUITE.erl
@@ -36,7 +36,7 @@ all() ->
 groups() ->
 [
 {openssl_server, [], protocol_groups()},
- %%{'tlsv1.3', [], tls_1_3_protocol_groups()},
+ {'tlsv1.3', [], tls_1_3_protocol_groups()},
 {'tlsv1.2', [], pre_tls_1_3_protocol_groups()},
 {'tlsv1.1', [], pre_tls_1_3_protocol_groups()},
 {'tlsv1', [], pre_tls_1_3_protocol_groups()},
@@ -45,13 +45,13 @@ groups() ->
 {'dtlsv1', [], pre_tls_1_3_protocol_groups()},
 {rsa, [], all_version_tests()},
 {ecdsa, [], all_version_tests()},
- {dsa, [], all_version_tests()}
- %%{rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
- %%{ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
+ {dsa, [], all_version_tests()},
+ {rsa_1_3, [], all_version_tests() ++ tls_1_3_tests() ++ [unsupported_sign_algo_cert_client_auth]},
+ {ecdsa_1_3, [], all_version_tests() ++ tls_1_3_tests()}
 ].
 protocol_groups() ->
- [%%{group, 'tlsv1.3'},
+ [{group, 'tlsv1.3'},
 {group, 'tlsv1.2'},
 {group, 'tlsv1.1'},
 {group, 'tlsv1'},
@@ -108,8 +108,7 @@ end_per_suite(_Config) ->
 init_per_group(openssl_server, Config0) ->
 Config = proplists:delete(server_type, proplists:delete(client_type, Config0)),
 [{client_type, erlang}, {server_type, openssl} | Config];
-init_per_group(Group, Config0) when Group == rsa;
- Group == rsa_1_3 ->
+init_per_group(rsa = Group, Config0) ->
 Config = ssl_test_lib:make_rsa_cert(Config0),
 COpts = proplists:get_value(client_rsa_opts, Config),
 SOpts = proplists:get_value(server_rsa_opts, Config),
@@ -133,8 +132,25 @@ init_per_group(Group, Config0) when Group == rsa;
 [] ->
 {skip, {no_sup, Group, Version}}
 end;
-init_per_group(Group, Config0) when Group == ecdsa;
- Group == ecdsa_1_3 ->
+init_per_group(rsa_1_3 = Group, Config0) ->
+ Config = ssl_test_lib:make_rsa_cert(Config0),
+ COpts = proplists:get_value(client_rsa_opts, Config),
+ SOpts = proplists:get_value(server_rsa_opts, Config),
+ %% Make sure _rsa* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, rsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))])];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+init_per_group(ecdsa = Group, Config0) ->
 PKAlg = crypto:supports(public_keys),
 case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
 lists:member(dh, PKAlg)) of
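Review bot: In the added `init_per_group(rsa_1_3 = Group, Config0)` clause of openssl_server_cert_SUITE.erl, `lists:delete(cert_key_alg, ...)`, `lists:delete(server_cert_opts, ...)` and `lists:delete(client_cert_opts, Config)` compare a bare atom against `{Key, Value}` entries, so they remove nothing and any earlier `client_cert_opts` / `server_cert_opts` / `cert_key_alg` entries stay in the returned config. The clause still behaves as intended only because the new tuples are prepended and `proplists:get_value/2`, which this code uses to read Config, returns the first match. Replacing the three calls with `proplists:delete/2`, as `init_per_group(openssl_server, Config0)` already does for `client_type` and `server_type`, would make the clean-up real. The added `init_per_group(ecdsa_1_3 = Group, Config0)` clause in the following hunk repeats the same three calls and needs the same change.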
@@ -166,6 +182,32 @@ init_per_group(Group, Config0) when Group == ecdsa;
 false ->
 {skip, "Missing EC crypto support"}
 end;
+init_per_group(ecdsa_1_3 = Group, Config0) ->
+ PKAlg = crypto:supports(public_keys),
+ case lists:member(ecdsa, PKAlg) andalso (lists:member(ecdh, PKAlg) orelse
+ lists:member(dh, PKAlg)) of
+ true ->
+ Config = ssl_test_lib:make_ecdsa_cert(Config0),
+ COpts = proplists:get_value(client_ecdsa_opts, Config),
+ SOpts = proplists:get_value(server_ecdsa_opts, Config),
+ %% Make sure ecdh* suite is choosen by ssl_test_lib:start_server
+ Version = proplists:get_value(version,Config),
+ Ciphers = ssl_cert_tests:test_ciphers(undefined, Version),
+ case Ciphers of
+ [_|_] ->
+ [{cert_key_alg, ecdsa} |
+ lists:delete(cert_key_alg,
+ [{client_cert_opts, [{ciphers, Ciphers} | COpts]},
+ {server_cert_opts, SOpts} |
+ lists:delete(server_cert_opts,
+ lists:delete(client_cert_opts, Config))]
+ )];
+ [] ->
+ {skip, {no_sup, Group, Version}}
+ end;
+ false ->
+ {skip, "Missing EC crypto support"}
+ end;
 init_per_group(Group, Config0) when Group == dsa ->
 PKAlg = crypto:supports(public_keys),
 case lists:member(dss, PKAlg) andalso lists:member(dh, PKAlg) of
diff --git a/lib/ssl/test/ssl_cert_tests.erl b/lib/ssl/test/ssl_cert_tests.erl
index f330c716bc..1c73dac3f9 100644
--- a/lib/ssl/test/ssl_cert_tests.erl
+++ b/lib/ssl/test/ssl_cert_tests.erl
@@ -243,9 +243,9 @@ custom_groups(Config) ->
 ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
 ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
- {ServerOpts, ClientOpts} = group_config(Config,
- [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
- [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
+ {ServerOpts, ClientOpts} = group_config_custom(Config,
+ [{versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
+ [{versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0]),
 ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
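Review bot: The comment `%% Make sure ecdh* suite is choosen by ssl_test_lib:start_server` in the added `init_per_group(ecdsa_1_3 = Group, Config0)` clause of openssl_server_cert_SUITE.erl does not describe the call beneath it. `ssl_cert_tests:test_ciphers(undefined, Version)` reaches the new `test_ciphers(_, 'tlsv1.3' = Version)` clause, which ignores its first argument and applies no key-exchange filter. I would replace the comment with `%% TLS 1.3 suites name no key exchange or signature algorithm; keep every default suite that OpenSSL also lists`, and do the same for the `_rsa*` comment in the `rsa_1_3` clause. If this group is ever run with a `version` other than 'tlsv1.3', `undefined` falls through to `test_ciphers(Kex, Version)` and is handed to `ssl:filter_cipher_suites/2` as the key_exchange filter, which looks unintended. Matching the version in `init_per_group` or passing a real filter would make that case fail in an obvious place.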
@@ -278,14 +278,14 @@ hello_retry_client_auth(Config) ->
 {ServerOpts, ClientOpts} = group_config(Config,
 [{versions, ['tlsv1.2','tlsv1.3']},
 {verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
 [{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
 ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
 %%--------------------------------------------------------------------
 hello_retry_client_auth_empty_cert_accepted() ->
 [{doc,"TLS 1.3 (HelloRetryRequest): Test client authentication when client sends an empty "
- "certificate and fail_if_no_peer_cert is set to true."}].
+ "certificate and fail_if_no_peer_cert is set to false."}].
 hello_retry_client_auth_empty_cert_accepted(Config) ->
 ClientOpts0 = proplists:delete(keyfile,
@@ -314,7 +314,7 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
 {ServerOpts, ClientOpts} = group_config(Config,
 [{versions, ['tlsv1.2','tlsv1.3']},
 {verify, verify_peer},
- {fail_if_no_peer_cert, false} | ServerOpts0],
+ {fail_if_no_peer_cert, true} | ServerOpts0],
 [{versions, ['tlsv1.2','tlsv1.3']}, {verify, verify_peer} | ClientOpts0]),
 ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required).
@@ -324,16 +324,35 @@ hello_retry_client_auth_empty_cert_rejected(Config) ->
 %% Internal functions -----------------------------------------------
 %%--------------------------------------------------------------------
+group_config_custom(Config, ServerOpts, ClientOpts) ->
+ case proplists:get_value(client_type, Config) of
+ erlang ->
+ {[{groups,"X448:P-256:P-384"} | ServerOpts],
+ [{supported_groups, [secp384r1, secp256r1, x25519]} | ClientOpts]};
+ openssl ->
+ {[{supported_groups, [x448, secp256r1, secp384r1]} | ServerOpts],
+ [{groups,"P-384:P-256:X25519"} | ClientOpts]}
+ end.
+
 group_config(Config, ServerOpts, ClientOpts) ->
 case proplists:get_value(client_type, Config) of
 erlang ->
- {[{groups,"P-256:X25519"} | ServerOpts],
+ {[{groups,"X448:X25519"} | ServerOpts],
 [{supported_groups, [secp256r1, x25519]} | ClientOpts]};
 openssl ->
 {[{supported_groups, [x448, x25519]} | ServerOpts],
 [{groups,"P-256:X25519"} | ClientOpts]}
 end.
+test_ciphers(_, 'tlsv1.3' = Version) ->
+ Ciphers = ssl:cipher_suites(default, Version),
+ ct:log("Version ~p Testing ~p~n", [Version, Ciphers]),
+ OpenSSLCiphers = openssl_ciphers(),
+ ct:log("OpenSSLCiphers ~p~n", [OpenSSLCiphers]),
+ lists:filter(fun(C) ->
+ ct:log("Cipher ~p~n", [C]),
+ lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
+ end, Ciphers);
 test_ciphers(Kex, Version) ->
 Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(default, Version),
 [{key_exchange, Kex}]),
@@ -345,6 +364,8 @@ test_ciphers(Kex, Version) ->
 lists:member(ssl_cipher_format:suite_map_to_openssl_str(C), OpenSSLCiphers)
 end, Ciphers).
+
+
 openssl_ciphers() ->
 Str = os:cmd("openssl ciphers"),
 string:split(string:strip(Str, right, $\n), ":", all).
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 5d0d09b33a..7009a628f1 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
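Review bot: The group lists in `group_config/3` of ssl_cert_tests.erl decide whether the hello_retry tests exercise a HelloRetryRequest at all, yet the change from `"P-256:X25519"` to `"X448:X25519"` in the `erlang` branch carries no comment and is easy to undo by accident. As far as the hunk shows, the new value keeps the client's first group (`secp256r1`) out of the server's list, which is presumably what forces the retry; with the old value the server could have accepted the first key share directly. I would add `%% The server must not support the client's first group, otherwise no HelloRetryRequest is sent` above the `case`. The new `group_config_custom/3` would benefit from a similar line saying what its overlapping lists are meant to negotiate. Nothing visible in these hunks asserts that a HelloRetryRequest was actually exchanged, so a later edit to the lists would leave the tests passing without covering that path.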
@@ -1363,7 +1363,7 @@ start_server(openssl, ClientOpts, ServerOpts, Config) ->
 Exe = "openssl",
 CertArgs = openssl_cert_options(ServerOpts),
 [Cipher|_] = proplists:get_value(ciphers, ClientOpts, ssl:cipher_suites(default,Version)),
- Args = ["s_server", "-accept", integer_to_list(Port), "-cipher",
+ Args = ["s_server", "-accept", integer_to_list(Port), cipher_flag(Version),
 ssl_cipher_format:suite_map_to_openssl_str(Cipher),
 ssl_test_lib:version_flag(Version)] ++ CertArgs ++ ["-msg", "-debug"],
 OpenSslPort = portable_open_port(Exe, Args),
@@ -1381,6 +1381,11 @@ start_server(erlang, _, ServerOpts, Config) ->
 {options, [{verify, verify_peer}, {versions, Versions} | ServerOpts]}]),
 {Server, inet_port(Server)}.
+cipher_flag('tlsv1.3') ->
+ "-ciphersuites";
+cipher_flag(_) ->
+ "-cipher".
+
 start_server_with_raw_key(erlang, ServerOpts, Config) ->
 {_, ServerNode, _} = ssl_test_lib:run_where(Config),
 Server = start_server([{node, ServerNode}, {port, 0},
-- cgit v1.2.3
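Review bot: `cipher_flag/1` in ssl_test_lib.erl needs a one-line comment, because the reason for the switch is an OpenSSL command-line detail rather than anything in this file: `%% OpenSSL configures TLS 1.3 suites with -ciphersuites; -cipher only affects TLS 1.2 and earlier`. The catch-all clause also sends the DTLS versions to `"-cipher"`, which looks intended and could be said in the same comment. Only `start_server(openssl, ...)` is switched in this diff, and its body continues outside the hunk. Any other place in the file that builds an `openssl` command line with a literal `"-cipher"` (not visible here) would need the same helper before it can run under 'tlsv1.3'.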