Merge pull request #5864 from xkqian/tls13_add_comprehensive_cases

Tls13 add comprehensive cases
Ronald Cron 2022-06-15 09:18:11 +02:00 committed by GitHub
commit 4ccd226cbf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 7871 additions and 775 deletions


@ -2382,6 +2382,22 @@ int main( int argc, char *argv[] )
{ {
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512; sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
} }
else if( strcmp( q, "rsa_pss_rsae_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
}
else if( strcmp( q, "rsa_pss_rsae_sha384" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
}
else if( strcmp( q, "rsa_pss_rsae_sha512" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
}
else if( strcmp( q, "rsa_pkcs1_sha256" ) == 0 )
{
sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
}
else else
{ {
mbedtls_printf( "unknown signature algorithm %s\n", q ); mbedtls_printf( "unknown signature algorithm %s\n", q );
@ -2389,6 +2405,10 @@ int main( int argc, char *argv[] )
mbedtls_printf( "ecdsa_secp256r1_sha256 " ); mbedtls_printf( "ecdsa_secp256r1_sha256 " );
mbedtls_printf( "ecdsa_secp384r1_sha384 " ); mbedtls_printf( "ecdsa_secp384r1_sha384 " );
mbedtls_printf( "ecdsa_secp521r1_sha512 " ); mbedtls_printf( "ecdsa_secp521r1_sha512 " );
mbedtls_printf( "rsa_pss_rsae_sha256 " );
mbedtls_printf( "rsa_pss_rsae_sha384 " );
mbedtls_printf( "rsa_pss_rsae_sha512 " );
mbedtls_printf( "rsa_pkcs1_sha256 " );
mbedtls_printf( "\n" ); mbedtls_printf( "\n" );
goto exit; goto exit;
} }
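Review bot: The new `rsa_pkcs1_sha256` branch has no comment recording that in TLS 1.3 this code point is valid only for signatures inside certificates and is not defined for CertificateVerify (RFC 8446, section 4.2.3). Without it, a reader of the option list could take it as a handshake signature scheme on a par with the `rsa_pss_rsae_*` entries. I would add above that branch `/* TLS 1.3: rsa_pkcs1_* is for certificate signatures only, not for CertificateVerify */`. The name chain and the usage printout below it are two hand-maintained lists that must stay in step. The loop that bounds `i` before `sig_alg_list[i++]` lies outside the hunk, so the capacity check cannot be confirmed from here.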

File diff suppressed because it is too large Load diff


@ -24,7 +24,6 @@ Generate TLSv1.3 Compat test cases
import sys import sys
import os import os
import abc
import argparse import argparse
import itertools import itertools
from collections import namedtuple from collections import namedtuple
@ -71,10 +70,11 @@ NAMED_GROUP_IANA_VALUE = {
} }
class TLSProgram(metaclass=abc.ABCMeta): class TLSProgram:
""" """
Base class for generate server/client command. Base class for generate server/client command.
""" """
# pylint: disable=too-many-arguments # pylint: disable=too-many-arguments
def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None, def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
cert_sig_alg=None, compat_mode=True): cert_sig_alg=None, compat_mode=True):
@ -112,23 +112,32 @@ class TLSProgram(metaclass=abc.ABCMeta):
self._cert_sig_algs.extend( self._cert_sig_algs.extend(
[sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs]) [sig_alg for sig_alg in signature_algorithms if sig_alg not in self._cert_sig_algs])
@abc.abstractmethod # pylint: disable=no-self-use
def pre_checks(self): def pre_checks(self):
return [] return []
@abc.abstractmethod # pylint: disable=no-self-use
def cmd(self): def cmd(self):
if not self._cert_sig_algs: if not self._cert_sig_algs:
self._cert_sig_algs = list(CERTIFICATES.keys()) self._cert_sig_algs = list(CERTIFICATES.keys())
return self.pre_cmd()
@abc.abstractmethod # pylint: disable=no-self-use
def post_checks(self): def post_checks(self):
return [] return []
# pylint: disable=no-self-use
def pre_cmd(self):
return ['false']
class OpenSSLServ(TLSProgram): # pylint: disable=unused-argument,no-self-use
def hrr_post_checks(self, named_group):
return []
class OpenSSLBase(TLSProgram):
""" """
Generate test commands for OpenSSL server. Generate base test commands for OpenSSL.
""" """
NAMED_GROUP = { NAMED_GROUP = {
@ -140,11 +149,7 @@ class OpenSSLServ(TLSProgram):
} }
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
ret += ['-accept $SRV_PORT']
if self._ciphers: if self._ciphers:
ciphersuites = ':'.join(self._ciphers) ciphersuites = ':'.join(self._ciphers)
@ -161,22 +166,49 @@ class OpenSSLServ(TLSProgram):
map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups)) map(lambda named_group: self.NAMED_GROUP[named_group], self._named_groups))
ret += ["-groups {named_groups}".format(named_groups=named_groups)] ret += ["-groups {named_groups}".format(named_groups=named_groups)]
ret += ['-msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache'] ret += ['-msg -tls1_3']
if not self._compat_mode: if not self._compat_mode:
ret += ['-no_middlebox'] ret += ['-no_middlebox']
return ' '.join(ret) return ret
def pre_checks(self): def pre_checks(self):
return ["requires_openssl_tls1_3"] return ["requires_openssl_tls1_3"]
class OpenSSLServ(OpenSSLBase):
"""
Generate test commands for OpenSSL server.
"""
def cmd(self):
ret = super().cmd()
ret += ['-num_tickets 0 -no_resume_ephemeral -no_cache']
return ret
def post_checks(self): def post_checks(self):
return ['-c "HTTP/1.0 200 ok"'] return ['-c "HTTP/1.0 200 ok"']
def pre_cmd(self):
ret = ['$O_NEXT_SRV_NO_CERT']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
return ret
class GnuTLSServ(TLSProgram):
class OpenSSLCli(OpenSSLBase):
""" """
Generate test commands for GnuTLS server. Generate test commands for OpenSSL client.
"""
def pre_cmd(self):
return ['$O_NEXT_CLI_NO_CERT',
'-CAfile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class GnuTLSBase(TLSProgram):
"""
Generate base test commands for GnuTLS.
""" """
CIPHER_SUITE = { CIPHER_SUITE = {
@ -220,17 +252,8 @@ class GnuTLSServ(TLSProgram):
"requires_gnutls_next_no_ticket", "requires_gnutls_next_no_ticket",
"requires_gnutls_next_disable_tls13_compat", ] "requires_gnutls_next_disable_tls13_compat", ]
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = ['$G_NEXT_SRV_NO_CERT', '--http',
'--disable-client-cert', '--debug=4']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
priority_string_list = [] priority_string_list = []
@ -261,7 +284,7 @@ class GnuTLSServ(TLSProgram):
priority_string_list.append('GROUP-ALL') priority_string_list.append('GROUP-ALL')
priority_string_list = ['NONE'] + \ priority_string_list = ['NONE'] + \
sorted(priority_string_list) + ['VERS-TLS1.3'] priority_string_list + ['VERS-TLS1.3']
priority_string = ':+'.join(priority_string_list) priority_string = ':+'.join(priority_string_list)
priority_string += ':%NO_TICKETS' priority_string += ':%NO_TICKETS'
@ -271,13 +294,38 @@ class GnuTLSServ(TLSProgram):
ret += ['--priority={priority_string}'.format( ret += ['--priority={priority_string}'.format(
priority_string=priority_string)] priority_string=priority_string)]
ret = ' '.join(ret)
return ret return ret
class GnuTLSServ(GnuTLSBase):
class MbedTLSCli(TLSProgram):
""" """
Generate test commands for mbedTLS client. Generate test commands for GnuTLS server.
"""
def pre_cmd(self):
ret = ['$G_NEXT_SRV_NO_CERT', '--http', '--disable-client-cert', '--debug=4']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['--x509certfile {cert} --x509keyfile {key}'.format(
cert=cert, key=key)]
return ret
def post_checks(self):
return ['-c "HTTP/1.0 200 OK"']
class GnuTLSCli(GnuTLSBase):
"""
Generate test commands for GnuTLS client.
"""
def pre_cmd(self):
return ['$G_NEXT_CLI_NO_CERT', '--debug=4', '--single-key-share',
'--x509cafile {cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
class MbedTLSBase(TLSProgram):
"""
Generate base test commands for mbedTLS.
""" """
CIPHER_SUITE = { CIPHER_SUITE = {
@ -288,12 +336,9 @@ class MbedTLSCli(TLSProgram):
'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'} 'TLS_AES_128_CCM_8_SHA256': 'TLS1-3-AES-128-CCM-8-SHA256'}
def cmd(self): def cmd(self):
super().cmd() ret = super().cmd()
ret = ['$P_CLI'] ret += ['debug_level=4']
ret += ['server_addr=127.0.0.1', 'server_port=$SRV_PORT',
'debug_level=4']
ret += ['ca_file={cafile}'.format(
cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
if self._ciphers: if self._ciphers:
ciphers = ','.join( ciphers = ','.join(
@ -307,13 +352,11 @@ class MbedTLSCli(TLSProgram):
if self._named_groups: if self._named_groups:
named_groups = ','.join(self._named_groups) named_groups = ','.join(self._named_groups)
ret += ["curves={named_groups}".format(named_groups=named_groups)] ret += ["curves={named_groups}".format(named_groups=named_groups)]
ret += ['force_version=tls13']
ret = ' '.join(ret)
return ret return ret
def pre_checks(self): def pre_checks(self):
ret = ['requires_config_enabled MBEDTLS_DEBUG_C', ret = ['requires_config_enabled MBEDTLS_DEBUG_C',
'requires_config_enabled MBEDTLS_SSL_CLI_C',
'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3'] 'requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3']
if self._compat_mode: if self._compat_mode:
@ -324,6 +367,67 @@ class MbedTLSCli(TLSProgram):
'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT') 'requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT')
return ret return ret
class MbedTLSServ(MbedTLSBase):
"""
Generate test commands for mbedTLS server.
"""
def cmd(self):
ret = super().cmd()
ret += ['tls13_kex_modes=ephemeral cookies=0 tickets=0']
return ret
def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_SRV_C'] + super().pre_checks()
def post_checks(self):
check_strings = ["Protocol is TLSv1.3"]
if self._ciphers:
check_strings.append(
"server hello, chosen ciphersuite: {} ( id={:04d} )".format(
self.CIPHER_SUITE[self._ciphers[0]],
CIPHER_SUITE_IANA_VALUE[self._ciphers[0]]))
if self._sig_algs:
check_strings.append(
"received signature algorithm: 0x{:x}".format(
SIG_ALG_IANA_VALUE[self._sig_algs[0]]))
for named_group in self._named_groups:
check_strings += ['got named group: {named_group}({iana_value:04x})'.format(
named_group=named_group,
iana_value=NAMED_GROUP_IANA_VALUE[named_group])]
check_strings.append("Verifying peer X.509 certificate... ok")
return ['-s "{}"'.format(i) for i in check_strings]
def pre_cmd(self):
ret = ['$P_SRV']
for _, cert, key in map(lambda sig_alg: CERTIFICATES[sig_alg], self._cert_sig_algs):
ret += ['crt_file={cert} key_file={key}'.format(cert=cert, key=key)]
return ret
def hrr_post_checks(self, named_group):
return ['-s "HRR selected_group: {:s}"'.format(named_group)]
class MbedTLSCli(MbedTLSBase):
"""
Generate test commands for mbedTLS client.
"""
def pre_cmd(self):
return ['$P_CLI',
'ca_file={cafile}'.format(cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
def pre_checks(self):
return ['requires_config_enabled MBEDTLS_SSL_CLI_C'] + super().pre_checks()
def hrr_post_checks(self, named_group):
ret = ['-c "received HelloRetryRequest message"']
ret += ['-c "selected_group ( {:d} )"'.format(NAMED_GROUP_IANA_VALUE[named_group])]
return ret
def post_checks(self): def post_checks(self):
check_strings = ["Protocol is TLSv1.3"] check_strings = ["Protocol is TLSv1.3"]
if self._ciphers: if self._ciphers:
@ -345,8 +449,8 @@ class MbedTLSCli(TLSProgram):
return ['-c "{}"'.format(i) for i in check_strings] return ['-c "{}"'.format(i) for i in check_strings]
SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ} SERVER_CLASSES = {'OpenSSL': OpenSSLServ, 'GnuTLS': GnuTLSServ, 'mbedTLS': MbedTLSServ}
CLIENT_CLASSES = {'mbedTLS': MbedTLSCli} CLIENT_CLASSES = {'OpenSSL': OpenSSLCli, 'GnuTLS': GnuTLSCli, 'mbedTLS': MbedTLSCli}
def generate_compat_test(client=None, server=None, cipher=None, named_group=None, sig_alg=None): def generate_compat_test(client=None, server=None, cipher=None, named_group=None, sig_alg=None):
@ -365,8 +469,10 @@ def generate_compat_test(client=None, server=None, cipher=None, named_group=None
signature_algorithm=sig_alg, signature_algorithm=sig_alg,
cert_sig_alg=sig_alg) cert_sig_alg=sig_alg)
cmd = ['run_test "{}"'.format(name), '"{}"'.format( cmd = ['run_test "{}"'.format(name),
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] '"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks() cmd += server_object.post_checks()
cmd += client_object.post_checks() cmd += client_object.post_checks()
cmd += ['-C "received HelloRetryRequest message"'] cmd += ['-C "received HelloRetryRequest message"']
@ -391,20 +497,20 @@ def generate_hrr_compat_test(client=None, server=None,
cert_sig_alg=cert_sig_alg) cert_sig_alg=cert_sig_alg)
client_object.add_named_groups(server_named_group) client_object.add_named_groups(server_named_group)
cmd = ['run_test "{}"'.format(name), '"{}"'.format( cmd = ['run_test "{}"'.format(name),
server_object.cmd()), '"{}"'.format(client_object.cmd()), '0'] '"{}"'.format(' '.join(server_object.cmd())),
'"{}"'.format(' '.join(client_object.cmd())),
'0']
cmd += server_object.post_checks() cmd += server_object.post_checks()
cmd += client_object.post_checks() cmd += client_object.post_checks()
cmd += ['-c "received HelloRetryRequest message"'] cmd += server_object.hrr_post_checks(server_named_group)
cmd += ['-c "selected_group ( {:d} )"'.format( cmd += client_object.hrr_post_checks(server_named_group)
NAMED_GROUP_IANA_VALUE[server_named_group])]
prefix = ' \\\n' + (' '*9) prefix = ' \\\n' + (' '*9)
cmd = prefix.join(cmd) cmd = prefix.join(cmd)
return '\n'.join(server_object.pre_checks() + return '\n'.join(server_object.pre_checks() +
client_object.pre_checks() + client_object.pre_checks() +
[cmd]) [cmd])
SSL_OUTPUT_HEADER = '''#!/bin/sh SSL_OUTPUT_HEADER = '''#!/bin/sh
# {filename} # {filename}
@ -487,9 +593,11 @@ def main():
CIPHER_SUITE_IANA_VALUE.keys(), CIPHER_SUITE_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys(), NAMED_GROUP_IANA_VALUE.keys(),
SIG_ALG_IANA_VALUE.keys()): SIG_ALG_IANA_VALUE.keys()):
yield generate_compat_test(client=client, server=server, if server == 'mbedTLS' or client == 'mbedTLS':
cipher=cipher, named_group=named_group, yield generate_compat_test(client=client, server=server,
sig_alg=sig_alg) cipher=cipher, named_group=named_group,
sig_alg=sig_alg)
# Generate Hello Retry Request compat test cases # Generate Hello Retry Request compat test cases
for client, server, client_named_group, server_named_group in \ for client, server, client_named_group, server_named_group in \
@ -497,7 +605,9 @@ def main():
SERVER_CLASSES.keys(), SERVER_CLASSES.keys(),
NAMED_GROUP_IANA_VALUE.keys(), NAMED_GROUP_IANA_VALUE.keys(),
NAMED_GROUP_IANA_VALUE.keys()): NAMED_GROUP_IANA_VALUE.keys()):
if client_named_group != server_named_group:
if (client == 'mbedTLS' or server == 'mbedTLS') and \
client_named_group != server_named_group:
yield generate_hrr_compat_test(client=client, server=server, yield generate_hrr_compat_test(client=client, server=server,
client_named_group=client_named_group, client_named_group=client_named_group,
server_named_group=server_named_group, server_named_group=server_named_group,
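Review bot: In `generate_compat_test` the unchanged line `cmd += ['-C "received HelloRetryRequest message"']` becomes a vacuous assertion now that `CLIENT_CLASSES` includes OpenSSL and GnuTLS. That string is the mbedTLS client's log line (`MbedTLSCli.hrr_post_checks` matches it with `-c`), so a non-mbedTLS client never prints it, and those cases would pass even if the mbedTLS server did send a HelloRetryRequest. The no-HRR check should follow the same per-class pattern as `hrr_post_checks`. Keep the `-C` line for `MbedTLSCli`, and have `MbedTLSServ` contribute a server-side absence check such as `-S "HRR selected_group"`, built from the string its own `hrr_post_checks` already uses. The body of `generate_compat_test` extends beyond the hunks shown, so this is based on the visible lines only.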


@ -82,9 +82,11 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www " O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt" O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
else else
O_NEXT_SRV=false O_NEXT_SRV=false
O_NEXT_SRV_NO_CERT=false O_NEXT_SRV_NO_CERT=false
O_NEXT_CLI_NO_CERT=false
O_NEXT_CLI=false O_NEXT_CLI=false
fi fi
@ -98,8 +100,10 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt" G_NEXT_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI --x509cafile data_files/test-ca_cat12.crt"
G_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $GNUTLS_NEXT_CLI"
else else
G_NEXT_CLI=false G_NEXT_CLI=false
G_NEXT_CLI_NO_CERT=false
fi fi
TESTS=0 TESTS=0
@ -1558,6 +1562,7 @@ if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT" O_NEXT_SRV="$O_NEXT_SRV -accept $SRV_PORT"
O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT" O_NEXT_SRV_NO_CERT="$O_NEXT_SRV_NO_CERT -accept $SRV_PORT"
O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT" O_NEXT_CLI="$O_NEXT_CLI -connect 127.0.0.1:+SRV_PORT"
O_NEXT_CLI_NO_CERT="$O_NEXT_CLI_NO_CERT -connect 127.0.0.1:+SRV_PORT"
fi fi
if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then if [ -n "${GNUTLS_NEXT_SERV:-}" ]; then
@ -1567,6 +1572,7 @@ fi
if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then if [ -n "${GNUTLS_NEXT_CLI:-}" ]; then
G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT" G_NEXT_CLI="$G_NEXT_CLI -p +SRV_PORT"
G_NEXT_CLI_NO_CERT="$G_NEXT_CLI_NO_CERT -p +SRV_PORT localhost"
fi fi
# Allow SHA-1, because many of our test certificates use it # Allow SHA-1, because many of our test certificates use it
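Review bot: `O_NEXT_CLI_NO_CERT` starts `s_client` without `-verify_return_error`, and the generated `OpenSSLCli` class adds only `-CAfile` and has no `post_checks`. By default `s_client` reports a certificate verification failure and carries on with the handshake, so an OpenSSL-client case against an mbedTLS server would presumably still pass if the server presented a chain that does not validate against that CA file. I would define it as `O_NEXT_CLI_NO_CERT="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -verify_return_error"`, or have the generator assert on the verify result in the client output. Separately, `G_NEXT_CLI_NO_CERT` appends `localhost` after `-p +SRV_PORT` while `G_NEXT_CLI` does not, and a short comment explaining the difference would help the next reader.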