Add tests for renego security enforcement

This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-03 20:10:36 +01:00
parent a6c5ea2c43
commit 85d915b81d
3 changed files with 110 additions and 18 deletions

View file

@ -83,7 +83,7 @@ int main( int argc, char *argv[] )
#define DFL_PSK_IDENTITY "Client_identity" #define DFL_PSK_IDENTITY "Client_identity"
#define DFL_FORCE_CIPHER 0 #define DFL_FORCE_CIPHER 0
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED #define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
#define DFL_EXCHANGES 1 #define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1 #define DFL_MIN_VERSION -1
@ -304,7 +304,7 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
USAGE_PSK \ USAGE_PSK \
"\n" \ "\n" \
" renegotiation=%%d default: 1 (enabled)\n" \ " renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: 0 (disabled)\n" \ " allow_legacy=%%d default: (library default: no)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \ " renegotiate=%%d default: 0 (disabled)\n" \
" exchanges=%%d default: 1\n" \ " exchanges=%%d default: 1\n" \
" reconnect=%%d default: 0 (disabled)\n" \ " reconnect=%%d default: 0 (disabled)\n" \
@ -481,9 +481,13 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "allow_legacy" ) == 0 ) else if( strcmp( p, "allow_legacy" ) == 0 )
{ {
opt.allow_legacy = atoi( q ); switch( atoi( q ) )
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) {
goto usage; case -1: opt.allow_legacy = SSL_LEGACY_BREAK_HANDSHAKE; break;
case 0: opt.allow_legacy = SSL_LEGACY_NO_RENEGOTIATION; break;
case 1: opt.allow_legacy = SSL_LEGACY_ALLOW_RENEGOTIATION; break;
default: goto usage;
}
} }
else if( strcmp( p, "renegotiate" ) == 0 ) else if( strcmp( p, "renegotiate" ) == 0 )
{ {
@ -911,7 +915,8 @@ int main( int argc, char *argv[] )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); if( opt.allow_legacy != DFL_ALLOW_LEGACY )
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 && if( strcmp( opt.ca_path, "none" ) != 0 &&

View file

@ -101,7 +101,7 @@ int main( int argc, char *argv[] )
#define DFL_FORCE_CIPHER 0 #define DFL_FORCE_CIPHER 0
#define DFL_VERSION_SUITES NULL #define DFL_VERSION_SUITES NULL
#define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED #define DFL_RENEGOTIATION SSL_RENEGOTIATION_DISABLED
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
#define DFL_RENEGO_DELAY -2 #define DFL_RENEGO_DELAY -2
#define DFL_EXCHANGES 1 #define DFL_EXCHANGES 1
@ -316,7 +316,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
USAGE_PSK \ USAGE_PSK \
"\n" \ "\n" \
" renegotiation=%%d default: 1 (enabled)\n" \ " renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: 0 (disabled)\n" \ " allow_legacy=%%d default: (library default: no)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \ " renegotiate=%%d default: 0 (disabled)\n" \
" renego_delay=%%d default: -2 (library default)\n" \ " renego_delay=%%d default: -2 (library default)\n" \
" exchanges=%%d default: 1\n" \ " exchanges=%%d default: 1\n" \
@ -781,9 +781,13 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "allow_legacy" ) == 0 ) else if( strcmp( p, "allow_legacy" ) == 0 )
{ {
opt.allow_legacy = atoi( q ); switch( atoi( q ) )
if( opt.allow_legacy < 0 || opt.allow_legacy > 1 ) {
goto usage; case -1: opt.allow_legacy = SSL_LEGACY_BREAK_HANDSHAKE; break;
case 0: opt.allow_legacy = SSL_LEGACY_NO_RENEGOTIATION; break;
case 1: opt.allow_legacy = SSL_LEGACY_ALLOW_RENEGOTIATION; break;
default: goto usage;
}
} }
else if( strcmp( p, "renegotiate" ) == 0 ) else if( strcmp( p, "renegotiate" ) == 0 )
{ {
@ -1311,7 +1315,8 @@ int main( int argc, char *argv[] )
} }
ssl_set_renegotiation( &ssl, opt.renegotiation ); ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); if( opt.allow_legacy != DFL_ALLOW_LEGACY )
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
if( opt.renego_delay != DFL_RENEGO_DELAY ) if( opt.renego_delay != DFL_RENEGO_DELAY )
ssl_set_renegotiation_enforced( &ssl, opt.renego_delay ); ssl_set_renegotiation_enforced( &ssl, opt.renego_delay );

View file

@ -20,7 +20,7 @@ set -u
O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client" O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key" G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
G_CLI="$GNUTLS_CLI" G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
TESTS=0 TESTS=0
FAILS=0 FAILS=0
@ -364,7 +364,7 @@ P_CLI="$P_CLI server_port=$PORT"
O_SRV="$O_SRV -accept $PORT" O_SRV="$O_SRV -accept $PORT"
O_CLI="$O_CLI -connect localhost:$PORT" O_CLI="$O_CLI -connect localhost:$PORT"
G_SRV="$G_SRV -p $PORT" G_SRV="$G_SRV -p $PORT"
G_CLI="$G_CLI -p $PORT" G_CLI="$G_CLI -p $PORT localhost"
# Also pick a unique name for intermediate files # Also pick a unique name for intermediate files
SRV_OUT="srv_out.$$" SRV_OUT="srv_out.$$"
@ -803,21 +803,103 @@ run_test "Renegotiation: openssl server, client-initiated" \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \ -c "found renegotiation extension" \
-c "=> renegotiate" \ -c "=> renegotiate" \
-C "ssl_handshake returned" \ -C "ssl_hanshake() returned" \
-C "error" \ -C "error" \
-c "HTTP/1.0 200 [Oo][Kk]" -c "HTTP/1.0 200 [Oo][Kk]"
run_test "Renegotiation: gnutls server, client-initiated" \ run_test "Renegotiation: gnutls server strict, client-initiated" \
"$G_SRV" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
0 \ 0 \
-c "client hello, adding renegotiation extension" \ -c "client hello, adding renegotiation extension" \
-c "found renegotiation extension" \ -c "found renegotiation extension" \
-c "=> renegotiate" \ -c "=> renegotiate" \
-C "ssl_handshake returned" \ -C "ssl_hanshake() returned" \
-C "error" \ -C "error" \
-c "HTTP/1.0 200 [Oo][Kk]" -c "HTTP/1.0 200 [Oo][Kk]"
run_test "Renegotiation: gnutls server unsafe, client-initiated default" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \
1 \
-c "client hello, adding renegotiation extension" \
-C "found renegotiation extension" \
-c "=> renegotiate" \
-c "ssl_handshake() returned" \
-c "error" \
-C "HTTP/1.0 200 [Oo][Kk]"
run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=0" \
1 \
-c "client hello, adding renegotiation extension" \
-C "found renegotiation extension" \
-c "=> renegotiate" \
-c "ssl_handshake() returned" \
-c "error" \
-C "HTTP/1.0 200 [Oo][Kk]"
run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \
allow_legacy=1" \
0 \
-c "client hello, adding renegotiation extension" \
-C "found renegotiation extension" \
-c "=> renegotiate" \
-C "ssl_hanshake() returned" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
# Test for the "secure renegotation" extension only (no actual renegotiation)
run_test "Renego ext: gnutls server strict, client default" \
"$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-c "found renegotiation extension" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
run_test "Renego ext: gnutls server unsafe, client default" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3" \
0 \
-C "found renegotiation extension" \
-C "error" \
-c "HTTP/1.0 200 [Oo][Kk]"
run_test "Renego ext: gnutls server unsafe, client break legacy" \
"$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
"$P_CLI debug_level=3 allow_legacy=-1" \
1 \
-C "found renegotiation extension" \
-c "error" \
-C "HTTP/1.0 200 [Oo][Kk]"
run_test "Renego ext: gnutls client strict, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%SAFE_RENEGOTIATION" \
0 \
-s "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-s "server hello, secure renegotiation extension"
run_test "Renego ext: gnutls client unsafe, server default" \
"$P_SRV debug_level=3" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
0 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
run_test "Renego ext: gnutls client unsafe, server break legacy" \
"$P_SRV debug_level=3 allow_legacy=-1" \
"$G_CLI --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \
1 \
-S "received TLS_EMPTY_RENEGOTIATION_INFO\|found renegotiation extension" \
-S "server hello, secure renegotiation extension"
# Tests for auth_mode # Tests for auth_mode
run_test "Authentication: server badcert, client required" \ run_test "Authentication: server badcert, client required" \