yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-22 20:01:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add tests for enforced extended master secret flag

Browse source
This commit is contained in:
Jarno Lamsa 2019-06-10 15:51:11 +03:00
parent 18b9a491e1
commit 41b359114d
3 changed files with 82 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
programs/ssl/ssl_client2.c
View file

@ -122,6 +122,7 @@ int main( void )
#define DFL_FALLBACK -1 #define DFL_FALLBACK -1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
#define DFL_EXTENDED_MS_ENFORCE -1
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n" #define GET_REQUEST_END "\r\n\r\n"
@ -243,7 +244,8 @@ int main( void )
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
#define USAGE_EMS \ #define USAGE_EMS \
" extended_ms=0/1 default: (library default: on)\n" " extended_ms=0/1 default: (library default: on)\n" \
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
#else #else
#define USAGE_EMS "" #define USAGE_EMS ""
#endif #endif
@ -410,6 +412,8 @@ struct options
int fallback; /* is this a fallback connection? */ int fallback; /* is this a fallback connection? */
int dgram_packing; /* allow/forbid datagram packing */ int dgram_packing; /* allow/forbid datagram packing */
int extended_ms; /* negotiate extended master secret? */ int extended_ms; /* negotiate extended master secret? */
int enforce_extended_master_secret; /* Enforce the usage of extended
* master secret */
int etm; /* negotiate encrypt then mac? */ int etm; /* negotiate encrypt then mac? */
int cid_enabled; /* whether to use the CID extension or not */ int cid_enabled; /* whether to use the CID extension or not */
int cid_enabled_renego; /* whether to use the CID extension or not int cid_enabled_renego; /* whether to use the CID extension or not
@ -825,6 +829,7 @@ int main( int argc, char *argv[] )
opt.dtls_mtu = DFL_DTLS_MTU; opt.dtls_mtu = DFL_DTLS_MTU;
opt.fallback = DFL_FALLBACK; opt.fallback = DFL_FALLBACK;
opt.extended_ms = DFL_EXTENDED_MS; opt.extended_ms = DFL_EXTENDED_MS;
opt.enforce_extended_master_secret = DFL_EXTENDED_MS_ENFORCE;
opt.etm = DFL_ETM; opt.etm = DFL_ETM;
opt.dgram_packing = DFL_DGRAM_PACKING; opt.dgram_packing = DFL_DGRAM_PACKING;
@ -1025,6 +1030,21 @@ int main( int argc, char *argv[] )
default: goto usage; default: goto usage;
} }
} }
else if( strcmp( p, "enforce_extended_master_secret" ) == 0 )
{
switch( atoi( q ) )
{
case 0:
opt.enforce_extended_master_secret =
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
break;
case 1:
opt.enforce_extended_master_secret =
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
break;
default: goto usage;
}
}
else if( strcmp( p, "curves" ) == 0 ) else if( strcmp( p, "curves" ) == 0 )
opt.curves = q; opt.curves = q;
else if( strcmp( p, "etm" ) == 0 ) else if( strcmp( p, "etm" ) == 0 )
@ -1638,6 +1658,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS ) if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
mbedtls_ssl_conf_extended_master_secret_enforce( &conf,
opt.enforce_extended_master_secret );
#endif #endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)

25
programs/ssl/ssl_server2.c
View file

@ -163,6 +163,7 @@ int main( void )
#define DFL_DGRAM_PACKING 1 #define DFL_DGRAM_PACKING 1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
#define DFL_EXTENDED_MS_ENFORCE -1
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -342,7 +343,8 @@ int main( void )
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
#define USAGE_EMS \ #define USAGE_EMS \
" extended_ms=0/1 default: (library default: on)\n" " extended_ms=0/1 default: (library default: on)\n" \
" enforce_extended_master_secret=0/1 default: (library default: off)\n"
#else #else
#define USAGE_EMS "" #define USAGE_EMS ""
#endif #endif
@ -525,6 +527,8 @@ struct options
const char *alpn_string; /* ALPN supported protocols */ const char *alpn_string; /* ALPN supported protocols */
const char *dhm_file; /* the file with the DH parameters */ const char *dhm_file; /* the file with the DH parameters */
int extended_ms; /* allow negotiation of extended MS? */ int extended_ms; /* allow negotiation of extended MS? */
int enforce_extended_master_secret; /* Enforce the usage of extended
* master secret */
int etm; /* allow negotiation of encrypt-then-MAC? */ int etm; /* allow negotiation of encrypt-then-MAC? */
int transport; /* TLS or DTLS? */ int transport; /* TLS or DTLS? */
int cookies; /* Use cookies for DTLS? -1 to break them */ int cookies; /* Use cookies for DTLS? -1 to break them */
@ -1494,6 +1498,7 @@ int main( int argc, char *argv[] )
opt.dgram_packing = DFL_DGRAM_PACKING; opt.dgram_packing = DFL_DGRAM_PACKING;
opt.badmac_limit = DFL_BADMAC_LIMIT; opt.badmac_limit = DFL_BADMAC_LIMIT;
opt.extended_ms = DFL_EXTENDED_MS; opt.extended_ms = DFL_EXTENDED_MS;
opt.enforce_extended_master_secret = DFL_EXTENDED_MS_ENFORCE;
opt.etm = DFL_ETM; opt.etm = DFL_ETM;
for( i = 1; i < argc; i++ ) for( i = 1; i < argc; i++ )
@ -1813,6 +1818,21 @@ int main( int argc, char *argv[] )
default: goto usage; default: goto usage;
} }
} }
else if( strcmp( p, "enforce_extended_master_secret" ) == 0 )
{
switch( atoi( q ) )
{
case 0:
opt.enforce_extended_master_secret =
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
break;
case 1:
opt.enforce_extended_master_secret =
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
break;
default: goto usage;
}
}
else if( strcmp( p, "etm" ) == 0 ) else if( strcmp( p, "etm" ) == 0 )
{ {
switch( atoi( q ) ) switch( atoi( q ) )
@ -2440,6 +2460,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
if( opt.extended_ms != DFL_EXTENDED_MS ) if( opt.extended_ms != DFL_EXTENDED_MS )
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
mbedtls_ssl_conf_extended_master_secret_enforce( &conf,
opt.enforce_extended_master_secret );
#endif #endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)

37
tests/ssl-opt.sh
View file

@ -1763,7 +1763,38 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
# Tests for Extended Master Secret extension # Tests for Extended Master Secret extension
run_test "Extended Master Secret: default" \ run_test "Extended Master Secret enforced: default" \
"$P_SRV debug_level=3 enforce_extended_master_secret=1" \
"$P_CLI debug_level=3 enforce_extended_master_secret=1" \
0 \
-c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \
-s "server hello, adding extended master secret extension" \
-c "found extended_master_secret extension" \
-c "session hash for extended master secret" \
-s "session hash for extended master secret"
run_test "Extended Master Secret enforced: client enabled, server disabled" \
"$P_SRV debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
"$P_CLI debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
1 \
-c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-c "Peer not offering extended master secret, while it is enforced"
run_test "Extended Master Secret enforced: client disabled, server enabled" \
"$P_SRV debug_level=3 extended_ms=1 enforce_extended_master_secret=1" \
"$P_CLI debug_level=3 extended_ms=0 enforce_extended_master_secret=1" \
1 \
-C "client hello, adding extended_master_secret extension" \
-S "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-s "Peer not offering extended master secret, while it is enforced"
run_test "Extended Master Secret not enforced: default" \
"$P_SRV debug_level=3" \ "$P_SRV debug_level=3" \
"$P_CLI debug_level=3" \ "$P_CLI debug_level=3" \
0 \ 0 \
@ -1774,7 +1805,7 @@ run_test "Extended Master Secret: default" \
-c "session hash for extended master secret" \ -c "session hash for extended master secret" \
-s "session hash for extended master secret" -s "session hash for extended master secret"
run_test "Extended Master Secret: client enabled, server disabled" \ run_test "Extended Master Secret not enforced: client enabled, server disabled" \
"$P_SRV debug_level=3 extended_ms=0" \ "$P_SRV debug_level=3 extended_ms=0" \
"$P_CLI debug_level=3 extended_ms=1" \ "$P_CLI debug_level=3 extended_ms=1" \
0 \ 0 \
@ -1785,7 +1816,7 @@ run_test "Extended Master Secret: client enabled, server disabled" \
-C "session hash for extended master secret" \ -C "session hash for extended master secret" \
-S "session hash for extended master secret" -S "session hash for extended master secret"
run_test "Extended Master Secret: client disabled, server enabled" \ run_test "Extended Master Secret not enforced: client disabled, server enabled" \
"$P_SRV debug_level=3 extended_ms=1" \ "$P_SRV debug_level=3 extended_ms=1" \
"$P_CLI debug_level=3 extended_ms=0" \ "$P_CLI debug_level=3 extended_ms=0" \
0 \ 0 \