Add version & ciphersuite tests to ssl handshake

Add tests exercising various protocol versions and ciphersuites
in the mocked ssl handshake.
This commit is contained in:
Andrzej Kurek 2020-02-04 09:00:01 -05:00
parent b29807413e
commit f40daa3f05
2 changed files with 111 additions and 1 deletions

View file

@ -199,6 +199,42 @@ move_handshake_to_state:MBEDTLS_SSL_IS_CLIENT:MBEDTLS_SSL_SERVER_HELLO_VERIFY_RE
Negative test moving servers ssl to state: NEW_SESSION_TICKET
move_handshake_to_state:MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:0
Handshake, SSL3
depends_on:MBEDTLS_SSL_PROTO_SSL3:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
handshake:"":MBEDTLS_SSL_MINOR_VERSION_0:MBEDTLS_PK_RSA
Handshake, tls1
depends_on:MBEDTLS_SSL_PROTO_TLS1:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC
handshake:"":MBEDTLS_SSL_MINOR_VERSION_1:MBEDTLS_PK_RSA
Handshake, tls1_1
depends_on:MBEDTLS_SSL_PROTO_TLS1_1:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC
handshake:"":MBEDTLS_SSL_MINOR_VERSION_2:MBEDTLS_PK_RSA
Handshake, tls1_2
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
handshake:"":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA
Handshake, ECDHE-RSA-WITH-AES-256-GCM-SHA384
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C:MBEDTLS_AES_C:MBEDTLS_GCM_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
handshake:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA
Handshake, RSA-WITH-AES-128-CCM
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
handshake:"TLS-RSA-WITH-AES-128-CCM":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA
Handshake, DHE-RSA-WITH-AES-256-CBC-SHA256
depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA256_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
handshake:"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_RSA
Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
depends_on:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CCM_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
handshake:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_ECDSA
Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SHA512_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CAMELLIA_C
handshake:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_SSL_MINOR_VERSION_3:MBEDTLS_PK_ECDSA
SSL DTLS replay: initial state, seqnum 0
ssl_dtls_replay:"":"000000000000":0

View file

@ -908,6 +908,35 @@ int mbedtls_move_handshake_to_state( mbedtls_ssl_context *ssl,
} \
} while( 0 )
void set_ciphersuite( mbedtls_ssl_config *conf, const char *cipher,
int* forced_ciphersuite )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( cipher );
forced_ciphersuite[1] = 0;
ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( forced_ciphersuite[0] );
TEST_ASSERT( ciphersuite_info != NULL );
TEST_ASSERT( ciphersuite_info->min_minor_ver <= conf->max_minor_ver );
TEST_ASSERT( ciphersuite_info->max_minor_ver >= conf->min_minor_ver );
if( conf->max_minor_ver > ciphersuite_info->max_minor_ver )
{
conf->max_minor_ver = ciphersuite_info->max_minor_ver;
}
if( conf->min_minor_ver < ciphersuite_info->min_minor_ver )
{
conf->min_minor_ver = ciphersuite_info->min_minor_ver;
}
mbedtls_ssl_conf_ciphersuites( conf, forced_ciphersuite );
exit:
return;
}
#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
@ -2984,3 +3013,48 @@ exit:
mbedtls_endpoint_free( &second_ep );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15 */
void handshake( const char *cipher, int version, int pk_alg )
{
/* forced_ciphersuite needs to last until the end of the handshake */
int forced_ciphersuite[2];
enum { BUFFSIZE = 1024 };
mbedtls_endpoint client, server;
/* Client side */
TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
pk_alg ) == 0 );
mbedtls_ssl_conf_min_version( &client.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
version );
mbedtls_ssl_conf_max_version( &client.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
version );
if( strlen( cipher ) > 0 )
{
set_ciphersuite( &client.conf, cipher, forced_ciphersuite );
}
/* Server side */
TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
pk_alg ) == 0 );
mbedtls_ssl_conf_min_version( &server.conf, MBEDTLS_SSL_MAJOR_VERSION_3,
version );
TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket),
&(server.socket),
BUFFSIZE ) == 0 );
TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl),
&(server.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER )
== 0 );
TEST_ASSERT( client.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
TEST_ASSERT( server.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
exit:
mbedtls_endpoint_free( &client );
mbedtls_endpoint_free( &server );
}
/* END_CASE */