diff options
| author | Ingela Anderton Andin <ingela@erlang.org> | 2020-03-04 10:16:56 +0100 |
|---|---|---|
| committer | Ingela Anderton Andin <ingela@erlang.org> | 2020-03-04 13:24:10 +0100 |
| commit | fa7c7409f42aa8577e56a81efb68044d8a13f873 (patch) | |
| tree | c10d9d6752b4e9d4e1acac75334e5e2373fccd8b | |
| parent | f7fe3ee24c3fefc94a2688d4e1dcbb068c7b7eb0 (diff) | |
| download | erlang-fa7c7409f42aa8577e56a81efb68044d8a13f873.tar.gz | |
ssl: Add TLS-1.3 group to ssl_cipher_suite_SUITE
Also fix bug discoverd with the new tests, that is
handling of algorithm AES_CCM was missing in tls_sender.
| -rw-r--r-- | lib/ssl/src/tls_sender.erl | 4 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_cipher_suite_SUITE.erl | 95 |
2 files changed, 96 insertions, 3 deletions
diff --git a/lib/ssl/src/tls_sender.erl b/lib/ssl/src/tls_sender.erl index 951d4302e9..790746658e 100644 --- a/lib/ssl/src/tls_sender.erl +++ b/lib/ssl/src/tls_sender.erl @@ -540,7 +540,9 @@ key_update_at(Version, #{security_parameters := ?AES_GCM -> KeyUpdateAt; ?CHACHA20_POLY1305 -> - seq_num_wrap + seq_num_wrap; + ?AES_CCM -> + KeyUpdateAt end; key_update_at(_, _, KeyUpdateAt) -> KeyUpdateAt. diff --git a/lib/ssl/test/ssl_cipher_suite_SUITE.erl b/lib/ssl/test/ssl_cipher_suite_SUITE.erl index e598d662e9..855533cc3d 100644 --- a/lib/ssl/test/ssl_cipher_suite_SUITE.erl +++ b/lib/ssl/test/ssl_cipher_suite_SUITE.erl @@ -32,6 +32,7 @@ %%-------------------------------------------------------------------- all() -> [ + {group, 'tlsv1.3'}, {group, 'tlsv1.2'}, {group, 'tlsv1.1'}, {group, 'tlsv1'}, @@ -42,6 +43,7 @@ all() -> groups() -> [ + {'tlsv1.3', [], tls_1_3_kex()}, {'tlsv1.2', [], kex()}, {'tlsv1.1', [], kex()}, {'tlsv1', [], kex()}, @@ -60,6 +62,7 @@ groups() -> ecdhe_rsa_aes_256_gcm, ecdhe_rsa_chacha20_poly1305 ]}, + {ecdhe_1_3_rsa_cert, [], tls_1_3_cipher_suites()}, {ecdhe_ecdsa, [],[ecdhe_ecdsa_rc4_128, ecdhe_ecdsa_3des_ede_cbc, ecdhe_ecdsa_aes_128_cbc, @@ -127,6 +130,17 @@ groups() -> ]} ]. + +tls_1_3_kex() -> + [{group, ecdhe_1_3_rsa_cert}]. + +tls_1_3_cipher_suites() -> + [aes_256_gcm_sha384, + aes_128_gcm_sha256, + chacha20_poly1305_sha256, + aes_128_ccm_sha256 + ]. + kex() -> rsa() ++ ecdsa() ++ dss() ++ anonymous(). @@ -186,7 +200,13 @@ end_per_suite(_Config) -> ssl:stop(), application:stop(crypto). - +init_per_group(GroupName, Config) when GroupName == ecdhe_1_3_rsa_cert -> + case proplists:get_bool(ecdh, proplists:get_value(public_keys, crypto:supports())) of + true -> + init_certs(GroupName, Config); + false -> + {skip, "Missing EC crypto support"} + end; init_per_group(GroupName, Config) when GroupName == ecdh_anon; GroupName == ecdhe_rsa; GroupName == ecdhe_psk -> @@ -318,6 +338,53 @@ init_per_testcase(TestCase, Config) when TestCase == psk_aes_256_ccm_8; _ -> {skip, "Missing AES_256_CCM crypto support"} end; +init_per_testcase(aes_256_gcm_sha384, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_256_gcm, SupCiphers)) andalso + (lists:member(sha384, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_256_GCM_SHA384 crypto support"} + end; +init_per_testcase(aes_128_gcm_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_256_gcm, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_128_GCM_SHA256 crypto support"} + end; +init_per_testcase(chacha20_poly1305_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(chacha20_poly1305, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing chacha20_poly1305_sha256 crypto support"} + end; +init_per_testcase(aes_128_ccm_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_128_ccm, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_128_CCM_SHA256 crypto support"} + end; init_per_testcase(TestCase, Config) -> Cipher = ssl_test_lib:test_cipher(TestCase, Config), SupCiphers = proplists:get_value(ciphers, crypto:supports()), @@ -335,7 +402,6 @@ end_per_testcase(_TestCase, Config) -> %%-------------------------------------------------------------------- %% Initializtion ------------------------------------------ %%-------------------------------------------------------------------- - init_certs(srp_rsa, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(rsa, rsa, DefConf, DefConf), @@ -367,6 +433,14 @@ init_certs(rsa, Config) -> [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; +init_certs(ecdhe_1_3_rsa_cert, Config) -> + ClientExt = x509_test:extensions([{key_usage, [digitalSignature]}]), + {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, + [[],[],[{extensions, ClientExt}]]}], + Config, "_peer_rsa_digitalsign"), + [{tls_config, #{server_config => ServerOpts, + client_config => ClientOpts}} | + proplists:delete(tls_config, Config)]; init_certs(dhe_dss, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(dsa, dsa, DefConf, DefConf), @@ -427,6 +501,22 @@ init_certs(_GroupName, Config) -> %% Test Cases -------------------------------------------------------- %%-------------------------------------------------------------------- +aes_256_gcm_sha384(Config) when is_list(Config)-> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_256_GCM_SHA384"), Version, Config). + +aes_128_gcm_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_128_GCM_SHA256"), Version, Config). + +chacha20_poly1305_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_CHACHA20_POLY1305_SHA256"), Version, Config). + +aes_128_ccm_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_128_CCM_SHA256"), Version, Config). + %%-------------------------------------------------------------------- %% SRP -------------------------------------------------------- %%-------------------------------------------------------------------- @@ -775,3 +865,4 @@ test_ciphers(Kex, Cipher, Version) -> (_) -> false end}]). + |