Diffstat (limited to 'lib/ssl/test/tls_api_SUITE.erl')
-rw-r--r--lib/ssl/test/tls_api_SUITE.erl163
1 files changed, 152 insertions, 11 deletions
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl
index 4dd32ab0dc..ccba623861 100644
--- a/lib/ssl/test/tls_api_SUITE.erl
+++ b/lib/ssl/test/tls_api_SUITE.erl
@@ -28,6 +28,7 @@
-include_lib("ssl/src/ssl_api.hrl").
-include_lib("ssl/src/tls_handshake.hrl").
-include_lib("ssl/src/ssl_alert.hrl").
+-include_lib("ssl/src/ssl_cipher.hrl").
%% Common test
-export([all/0,
@@ -45,8 +46,12 @@
tls_upgrade/1,
tls_upgrade_new_opts/0,
tls_upgrade_new_opts/1,
+ tls_upgrade_new_opts_with_sni_fun/0,
+ tls_upgrade_new_opts_with_sni_fun/1,
tls_upgrade_with_timeout/0,
tls_upgrade_with_timeout/1,
+ tls_upgrade_with_client_timeout/0,
+ tls_upgrade_with_client_timeout/1,
tls_downgrade/0,
tls_downgrade/1,
tls_shutdown/0,
@@ -85,6 +90,10 @@
tls_reject_fake_warning_alert_in_initial_hs/1,
tls_app_data_in_initial_hs_state/0,
tls_app_data_in_initial_hs_state/1,
+ tls_13_reject_change_cipher_spec_as_first_msg/0,
+ tls_13_reject_change_cipher_spec_as_first_msg/1,
+ tls_13_middlebox_reject_change_cipher_spec_as_first_msg/0,
+ tls_13_middlebox_reject_change_cipher_spec_as_first_msg/1,
peername/0,
peername/1,
sockname/0,
@@ -133,7 +142,8 @@ all() ->
groups() ->
[
- {'tlsv1.3', [], api_tests() -- [sockname]},
+ {'tlsv1.3', [], (api_tests() ++ [tls_13_reject_change_cipher_spec_as_first_msg,
+ tls_13_middlebox_reject_change_cipher_spec_as_first_msg]) -- [sockname]},
{'tlsv1.2', [], api_tests()},
{'tlsv1.1', [], api_tests()},
{'tlsv1', [], api_tests()}
@@ -143,7 +153,9 @@ api_tests() ->
[
tls_upgrade,
tls_upgrade_new_opts,
+ tls_upgrade_new_opts_with_sni_fun,
tls_upgrade_with_timeout,
+ tls_upgrade_with_client_timeout,
tls_downgrade,
tls_shutdown,
tls_shutdown_write,
@@ -280,6 +292,52 @@ tls_upgrade_new_opts(Config) when is_list(Config) ->
ssl_test_lib:close(Client).
%%--------------------------------------------------------------------
+tls_upgrade_new_opts_with_sni_fun() ->
+ [{doc,"Test that you can upgrade an tcp connection to an ssl connection with new versions option provided by sni_fun"}].
+
+tls_upgrade_new_opts_with_sni_fun(Config) when is_list(Config) ->
+ ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ TcpOpts = [binary, {reuseaddr, true}],
+ Version = ssl_test_lib:protocol_version(Config),
+ NewVersions = new_versions(Version),
+ Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), []),
+
+ NewOpts = [{versions, NewVersions},
+ {ciphers, Ciphers},
+ {verify, verify_peer}],
+
+ Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE,
+ upgrade_result, []}},
+ {tcp_options,
+ [{active, false} | TcpOpts]},
+ {ssl_options, [{versions, [Version |NewVersions]}, {sni_fun, fun(_SNI) -> ServerOpts ++ NewOpts end}]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_upgrade_client([{node, ClientNode},
+ {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, upgrade_result, []}},
+ {tcp_options, [binary]},
+ {ssl_options, [{verify, verify_peer},
+ {versions, [Version |NewVersions]},
+ {ciphers, Ciphers},
+ {server_name_indication, Hostname} | ClientOpts]}]),
+
+ ct:log("Testcase ~p, Client ~p Server ~p ~n",
+ [self(), Client, Server]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+
+
+%%--------------------------------------------------------------------
tls_upgrade_with_timeout() ->
[{doc,"Test handshake/3"}].
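Review bot: The sni_fun test never checks which version was negotiated, so it would still pass if the `{versions, NewVersions}` returned by the sni_fun at L89 were ignored: both peers offer `[Version | NewVersions]` and `check_result` only confirms that `upgrade_result` (defined outside this hunk) returned ok on each side. To make the test prove its doc claim, have the mfa assert the protocol on the established socket, e.g. `{ok, [{protocol, Expected}]} = ssl:connection_information(Socket, [protocol])` with `Expected = hd(NewVersions)` passed in as the mfa argument. The client cipher list at L77 is built from `Version` rather than from the version the sni_fun restricts the server to; if the handshake succeeds it is because the suite lists overlap, which deserves a one-line comment. The three blank lines at L109-L111 before the separator can be reduced to one.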
@@ -315,6 +373,37 @@ tls_upgrade_with_timeout(Config) when is_list(Config) ->
ssl_test_lib:close(Server),
ssl_test_lib:close(Client).
+tls_upgrade_with_client_timeout() ->
+ [{doc,"Test upgrade with connect/3 and a timeout value"}].
+
+tls_upgrade_with_client_timeout(Config) when is_list(Config) ->
+ ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config),
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ TcpOpts = [binary, {reuseaddr, true}],
+
+ Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE,
+ upgrade_result, []}},
+ {tcp_options,
+ [{active, false} | TcpOpts]},
+ {ssl_options, [{verify, verify_peer} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_upgrade_client_error([{node, ClientNode},
+ {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {timeout, 0},
+ {mfa, {?MODULE, upgrade_result, []}},
+ {tcp_options, [binary]},
+ {ssl_options, [{verify, verify_peer},
+ {server_name_indication, Hostname} | ClientOpts]}]),
+
+ ct:log("Testcase ~p, Client ~p Server ~p", [self(), Client, Server]),
+ ok = ssl_test_lib:check_result(Client, {error, timeout}),
+ ssl_test_lib:close(Server).
+
%%--------------------------------------------------------------------
tls_downgrade() ->
[{doc,"Test that you can downgarde an ssl connection to an tcp connection"}].
@@ -659,7 +748,7 @@ tls_dont_crash_on_handshake_garbage(Config) ->
% Ensure we receive an alert, not sudden disconnect
case Version of
'tlsv1.3' ->
- ssl_test_lib:check_server_alert(Server, illegal_parameter);
+ ssl_test_lib:check_server_alert(Server, protocol_version);
_ ->
ssl_test_lib:check_server_alert(Server, handshake_failure)
end.
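Review bot: The expected TLS 1.3 alert changes from illegal_parameter to protocol_version, but nothing in the test records why, and the existing comment only says that an alert is expected; the garbage payload and the start of the function are outside this hunk, so the reason is not visible here. A one-line comment beside the new clause, e.g. `% TLS 1.3: this garbage is rejected with protocol_version, not illegal_parameter — <reason>` with the reason filled in by the author, would keep the expected alert from looking arbitrary to the next reader.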
@@ -750,7 +839,7 @@ tls_app_data_in_initial_hs_state() ->
tls_app_data_in_initial_hs_state(Config) when is_list(Config) ->
ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
{_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
- Version = ssl_test_lib:protocol_version(Config, tuple),
+ Version = ssl_test_lib:protocol_version(Config, tuple),
{Major, Minor} = case Version of
{3,4} ->
{3,3};
@@ -763,19 +852,61 @@ tls_app_data_in_initial_hs_state(Config) when is_list(Config) ->
{options, [{versions, [ssl_test_lib:protocol_version(Config)]} | ServerOpts]}]),
Port = ssl_test_lib:inet_port(Server),
{ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]),
- AppData = <<?BYTE(?APPLICATION_DATA), ?BYTE(Major), ?BYTE(Minor), ?UINT16(3), ?BYTE($F), ?BYTE($O), ?BYTE($O)>>,
+ AppData = case Version of
+ {3, 4} ->
+ <<?BYTE(?APPLICATION_DATA), ?BYTE(3), ?BYTE(3), ?UINT16(4), ?BYTE($F),
+ ?BYTE($O), ?BYTE($O), ?BYTE(?APPLICATION_DATA)>>;
+ _ ->
+ <<?BYTE(?APPLICATION_DATA), ?BYTE(Major), ?BYTE(Minor),
+ ?UINT16(3), ?BYTE($F), ?BYTE($O), ?BYTE($O)>>
+ end,
gen_tcp:send(Socket, AppData),
- UnexpectedMsgAlert =
- case Version of
- {_, 4} ->
- <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2), ?BYTE(?FATAL), ?BYTE(?DECODE_ERROR)>>;
- _ ->
- <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2), ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>
- end,
+ UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2),
+ ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>,
+ {ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7),
+ {error, closed} = gen_tcp:recv(Socket, 0).
+%%--------------------------------------------------------------------
+tls_13_reject_change_cipher_spec_as_first_msg() ->
+ [{doc,"change_cipher_spec messages can be sent in TLS-1.3 middlebox_comp_mode, but can not be sent as first msg"}].
+tls_13_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) ->
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib, no_result, []}},
+ {options, [{versions, [ssl_test_lib:protocol_version(Config)]} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ {ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]),
+ ChangeCipherSpec = <<?BYTE(?CHANGE_CIPHER_SPEC), ?BYTE(3), ?BYTE(3),
+ ?UINT16(1), ?BYTE(?CHANGE_CIPHER_SPEC_PROTO)>>,
+ gen_tcp:send(Socket, ChangeCipherSpec),
+ UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(3), ?BYTE(3), ?UINT16(2),
+ ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>,
{ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7),
{error, closed} = gen_tcp:recv(Socket, 0).
%%--------------------------------------------------------------------
+tls_13_middlebox_reject_change_cipher_spec_as_first_msg() ->
+ [{doc,"change_cipher_spec messages can be sent in TLS-1.3 middlebox_comp_mode, but can not be sent as first msg"}].
+tls_13_middlebox_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) ->
+ ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
+ {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib, no_result, []}},
+ {options, [{middlebox_comp_mode, false},
+ {versions, [ssl_test_lib:protocol_version(Config)]}
+ | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ {ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]),
+ ChangeCipherSpec = <<?BYTE(?CHANGE_CIPHER_SPEC), ?BYTE(3), ?BYTE(3),
+ ?UINT16(1), ?BYTE(?CHANGE_CIPHER_SPEC_PROTO)>>,
+ gen_tcp:send(Socket, ChangeCipherSpec),
+ UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(3), ?BYTE(3), ?UINT16(2),
+ ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>,
+ {ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7),
+ {error, closed} = gen_tcp:recv(Socket, 0).
+%%--------------------------------------------------------------------
peername() ->
[{doc,"Test API function peername/1"}].
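Review bot: tls_13_reject_change_cipher_spec_as_first_msg and tls_13_middlebox_reject_change_cipher_spec_as_first_msg at L198-L234 are identical apart from the `{middlebox_comp_mode, false}` server option, so the shared body should become a private helper taking the extra server options: `tls_13_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) -> reject_ccs_as_first_msg(Config, []).` and `tls_13_middlebox_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) -> reject_ccs_as_first_msg(Config, [{middlebox_comp_mode, false}]).`. The doc at L216 is a copy of L197 and should instead say that the rejection is expected even with middlebox compatibility mode disabled, which is what RFC 8446 §5 requires for a change_cipher_spec received before the first ClientHello. In both new tests, as at L183, the result of `gen_tcp:send/2` is discarded; match it assertively, `ok = gen_tcp:send(Socket, ChangeCipherSpec)`, so a send failure is reported where it happens rather than as a confusing recv mismatch. The trailing `?BYTE(?APPLICATION_DATA)` in the TLS 1.3 record at L177-L178 looks like the TLSInnerPlaintext content-type byte; a comment saying so would explain why that branch carries a 4-byte payload.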
@@ -1304,3 +1435,13 @@ session_info(_) ->
count_children(ChildType, SupRef) ->
proplists:get_value(ChildType, supervisor:count_children(SupRef)).
+
+
+new_versions('tlsv1.3') ->
+ ['tlsv1.2'];
+new_versions('tlsv1.2') ->
+ ['tlsv1.1'];
+new_versions('tlsv1.1') ->
+ ['tlsv1'];
+new_versions('tlsv1') ->
+ ['tlsv1'].
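Review bot: `new_versions('tlsv1')` returns `['tlsv1']`, the same version it was given, so for the tlsv1 group the sni_fun test in tls_upgrade_new_opts_with_sni_fun cannot distinguish a sni_fun whose versions option is applied from one that is ignored. Either document this as deliberate, `%% 'tlsv1' has no lower TLS version; for that group the sni_fun test degenerates to a plain upgrade`, or remove tls_upgrade_new_opts_with_sni_fun from the 'tlsv1' group in groups() so the suite only runs it where it is meaningful.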