Diffstat (limited to 'lib/ssl/test/tls_api_SUITE.erl')
-rw-r--r-- | lib/ssl/test/tls_api_SUITE.erl | 163 |
1 files changed, 152 insertions, 11 deletions
diff --git a/lib/ssl/test/tls_api_SUITE.erl b/lib/ssl/test/tls_api_SUITE.erl index 4dd32ab0dc..ccba623861 100644 --- a/lib/ssl/test/tls_api_SUITE.erl +++ b/lib/ssl/test/tls_api_SUITE.erl @@ -28,6 +28,7 @@ -include_lib("ssl/src/ssl_api.hrl"). -include_lib("ssl/src/tls_handshake.hrl"). -include_lib("ssl/src/ssl_alert.hrl"). +-include_lib("ssl/src/ssl_cipher.hrl"). %% Common test -export([all/0, @@ -45,8 +46,12 @@ tls_upgrade/1, tls_upgrade_new_opts/0, tls_upgrade_new_opts/1, + tls_upgrade_new_opts_with_sni_fun/0, + tls_upgrade_new_opts_with_sni_fun/1, tls_upgrade_with_timeout/0, tls_upgrade_with_timeout/1, + tls_upgrade_with_client_timeout/0, + tls_upgrade_with_client_timeout/1, tls_downgrade/0, tls_downgrade/1, tls_shutdown/0, @@ -85,6 +90,10 @@ tls_reject_fake_warning_alert_in_initial_hs/1, tls_app_data_in_initial_hs_state/0, tls_app_data_in_initial_hs_state/1, + tls_13_reject_change_cipher_spec_as_first_msg/0, + tls_13_reject_change_cipher_spec_as_first_msg/1, + tls_13_middlebox_reject_change_cipher_spec_as_first_msg/0, + tls_13_middlebox_reject_change_cipher_spec_as_first_msg/1, peername/0, peername/1, sockname/0, @@ -133,7 +142,8 @@ all() -> groups() -> [ - {'tlsv1.3', [], api_tests() -- [sockname]}, + {'tlsv1.3', [], (api_tests() ++ [tls_13_reject_change_cipher_spec_as_first_msg, + tls_13_middlebox_reject_change_cipher_spec_as_first_msg]) -- [sockname]}, {'tlsv1.2', [], api_tests()}, {'tlsv1.1', [], api_tests()}, {'tlsv1', [], api_tests()} @@ -143,7 +153,9 @@ api_tests() -> [ tls_upgrade, tls_upgrade_new_opts, + tls_upgrade_new_opts_with_sni_fun, tls_upgrade_with_timeout, + tls_upgrade_with_client_timeout, tls_downgrade, tls_shutdown, tls_shutdown_write, 
@@ -280,6 +292,52 @@ tls_upgrade_new_opts(Config) when is_list(Config) -> ssl_test_lib:close(Client). %%-------------------------------------------------------------------- +tls_upgrade_new_opts_with_sni_fun() -> + [{doc,"Test that you can upgrade an tcp connection to an ssl connection with new versions option provided by sni_fun"}]. + +tls_upgrade_new_opts_with_sni_fun(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + TcpOpts = [binary, {reuseaddr, true}], + Version = ssl_test_lib:protocol_version(Config), + NewVersions = new_versions(Version), + Ciphers = ssl:filter_cipher_suites(ssl:cipher_suites(all, Version), []), + + NewOpts = [{versions, NewVersions}, + {ciphers, Ciphers}, + {verify, verify_peer}], + + Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {?MODULE, + upgrade_result, []}}, + {tcp_options, + [{active, false} | TcpOpts]}, + {ssl_options, [{versions, [Version |NewVersions]}, {sni_fun, fun(_SNI) -> ServerOpts ++ NewOpts end}]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_upgrade_client([{node, ClientNode}, + {port, Port}, + {host, Hostname}, + {from, self()}, + {mfa, {?MODULE, upgrade_result, []}}, + {tcp_options, [binary]}, + {ssl_options, [{verify, verify_peer}, + {versions, [Version |NewVersions]}, + {ciphers, Ciphers}, + {server_name_indication, Hostname} | ClientOpts]}]), + + ct:log("Testcase ~p, Client ~p Server ~p ~n", + [self(), Client, Server]), + + ssl_test_lib:check_result(Server, ok, Client, ok), + + ssl_test_lib:close(Server), + ssl_test_lib:close(Client). + + + +%%-------------------------------------------------------------------- tls_upgrade_with_timeout() -> [{doc,"Test handshake/3"}]. 
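Review bot: The new test never verifies that the version supplied through sni_fun was the one negotiated: both peers are configured with `{versions, [Version | NewVersions]}` and the only result checked is `upgrade_result` returning ok, so a server that ignored the sni_fun options and negotiated `Version` would still pass. Use an MFA that receives the socket and asserts the negotiated protocol, e.g. `{ok, [{protocol, Proto}]} = ssl:connection_information(Socket, [protocol])` followed by `Proto = hd(NewVersions)`; in the 'tlsv1' group the two versions coincide (see `new_versions/1`), so the check is vacuous there and a comment should say so. The `ciphers` list is built for `Version` while the sni_fun switches the server to `NewVersions`; a one-line comment explaining that the list is intentionally a superset of what the lower version can use would help the next reader. `upgrade_result/1` is defined outside this hunk, so what it checks is inferred.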
@@ -315,6 +373,37 @@ tls_upgrade_with_timeout(Config) when is_list(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). +tls_upgrade_with_client_timeout() -> + [{doc,"Test upgrade with connect/3 and a timeout value"}]. + +tls_upgrade_with_client_timeout(Config) when is_list(Config) -> + ClientOpts = ssl_test_lib:ssl_options(client_rsa_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + TcpOpts = [binary, {reuseaddr, true}], + + Server = ssl_test_lib:start_upgrade_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {?MODULE, + upgrade_result, []}}, + {tcp_options, + [{active, false} | TcpOpts]}, + {ssl_options, [{verify, verify_peer} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + Client = ssl_test_lib:start_upgrade_client_error([{node, ClientNode}, + {port, Port}, + {host, Hostname}, + {from, self()}, + {timeout, 0}, + {mfa, {?MODULE, upgrade_result, []}}, + {tcp_options, [binary]}, + {ssl_options, [{verify, verify_peer}, + {server_name_indication, Hostname} | ClientOpts]}]), + + ct:log("Testcase ~p, Client ~p Server ~p", [self(), Client, Server]), + ok = ssl_test_lib:check_result(Client, {error, timeout}), + ssl_test_lib:close(Server). + %%-------------------------------------------------------------------- tls_downgrade() -> [{doc,"Test that you can downgarde an ssl connection to an tcp connection"}]. @@ -659,7 +748,7 @@ tls_dont_crash_on_handshake_garbage(Config) -> % Ensure we receive an alert, not sudden disconnect case Version of 'tlsv1.3' -> - ssl_test_lib:check_server_alert(Server, illegal_parameter); + ssl_test_lib:check_server_alert(Server, protocol_version); _ -> ssl_test_lib:check_server_alert(Server, handshake_failure) end. 
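Review bot: With `{timeout, 0}` the handshake timer presumably fires before any ServerHello can be processed, so this test only proves that the Timeout argument of connect/3 is honoured, not that a stalled peer is detected; the doc line should say that, e.g. `[{doc,"Test upgrade with connect/3 and a zero timeout; the handshake is expected to abort with {error, timeout} before any server message is processed"}]`. The server's result is never consumed before `ssl_test_lib:close(Server)`, so if `start_upgrade_server` reports the failed accept to `from` the message is left in the test process mailbox; if that is intended, a short comment on the `close(Server)` line would make it explicit.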
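Review bot: The expected TLS-1.3 alert for handshake garbage is changed from illegal_parameter to protocol_version without any comment saying why unparseable handshake bytes are now classified as a version problem rather than a decoding one; add a comment above the `'tlsv1.3' ->` clause such as `%% Garbage cannot be parsed as a ClientHello, so the TLS-1.3 server answers with protocol_version instead of illegal_parameter`, adjusted to the actual reason the server implementation changed. The enclosing function `tls_dont_crash_on_handshake_garbage/1` starts outside this hunk.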
@@ -750,7 +839,7 @@ tls_app_data_in_initial_hs_state() -> tls_app_data_in_initial_hs_state(Config) when is_list(Config) -> ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config), - Version = ssl_test_lib:protocol_version(Config, tuple), + Version = ssl_test_lib:protocol_version(Config, tuple), {Major, Minor} = case Version of {3,4} -> {3,3}; 
@@ -763,19 +852,61 @@ tls_app_data_in_initial_hs_state(Config) when is_list(Config) -> {options, [{versions, [ssl_test_lib:protocol_version(Config)]} | ServerOpts]}]), Port = ssl_test_lib:inet_port(Server), {ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]), - AppData = <<?BYTE(?APPLICATION_DATA), ?BYTE(Major), ?BYTE(Minor), ?UINT16(3), ?BYTE($F), ?BYTE($O), ?BYTE($O)>>, + AppData = case Version of + {3, 4} -> + <<?BYTE(?APPLICATION_DATA), ?BYTE(3), ?BYTE(3), ?UINT16(4), ?BYTE($F), + ?BYTE($O), ?BYTE($O), ?BYTE(?APPLICATION_DATA)>>; + _ -> + <<?BYTE(?APPLICATION_DATA), ?BYTE(Major), ?BYTE(Minor), + ?UINT16(3), ?BYTE($F), ?BYTE($O), ?BYTE($O)>> + end, gen_tcp:send(Socket, AppData), - UnexpectedMsgAlert = - case Version of - {_, 4} -> - <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2), ?BYTE(?FATAL), ?BYTE(?DECODE_ERROR)>>; - _ -> - <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2), ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>> - end, + UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(Major), ?BYTE(Minor), ?UINT16(2), + ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>, + {ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7), + {error, closed} = gen_tcp:recv(Socket, 0). +%%-------------------------------------------------------------------- +tls_13_reject_change_cipher_spec_as_first_msg() -> + [{doc,"change_cipher_spec messages can be sent in TLS-1.3 middlebox_comp_mode, but can not be sent as first msg"}]. 
+tls_13_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) -> + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{versions, [ssl_test_lib:protocol_version(Config)]} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + {ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]), + ChangeCipherSpec = <<?BYTE(?CHANGE_CIPHER_SPEC), ?BYTE(3), ?BYTE(3), + ?UINT16(1), ?BYTE(?CHANGE_CIPHER_SPEC_PROTO)>>, + gen_tcp:send(Socket, ChangeCipherSpec), + UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(3), ?BYTE(3), ?UINT16(2), + ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>, {ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7), {error, closed} = gen_tcp:recv(Socket, 0). %%-------------------------------------------------------------------- +tls_13_middlebox_reject_change_cipher_spec_as_first_msg() -> + [{doc,"change_cipher_spec messages can be sent in TLS-1.3 middlebox_comp_mode, but can not be sent as first msg"}]. 
+tls_13_middlebox_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) -> + ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config), + {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config), + Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, no_result, []}}, + {options, [{middlebox_comp_mode, false}, + {versions, [ssl_test_lib:protocol_version(Config)]} + | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + {ok, Socket} = gen_tcp:connect("localhost", Port, [{active, false}, binary]), + ChangeCipherSpec = <<?BYTE(?CHANGE_CIPHER_SPEC), ?BYTE(3), ?BYTE(3), + ?UINT16(1), ?BYTE(?CHANGE_CIPHER_SPEC_PROTO)>>, + gen_tcp:send(Socket, ChangeCipherSpec), + UnexpectedMsgAlert = <<?BYTE(?ALERT), ?BYTE(3), ?BYTE(3), ?UINT16(2), + ?BYTE(?FATAL), ?BYTE(?UNEXPECTED_MESSAGE)>>, + {ok, UnexpectedMsgAlert} = gen_tcp:recv(Socket, 7), + {error, closed} = gen_tcp:recv(Socket, 0). +%%-------------------------------------------------------------------- peername() -> [{doc,"Test API function peername/1"}]. @@ -1304,3 +1435,13 @@ session_info(_) -> count_children(ChildType, SupRef) -> proplists:get_value(ChildType, supervisor:count_children(SupRef)). + + +new_versions('tlsv1.3') -> + ['tlsv1.2']; +new_versions('tlsv1.2') -> + ['tlsv1.1']; +new_versions('tlsv1.1') -> + ['tlsv1']; +new_versions('tlsv1') -> + ['tlsv1']. |
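Review bot: `tls_13_reject_change_cipher_spec_as_first_msg/1` and `tls_13_middlebox_reject_change_cipher_spec_as_first_msg/1` are byte-identical apart from the extra `{middlebox_comp_mode, false}` server option, and both carry the same doc string, so the doc of the middlebox variant does not say what it adds. Factor the body into a helper taking the extra server options, and give the middlebox variant a doc such as `[{doc,"A change_cipher_spec record before the ClientHello is rejected with unexpected_message even when middlebox_comp_mode is disabled"}]`. The hard-coded `3, 3` record version in `ChangeCipherSpec` and in the TLS-1.3 branch of `AppData` is the legacy_record_version TLS 1.3 requires, which deserves a one-line comment so it is not "fixed" to 3,4 later.
```erlang
tls_13_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) ->
    reject_ccs_as_first_msg(Config, []).

tls_13_middlebox_reject_change_cipher_spec_as_first_msg(Config) when is_list(Config) ->
    reject_ccs_as_first_msg(Config, [{middlebox_comp_mode, false}]).

%% Send a change_cipher_spec record before any ClientHello and expect a fatal
%% unexpected_message alert followed by close, whatever ExtraServerOpts holds.
reject_ccs_as_first_msg(Config, ExtraServerOpts) ->
    ServerOpts = ssl_test_lib:ssl_options(server_rsa_opts, Config),
    {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
                                        {from, self()},
                                        {mfa, {ssl_test_lib, no_result, []}},
                                        {options, ExtraServerOpts ++
                                             [{versions, [ssl_test_lib:protocol_version(Config)]}
                                              | ServerOpts]}]),
    %% … unchanged: connect, send the CCS record, expect the alert and close …
```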
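Review bot: `new_versions('tlsv1') -> ['tlsv1']` returns the same version it is given, so for the 'tlsv1' group the "new versions" handed out by sni_fun are not new at all and that test cannot detect a server that ignores them; this is not stated anywhere. Add a comment above the clause, e.g. `%% 'tlsv1' is the lowest supported version, so there is no lower version to switch to; the sni_fun test degenerates to a plain upgrade there`, and a `-spec new_versions(ssl:tls_version()) -> [ssl:tls_version()].` so Dialyzer can check the callers.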