Diffstat (limited to 'lib/ssl/test')
-rw-r--r-- | lib/ssl/test/Makefile | 2 | ||||
-rw-r--r-- | lib/ssl/test/openssl_key_update_SUITE.erl | 134 | ||||
-rw-r--r-- | lib/ssl/test/openssl_session_ticket_SUITE.erl | 409 | ||||
-rw-r--r-- | lib/ssl/test/ssl_cipher_suite_SUITE.erl | 95 | ||||
-rw-r--r-- | lib/ssl/test/ssl_key_update_SUITE.erl | 99 | ||||
-rw-r--r-- | lib/ssl/test/ssl_session_SUITE.erl | 184 | ||||
-rw-r--r-- | lib/ssl/test/ssl_session_ticket_SUITE.erl | 385 | ||||
-rw-r--r-- | lib/ssl/test/ssl_test_lib.erl | 37 |
8 files changed, 912 insertions, 433 deletions
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 1bd4c2c910..e53f54130f 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -67,6 +67,7 @@ MODULES = \
 	ssl_engine_SUITE\
 	ssl_handshake_SUITE \
 	ssl_key_update_SUITE \
+	openssl_key_update_SUITE \
 	ssl_npn_hello_SUITE \
 	ssl_packet_SUITE \
 	ssl_payload_SUITE \
@@ -74,6 +75,7 @@ MODULES = \
 	ssl_session_SUITE \
 	ssl_session_cache_SUITE \
 	ssl_session_ticket_SUITE \
+	openssl_session_ticket_SUITE \
 	openssl_session_SUITE \
 	ssl_ECC_SUITE \
 	ssl_ECC_openssl_SUITE \
diff --git a/lib/ssl/test/openssl_key_update_SUITE.erl b/lib/ssl/test/openssl_key_update_SUITE.erl
new file mode 100644
index 0000000000..4963f0bb30
--- /dev/null
+++ b/lib/ssl/test/openssl_key_update_SUITE.erl
@@ -0,0 +1,134 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2020-2020. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% +-module(openssl_key_update_SUITE). + +%% Callback functions +-export([all/0, + groups/0, + init_per_suite/1, + end_per_suite/1, + init_per_group/2, + end_per_group/2, + init_per_testcase/2, + end_per_testcase/2]). + +%% Testcases +-export([openssl_client_explicit_key_update/0, + openssl_client_explicit_key_update/1, + openssl_server_explicit_key_update/0, + openssl_server_explicit_key_update/1]). + +-include_lib("common_test/include/ct.hrl"). + +all() -> + [{group, 'tlsv1.3'}]. + +groups() -> + [{'tlsv1.3', [], tls_1_3_tests()}]. + +tls_1_3_tests() -> + [openssl_client_explicit_key_update, + openssl_server_explicit_key_update]. + +init_per_suite(Config0) -> + catch crypto:stop(), + try crypto:start() of + ok -> + ssl_test_lib:clean_start(), + case proplists:get_bool(ecdh, proplists:get_value(public_keys, crypto:supports())) of + true -> + ssl_test_lib:make_ecdsa_cert(Config0); + false -> + {skip, "Missing EC crypto support"} + end + catch _:_ -> + {skip, "Crypto did not start"} + end. + +end_per_suite(_Config) -> + ssl:stop(), + application:unload(ssl), + application:stop(crypto). + +init_per_group(GroupName, Config) -> + ssl_test_lib:init_per_group_openssl(GroupName, Config). + +end_per_group(GroupName, Config) -> + ssl_test_lib:end_per_group(GroupName, Config). 
+ +init_per_testcase(_TestCase, Config) -> + ssl_test_lib:ct_log_supported_protocol_versions(Config), + ct:timetrap({seconds, 10}), + Config. + +end_per_testcase(_TestCase, Config) -> + Config. + + +%%-------------------------------------------------------------------- +%% Test Cases -------------------------------------------------------- +%%-------------------------------------------------------------------- + +openssl_client_explicit_key_update() -> + [{doc,"Test ssl:update_key/2 between openssl s_client and erlang server."}]. + +openssl_client_explicit_key_update(Config) -> + Data = "123456789012345", %% 15 bytes + + Server = ssl_test_lib:start_server(erlang, [{log_level, debug}], Config), + Port = ssl_test_lib:inet_port(Server), + + Client = ssl_test_lib:start_client(openssl, [{port, Port}], Config), + ssl_test_lib:send_recv_result_active(Client, Server, Data), + + %% TODO s_client can hang after sending special commands e.g "k", "K" + %% ssl_test_lib:update_keys(Client, write), + %% ssl_test_lib:update_keys(Client, read_write), + ssl_test_lib:update_keys(Server, write), + ssl_test_lib:update_keys(Server, read_write), + + ssl_test_lib:send_recv_result_active(Client, Server, Data), + + ssl_test_lib:close(Client), + ssl_test_lib:close(Server). + +openssl_server_explicit_key_update() -> + [{doc,"Test ssl:update_key/2 between ssl client and s_server."}]. 
+ +openssl_server_explicit_key_update(Config) -> + Data = "123456789012345", %% 15 bytes + + Server = ssl_test_lib:start_server(openssl, [], Config), + Port = ssl_test_lib:inet_port(Server), + + Client = ssl_test_lib:start_client(erlang, [{port, Port}, + {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}],Config), + ssl_test_lib:send_recv_result_active(Server, Client, Data), + + ssl_test_lib:update_keys(Client, write), + ssl_test_lib:update_keys(Client, read_write), + ssl_test_lib:update_keys(Server, write), + ssl_test_lib:update_keys(Server, read_write), + + ssl_test_lib:send_recv_result_active(Client, Server, Data), + + ssl_test_lib:close(Client), + ssl_test_lib:close(Server). diff --git a/lib/ssl/test/openssl_session_ticket_SUITE.erl b/lib/ssl/test/openssl_session_ticket_SUITE.erl new file mode 100644 index 0000000000..775048e355 --- /dev/null +++ b/lib/ssl/test/openssl_session_ticket_SUITE.erl 
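Review bot: Both new test cases only assert that `ssl_test_lib:send_recv_result_active/3` still succeeds after `ssl_test_lib:update_keys/2`, so an `update_key/2` that silently did nothing would pass this suite too; nothing observes that a KeyUpdate was sent or that the traffic keys changed. If ssl_test_lib offers no hook for that, a comment above the second `send_recv_result_active` call such as `%% Only checks that traffic survives the update; does not assert that new keys are in use` keeps the coverage limit visible. The `%% TODO s_client can hang after sending special commands` block in openssl_client_explicit_key_update means the client-initiated direction is not exercised against OpenSSL at all, which the `{doc, ...}` string for that case should say so the test name does not overstate what it covers. The 10-second `ct:timetrap` in `init_per_testcase` is generous for two round trips; a hang in s_client will burn it in full before the case is reported.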
@@ -0,0 +1,409 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2007-2020. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +-module(openssl_session_ticket_SUITE). + +%% Callback functions +-export([all/0, + groups/0, + init_per_suite/1, + end_per_suite/1, + init_per_group/2, + end_per_group/2, + init_per_testcase/2, + end_per_testcase/2]). + +%% Testcases +-export([openssl_server_basic/0, + openssl_server_basic/1, + openssl_server_hrr/0, + openssl_server_hrr/1, + openssl_server_hrr_multiple_tickets/0, + openssl_server_hrr_multiple_tickets/1, + openssl_client_basic/0, + openssl_client_basic/1, + openssl_client_hrr/0, + openssl_client_hrr/1]). + +-include("tls_handshake.hrl"). + +-include_lib("common_test/include/ct.hrl"). + +-define(SLEEP, 500). + +%%-------------------------------------------------------------------- +%% Common Test interface functions ----------------------------------- +%%-------------------------------------------------------------------- +all() -> + [ + {group, 'tlsv1.3'} + ]. + +groups() -> + [{'tlsv1.3', [], [{group, stateful}, + {group, stateless}, + {group, openssl_server}]}, + {openssl_server, [], [openssl_server_basic, + openssl_server_hrr, + openssl_server_hrr_multiple_tickets + ]}, + {stateful, [], session_tests()}, + {stateless, [], session_tests()}]. + +session_tests() -> + [openssl_client_basic, + openssl_client_hrr]. 
+ +init_per_suite(Config0) -> + catch crypto:stop(), + try crypto:start() of + ok -> + ssl_test_lib:clean_start(), + ssl_test_lib:make_rsa_cert(Config0) + catch _:_ -> + {skip, "Crypto did not start"} + end. + +end_per_suite(_Config) -> + ssl:stop(), + application:stop(crypto). + +init_per_group(stateful, Config) -> + [{server_ticket_mode, stateful} | proplists:delete(server_ticket_mode, Config)]; +init_per_group(stateless, Config) -> + [{server_ticket_mode, stateless} | proplists:delete(server_ticket_mode, Config)]; +init_per_group(GroupName, Config) -> + ssl_test_lib:init_per_group_openssl(GroupName, Config). + +end_per_group(GroupName, Config) -> + ssl_test_lib:end_per_group(GroupName, Config). + +init_per_testcase(_TestCase, Config) -> + ssl:stop(), + application:load(ssl), + ssl:start(), + ct:timetrap({seconds, 15}), + Config. + +end_per_testcase(_TestCase, Config) -> + Config. + +%%-------------------------------------------------------------------- +%% Test Cases -------------------------------------------------------- +%%-------------------------------------------------------------------- + +openssl_server_basic() -> + [{doc,"Test session resumption with session tickets (erlang client - openssl server)"}]. 
+openssl_server_basic(Config) when is_list(Config) -> + process_flag(trap_exit, true), + ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), + + Version = 'tlsv1.3', + Port = ssl_test_lib:inet_port(node()), + CertFile = proplists:get_value(certfile, ServerOpts), + CACertFile = proplists:get_value(cacertfile, ServerOpts), + KeyFile = proplists:get_value(keyfile, ServerOpts), + + %% Configure session tickets + ClientOpts = [{session_tickets, auto}, {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], + + Exe = "openssl", + Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), + "-cert", CertFile,"-key", KeyFile, "-CAfile", CACertFile, "-msg", "-debug"], + + OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), + + ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), + + %% Store ticket from first connection + Client0 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [false, no_reply]}}, + {from, self()}, {options, ClientOpts}]), + %% Wait for session ticket + ct:sleep(100), + + %% Close previous connection as s_server can only handle one at a time + ssl_test_lib:close(Client0), + + %% Use ticket + Client1 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [true, no_reply]}}, + {from, self()}, + {options, ClientOpts}]), + process_flag(trap_exit, false), + + %% Clean close down! Server needs to be closed first !! + ssl_test_lib:close_port(OpensslPort), + ssl_test_lib:close(Client1). + +openssl_client_basic() -> + [{doc,"Test session resumption with session tickets (openssl client - erlang server)"}]. 
+openssl_client_basic(Config) when is_list(Config) -> + ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + TicketFile0 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket0"]), + TicketFile1 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket1"]), + ServerTicketMode = proplists:get_value(server_ticket_mode, Config), + + Data = "Hello world", + + %% Configure session tickets + ServerOpts = [{session_tickets, ServerTicketMode}, {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0], + + Server0 = + ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [false]}}, + {options, ServerOpts}]), + + Version = 'tlsv1.3', + Port0 = ssl_test_lib:inet_port(Server0), + + Exe = "openssl", + Args0 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) + ++ ":" ++ integer_to_list(Port0), + ssl_test_lib:version_flag(Version), + "-sess_out", TicketFile0], + + OpenSslPort0 = ssl_test_lib:portable_open_port(Exe, Args0), + + true = port_command(OpenSslPort0, Data), + + ssl_test_lib:check_result(Server0, ok), + + Server0 ! {listen, {mfa, {ssl_test_lib, + verify_active_session_resumption, + [true]}}}, + + %% Wait for session ticket + ct:sleep(100), + + Args1 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) + ++ ":" ++ integer_to_list(Port0), + ssl_test_lib:version_flag(Version), + "-sess_in", TicketFile0, + "-sess_out", TicketFile1], + + OpenSslPort1 = ssl_test_lib:portable_open_port(Exe, Args1), + + true = port_command(OpenSslPort1, Data), + + ssl_test_lib:check_result(Server0, ok), + + %% Clean close down! Server needs to be closed first !! + ssl_test_lib:close(Server0), + ssl_test_lib:close_port(OpenSslPort0), + ssl_test_lib:close_port(OpenSslPort1). 
+ +openssl_server_hrr() -> + [{doc,"Test session resumption with session tickets and hello_retry_request (erlang client - openssl server)"}]. +openssl_server_hrr(Config) when is_list(Config) -> + process_flag(trap_exit, true), + ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), + + Version = 'tlsv1.3', + Port = ssl_test_lib:inet_port(node()), + CertFile = proplists:get_value(certfile, ServerOpts), + CACertFile = proplists:get_value(cacertfile, ServerOpts), + KeyFile = proplists:get_value(keyfile, ServerOpts), + + %% Configure session tickets + ClientOpts = [{session_tickets, auto}, {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}, + {supported_groups,[secp256r1, x25519]}|ClientOpts0], + + Exe = "openssl", + Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), + "-cert", CertFile, + "-key", KeyFile, + "-CAfile", CACertFile, + "-groups", "X448:X25519", + "-msg", "-debug"], + + OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), + + ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), + + %% Store ticket from first connection + Client0 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [false, no_reply]}}, + {from, self()}, {options, ClientOpts}]), + %% Wait for session ticket + ct:sleep(100), + + %% Close previous connection as s_server can only handle one at a time + ssl_test_lib:close(Client0), + + %% Use ticket + Client1 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [true, no_reply]}}, + {from, self()}, + {options, ClientOpts}]), + process_flag(trap_exit, false), + + %% Clean close down! Server needs to be closed first !! 
+ ssl_test_lib:close_port(OpensslPort), + ssl_test_lib:close(Client1). + +openssl_client_hrr() -> + [{doc,"Test session resumption with session tickets and hello_retry_request (openssl client - erlang server)"}]. +openssl_client_hrr(Config) when is_list(Config) -> + ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + TicketFile0 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket0"]), + TicketFile1 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket1"]), + ServerTicketMode = proplists:get_value(server_ticket_mode, Config), + + Data = "Hello world", + + %% Configure session tickets + ServerOpts = [{session_tickets, ServerTicketMode}, {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}, + {supported_groups,[x448, x25519]}|ServerOpts0], + + Server0 = + ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, + {from, self()}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [false]}}, + {options, ServerOpts}]), + + Version = 'tlsv1.3', + Port0 = ssl_test_lib:inet_port(Server0), + + Exe = "openssl", + Args0 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) + ++ ":" ++ integer_to_list(Port0), + ssl_test_lib:version_flag(Version), + "-groups", "P-256:X25519", + "-sess_out", TicketFile0], + + OpenSslPort0 = ssl_test_lib:portable_open_port(Exe, Args0), + + true = port_command(OpenSslPort0, Data), + + ssl_test_lib:check_result(Server0, ok), + + Server0 ! 
{listen, {mfa, {ssl_test_lib, + verify_active_session_resumption, + [true]}}}, + + %% Wait for session ticket + ct:sleep(100), + + Args1 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) + ++ ":" ++ integer_to_list(Port0), + ssl_test_lib:version_flag(Version), + "-groups", "P-256:X25519", + "-sess_in", TicketFile0, + "-sess_out", TicketFile1], + + OpenSslPort1 = ssl_test_lib:portable_open_port(Exe, Args1), + + true = port_command(OpenSslPort1, Data), + + ssl_test_lib:check_result(Server0, ok), + + %% Clean close down! Server needs to be closed first !! + ssl_test_lib:close(Server0), + ssl_test_lib:close_port(OpenSslPort0), + ssl_test_lib:close_port(OpenSslPort1). + +openssl_server_hrr_multiple_tickets() -> + [{doc,"Test session resumption with multiple session tickets and hello_retry_request (erlang client - openssl server)"}]. +openssl_server_hrr_multiple_tickets(Config) when is_list(Config) -> + process_flag(trap_exit, true), + ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), + ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), + + Version = 'tlsv1.3', + Port = ssl_test_lib:inet_port(node()), + CertFile = proplists:get_value(certfile, ServerOpts), + CACertFile = proplists:get_value(cacertfile, ServerOpts), + KeyFile = proplists:get_value(keyfile, ServerOpts), + + %% Configure session tickets + ClientOpts = [{session_tickets, manual}, {log_level, debug}, + {versions, ['tlsv1.2','tlsv1.3']}, + {supported_groups,[secp256r1, x25519]}|ClientOpts0], + + Exe = "openssl", + Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), + "-cert", CertFile, + "-key", KeyFile, + "-CAfile", CACertFile, + "-groups", "X448:X25519", + "-msg", "-debug"], + + OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), + + ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), + + %% Store ticket from first 
connection + Client0 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [false, no_reply, {tickets, 2}]}}, + {from, self()}, {options, ClientOpts}]), + + Tickets0 = ssl_test_lib:check_tickets(Client0), + + ct:pal("Received tickets: ~p~n", [Tickets0]), + + %% Close previous connection as s_server can only handle one at a time + ssl_test_lib:close(Client0), + + %% Use tickets + Client1 = ssl_test_lib:start_client([{node, ClientNode}, + {port, Port}, {host, Hostname}, + {mfa, {ssl_test_lib, + verify_active_session_resumption, + [true, no_reply, no_tickets]}}, + {from, self()}, + {options, [{use_ticket, Tickets0}|ClientOpts]}]), + + process_flag(trap_exit, false), + + %% Clean close down! Server needs to be closed first !! + ssl_test_lib:close_port(OpensslPort), + ssl_test_lib:close(Client1). diff --git a/lib/ssl/test/ssl_cipher_suite_SUITE.erl b/lib/ssl/test/ssl_cipher_suite_SUITE.erl index e598d662e9..855533cc3d 100644 --- a/lib/ssl/test/ssl_cipher_suite_SUITE.erl +++ b/lib/ssl/test/ssl_cipher_suite_SUITE.erl @@ -32,6 +32,7 @@ %%-------------------------------------------------------------------- all() -> [ + {group, 'tlsv1.3'}, {group, 'tlsv1.2'}, {group, 'tlsv1.1'}, {group, 'tlsv1'}, @@ -42,6 +43,7 @@ all() -> groups() -> [ + {'tlsv1.3', [], tls_1_3_kex()}, {'tlsv1.2', [], kex()}, {'tlsv1.1', [], kex()}, {'tlsv1', [], kex()}, @@ -60,6 +62,7 @@ groups() -> ecdhe_rsa_aes_256_gcm, ecdhe_rsa_chacha20_poly1305 ]}, + {ecdhe_1_3_rsa_cert, [], tls_1_3_cipher_suites()}, {ecdhe_ecdsa, [],[ecdhe_ecdsa_rc4_128, ecdhe_ecdsa_3des_ede_cbc, ecdhe_ecdsa_aes_128_cbc, @@ -127,6 +130,17 @@ groups() -> ]} ]. + +tls_1_3_kex() -> + [{group, ecdhe_1_3_rsa_cert}]. + +tls_1_3_cipher_suites() -> + [aes_256_gcm_sha384, + aes_128_gcm_sha256, + chacha20_poly1305_sha256, + aes_128_ccm_sha256 + ]. + kex() -> rsa() ++ ecdsa() ++ dss() ++ anonymous(). 
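Review bot: Resumption in openssl_server_basic, openssl_server_hrr, openssl_client_basic and openssl_client_hrr is gated on a bare `ct:sleep(100)` under `%% Wait for session ticket`, so on a slow CI host the second connection can start before the NewSessionTicket has been processed and the `verify_active_session_resumption` check for `true` fails spuriously; the `-define(SLEEP, 500)` at the top of the module is never referenced, which suggests a longer, tunable wait was intended. openssl_server_hrr_multiple_tickets already waits on a positive signal via `ssl_test_lib:check_tickets/1`; the other cases should do the same where the client-side API allows it, or at least use `?SLEEP` so the delay lives in one place. In openssl_client_basic and openssl_client_hrr the `-sess_out`/`-sess_in` files `session_ticket0` and `session_ticket1` are shared between test cases in priv_dir and never deleted, so if the first `s_client` fails to write its ticket the second run's outcome depends on a stale file from an earlier case rather than on this test; removing both files at the start of each case makes the run self-contained.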
@@ -186,7 +200,13 @@ end_per_suite(_Config) -> ssl:stop(), application:stop(crypto). - +init_per_group(GroupName, Config) when GroupName == ecdhe_1_3_rsa_cert -> + case proplists:get_bool(ecdh, proplists:get_value(public_keys, crypto:supports())) of + true -> + init_certs(GroupName, Config); + false -> + {skip, "Missing EC crypto support"} + end; init_per_group(GroupName, Config) when GroupName == ecdh_anon; GroupName == ecdhe_rsa; GroupName == ecdhe_psk -> 
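Review bot: The new `init_per_group` clause for `ecdhe_1_3_rsa_cert` gates an RSA-certificate group on ECDH support without saying why, while the following clause only does so for the explicitly ECDH key-exchange groups, so a reader may take the check for a copy-paste slip. A one-line `%% TLS 1.3 key exchange is always (EC)DHE, so EC support is required even with RSA certificates` above the `case` settles it. The same `proplists:get_bool(ecdh, proplists:get_value(public_keys, crypto:supports()))` expression appears in `init_per_suite` of the new openssl_key_update_SUITE; if ssl_test_lib already has a helper for this capability check both sites should call it rather than repeat the expression. The `init_per_group` function continues past the end of this hunk.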
@@ -318,6 +338,53 @@ init_per_testcase(TestCase, Config) when TestCase == psk_aes_256_ccm_8; _ -> {skip, "Missing AES_256_CCM crypto support"} end; +init_per_testcase(aes_256_gcm_sha384, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_256_gcm, SupCiphers)) andalso + (lists:member(sha384, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_256_GCM_SHA384 crypto support"} + end; +init_per_testcase(aes_128_gcm_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_256_gcm, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_128_GCM_SHA256 crypto support"} + end; +init_per_testcase(chacha20_poly1305_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(chacha20_poly1305, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) + of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing chacha20_poly1305_sha256 crypto support"} + end; +init_per_testcase(aes_128_ccm_sha256, Config) -> + SupCiphers = proplists:get_value(ciphers, crypto:supports()), + SupHashs = proplists:get_value(hashs, crypto:supports()), + case (lists:member(aes_128_ccm, SupCiphers)) andalso + (lists:member(sha256, SupHashs)) of + true -> + ct:timetrap({seconds, 5}), + Config; + _ -> + {skip, "Missing AES_128_CCM_SHA256 crypto support"} + end; init_per_testcase(TestCase, Config) -> Cipher = ssl_test_lib:test_cipher(TestCase, Config), SupCiphers = proplists:get_value(ciphers, crypto:supports()), 
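Review bot: The `init_per_testcase(aes_128_gcm_sha256, Config)` clause checks `lists:member(aes_256_gcm, SupCiphers)` instead of `aes_128_gcm`, so on a crypto build with AES-256-GCM but no AES-128-GCM the case runs and fails instead of being skipped, and on the reverse build it is skipped for no reason; the line should read `case (lists:member(aes_128_gcm, SupCiphers)) andalso`. The four new clauses differ only in the cipher/hash pair and the skip string, which is how the slip got in; a single clause matching the four atoms and calling a small helper that takes the cipher atom, hash atom and suite name would keep each pair on one line and make such mismatches visible. The catch-all `init_per_testcase(TestCase, Config) ->` clause that follows continues outside the hunk.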
@@ -335,7 +402,6 @@ end_per_testcase(_TestCase, Config) -> %%-------------------------------------------------------------------- %% Initializtion ------------------------------------------ %%-------------------------------------------------------------------- - init_certs(srp_rsa, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(rsa, rsa, DefConf, DefConf), @@ -367,6 +433,14 @@ init_certs(rsa, Config) -> [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; +init_certs(ecdhe_1_3_rsa_cert, Config) -> + ClientExt = x509_test:extensions([{key_usage, [digitalSignature]}]), + {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, + [[],[],[{extensions, ClientExt}]]}], + Config, "_peer_rsa_digitalsign"), + [{tls_config, #{server_config => ServerOpts, + client_config => ClientOpts}} | + proplists:delete(tls_config, Config)]; init_certs(dhe_dss, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(dsa, dsa, DefConf, DefConf), 
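Review bot: In the new `init_certs(ecdhe_1_3_rsa_cert, Config)` clause the extension list is bound to `ClientExt` but is applied to the third element of `server_chain`, i.e. the server's end-entity certificate, so the name misdescribes what it affects; `ServerExt` (or `PeerExt`, matching the `"_peer_rsa_digitalsign"` suffix) would read correctly. A short comment is also worth adding because the choice is what makes the group work: `%% TLS 1.3 servers must sign with their certificate, so the RSA end-entity cert needs digitalSignature rather than the key-transport usage used by pre-1.3 RSA key exchange`. The first hunk on this line (`@@ -335,7 +402,6 @@`) only drops a blank line and needs nothing.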
@@ -427,6 +501,22 @@ init_certs(_GroupName, Config) -> %% Test Cases -------------------------------------------------------- %%-------------------------------------------------------------------- +aes_256_gcm_sha384(Config) when is_list(Config)-> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_256_GCM_SHA384"), Version, Config). + +aes_128_gcm_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_128_GCM_SHA256"), Version, Config). + +chacha20_poly1305_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_CHACHA20_POLY1305_SHA256"), Version, Config). + +aes_128_ccm_sha256(Config) when is_list(Config) -> + Version = ssl_test_lib:protocol_version(Config), + cipher_suite_test(ssl:str_to_suite("TLS_AES_128_CCM_SHA256"), Version, Config). + %%-------------------------------------------------------------------- %% SRP -------------------------------------------------------- %%-------------------------------------------------------------------- @@ -775,3 +865,4 @@ test_ciphers(Kex, Cipher, Version) -> (_) -> false end}]). + diff --git a/lib/ssl/test/ssl_key_update_SUITE.erl b/lib/ssl/test/ssl_key_update_SUITE.erl index 32cbe0a5a1..2816f1a39e 100644 --- a/lib/ssl/test/ssl_key_update_SUITE.erl +++ b/lib/ssl/test/ssl_key_update_SUITE.erl @@ -19,7 +19,21 @@ %% -module(ssl_key_update_SUITE). --compile(export_all). +%% Callback functions +-export([all/0, + groups/0, + init_per_suite/1, + end_per_suite/1, + init_per_group/2, + end_per_group/2, + init_per_testcase/2, + end_per_testcase/2]). + +%% Testcases +-export([key_update_at/0, + key_update_at/1, + explicit_key_update/0, + explicit_key_update/1]). -include_lib("common_test/include/ct.hrl"). 
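Review bot: The four new test cases `aes_256_gcm_sha384/1` through `aes_128_ccm_sha256/1` are the same two lines with only the suite string changed, and `aes_256_gcm_sha384(Config) when is_list(Config)->` lacks the space before `->` that its three siblings have. A helper keeps the suite strings in one place: `tls_1_3_suite_test(SuiteStr, Config) -> Version = ssl_test_lib:protocol_version(Config), cipher_suite_test(ssl:str_to_suite(SuiteStr), Version, Config).` with each case reduced to `aes_256_gcm_sha384(Config) when is_list(Config) -> tls_1_3_suite_test("TLS_AES_256_GCM_SHA384", Config).`. The `@@ -775,3 +865,4 @@` hunk only appends a blank line at end of file, and the ssl_key_update_SUITE hunk replacing `-compile(export_all)` with explicit exports needs no change.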
@@ -30,10 +44,8 @@ groups() -> [{'tlsv1.3', [], tls_1_3_tests()}]. tls_1_3_tests() -> - [ssl_client_ssl_server_key_update_at, - ssl_client_ssl_server_explicit_key_update, - openssl_client_ssl_server_explicit_key_update, - ssl_client_openssl_server_explicit_key_update]. + [key_update_at, + explicit_key_update]. init_per_suite(Config0) -> catch crypto:stop(), @@ -56,28 +68,10 @@ end_per_suite(_Config) -> application:stop(crypto). init_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - case ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - [{client_type, erlang}, - {server_type, erlang}, {version, GroupName} - | ssl_test_lib:init_tls_version(GroupName, Config)]; - false -> - {skip, "Missing crypto support"} - end; - _ -> - ssl:start(), - Config - end. + ssl_test_lib:init_per_group(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(_TestCase, Config) -> ssl_test_lib:ct_log_supported_protocol_versions(Config), @@ -92,10 +86,10 @@ end_per_testcase(_TestCase, Config) -> %% Test Cases -------------------------------------------------------- %%-------------------------------------------------------------------- -ssl_client_ssl_server_key_update_at() -> +key_update_at() -> [{doc,"Test option 'key_update_at' between erlang client and erlang server."}]. -ssl_client_ssl_server_key_update_at(Config) -> +key_update_at(Config) -> %% {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), Data = "123456789012345", %% 15 bytes 
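Review bot: The second hunk (`@@ -56,28 +68,10 @@`) replaces an `init_per_group` that put `{client_type, erlang}`, `{server_type, erlang}` and `{version, GroupName}` into Config with a call to `ssl_test_lib:init_per_group/2`, and the ssl_test_lib changes are not in this chunk, so it is not visible here whether the helper sets the same keys. The test cases pass the peer type explicitly to `ssl_test_lib:start_server(erlang, ...)` and `start_client(erlang, ...)`, so they presumably do not depend on `client_type`/`server_type`, but anything in ssl_test_lib that reads `version` from Config would change behaviour silently; worth confirming against the ssl_test_lib hunk before merging. The renames in the other two hunks need no change.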
@@ -117,10 +111,10 @@ ssl_client_ssl_server_key_update_at(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). -ssl_client_ssl_server_explicit_key_update() -> +explicit_key_update() -> [{doc,"Test ssl:update_key/2 between erlang client and erlang server."}]. -ssl_client_ssl_server_explicit_key_update(Config) -> +explicit_key_update(Config) -> Data = "123456789012345", %% 15 bytes Server = ssl_test_lib:start_server(erlang, [{log_level, debug}], Config), 
@@ -140,50 +134,3 @@ ssl_client_ssl_server_explicit_key_update(Config) -> ssl_test_lib:close(Server), ssl_test_lib:close(Client). - -openssl_client_ssl_server_explicit_key_update() -> - [{doc,"Test ssl:update_key/2 between openssl s_client and erlang server."}]. - -openssl_client_ssl_server_explicit_key_update(Config) -> - Data = "123456789012345", %% 15 bytes - - Server = ssl_test_lib:start_server(erlang, [{log_level, debug}], Config), - Port = ssl_test_lib:inet_port(Server), - - Client = ssl_test_lib:start_client(openssl, [{port, Port}], Config), - ssl_test_lib:send_recv_result_active(Client, Server, Data), - - %% TODO s_client can hang after sending special commands e.g "k", "K" - %% ssl_test_lib:update_keys(Client, write), - %% ssl_test_lib:update_keys(Client, read_write), - ssl_test_lib:update_keys(Server, write), - ssl_test_lib:update_keys(Server, read_write), - - ssl_test_lib:send_recv_result_active(Client, Server, Data), - - ssl_test_lib:close(Client), - ssl_test_lib:close(Server). - -ssl_client_openssl_server_explicit_key_update() -> - [{doc,"Test ssl:update_key/2 between ssl client and s_server."}]. - -ssl_client_openssl_server_explicit_key_update(Config) -> - Data = "123456789012345", %% 15 bytes - - Server = ssl_test_lib:start_server(openssl, [], Config), - Port = ssl_test_lib:inet_port(Server), - - Client = ssl_test_lib:start_client(erlang, [{port, Port}, - {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}],Config), - ssl_test_lib:send_recv_result_active(Server, Client, Data), - - ssl_test_lib:update_keys(Client, write), - ssl_test_lib:update_keys(Client, read_write), - ssl_test_lib:update_keys(Server, write), - ssl_test_lib:update_keys(Server, read_write), - - ssl_test_lib:send_recv_result_active(Client, Server, Data), - - ssl_test_lib:close(Client), - ssl_test_lib:close(Server). diff --git a/lib/ssl/test/ssl_session_SUITE.erl b/lib/ssl/test/ssl_session_SUITE.erl index aa79698a72..f8dd633ed4 100644 --- a/lib/ssl/test/ssl_session_SUITE.erl 
+++ b/lib/ssl/test/ssl_session_SUITE.erl @@ -25,6 +25,7 @@ -compile(export_all). -include("tls_handshake.hrl"). +-include("ssl_record.hrl"). -include_lib("common_test/include/ct.hrl"). -include_lib("public_key/include/public_key.hrl"). @@ -48,11 +49,11 @@ all() -> groups() -> [{'dtlsv1.2', [], session_tests()}, {'dtlsv1', [], session_tests()}, - {'tlsv1.3', [], session_tests()}, - {'tlsv1.2', [], session_tests()}, - {'tlsv1.1', [], session_tests()}, - {'tlsv1', [], session_tests()}, - {'sslv3', [], session_tests()} + {'tlsv1.3', [], session_tests() ++ tls_session_tests()}, + {'tlsv1.2', [], session_tests() ++ tls_session_tests()}, + {'tlsv1.1', [], session_tests() ++ tls_session_tests()}, + {'tlsv1', [], session_tests() ++ tls_session_tests()}, + {'sslv3', [], session_tests() ++ tls_session_tests()} ]. session_tests() -> @@ -62,6 +63,8 @@ session_tests() -> no_reuses_session_server_restart_new_cert, no_reuses_session_server_restart_new_cert_file]. +tls_session_tests() -> + [session_table_stable_size_on_tcp_close]. init_per_suite(Config0) -> catch crypto:stop(), 
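Review bot: `tls_session_tests/0` is appended to the TLS groups but not to `'dtlsv1.2'`/`'dtlsv1'`, and nothing in the hunk says why; since `session_table_stable_size_on_tcp_close` drives the server with a raw `gen_tcp` client (see the following hunk), a comment on the function makes the split intentional: `%% TCP-only: these cases talk to the server over a raw gen_tcp socket and cannot run in the DTLS groups.` The new function is also inserted directly above `init_per_suite(Config0) ->` with no separating blank line, unlike the other definitions in the module. The added `-include("ssl_record.hrl")` is presumably needed by the record construction in the later `connection_states/1` helper that is cut off at the end of this chunk; if that helper does not use the records it should be dropped.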
@@ -372,6 +375,177 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) -> ssl_test_lib:close(Server1), ssl_test_lib:close(Client1). +session_table_stable_size_on_tcp_close() -> + [{doc, "Check that new sessions are cleanup when connection is closed abruptly during first handshake"}]. + +session_table_stable_size_on_tcp_close(Config) when is_list(Config)-> + ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), + {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), + + {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)), + [_, _,_, _, Prop] = StatusInfo, + State = ssl_test_lib:state(Prop), + ServerCache = element(3, State), + + N = ets:info(ServerCache, size), + + Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0}, + {from, self()}, + {options, [{reuseaddr, true} | ServerOpts]}]), + Port = ssl_test_lib:inet_port(Server), + faulty_client(Hostname, Port), + check_table_did_not_grow(ServerCache, N). + + %%-------------------------------------------------------------------- %% Internal functions ------------------------------------------------ %%-------------------------------------------------------------------- +check_table_did_not_grow(ServerCache, N) -> + ct:sleep(500), + check_table_did_not_grow(ServerCache, N, 10). + +check_table_did_not_grow(_, _, 0) -> + ct:fail(table_grew); +check_table_did_not_grow(ServerCache, N, Tries) -> + case ets:info(ServerCache, size) of + N -> + ok; + _ -> + ct:sleep(500), + check_table_did_not_grow(ServerCache, N, Tries -1) + end. + +faulty_client(Host, Port) -> + {ok, Sock} = gen_tcp:connect(Host, Port, [], 10000), + Random = crypto:strong_rand_bytes(32), + CH = client_hello(Random), + CHBin = encode_client_hello(CH, Random), + gen_tcp:send(Sock, CHBin), + ct:sleep(100), + gen_tcp:close(Sock). 
+ + +server(LOpts, Port) -> + {ok, LSock} = ssl:listen(Port, LOpts), + Pid = spawn_link(?MODULE, accept_loop, [LSock]), + ssl:controlling_process(LSock, Pid), + Pid. + +accept_loop(Sock) -> + {ok, CSock} = ssl:transport_accept(Sock), + _ = ssl:handshake(CSock), + accept_loop(Sock). + + +encode_client_hello(CH, Random) -> + HSBin = tls_handshake:encode_handshake(CH, {3,3}), + CS = connection_states(Random), + {Encoded, _} = tls_record:encode_handshake(HSBin, {3,3}, CS), + Encoded. + +client_hello(Random) -> + CipherSuites = [<<0,255>>, <<"À,">>, <<"À0">>, <<"À$">>, <<"À(">>, + <<"À.">>, <<"À2">>, <<"À&">>, <<"À*">>, <<0,159>>, + <<0,163>>, <<0,107>>, <<0,106>>, <<"À+">>, <<"À/">>, + <<"À#">>, <<"À'">>, <<"À-">>, <<"À1">>, <<"À%">>, + <<"À)">>, <<0,158>>, <<0,162>>, <<0,103>>, <<0,64>>, + <<"À\n">>, <<192,20>>, <<0,57>>, <<0,56>>, <<192,5>>, + <<192,15>>, <<"À\t">>, <<192,19>>, <<0,51>>, <<0,50>>, + <<192,4>>, <<192,14>>], + Extensions = #{alpn => undefined, + ec_point_formats => + {ec_point_formats, + [0]}, + elliptic_curves => + {elliptic_curves, + [{1,3,132,0,39}, + {1,3,132,0,38}, + {1,3,132,0,35}, + {1,3,36,3,3,2, + 8,1,1,13}, + {1,3,132,0,36}, + {1,3,132,0,37}, + {1,3,36,3,3,2, + 8,1,1,11}, + {1,3,132,0,34}, + {1,3,132,0,16}, + {1,3,132,0,17}, + {1,3,36,3,3,2, + 8,1,1,7}, + {1,3,132,0,10}, + {1,2,840, + 10045,3,1,7}, + {1,3,132,0,3}, + {1,3,132,0,26}, + {1,3,132,0,27}, + {1,3,132,0,32}, + {1,3,132,0,33}, + {1,3,132,0,24}, + {1,3,132,0,25}, + {1,3,132,0,31}, + {1,2,840, + 10045,3,1,1}, + {1,3,132,0,1}, + {1,3,132,0,2}, + {1,3,132,0,15}, + {1,3,132,0,9}, + {1,3,132,0,8}, + {1,3,132,0, + 30}]}, + next_protocol_negotiation => + undefined, + renegotiation_info => + {renegotiation_info, + undefined}, + signature_algs => + {hash_sign_algos, + [{sha512,ecdsa}, + {sha512,rsa}, + {sha384,ecdsa}, + {sha384,rsa}, + {sha256,ecdsa}, + {sha256,rsa}, + {sha224,ecdsa}, + {sha224,rsa}, + {sha,ecdsa}, + {sha,rsa}, + {sha,dsa}]}, + sni => + {sni, + "localhost"}, + srp => + 
undefined}, + + #client_hello{client_version = {3,3}, + random = Random, + session_id = crypto:strong_rand_bytes(32), + cipher_suites = CipherSuites, + compression_methods = [0], + extensions = Extensions + }. + +connection_states(Random) -> + #{current_write => + #{beast_mitigation => one_n_minus_one,cipher_state => undefined, + client_verify_data => undefined,compression_state => undefined, + mac_secret => undefined,secure_renegotiation => undefined, + security_parameters => + #security_parameters{ + cipher_suite = <<0,0>>, + connection_end = 1, + bulk_cipher_algorithm = 0, + cipher_type = 0, + iv_size = 0, + key_size = 0, + key_material_length = 0, + expanded_key_material_length = 0, + mac_algorithm = 0, + prf_algorithm = 0, + hash_size = 0, + compression_algorithm = 0, + master_secret = undefined, + resumption_master_secret = undefined, + client_random = Random, + server_random = undefined, + exportable = undefined}, + sequence_number => 0,server_verify_data => undefined}}. diff --git a/lib/ssl/test/ssl_session_ticket_SUITE.erl b/lib/ssl/test/ssl_session_ticket_SUITE.erl index 96b0fb5c2a..3d41b59223 100644 --- a/lib/ssl/test/ssl_session_ticket_SUITE.erl +++ b/lib/ssl/test/ssl_session_ticket_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2007-2019. All Rights Reserved. +%% Copyright Ericsson AB 2007-2020. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. 
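Review bot: In faulty_client/2 the result of `gen_tcp:send(Sock, CHBin)` is discarded, so if the ClientHello is never delivered the session table trivially keeps its size and check_table_did_not_grow/2 passes without exercising the cleanup path the test exists for; matching it assertively, `ok = gen_tcp:send(Sock, CHBin),`, makes a failed send fail the test instead of silently passing it. server/2 and accept_loop/1 appear unused by the new test case in this hunk (it starts its server through ssl_test_lib:start_server_error/1), and server/2 also ignores the result of `ssl:controlling_process(LSock, Pid)`; if they are not referenced elsewhere in the file they can be dropped, otherwise `ok = ssl:controlling_process(LSock, Pid),` keeps the socket handover checked. `ServerCache = element(3, State)` couples the test to the field order of ssl_manager's state record, which deserves a comment like `%% third element of the ssl_manager state is the server session cache table; revisit if the record changes`. The cipher suite list in client_hello/1 mixes latin-1 string binaries (`<<"À,">>` is `<<16#C0,16#2C>>`) with numeric ones, so the suites are unreadable as written; the two-byte numeric form throughout would make them recognisable. The doc string also reads "new sessions are cleanup" where "cleaned up" is meant.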
@@ -18,11 +18,27 @@ %% %CopyrightEnd% %% -%% -module(ssl_session_ticket_SUITE). -%% Note: This directive should only be used in test suites. --compile(export_all). +%% Callback functions +-export([all/0, + groups/0, + init_per_suite/1, + end_per_suite/1, + init_per_group/2, + end_per_group/2, + init_per_testcase/2, + end_per_testcase/2]). + +%% Testcases +-export([basic/0, + basic/1, + hello_retry_request/0, + hello_retry_request/1, + multiple_tickets/0, + multiple_tickets/1, + multiple_tickets_2hash/0, + multiple_tickets_2hash/1]). -include("tls_handshake.hrl"). @@ -40,21 +56,15 @@ all() -> ]. groups() -> - [{'tlsv1.3', [], [{group, stateful}, {group, stateless}, {group, openssl_server}]}, - {openssl_server, [], [erlang_client_openssl_server_basic, - erlang_client_openssl_server_hrr, - erlang_client_openssl_server_hrr_multiple_tickets - ]}, + [{'tlsv1.3', [], [{group, stateful}, {group, stateless}]}, {stateful, [], session_tests()}, {stateless, [], session_tests()}]. session_tests() -> - [erlang_client_erlang_server_basic, - openssl_client_erlang_server_basic, - erlang_client_erlang_server_hrr, - openssl_client_erlang_server_hrr, - erlang_client_erlang_server_multiple_tickets, - erlang_client_erlang_server_multiple_tickets_2hash]. + [basic, + hello_retry_request, + multiple_tickets, + multiple_tickets_2hash]. init_per_suite(Config0) -> catch crypto:stop(), 
@@ -75,27 +85,10 @@ init_per_group(stateful, Config) -> init_per_group(stateless, Config) -> [{server_ticket_mode, stateless} | proplists:delete(server_ticket_mode, Config)]; init_per_group(GroupName, Config) -> - ssl_test_lib:clean_tls_version(Config), - case ssl_test_lib:is_tls_version(GroupName) andalso ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - ssl_test_lib:init_tls_version(GroupName, Config); - _ -> - case ssl_test_lib:sufficient_crypto_support(GroupName) of - true -> - ssl:start(), - Config; - false -> - {skip, "Missing crypto support"} - end - end. + ssl_test_lib:init_per_group(GroupName, Config). end_per_group(GroupName, Config) -> - case ssl_test_lib:is_tls_version(GroupName) of - true -> - ssl_test_lib:clean_tls_version(Config); - false -> - Config - end. + ssl_test_lib:end_per_group(GroupName, Config). init_per_testcase(_, Config) -> ssl:stop(), @@ -111,10 +104,9 @@ end_per_testcase(_TestCase, Config) -> %% Test Cases -------------------------------------------------------- %%-------------------------------------------------------------------- - -erlang_client_erlang_server_basic() -> +basic() -> [{doc,"Test session resumption with session tickets (erlang client - erlang server)"}]. -erlang_client_erlang_server_basic(Config) when is_list(Config) -> +basic(Config) when is_list(Config) -> ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 
@@ -166,127 +158,9 @@ erlang_client_erlang_server_basic(Config) when is_list(Config) -> ssl_test_lib:close(Server0), ssl_test_lib:close(Client1). - -erlang_client_openssl_server_basic() -> - [{doc,"Test session resumption with session tickets (erlang client - openssl server)"}]. -erlang_client_openssl_server_basic(Config) when is_list(Config) -> - process_flag(trap_exit, true), - ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), - {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), - - Version = 'tlsv1.3', - Port = ssl_test_lib:inet_port(node()), - CertFile = proplists:get_value(certfile, ServerOpts), - CACertFile = proplists:get_value(cacertfile, ServerOpts), - KeyFile = proplists:get_value(keyfile, ServerOpts), - - %% Configure session tickets - ClientOpts = [{session_tickets, auto}, {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0], - - Exe = "openssl", - Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), - "-cert", CertFile,"-key", KeyFile, "-CAfile", CACertFile, "-msg", "-debug"], - - OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), - - ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), - - %% Store ticket from first connection - Client0 = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [false, no_reply]}}, - {from, self()}, {options, ClientOpts}]), - %% Wait for session ticket - ct:sleep(100), - - %% Close previous connection as s_server can only handle one at a time - ssl_test_lib:close(Client0), - - %% Use ticket - Client1 = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [true, no_reply]}}, - {from, self()}, - {options, ClientOpts}]), - process_flag(trap_exit, false), - - 
%% Clean close down! Server needs to be closed first !! - ssl_test_lib:close_port(OpensslPort), - ssl_test_lib:close(Client1). - - -openssl_client_erlang_server_basic() -> - [{doc,"Test session resumption with session tickets (openssl client - erlang server)"}]. -openssl_client_erlang_server_basic(Config) when is_list(Config) -> - ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), - {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - TicketFile0 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket0"]), - TicketFile1 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket1"]), - ServerTicketMode = proplists:get_value(server_ticket_mode, Config), - - Data = "Hello world", - - %% Configure session tickets - ServerOpts = [{session_tickets, ServerTicketMode}, {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0], - - Server0 = - ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [false]}}, - {options, ServerOpts}]), - - Version = 'tlsv1.3', - Port0 = ssl_test_lib:inet_port(Server0), - - Exe = "openssl", - Args0 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) - ++ ":" ++ integer_to_list(Port0), - ssl_test_lib:version_flag(Version), - "-sess_out", TicketFile0], - - OpenSslPort0 = ssl_test_lib:portable_open_port(Exe, Args0), - - true = port_command(OpenSslPort0, Data), - - ssl_test_lib:check_result(Server0, ok), - - Server0 ! 
{listen, {mfa, {ssl_test_lib, - verify_active_session_resumption, - [true]}}}, - - %% Wait for session ticket - ct:sleep(100), - - Args1 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) - ++ ":" ++ integer_to_list(Port0), - ssl_test_lib:version_flag(Version), - "-sess_in", TicketFile0, - "-sess_out", TicketFile1], - - OpenSslPort1 = ssl_test_lib:portable_open_port(Exe, Args1), - - true = port_command(OpenSslPort1, Data), - - ssl_test_lib:check_result(Server0, ok), - - %% Clean close down! Server needs to be closed first !! - ssl_test_lib:close(Server0), - ssl_test_lib:close_port(OpenSslPort0), - ssl_test_lib:close_port(OpenSslPort1). - - -erlang_client_erlang_server_hrr() -> +hello_retry_request() -> [{doc,"Test session resumption with session tickets and hello_retry_request (erlang client - erlang server)"}]. -erlang_client_erlang_server_hrr(Config) when is_list(Config) -> +hello_retry_request(Config) when is_list(Config) -> ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 
@@ -340,135 +214,9 @@ erlang_client_erlang_server_hrr(Config) when is_list(Config) -> ssl_test_lib:close(Server0), ssl_test_lib:close(Client1). - -erlang_client_openssl_server_hrr() -> - [{doc,"Test session resumption with session tickets and hello_retry_request (erlang client - openssl server)"}]. -erlang_client_openssl_server_hrr(Config) when is_list(Config) -> - process_flag(trap_exit, true), - ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), - {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), - - Version = 'tlsv1.3', - Port = ssl_test_lib:inet_port(node()), - CertFile = proplists:get_value(certfile, ServerOpts), - CACertFile = proplists:get_value(cacertfile, ServerOpts), - KeyFile = proplists:get_value(keyfile, ServerOpts), - - %% Configure session tickets - ClientOpts = [{session_tickets, auto}, {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}, - {supported_groups,[secp256r1, x25519]}|ClientOpts0], - - Exe = "openssl", - Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), - "-cert", CertFile, - "-key", KeyFile, - "-CAfile", CACertFile, - "-groups", "X448:X25519", - "-msg", "-debug"], - - OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), - - ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), - - %% Store ticket from first connection - Client0 = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [false, no_reply]}}, - {from, self()}, {options, ClientOpts}]), - %% Wait for session ticket - ct:sleep(100), - - %% Close previous connection as s_server can only handle one at a time - ssl_test_lib:close(Client0), - - %% Use ticket - Client1 = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [true, 
no_reply]}}, - {from, self()}, - {options, ClientOpts}]), - process_flag(trap_exit, false), - - %% Clean close down! Server needs to be closed first !! - ssl_test_lib:close_port(OpensslPort), - ssl_test_lib:close(Client1). - - -openssl_client_erlang_server_hrr() -> - [{doc,"Test session resumption with session tickets and hello_retry_request (openssl client - erlang server)"}]. -openssl_client_erlang_server_hrr(Config) when is_list(Config) -> - ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), - {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config), - TicketFile0 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket0"]), - TicketFile1 = filename:join([proplists:get_value(priv_dir, Config), "session_ticket1"]), - ServerTicketMode = proplists:get_value(server_ticket_mode, Config), - - Data = "Hello world", - - %% Configure session tickets - ServerOpts = [{session_tickets, ServerTicketMode}, {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}, - {supported_groups,[x448, x25519]}|ServerOpts0], - - Server0 = - ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, - {from, self()}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [false]}}, - {options, ServerOpts}]), - - Version = 'tlsv1.3', - Port0 = ssl_test_lib:inet_port(Server0), - - Exe = "openssl", - Args0 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) - ++ ":" ++ integer_to_list(Port0), - ssl_test_lib:version_flag(Version), - "-groups", "P-256:X25519", - "-sess_out", TicketFile0], - - OpenSslPort0 = ssl_test_lib:portable_open_port(Exe, Args0), - - true = port_command(OpenSslPort0, Data), - - ssl_test_lib:check_result(Server0, ok), - - Server0 ! 
{listen, {mfa, {ssl_test_lib, - verify_active_session_resumption, - [true]}}}, - - %% Wait for session ticket - ct:sleep(100), - - Args1 = ["s_client", "-connect", ssl_test_lib:hostname_format(Hostname) - ++ ":" ++ integer_to_list(Port0), - ssl_test_lib:version_flag(Version), - "-groups", "P-256:X25519", - "-sess_in", TicketFile0, - "-sess_out", TicketFile1], - - OpenSslPort1 = ssl_test_lib:portable_open_port(Exe, Args1), - - true = port_command(OpenSslPort1, Data), - - ssl_test_lib:check_result(Server0, ok), - - %% Clean close down! Server needs to be closed first !! - ssl_test_lib:close(Server0), - ssl_test_lib:close_port(OpenSslPort0), - ssl_test_lib:close_port(OpenSslPort1). - - -erlang_client_erlang_server_multiple_tickets() -> +multiple_tickets() -> [{doc,"Test session resumption with multiple session tickets (erlang client - erlang server)"}]. -erlang_client_erlang_server_multiple_tickets(Config) when is_list(Config) -> +multiple_tickets(Config) when is_list(Config) -> ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), 
@@ -524,72 +272,9 @@ erlang_client_erlang_server_multiple_tickets(Config) when is_list(Config) -> ssl_test_lib:close(Server0), ssl_test_lib:close(Client1). - -erlang_client_openssl_server_hrr_multiple_tickets() -> - [{doc,"Test session resumption with multiple session tickets and hello_retry_request (erlang client - openssl server)"}]. -erlang_client_openssl_server_hrr_multiple_tickets(Config) when is_list(Config) -> - process_flag(trap_exit, true), - ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), - ServerOpts = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), - {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config), - - Version = 'tlsv1.3', - Port = ssl_test_lib:inet_port(node()), - CertFile = proplists:get_value(certfile, ServerOpts), - CACertFile = proplists:get_value(cacertfile, ServerOpts), - KeyFile = proplists:get_value(keyfile, ServerOpts), - - %% Configure session tickets - ClientOpts = [{session_tickets, manual}, {log_level, debug}, - {versions, ['tlsv1.2','tlsv1.3']}, - {supported_groups,[secp256r1, x25519]}|ClientOpts0], - - Exe = "openssl", - Args = ["s_server", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version), - "-cert", CertFile, - "-key", KeyFile, - "-CAfile", CACertFile, - "-groups", "X448:X25519", - "-msg", "-debug"], - - OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), - - ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)), - - %% Store ticket from first connection - Client0 = ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [false, no_reply, {tickets, 2}]}}, - {from, self()}, {options, ClientOpts}]), - - Tickets0 = ssl_test_lib:check_tickets(Client0), - - ct:pal("Received tickets: ~p~n", [Tickets0]), - - %% Close previous connection as s_server can only handle one at a time - ssl_test_lib:close(Client0), - - %% Use tickets - Client1 = 
ssl_test_lib:start_client([{node, ClientNode}, - {port, Port}, {host, Hostname}, - {mfa, {ssl_test_lib, - verify_active_session_resumption, - [true, no_reply, no_tickets]}}, - {from, self()}, - {options, [{use_ticket, Tickets0}|ClientOpts]}]), - - process_flag(trap_exit, false), - - %% Clean close down! Server needs to be closed first !! - ssl_test_lib:close_port(OpensslPort), - ssl_test_lib:close(Client1). - - -erlang_client_erlang_server_multiple_tickets_2hash() -> +multiple_tickets_2hash() -> [{doc,"Test session resumption with multiple session tickets with 2 different hash algorithms (erlang client - erlang server)"}]. -erlang_client_erlang_server_multiple_tickets_2hash(Config) when is_list(Config) -> +multiple_tickets_2hash(Config) when is_list(Config) -> ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config), ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config), {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config), diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index e7f5a59235..206c4c8b32 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl 
@@ -76,6 +76,43 @@ get_client_opts(Config) -> COpts = proplists:get_value(client_ecdsa_opts, Config), ssl_test_lib:ssl_options(COpts, Config). +%% Default callback functions +init_per_group(GroupName, Config) -> + clean_tls_version(Config), + case is_tls_version(GroupName) andalso sufficient_crypto_support(GroupName) of + true -> + init_tls_version(GroupName, Config); + _ -> + case sufficient_crypto_support(GroupName) of + true -> + ssl:start(), + Config; + false -> + {skip, "Missing crypto support"} + end + end. + +init_per_group_openssl(GroupName, Config) -> + case is_tls_version(GroupName) of + true -> + case check_sane_openssl_version(GroupName) of + true -> + [{version, GroupName}|init_tls_version(GroupName, Config)]; + false -> + {skip, "Missing openssl support"} + end; + _ -> + ssl:start(), + Config + end. + +end_per_group(GroupName, Config) -> + case is_tls_version(GroupName) of + true -> + clean_tls_version(Config); + false -> + Config + end. %%==================================================================== %% Internal functions |
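Review bot: init_per_group_openssl/2 never consults sufficient_crypto_support/1, unlike init_per_group/2 directly above it, so a TLS version group that the local crypto library cannot handle will presumably run and fail in the openssl suites where the erlang-only suites skip it; if check_sane_openssl_version/1 is not meant to cover that, `case check_sane_openssl_version(GroupName) andalso sufficient_crypto_support(GroupName) of` keeps the two entry points consistent, and if the difference is deliberate it needs a comment saying so. init_per_group/2 evaluates sufficient_crypto_support(GroupName) twice on the fall-through path; a single `case {is_tls_version(GroupName), sufficient_crypto_support(GroupName)} of` with `{true, true}`, `{_, true}` and `{_, false}` clauses states the intent directly and avoids the repeated call. The three functions carry nothing beyond `%% Default callback functions`; a header such as `%% Shared init_per_group/end_per_group for suites whose only per-group work is selecting the TLS version; the openssl variant also records {version, GroupName} in Config` and a -spec each would help the suites that now delegate to them. If ssl_test_lib does not compile with export_all, the new functions also need to be added to the export list, which is outside this hunk.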