diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-11-16 21:04:49 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-11-19 16:52:08 +0100 |
commit | 1c6629461bc534a9e6050a7334963907ceb73661 (patch) | |
tree | 70c95b50bd414f4abf209b9426c27a22c3c42969 | |
parent | 88377775a3eff679a9ec60ab9bfc6b3c683a0407 (diff) | |
download | gnutls-1c6629461bc534a9e6050a7334963907ceb73661.tar.gz |
tests: added TLS1.3 tests for PKCS#11 and external key types
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | tests/pkcs11/tls-neg-pkcs11-key.c | 53 | ||||
-rw-r--r-- | tests/tls-neg-ext4-key.c | 61 |
2 files changed, 95 insertions, 19 deletions
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c index 78bfc6a763..c003e762aa 100644 --- a/tests/pkcs11/tls-neg-pkcs11-key.c +++ b/tests/pkcs11/tls-neg-pkcs11-key.c @@ -316,6 +316,59 @@ static const test_st tests[] = { .cert = &server_ca3_eddsa_cert, .key = &server_ca3_eddsa_key, .exp_kx = GNUTLS_KX_ECDHE_RSA, + }, + {.name = "tls1.3: ecc key", + .pk = GNUTLS_PK_ECDSA, + .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_localhost_ecc_cert, + .key = &server_ca3_ecc_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA + }, + {.name = "tls1.3: rsa-sign key", + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_localhost_cert, + .key = &server_ca3_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA + }, + {.name = "tls1.3: rsa-sign key with rsa-pss sigs prioritized", + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:-SIGN-ALL:+SIGN-RSA-PSS-SHA256:+SIGN-RSA-PSS-SHA384:+SIGN-RSA-PSS-SHA512:+SIGN-RSA-PSS-RSAE-SHA256:+SIGN-RSA-PSS-RSAE-SHA384:+SIGN-RSA-PSS-RSAE-SHA512:-VERS-TLS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_localhost_cert, + .key = &server_ca3_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA + }, + {.name = "tls1.3: rsa-pss-sign key", + .pk = GNUTLS_PK_RSA_PSS, + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_rsa_pss2_cert, + .key = &server_ca3_rsa_pss2_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA, + .requires_pkcs11_pss = 1, + }, + {.name = "tls1.3: rsa-pss cert, rsa-sign key", + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_rsa_pss_cert, + .key = &server_ca3_rsa_pss_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA, + .requires_pkcs11_pss = 1, + }, + {.name = "tls1.3: rsa-pss cert, rsa-sign key no PSS signatures", + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3:-SIGN-RSA-PSS-SHA256:-SIGN-RSA-PSS-SHA384:-SIGN-RSA-PSS-SHA512:-SIGN-RSA-PSS-RSAE-SHA256:-SIGN-RSA-PSS-RSAE-SHA384:-SIGN-RSA-PSS-RSAE-SHA512", + .cert = &server_ca3_rsa_pss_cert, + .key = &server_ca3_rsa_pss_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA, + .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES + }, + {.name = "tls1.3: ed25519 cert, ed25519 key", + .needs_eddsa = 1, + .pk = GNUTLS_PK_EDDSA_ED25519, + .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA", + .cert = &server_ca3_eddsa_cert, + .key = &server_ca3_eddsa_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA } }; diff --git a/tests/tls-neg-ext4-key.c b/tests/tls-neg-ext4-key.c index 04365c598d..1384381d6d 100644 --- a/tests/tls-neg-ext4-key.c +++ b/tests/tls-neg-ext4-key.c @@ -48,21 +48,6 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "<%d> %s", level, str); } -/* sha1 hash of "hello" string */ -const gnutls_datum_t sha1_hash_data = { - (void *) - "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe" - "\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d", - 20 -}; - -const gnutls_datum_t sha256_hash_data = { - (void *) - "\x2c\xf2\x4d\xba\x5f\xb0\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e" - "\x1b\x16\x1e\x5c\x1f\xa7\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24", - 32 -}; - const gnutls_datum_t raw_data = { (void *) "hello", 5 @@ -232,9 +217,7 @@ void try_with_key(const char *name, const char *client_prio, gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_xcred); - gnutls_priority_set_direct(server, - "NORMAL:+VERS-SSL3.0:+ANON-ECDH:+ANON-DH:+ECDHE-RSA:+DHE-RSA:+RSA:+ECDHE-ECDSA:+CURVE-X25519:+SIGN-EDDSA-ED25519", - NULL); + assert(gnutls_priority_set_direct(server, "NORMAL", NULL)>=0); gnutls_transport_set_push_function(server, server_push); gnutls_transport_set_pull_function(server, server_pull); gnutls_transport_set_ptr(server, server); @@ -406,13 +389,53 @@ static const test_st tests[] = { .exp_kx = GNUTLS_KX_ECDHE_RSA, .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES }, - {.name = "ed25519 cert, ed25519 key", /* we expect the server to refuse negotiating */ + {.name = "ed25519 cert, ed25519 key", .pk = GNUTLS_PK_EDDSA_ED25519, .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-ALL:+VERS-TLS1.2", .cert = &server_ca3_eddsa_cert, .key = &server_ca3_eddsa_key, .sig = GNUTLS_SIGN_EDDSA_ED25519, .exp_kx = GNUTLS_KX_ECDHE_ECDSA, + }, + {.name = "tls1.3 ecc key", + .pk = GNUTLS_PK_ECDSA, + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_localhost_ecc_cert, + .key = &server_ca3_ecc_key, + .sig = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, + .exp_kx = GNUTLS_KX_ECDHE_RSA + }, + {.name = "tls1.3 rsa-sign key", + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_localhost_cert, + .key = &server_ca3_key, + .sig = GNUTLS_SIGN_RSA_PSS_RSAE_SHA256, + .exp_kx = GNUTLS_KX_ECDHE_RSA + }, + {.name = "tls1.3 rsa-pss-sign key", + .pk = GNUTLS_PK_RSA_PSS, + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_rsa_pss2_cert, + .key = &server_ca3_rsa_pss2_key, + .sig = GNUTLS_SIGN_RSA_PSS_SHA256, + .exp_kx = GNUTLS_KX_ECDHE_RSA, + }, + {.name = "tls1.3 rsa-pss cert, rsa-sign key", /* we expect the server to refuse negotiating */ + .pk = GNUTLS_PK_RSA, + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_rsa_pss_cert, + .key = &server_ca3_rsa_pss_key, + .exp_kx = GNUTLS_KX_ECDHE_RSA, + .exp_serv_err = GNUTLS_E_NO_CIPHER_SUITES + }, + {.name = "tls1.3 ed25519 cert, ed25519 key", + .pk = GNUTLS_PK_EDDSA_ED25519, + .prio = "NORMAL:-VERS-ALL:+VERS-TLS1.3", + .cert = &server_ca3_eddsa_cert, + .key = &server_ca3_eddsa_key, + .sig = GNUTLS_SIGN_EDDSA_ED25519, + .exp_kx = GNUTLS_KX_ECDHE_RSA, } }; |