Add tests for TLS policy values

author: Jack Lloyd <[email protected]> 2016-11-26 20:35:22 -0500
committer: Jack Lloyd <[email protected]> 2016-11-26 20:35:22 -0500
commit: d39ab970c380154a33e5adec6f76e66c182b3d4f (patch)
tree: d851d513ebdd11be18cb22279ec03471a6e40663
parent: 5c41db5f0ca5c755215663102569f3ab38dccc54 (diff)
5 files changed, 159 insertions, 5 deletions
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt
new file mode 100644
index 000000000..e78429238
--- /dev/null
+++ b/src/tests/data/tls-policy/datagram.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = false
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+macs = AEAD
+signature_hashes = SHA-512 SHA-384 SHA-256
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH DH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt
new file mode 100644
index 000000000..eb4ee245c
--- /dev/null
+++ b/src/tests/data/tls-policy/default.txt
@@ -0,0 +1,23 @@
+allow_tls10 = true
+allow_tls11 = true
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+macs = AEAD SHA-256 SHA-384 SHA-1
+signature_hashes = SHA-512 SHA-384 SHA-256
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH DH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/strict.txt b/src/tests/data/tls-policy/strict.txt
new file mode 100644
index 000000000..2f8dfbb3d
--- /dev/null
+++ b/src/tests/data/tls-policy/strict.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM
+macs = AEAD
+signature_hashes = SHA-512 SHA-384
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/suiteb.txt b/src/tests/data/tls-policy/suiteb.txt
new file mode 100644
index 000000000..77e7ce5a0
--- /dev/null
+++ b/src/tests/data/tls-policy/suiteb.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = false
+ciphers = AES-128/GCM
+macs = AEAD
+signature_hashes = SHA-256
+signature_methods = ECDSA
+key_exchange_methods = ECDH
+ecc_curves = secp256r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 128
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index b4ee9d983..7158fba55 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -898,6 +898,52 @@ Test::Result test_tls_alert_strings()
    return result;
    }
 
+
+std::string read_tls_policy(const std::string& policy_str)
+   {
+   const std::string fspath = Test::data_file("tls-policy/" + policy_str + ".txt");
+
+   std::ifstream is(fspath.c_str());
+   if(!is.good())
+      throw Test_Error("Missing policy file " + fspath);
+
+   Botan::TLS::Text_Policy policy(is);
+   return policy.to_string();
+   }
+
+std::string tls_policy_string(const std::string& policy_str)
+   {
+   std::unique_ptr<Botan::TLS::Policy> policy;
+   if(policy_str == "default")
+      policy.reset(new Botan::TLS::Policy);
+   else if(policy_str == "suiteb")
+      policy.reset(new Botan::TLS::NSA_Suite_B_128);
+   else if(policy_str == "strict")
+      policy.reset(new Botan::TLS::Strict_Policy);
+   else if(policy_str == "datagram")
+      policy.reset(new Botan::TLS::Datagram_Policy);
+   else
+      throw Test_Error("Unknown TLS policy type '" + policy_str + "'");
+
+   return policy->to_string();
+   }
+
+Test::Result test_tls_policy()
+   {
+   Test::Result result("TLS Policy");
+
+   const std::vector<std::string> policies = { "default", "suiteb", "strict", "datagram" };
+
+   for(std::string policy : policies)
+      {
+      result.test_eq("Values for TLS " + policy + " policy",
+                     tls_policy_string(policy),
+                     read_tls_policy(policy));
+      }
+
+   return result;
+   }
+
 class TLS_Unit_Tests : public Test
    {
    private:
@@ -934,6 +980,9 @@ class TLS_Unit_Tests : public Test
          policy.set("key_exchange_methods", kex_policy);
          policy.set("negotiate_encrypt_then_mac", etm_policy);
 
+         if(kex_policy == "RSA")
+            policy.set("signature_methods", "RSA");
+
          std::vector<Botan::TLS::Protocol_Version> versions = {
             Botan::TLS::Protocol_Version::TLS_V10,
             Botan::TLS::Protocol_Version::TLS_V11,
@@ -973,6 +1022,10 @@ class TLS_Unit_Tests : public Test
    public:
       std::vector<Test::Result> run() override
          {
+         std::vector<Test::Result> results;
+         results.push_back(test_tls_alert_strings());
+         results.push_back(test_tls_policy());
+
          Botan::RandomNumberGenerator& rng = Test::rng();
 
          std::unique_ptr<Botan::TLS::Session_Manager> client_ses;
@@ -991,7 +1044,6 @@ class TLS_Unit_Tests : public Test
 #endif
 
          std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng));
-         std::vector<Test::Result> results;
 
 #if defined(BOTAN_HAS_TLS_CBC)
          for(std::string etm_setting : { "false", "true" })
@@ -1018,6 +1070,7 @@ class TLS_Unit_Tests : public Test
 
             server_ses->remove_all();
             }
+         client_ses->remove_all();
 
          test_modern_versions(results, *client_ses, *server_ses, *creds, "DH", "AES-128", "SHA-256");
 #endif
@@ -1026,16 +1079,25 @@ class TLS_Unit_Tests : public Test
          test_with_policy(results, *client_ses, *server_ses, *creds,
                           {Botan::TLS::Protocol_Version::TLS_V12}, strict_policy);
 
+         Botan::TLS::NSA_Suite_B_128 suiteb_128;
+         test_with_policy(results, *client_ses, *server_ses, *creds,
+                          {Botan::TLS::Protocol_Version::TLS_V12}, suiteb_128);
+
+         // Remove server sessions before client, so clients retry with session server doesn't know
+         server_ses->remove_all();
+
          test_modern_versions(results, *client_ses, *server_ses, *creds, "RSA", "AES-128/GCM");
          test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM");
 
-         client_ses->remove_all();
-
          test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD",
                               { { "signature_methods", "RSA" } });
 
+         client_ses->remove_all();
+
 #if defined(BOTAN_HAS_CECPQ1)
          test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "AES-256/GCM", "AEAD");
+         test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "ChaCha20Poly1305", "AEAD",
+                              { { "signature_methods", "RSA" }});
 #endif
 
          test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD",
@@ -1062,6 +1124,8 @@ class TLS_Unit_Tests : public Test
          test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/OCB(12)");
 #endif
 
+         server_ses->remove_all();
+
 #if defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
          test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "ChaCha20Poly1305");
 #endif
@@ -1084,8 +1148,6 @@ class TLS_Unit_Tests : public Test
                                        { { "ecc_curves", BOTAN_HOUSE_ECC_CURVE_NAME } });
 #endif
 
-         results.push_back(test_tls_alert_strings());
-
          return results;
          }
author	Jack Lloyd <[email protected]>	2016-11-26 20:35:22 -0500
committer	Jack Lloyd <[email protected]>	2016-11-26 20:35:22 -0500
commit	d39ab970c380154a33e5adec6f76e66c182b3d4f (patch)
tree	d851d513ebdd11be18cb22279ec03471a6e40663
parent	5c41db5f0ca5c755215663102569f3ab38dccc54 (diff)