diff options
author | Jack Lloyd <[email protected]> | 2016-11-26 20:35:22 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-26 20:35:22 -0500 |
commit | d39ab970c380154a33e5adec6f76e66c182b3d4f (patch) | |
tree | d851d513ebdd11be18cb22279ec03471a6e40663 /src | |
parent | 5c41db5f0ca5c755215663102569f3ab38dccc54 (diff) |
Add tests for TLS policy values
Diffstat (limited to 'src')
-rw-r--r-- | src/tests/data/tls-policy/datagram.txt | 23 | ||||
-rw-r--r-- | src/tests/data/tls-policy/default.txt | 23 | ||||
-rw-r--r-- | src/tests/data/tls-policy/strict.txt | 23 | ||||
-rw-r--r-- | src/tests/data/tls-policy/suiteb.txt | 23 | ||||
-rw-r--r-- | src/tests/unit_tls.cpp | 72 |
5 files changed, 159 insertions, 5 deletions
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt new file mode 100644 index 000000000..e78429238 --- /dev/null +++ b/src/tests/data/tls-policy/datagram.txt @@ -0,0 +1,23 @@ +allow_tls10 = false +allow_tls11 = false +allow_tls12 = false +allow_dtls10 = false +allow_dtls12 = true +ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128 +macs = AEAD +signature_hashes = SHA-512 SHA-384 SHA-256 +signature_methods = ECDSA RSA +key_exchange_methods = CECPQ1 ECDH DH +ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1 +allow_insecure_renegotiation = false +include_time_in_hello_random = true +allow_server_initiated_renegotiation = false +hide_unknown_users = false +server_uses_own_ciphersuite_preferences = true +negotiate_encrypt_then_mac = true +session_ticket_lifetime = 86400 +dh_group = modp/ietf/2048 +minimum_dh_group_size = 1024 +minimum_ecdh_group_size = 255 +minimum_rsa_bits = 2048 +minimum_signature_strength = 110 diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt new file mode 100644 index 000000000..eb4ee245c --- /dev/null +++ b/src/tests/data/tls-policy/default.txt @@ -0,0 +1,23 @@ +allow_tls10 = true +allow_tls11 = true +allow_tls12 = true +allow_dtls10 = false +allow_dtls12 = true +ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128 +macs = AEAD SHA-256 SHA-384 SHA-1 +signature_hashes = SHA-512 SHA-384 SHA-256 +signature_methods = ECDSA RSA +key_exchange_methods = CECPQ1 ECDH DH +ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1 +allow_insecure_renegotiation = false +include_time_in_hello_random = true +allow_server_initiated_renegotiation = false +hide_unknown_users = false +server_uses_own_ciphersuite_preferences = true +negotiate_encrypt_then_mac = true +session_ticket_lifetime = 86400 +dh_group = modp/ietf/2048 +minimum_dh_group_size = 1024 +minimum_ecdh_group_size = 255 +minimum_rsa_bits = 2048 +minimum_signature_strength = 110 diff --git a/src/tests/data/tls-policy/strict.txt b/src/tests/data/tls-policy/strict.txt new file mode 100644 index 000000000..2f8dfbb3d --- /dev/null +++ b/src/tests/data/tls-policy/strict.txt @@ -0,0 +1,23 @@ +allow_tls10 = false +allow_tls11 = false +allow_tls12 = true +allow_dtls10 = false +allow_dtls12 = true +ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM +macs = AEAD +signature_hashes = SHA-512 SHA-384 +signature_methods = ECDSA RSA +key_exchange_methods = CECPQ1 ECDH +ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1 +allow_insecure_renegotiation = false +include_time_in_hello_random = true +allow_server_initiated_renegotiation = false +hide_unknown_users = false +server_uses_own_ciphersuite_preferences = true +negotiate_encrypt_then_mac = true +session_ticket_lifetime = 86400 +dh_group = modp/ietf/2048 +minimum_dh_group_size = 1024 +minimum_ecdh_group_size = 255 +minimum_rsa_bits = 2048 +minimum_signature_strength = 110 diff --git a/src/tests/data/tls-policy/suiteb.txt b/src/tests/data/tls-policy/suiteb.txt new file mode 100644 index 000000000..77e7ce5a0 --- /dev/null +++ b/src/tests/data/tls-policy/suiteb.txt @@ -0,0 +1,23 @@ +allow_tls10 = false +allow_tls11 = false +allow_tls12 = true +allow_dtls10 = false +allow_dtls12 = false +ciphers = AES-128/GCM +macs = AEAD +signature_hashes = SHA-256 +signature_methods = ECDSA +key_exchange_methods = ECDH +ecc_curves = secp256r1 +allow_insecure_renegotiation = false +include_time_in_hello_random = true +allow_server_initiated_renegotiation = false +hide_unknown_users = false +server_uses_own_ciphersuite_preferences = true +negotiate_encrypt_then_mac = true +session_ticket_lifetime = 86400 +dh_group = modp/ietf/2048 +minimum_dh_group_size = 1024 +minimum_ecdh_group_size = 255 +minimum_rsa_bits = 2048 +minimum_signature_strength = 128 diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp index b4ee9d983..7158fba55 100644 --- a/src/tests/unit_tls.cpp +++ b/src/tests/unit_tls.cpp @@ -898,6 +898,52 @@ Test::Result test_tls_alert_strings() return result; } + +std::string read_tls_policy(const std::string& policy_str) + { + const std::string fspath = Test::data_file("tls-policy/" + policy_str + ".txt"); + + std::ifstream is(fspath.c_str()); + if(!is.good()) + throw Test_Error("Missing policy file " + fspath); + + Botan::TLS::Text_Policy policy(is); + return policy.to_string(); + } + +std::string tls_policy_string(const std::string& policy_str) + { + std::unique_ptr<Botan::TLS::Policy> policy; + if(policy_str == "default") + policy.reset(new Botan::TLS::Policy); + else if(policy_str == "suiteb") + policy.reset(new Botan::TLS::NSA_Suite_B_128); + else if(policy_str == "strict") + policy.reset(new Botan::TLS::Strict_Policy); + else if(policy_str == "datagram") + policy.reset(new Botan::TLS::Datagram_Policy); + else + throw Test_Error("Unknown TLS policy type '" + policy_str + "'"); + + return policy->to_string(); + } + +Test::Result test_tls_policy() + { + Test::Result result("TLS Policy"); + + const std::vector<std::string> policies = { "default", "suiteb", "strict", "datagram" }; + + for(std::string policy : policies) + { + result.test_eq("Values for TLS " + policy + " policy", + tls_policy_string(policy), + read_tls_policy(policy)); + } + + return result; + } + class TLS_Unit_Tests : public Test { private: @@ -934,6 +980,9 @@ class TLS_Unit_Tests : public Test policy.set("key_exchange_methods", kex_policy); policy.set("negotiate_encrypt_then_mac", etm_policy); + if(kex_policy == "RSA") + policy.set("signature_methods", "RSA"); + std::vector<Botan::TLS::Protocol_Version> versions = { Botan::TLS::Protocol_Version::TLS_V10, Botan::TLS::Protocol_Version::TLS_V11, @@ -973,6 +1022,10 @@ class TLS_Unit_Tests : public Test public: std::vector<Test::Result> run() override { + std::vector<Test::Result> results; + results.push_back(test_tls_alert_strings()); + results.push_back(test_tls_policy()); + Botan::RandomNumberGenerator& rng = Test::rng(); std::unique_ptr<Botan::TLS::Session_Manager> client_ses; @@ -991,7 +1044,6 @@ class TLS_Unit_Tests : public Test #endif std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng)); - std::vector<Test::Result> results; #if defined(BOTAN_HAS_TLS_CBC) for(std::string etm_setting : { "false", "true" }) @@ -1018,6 +1070,7 @@ class TLS_Unit_Tests : public Test server_ses->remove_all(); } + client_ses->remove_all(); test_modern_versions(results, *client_ses, *server_ses, *creds, "DH", "AES-128", "SHA-256"); #endif @@ -1026,16 +1079,25 @@ class TLS_Unit_Tests : public Test test_with_policy(results, *client_ses, *server_ses, *creds, {Botan::TLS::Protocol_Version::TLS_V12}, strict_policy); + Botan::TLS::NSA_Suite_B_128 suiteb_128; + test_with_policy(results, *client_ses, *server_ses, *creds, + {Botan::TLS::Protocol_Version::TLS_V12}, suiteb_128); + + // Remove server sessions before client, so clients retry with session server doesn't know + server_ses->remove_all(); + test_modern_versions(results, *client_ses, *server_ses, *creds, "RSA", "AES-128/GCM"); test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM"); - client_ses->remove_all(); - test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD", { { "signature_methods", "RSA" } }); + client_ses->remove_all(); + #if defined(BOTAN_HAS_CECPQ1) test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "AES-256/GCM", "AEAD"); + test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "ChaCha20Poly1305", "AEAD", + { { "signature_methods", "RSA" }}); #endif test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD", @@ -1062,6 +1124,8 @@ class TLS_Unit_Tests : public Test test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/OCB(12)"); #endif + server_ses->remove_all(); + #if defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305) test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "ChaCha20Poly1305"); #endif @@ -1084,8 +1148,6 @@ class TLS_Unit_Tests : public Test { { "ecc_curves", BOTAN_HOUSE_ECC_CURVE_NAME } }); #endif - results.push_back(test_tls_alert_strings()); - return results; } |