aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/tests/data/tls-policy/datagram.txt23
-rw-r--r--src/tests/data/tls-policy/default.txt23
-rw-r--r--src/tests/data/tls-policy/strict.txt23
-rw-r--r--src/tests/data/tls-policy/suiteb.txt23
-rw-r--r--src/tests/unit_tls.cpp72
5 files changed, 159 insertions, 5 deletions
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt
new file mode 100644
index 000000000..e78429238
--- /dev/null
+++ b/src/tests/data/tls-policy/datagram.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = false
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+macs = AEAD
+signature_hashes = SHA-512 SHA-384 SHA-256
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH DH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt
new file mode 100644
index 000000000..eb4ee245c
--- /dev/null
+++ b/src/tests/data/tls-policy/default.txt
@@ -0,0 +1,23 @@
+allow_tls10 = true
+allow_tls11 = true
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM AES-256/CCM AES-128/CCM AES-256 AES-128
+macs = AEAD SHA-256 SHA-384 SHA-1
+signature_hashes = SHA-512 SHA-384 SHA-256
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH DH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/strict.txt b/src/tests/data/tls-policy/strict.txt
new file mode 100644
index 000000000..2f8dfbb3d
--- /dev/null
+++ b/src/tests/data/tls-policy/strict.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = true
+ciphers = ChaCha20Poly1305 AES-256/GCM AES-128/GCM
+macs = AEAD
+signature_hashes = SHA-512 SHA-384
+signature_methods = ECDSA RSA
+key_exchange_methods = CECPQ1 ECDH
+ecc_curves = x25519 secp256r1 secp521r1 secp384r1 brainpool256r1 brainpool384r1 brainpool512r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 110
diff --git a/src/tests/data/tls-policy/suiteb.txt b/src/tests/data/tls-policy/suiteb.txt
new file mode 100644
index 000000000..77e7ce5a0
--- /dev/null
+++ b/src/tests/data/tls-policy/suiteb.txt
@@ -0,0 +1,23 @@
+allow_tls10 = false
+allow_tls11 = false
+allow_tls12 = true
+allow_dtls10 = false
+allow_dtls12 = false
+ciphers = AES-128/GCM
+macs = AEAD
+signature_hashes = SHA-256
+signature_methods = ECDSA
+key_exchange_methods = ECDH
+ecc_curves = secp256r1
+allow_insecure_renegotiation = false
+include_time_in_hello_random = true
+allow_server_initiated_renegotiation = false
+hide_unknown_users = false
+server_uses_own_ciphersuite_preferences = true
+negotiate_encrypt_then_mac = true
+session_ticket_lifetime = 86400
+dh_group = modp/ietf/2048
+minimum_dh_group_size = 1024
+minimum_ecdh_group_size = 255
+minimum_rsa_bits = 2048
+minimum_signature_strength = 128
diff --git a/src/tests/unit_tls.cpp b/src/tests/unit_tls.cpp
index b4ee9d983..7158fba55 100644
--- a/src/tests/unit_tls.cpp
+++ b/src/tests/unit_tls.cpp
@@ -898,6 +898,52 @@ Test::Result test_tls_alert_strings()
return result;
}
+
+std::string read_tls_policy(const std::string& policy_str)
+ {
+ const std::string fspath = Test::data_file("tls-policy/" + policy_str + ".txt");
+
+ std::ifstream is(fspath.c_str());
+ if(!is.good())
+ throw Test_Error("Missing policy file " + fspath);
+
+ Botan::TLS::Text_Policy policy(is);
+ return policy.to_string();
+ }
+
+std::string tls_policy_string(const std::string& policy_str)
+ {
+ std::unique_ptr<Botan::TLS::Policy> policy;
+ if(policy_str == "default")
+ policy.reset(new Botan::TLS::Policy);
+ else if(policy_str == "suiteb")
+ policy.reset(new Botan::TLS::NSA_Suite_B_128);
+ else if(policy_str == "strict")
+ policy.reset(new Botan::TLS::Strict_Policy);
+ else if(policy_str == "datagram")
+ policy.reset(new Botan::TLS::Datagram_Policy);
+ else
+ throw Test_Error("Unknown TLS policy type '" + policy_str + "'");
+
+ return policy->to_string();
+ }
+
+Test::Result test_tls_policy()
+ {
+ Test::Result result("TLS Policy");
+
+ const std::vector<std::string> policies = { "default", "suiteb", "strict", "datagram" };
+
+ for(std::string policy : policies)
+ {
+ result.test_eq("Values for TLS " + policy + " policy",
+ tls_policy_string(policy),
+ read_tls_policy(policy));
+ }
+
+ return result;
+ }
+
class TLS_Unit_Tests : public Test
{
private:
@@ -934,6 +980,9 @@ class TLS_Unit_Tests : public Test
policy.set("key_exchange_methods", kex_policy);
policy.set("negotiate_encrypt_then_mac", etm_policy);
+ if(kex_policy == "RSA")
+ policy.set("signature_methods", "RSA");
+
std::vector<Botan::TLS::Protocol_Version> versions = {
Botan::TLS::Protocol_Version::TLS_V10,
Botan::TLS::Protocol_Version::TLS_V11,
@@ -973,6 +1022,10 @@ class TLS_Unit_Tests : public Test
public:
std::vector<Test::Result> run() override
{
+ std::vector<Test::Result> results;
+ results.push_back(test_tls_alert_strings());
+ results.push_back(test_tls_policy());
+
Botan::RandomNumberGenerator& rng = Test::rng();
std::unique_ptr<Botan::TLS::Session_Manager> client_ses;
@@ -991,7 +1044,6 @@ class TLS_Unit_Tests : public Test
#endif
std::unique_ptr<Botan::Credentials_Manager> creds(create_creds(rng));
- std::vector<Test::Result> results;
#if defined(BOTAN_HAS_TLS_CBC)
for(std::string etm_setting : { "false", "true" })
@@ -1018,6 +1070,7 @@ class TLS_Unit_Tests : public Test
server_ses->remove_all();
}
+ client_ses->remove_all();
test_modern_versions(results, *client_ses, *server_ses, *creds, "DH", "AES-128", "SHA-256");
#endif
@@ -1026,16 +1079,25 @@ class TLS_Unit_Tests : public Test
test_with_policy(results, *client_ses, *server_ses, *creds,
{Botan::TLS::Protocol_Version::TLS_V12}, strict_policy);
+ Botan::TLS::NSA_Suite_B_128 suiteb_128;
+ test_with_policy(results, *client_ses, *server_ses, *creds,
+ {Botan::TLS::Protocol_Version::TLS_V12}, suiteb_128);
+
+ // Remove server sessions before client, so clients retry with session server doesn't know
+ server_ses->remove_all();
+
test_modern_versions(results, *client_ses, *server_ses, *creds, "RSA", "AES-128/GCM");
test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM");
- client_ses->remove_all();
-
test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD",
{ { "signature_methods", "RSA" } });
+ client_ses->remove_all();
+
#if defined(BOTAN_HAS_CECPQ1)
test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "AES-256/GCM", "AEAD");
+ test_modern_versions(results, *client_ses, *server_ses, *creds, "CECPQ1", "ChaCha20Poly1305", "AEAD",
+ { { "signature_methods", "RSA" }});
#endif
test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/GCM", "AEAD",
@@ -1062,6 +1124,8 @@ class TLS_Unit_Tests : public Test
test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "AES-128/OCB(12)");
#endif
+ server_ses->remove_all();
+
#if defined(BOTAN_HAS_AEAD_CHACHA20_POLY1305)
test_modern_versions(results, *client_ses, *server_ses, *creds, "ECDH", "ChaCha20Poly1305");
#endif
@@ -1084,8 +1148,6 @@ class TLS_Unit_Tests : public Test
{ { "ecc_curves", BOTAN_HOUSE_ECC_CURVE_NAME } });
#endif
- results.push_back(test_tls_alert_strings());
-
return results;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 20:44:57 +0000