mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-26 12:35:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Reorganize Opaque ssl-opt tests, pass key_opaque_algs=, add less wrong negative server testings

Browse Source 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
Neil Armstrong 2022-06-30 11:16:53 +02:00
parent b2c3b5be2d
commit 36b022334c
1 changed files with 84 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
tests/ssl-opt.sh
View File

@ -1706,7 +1706,7 @@ run_test "TLS-ECDHE-ECDSA Opaque key for client authentication" \
"$P_SRV auth_mode=required crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-ECDSA" \
@ -1726,7 +1726,7 @@ run_test "TLS-ECDHE-RSA Opaque key for client authentication" \
"$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-ECDHE-RSA" \
@ -1735,23 +1735,6 @@ run_test "TLS-ECDHE-RSA Opaque key for client authentication" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \
debug_level=1" \
"$P_CLI crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
@ -1761,7 +1744,8 @@ run_test "TLS-DHE-RSA Opaque key for client authentication" \
"$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Ciphersuite is TLS-DHE-RSA" \
@ -1770,20 +1754,6 @@ run_test "TLS-DHE-RSA Opaque key for client authentication" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
run_test "RSA opaque key on server configured for decryption" \
"$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-RSA-" \
-s "key types: Opaque, Opaque" \
-s "Ciphersuite is TLS-RSA-" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_RSA_C
@ -1808,7 +1778,7 @@ requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
"$P_CLI crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
0 \
@ -1819,6 +1789,23 @@ run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \
debug_level=1" \
"$P_CLI crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
@ -1845,7 +1832,7 @@ requires_config_enabled MBEDTLS_SHA256_C
run_test "Opaque key for server authentication (ECDH-)" \
"$P_SRV force_version=tls12 auth_mode=required key_opaque=1\
crt_file=data_files/server5.ku-ka.crt\
key_file=data_files/server5.key" \
key_file=data_files/server5.key key_opaque_algs=ecdh,none" \
"$P_CLI" \
0 \
-c "Verifying peer X.509 certificate... ok" \
@ -1855,6 +1842,24 @@ run_test "Opaque key for server authentication (ECDH-)" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
requires_config_enabled MBEDTLS_CCM_C
run_test "Opaque key for server authentication: invalid alg: TLS-ECDHE-ECDSA with ecdh" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI crt_file=data_files/server5.crt \
key_file=data_files/server5.key force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
-s "error" \
-c "error"
# Test using a RSA opaque private key for server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
@ -1864,7 +1869,7 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-ECDHE-RSA Opaque key for server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
0 \
@ -1875,6 +1880,22 @@ run_test "TLS-ECDHE-RSA Opaque key for server authentication" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "RSA opaque key on server configured for decryption" \
"$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-RSA-" \
-s "key types: Opaque, Opaque" \
-s "Ciphersuite is TLS-RSA-" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
@ -1883,7 +1904,7 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-DHE-RSA Opaque key for server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
@ -1894,6 +1915,23 @@ run_test "TLS-DHE-RSA Opaque key for server authentication" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "Opaque key for server authentication: TLS-DHE-RSA, PSS instead of PKCS1" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \
"$P_CLI crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
-s "error" \
-c "error"
# Test using an EC opaque private key for client/server authentication
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
requires_config_enabled MBEDTLS_USE_PSA_CRYPTO
@ -1902,9 +1940,9 @@ requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-ECDHE-ECDSA Opaque key for client/server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server5.crt \
key_file=data_files/server5.key" \
key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@ -1924,9 +1962,9 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-ECDHE-RSA Opaque key for client/server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@ -1945,9 +1983,10 @@ requires_config_enabled MBEDTLS_RSA_C
requires_config_enabled MBEDTLS_SHA256_C
run_test "TLS-DHE-RSA Opaque key for client/server authentication" \
"$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \
"$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \
key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none \
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
0 \
-c "key type: Opaque" \
-c "Verifying peer X.509 certificate... ok" \
@ -1958,6 +1997,7 @@ run_test "TLS-DHE-RSA Opaque key for client/server authentication" \
-S "error" \
-C "error"
# Test ciphersuites which we expect to be fully supported by PSA Crypto
# and check that we don't fall back to Mbed TLS' internal crypto primitives.
run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM