Added a test in which the server uses the default cipher suite list via the new “-U” option. This allows the InitSuites logic to be used for determining cipher suites instead of always overriding it with the “-l” option. Now both paths are exercised, so tests run with both wolfSSL_CTX_set_cipher_list and InitSuites. Removed a few cipher suite tests from test.conf that are not valid with old TLS. These were not picked up as failures before because wolfSSL_CTX_set_cipher_list matched on name only, allowing older versions to use the suite.

pull/830/head
David Garske 2017-04-04 14:31:47 -07:00
parent b827380baf
commit 4dcad96f97
4 changed files with 181 additions and 318 deletions


@ -267,6 +267,7 @@ static void Usage(void)
#endif #endif
printf("-g Return basic HTML web page\n"); printf("-g Return basic HTML web page\n");
printf("-C <num> The number of connections to accept, default: 1\n"); printf("-C <num> The number of connections to accept, default: 1\n");
printf("-U Force use of the default cipher suite list\n");
} }
THREAD_RETURN CYASSL_THREAD server_test(void* args) THREAD_RETURN CYASSL_THREAD server_test(void* args)
@ -319,6 +320,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
char* alpnList = NULL; char* alpnList = NULL;
unsigned char alpn_opt = 0; unsigned char alpn_opt = 0;
char* cipherList = NULL; char* cipherList = NULL;
int useDefCipherList = 0;
const char* verifyCert = cliCertFile; const char* verifyCert = cliCertFile;
const char* ourCert = svrCertFile; const char* ourCert = svrCertFile;
const char* ourKey = svrKeyFile; const char* ourKey = svrKeyFile;
@ -391,7 +393,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
useAnyAddr = 1; useAnyAddr = 1;
#else #else
while ((ch = mygetopt(argc, argv, while ((ch = mygetopt(argc, argv,
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:")) != -1) { "?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:U")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
Usage(); Usage();
@ -475,6 +477,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
cipherList = myoptarg; cipherList = myoptarg;
break; break;
case 'U' :
useDefCipherList = 1;
break;
case 'A' : case 'A' :
verifyCert = myoptarg; verifyCert = myoptarg;
break; break;
@ -716,9 +722,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb); wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif #endif
if (cipherList) if (cipherList && !useDefCipherList) {
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS) if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1"); err_sys("server can't set cipher list 1");
}
#ifdef CYASSL_LEANPSK #ifdef CYASSL_LEANPSK
if (!usePsk) { if (!usePsk) {
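Review bot: With the new guard `if (cipherList && !useDefCipherList) {`, a cipher list passed with `-l` is silently dropped whenever `-U` is also given, and neither the Usage text nor a comment says so; a reader of a test log will not know which list the server actually negotiated with. Suggest the Usage line `printf("-U Force use of the default cipher suite list (overrides -l)\n");` and a short comment above the guard such as `/* -U: ignore -l so InitSuites picks the built-in default list */`. The inner `if (SSL_CTX_set_cipher_list(...) != SSL_SUCCESS)` is still unbraced while the outer one now has braces; bracing both keeps the block consistent. server_test's body starts and ends outside this hunk.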


@ -54,6 +54,7 @@ static char flagSep[] = " ";
static char portFlag[] = "-p"; static char portFlag[] = "-p";
static char svrPort[] = "0"; static char svrPort[] = "0";
#endif #endif
static char forceDefCipherListFlag[] = "-U";
#ifndef WOLFSSL_ALLOW_SSLV3 #ifndef WOLFSSL_ALLOW_SSLV3
@ -155,7 +156,7 @@ static int IsValidCipherSuite(const char* line, char* suite)
static int execute_test_case(int svr_argc, char** svr_argv, static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv, int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking, int addNoVerify, int addNonBlocking,
int addDisableEMS) int addDisableEMS, int forceSrvDefCipherList)
{ {
#ifdef WOLFSSL_TIRTOS #ifdef WOLFSSL_TIRTOS
func_args cliArgs = {0}; func_args cliArgs = {0};
@ -174,11 +175,14 @@ static int execute_test_case(int svr_argc, char** svr_argv,
char commandLine[MAX_COMMAND_SZ]; char commandLine[MAX_COMMAND_SZ];
char cipherSuite[MAX_SUITE_SZ+1]; char cipherSuite[MAX_SUITE_SZ+1];
int i; int i;
size_t added = 0; size_t added;
static int tests = 1; static int tests = 1;
/* Is Valid Cipher and Version Checks */
/* build command list for the Is checks below */
commandLine[0] = '\0'; commandLine[0] = '\0';
for (i = 0; i < svr_argc; i++) { added = 0;
for (i = 0; i < svrArgs.argc; i++) {
added += XSTRLEN(svr_argv[i]) + 2; added += XSTRLEN(svr_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) { if (added >= MAX_COMMAND_SZ) {
printf("server command line too long\n"); printf("server command line too long\n");
@ -187,7 +191,6 @@ static int execute_test_case(int svr_argc, char** svr_argv,
strcat(commandLine, svr_argv[i]); strcat(commandLine, svr_argv[i]);
strcat(commandLine, flagSep); strcat(commandLine, flagSep);
} }
if (IsValidCipherSuite(commandLine, cipherSuite) == 0) { if (IsValidCipherSuite(commandLine, cipherSuite) == 0) {
#ifdef DEBUG_SUITE_TESTS #ifdef DEBUG_SUITE_TESTS
printf("cipher suite %s not supported in build\n", cipherSuite); printf("cipher suite %s not supported in build\n", cipherSuite);
@ -203,7 +206,6 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return VERSION_TOO_OLD; return VERSION_TOO_OLD;
} }
#endif #endif
#ifdef NO_OLD_TLS #ifdef NO_OLD_TLS
if (IsOldTlsVersion(commandLine) == 1) { if (IsOldTlsVersion(commandLine) == 1) {
#ifdef DEBUG_SUITE_TESTS #ifdef DEBUG_SUITE_TESTS
@ -213,78 +215,52 @@ static int execute_test_case(int svr_argc, char** svr_argv,
} }
#endif #endif
/* Build Client Command */
if (addNoVerify) { if (addNoVerify) {
printf("repeating test with client cert request off\n"); printf("repeating test with client cert request off\n");
added += 4; /* -d plus space plus terminator */ if (svrArgs.argc >= MAX_ARGS)
if (added >= MAX_COMMAND_SZ || svr_argc >= MAX_ARGS)
printf("server command line too long\n"); printf("server command line too long\n");
else { else
svr_argv[svr_argc++] = noVerifyFlag; svr_argv[svrArgs.argc++] = noVerifyFlag;
svrArgs.argc = svr_argc;
strcat(commandLine, noVerifyFlag);
strcat(commandLine, flagSep);
}
} }
if (addNonBlocking) { if (addNonBlocking) {
printf("repeating test with non blocking on\n"); printf("repeating test with non blocking on\n");
added += 4; /* -N plus terminator */ if (svrArgs.argc >= MAX_ARGS)
if (added >= MAX_COMMAND_SZ || svr_argc >= MAX_ARGS)
printf("server command line too long\n"); printf("server command line too long\n");
else { else
svr_argv[svr_argc++] = nonblockFlag; svr_argv[svrArgs.argc++] = nonblockFlag;
svrArgs.argc = svr_argc;
strcat(commandLine, nonblockFlag);
strcat(commandLine, flagSep);
}
} }
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS) #if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
/* add port 0 */ /* add port */
if (svr_argc + 2 > MAX_ARGS) if (svrArgs.argc + 2 > MAX_ARGS)
printf("cannot add the magic port number flag to server\n"); printf("cannot add the magic port number flag to server\n");
else else {
{ svr_argv[svrArgs.argc++] = portFlag;
svr_argv[svr_argc++] = portFlag; svr_argv[svrArgs.argc++] = svrPort;
svr_argv[svr_argc++] = svrPort;
svrArgs.argc = svr_argc;
} }
#endif #endif
printf("trying server command line[%d]: %s\n", tests, commandLine); if (forceSrvDefCipherList) {
if (svrArgs.argc >= MAX_ARGS)
printf("cannot add the force def cipher list flag to server\n");
else
svr_argv[svrArgs.argc++] = forceDefCipherListFlag;
}
/* update server flags list */
commandLine[0] = '\0'; commandLine[0] = '\0';
added = 0; added = 0;
for (i = 0; i < cli_argc; i++) { for (i = 0; i < svrArgs.argc; i++) {
added += XSTRLEN(cli_argv[i]) + 2; added += XSTRLEN(svr_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) { if (added >= MAX_COMMAND_SZ) {
printf("client command line too long\n"); printf("server command line too long\n");
break; break;
} }
strcat(commandLine, cli_argv[i]); strcat(commandLine, svr_argv[i]);
strcat(commandLine, flagSep); strcat(commandLine, flagSep);
} }
if (addNonBlocking) { printf("trying server command line[%d]: %s\n", tests, commandLine);
added += 4; /* -N plus space plus terminator */
if (added >= MAX_COMMAND_SZ) tests++; /* test count */
printf("client command line too long\n");
else {
cli_argv[cli_argc++] = nonblockFlag;
strcat(commandLine, nonblockFlag);
strcat(commandLine, flagSep);
cliArgs.argc = cli_argc;
}
}
if (addDisableEMS) {
printf("repeating test without extended master secret\n");
added += 4; /* -n plus terminator */
if (added >= MAX_COMMAND_SZ)
printf("client command line too long\n");
else {
cli_argv[cli_argc++] = disableEMSFlag;
strcat(commandLine, disableEMSFlag);
strcat(commandLine, flagSep);
cliArgs.argc = cli_argc;
}
}
printf("trying client command line[%d]: %s\n", tests++, commandLine);
InitTcpReady(&ready); InitTcpReady(&ready);
@ -296,20 +272,48 @@ static int execute_test_case(int svr_argc, char** svr_argv,
svrArgs.signal = &ready; svrArgs.signal = &ready;
start_thread(server_test, &svrArgs, &serverThread); start_thread(server_test, &svrArgs, &serverThread);
wait_tcp_ready(&svrArgs); wait_tcp_ready(&svrArgs);
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
if (ready.port != 0)
{ /* Build Client Command */
if (cli_argc + 2 > MAX_ARGS) if (addNonBlocking) {
if (cliArgs.argc >= MAX_ARGS)
printf("cannot add the non block flag to client\n");
else
cli_argv[cliArgs.argc++] = nonblockFlag;
}
if (addDisableEMS) {
printf("repeating test without extended master secret\n");
if (cliArgs.argc >= MAX_ARGS)
printf("cannot add the disable EMS flag to client\n");
else
cli_argv[cliArgs.argc++] = disableEMSFlag;
}
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
if (ready.port != 0) {
if (cliArgs.argc + 2 > MAX_ARGS)
printf("cannot add the magic port number flag to client\n"); printf("cannot add the magic port number flag to client\n");
else { else {
char portNumber[8]; char portNumber[8];
snprintf(portNumber, sizeof(portNumber), "%d", ready.port); snprintf(portNumber, sizeof(portNumber), "%d", ready.port);
cli_argv[cli_argc++] = portFlag; cli_argv[cliArgs.argc++] = portFlag;
cli_argv[cli_argc++] = portNumber; cli_argv[cliArgs.argc++] = portNumber;
cliArgs.argc = cli_argc;
} }
} }
#endif #endif
commandLine[0] = '\0';
added = 0;
for (i = 0; i < cliArgs.argc; i++) {
added += XSTRLEN(cli_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) {
printf("client command line too long\n");
break;
}
strcat(commandLine, cli_argv[i]);
strcat(commandLine, flagSep);
}
printf("trying client command line[%d]: %s\n", tests, commandLine);
/* start client */ /* start client */
client_test(&cliArgs); client_test(&cliArgs);
@ -452,24 +456,28 @@ static void test_harness(void* vargs)
if (do_it) { if (do_it) {
ret = execute_test_case(svrArgsSz, svrArgs, ret = execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0); cliArgsSz, cliArgs, 0, 0, 0, 0);
/* don't repeat if not supported in build */ /* don't repeat if not supported in build */
if (ret == 0) { if (ret == 0) {
/* test with default cipher list on server side */
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 0); cliArgsSz, cliArgs, 0, 0, 0, 1);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 0); cliArgsSz, cliArgs, 0, 1, 0, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0); cliArgsSz, cliArgs, 1, 0, 0, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0, 0);
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 1); cliArgsSz, cliArgs, 0, 0, 1, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 1); cliArgsSz, cliArgs, 0, 1, 1, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 1); cliArgsSz, cliArgs, 1, 0, 1, 0);
execute_test_case(svrArgsSz, svrArgs, execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 1); cliArgsSz, cliArgs, 1, 1, 1, 0);
#endif #endif
} }
svrArgsSz = 1; svrArgsSz = 1;
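Review bot: In the last hunk of this file, `char portNumber[8];` is declared inside the `else {` block of `if (ready.port != 0) {` and goes out of scope at the `}` two lines later, yet `cli_argv[cliArgs.argc++] = portNumber;` keeps a pointer to it that the new client command-line loop reads (`XSTRLEN(cli_argv[i])`, `strcat(commandLine, cli_argv[i])`) and that `client_test(&cliArgs)` then consumes; that is a pointer to an automatic array whose lifetime has ended, which is undefined behaviour even if the stack slot usually survives. The same scoping existed before the commit, but the rewrite adds further uses after the block closes, so it is worth fixing here. Move the declaration to function scope next to `char cipherSuite[MAX_SUITE_SZ+1];` (`char portNumber[8];`) and drop the block-local one so the buffer lives until execute_test_case returns. execute_test_case begins and ends outside this hunk.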


@ -1,36 +1,3 @@
# server DTLSv1 DHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# client DTLSv1 DHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# server DTLSv1 ECDHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# client DTLSv1 ECDHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# server DTLSv1 ECDHE-EDCSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1 ECDHE-ECDSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-A ./certs/server-ecc.pem
# server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305 # server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305
-u -u
-v 3 -v 3
@ -223,16 +190,6 @@
-v 3 -v 3
-l AES256-SHA -l AES256-SHA
# server DTLSv1 AES128-SHA256
-u
-v 2
-l AES128-SHA256
# client DTLSv1 AES128-SHA256
-u
-v 2
-l AES128-SHA256
# server DTLSv1.2 AES128-SHA256 # server DTLSv1.2 AES128-SHA256
-u -u
-v 3 -v 3
@ -243,16 +200,6 @@
-v 3 -v 3
-l AES128-SHA256 -l AES128-SHA256
# server DTLSv1 AES256-SHA256
-u
-v 2
-l AES256-SHA256
# client DTLSv1 AES256-SHA256
-u
-v 2
-l AES256-SHA256
# server DTLSv1.2 AES256-SHA256 # server DTLSv1.2 AES256-SHA256
-u -u
-v 3 -v 3


@ -1,30 +1,3 @@
# server TLSv1.1 DHE-RSA-CHACHA20-POLY1305
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# client TLSv1.1 DHE-RSA-CHACHA20-POLY1305
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# server TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# client TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# server TLSv1.1 ECDHE-EDCSA-CHACHA20-POLY1305
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDHE-ECDSA-CHACHA20-POLY1305
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-A ./certs/server-ecc.pem
# server TLSv1.2 DHE-RSA-CHACHA20-POLY1305 # server TLSv1.2 DHE-RSA-CHACHA20-POLY1305
-v 3 -v 3
-l DHE-RSA-CHACHA20-POLY1305 -l DHE-RSA-CHACHA20-POLY1305
@ -189,22 +162,6 @@
-v 1 -v 1
-l AES256-SHA -l AES256-SHA
# server TLSv1 AES128-SHA256
-v 1
-l AES128-SHA256
# client TLSv1 AES128-SHA256
-v 1
-l AES128-SHA256
# server TLSv1 AES256-SHA256
-v 1
-l AES256-SHA256
# client TLSv1 AES256-SHA256
-v 1
-l AES256-SHA256
# server TLSv1.1 RC4-SHA # server TLSv1.1 RC4-SHA
-v 2 -v 2
-l RC4-SHA -l RC4-SHA
@ -245,30 +202,6 @@
-v 2 -v 2
-l AES128-SHA -l AES128-SHA
# server TLSv1.1 AES256-SHA
-v 2
-l AES256-SHA
# client TLSv1.1 AES256-SHA
-v 2
-l AES256-SHA
# server TLSv1.1 AES128-SHA256
-v 2
-l AES128-SHA256
# client TLSv1.1 AES128-SHA256
-v 2
-l AES128-SHA256
# server TLSv1.1 AES256-SHA256
-v 2
-l AES256-SHA256
# client TLSv1.1 AES256-SHA256
-v 2
-l AES256-SHA256
# server TLSv1.2 RC4-SHA # server TLSv1.2 RC4-SHA
-v 3 -v 3
-l RC4-SHA -l RC4-SHA
@ -1078,22 +1011,6 @@
-v 1 -v 1
-l DHE-RSA-AES256-SHA -l DHE-RSA-AES256-SHA
# server TLSv1 DHE AES128-SHA256
-v 1
-l DHE-RSA-AES128-SHA256
# client TLSv1 DHE AES128-SHA256
-v 1
-l DHE-RSA-AES128-SHA256
# server TLSv1 DHE AES256-SHA256
-v 1
-l DHE-RSA-AES256-SHA256
# client TLSv1 DHE AES256-SHA256
-v 1
-l DHE-RSA-AES256-SHA256
# server TLSv1.1 DHE AES128 # server TLSv1.1 DHE AES128
-v 2 -v 2
-l DHE-RSA-AES128-SHA -l DHE-RSA-AES128-SHA
@ -1110,22 +1027,6 @@
-v 2 -v 2
-l DHE-RSA-AES256-SHA -l DHE-RSA-AES256-SHA
# server TLSv1.1 DHE AES128-SHA256
-v 2
-l DHE-RSA-AES128-SHA256
# client TLSv1.1 DHE AES128-SHA256
-v 2
-l DHE-RSA-AES128-SHA256
# server TLSv1.1 DHE AES256-SHA256
-v 2
-l DHE-RSA-AES256-SHA256
# client TLSv1.1 DHE AES256-SHA256
-v 2
-l DHE-RSA-AES256-SHA256
# server TLSv1.1 DHE 3DES # server TLSv1.1 DHE 3DES
-v 2 -v 2
-l EDH-RSA-DES-CBC3-SHA -l EDH-RSA-DES-CBC3-SHA