WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Added test for server to use the default cipher suite list using new “-U” option. This allows the InitSuites logic to be used for determining cipher suites instead of always overriding using the “-l” option. Now both versions are used, so tests are done with wolfSSL_CTX_set_cipher_list and InitSuites. Removed a few cipher suite tests from test.conf that are not valid with old TLS. These were not picked up as failures before because wolfSSL_CTX_set_cipher_list matched on name only, allowing older versions to use the suite.

pull/830/head
David Garske 2017-04-04 14:31:47 -07:00
parent b827380baf
commit 4dcad96f97
4 changed files with 181 additions and 318 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
examples/server/server.c
View File

@ -267,6 +267,7 @@ static void Usage(void)
#endif
printf("-g Return basic HTML web page\n");
printf("-C <num> The number of connections to accept, default: 1\n");
printf("-U Force use of the default cipher suite list\n");
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
@ -319,6 +320,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
char* alpnList = NULL;
unsigned char alpn_opt = 0;
char* cipherList = NULL;
int useDefCipherList = 0;
const char* verifyCert = cliCertFile;
const char* ourCert = svrCertFile;
const char* ourKey = svrKeyFile;
@ -391,7 +393,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv,
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:")) != -1) {
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:U")) != -1) {
switch (ch) {
case '?' :
Usage();
@ -475,6 +477,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
cipherList = myoptarg;
break;
case 'U' :
useDefCipherList = 1;
break;
case 'A' :
verifyCert = myoptarg;
break;
@ -716,9 +722,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif
if (cipherList)
if (cipherList && !useDefCipherList) {
if (SSL_CTX_set_cipher_list(ctx, cipherList) != SSL_SUCCESS)
err_sys("server can't set cipher list 1");
}
#ifdef CYASSL_LEANPSK
if (!usePsk) {

150
tests/suites.c
View File

@ -54,6 +54,7 @@ static char flagSep[] = " ";
static char portFlag[] = "-p";
static char svrPort[] = "0";
#endif
static char forceDefCipherListFlag[] = "-U";
#ifndef WOLFSSL_ALLOW_SSLV3
@ -155,7 +156,7 @@ static int IsValidCipherSuite(const char* line, char* suite)
static int execute_test_case(int svr_argc, char** svr_argv,
int cli_argc, char** cli_argv,
int addNoVerify, int addNonBlocking,
int addDisableEMS)
int addDisableEMS, int forceSrvDefCipherList)
{
#ifdef WOLFSSL_TIRTOS
func_args cliArgs = {0};
@ -174,11 +175,14 @@ static int execute_test_case(int svr_argc, char** svr_argv,
char commandLine[MAX_COMMAND_SZ];
char cipherSuite[MAX_SUITE_SZ+1];
int i;
size_t added = 0;
size_t added;
static int tests = 1;
/* Is Valid Cipher and Version Checks */
/* build command list for the Is checks below */
commandLine[0] = '\0';
for (i = 0; i < svr_argc; i++) {
added = 0;
for (i = 0; i < svrArgs.argc; i++) {
added += XSTRLEN(svr_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) {
printf("server command line too long\n");
@ -187,7 +191,6 @@ static int execute_test_case(int svr_argc, char** svr_argv,
strcat(commandLine, svr_argv[i]);
strcat(commandLine, flagSep);
}
if (IsValidCipherSuite(commandLine, cipherSuite) == 0) {
#ifdef DEBUG_SUITE_TESTS
printf("cipher suite %s not supported in build\n", cipherSuite);
@ -203,7 +206,6 @@ static int execute_test_case(int svr_argc, char** svr_argv,
return VERSION_TOO_OLD;
}
#endif
#ifdef NO_OLD_TLS
if (IsOldTlsVersion(commandLine) == 1) {
#ifdef DEBUG_SUITE_TESTS
@ -213,78 +215,52 @@ static int execute_test_case(int svr_argc, char** svr_argv,
}
#endif
/* Build Client Command */
if (addNoVerify) {
printf("repeating test with client cert request off\n");
added += 4; /* -d plus space plus terminator */
if (added >= MAX_COMMAND_SZ || svr_argc >= MAX_ARGS)
if (svrArgs.argc >= MAX_ARGS)
printf("server command line too long\n");
else {
svr_argv[svr_argc++] = noVerifyFlag;
svrArgs.argc = svr_argc;
strcat(commandLine, noVerifyFlag);
strcat(commandLine, flagSep);
}
else
svr_argv[svrArgs.argc++] = noVerifyFlag;
}
if (addNonBlocking) {
printf("repeating test with non blocking on\n");
added += 4; /* -N plus terminator */
if (added >= MAX_COMMAND_SZ || svr_argc >= MAX_ARGS)
if (svrArgs.argc >= MAX_ARGS)
printf("server command line too long\n");
else {
svr_argv[svr_argc++] = nonblockFlag;
svrArgs.argc = svr_argc;
strcat(commandLine, nonblockFlag);
strcat(commandLine, flagSep);
}
else
svr_argv[svrArgs.argc++] = nonblockFlag;
}
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
/* add port 0 */
if (svr_argc + 2 > MAX_ARGS)
/* add port */
if (svrArgs.argc + 2 > MAX_ARGS)
printf("cannot add the magic port number flag to server\n");
else
{
svr_argv[svr_argc++] = portFlag;
svr_argv[svr_argc++] = svrPort;
svrArgs.argc = svr_argc;
else {
svr_argv[svrArgs.argc++] = portFlag;
svr_argv[svrArgs.argc++] = svrPort;
}
#endif
printf("trying server command line[%d]: %s\n", tests, commandLine);
if (forceSrvDefCipherList) {
if (svrArgs.argc >= MAX_ARGS)
printf("cannot add the force def cipher list flag to server\n");
else
svr_argv[svrArgs.argc++] = forceDefCipherListFlag;
}
/* update server flags list */
commandLine[0] = '\0';
added = 0;
for (i = 0; i < cli_argc; i++) {
added += XSTRLEN(cli_argv[i]) + 2;
for (i = 0; i < svrArgs.argc; i++) {
added += XSTRLEN(svr_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) {
printf("client command line too long\n");
printf("server command line too long\n");
break;
}
strcat(commandLine, cli_argv[i]);
strcat(commandLine, svr_argv[i]);
strcat(commandLine, flagSep);
}
if (addNonBlocking) {
added += 4; /* -N plus space plus terminator */
if (added >= MAX_COMMAND_SZ)
printf("client command line too long\n");
else {
cli_argv[cli_argc++] = nonblockFlag;
strcat(commandLine, nonblockFlag);
strcat(commandLine, flagSep);
cliArgs.argc = cli_argc;
}
}
if (addDisableEMS) {
printf("repeating test without extended master secret\n");
added += 4; /* -n plus terminator */
if (added >= MAX_COMMAND_SZ)
printf("client command line too long\n");
else {
cli_argv[cli_argc++] = disableEMSFlag;
strcat(commandLine, disableEMSFlag);
strcat(commandLine, flagSep);
cliArgs.argc = cli_argc;
}
}
printf("trying client command line[%d]: %s\n", tests++, commandLine);
printf("trying server command line[%d]: %s\n", tests, commandLine);
tests++; /* test count */
InitTcpReady(&ready);
@ -296,20 +272,48 @@ static int execute_test_case(int svr_argc, char** svr_argv,
svrArgs.signal = &ready;
start_thread(server_test, &svrArgs, &serverThread);
wait_tcp_ready(&svrArgs);
/* Build Client Command */
if (addNonBlocking) {
if (cliArgs.argc >= MAX_ARGS)
printf("cannot add the non block flag to client\n");
else
cli_argv[cliArgs.argc++] = nonblockFlag;
}
if (addDisableEMS) {
printf("repeating test without extended master secret\n");
if (cliArgs.argc >= MAX_ARGS)
printf("cannot add the disable EMS flag to client\n");
else
cli_argv[cliArgs.argc++] = disableEMSFlag;
}
#if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
if (ready.port != 0)
{
if (cli_argc + 2 > MAX_ARGS)
if (ready.port != 0) {
if (cliArgs.argc + 2 > MAX_ARGS)
printf("cannot add the magic port number flag to client\n");
else {
char portNumber[8];
snprintf(portNumber, sizeof(portNumber), "%d", ready.port);
cli_argv[cli_argc++] = portFlag;
cli_argv[cli_argc++] = portNumber;
cliArgs.argc = cli_argc;
cli_argv[cliArgs.argc++] = portFlag;
cli_argv[cliArgs.argc++] = portNumber;
}
}
#endif
commandLine[0] = '\0';
added = 0;
for (i = 0; i < cliArgs.argc; i++) {
added += XSTRLEN(cli_argv[i]) + 2;
if (added >= MAX_COMMAND_SZ) {
printf("client command line too long\n");
break;
}
strcat(commandLine, cli_argv[i]);
strcat(commandLine, flagSep);
}
printf("trying client command line[%d]: %s\n", tests, commandLine);
/* start client */
client_test(&cliArgs);
@ -452,24 +456,28 @@ static void test_harness(void* vargs)
if (do_it) {
ret = execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 0);
cliArgsSz, cliArgs, 0, 0, 0, 0);
/* don't repeat if not supported in build */
if (ret == 0) {
/* test with default cipher list on server side */
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 0);
cliArgsSz, cliArgs, 0, 0, 0, 1);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 0);
cliArgsSz, cliArgs, 0, 1, 0, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0);
cliArgsSz, cliArgs, 1, 0, 0, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 0, 0);
#ifdef HAVE_EXTENDED_MASTER
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 0, 1);
cliArgsSz, cliArgs, 0, 0, 1, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 0, 1, 1);
cliArgsSz, cliArgs, 0, 1, 1, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 0, 1);
cliArgsSz, cliArgs, 1, 0, 1, 0);
execute_test_case(svrArgsSz, svrArgs,
cliArgsSz, cliArgs, 1, 1, 1);
cliArgsSz, cliArgs, 1, 1, 1, 0);
#endif
}
svrArgsSz = 1;

53
tests/test-dtls.conf
View File

@ -1,36 +1,3 @@
# server DTLSv1 DHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# client DTLSv1 DHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# server DTLSv1 ECDHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# client DTLSv1 ECDHE-RSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# server DTLSv1 ECDHE-EDCSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client DTLSv1 ECDHE-ECDSA-CHACHA20-POLY1305
-u
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-A ./certs/server-ecc.pem
# server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305
-u
-v 3
@ -223,16 +190,6 @@
-v 3
-l AES256-SHA
# server DTLSv1 AES128-SHA256
-u
-v 2
-l AES128-SHA256
# client DTLSv1 AES128-SHA256
-u
-v 2
-l AES128-SHA256
# server DTLSv1.2 AES128-SHA256
-u
-v 3
@ -243,16 +200,6 @@
-v 3
-l AES128-SHA256
# server DTLSv1 AES256-SHA256
-u
-v 2
-l AES256-SHA256
# client DTLSv1 AES256-SHA256
-u
-v 2
-l AES256-SHA256
# server DTLSv1.2 AES256-SHA256
-u
-v 3

99
tests/test.conf
View File

@ -1,30 +1,3 @@
# server TLSv1.1 DHE-RSA-CHACHA20-POLY1305
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# client TLSv1.1 DHE-RSA-CHACHA20-POLY1305
-v 2
-l DHE-RSA-CHACHA20-POLY1305
# server TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# client TLSv1.1 ECDHE-RSA-CHACHA20-POLY1305
-v 2
-l ECDHE-RSA-CHACHA20-POLY1305
# server TLSv1.1 ECDHE-EDCSA-CHACHA20-POLY1305
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
# client TLSv1.1 ECDHE-ECDSA-CHACHA20-POLY1305
-v 2
-l ECDHE-ECDSA-CHACHA20-POLY1305
-A ./certs/server-ecc.pem
# server TLSv1.2 DHE-RSA-CHACHA20-POLY1305
-v 3
-l DHE-RSA-CHACHA20-POLY1305
@ -189,22 +162,6 @@
-v 1
-l AES256-SHA
# server TLSv1 AES128-SHA256
-v 1
-l AES128-SHA256
# client TLSv1 AES128-SHA256
-v 1
-l AES128-SHA256
# server TLSv1 AES256-SHA256
-v 1
-l AES256-SHA256
# client TLSv1 AES256-SHA256
-v 1
-l AES256-SHA256
# server TLSv1.1 RC4-SHA
-v 2
-l RC4-SHA
@ -245,30 +202,6 @@
-v 2
-l AES128-SHA
# server TLSv1.1 AES256-SHA
-v 2
-l AES256-SHA
# client TLSv1.1 AES256-SHA
-v 2
-l AES256-SHA
# server TLSv1.1 AES128-SHA256
-v 2
-l AES128-SHA256
# client TLSv1.1 AES128-SHA256
-v 2
-l AES128-SHA256
# server TLSv1.1 AES256-SHA256
-v 2
-l AES256-SHA256
# client TLSv1.1 AES256-SHA256
-v 2
-l AES256-SHA256
# server TLSv1.2 RC4-SHA
-v 3
-l RC4-SHA
@ -1078,22 +1011,6 @@
-v 1
-l DHE-RSA-AES256-SHA
# server TLSv1 DHE AES128-SHA256
-v 1
-l DHE-RSA-AES128-SHA256
# client TLSv1 DHE AES128-SHA256
-v 1
-l DHE-RSA-AES128-SHA256
# server TLSv1 DHE AES256-SHA256
-v 1
-l DHE-RSA-AES256-SHA256
# client TLSv1 DHE AES256-SHA256
-v 1
-l DHE-RSA-AES256-SHA256
# server TLSv1.1 DHE AES128
-v 2
-l DHE-RSA-AES128-SHA
@ -1110,22 +1027,6 @@
-v 2
-l DHE-RSA-AES256-SHA
# server TLSv1.1 DHE AES128-SHA256
-v 2
-l DHE-RSA-AES128-SHA256
# client TLSv1.1 DHE AES128-SHA256
-v 2
-l DHE-RSA-AES128-SHA256
# server TLSv1.1 DHE AES256-SHA256
-v 2
-l DHE-RSA-AES256-SHA256
# client TLSv1.1 DHE AES256-SHA256
-v 2
-l DHE-RSA-AES256-SHA256
# server TLSv1.1 DHE 3DES
-v 2
-l EDH-RSA-DES-CBC3-SHA