From 36b022334c8ed04c98e253cbb86a1917a44b36c6 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Thu, 30 Jun 2022 11:16:53 +0200 Subject: [PATCH] Reorganize Opaque ssl-opt tests, pass key_opaque_algs=, add less wrong negative server testings Signed-off-by: Neil Armstrong --- tests/ssl-opt.sh | 128 +++++++++++++++++++++++++++++++---------------- 1 file changed, 84 insertions(+), 44 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5a1a7d60d9..91c892697b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1706,7 +1706,7 @@ run_test "TLS-ECDHE-ECDSA Opaque key for client authentication" \ "$P_SRV auth_mode=required crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ + key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ -c "key type: Opaque" \ -c "Ciphersuite is TLS-ECDHE-ECDSA" \ @@ -1726,7 +1726,7 @@ run_test "TLS-ECDHE-RSA Opaque key for client authentication" \ "$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \ key_file=data_files/server2.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ -c "Ciphersuite is TLS-ECDHE-RSA" \ 
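Review bot: The two client-side hunks here (`TLS-ECDHE-ECDSA` and `TLS-ECDHE-RSA Opaque key for client authentication`) only add a matching `key_opaque_algs=` value and still expect exit 0, so nothing visible in this patch checks that `$P_CLI` refuses a key whose policy does not fit the handshake. The negative cases added further down are all on the `$P_SRV` side. If client-side enforcement is not covered elsewhere in the file, a counterpart that gives the client the server5 key with `key_opaque_algs=rsa-decrypt,none` and expects a failed handshake would close that gap.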
@@ -1735,23 +1735,6 @@ run_test "TLS-ECDHE-RSA Opaque key for client authentication" \ -S "error" \ -C "error" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SHA256_C -run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key" \ - "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \ - debug_level=1" \ - "$P_CLI crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ - 1 \ - -s "key types: Opaque, none" \ - -s "got ciphersuites in common, but none of them usable" \ - -s "error" \ - -c "error" - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C @@ -1761,7 +1744,8 @@ run_test "TLS-DHE-RSA Opaque key for client authentication" \ "$P_SRV auth_mode=required crt_file=data_files/server2-sha256.crt \ key_file=data_files/server2.key" \ "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \ + key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ -c "Ciphersuite is TLS-DHE-RSA" \ 
@@ -1770,20 +1754,6 @@ run_test "TLS-DHE-RSA Opaque key for client authentication" \ -S "error" \ -C "error" -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 -requires_config_enabled MBEDTLS_USE_PSA_CRYPTO -requires_config_enabled MBEDTLS_RSA_C -run_test "RSA opaque key on server configured for decryption" \ - "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-decrypt,none" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \ - 0 \ - -c "Verifying peer X.509 certificate... ok" \ - -c "Ciphersuite is TLS-RSA-" \ - -s "key types: Opaque, Opaque" \ - -s "Ciphersuite is TLS-RSA-" \ - -S "error" \ - -C "error" - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_RSA_C @@ -1808,7 +1778,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ + key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ "$P_CLI crt_file=data_files/server5.crt \ key_file=data_files/server5.key" \ 0 \ 
@@ -1819,6 +1789,23 @@ run_test "TLS-ECDHE-ECDSA Opaque key for server authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "Opaque key for server authentication: invalid alg: decrypt with ECC key" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ + key_file=data_files/server5.key key_opaque_algs=rsa-decrypt,none \ + debug_level=1" \ + "$P_CLI crt_file=data_files/server5.crt \ + key_file=data_files/server5.key" \ + 1 \ + -s "key types: Opaque, none" \ + -s "got ciphersuites in common, but none of them usable" \ + -s "error" \ + -c "error" + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C @@ -1845,7 +1832,7 @@ requires_config_enabled MBEDTLS_SHA256_C run_test "Opaque key for server authentication (ECDH-)" \ "$P_SRV force_version=tls12 auth_mode=required key_opaque=1\ crt_file=data_files/server5.ku-ka.crt\ - key_file=data_files/server5.key" \ + key_file=data_files/server5.key key_opaque_algs=ecdh,none" \ "$P_CLI" \ 0 \ -c "Verifying peer X.509 certificate... ok" \ 
@@ -1855,6 +1842,24 @@ run_test "Opaque key for server authentication (ECDH-)" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_SHA256_C +requires_config_enabled MBEDTLS_CCM_C +run_test "Opaque key for server authentication: invalid alg: TLS-ECDHE-ECDSA with ecdh" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ + key_file=data_files/server5.key key_opaque_algs=ecdh,none \ + debug_level=1" \ + "$P_CLI crt_file=data_files/server5.crt \ + key_file=data_files/server5.key force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-256-CCM" \ + 1 \ + -s "key types: Opaque, none" \ + -s "got ciphersuites in common, but none of them usable" \ + -s "error" \ + -c "error" + # Test using a RSA opaque private key for server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO @@ -1864,7 +1869,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-ECDHE-RSA Opaque key for server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI crt_file=data_files/server2-sha256.crt \ key_file=data_files/server2.key" \ 0 \ 
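Review bot: The added test `invalid alg: TLS-ECDHE-ECDSA with ecdh` carries no comment saying why the handshake must fail, unlike the `# Test using a RSA opaque private key for server authentication` header that follows it. A line such as `# ecdh-only policy: the key must not be usable to sign the ECDHE-ECDSA ServerKeyExchange` would tell a reader that exit 1 is the key policy being enforced and not a setup problem. The same applies to the `PSS instead of PKCS1` test added in the `@@ -1894` hunk.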
@@ -1875,6 +1880,22 @@ run_test "TLS-ECDHE-RSA Opaque key for server authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "RSA opaque key on server configured for decryption" \ + "$P_SRV debug_level=1 key_opaque=1 key_opaque_algs=rsa-sign-pkcs1,none" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA256" \ + 0 \ + -c "Verifying peer X.509 certificate... ok" \ + -c "Ciphersuite is TLS-RSA-" \ + -s "key types: Opaque, Opaque" \ + -s "Ciphersuite is TLS-RSA-" \ + -S "error" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO requires_config_enabled MBEDTLS_X509_CRT_PARSE_C @@ -1883,7 +1904,7 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-DHE-RSA Opaque key for server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI crt_file=data_files/server2-sha256.crt \ key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ 
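Review bot: In the `@@ -1875` hunk the re-added test `RSA opaque key on server configured for decryption` now passes `key_opaque_algs=rsa-sign-pkcs1,none`, where the copy removed earlier in this patch passed `key_opaque_algs=rsa-decrypt,none`. The test still forces `TLS-RSA-WITH-AES-128-CBC-SHA256` and expects exit 0. A TLS-RSA key exchange has the server decrypt the premaster secret, so a sign-only policy should presumably not satisfy it. If the test passes as written, it would suggest the decrypt policy is not being checked on this path; if it fails, the suite is broken. Restoring `rsa-decrypt,none` matches the test name, and the sign-only variant fits better as a separate negative case expecting exit 1.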
@@ -1894,6 +1915,23 @@ run_test "TLS-DHE-RSA Opaque key for server authentication" \ -S "error" \ -C "error" +requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 +requires_config_enabled MBEDTLS_USE_PSA_CRYPTO +requires_config_enabled MBEDTLS_X509_CRT_PARSE_C +requires_config_enabled MBEDTLS_ECDSA_C +requires_config_enabled MBEDTLS_RSA_C +requires_config_enabled MBEDTLS_SHA256_C +run_test "Opaque key for server authentication: TLS-DHE-RSA, PSS instead of PKCS1" \ + "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pss,none debug_level=1" \ + "$P_CLI crt_file=data_files/server2-sha256.crt \ + key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + 1 \ + -s "key types: Opaque, none" \ + -s "got ciphersuites in common, but none of them usable" \ + -s "error" \ + -c "error" + # Test using an EC opaque private key for client/server authentication requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_USE_PSA_CRYPTO @@ -1902,9 +1940,9 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-ECDHE-ECDSA Opaque key for client/server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ + key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ "$P_CLI key_opaque=1 crt_file=data_files/server5.crt \ - key_file=data_files/server5.key" \ + key_file=data_files/server5.key key_opaque_algs=ecdsa-sign,none" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ 
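Review bot: The `PSS instead of PKCS1` test added in the `@@ -1894` hunk requires `MBEDTLS_ECDSA_C` although it uses only the RSA `server2-sha256.crt` certificate and a DHE-RSA ciphersuite, so this policy check would be skipped on RSA-only builds. The requirement may have been copied from a neighbouring test that this hunk does not show in full. Dropping that `requires_config_enabled MBEDTLS_ECDSA_C` line keeps the negative check running wherever RSA is available. The title also lacks the `invalid alg:` prefix the other two negative server tests use; `"Opaque key for server authentication: invalid alg: TLS-DHE-RSA with rsa-sign-pss"` would make all three easy to select together.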
@@ -1924,9 +1962,9 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-ECDHE-RSA Opaque key for client/server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ @@ -1945,9 +1983,10 @@ requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_SHA256_C run_test "TLS-DHE-RSA Opaque key for client/server authentication" \ "$P_SRV auth_mode=required key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none" \ "$P_CLI key_opaque=1 crt_file=data_files/server2-sha256.crt \ - key_file=data_files/server2.key force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ + key_file=data_files/server2.key key_opaque_algs=rsa-sign-pkcs1,none \ + force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \ 0 \ -c "key type: Opaque" \ -c "Verifying peer X.509 certificate... ok" \ @@ -1958,6 +1997,7 @@ run_test "TLS-DHE-RSA Opaque key for client/server authentication" \ -S "error" \ -C "error" + # Test ciphersuites which we expect to be fully supported by PSA Crypto # and check that we don't fall back to Mbed TLS' internal crypto primitives. run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CCM