Merge branch 'ingela/ssl/ECC-certs-test' into maint

* ingela/ssl/ECC-certs-test: ssl: Use SHA2 for signing ECC certs if possible
victorhge · Nov 10, 2016 · 3bdf757 · 3bdf757
2 parents bbdba69 + f226cf5
commit 3bdf757
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 31 deletions.
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -2193,7 +2193,7 @@ ciphers_dsa_signed_certs() ->
 
 ciphers_dsa_signed_certs(Config) when is_list(Config) ->
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:dsa_suites(),
+    Ciphers = ssl_test_lib:dsa_suites(tls_record:protocol_version(Version)),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, dsa).
 %%-------------------------------------------------------------------
@@ -2334,7 +2334,7 @@ ciphers_ecdsa_signed_certs() ->
 
 ciphers_ecdsa_signed_certs(Config) when is_list(Config) ->
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdsa_suites(),
+    Ciphers = ssl_test_lib:ecdsa_suites(tls_record:protocol_version(Version)),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdsa).
 %%--------------------------------------------------------------------
@@ -2352,7 +2352,7 @@ ciphers_ecdh_rsa_signed_certs() ->
 
 ciphers_ecdh_rsa_signed_certs(Config) when is_list(Config) ->
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdh_rsa_suites(),
+    Ciphers = ssl_test_lib:ecdh_rsa_suites(tls_record:protocol_version(Version)),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdh_rsa).
 %%--------------------------------------------------------------------
@@ -3663,29 +3663,32 @@ no_rizzo_rc4() ->
     [{doc,"Test that there is no 1/n-1-split for RC4 as it is not vunrable to Rizzo/Dungon attack"}].
 
 no_rizzo_rc4(Config) when is_list(Config) ->
-    Ciphers = [X || X ={_,Y,_} <- ssl:cipher_suites(),Y == rc4_128],
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
+    Ciphers  =  [ssl_cipher:erl_suite_definition(Suite) || 
+		    Suite  <- ssl_test_lib:rc4_suites(tls_record:protocol_version(Version))],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			{?MODULE, send_recv_result_active_no_rizzo, []}).
 
 rizzo_one_n_minus_one() ->
     [{doc,"Test that the 1/n-1-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
 
 rizzo_one_n_minus_one(Config) when is_list(Config) ->
-    Ciphers  = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y  =/= rc4_128],
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
+    AllSuites = ssl_test_lib:available_suites(tls_record:protocol_version(Version)),
+    Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_rizzo, []}).
 
 rizzo_zero_n() ->
     [{doc,"Test that the 0/n-split mitigation of Rizzo/Dungon attack can be explicitly selected"}].
 
 rizzo_zero_n(Config) when is_list(Config) ->
-    Ciphers  = [X || X ={_,Y,_} <- ssl:cipher_suites(), Y  =/= rc4_128],
     Prop = proplists:get_value(tc_group_properties, Config),
     Version = proplists:get_value(name, Prop),
+    AllSuites = ssl_test_lib:available_suites(tls_record:protocol_version(Version)),
+    Ciphers  = [X || X ={_,Y,_} <- AllSuites, Y  =/= rc4_128],
     run_send_recv_rizzo(Ciphers, Config, Version,
 			 {?MODULE, send_recv_result_active_no_rizzo, []}).
 
@@ -4436,7 +4439,7 @@ rizzo_test(Cipher, Config, Version, Mfa) ->
 					{host, Hostname},
 			   {from, self()},
 			   {mfa, Mfa},
-			   {options, [{active, true} | ClientOpts]}]),
+			   {options, [{active, true}, {ciphers, [Cipher]}| ClientOpts]}]),
 
     Result = ssl_test_lib:check_result(Server, ok, Client, ok),
     ssl_test_lib:close(Server),
@@ -4727,3 +4730,4 @@ first_rsa_suite([_ | Rest]) ->
 wait_for_send(Socket) ->
     %% Make sure TLS process processed send message event
     _ = ssl:connection_information(Socket).
+
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -1097,7 +1097,8 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
 					{mfa, {ssl_test_lib,
 					       send_recv_result_active, []}},
 					{options, [{active, true},
-						   {ciphers, ssl_test_lib:rsa_non_signed_suites()}
+						   {ciphers, 
+						    ssl_test_lib:rsa_non_signed_suites(tls_record:highest_protocol_version([]))}
 						   | ServerOpts]}]),
     Port  = ssl_test_lib:inet_port(Server),
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},

diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
@@ -462,9 +462,10 @@ cert_options(Config) ->
 
 
 make_dsa_cert(Config) ->
-
-    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, dsa, dsa, ""),
-    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, dsa, dsa, ""),
+    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = 
+	make_cert_files("server", Config, dsa, dsa, "", []),
+    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = 
+	make_cert_files("client", Config, dsa, dsa, "", []),
     [{server_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, 
 				 {cacertfile, ServerCaCertFile},
 				 {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
@@ -490,8 +491,10 @@ make_ecdsa_cert(Config) ->
     CryptoSupport = crypto:supports(),
     case proplists:get_bool(ecdsa, proplists:get_value(public_keys, CryptoSupport)) of
 	    true ->
-	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, ec, ec, ""),
-	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, ec, ec, ""),
+	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = 
+		make_cert_files("server", Config, ec, ec, "", [{digest, appropriate_sha(CryptoSupport)}]),
+	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = 
+		make_cert_files("client", Config, ec, ec, "", [{digest, appropriate_sha(CryptoSupport)}]),
 	    [{server_ecdsa_opts, [{ssl_imp, new},{reuseaddr, true},
 				  {cacertfile, ServerCaCertFile},
 				  {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
@@ -507,6 +510,14 @@ make_ecdsa_cert(Config) ->
 	    Config
     end.
 
+appropriate_sha(CryptoSupport) ->
+    case proplists:get_bool(sha256, CryptoSupport) of
+	true ->
+	    sha256;
+	false ->
+	    sha1
+    end.
+
 %% RFC 4492, Sect. 2.3.  ECDH_RSA
 %%
 %%    This key exchange algorithm is the same as ECDH_ECDSA except that the
@@ -515,8 +526,10 @@ make_ecdh_rsa_cert(Config) ->
     CryptoSupport = crypto:supports(),
     case proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)) of
 	true ->
-	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, rsa, ec, "rsa_"),
-	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, rsa, ec, "rsa_"),
+	    {ServerCaCertFile, ServerCertFile, ServerKeyFile} = 
+		make_cert_files("server", Config, rsa, ec, "rsa_", []),
+	    {ClientCaCertFile, ClientCertFile, ClientKeyFile} = 
+		make_cert_files("client", Config, rsa, ec, "rsa_",[]),
 	    [{server_ecdh_rsa_opts, [{ssl_imp, new},{reuseaddr, true},
 				     {cacertfile, ServerCaCertFile},
 				     {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
@@ -534,9 +547,9 @@ make_ecdh_rsa_cert(Config) ->
 
 make_mix_cert(Config) ->
     {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, dsa,
-									rsa, "mix"),
+									rsa, "mix", []),
     {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, dsa,
-									rsa, "mix"),
+									rsa, "mix", []),
     [{server_mix_opts, [{ssl_imp, new},{reuseaddr, true},
 				 {cacertfile, ServerCaCertFile},
 				 {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
@@ -549,11 +562,11 @@ make_mix_cert(Config) ->
 			{certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
      | Config].
 
-make_cert_files(RoleStr, Config, Alg1, Alg2, Prefix) ->
+make_cert_files(RoleStr, Config, Alg1, Alg2, Prefix, Opts) ->
     Alg1Str = atom_to_list(Alg1),
     Alg2Str = atom_to_list(Alg2),
-    CaInfo = {CaCert, _} = erl_make_certs:make_cert([{key, Alg1}]),
-    {Cert, CertKey} = erl_make_certs:make_cert([{key, Alg2}, {issuer, CaInfo}]),
+    CaInfo = {CaCert, _} = erl_make_certs:make_cert([{key, Alg1}| Opts]),
+    {Cert, CertKey} = erl_make_certs:make_cert([{key, Alg2}, {issuer, CaInfo} | Opts]),
     CaCertFile = filename:join([proplists:get_value(priv_dir, Config), 
 				RoleStr, Prefix ++ Alg1Str ++ "_cacerts.pem"]),
     CertFile = filename:join([proplists:get_value(priv_dir, Config), 
@@ -840,37 +853,42 @@ common_ciphers(openssl) ->
         lists:member(ssl_cipher:openssl_suite_name(S), OpenSslSuites)
     ].
 
-rsa_non_signed_suites() ->
+available_suites(Version) ->
+    [ssl_cipher:erl_suite_definition(Suite) || 
+	Suite  <-  ssl_cipher:filter_suites(ssl_cipher:suites(Version))].
+
+
+rsa_non_signed_suites(Version) ->
     lists:filter(fun({rsa, _, _}) ->
 			 true;
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+		 available_suites(Version)).
 
-dsa_suites() ->
+dsa_suites(Version) ->
      lists:filter(fun({dhe_dss, _, _}) ->
 			 true;
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+		 available_suites(Version)).
 
-ecdsa_suites() ->
+ecdsa_suites(Version) ->
      lists:filter(fun({ecdhe_ecdsa, _, _}) ->
 			 true;
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+		 available_suites(Version)).
 
-ecdh_rsa_suites() ->
+ecdh_rsa_suites(Version) ->
      lists:filter(fun({ecdh_rsa, _, _}) ->
 			 true;
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+		 available_suites(Version)).
 
 openssl_rsa_suites(CounterPart) ->
     Ciphers = ssl:cipher_suites(openssl),
@@ -1174,14 +1192,15 @@ is_fips(_) ->
     false.
 
 cipher_restriction(Config0) ->
+    Version = tls_record:protocol_version(protocol_version(Config0)),
     case is_sane_ecc(openssl) of
 	false ->
 	    Opts = proplists:get_value(server_opts, Config0),
 	    Config1 = proplists:delete(server_opts, Config0),
 	    VerOpts = proplists:get_value(server_verification_opts, Config1),
 	    Config = proplists:delete(server_verification_opts, Config1),
-	    Restricted0 = ssl:cipher_suites() -- ecdsa_suites(),
-            Restricted  = Restricted0 -- ecdh_rsa_suites(),
+	    Restricted0 = ssl:cipher_suites() -- ecdsa_suites(Version),
+            Restricted  = Restricted0 -- ecdh_rsa_suites(Version),
 	    [{server_opts, [{ciphers, Restricted} | Opts]}, {server_verification_opts, [{ciphers, Restricted} | VerOpts] } | Config];
 	true ->
 	    Config0

diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -834,7 +834,7 @@ ciphers_dsa_signed_certs() ->
     [{doc,"Test cipher suites that uses dsa certs"}].
 ciphers_dsa_signed_certs(Config) when is_list(Config) ->
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:dsa_suites(),
+    Ciphers = ssl_test_lib:dsa_suites(tls_record:protocol_version(Version)),
     run_suites(Ciphers, Version, Config, dsa).
 
 %%--------------------------------------------------------------------