diff options
author | Emilia Kasper <emilia@openssl.org> | 2016-11-25 17:05:30 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2017-10-05 09:29:28 +0200 |
commit | c5e8bd1d8aa9dafdb515b6c055f1ac95c12f138d (patch) | |
tree | 12b0a5f55eadf43c4868cd090f073b312da86317 /test | |
parent | 619c589bdb2fc52e4f180db548222e2b7ab169d8 (diff) |
Test mac-then-encrypt
Verify that the encrypt-then-mac negotiation is handled
correctly. Additionally, when compiled with no-asm, this test ensures
coverage for the constant-time MAC copying code in
ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as
well but it's nevertheless better to have an explicit handshake test
for mac-then-encrypt.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b3618f44a7b8504bfb0a64e8a33e6b8e56d4d516)
Diffstat (limited to 'test')
-rw-r--r-- | test/recipes/80-test_ssl_new.t | 2 | ||||
-rw-r--r-- | test/ssl-tests/19-mac-then-encrypt.conf | 156 | ||||
-rw-r--r-- | test/ssl-tests/19-mac-then-encrypt.conf.in | 89 |
3 files changed, 246 insertions, 1 deletions
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 2f6a69a305..e986c76182 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -29,7 +29,7 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 18; # = scalar @conf_srcs +plan tests => 19; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. diff --git a/test/ssl-tests/19-mac-then-encrypt.conf b/test/ssl-tests/19-mac-then-encrypt.conf new file mode 100644 index 0000000000..40480edbf8 --- /dev/null +++ b/test/ssl-tests/19-mac-then-encrypt.conf @@ -0,0 +1,156 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 6 + +test-0 = 0-disable-encrypt-then-mac-server-sha +test-1 = 1-disable-encrypt-then-mac-client-sha +test-2 = 2-disable-encrypt-then-mac-both-sha +test-3 = 3-disable-encrypt-then-mac-server-sha2 +test-4 = 4-disable-encrypt-then-mac-client-sha2 +test-5 = 5-disable-encrypt-then-mac-both-sha2 +# =========================================================== + +[0-disable-encrypt-then-mac-server-sha] +ssl_conf = 0-disable-encrypt-then-mac-server-sha-ssl + +[0-disable-encrypt-then-mac-server-sha-ssl] +server = 0-disable-encrypt-then-mac-server-sha-server +client = 0-disable-encrypt-then-mac-server-sha-client + +[0-disable-encrypt-then-mac-server-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-disable-encrypt-then-mac-server-sha-client] +CipherString = AES128-SHA +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-disable-encrypt-then-mac-client-sha] +ssl_conf = 1-disable-encrypt-then-mac-client-sha-ssl + +[1-disable-encrypt-then-mac-client-sha-ssl] +server = 1-disable-encrypt-then-mac-client-sha-server +client = 1-disable-encrypt-then-mac-client-sha-client + +[1-disable-encrypt-then-mac-client-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-disable-encrypt-then-mac-client-sha-client] +CipherString = AES128-SHA +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success + + +# =========================================================== + +[2-disable-encrypt-then-mac-both-sha] +ssl_conf = 2-disable-encrypt-then-mac-both-sha-ssl + +[2-disable-encrypt-then-mac-both-sha-ssl] +server = 2-disable-encrypt-then-mac-both-sha-server +client = 2-disable-encrypt-then-mac-both-sha-client + +[2-disable-encrypt-then-mac-both-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-disable-encrypt-then-mac-both-sha-client] +CipherString = AES128-SHA +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +ExpectedResult = Success + + +# =========================================================== + +[3-disable-encrypt-then-mac-server-sha2] +ssl_conf = 3-disable-encrypt-then-mac-server-sha2-ssl + +[3-disable-encrypt-then-mac-server-sha2-ssl] +server = 3-disable-encrypt-then-mac-server-sha2-server +client = 3-disable-encrypt-then-mac-server-sha2-client + +[3-disable-encrypt-then-mac-server-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-disable-encrypt-then-mac-server-sha2-client] +CipherString = AES128-SHA256 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success + + +# =========================================================== + +[4-disable-encrypt-then-mac-client-sha2] +ssl_conf = 4-disable-encrypt-then-mac-client-sha2-ssl + +[4-disable-encrypt-then-mac-client-sha2-ssl] +server = 4-disable-encrypt-then-mac-client-sha2-server +client = 4-disable-encrypt-then-mac-client-sha2-client + +[4-disable-encrypt-then-mac-client-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-disable-encrypt-then-mac-client-sha2-client] +CipherString = AES128-SHA256 +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedResult = Success + + +# =========================================================== + +[5-disable-encrypt-then-mac-both-sha2] +ssl_conf = 5-disable-encrypt-then-mac-both-sha2-ssl + +[5-disable-encrypt-then-mac-both-sha2-ssl] +server = 5-disable-encrypt-then-mac-both-sha2-server +client = 5-disable-encrypt-then-mac-both-sha2-client + +[5-disable-encrypt-then-mac-both-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -EncryptThenMac +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-disable-encrypt-then-mac-both-sha2-client] +CipherString = AES128-SHA256 +Options = -EncryptThenMac +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = Success + + diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in new file mode 100644 index 0000000000..01afe251a7 --- /dev/null +++ b/test/ssl-tests/19-mac-then-encrypt.conf.in @@ -0,0 +1,89 @@ +# -*- mode: perl; -*- +# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +## SSL test configurations + +package ssltests; + +our @tests = ( + { + name => "disable-encrypt-then-mac-server-sha", + server => { + "Options" => "-EncryptThenMac", + }, + client => { + "CipherString" => "AES128-SHA", + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "disable-encrypt-then-mac-client-sha", + server => { + }, + client => { + "CipherString" => "AES128-SHA", + "Options" => "-EncryptThenMac", + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "disable-encrypt-then-mac-both-sha", + server => { + "Options" => "-EncryptThenMac", + }, + client => { + "CipherString" => "AES128-SHA", + "Options" => "-EncryptThenMac", + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "disable-encrypt-then-mac-server-sha2", + server => { + "Options" => "-EncryptThenMac", + }, + client => { + "CipherString" => "AES128-SHA256", + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "disable-encrypt-then-mac-client-sha2", + server => { + }, + client => { + "CipherString" => "AES128-SHA256", + "Options" => "-EncryptThenMac", + }, + test => { + "ExpectedResult" => "Success", + }, + }, + { + name => "disable-encrypt-then-mac-both-sha2", + server => { + "Options" => "-EncryptThenMac", + }, + client => { + "CipherString" => "AES128-SHA256", + "Options" => "-EncryptThenMac", + }, + test => { + "ExpectedResult" => "Success", + }, + }, +); |