-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | scripts/tls_test.c | 4 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c | 4 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 3 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 2 | ||||
-rw-r--r-- | src/libstrongswan/tests/test_runner.c | 24 | ||||
-rw-r--r-- | src/libstrongswan/tests/test_suite.c | 3 | ||||
-rw-r--r-- | src/libtls/Makefile.am | 2 | ||||
-rw-r--r-- | src/libtls/tests/.gitignore | 1 | ||||
-rw-r--r-- | src/libtls/tests/Makefile.am | 22 | ||||
-rw-r--r-- | src/libtls/tests/suites/test_socket.c | 524 | ||||
-rw-r--r-- | src/libtls/tests/suites/test_suites.c | 247 | ||||
-rw-r--r-- | src/libtls/tests/tls_tests.c | 57 | ||||
-rw-r--r-- | src/libtls/tests/tls_tests.h | 17 | ||||
-rw-r--r-- | src/libtls/tls.c | 1 | ||||
-rw-r--r-- | src/libtls/tls.h | 2 | ||||
-rw-r--r-- | src/libtls/tls_aead.c | 1 | ||||
-rw-r--r-- | src/libtls/tls_aead_expl.c | 1 | ||||
-rw-r--r-- | src/libtls/tls_aead_impl.c | 1 | ||||
-rw-r--r-- | src/libtls/tls_aead_null.c | 1 | ||||
-rw-r--r-- | src/libtls/tls_crypto.c | 78 | ||||
-rw-r--r-- | src/libtls/tls_crypto.h | 9 | ||||
-rw-r--r-- | src/libtls/tls_socket.c | 16 | ||||
-rw-r--r-- | src/libtls/tls_socket.h | 5 |
24 files changed, 988 insertions, 38 deletions
diff --git a/configure.ac b/configure.ac index e8eb5a67c..f57410b62 100644 --- a/configure.ac +++ b/configure.ac @@ -1495,6 +1495,7 @@ AC_CONFIG_FILES([ src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile + src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile diff --git a/scripts/tls_test.c b/scripts/tls_test.c index 7ec477aae..84a32f96f 100644 --- a/scripts/tls_test.c +++ b/scripts/tls_test.c @@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server, close(fd); return 1; } - tls = tls_socket_create(FALSE, server, client, fd, cache); + tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE); if (!tls) { close(fd); @@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server, } DBG1(DBG_TLS, "%#H connected", host); - tls = tls_socket_create(TRUE, server, NULL, cfd, cache); + tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE); if (!tls) { close(fd); diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c index 5206ba4e7..a652e7067 100644 --- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c +++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c @@ -876,7 +876,8 @@ static bool soap_init(private_tnc_ifmap_soap_t *this) } /* open TLS socket */ - this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, NULL); + this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd, + NULL, TLS_1_2, FALSE); if (!this->tls) { DBG1(DBG_TNC, "creating TLS socket failed"); @@ -923,4 +924,3 @@ tnc_ifmap_soap_t *tnc_ifmap_soap_create() return &this->public; } - diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c index 01a84cd14..315129d7e 100644 --- a/src/libpttls/pt_tls_client.c +++ b/src/libpttls/pt_tls_client.c 
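Review bot: Every `tls_socket_create()` call touched here gains two bare literals, and nothing at the call sites says what the last one switches on. Both hunks of scripts/tls_test.c pass `TRUE` for it, while tnc_ifmap_soap.c, pt_tls_client.c and pt_tls_server.c pass `FALSE`. The parameter is declared in tls_socket.h, which is not among these lines, so its meaning has to be confirmed there. If it relaxes cipher selection (the new socket tests also pass `TRUE`), the production callers staying on `FALSE` is the safe choice and worth stating with a one-line comment at each call, such as `/* max_version, nullok */`, if those are the names the header uses. The enclosing functions start and end outside these hunks.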
@@ -84,7 +84,8 @@ static bool make_connection(private_pt_tls_client_t *this) return FALSE; } - this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL); + this->tls = tls_socket_create(FALSE, this->server, this->client, fd, + NULL, TLS_1_2, FALSE); if (!this->tls) { close(fd); diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index 9af00e7c2..cedc2632c 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd, .destroy = _destroy, }, .state = PT_TLS_SERVER_VERSION, - .tls = tls_socket_create(TRUE, server, NULL, fd, NULL), + .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE), .tnccs = (tls_t*)tnccs, .auth = auth, ); diff --git a/src/libstrongswan/tests/test_runner.c b/src/libstrongswan/tests/test_runner.c index 6bb1b290c..5ec4198e7 100644 --- a/src/libstrongswan/tests/test_runner.c +++ b/src/libstrongswan/tests/test_runner.c @@ -315,7 +315,7 @@ static void sum_leaks(report_data_t *data, int count, size_t bytes, * Do library cleanup and optionally check for memory leaks */ static bool post_test(test_runner_init_t init, bool check_leaks, - array_t *failures, char *name, int i) + array_t *failures, char *name, int i, int *leaks) { report_data_t data = { .failures = failures, @@ -325,7 +325,15 @@ static bool post_test(test_runner_init_t init, bool check_leaks, if (init) { - init(FALSE); + if (test_restore_point()) + { + init(FALSE); + } + else + { + library_deinit(); + return FALSE; + } } if (check_leaks && lib->leak_detective) { @@ -335,7 +343,8 @@ static bool post_test(test_runner_init_t init, bool check_leaks, } library_deinit(); - return data.leaks != 0; + *leaks = data.leaks; + return TRUE; } /** 
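Review bot: `post_test()` in test_runner.c now returns whether cleanup succeeded instead of whether leaks were found, and reports the count through the new `leaks` pointer, but the comment above it still reads only `Do library cleanup and optionally check for memory leaks`. In the new `else` branch the function calls `library_deinit()` and returns `FALSE` without writing `*leaks` and without reaching the leak report, so a test whose `init(FALSE)` fails never has its leaks counted. That is harmless only because `run_case()` initialises `leaks = 0`. I would extend the comment with `@param leaks` and `@return FALSE if init(FALSE) failed; *leaks is left untouched in that case`, so a later caller does not read an uninitialised value.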
@@ -407,7 +416,8 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init) { if (pre_test(init)) { - bool ok = FALSE, leaks = FALSE; + bool ok = FALSE; + int leaks = 0; test_setup_timeout(tcase->timeout); @@ -424,9 +434,11 @@ static bool run_case(test_case_t *tcase, test_runner_init_t init) { call_fixture(tcase, FALSE); } - } - leaks = post_test(init, ok, failures, tfun->name, i); + if (!post_test(init, ok, failures, tfun->name, i, &leaks)) + { + ok = FALSE; + } test_setup_timeout(0); diff --git a/src/libstrongswan/tests/test_suite.c b/src/libstrongswan/tests/test_suite.c index 0f2e74b7c..fb40b05c1 100644 --- a/src/libstrongswan/tests/test_suite.c +++ b/src/libstrongswan/tests/test_suite.c @@ -136,7 +136,8 @@ static inline void test_failure() else { pthread_kill(main_thread, SIGUSR1); - /* how can we stop just the thread? longjmp to a restore point? */ + /* terminate thread to prevent it from going wild */ + pthread_exit(NULL); } } diff --git a/src/libtls/Makefile.am b/src/libtls/Makefile.am index e5e3b8be9..d565a1479 100644 --- a/src/libtls/Makefile.am +++ b/src/libtls/Makefile.am @@ -21,3 +21,5 @@ nobase_tls_include_HEADERS = \ tls_crypto.h tls_prf.h tls_socket.h tls_eap.h tls_cache.h tls_peer.h \ tls_server.h tls_handshake.h tls_application.h tls_aead.h tls.h endif + +SUBDIRS = . tests diff --git a/src/libtls/tests/.gitignore b/src/libtls/tests/.gitignore new file mode 100644 index 000000000..f9c77cf4e --- /dev/null +++ b/src/libtls/tests/.gitignore @@ -0,0 +1 @@ +tls_tests diff --git a/src/libtls/tests/Makefile.am b/src/libtls/tests/Makefile.am new file mode 100644 index 000000000..1c0e2f941 --- /dev/null +++ b/src/libtls/tests/Makefile.am 
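Review bot: `pthread_exit(NULL)` in `test_failure()` ends the failing thread at the point of the assertion, so a mutex it holds stays locked unless a cleanup handler releases it, and whatever it allocated is never freed. Nothing in this hunk tells the owner of the thread that it is gone; whether the job processor and `library_deinit()` cope with a worker that vanished mid-job is outside the visible lines and should be confirmed. The new comment could record that limitation, for example `/* terminate thread to prevent it from going wild; locks it holds are not released, the main thread must not block on them */`. The body of `test_failure()` starts outside the hunk.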
@@ -0,0 +1,22 @@ +TESTS = tls_tests + +check_PROGRAMS = $(TESTS) + +tls_tests_SOURCES = \ + suites/test_socket.c \ + suites/test_suites.c \ + tls_tests.h tls_tests.c + +tls_tests_CFLAGS = \ + -I$(top_srcdir)/src/libtls \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libstrongswan/tests \ + -DPLUGINDIR=\""$(top_builddir)/src/libstrongswan/plugins\"" \ + -DPLUGINS=\""${s_plugins}\"" \ + @COVERAGE_CFLAGS@ + +tls_tests_LDFLAGS = @COVERAGE_LDFLAGS@ +tls_tests_LDADD = \ + $(top_builddir)/src/libtls/libtls.la \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libstrongswan/tests/libtest.la diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c new file mode 100644 index 000000000..42a4607b7 --- /dev/null +++ b/src/libtls/tests/suites/test_socket.c 
@@ -0,0 +1,524 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <test_suite.h> + +#include <unistd.h> +#include <errno.h> + +#include <processing/jobs/callback_job.h> +#include <credentials/sets/mem_cred.h> + +#include "tls_socket.h" + +/** + * Credentials for authentication + */ +static mem_cred_t *creds; + +/** + * RSA private key, 2048 bit + */ +static char rsa[] = { + 0x30,0x82,0x04,0xa4,0x02,0x01,0x00,0x02,0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc, + 0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7, + 0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49, + 0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e, + 0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40, + 0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad, + 0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30, + 0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74, + 0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7, + 0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89, + 0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91, + 0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3, + 
0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6, + 0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb, + 0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57, + 0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed, + 0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00, + 0x01,0x02,0x82,0x01,0x01,0x00,0xd9,0x5b,0x99,0x74,0x80,0xb4,0x57,0xcc,0x82,0x2a, + 0x17,0x66,0x1d,0x3c,0xde,0xea,0xbd,0x11,0x40,0x03,0x62,0x47,0xe3,0xe5,0x2c,0x6b, + 0x65,0x67,0x0f,0x0b,0x96,0x13,0x83,0x4c,0x71,0x58,0xfa,0xfe,0xe6,0xe9,0x37,0xeb, + 0x98,0x51,0x73,0x48,0xcc,0xf9,0xe1,0x46,0x5b,0xfe,0x16,0xe1,0xc0,0xa5,0x75,0xf3, + 0x4d,0x30,0x84,0x14,0x15,0x04,0x6f,0x3e,0xa3,0x03,0xbd,0xba,0x4f,0x5a,0x71,0xe9, + 0x26,0xbf,0x5d,0x7a,0x93,0x22,0x98,0xb5,0xcf,0x51,0xc3,0xc7,0x51,0xb8,0x59,0x0a, + 0xfb,0xd7,0xe5,0xa8,0x1d,0x0f,0x5c,0xfd,0x30,0x0e,0x71,0xd7,0x79,0xc4,0x60,0x55, + 0x9e,0x1e,0x1c,0x0b,0x9a,0x40,0xb8,0x7a,0x8d,0xb2,0xec,0xb0,0x70,0x8a,0x19,0x5f, + 0x1d,0x2e,0xde,0x90,0x8f,0x68,0x56,0x08,0xce,0x0c,0x08,0xde,0xc7,0xf8,0x13,0xef, + 0xd2,0xbc,0x92,0xb6,0xfb,0xec,0xb6,0x04,0xf6,0x8f,0x7d,0x95,0xe9,0xeb,0xc7,0xfb, + 0xcc,0x4f,0xad,0x41,0xf1,0x4c,0x79,0x07,0xdd,0x4b,0x40,0xb4,0x74,0x44,0x9a,0x06, + 0x0a,0x0f,0xb2,0xda,0x12,0x46,0xe5,0xee,0x01,0x64,0xe5,0xf0,0x82,0x69,0xf9,0xf1, + 0xe9,0x41,0x13,0x5a,0xee,0xc0,0x37,0x9a,0xbe,0x9a,0x9a,0x06,0x4b,0x52,0xd6,0xf3, + 0x1b,0x30,0x64,0x93,0x3a,0x97,0xe1,0xdc,0x50,0x1f,0x46,0xc4,0x81,0x6a,0x17,0x52, + 0x49,0x85,0xc6,0x85,0xb7,0x60,0xd4,0xf0,0xd1,0x6a,0xeb,0x50,0x8c,0xb7,0xeb,0x1f, + 0x17,0x0e,0xf0,0xfd,0x67,0x03,0x7c,0x74,0x1a,0xac,0x66,0x81,0x00,0x45,0x5e,0xf3, + 0xd9,0x9d,0x22,0x99,0xc4,0x11,0x02,0x81,0x81,0x00,0xfa,0x44,0x32,0x14,0xb2,0x82, + 0x28,0x02,0x46,0x05,0xdd,0x8d,0xb1,0x9f,0x9e,0x6f,0x61,0xf2,0x01,0xa0,0x2b,0x76, + 0xee,0x46,0xaa,0x2d,0x2d,0x5b,0xd2,0x67,0x90,0x36,0xbb,0xa0,0x07,0xdf,0x9b,0xad, + 
0x18,0x1e,0xa7,0xe6,0x36,0xc6,0x49,0xda,0xc5,0x0d,0x52,0x29,0x5a,0x40,0xcf,0xdf, + 0x8d,0xd0,0xa3,0xc2,0x34,0x17,0x9f,0xb5,0xf1,0x67,0xac,0x29,0x10,0xc2,0x5c,0x62, + 0xe3,0xe2,0x5c,0x9f,0x93,0xcc,0xb5,0xeb,0x16,0x64,0x44,0x9f,0x6b,0x5a,0xac,0x19, + 0x09,0xff,0x4b,0x78,0x7f,0xec,0x5a,0xbd,0xe9,0xcb,0x74,0xbb,0x30,0x13,0xc5,0x25, + 0x8b,0xac,0x8d,0xf9,0xa9,0x99,0x25,0xf5,0xce,0x07,0xb6,0x2b,0x1b,0x42,0xed,0x3a, + 0x30,0x4a,0xfc,0x5f,0xf0,0xe2,0x26,0xa6,0x60,0x5d,0x02,0x81,0x81,0x00,0xf4,0x1a, + 0xc2,0x7e,0xa0,0xa0,0xad,0x20,0x65,0x04,0xe8,0xf7,0xb0,0xb1,0x76,0x79,0x08,0x18, + 0x58,0x93,0x21,0xf1,0x56,0x58,0x58,0x18,0x4a,0x5c,0x59,0x08,0x27,0x64,0x09,0xcb, + 0x0b,0x0b,0x4e,0x26,0xc8,0x0b,0x87,0x67,0x40,0xc1,0xab,0x31,0x60,0xa6,0x78,0xdd, + 0x78,0xc8,0x86,0x38,0xbd,0x19,0xde,0x0b,0x70,0x72,0xec,0x36,0x88,0x39,0x69,0x70, + 0xda,0xa6,0x2e,0xf9,0x5c,0xd8,0x17,0xc5,0xfa,0xf8,0xa5,0xc9,0x9b,0xf0,0xfe,0x03, + 0x71,0x57,0xfa,0x58,0x0f,0x33,0xc3,0xab,0xce,0xb0,0x5d,0xd0,0x40,0x07,0x9a,0x0b, + 0xff,0xb9,0xaa,0x9d,0xc5,0x33,0x7f,0x5f,0x48,0x7e,0x54,0x82,0xd1,0xdf,0x75,0x69, + 0xee,0xe5,0xf5,0x80,0x44,0xce,0x52,0x72,0x14,0x2c,0xe6,0xa7,0xd5,0x8d,0x02,0x81, + 0x81,0x00,0xb8,0xf7,0x70,0x20,0x35,0xf2,0xd6,0x89,0x1f,0xa1,0xb4,0x26,0xc6,0x51, + 0xd7,0xb2,0x30,0xac,0xc1,0xa0,0xd4,0x9e,0xf8,0xea,0x87,0x5a,0x0e,0x7d,0x1f,0xdb, + 0xe5,0x0d,0x5e,0xcc,0x9f,0x25,0x18,0x14,0xed,0x8f,0xb2,0xbe,0x06,0x5b,0xb5,0x38, + 0x18,0x8d,0x88,0xdd,0x01,0x54,0x87,0x8e,0x8d,0x6c,0xd7,0xab,0x6f,0xfe,0xc9,0xce, + 0x9a,0x15,0xea,0x7b,0x0b,0x64,0xeb,0x0d,0x37,0xaa,0x14,0x94,0xe8,0x92,0xd3,0x1d, + 0x66,0x16,0x43,0x55,0xa3,0xed,0x86,0xe6,0x96,0xa9,0xf5,0xe8,0xa0,0x7b,0x5a,0x71, + 0xa4,0x7a,0xf7,0xd2,0x65,0x6d,0x27,0x37,0x61,0xac,0xed,0xdd,0xc9,0x08,0x64,0xb2, + 0xf0,0x4c,0x68,0xca,0x21,0x42,0xec,0xbc,0x25,0xf7,0x35,0xe1,0xde,0xd1,0xf6,0x88, + 0xdf,0x0d,0x02,0x81,0x80,0x44,0xb0,0xcb,0x0e,0x6b,0x11,0x0b,0xe6,0xd3,0xc6,0x7f, + 0xf0,0x43,0x6e,0x8c,0xd2,0x1e,0x2f,0x0b,0xad,0xcb,0x9d,0x68,0x18,0xd0,0x21,0x75, + 
0xbb,0x6a,0xea,0x5a,0x7b,0x52,0x2e,0x2a,0xdb,0x71,0x90,0x84,0x36,0x8a,0x51,0xc9, + 0xed,0x35,0xc9,0x5d,0x53,0x3b,0x2b,0xc7,0x73,0x56,0x21,0xdd,0x44,0xcc,0x31,0x17, + 0xe1,0x9f,0x0a,0xf1,0x66,0x86,0x7f,0x55,0x67,0xf2,0x4c,0x05,0x8e,0x61,0x92,0x3a, + 0xbf,0x81,0x97,0xac,0x24,0x32,0xb6,0xb1,0x4c,0x7a,0x8c,0x11,0x2b,0x15,0xe2,0xe0, + 0xf4,0xcc,0x51,0x6f,0xd3,0x33,0xcc,0x30,0x98,0x04,0xa5,0x04,0xfb,0x2a,0xda,0x9b, + 0x41,0xc1,0x72,0x56,0xb0,0xb5,0x0f,0xac,0x44,0x55,0xc3,0x54,0x99,0x62,0xa5,0xeb, + 0x7b,0x7f,0x24,0xb7,0x79,0x02,0x81,0x80,0x0a,0x3b,0x9b,0x91,0x1d,0x9b,0x04,0x4e, + 0xdf,0xd9,0xe6,0x47,0xf3,0x79,0xb7,0x17,0xcf,0x42,0xa5,0xde,0x94,0xf0,0xfe,0xed, + 0x46,0xf6,0xaf,0x3e,0x6c,0x91,0x01,0x89,0x79,0x81,0xea,0x2b,0x82,0x68,0x0e,0xd8, + 0x25,0xaf,0x79,0x8b,0x14,0xfd,0xf2,0x29,0x20,0x34,0x2d,0x0b,0x08,0x8c,0x3b,0x2b, + 0xfc,0x75,0xe9,0x4e,0x21,0xa6,0xb2,0x35,0x67,0x8d,0x4c,0x90,0x94,0x02,0xd5,0x32, + 0x23,0xc6,0xa0,0x92,0x2e,0xfa,0x97,0x48,0x5b,0x95,0xc3,0xf1,0xbc,0x6b,0xe8,0x4c, + 0x92,0x6f,0x5e,0x3d,0xf9,0xbd,0x2c,0xf0,0x83,0x1c,0xe6,0xb3,0x45,0x68,0x32,0x8d, + 0x85,0x20,0xcb,0x9d,0xd2,0x30,0x5a,0x57,0xa4,0x6e,0x27,0xb5,0x29,0x14,0xdb,0xf1, + 0x4b,0x9a,0xc3,0xc1,0xc5,0x37,0x6d,0x1b, +}; + +/** + * ECDSA private key + */ +static char ecdsa[] = { + 0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0xc0,0x1f,0xfd,0x65,0xc6,0xc4,0x4c,0xb8, + 0xff,0x56,0x08,0xb5,0xbd,0xb8,0xf5,0x93,0xf7,0x51,0x0e,0x92,0x1f,0x06,0xbf,0xa6, + 0xd9,0x1d,0xae,0xa3,0x16,0x0d,0x0f,0xc9,0xd5,0x97,0x90,0x46,0xf1,0x98,0xa8,0x18, + 0x07,0xba,0xcf,0x91,0x8e,0x07,0xed,0x88,0xa0,0x07,0x06,0x05,0x2b,0x81,0x04,0x00, + 0x22,0xa1,0x64,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09,0x22,0x21,0x12,0x69, + 0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3,0xdb,0xb9,0xb1,0xee, + 0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef,0x4e,0xe3,0xdd,0xf4, + 0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,0x5b,0xe6,0xde,0x0a, + 
0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,0x5b,0x57,0xb0,0x01, + 0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,0x9a,0x1c,0x52,0x09, + 0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97, +}; + +/** + * TLS certificate for RSA key + */ +static char rsa_crt[] = { + 0x30,0x82,0x03,0x1f,0x30,0x82,0x02,0x07,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xf0,0xbb,0xac,0xc3,0xa1,0x6b,0xf3,0x1c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86, + 0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13, + 0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06, + 0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17, + 0x0d,0x31,0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x17,0x0d, + 0x31,0x37,0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x30,0x34,0x31, + 0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11, + 0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61, + 0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d, + 0x72,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, + 0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02, + 0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18, + 0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea, + 0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a, + 0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59, + 0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39, + 0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc, + 0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16, + 
0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6, + 0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7, + 0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6, + 0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25, + 0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f, + 0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc, + 0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a, + 0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3, + 0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0, + 0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x34,0x30,0x32,0x30,0x1f,0x06, + 0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x96,0x0e,0xc8,0xd3,0xb3,0x3f, + 0xd1,0x11,0xb6,0x36,0x70,0xdb,0x37,0x98,0x3c,0xab,0x69,0x03,0x69,0x56,0x30,0x0f, + 0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30, + 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x94,0x1d,0x08,0xda,0x7b,0xc4,0xa3,0xf4,0x40,0x54,0xae,0x45,0x6a, + 0xb3,0x62,0xb6,0x0b,0x35,0xc7,0x5f,0xed,0xb9,0x42,0x33,0xd5,0x32,0x80,0x23,0x76, + 0x87,0xae,0x59,0xbb,0x77,0x00,0xc4,0xbf,0x60,0x3b,0x9b,0x04,0x46,0x52,0xde,0x9f, + 0x16,0xc6,0x96,0x5e,0x7a,0xb5,0xbb,0x49,0x6a,0x89,0x4a,0x60,0x0b,0x85,0x15,0xec, + 0xbb,0x83,0x79,0x01,0xfa,0x3c,0xd5,0x1e,0x6a,0x75,0xe7,0x93,0xc9,0xc4,0xbb,0xea, + 0xad,0xa2,0x23,0x32,0xc5,0x57,0x4c,0x41,0xb2,0x41,0x91,0x53,0x5e,0xaf,0x98,0x83, + 0xcb,0x6b,0xa8,0x2f,0xc8,0x06,0x16,0x18,0x5a,0x75,0xe1,0xee,0xac,0xc0,0x28,0x08, + 0x0a,0x09,0xd1,0x03,0xba,0x65,0xf1,0x89,0xcc,0x63,0x6f,0xb2,0x70,0xdc,0x46,0x2b, + 0x62,0x5b,0x64,0xd4,0x7a,0xc4,0x12,0xe2,0x88,0x3a,0x54,0x0a,0xf5,0x1e,0x1c,0x9e, + 0x9a,0xb2,0x62,0xf9,0xd3,0x02,0xf0,0xc1,0xf0,0x7b,0x4d,0xf3,0x44,0xd8,0x3c,0x13, + 
0x1d,0xfc,0x78,0xa3,0x54,0x68,0xce,0x43,0x31,0x78,0x58,0x2f,0x5d,0xb8,0xa7,0xff, + 0x54,0xae,0x6e,0x25,0xd7,0x40,0x6c,0x59,0x7b,0x5f,0x18,0x31,0xe9,0xfc,0x53,0x34, + 0xb2,0xb0,0x18,0xd4,0x2c,0x85,0x9d,0xad,0x2d,0xd2,0x05,0x5d,0x2e,0x47,0xee,0x09, + 0x3d,0x05,0x2e,0x46,0x66,0xea,0x09,0xb2,0x81,0xd3,0x9b,0x28,0xbf,0xf9,0x9c,0x54, + 0x98,0xb7,0x2d,0x38,0xd8,0xae,0x03,0x70,0xae,0x1e,0xd4,0xa9,0xb7,0x2e,0xdb,0x02, + 0x6a,0x84,0x0f,0x6c,0xe8,0xb8,0x25,0x73,0x84,0x13,0x9f,0x34,0x24,0xb8,0xfc,0x96, + 0x4c,0x91,0xfa, +}; + +/** + * TLS certificate for ECDSA key + */ +static char ecdsa_crt[] = { + 0x30,0x82,0x01,0xd3,0x30,0x82,0x01,0x59,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xaa,0x92,0xf5,0x39,0x85,0xf5,0xd5,0xa3,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce, + 0x3d,0x04,0x01,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72, + 0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03, + 0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x31, + 0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x17,0x0d,0x31,0x37, + 0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31, + 0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63, + 0x64,0x73,0x61,0x30,0x76,0x30,0x10,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01, + 0x06,0x05,0x2b,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0xd6,0xba,0xe1,0xf0,0x09, + 0x22,0x21,0x12,0x69,0xed,0x0e,0xd5,0x02,0x8c,0xb8,0x52,0xbb,0x57,0x68,0x0e,0xf3, + 0xdb,0xb9,0xb1,0xee,0x9c,0x67,0xa0,0xb8,0xdc,0x13,0x1e,0x5b,0x44,0x71,0x04,0xef, + 0x4e,0xe3,0xdd,0xf4,0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3, + 
0x5b,0xe6,0xde,0x0a,0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e, + 0x5b,0x57,0xb0,0x01,0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d, + 0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x34,0x30,0x32,0x30, + 0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4f,0x1e,0x5d,0x94, + 0x85,0xe2,0xbc,0x86,0x0e,0x80,0xce,0x17,0x92,0x42,0xb4,0xb8,0x19,0x67,0xb8,0xfe, + 0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00, + 0x01,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01,0x03,0x69,0x00,0x30, + 0x66,0x02,0x31,0x00,0xdc,0x6e,0x3b,0xe4,0x9f,0x36,0xa5,0xa8,0x88,0x8d,0xcf,0x2d, + 0xa1,0x6e,0x33,0x68,0x73,0xd6,0x6a,0xd6,0x1d,0x00,0xe5,0x5c,0x76,0x09,0x5e,0xe9, + 0x7a,0x3a,0x00,0x5e,0xbc,0xef,0x0d,0x8d,0x95,0x5c,0x2b,0xfc,0xa4,0xe3,0xe3,0xcf, + 0x74,0x95,0x00,0x21,0x02,0x31,0x00,0x8f,0x40,0x3e,0xfc,0xe9,0xae,0x17,0x9b,0x36, + 0x39,0xe2,0x79,0xa5,0x7b,0x5d,0xe3,0xe0,0x84,0x68,0x7e,0x00,0x57,0xbe,0x4d,0xe3, + 0x0e,0xff,0x20,0x9c,0xce,0xd1,0x43,0x76,0x00,0x6e,0x59,0x7b,0xac,0x94,0x05,0xef, + 0xed,0xca,0x8b,0xe5,0x7f,0xa5,0xd7, +}; + +START_SETUP(setup_creds) +{ + private_key_t *key; + certificate_t *cert; + + creds = mem_cred_create(); + + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, + BUILD_BLOB, chunk_from_thing(rsa), BUILD_END); + if (key) + { + creds->add_key(creds, key); + } + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + BUILD_BLOB, chunk_from_thing(ecdsa), BUILD_END); + if (key) + { + creds->add_key(creds, key); + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, chunk_from_thing(rsa_crt), BUILD_END); + if (cert) + { + creds->add_cert(creds, TRUE, cert); + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB, chunk_from_thing(ecdsa_crt), BUILD_END); + if (cert) + { + creds->add_cert(creds, TRUE, cert); + } + + lib->credmgr->add_set(lib->credmgr, &creds->set); +} +END_SETUP + 
+START_TEARDOWN(teardown_creds) +{ + lib->credmgr->remove_set(lib->credmgr, &creds->set); + creds->destroy(creds); +} +END_TEARDOWN + +/** + * Configuration for an echo server + */ +typedef struct { + tls_version_t version; + u_int16_t port; + char *addr; + chunk_t data; + int fd; + bool cauth; +} echo_server_config_t; + +/** + * Run an echo server + */ +static job_requeue_t serve_echo(echo_server_config_t *config) +{ + tls_socket_t *tls; + int sfd, cfd; + identification_t *server, *client = NULL; + ssize_t len, total, done; + char buf[128]; + + server = identification_create_from_string(config->addr); + if (config->cauth) + { + client = server; + } + sfd = config->fd; + while (TRUE) + { + cfd = accept(sfd, NULL, NULL); + if (cfd < 0) + { + break; + } + + tls = tls_socket_create(TRUE, server, client, cfd, NULL, + config->version, TRUE); + ck_assert(tls != NULL); + + while (TRUE) + { + len = tls->read(tls, buf, sizeof(buf), TRUE); + if (len <= 0) + { + break; + } + total = 0; + while (total < len) + { + done = tls->write(tls, buf + total, len - total); + ck_assert_msg(done > 0, "%s", strerror(errno)); + total += done; + } + } + + tls->destroy(tls); + close(cfd); + } + server->destroy(server); + + return JOB_REQUEUE_NONE; +} + +/** + * Start a echo server using config + */ +static void start_echo_server(echo_server_config_t *config) +{ + host_t *host; + int on = 1; + + host = host_create_from_string(config->addr, config->port); + + config->fd = socket(AF_INET, SOCK_STREAM, 0); + ck_assert(config->fd != -1); + ck_assert(setsockopt(config->fd, SOL_SOCKET, SO_REUSEADDR, + (void*)&on, sizeof(on)) != -1); + ck_assert_msg(bind(config->fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) != -1, "%s", strerror(errno)); + host->destroy(host); + ck_assert(listen(config->fd, 1) != -1); + + lib->processor->set_threads(lib->processor, 8); + + lib->processor->queue_job(lib->processor, (job_t*) + callback_job_create((void*)serve_echo, config, NULL, NULL)); +} + +/** + * 
Run client to perform echo test + */ +static void run_echo_client(echo_server_config_t *config) +{ + tls_socket_t *tls; + ssize_t len, rd, wr; + int fd; + host_t *host; + identification_t *server, *client = NULL; + char buf[128]; + + host = host_create_from_string(config->addr, config->port); + server = identification_create_from_string(config->addr); + if (config->cauth) + { + client = server; + } + + fd = socket(AF_INET, SOCK_STREAM, 0); + ck_assert(fd != -1); + ck_assert(connect(fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) != -1); + tls = tls_socket_create(FALSE, server, client, fd, NULL, + config->version, TRUE); + ck_assert(tls != NULL); + + wr = rd = 0; + while (rd < config->data.len) + { + len = tls->write(tls, config->data.ptr + wr, config->data.len - wr); + ck_assert(len >= 0); + wr += len; + + len = tls->read(tls, buf, sizeof(buf), FALSE); + if (len == -1 && errno == EWOULDBLOCK) + { + continue; + } + if (len == 0) + { + ck_assert_int_eq(rd, config->data.len); + break; + } + ck_assert(len > 0); + ck_assert(rd + len <= config->data.len); + ck_assert(memeq(buf, config->data.ptr + rd, len)); + rd += len; + } + + tls->destroy(tls); + close(fd); + host->destroy(host); + server->destroy(server); +} + +/** + * Common test wrapper function for different test variants + */ +static void test_tls(tls_version_t version, u_int16_t port, bool cauth, u_int i) +{ + echo_server_config_t *config; + tls_cipher_suite_t *suites; + char suite[128]; + int count; + + INIT(config, + .version = version, + .addr = "127.0.0.1", + .port = port, + .cauth = cauth, + .data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08), + ); + + start_echo_server(config); + + count = tls_crypto_get_supported_suites(TRUE, &suites); + + ck_assert(i < count); + snprintf(suite, sizeof(suite), "%N", tls_cipher_suite_names, suites[i]); + lib->settings->set_str(lib->settings, "%s.tls.suites", suite, lib->ns); + + run_echo_client(config); + + free(suites); + + shutdown(config->fd, 
SHUT_RDWR); + close(config->fd); + + free(config); +} + +START_TEST(test_tls12) +{ + test_tls(TLS_1_2, 5671, FALSE, _i); +} +END_TEST + +START_TEST(test_tls12_mutual) +{ + test_tls(TLS_1_2, 5672, TRUE, _i); +} +END_TEST + +START_TEST(test_tls11) +{ + test_tls(TLS_1_1, 5673, FALSE, _i); +} +END_TEST + +START_TEST(test_tls11_mutual) +{ + test_tls(TLS_1_1, 5674, TRUE, _i); +} +END_TEST + +START_TEST(test_tls10) +{ + test_tls(TLS_1_0, 5675, FALSE, _i); +} +END_TEST + +START_TEST(test_tls10_mutual) +{ + test_tls(TLS_1_0, 5676, TRUE, _i); +} +END_TEST + +Suite *socket_suite_create() +{ + Suite *s; + TCase *tc; + int count; + + count = tls_crypto_get_supported_suites(TRUE, NULL); + + s = suite_create("socket"); + + tc = tcase_create("TLS 1.2/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls12, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.2/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls12_mutual, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.1/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls11, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.1/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls11_mutual, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.0/anon"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls10, 0, count); + suite_add_tcase(s, tc); + + tc = tcase_create("TLS 1.0/mutl"); + tcase_add_checked_fixture(tc, setup_creds, teardown_creds); + tcase_add_loop_test(tc, test_tls10_mutual, 0, count); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libtls/tests/suites/test_suites.c b/src/libtls/tests/suites/test_suites.c new file mode 100644 index 000000000..f8ae12eb3 --- /dev/null 
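Review bot: The fixture certificates `rsa_crt` and `ecdsa_crt` in test_socket.c encode a notAfter of `170323162726Z` and `170323162934Z` in their DER bytes, so runs after March 2017 pass only if the TLS stack does not enforce validity for these trusted fixtures. That is not visible in this hunk and should be confirmed, or the fixtures regenerated with a long lifetime. The comments above `rsa` and `ecdsa` should also say the keys are throwaway test material, e.g. `RSA private key, 2048 bit, test fixture only, never deploy`, because committed private keys get copied elsewhere and are flagged by secret scanners. In `setup_creds` a failed `lib->creds->create()` is skipped silently, so a missing key or certificate plugin surfaces only later as a handshake failure. A comment stating that the skip is deliberate, or a `ck_assert` on the result, would make that failure easier to diagnose.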
+++ b/src/libtls/tests/suites/test_suites.c 
@@ -0,0 +1,247 @@ +/* + * Copyright (C) 2014 Martin Willi + * Copyright (C) 2014 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <test_suite.h> + +#include <unistd.h> + +#include "tls_crypto.h" + +START_TEST(test_cipher_names) +{ + char buf[128]; + +#define CHECK_NAME(x) { \ + snprintf(buf, sizeof(buf), "%N", tls_cipher_suite_names, x); \ + ck_assert_str_eq(#x, buf); } + + CHECK_NAME(TLS_NULL_WITH_NULL_NULL); + CHECK_NAME(TLS_RSA_WITH_NULL_MD5); + CHECK_NAME(TLS_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_RSA_WITH_RC4_128_MD5); + CHECK_NAME(TLS_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5); + CHECK_NAME(TLS_RSA_WITH_IDEA_CBC_SHA); + CHECK_NAME(TLS_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA); + 
CHECK_NAME(TLS_DH_anon_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_DH_anon_WITH_RC4_128_MD5); + CHECK_NAME(TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_DES_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_RC4_128_SHA); + CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_SHA); + CHECK_NAME(TLS_KRB5_WITH_DES_CBC_MD5); + CHECK_NAME(TLS_KRB5_WITH_3DES_EDE_CBC_MD5); + CHECK_NAME(TLS_KRB5_WITH_RC4_128_MD5); + CHECK_NAME(TLS_KRB5_WITH_IDEA_CBC_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_SHA); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5); + CHECK_NAME(TLS_KRB5_EXPORT_WITH_RC4_40_MD5); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_NULL_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA); + 
CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_DSS_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DHE_DSS_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DHE_RSA_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_DH_anon_WITH_SEED_CBC_SHA); + CHECK_NAME(TLS_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_DSS_WITH_AES_128_GCM_SHA256); + 
CHECK_NAME(TLS_DHE_DSS_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_DSS_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DH_anon_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_DHE_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_RSA_PSK_WITH_NULL_SHA384); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256); + CHECK_NAME(TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256); + CHECK_NAME(TLS_EMPTY_RENEGOTIATION_INFO_SCSV); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA); + 
CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDH_anon_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384); + 
CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); + CHECK_NAME(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384); + CHECK_NAME(TLS_ECDHE_PSK_WITH_RC4_128_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256); + CHECK_NAME(TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA256); + CHECK_NAME(TLS_ECDHE_PSK_WITH_NULL_SHA384); +} +END_TEST + +Suite *suites_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("suites"); + + tc = tcase_create("cipher-names"); + tcase_add_test(tc, test_cipher_names); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libtls/tests/tls_tests.c b/src/libtls/tests/tls_tests.c new file mode 100644 index 000000000..2c2c5bacc --- /dev/null +++ b/src/libtls/tests/tls_tests.c 
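Review bot: `CHECK_NAME` in `test_cipher_names` is defined as a bare `{ ... }` block inside the test body and is never undefined, so every use expands to a block followed by an empty statement and the macro stays visible for the rest of test_suites.c. Wrapping the body as `do { ... } while (0)` and adding `#undef CHECK_NAME` after the last `CHECK_NAME(...)` line keeps it safe in any statement position and local to this test. A one-line comment above the macro saying that it compares the `%N` rendering of each enum value against its stringified identifier would also help a reader who does not know that printf hook.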
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "tls_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "tls_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ plugin_loader_add_plugindirs(PLUGINDIR, PLUGINS);
+ if (!lib->plugins->load(lib->plugins, PLUGINS))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ lib->plugins->unload(lib->plugins);
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("libtls", tests, test_runner_init);
+}
diff --git a/src/libtls/tests/tls_tests.h b/src/libtls/tests/tls_tests.h
new file mode 100644
index 000000000..489b2ddb1
--- /dev/null
+++ b/src/libtls/tests/tls_tests.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(socket_suite_create)
+TEST_SUITE(suites_suite_create)
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 7314602b6..6e2955814 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -447,6 +447,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
 case TLS_PURPOSE_EAP_TTLS:
 case TLS_PURPOSE_EAP_PEAP:
 case TLS_PURPOSE_GENERIC:
+ case TLS_PURPOSE_GENERIC_NULLOK:
 break;
 default:
 return NULL;
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index db332fbbf..fc1d9b9fd 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -107,6 +107,8 @@ enum tls_purpose_t {
 TLS_PURPOSE_EAP_PEAP,
 /** non-EAP TLS */
 TLS_PURPOSE_GENERIC,
+ /** non-EAP TLS accepting NULL encryption */
+ TLS_PURPOSE_GENERIC_NULLOK,
 /** EAP binding for TNC */
 TLS_PURPOSE_EAP_TNC
 };
diff --git a/src/libtls/tls_aead.c b/src/libtls/tls_aead.c
index be44cc098..1d0779dc0 100644
--- a/src/libtls/tls_aead.c
+++ b/src/libtls/tls_aead.c
@@ -191,7 +191,6 @@ tls_aead_t *tls_aead_create_aead(encryption_algorithm_t encr, size_t encr_size)
 .public = {
 .encrypt = _encrypt,
 .decrypt = _decrypt,
- .get_iv_size = _get_iv_size,
 .get_mac_key_size = _get_mac_key_size,
 .get_encr_key_size = _get_encr_key_size,
 .get_iv_size = _get_iv_size,
diff --git a/src/libtls/tls_aead_expl.c b/src/libtls/tls_aead_expl.c
index f047d6584..5e4d33e14 100644
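Review bot: The comment on `TLS_PURPOSE_GENERIC_NULLOK` in the tls.h hunk says only "accepting NULL encryption" and leaves out what the caller gives up: with a NULL encryption suite the records are integrity-protected but sent in the clear. I would word it as `/** non-EAP TLS that also offers NULL encryption suites (integrity only, no confidentiality) */`. The same gap is in the `@param nullok` line added to tls_socket.h and at the new `case TLS_PURPOSE_GENERIC_NULLOK:` in tls_crypto.c, where a short comment stating that NULL suites are deliberately kept in the list would make the opt-in visible at each point where it takes effect.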
--- a/src/libtls/tls_aead_expl.c
+++ b/src/libtls/tls_aead_expl.c
@@ -201,7 +201,6 @@ tls_aead_t *tls_aead_create_explicit(integrity_algorithm_t mac,
 .public = {
 .encrypt = _encrypt,
 .decrypt = _decrypt,
- .get_iv_size = _get_iv_size,
 .get_mac_key_size = _get_mac_key_size,
 .get_encr_key_size = _get_encr_key_size,
 .get_iv_size = _get_iv_size,
diff --git a/src/libtls/tls_aead_impl.c b/src/libtls/tls_aead_impl.c
index 9b259fc1d..fb14026e0 100644
--- a/src/libtls/tls_aead_impl.c
+++ b/src/libtls/tls_aead_impl.c
@@ -192,7 +192,6 @@ tls_aead_t *tls_aead_create_implicit(integrity_algorithm_t mac,
 .public = {
 .encrypt = _encrypt,
 .decrypt = _decrypt,
- .get_iv_size = _get_iv_size,
 .get_mac_key_size = _get_mac_key_size,
 .get_encr_key_size = _get_encr_key_size,
 .get_iv_size = _get_iv_size,
diff --git a/src/libtls/tls_aead_null.c b/src/libtls/tls_aead_null.c
index b80a0bc54..595b64000 100644
--- a/src/libtls/tls_aead_null.c
+++ b/src/libtls/tls_aead_null.c
@@ -140,7 +140,6 @@ tls_aead_t *tls_aead_create_null(integrity_algorithm_t alg)
 .public = {
 .encrypt = _encrypt,
 .decrypt = _decrypt,
- .get_iv_size = _get_iv_size,
 .get_mac_key_size = _get_mac_key_size,
 .get_encr_key_size = _get_encr_key_size,
 .get_iv_size = _get_iv_size,
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index b3f9ae9e3..4f67b20d6 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -648,8 +648,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
 /**
 * Filter a suite list using a transform enumerator
 */
-static void filter_suite(private_tls_crypto_t *this,
- suite_algs_t suites[], int *count, int offset,
+static void filter_suite(suite_algs_t suites[], int *count, int offset,
 enumerator_t*(*create_enumerator)(crypto_factory_t*))
 {
 const char *plugin_name;
@@ -721,8 +720,7 @@ static void filter_suite(private_tls_crypto_t *this, /** * Purge NULL encryption cipher suites from list */ -static void filter_null_suites(private_tls_crypto_t *this, - suite_algs_t suites[], int *count) +static void filter_null_suites(suite_algs_t suites[], int *count) { int i, remaining = 0; @@ -975,6 +973,26 @@ static void filter_specific_config_suites(private_tls_crypto_t *this, } /** + * Filter out unsupported suites on given suite array + */ +static void filter_unsupported_suites(suite_algs_t suites[], int *count) +{ + /* filter suite list by each algorithm */ + filter_suite(suites, count, offsetof(suite_algs_t, encr), + lib->crypto->create_crypter_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, encr), + lib->crypto->create_aead_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, mac), + lib->crypto->create_signer_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, prf), + lib->crypto->create_prf_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, hash), + lib->crypto->create_hasher_enumerator); + filter_suite(suites, count, offsetof(suite_algs_t, dh), + lib->crypto->create_dh_enumerator); +} + +/** * Initialize the cipher suite list */ static void build_cipher_suite_list(private_tls_crypto_t *this, @@ -988,9 +1006,10 @@ static void build_cipher_suite_list(private_tls_crypto_t *this, { suites[i] = suite_algs[i]; } + if (require_encryption) { - filter_null_suites(this, suites, &count); + filter_null_suites(suites, &count); } if (!this->rsa) { 
@@ -1001,19 +1020,7 @@ static void build_cipher_suite_list(private_tls_crypto_t *this, filter_key_suites(this, suites, &count, KEY_ECDSA); } - /* filter suite list by each algorithm */ - filter_suite(this, suites, &count, offsetof(suite_algs_t, encr), - lib->crypto->create_crypter_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, encr), - lib->crypto->create_aead_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, mac), - lib->crypto->create_signer_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, prf), - lib->crypto->create_prf_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, hash), - lib->crypto->create_hasher_enumerator); - filter_suite(this, suites, &count, offsetof(suite_algs_t, dh), - lib->crypto->create_dh_enumerator); + filter_unsupported_suites(suites, &count); /* filter suites with strongswan.conf options */ filter_key_exchange_config_suites(this, suites, &count); @@ -1839,8 +1846,43 @@ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache) case TLS_PURPOSE_GENERIC: build_cipher_suite_list(this, TRUE); break; + case TLS_PURPOSE_GENERIC_NULLOK: + build_cipher_suite_list(this, FALSE); + break; default: break; } return &this->public; } + +/** + * See header. + */ +int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **out) +{ + suite_algs_t suites[countof(suite_algs)]; + int count = countof(suite_algs), i; + + /* initialize copy of suite list */ + for (i = 0; i < count; i++) + { + suites[i] = suite_algs[i]; + } + + filter_unsupported_suites(suites, &count); + + if (!null) + { + filter_null_suites(suites, &count); + } + + if (out) + { + *out = calloc(count, sizeof(tls_cipher_suite_t)); + for (i = 0; i < count; i++) + { + (*out)[i] = suites[i].suite; + } + } + return count; +} diff --git a/src/libtls/tls_crypto.h b/src/libtls/tls_crypto.h index 5512b1f48..a42e07bb3 100644 --- a/src/libtls/tls_crypto.h +++ b/src/libtls/tls_crypto.h 
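Review bot: In the new `tls_crypto_get_supported_suites()` the result of `calloc()` is written through without a check, so an allocation failure turns into a NULL dereference in the copy loop whenever `count` is non-zero. Adding `if (!*out) { return 0; }` directly after the allocation keeps the "caller frees `*out`" contract and gives the caller a result it can test. The function also has only a "See header" comment; a line noting that the list is filtered by loaded crypto plugins only, not by configured keys or strongswan.conf options as `build_cipher_suite_list()` does, would prevent callers from treating the count as what a live connection will offer.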
@@ -572,4 +572,13 @@ struct tls_crypto_t { */ tls_crypto_t *tls_crypto_create(tls_t *tls, tls_cache_t *cache); +/** + * Get a list of all supported TLS cipher suites. + * + * @param null include supported NULL encryption suites + * @param suites pointer to allocated suites array, to free(), or NULL + * @return number of suites supported + */ +int tls_crypto_get_supported_suites(bool null, tls_cipher_suite_t **suites); + #endif /** TLS_CRYPTO_H_ @}*/ diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 19232750b..648771e75 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c @@ -406,9 +406,11 @@ METHOD(tls_socket_t, destroy, void, * See header */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache) + identification_t *peer, int fd, tls_cache_t *cache, + tls_version_t max_version, bool nullok) { private_tls_socket_t *this; + tls_purpose_t purpose; INIT(this, .public = { @@ -430,13 +432,23 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, .fd = fd, ); - this->tls = tls_create(is_server, server, peer, TLS_PURPOSE_GENERIC, + if (nullok) + { + purpose = TLS_PURPOSE_GENERIC_NULLOK; + } + else + { + purpose = TLS_PURPOSE_GENERIC; + } + + this->tls = tls_create(is_server, server, peer, purpose, &this->app.application, cache); if (!this->tls) { free(this); return NULL; } + this->tls->set_version(this->tls, max_version); return &this->public; } diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h index 75130a4d3..0d4db3b41 100644 --- a/src/libtls/tls_socket.h +++ b/src/libtls/tls_socket.h 
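Review bot: In the second tls_socket.c hunk, `this->tls->set_version(this->tls, max_version);` discards the call's result. If `set_version()` reports failure for a value it does not accept (its declaration is not part of this diff, so this is inferred), `tls_socket_create()` still returns a usable socket and the caller's version limit is silently not applied. I would test the call with `if (!this->tls->set_version(this->tls, max_version))` and on failure release `this->tls`, free `this` and return NULL, matching the existing `!this->tls` error path just above.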
@@ -104,9 +104,12 @@ struct tls_socket_t { * @param peer client identity, NULL for no client authentication * @param fd socket to read/write from * @param cache session cache to use, or NULL + * @param max_version maximun TLS version to negotiate + * @param nullok accept NULL encryption ciphers * @return TLS socket wrapper */ tls_socket_t *tls_socket_create(bool is_server, identification_t *server, - identification_t *peer, int fd, tls_cache_t *cache); + identification_t *peer, int fd, tls_cache_t *cache, + tls_version_t max_version, bool nullok); #endif /** TLS_SOCKET_H_ @}*/ |
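Review bot: `maximun` in the new `@param max_version` line is a typo for `maximum`. The parameter documentation also leaves open what happens when the requested version is not supported, and the `@return` line still describes only the success case. I would extend it to `@return TLS socket wrapper, NULL on failure` and state on the `max_version` line whether an unsupported value is rejected or ignored, once the implementation in tls_socket.c settles that.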