Diffstat (limited to 'lib/ssl/test/ssl_cipher_suite_SUITE.erl')
-rw-r--r-- | lib/ssl/test/ssl_cipher_suite_SUITE.erl | 98 |
1 files changed, 61 insertions, 37 deletions
diff --git a/lib/ssl/test/ssl_cipher_suite_SUITE.erl b/lib/ssl/test/ssl_cipher_suite_SUITE.erl index 0ddbf59e56..04425bbb1e 100644 --- a/lib/ssl/test/ssl_cipher_suite_SUITE.erl +++ b/lib/ssl/test/ssl_cipher_suite_SUITE.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2019-2022. All Rights Reserved. +%% Copyright Ericsson AB 2019-2023. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. 
@@ -530,57 +530,75 @@ end_per_testcase(_TestCase, Config) -> init_certs(srp_rsa, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(rsa, rsa, DefConf, DefConf), - #{server_config := ServerOpts, - client_config := ClientOpts} + #{server_config := ServerOpts0, + client_config := ClientOpts0} = public_key:pkix_test_data(CertChainConf), - [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, undefined}} | ServerOpts], - client_config => [{srp_identity, {"Test-User", "secret"}} | ClientOpts]}} | + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ClientOpts0, + [{tls_config, #{server_config => + [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, undefined}} | ServerOpts], + client_config => + [{srp_identity, {"Test-User", "secret"}}, {verify, verify_none} | ClientOpts]}} | proplists:delete(tls_config, Config)]; init_certs(srp_anon, Config) -> [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, undefined}}], - client_config => [{srp_identity, {"Test-User", "secret"}}]}} | + client_config => [{srp_identity, {"Test-User", "secret"}}, {verify, verify_none}]}} | proplists:delete(tls_config, Config)]; init_certs(rsa_psk, Config) -> ClientExt = x509_test:extensions([{key_usage, [digitalSignature, keyEncipherment]}]), - {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, - [[],[],[{extensions, ClientExt}]]}], + {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, + [[],[],[{extensions, ClientExt}]]}], Config, "_peer_keyEncipherment"), PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>, [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, PskSharedSecret}} | ServerOpts], client_config => [{psk_identity, "Test-User"}, - {user_lookup_fun, {fun 
ssl_test_lib:user_lookup/3, PskSharedSecret}} | ClientOpts]}} | + {user_lookup_fun, {fun ssl_test_lib:user_lookup/3, PskSharedSecret}}, + {verify, verify_none} | ClientOpts]}} | proplists:delete(tls_config, Config)]; init_certs(rsa, Config) -> ClientExt = x509_test:extensions([{key_usage, [digitalSignature, keyEncipherment]}]), - {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, - [[],[],[{extensions, ClientExt}]]}], + {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain, + [[],[],[{extensions, ClientExt}]]}], Config, "_peer_keyEncipherment"), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; init_certs(ecdhe_1_3_rsa_cert, Config) -> ClientExt = x509_test:extensions([{key_usage, [digitalSignature]}]), - {ClientOpts, ServerOpts} = ssl_test_lib:make_rsa_cert_chains([{server_chain, - [[],[],[{extensions, ClientExt}]]}], + {ClientOpts0, ServerOpts0} = ssl_test_lib:make_rsa_cert_chains([{server_chain, + [[],[],[{extensions, ClientExt}]]}], Config, "_peer_rsa_digitalsign"), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; init_certs(dhe_dss, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), - CertChainConf = ssl_test_lib:gen_conf(dsa, dsa, DefConf, DefConf), - #{server_config := ServerOpts, - client_config := ClientOpts} + CertChainConf = ssl_test_lib:gen_conf(dsa, dsa, DefConf, DefConf), + #{server_config := ServerOpts0, + client_config := ClientOpts0} = 
public_key:pkix_test_data(CertChainConf), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(dsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(dsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; init_certs(srp_dss, Config) -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(dsa, dsa, DefConf, DefConf), - #{server_config := ServerOpts, - client_config := ClientOpts} + #{server_config := ServerOpts0, + client_config := ClientOpts0} = public_key:pkix_test_data(CertChainConf), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(dsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(dsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, undefined}} | ServerOpts], client_config => [{srp_identity, {"Test-User", "secret"}} | ClientOpts]}} | proplists:delete(tls_config, Config)]; @@ -588,9 +606,12 @@ init_certs(GroupName, Config) when GroupName == dhe_rsa; GroupName == ecdhe_rsa -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(rsa, rsa, DefConf, DefConf), - #{server_config := ServerOpts, - client_config := ClientOpts} + #{server_config := ServerOpts0, + client_config := ClientOpts0} = public_key:pkix_test_data(CertChainConf), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(rsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; 
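Review bot: In the `srp_rsa` and `rsa_psk` clauses, `{verify, verify_none}` is prepended to a client option list that still carries the generated chain options (`ClientOpts`), while `srp_dss`, which has the same shape, is left without it. With that option the client presumably skips validation of the server certificate in those two groups, even though a chain is generated for them. If `ClientOpts` carries its own `verify` entry, which is not visible in this hunk, the prepended one would presumably take precedence. If only cipher suite negotiation is under test, say so next to the option, e.g. `%% verify_none: cert path validation is out of scope for this suite`, and treat `srp_dss` the same way. Otherwise drop the option from the clauses that have a chain to verify against.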
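Review bot: The three lines that derive `Version` and prepend `ssl_test_lib:sig_algs(Alg, Version)` are repeated verbatim in this clause, in five clauses of the preceding hunk (`srp_rsa`, `rsa`, `ecdhe_1_3_rsa_cert`, `dhe_dss`, `srp_dss`) and in the `dhe_ecdsa`/`ecdhe_ecdsa` hunk that follows. `proplists:get_value(version, Config)` returns `undefined` when the key is absent, and what `ssl_test_lib:n_version/1` does with that is not visible here. A single helper would give one place to handle or document that case. The helper name below is only a suggestion, and the clause body continues outside what is quoted.

```erlang
%% … unchanged: DefConf / CertChainConf / pkix_test_data match …
    {ServerOpts, ClientOpts} = with_sig_algs(rsa, Config, ServerOpts0, ClientOpts0),
%% … unchanged: tls_config tuple …

%% Prepend the signature algorithms for Alg and the configured version to both option lists.
with_sig_algs(Alg, Config, ServerOpts0, ClientOpts0) ->
    Version = ssl_test_lib:n_version(proplists:get_value(version, Config)),
    SigAlgs = ssl_test_lib:sig_algs(Alg, Version),
    {SigAlgs ++ ServerOpts0, SigAlgs ++ ClientOpts0}.
```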
@@ -598,9 +619,12 @@ init_certs(GroupName, Config) when GroupName == dhe_ecdsa; GroupName == ecdhe_ecdsa -> DefConf = ssl_test_lib:default_cert_chain_conf(), CertChainConf = ssl_test_lib:gen_conf(ecdsa, ecdsa, DefConf, DefConf), - #{server_config := ServerOpts, - client_config := ClientOpts} + #{server_config := ServerOpts0, + client_config := ClientOpts0} = public_key:pkix_test_data(CertChainConf), + Version = ssl_test_lib:n_version(proplists:get_value(version, Config)), + ServerOpts = ssl_test_lib:sig_algs(ecdsa, Version) ++ ServerOpts0, + ClientOpts = ssl_test_lib:sig_algs(ecdsa, Version) ++ ClientOpts0, [{tls_config, #{server_config => ServerOpts, client_config => ClientOpts}} | proplists:delete(tls_config, Config)]; 
@@ -609,17 +633,17 @@ init_certs(GroupName, Config) when GroupName == psk; GroupName == ecdhe_psk -> PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>, [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, PskSharedSecret}}], - client_config => [{psk_identity, "Test-User"}, + client_config => [{verify, verify_none}, {psk_identity, "Test-User"}, {user_lookup_fun, {fun ssl_test_lib:user_lookup/3, PskSharedSecret}}]}} | - proplists:delete(tls_config, Config)]; -init_certs(srp, Config) -> + proplists:delete(tls_config, Config)]; +init_certs(srp, Config) -> [{tls_config, #{server_config => [{user_lookup_fun, {fun ssl_test_lib:user_lookup/3, undefined}}], - client_config => [{srp_identity, {"Test-User", "secret"}}]}} | + client_config => [{verify, verify_none},{srp_identity, {"Test-User", "secret"}}]}} | proplists:delete(tls_config, Config)]; -init_certs(_GroupName, Config) -> +init_certs(_GroupName, Config) -> %% Anonymous does not need certs - [{tls_config, #{server_config => [], - client_config => []}} | + [{tls_config, #{server_config => [{verify, verify_none}], + client_config => [{verify, verify_none}]}} | proplists:delete(tls_config, Config)]. %%-------------------------------------------------------------------- @@ -978,14 +1002,14 @@ cipher_suite_test(ErlangCipherSuite, Version, Config) -> test_ciphers(Kex, Cipher, Version) -> - ssl:filter_cipher_suites(ssl:cipher_suites(all, Version) ++ ssl:cipher_suites(anonymous, Version), - [{key_exchange, - fun(Kex0) when Kex0 == Kex -> true; - (_) -> false - end}, - {cipher, - fun(Cipher0) when Cipher0 == Cipher -> true; - (_) -> false + ssl:filter_cipher_suites(ssl:cipher_suites(all, Version) ++ ssl:cipher_suites(anonymous, Version), + [{key_exchange, + fun(Kex0) when Kex0 == Kex -> true; + (_) -> false + end}, + {cipher, + fun(Cipher0) when Cipher0 == Cipher -> true; + (_) -> false end}]). |
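Review bot: The last clause, `init_certs(_GroupName, Config)`, matches every group name that has no clause of its own, and it now sets `{verify, verify_none}` on both server and client. Its comment only speaks of anonymous suites, so a certificate-based group added later without a dedicated clause would silently run with no certificates and peer verification off. Consider guarding the clause on the anonymous group names (not visible in this hunk) so that an unknown group fails with `function_clause`. At minimum, extend the comment to `%% Anonymous does not need certs; there is no peer certificate, so verification is explicitly off on both sides`.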