test/sslapitest.c +104 −0
@@ -3735,6 +3735,109 @@ static int test_ciphersuite_change(void) return testresult; } /* * Test TLSv1.3 Key exchange * Test 0 = Test ECDHE Key exchange * Test 1 = Test FFDHE Key exchange * Test 2 = Test ECDHE with TLSv1.2 client and TLSv1.2 server * Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server */ static int test_tls13_key_exchange(int idx) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, NID_X448}; int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, NID_ffdhe6144, NID_ffdhe8192}; int *kexch_groups = NULL; int kexch_groups_size = 0; int max_version = TLS1_3_VERSION; int want_err = SSL_ERROR_NONE; int expected_err_func = 0; int expected_err_reason = 0; switch (idx) { case 0: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); break; case 1: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); break; case 2: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); max_version = TLS1_2_VERSION; expected_err_func = SSL_F_TLS_POST_PROCESS_CLIENT_HELLO; expected_err_reason = SSL_R_NO_SHARED_CIPHER; want_err = SSL_ERROR_SSL; break; case 3: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); max_version = TLS1_2_VERSION; want_err = SSL_ERROR_SSL; expected_err_func = SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS; expected_err_reason = ERR_R_INTERNAL_ERROR; break; } if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, max_version, &sctx, &cctx, cert, privkey))) goto end; if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256))) goto end; if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256))) goto end; if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) goto 
end; if (!TEST_true(SSL_CTX_set_cipher_list(cctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) goto end; if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size)) || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size))) goto end; if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) { /* Fail only if no error is expected in handshake */ if (expected_err_func == 0) goto end; } /* Fail if expected error is not happening for failure testcases */ if (expected_err_func) { unsigned long err_code = ERR_get_error(); if (TEST_int_eq(ERR_GET_FUNC(err_code), expected_err_func) && TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason)) testresult = 1; goto end; } /* If Handshake succeeds the negotiated kexch alg should the first one in configured */ if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), kexch_groups[0])) goto end; testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; } /* * Test TLSv1.3 PSKs * Test 0 = Test new style callbacks Loading Loading @@ -6536,6 +6639,7 @@ int setup_tests(void) #else ADD_ALL_TESTS(test_tls13_psk, 4); #endif /* OPENSSL_NO_PSK */ ADD_ALL_TESTS(test_tls13_key_exchange, 4); ADD_ALL_TESTS(test_custom_exts, 5); ADD_TEST(test_stateless); ADD_TEST(test_pha_key_update); Loading Loading
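Review bot: For idx 2 and 3 in test_tls13_key_exchange the result of create_ssl_connection() is discarded and the verdict rests only on the oldest entry returned by ERR_get_error(), so an error already queued before the handshake can decide the outcome and a handshake that unexpectedly completes is never checked directly. Clearing the queue first with `ERR_clear_error();` and keeping the result, `int ok = create_ssl_connection(serverssl, clientssl, want_err);`, would let the failure cases assert `TEST_false(ok)` before comparing the error code; wrapping an expected failure in TEST_true() presumably also logs a spurious failure line. The header comment should say that tests 2 and 3 are negative cases and why each reason code is expected, for example `* Test 2/3 = TLSv1.2 only: the handshake must fail with the error set in the switch below`, because pinning ERR_R_INTERNAL_ERROR and a function code without explanation reads as enshrining an implementation detail. The switch has no `default`, so an idx outside 0..3 would leave kexch_groups NULL and could reach `kexch_groups[0]`; it appears safe only because the registration in setup_tests (whose body lies outside the hunk) passes 4.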
test/sslapitest.c +104 −0
@@ -3735,6 +3735,109 @@ static int test_ciphersuite_change(void) return testresult; } /* * Test TLSv1.3 Key exchange * Test 0 = Test ECDHE Key exchange * Test 1 = Test FFDHE Key exchange * Test 2 = Test ECDHE with TLSv1.2 client and TLSv1.2 server * Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server */ static int test_tls13_key_exchange(int idx) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, NID_X448}; int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, NID_ffdhe6144, NID_ffdhe8192}; int *kexch_groups = NULL; int kexch_groups_size = 0; int max_version = TLS1_3_VERSION; int want_err = SSL_ERROR_NONE; int expected_err_func = 0; int expected_err_reason = 0; switch (idx) { case 0: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); break; case 1: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); break; case 2: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); max_version = TLS1_2_VERSION; expected_err_func = SSL_F_TLS_POST_PROCESS_CLIENT_HELLO; expected_err_reason = SSL_R_NO_SHARED_CIPHER; want_err = SSL_ERROR_SSL; break; case 3: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); max_version = TLS1_2_VERSION; want_err = SSL_ERROR_SSL; expected_err_func = SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS; expected_err_reason = ERR_R_INTERNAL_ERROR; break; } if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, max_version, &sctx, &cctx, cert, privkey))) goto end; if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, TLS1_3_RFC_AES_128_GCM_SHA256))) goto end; if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256))) goto end; if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) goto 
end; if (!TEST_true(SSL_CTX_set_cipher_list(cctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) goto end; if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; if (!TEST_true(SSL_set1_groups(serverssl, kexch_groups, kexch_groups_size)) || !TEST_true(SSL_set1_groups(clientssl, kexch_groups, kexch_groups_size))) goto end; if (!TEST_true(create_ssl_connection(serverssl, clientssl, want_err))) { /* Fail only if no error is expected in handshake */ if (expected_err_func == 0) goto end; } /* Fail if expected error is not happening for failure testcases */ if (expected_err_func) { unsigned long err_code = ERR_get_error(); if (TEST_int_eq(ERR_GET_FUNC(err_code), expected_err_func) && TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason)) testresult = 1; goto end; } /* If Handshake succeeds the negotiated kexch alg should the first one in configured */ if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), kexch_groups[0])) goto end; testresult = 1; end: SSL_free(serverssl); SSL_free(clientssl); SSL_CTX_free(sctx); SSL_CTX_free(cctx); return testresult; } /* * Test TLSv1.3 PSKs * Test 0 = Test new style callbacks Loading Loading @@ -6536,6 +6639,7 @@ int setup_tests(void) #else ADD_ALL_TESTS(test_tls13_psk, 4); #endif /* OPENSSL_NO_PSK */ ADD_ALL_TESTS(test_tls13_key_exchange, 4); ADD_ALL_TESTS(test_custom_exts, 5); ADD_TEST(test_stateless); ADD_TEST(test_pha_key_update); Loading