From: Andreas Steffen Date: Wed, 24 Aug 2022 13:06:12 +0000 (+0200) Subject: libtls: the signature unit tests use scheme-specific credentials X-Git-Tag: 5.9.8dr1~2^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=52a3c3662d9bdcc945798e093f3ee64ffd32ffb5;p=thirdparty%2Fstrongswan.git libtls: the signature unit tests use scheme-specific credentials --- diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c index e410ffd28b..a9f44c07c2 100644 --- a/src/libtls/tests/suites/test_socket.c +++ b/src/libtls/tests/suites/test_socket.c @@ -112,9 +112,25 @@ static char rsa[] = { }; /** - * ECDSA private key + * ECDSA256 private key + * pki --gen --type ecdsa --size 256 */ -static char ecdsa[] = { +static char ecdsa256[] = { + 0x30,0x77,0x02,0x01,0x01,0x04,0x20,0x2d,0x01,0x7e,0x5b,0x4a,0x7d,0x78,0xe9,0x23, + 0xeb,0xb2,0xac,0x4c,0xf1,0x28,0x3b,0xfa,0x1d,0xa9,0x08,0x5c,0xd0,0x60,0x2a,0xa6, + 0x54,0xd3,0x94,0xd4,0x05,0xa1,0x04,0xa0,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d, + 0x03,0x01,0x07,0xa1,0x44,0x03,0x42,0x00,0x04,0x15,0x9c,0xbe,0xdb,0x54,0xa6,0xe7, + 0x7f,0x76,0x05,0xa6,0x9d,0xf3,0x41,0x38,0x43,0x98,0xe9,0x0b,0x2b,0x8b,0x02,0xb4, + 0x04,0x9b,0x61,0x84,0x65,0x63,0x3b,0x08,0xb2,0x4b,0x1e,0xd0,0x32,0x20,0xe9,0xfc, + 0x62,0xa7,0xd0,0x71,0x9e,0xe9,0xf9,0x2d,0x91,0xb8,0xf2,0xa3,0x4d,0x8a,0x78,0xb2, + 0x0b,0xfb,0x59,0x7c,0x40,0xbd,0xaf,0xa2,0x07 +}; + +/** + * ECDSA384 private key + * pki --gen --type ecdsa --size 384 + */ +static char ecdsa384[] = { 0x30,0x81,0xa4,0x02,0x01,0x01,0x04,0x30,0xc0,0x1f,0xfd,0x65,0xc6,0xc4,0x4c,0xb8, 0xff,0x56,0x08,0xb5,0xbd,0xb8,0xf5,0x93,0xf7,0x51,0x0e,0x92,0x1f,0x06,0xbf,0xa6, 0xd9,0x1d,0xae,0xa3,0x16,0x0d,0x0f,0xc9,0xd5,0x97,0x90,0x46,0xf1,0x98,0xa8,0x18, @@ -128,6 +144,27 @@ static char ecdsa[] = { 0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97, }; +/** + * ECDSA521 private key + * pki --gen --type ecdsa --size 521 + */ +static char ecdsa521[] = { + 0X30,0x81,0xdc,0x02,0x01,0x01,0x04,0x42,0x01,0x88,0x0f,0x17,0x00,0x2c,0x62,0x5c, + 0x3e,0xed,0xe6,0xc8,0x6a,0x12,0x8e,0x09,0x8e,0x4b,0x41,0x8f,0x1a,0xbc,0xf3,0xa4, + 0xa6,0xcb,0xd4,0xa5,0x45,0x40,0xc8,0x29,0xc8,0x72,0x49,0x0a,0x04,0x9d,0xb2,0x02, + 0xc7,0x6a,0x98,0x3c,0xc9,0x4d,0x87,0x30,0x8b,0x17,0xd8,0x94,0x3d,0x8b,0x88,0xc9, + 0xe5,0x17,0x22,0x73,0x41,0x90,0x6d,0x52,0xee,0x11,0xa0,0x07,0x06,0x05,0x2b,0x81, + 0X04,0x00,0x23,0xa1,0x81,0x89,0x03,0x81,0x86,0x00,0x04,0x01,0x9a,0x71,0x4e,0x04, + 0X42,0xa7,0xdd,0x7c,0xe6,0xdb,0x0d,0x9d,0xe9,0xde,0x21,0x42,0x0b,0x56,0x90,0x7b, + 0X5b,0xbc,0x33,0xdf,0x79,0x9a,0xb8,0xf0,0x79,0xad,0x78,0xe2,0x77,0xee,0x62,0x4b, + 0Xc5,0x18,0xb8,0x7d,0x86,0x0a,0xb9,0xb4,0x24,0x3f,0x80,0xcf,0x34,0xfd,0x68,0xd0, + 0X90,0xd0,0x66,0xe7,0x79,0x30,0x13,0xc7,0x55,0xb3,0x74,0xf7,0xd3,0x01,0x03,0x0c, + 0X46,0x89,0xbf,0x7b,0xd6,0x26,0xe9,0xf6,0x50,0x35,0x7c,0x81,0x6f,0xb7,0xa5,0x62, + 0Xa9,0xc9,0xba,0x45,0xd7,0xc2,0x09,0xfd,0xc5,0x0b,0x76,0x75,0xe7,0x47,0xa6,0x70, + 0X09,0x16,0x14,0xc0,0x7e,0x09,0x3d,0xde,0xd4,0x79,0xa3,0xb6,0x95,0x2a,0xaa,0x5b, + 0Xdc,0xd5,0xab,0xdc,0x8a,0xd9,0xf3,0x37,0x96,0xaa,0x84,0xfc,0xae,0x94,0xea +}; + /** * Ed25519 private key * pki --gen --type ed25519 @@ -207,10 +244,41 @@ static char rsa_crt[] = { }; /** - * TLS certificate for ECDSA key - * pki --self --in ecdsa.key --dn "C=CH, O=strongSwan, CN=tls-ecdsa" --san 127.0.0.1 + * TLS certificate for ECDSA256 key + * pki --self --in ecdsa256.key --dn "C=CH, O=strongSwan, CN=tls-ecdsa" --san 127.0.0.1 */ -static char ecdsa_crt[] = { +static char ecdsa256_crt[] = { + 0x30,0x82,0x01,0x74,0x30,0x82,0x01,0x1b,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x1e, + 0x80,0xe3,0xbb,0xf4,0x6f,0xc5,0xab,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d, + 0x04,0x03,0x02,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72, + 0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03, + 0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x32, + 0x32,0x30,0x38,0x32,0x33,0x30,0x39,0x31,0x33,0x35,0x34,0x5a,0x17,0x0d,0x32,0x35, + 0x30,0x38,0x32,0x32,0x30,0x39,0x31,0x33,0x35,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31, + 0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63, + 0x64,0x73,0x61,0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01, + 0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x03,0x42,0x00,0x04,0x15,0x9c, + 0xbe,0xdb,0x54,0xa6,0xe7,0x7f,0x76,0x05,0xa6,0x9d,0xf3,0x41,0x38,0x43,0x98,0xe9, + 0x0b,0x2b,0x8b,0x02,0xb4,0x04,0x9b,0x61,0x84,0x65,0x63,0x3b,0x08,0xb2,0x4b,0x1e, + 0xd0,0x32,0x20,0xe9,0xfc,0x62,0xa7,0xd0,0x71,0x9e,0xe9,0xf9,0x2d,0x91,0xb8,0xf2, + 0xa3,0x4d,0x8a,0x78,0xb2,0x0b,0xfb,0x59,0x7c,0x40,0xbd,0xaf,0xa2,0x07,0xa3,0x13, + 0x30,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f, + 0x00,0x00,0x01,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,0x03, + 0x47,0x00,0x30,0x44,0x02,0x20,0x3d,0xa0,0x7e,0xff,0xfe,0x38,0xa4,0xfc,0x28,0x7b, + 0x6a,0x63,0xea,0xb9,0x04,0x11,0x63,0x98,0x25,0x1f,0x7f,0xc6,0xbc,0xe7,0x2e,0x53, + 0xbf,0x4a,0x7c,0x73,0xe9,0xe1,0x02,0x20,0x28,0xec,0x8b,0x84,0xa5,0xa3,0xd1,0xac, + 0x92,0x0b,0x9d,0xdc,0xa5,0x59,0xe8,0x64,0xb9,0xd1,0x66,0xe9,0x23,0xca,0x3b,0xee, + 0xc8,0x0e,0x08,0x4e,0x8f,0xc7,0xed,0x11 +}; + +/** + * TLS certificate for ECDSA384 key + * pki --self --in ecdsa384.key --dn "C=CH, O=strongSwan, CN=tls-ecdsa" --san 127.0.0.1 + */ +static char ecdsa384_crt[] = { 0x30,0x82,0x01,0xb1,0x30,0x82,0x01,0x38,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x77, 0x8f,0x61,0x26,0xa2,0xae,0xe8,0x6c,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d, 0x04,0x03,0x03,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, @@ -241,6 +309,46 @@ static char ecdsa_crt[] = { 0xac,0x36,0x08,0x14,0x29, }; +/** + * TLS certificate for ECDSA521 key + * pki --self --in ecdsa521.key --dn "C=CH, O=strongSwan, CN=tls-ecdsa" --san 127.0.0.1 + */ +static char ecdsa521_crt[] = { + 0x30,0x82,0x01,0xfd,0x30,0x82,0x01,0x5e,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x6c, + 0x72,0xcb,0x98,0xc7,0x4c,0x46,0xf7,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d, + 0x04,0x03,0x04,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02, + 0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72, + 0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03, + 0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x32, + 0x32,0x30,0x38,0x32,0x34,0x31,0x32,0x35,0x33,0x31,0x36,0x5a,0x17,0x0d,0x32,0x35, + 0x30,0x38,0x32,0x33,0x31,0x32,0x35,0x33,0x31,0x36,0x5a,0x30,0x36,0x31,0x0b,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31, + 0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63, + 0x64,0x73,0x61,0x30,0x81,0x9b,0x30,0x10,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02, + 0x01,0x06,0x05,0x2b,0x81,0x04,0x00,0x23,0x03,0x81,0x86,0x00,0x04,0x01,0x9a,0x71, + 0x4e,0x04,0x42,0xa7,0xdd,0x7c,0xe6,0xdb,0x0d,0x9d,0xe9,0xde,0x21,0x42,0x0b,0x56, + 0x90,0x7b,0x5b,0xbc,0x33,0xdf,0x79,0x9a,0xb8,0xf0,0x79,0xad,0x78,0xe2,0x77,0xee, + 0x62,0x4b,0xc5,0x18,0xb8,0x7d,0x86,0x0a,0xb9,0xb4,0x24,0x3f,0x80,0xcf,0x34,0xfd, + 0x68,0xd0,0x90,0xd0,0x66,0xe7,0x79,0x30,0x13,0xc7,0x55,0xb3,0x74,0xf7,0xd3,0x01, + 0x03,0x0c,0x46,0x89,0xbf,0x7b,0xd6,0x26,0xe9,0xf6,0x50,0x35,0x7c,0x81,0x6f,0xb7, + 0xa5,0x62,0xa9,0xc9,0xba,0x45,0xd7,0xc2,0x09,0xfd,0xc5,0x0b,0x76,0x75,0xe7,0x47, + 0xa6,0x70,0x09,0x16,0x14,0xc0,0x7e,0x09,0x3d,0xde,0xd4,0x79,0xa3,0xb6,0x95,0x2a, + 0xaa,0x5b,0xdc,0xd5,0xab,0xdc,0x8a,0xd9,0xf3,0x37,0x96,0xaa,0x84,0xfc,0xae,0x94, + 0xea,0xa3,0x13,0x30,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06, + 0x87,0x04,0x7f,0x00,0x00,0x01,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04, + 0x03,0x04,0x03,0x81,0x8c,0x00,0x30,0x81,0x88,0x02,0x42,0x01,0x1f,0x37,0x05,0xa6, + 0x91,0x84,0x36,0x0f,0x63,0xf1,0x42,0x84,0xc2,0xfc,0xd2,0x4d,0x1e,0x7a,0xfe,0xe9, + 0x22,0xc7,0xcf,0x12,0x37,0xdd,0xe7,0xc1,0xce,0xb7,0x92,0x5b,0x15,0xea,0xe5,0x81, + 0x25,0x48,0x29,0x22,0xe2,0xe3,0x3f,0xbb,0xa7,0x3d,0xac,0xa7,0x29,0x0e,0xa6,0xcb, + 0xf9,0x6a,0xa8,0x3a,0x33,0x2b,0xbd,0xaa,0x7b,0x81,0x7d,0x87,0x29,0x02,0x42,0x00, + 0xcc,0x80,0xb7,0x7c,0xf3,0x04,0x1f,0x0c,0x6f,0xef,0xb3,0x4c,0x7b,0x2d,0x54,0x1f, + 0x3d,0xb4,0xdd,0x6f,0x7c,0x2a,0xdb,0xfa,0x3e,0x47,0xa9,0x3a,0xe1,0x68,0x96,0xff, + 0xc3,0x42,0xa1,0xd1,0xc3,0xe4,0x03,0xa7,0x33,0x82,0xb2,0x76,0x12,0xeb,0xaa,0xed, + 0x00,0x3f,0x1f,0x4a,0xd5,0x1c,0x63,0x50,0xd0,0xae,0xa5,0x58,0xc2,0x16,0x56,0xcd, + 0x9b +}; + /** * TLS certificate for Ed25519 key * pki --self --in ed25519.key --dn "C=CH, O=strongSwan, CN=tls-ed25519" \ @@ -313,24 +421,13 @@ static void setup_credentials(chunk_t key_data, chunk_t cert_data) lib->credmgr->add_set(lib->credmgr, &creds->set); } - key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, - BUILD_BLOB, chunk_from_thing(rsa), BUILD_END); - if (key) - { - creds->add_key(creds, key); - } key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, BUILD_BLOB, key_data, BUILD_END); if (key) { creds->add_key(creds, key); } - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB, chunk_from_thing(rsa_crt), BUILD_END); - if (cert) - { - creds->add_cert(creds, TRUE, cert); - } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_BLOB, cert_data, BUILD_END); if (cert) @@ -339,21 +436,31 @@ static void setup_credentials(chunk_t key_data, chunk_t cert_data) } } +START_SETUP(setup_rsa_creds) +{ + setup_credentials(chunk_from_thing(rsa), chunk_from_thing(rsa_crt)); +} +END_SETUP + START_SETUP(setup_ed25519_creds) { + setup_credentials(chunk_from_thing(rsa), chunk_from_thing(rsa_crt)); setup_credentials(chunk_from_thing(ed25519), chunk_from_thing(ed25519_crt)); } END_SETUP START_SETUP(setup_ed448_creds) { + + setup_credentials(chunk_from_thing(rsa), chunk_from_thing(rsa_crt)); setup_credentials(chunk_from_thing(ed448), chunk_from_thing(ed448_crt)); } END_SETUP START_SETUP(setup_all_creds) { - setup_credentials(chunk_from_thing(ecdsa), chunk_from_thing(ecdsa_crt)); + setup_credentials(chunk_from_thing(rsa), chunk_from_thing(rsa_crt)); + setup_credentials(chunk_from_thing(ecdsa256), chunk_from_thing(ecdsa256_crt)); setup_credentials(chunk_from_thing(ed25519), chunk_from_thing(ed25519_crt)); setup_credentials(chunk_from_thing(ed448), chunk_from_thing(ed448_crt)); } @@ -600,20 +707,57 @@ static void test_tls_ke_groups(tls_version_t version, uint16_t port, bool cauth, static void test_tls_signature_schemes(tls_version_t version, uint16_t port, bool cauth, u_int i) { + chunk_t key_data = chunk_empty, cert_data = chunk_empty; tls_signature_scheme_t *schemes; char signature[128]; int count; + /* config used for both TLS server and client */ server_config = create_config(version, port, cauth); + /* start TLS server */ start_echo_server(server_config); + /* configure signature scheme */ count = tls_crypto_get_supported_signatures(version, &schemes); ck_assert(i < count); snprintf(signature, sizeof(signature), "%N", tls_signature_scheme_names, schemes[i]); lib->settings->set_str(lib->settings, "%s.tls.signature", signature, lib->ns); + /* depending on the signature scheme load a second set of credentials */ + switch (schemes[i]) + { + case TLS_SIG_ECDSA_SHA256: + case TLS_SIG_ECDSA_SHA1: + key_data = chunk_from_thing(ecdsa256); + cert_data = chunk_from_thing(ecdsa256_crt); + break; + case TLS_SIG_ECDSA_SHA384: + key_data = chunk_from_thing(ecdsa384); + cert_data = chunk_from_thing(ecdsa384_crt); + break; + case TLS_SIG_ECDSA_SHA512: + key_data = chunk_from_thing(ecdsa521); + cert_data = chunk_from_thing(ecdsa521_crt); + break; + case TLS_SIG_ED25519: + key_data = chunk_from_thing(ed25519); + cert_data = chunk_from_thing(ed25519_crt); + break; + case TLS_SIG_ED448: + key_data = chunk_from_thing(ed448); + cert_data = chunk_from_thing(ed448_crt); + break; + default: + break; + } + if (key_data.len > 0 || cert_data.len > 0) + { + setup_credentials(key_data, cert_data); + } + + /* run TLS client */ run_echo_client(server_config); free(schemes); @@ -793,25 +937,25 @@ Suite *socket_suite_create() suite_add_tcase(s, tc); tc = tcase_create("TLS 1.3/signature schemes"); - tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds); + tcase_add_checked_fixture(tc, setup_rsa_creds, teardown_creds); tcase_add_loop_test(tc, test_tls13_signature_schemes, 0, tls_crypto_get_supported_signatures(TLS_1_3, NULL)); suite_add_tcase(s, tc); tc = tcase_create("TLS 1.2/signature schemes"); - tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds); + tcase_add_checked_fixture(tc, setup_rsa_creds, teardown_creds); tcase_add_loop_test(tc, test_tls12_signature_schemes, 0, tls_crypto_get_supported_signatures(TLS_1_2, NULL)); suite_add_tcase(s, tc); tc = tcase_create("TLS 1.1/signature schemes"); - tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds); + tcase_add_checked_fixture(tc, setup_rsa_creds, teardown_creds); tcase_add_loop_test(tc, test_tls11_signature_schemes, 0, tls_crypto_get_supported_signatures(TLS_1_1, NULL)); suite_add_tcase(s, tc); tc = tcase_create("TLS 1.0/signature schemes"); - tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds); + tcase_add_checked_fixture(tc, setup_rsa_creds, teardown_creds); tcase_add_loop_test(tc, test_tls10_signature_schemes, 0, tls_crypto_get_supported_signatures(TLS_1_0, NULL)); suite_add_tcase(s, tc);