mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-03 20:17:36 +03:00
crypto/tls: test with FIPS 140-3 TLS mode
For tests that are interested in testing the difference between TLS in FIPS 140-3 required mode or otherwise two new helpers are introduced, runWithFIPSEnabled and runWithFIPSDisabled. They take care of forcing the correct TLS FIPS 140-3 state regardless of the overal GODEBUG=fips state, and restoring it afterwards. For the tests that use features or test data not appropriate for TLS in FIPS 140-3 required mode we add skips. For some tests we can make them appropriate for both TLS FIPS 140-3 required or not by tweaking some parameters that weren't important to the subject under test, but would otherwise preclude TLS FIPS 140-3 required mode (e.g. because they used TLS 1.0 when the test could use TLS 1.2 instead). For others, switching test certificates to a RSA 2048 hierarchy is sufficient. We avoid regenerating the existing RSA 1024 certs as 2048 since it would invalidate recorded static flow data. Tests that rely on static message flows (primarily the client and server handshake) tests are skipped due to FIPS mode being non-deterministic and inappropriate for this style of testing. Change-Id: I311f3828dac890bb3ff8ebda6ed73d50f0797110 Reviewed-on: https://go-review.googlesource.com/c/go/+/629736 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
This commit is contained in:
Daniel McCarney
Filippo Valsorda
parent
212bbb2c77
commit
4cb059fbbf
8 changed files with 238 additions and 118 deletions
|
|
@ -11,6 +11,7 @@ import (
|
|||
"crypto/ecdh"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/tls/internal/fips140tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
|
|
@ -119,7 +120,7 @@ func TestRejectBadProtocolVersion(t *testing.T) {
|
|||
|
||||
func TestNoSuiteOverlap(t *testing.T) {
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{0xff00},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
|
|
@ -129,9 +130,9 @@ func TestNoSuiteOverlap(t *testing.T) {
|
|||
|
||||
func TestNoCompressionOverlap(t *testing.T) {
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{0xff},
|
||||
}
|
||||
testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections")
|
||||
|
|
@ -139,7 +140,7 @@ func TestNoCompressionOverlap(t *testing.T) {
|
|||
|
||||
func TestNoRC4ByDefault(t *testing.T) {
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
|
|
@ -163,9 +164,9 @@ func TestDontSelectECDSAWithRSAKey(t *testing.T) {
|
|||
// Test that, even when both sides support an ECDSA cipher suite, it
|
||||
// won't be selected if the server's private key doesn't support it.
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
supportedCurves: []CurveID{CurveP256},
|
||||
supportedPoints: []uint8{pointFormatUncompressed},
|
||||
|
|
@ -189,9 +190,9 @@ func TestDontSelectRSAWithECDSAKey(t *testing.T) {
|
|||
// Test that, even when both sides support an RSA cipher suite, it
|
||||
// won't be selected if the server's private key doesn't support it.
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
supportedCurves: []CurveID{CurveP256},
|
||||
supportedPoints: []uint8{pointFormatUncompressed},
|
||||
|
|
@ -211,6 +212,8 @@ func TestDontSelectRSAWithECDSAKey(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestRenegotiationExtension(t *testing.T) {
|
||||
skipFIPS(t) // #70505
|
||||
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS12,
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
|
|
@ -263,6 +266,8 @@ func TestRenegotiationExtension(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTLS12OnlyCipherSuites(t *testing.T) {
|
||||
skipFIPS(t) // No TLS 1.1 in FIPS mode.
|
||||
|
||||
// Test that a Server doesn't select a TLS 1.2-only cipher suite when
|
||||
// the client negotiates TLS 1.1.
|
||||
clientHello := &clientHelloMsg{
|
||||
|
|
@ -324,13 +329,18 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
supportedPoints []uint8
|
||||
wantSupportedPoints bool
|
||||
}{
|
||||
{"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true},
|
||||
{"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, nil, false},
|
||||
{"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true},
|
||||
{"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true},
|
||||
{"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, nil, false},
|
||||
{"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true},
|
||||
{"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
|
||||
{"RSA with ec_point_format", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, []uint8{pointFormatUncompressed}, false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
// The RSA subtests should be enabled for FIPS 140 required mode: #70505
|
||||
if strings.HasPrefix(tt.name, "RSA") && fips140tls.Required() {
|
||||
t.Logf("skipping in FIPS mode.")
|
||||
continue
|
||||
}
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS12,
|
||||
|
|
@ -344,7 +354,9 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
c, s := localPipe(t)
|
||||
replyChan := make(chan any)
|
||||
go func() {
|
||||
cli := Client(c, testConfig)
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
|
||||
cli := Client(c, clientConfig)
|
||||
cli.vers = clientHello.vers
|
||||
if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil {
|
||||
testFatal(t, err)
|
||||
|
|
@ -357,9 +369,10 @@ func TestTLSPointFormats(t *testing.T) {
|
|||
replyChan <- reply
|
||||
}
|
||||
}()
|
||||
config := testConfig.Clone()
|
||||
config.CipherSuites = clientHello.cipherSuites
|
||||
Server(s, config).Handshake()
|
||||
serverConfig := testConfig.Clone()
|
||||
serverConfig.Certificates = []Certificate{{Certificate: [][]byte{testRSA2048Certificate}, PrivateKey: testRSA2048PrivateKey}}
|
||||
serverConfig.CipherSuites = clientHello.cipherSuites
|
||||
Server(s, serverConfig).Handshake()
|
||||
s.Close()
|
||||
reply := <-replyChan
|
||||
if err, ok := reply.(error); ok {
|
||||
|
|
@ -434,6 +447,8 @@ func TestVersion(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestCipherSuitePreference(t *testing.T) {
|
||||
skipFIPS(t) // No RC4 or CHACHA20_POLY1305 in FIPS mode.
|
||||
|
||||
serverConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256,
|
||||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
|
||||
|
|
@ -502,11 +517,11 @@ func TestCrossVersionResume(t *testing.T) {
|
|||
|
||||
func testCrossVersionResume(t *testing.T, version uint16) {
|
||||
serverConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
|
||||
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
Certificates: testConfig.Certificates,
|
||||
}
|
||||
clientConfig := &Config{
|
||||
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
|
||||
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
InsecureSkipVerify: true,
|
||||
ClientSessionCache: NewLRUClientSessionCache(1),
|
||||
ServerName: "servername",
|
||||
|
|
@ -927,14 +942,14 @@ func TestHandshakeServerKeySharePreference(t *testing.T) {
|
|||
// TestHandshakeServerUnsupportedKeyShare tests a client that sends a key share
|
||||
// that's not in the supported groups list.
|
||||
func TestHandshakeServerUnsupportedKeyShare(t *testing.T) {
|
||||
pk, _ := ecdh.X25519().GenerateKey(rand.Reader)
|
||||
pk, _ := ecdh.P384().GenerateKey(rand.Reader)
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
supportedVersions: []uint16{VersionTLS13},
|
||||
cipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
|
||||
cipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
|
||||
keyShares: []keyShare{{group: CurveP384, data: pk.PublicKey().Bytes()}},
|
||||
supportedCurves: []CurveID{CurveP256},
|
||||
}
|
||||
testClientHelloFailure(t, testConfig, clientHello, "client sent key share for group it does not support")
|
||||
|
|
@ -1081,16 +1096,16 @@ func TestHandshakeServerGetCertificateExtensions(t *testing.T) {
|
|||
testVersions := []uint16{VersionTLS12, VersionTLS13}
|
||||
for _, vers := range testVersions {
|
||||
t.Run(fmt.Sprintf("TLS version %04x", vers), func(t *testing.T) {
|
||||
pk, _ := ecdh.X25519().GenerateKey(rand.Reader)
|
||||
pk, _ := ecdh.P256().GenerateKey(rand.Reader)
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: vers,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
|
||||
cipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
serverName: "test",
|
||||
keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
|
||||
supportedCurves: []CurveID{X25519},
|
||||
supportedSignatureAlgorithms: []SignatureScheme{Ed25519},
|
||||
keyShares: []keyShare{{group: CurveP256, data: pk.PublicKey().Bytes()}},
|
||||
supportedCurves: []CurveID{CurveP256},
|
||||
supportedSignatureAlgorithms: []SignatureScheme{ECDSAWithP256AndSHA256},
|
||||
}
|
||||
|
||||
// the clientHelloMsg initialized just above is serialized with
|
||||
|
|
@ -1139,9 +1154,9 @@ func TestHandshakeServerSNIGetCertificateError(t *testing.T) {
|
|||
}
|
||||
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
serverName: "test",
|
||||
}
|
||||
|
|
@ -1160,9 +1175,9 @@ func TestHandshakeServerEmptyCertificates(t *testing.T) {
|
|||
serverConfig.Certificates = nil
|
||||
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
}
|
||||
testClientHelloFailure(t, serverConfig, clientHello, errMsg)
|
||||
|
|
@ -1172,9 +1187,9 @@ func TestHandshakeServerEmptyCertificates(t *testing.T) {
|
|||
serverConfig.GetCertificate = nil
|
||||
|
||||
clientHello = &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
}
|
||||
testClientHelloFailure(t, serverConfig, clientHello, "no certificates")
|
||||
|
|
@ -1497,9 +1512,9 @@ func TestSNIGivenOnFailure(t *testing.T) {
|
|||
const expectedServerName = "test.testing"
|
||||
|
||||
clientHello := &clientHelloMsg{
|
||||
vers: VersionTLS10,
|
||||
vers: VersionTLS12,
|
||||
random: make([]byte, 32),
|
||||
cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
|
||||
cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
|
||||
compressionMethods: []uint8{compressionNone},
|
||||
serverName: expectedServerName,
|
||||
}
|
||||
|
|
@ -1755,7 +1770,7 @@ T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g
|
|||
|
||||
func TestMultipleCertificates(t *testing.T) {
|
||||
clientConfig := testConfig.Clone()
|
||||
clientConfig.CipherSuites = []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}
|
||||
clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
|
||||
clientConfig.MaxVersion = VersionTLS12
|
||||
|
||||
serverConfig := testConfig.Clone()
|
||||
|
|
@ -1777,6 +1792,8 @@ func TestMultipleCertificates(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestAESCipherReordering(t *testing.T) {
|
||||
skipFIPS(t) // No CHACHA20_POLY1305 for FIPS.
|
||||
|
||||
currentAESSupport := hasAESGCMHardwareSupport
|
||||
defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
|
||||
|
||||
|
|
@ -1920,6 +1937,8 @@ func TestAESCipherReordering(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestAESCipherReorderingTLS13(t *testing.T) {
|
||||
skipFIPS(t) // No CHACHA20_POLY1305 for FIPS.
|
||||
|
||||
currentAESSupport := hasAESGCMHardwareSupport
|
||||
defer func() { hasAESGCMHardwareSupport = currentAESSupport }()
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue