RFR: 8298874: Update TestAllSuites.java for TLS v1.2 and 1.3
Rajan Halade
rhalade at openjdk.org
Fri Jan 27 21:36:18 UTC 2023
On Fri, 27 Jan 2023 01:30:59 GMT, Matthew Donovan <duke at openjdk.org> wrote:
>> test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java line 333:
>>
>>> 331:
>>> 332: enum SupportedCipherSuites {
>>> 333: TLSv11("TLSv1.1", new String []{
>>
>> Instead of this can we not continue with old approach of using `SSLEngine.getSupportedCipherSuites` and ignore not applicable suites?
>
> The test verifies the handshake negotiation for each ciphersuite/protocol combination. The `getSupportedCipherSuites()` and `getEnabledCipherSuites()` are independent of the enabled protocols. In other words, if you called `engine.setEnabledProtocols(new String[]{"TLSv1.2"})`, the output of `engine.getEnabledCipherSuites()` would still include TLSv1.3 ciphers.
>
> So trying to run the tests by looping over the output of those methods isn't going to work. Instead of having this hard-coded set of things, I could run the test with each protocol and one or two cipher suites. How does that sound?
You will need to create SSLContext with the protocol to test in order to get usable enabled protocols. Try the patch below:
`index dfd74fa95df..2ce7e431783 100644
--- a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java
+++ b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,13 +26,14 @@
* @bug 4495742
* @library /test/lib
*
- * @run main/othervm/timeout=180 TestAllSuites
+ * @run main/othervm/timeout=180 TestAllSuites TLSv1.1
+ * @run main/othervm/timeout=180 TestAllSuites TLSv1.2
+ * @run main/othervm/timeout=180 TestAllSuites TLSv1.3
*
* @summary Add non-blocking SSL/TLS functionality, usable with any
* I/O abstraction
*
- * Iterate through all the suites using both TLS and SSLv3, and turn
- * SSLv2Hello off and on. Exchange some bytes and shutdown.
+ * Iterate through all the suites and exchange some bytes then shutdown.
*
* @author Brad Wetmore
*/
@@ -73,97 +74,94 @@ public class TestAllSuites {
private ByteBuffer clientToServer;
private ByteBuffer serverToClient;
+ private final String PROTOCOL;
- private void createSSLEngines() throws Exception {
+ private void createSSLEngines() {
+
clientEngine = SSL_CONTEXT.createSSLEngine("client", 1);
clientEngine.setUseClientMode(true);
serverEngine = SSL_CONTEXT.createSSLEngine("server", 2);
serverEngine.setUseClientMode(false);
+
+ clientEngine.setEnabledProtocols(new String[]{PROTOCOL});
+ serverEngine.setEnabledProtocols(new String[]{PROTOCOL});
}
private void test() throws Exception {
-
- createSSLEngines();
- List<String> supportedSuites = List.of(clientEngine.getSupportedCipherSuites());
-
- for (SupportedCipherSuites tls : SupportedCipherSuites.values()) {
- for (String cipherSuite : tls.cipherSuites) {
- if (supportedSuites.contains(cipherSuite)) {
- createSSLEngines();
- runTest(cipherSuite, tls.protocol);
- } else {
- System.out.printf("Skipping unsupported cipher suite %s with %s%n",
- tls.protocol,
- cipherSuite);
- }
- }
+ String [] suites = clientEngine.getEnabledCipherSuites();
+ System.out.println(Arrays.toString(suites));
+ for (String suite: suites){
+ // Need to recreate engines to override enabled ciphers
+ createSSLEngines();
+ runTest(suite);
}
}
- private void runTest(String suite, String protocol) throws Exception {
+ private void runTest(String suite) throws Exception {
boolean dataDone = false;
System.out.println("======================================");
- System.out.printf("Testing: %s with %s%n", protocol, suite);
+ System.out.printf("Testing: %s with %s%n", PROTOCOL, suite);
String [] suites = new String [] { suite };
+ if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
+ System.out.println("Ignoring SCSV suite");
+ return;
+ }
+
clientEngine.setEnabledCipherSuites(suites);
serverEngine.setEnabledCipherSuites(suites);
- clientEngine.setEnabledProtocols(new String[]{protocol});
- serverEngine.setEnabledProtocols(new String[]{protocol});
-
createBuffers();
- SSLEngineResult result1; // ssle1's results from last operation
- SSLEngineResult result2; // ssle2's results from last operation
+ SSLEngineResult clientResult;
+ SSLEngineResult serverResult;
Date start = new Date();
- int counter = 0;
while (!isEngineClosed(clientEngine) || !isEngineClosed(serverEngine)) {
log("----------------");
- result1 = clientEngine.wrap(clientOut, clientToServer);
- result2 = serverEngine.wrap(serverOut, serverToClient);
+ clientResult = clientEngine.wrap(clientOut, clientToServer);
+ serverResult = serverEngine.wrap(serverOut, serverToClient);
- log("wrap1: " + result1);
+ log("Client Engine wrap result: " + clientResult);
log("clientToServer = " + clientToServer);
log("");
- log("wrap2: " + result2);
+ log("Server Engine wrap result: " + serverResult);
log("serverToClient = " + serverToClient);
- runDelegatedTasks(result1, clientEngine);
- runDelegatedTasks(result2, serverEngine);
+ runDelegatedTasks(clientResult, clientEngine);
+ runDelegatedTasks(serverResult, serverEngine);
clientToServer.flip();
serverToClient.flip();
log("----");
- result1 = clientEngine.unwrap(serverToClient, clientIn);
- result2 = serverEngine.unwrap(clientToServer, serverIn);
+ clientResult = clientEngine.unwrap(serverToClient, clientIn);
+ serverResult = serverEngine.unwrap(clientToServer, serverIn);
- log("unwrap1: " + result1);
+ log("Client Engine unwrap result: " + clientResult);
log("serverToClient = " + serverToClient);
log("");
- log("unwrap2: " + result2);
+ log("Server Engine unwrap result: " + serverResult);
log("clientToServer = " + clientToServer);
- runDelegatedTasks(result1, clientEngine);
- runDelegatedTasks(result2, serverEngine);
+ runDelegatedTasks(clientResult, clientEngine);
+ runDelegatedTasks(serverResult, serverEngine);
clientToServer.compact();
serverToClient.compact();
/*
- * If we've transfered all the data between app1 and app2,
+ * If we've transferred all the data between client and server,
* we try to close and see what that gets us.
*/
if (!dataDone && (clientOut.limit() == serverIn.position()) &&
@@ -178,6 +176,9 @@ public class TestAllSuites {
}
}
+ System.out.println("Negotiated protocol: " + clientEngine.getSession().getProtocol());
+ System.out.println("Negotiated cipher: " + clientEngine.getSession().getCipherSuite());
+
/*
* Just for grins, try closing again, make sure nothing
* strange is happening after we're closed.
@@ -192,18 +193,17 @@ public class TestAllSuites {
clientIn.clear();
clientToServer.clear();
- result1 = clientEngine.wrap(clientOut, clientToServer);
- checkResult(result1);
+ clientResult = clientEngine.wrap(clientOut, clientToServer);
+ checkResult(clientResult);
- result1 = clientEngine.unwrap(clientToServer, clientIn);
- checkResult(result1);
+ clientResult = clientEngine.unwrap(clientToServer, clientIn);
+ checkResult(clientResult);
System.out.println("Test Passed.");
System.out.println("\n======================================");
Date end = new Date();
elapsed += end.getTime() - start.getTime();
-
}
static long elapsed = 0;
@@ -219,14 +219,25 @@ public class TestAllSuites {
}
public static void main(String args[]) throws Exception {
- SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
- TestAllSuites tas;
-
- tas = new TestAllSuites();
+ if (args.length < 1){
+ throw new RuntimeException("Missing TLS protocol parameter");
+ }
- tas.createSSLEngines();
+ switch(args[0]){
+ case "TLSv1.1":
+ SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
+ break;
+ case "TLSv1.2":
+ break;
+ case "TLSv1.3":
+ SecurityUtils.addToDisabledTlsAlgs("TLSv1.2");
+ break;
+ }
- tas.test();
+ TestAllSuites testAllSuites;
+ testAllSuites = new TestAllSuites(args[0]);
+ testAllSuites.createSSLEngines();
+ testAllSuites.test();
System.out.println("All Tests Passed.");
System.out.println("Elapsed time: " + elapsed / 1000.0);
@@ -238,7 +249,8 @@ public class TestAllSuites {
* **********************************************************
*/
- public TestAllSuites() throws Exception {
+ public TestAllSuites(String protocol) throws Exception {
+ PROTOCOL = protocol;
SSL_CONTEXT = getSSLContext(KEYSTORE_PATH, TRUSTSTORE_PATH);
}
@@ -262,7 +274,7 @@ public class TestAllSuites {
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
- SSLContext sslCtx = SSLContext.getInstance("TLS");
+ SSLContext sslCtx = SSLContext.getInstance(PROTOCOL);
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
@@ -282,8 +294,8 @@ public class TestAllSuites {
clientToServer = ByteBuffer.allocateDirect(netBufferMax);
serverToClient = ByteBuffer.allocateDirect(netBufferMax);
- clientOut = ByteBuffer.wrap("Hi Engine2, I'm SSLEngine1".getBytes());
- serverOut = ByteBuffer.wrap("Hello Engine1, I'm SSLEngine2".getBytes());
+ clientOut = ByteBuffer.wrap("Hi Server, I'm Client".getBytes());
+ serverOut = ByteBuffer.wrap("Hello Client, I'm Server".getBytes());
log("ClientOut = " + clientOut);
log("ServerOut = " + serverOut);
@@ -328,57 +340,4 @@ public class TestAllSuites {
System.out.println(str);
}
}
-
- enum SupportedCipherSuites {
- TLSv11("TLSv1.1", new String []{
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- }),
-
- TLSv12("TLSv1.2", new String []{
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- }),
-
- TLSv13("TLSv1.3", new String[] {
- "TLS_AES_128_GCM_SHA256",
- "TLS_AES_256_GCM_SHA384",
- "TLS_CHACHA20_POLY1305_SHA256"
- });
-
- final String protocol;
- final String[] cipherSuites;
-
- SupportedCipherSuites(String protocol, String [] supportedCipherSuites) {
- this.protocol = protocol;
- this.cipherSuites = Arrays.copyOf(supportedCipherSuites,
- supportedCipherSuites.length);
- }
- }
}
`
-------------
PR: https://git.openjdk.org/jdk/pull/11780
More information about the security-dev
mailing list