RFR: 8298874: Update TestAllSuites.java for TLS v1.2 and 1.3 [v2]
Matthew Donovan
duke at openjdk.org
Mon Jan 30 12:17:13 UTC 2023
On Fri, 27 Jan 2023 21:33:13 GMT, Rajan Halade <rhalade at openjdk.org> wrote:
>> The test verifies the handshake negotiation for each ciphersuite/protocol combination. The `getSupportedCipherSuites()` and `getEnabledCipherSuites()` are independent of the enabled protocols. In other words, if you called `engine.setEnabledProtocols(new String[]{"TLSv1.2"})`, the output of `engine.getEnabledCipherSuites()` would still include TLSv1.3 ciphers.
>>
>> So trying to run the tests by looping over the output of those methods isn't going to work. Instead of having this hard-coded set of things, I could run the test with each protocol and one or two cipher suites. How does that sound?
>
> You will need to create SSLContext with the protocol to test in order to get usable enabled protocols. Try the patch below:
>
>
> `index dfd74fa95df..2ce7e431783 100644
> --- a/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java
> +++ b/test/jdk/javax/net/ssl/SSLEngine/TestAllSuites.java
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
> + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
> * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> *
> * This code is free software; you can redistribute it and/or modify it
> @@ -26,13 +26,14 @@
> * @bug 4495742
> * @library /test/lib
> *
> - * @run main/othervm/timeout=180 TestAllSuites
> + * @run main/othervm/timeout=180 TestAllSuites TLSv1.1
> + * @run main/othervm/timeout=180 TestAllSuites TLSv1.2
> + * @run main/othervm/timeout=180 TestAllSuites TLSv1.3
> *
> * @summary Add non-blocking SSL/TLS functionality, usable with any
> * I/O abstraction
> *
> - * Iterate through all the suites using both TLS and SSLv3, and turn
> - * SSLv2Hello off and on. Exchange some bytes and shutdown.
> + * Iterate through all the suites and exchange some bytes then shutdown.
> *
> * @author Brad Wetmore
> */
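Review bot: The `@bug` line at the top of this hunk still lists only 4495742 although the change is for 8298874; jtreg convention is to append the new id, `* @bug 4495742 8298874`. The rewritten description line no longer says where the protocol comes from, so a reader of the header cannot tell why there are three `@run` lines; `* Iterate through all the suites enabled for the protocol given as the first argument, exchange some bytes, then shut down.` would make that explicit.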
> @@ -73,97 +74,94 @@ public class TestAllSuites {
>
> private ByteBuffer clientToServer;
> private ByteBuffer serverToClient;
> + private final String PROTOCOL;
>
>
> - private void createSSLEngines() throws Exception {
> + private void createSSLEngines() {
> +
> clientEngine = SSL_CONTEXT.createSSLEngine("client", 1);
> clientEngine.setUseClientMode(true);
>
> serverEngine = SSL_CONTEXT.createSSLEngine("server", 2);
> serverEngine.setUseClientMode(false);
> +
> + clientEngine.setEnabledProtocols(new String[]{PROTOCOL});
> + serverEngine.setEnabledProtocols(new String[]{PROTOCOL});
> }
>
> private void test() throws Exception {
> -
> - createSSLEngines();
> - List<String> supportedSuites = List.of(clientEngine.getSupportedCipherSuites());
> -
> - for (SupportedCipherSuites tls : SupportedCipherSuites.values()) {
> - for (String cipherSuite : tls.cipherSuites) {
> - if (supportedSuites.contains(cipherSuite)) {
> - createSSLEngines();
> - runTest(cipherSuite, tls.protocol);
> - } else {
> - System.out.printf("Skipping unsupported cipher suite %s with %s%n",
> - tls.protocol,
> - cipherSuite);
> - }
> - }
> + String [] suites = clientEngine.getEnabledCipherSuites();
> + System.out.println(Arrays.toString(suites));
> + for (String suite: suites){
> + // Need to recreate engines to override enabled ciphers
> + createSSLEngines();
> + runTest(suite);
> }
> }
>
> - private void runTest(String suite, String protocol) throws Exception {
> + private void runTest(String suite) throws Exception {
>
> boolean dataDone = false;
>
> System.out.println("======================================");
> - System.out.printf("Testing: %s with %s%n", protocol, suite);
> + System.out.printf("Testing: %s with %s%n", PROTOCOL, suite);
>
> String [] suites = new String [] { suite };
>
> + if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
> + System.out.println("Ignoring SCSV suite");
> + return;
> + }
> +
> clientEngine.setEnabledCipherSuites(suites);
> serverEngine.setEnabledCipherSuites(suites);
>
> - clientEngine.setEnabledProtocols(new String[]{protocol});
> - serverEngine.setEnabledProtocols(new String[]{protocol});
> -
> createBuffers();
>
> - SSLEngineResult result1; // ssle1's results from last operation
> - SSLEngineResult result2; // ssle2's results from last operation
> + SSLEngineResult clientResult;
> + SSLEngineResult serverResult;
>
> Date start = new Date();
> - int counter = 0;
> while (!isEngineClosed(clientEngine) || !isEngineClosed(serverEngine)) {
>
> log("----------------");
>
> - result1 = clientEngine.wrap(clientOut, clientToServer);
> - result2 = serverEngine.wrap(serverOut, serverToClient);
> + clientResult = clientEngine.wrap(clientOut, clientToServer);
> + serverResult = serverEngine.wrap(serverOut, serverToClient);
>
> - log("wrap1: " + result1);
> + log("Client Engine wrap result: " + clientResult);
> log("clientToServer = " + clientToServer);
> log("");
>
> - log("wrap2: " + result2);
> + log("Server Engine wrap result: " + serverResult);
> log("serverToClient = " + serverToClient);
>
> - runDelegatedTasks(result1, clientEngine);
> - runDelegatedTasks(result2, serverEngine);
> + runDelegatedTasks(clientResult, clientEngine);
> + runDelegatedTasks(serverResult, serverEngine);
>
> clientToServer.flip();
> serverToClient.flip();
>
> log("----");
>
> - result1 = clientEngine.unwrap(serverToClient, clientIn);
> - result2 = serverEngine.unwrap(clientToServer, serverIn);
> + clientResult = clientEngine.unwrap(serverToClient, clientIn);
> + serverResult = serverEngine.unwrap(clientToServer, serverIn);
>
> - log("unwrap1: " + result1);
> + log("Client Engine unwrap result: " + clientResult);
> log("serverToClient = " + serverToClient);
> log("");
>
> - log("unwrap2: " + result2);
> + log("Server Engine unwrap result: " + serverResult);
> log("clientToServer = " + clientToServer);
>
> - runDelegatedTasks(result1, clientEngine);
> - runDelegatedTasks(result2, serverEngine);
> + runDelegatedTasks(clientResult, clientEngine);
> + runDelegatedTasks(serverResult, serverEngine);
>
> clientToServer.compact();
> serverToClient.compact();
>
> /*
> - * If we've transfered all the data between app1 and app2,
> + * If we've transferred all the data between client and server,
> * we try to close and see what that gets us.
> */
> if (!dataDone && (clientOut.limit() == serverIn.position()) &&
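Review bot: The `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` early return in runTest sits after `String [] suites = new String [] { suite };` and carries no explanation of why that entry is skipped; move the guard to the top of the method and say why, e.g. `// Signaling cipher suite value (RFC 5746), not a negotiable suite; skip it.` The new field `private final String PROTOCOL;` is per-instance state set by the constructor, so UPPER_SNAKE_CASE reads as a constant; `private final String protocol;` would match the other instance fields. runTest's body continues past the end of this hunk.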
> @@ -178,6 +176,9 @@ public class TestAllSuites {
> }
> }
>
> + System.out.println("Negotiated protocol: " + clientEngine.getSession().getProtocol());
> + System.out.println("Negotiated cipher: " + clientEngine.getSession().getCipherSuite());
> +
> /*
> * Just for grins, try closing again, make sure nothing
> * strange is happening after we're closed.
> @@ -192,18 +193,17 @@ public class TestAllSuites {
> clientIn.clear();
> clientToServer.clear();
>
> - result1 = clientEngine.wrap(clientOut, clientToServer);
> - checkResult(result1);
> + clientResult = clientEngine.wrap(clientOut, clientToServer);
> + checkResult(clientResult);
>
> - result1 = clientEngine.unwrap(clientToServer, clientIn);
> - checkResult(result1);
> + clientResult = clientEngine.unwrap(clientToServer, clientIn);
> + checkResult(clientResult);
>
> System.out.println("Test Passed.");
> System.out.println("\n======================================");
>
> Date end = new Date();
> elapsed += end.getTime() - start.getTime();
> -
> }
>
> static long elapsed = 0;
> @@ -219,14 +219,25 @@ public class TestAllSuites {
> }
>
> public static void main(String args[]) throws Exception {
> - SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
> - TestAllSuites tas;
> -
> - tas = new TestAllSuites();
> + if (args.length < 1){
> + throw new RuntimeException("Missing TLS protocol parameter");
> + }
>
> - tas.createSSLEngines();
> + switch(args[0]){
> + case "TLSv1.1":
> + SecurityUtils.removeFromDisabledTlsAlgs("TLSv1.1");
> + break;
> + case "TLSv1.2":
> + break;
> + case "TLSv1.3":
> + SecurityUtils.addToDisabledTlsAlgs("TLSv1.2");
> + break;
> + }
>
> - tas.test();
> + TestAllSuites testAllSuites;
> + testAllSuites = new TestAllSuites(args[0]);
> + testAllSuites.createSSLEngines();
> + testAllSuites.test();
>
> System.out.println("All Tests Passed.");
> System.out.println("Elapsed time: " + elapsed / 1000.0);
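Review bot: The `switch(args[0])` has no `default` branch, so an unrecognised protocol name passes straight through to `new TestAllSuites(args[0])` and only fails later inside `SSLContext.getInstance` with a less obvious error; add `default: throw new IllegalArgumentException("Unsupported protocol: " + args[0]);` and use `IllegalArgumentException` for the missing-argument case as well instead of the bare `RuntimeException`. The `TLSv1.3` branch disabling `TLSv1.2` appears to be what keeps TLSv1.2 suites out of the enabled list that test() iterates over, and that dependency is invisible at the call site; a comment such as `// A TLSv1.3 context also enables TLSv1.2 suites; disable the protocol so only TLSv1.3 suites are enumerated` would record it. The empty `TLSv1.2` branch would likewise read better with `// default context already limits the run to TLSv1.2 suites` than a bare `break;`.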
> @@ -238,7 +249,8 @@ public class TestAllSuites {
> * **********************************************************
> */
>
> - public TestAllSuites() throws Exception {
> + public TestAllSuites(String protocol) throws Exception {
> + PROTOCOL = protocol;
> SSL_CONTEXT = getSSLContext(KEYSTORE_PATH, TRUSTSTORE_PATH);
> }
>
> @@ -262,7 +274,7 @@ public class TestAllSuites {
> TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
> tmf.init(ts);
>
> - SSLContext sslCtx = SSLContext.getInstance("TLS");
> + SSLContext sslCtx = SSLContext.getInstance(PROTOCOL);
>
> sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
>
> @@ -282,8 +294,8 @@ public class TestAllSuites {
> clientToServer = ByteBuffer.allocateDirect(netBufferMax);
> serverToClient = ByteBuffer.allocateDirect(netBufferMax);
>
> - clientOut = ByteBuffer.wrap("Hi Engine2, I'm SSLEngine1".getBytes());
> - serverOut = ByteBuffer.wrap("Hello Engine1, I'm SSLEngine2".getBytes());
> + clientOut = ByteBuffer.wrap("Hi Server, I'm Client".getBytes());
> + serverOut = ByteBuffer.wrap("Hello Client, I'm Server".getBytes());
>
> log("ClientOut = " + clientOut);
> log("ServerOut = " + serverOut);
> @@ -328,57 +340,4 @@ public class TestAllSuites {
> System.out.println(str);
> }
> }
> -
> - enum SupportedCipherSuites {
> - TLSv11("TLSv1.1", new String []{
> - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
> - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
> - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
> - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
> - "TLS_RSA_WITH_AES_256_CBC_SHA",
> - "TLS_RSA_WITH_AES_128_CBC_SHA",
> - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
> - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
> - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
> - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
> - "TLS_RSA_WITH_AES_256_CBC_SHA",
> - "TLS_RSA_WITH_AES_128_CBC_SHA",
> - }),
> -
> - TLSv12("TLSv1.2", new String []{
> - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
> - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
> - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
> - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
> - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
> - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
> - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
> - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
> - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
> - "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
> - "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
> - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
> - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
> - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
> - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
> - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
> - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
> - }),
> -
> - TLSv13("TLSv1.3", new String[] {
> - "TLS_AES_128_GCM_SHA256",
> - "TLS_AES_256_GCM_SHA384",
> - "TLS_CHACHA20_POLY1305_SHA256"
> - });
> -
> - final String protocol;
> - final String[] cipherSuites;
> -
> - SupportedCipherSuites(String protocol, String [] supportedCipherSuites) {
> - this.protocol = protocol;
> - this.cipherSuites = Arrays.copyOf(supportedCipherSuites,
> - supportedCipherSuites.length);
> - }
> - }
> }
> `
That works great, thanks!
-------------
PR: https://git.openjdk.org/jdk/pull/11780