tests.h
#ifndef __TESTS_H
#define __TESTS_H
#include <openssl/ssl.h>
#include "common.h"
#include "raw_ssl.h"
/*
 * Public suffix used for the wildcard-directly-under-a-public-suffix case:
 * the comment on FCS_TLSC_EXT_1_2_TEST_5__3 describes a certificate CN of
 * "*.PUBLIC_SUFFX".
 */
#define PUBLIC_SUFFX "com"
/*
 * State block for the cipher-suite handshake checks.
 * NOTE(review): the field descriptions are inferred from the names only;
 * confirm them against the code that fills and reads this struct.
 */
typedef struct {
    buffered_ssl_ctx bssl;           /* first member; type declared outside this header */
    int is_restricted;               /* flag; its meaning is not shown in this header */
    int cipher_count;                /* presumably the number of entries in cipher_list */
    cipher_suite_info *cipher_list;  /* cipher suites under test */
    int ec_count;                    /* presumably the number of entries in ec_list */
    ec_info *ec_list;                /* EC entries under test */
} handshake_cipher_state;
/*
 * State block for tests that rewrite the selected cipher.
 * NOTE(review): field meanings are inferred from the names; new_cipher is
 * presumably the 16-bit cipher suite id substituted into the handshake.
 * Confirm against the implementation.
 */
typedef struct {
    buffered_ssl_ctx bssl;      /* first member; type declared outside this header */
    unsigned int success;       /* result flag; convention not shown in this header */
    unsigned short new_cipher;  /* replacement cipher value */
} handshake_cipher_mod;
/*
 * Minimal state block: a buffered SSL context plus a result flag.
 * NOTE(review): how and when success is set is not shown in this header.
 */
typedef struct {
    buffered_ssl_ctx bssl;  /* first member; type declared outside this header */
    unsigned int success;   /* result flag (unsigned here, plain int in some sibling structs) */
} tls_generic_success;
/*
 * State block carrying a list of weak cipher suites and a result flag.
 * NOTE(review): weak_list_count is presumably the number of entries in
 * weak_list; confirm against the implementation.
 */
typedef struct {
    buffered_ssl_ctx bssl;         /* first member; type declared outside this header */
    int weak_list_count;           /* presumably the length of weak_list */
    cipher_suite_info *weak_list;  /* weak cipher suites */
    int success;                   /* result flag; convention not shown in this header */
} handshake_enum_ciphers;
/*
 * State block named for the key-exchange checks: a buffered SSL context
 * plus a result flag.
 * NOTE(review): how success is set is not shown in this header.
 */
typedef struct {
    buffered_ssl_ctx bssl;  /* first member; type declared outside this header */
    int success;            /* result flag; convention not shown in this header */
} handshake_key_exch;
/*
 * State block that records whether a ChangeCipherSpec has been observed.
 * NOTE(review): which direction of traffic sets the flag is not shown in
 * this header; confirm against the implementation.
 */
typedef struct {
    buffered_ssl_ctx bssl;        /* first member; type declared outside this header */
    int has_changed_cipher_spec;  /* flag named for a seen ChangeCipherSpec */
} tls_change_cipher_spec;
/*
 * State block holding a modulus buffer and its size.
 * NOTE(review): size is presumably the byte length of modulus; who allocates
 * and frees the buffer is not shown in this header. Confirm both before
 * reading or writing through the pointer.
 */
typedef struct {
    buffered_ssl_ctx bssl;   /* first member; type declared outside this header */
    unsigned char *modulus;  /* modulus bytes */
    unsigned int size;       /* presumably the length of modulus in bytes */
} handshake_server_cert;
/*
 * FCS_TLSC_EXT.1.1 Test 1.
 *
 * Establishes a TLS connection with each of the mandatory/optional cipher
 * suites and reports whether each connection succeeded or was terminated
 * prematurely.
 *
 * The ClientHello is also examined for unsupported cipher suites; the test
 * fails if any are detected.
 *
 * The function only succeeds when the mandatory cipher suite connects
 * successfully and the ClientHello contains nothing but mandatory/optional
 * cipher suites.
 *
 * req_count is the number of mandatory ciphers. Mandatory ciphers must be
 * listed first in cipher_list.
 *
 * NOTE(review): presumably 0 <= req_count <= cipher_count; this header does
 * not say whether the implementation checks that.
 */
int FCS_TLSC_EXT_1_1_TEST_1(int ssock, SSL_CTX *ssl_ctx,
    cipher_suite_info *cipher_list, int cipher_count, int req_count,
    ec_info *ec_list, int ec_count);
/*
 * FCS_TLSC_EXT.1.1 Test 2.
 *
 * Automatically generates a non-server-authentication certificate and
 * serves it to the client.
 *
 * The part that requires a valid server authentication field is not tested
 * here, because FCS_TLSC_EXT_1_1 Test 1 already covers it; repeating it
 * seemed redundant.
 */
int FCS_TLSC_EXT_1_1_TEST_2(int ssock, SSL_CTX *ssl_ctx,
    X509 *ca_cert, EVP_PKEY *ca_private_key,
    int bits, const EVP_MD *hash,
    const char *cipher_suite);
/*
 * FCS_TLSC_EXT.1.1 Tests 3 and 4.
 *
 * Tells OpenSSL to serve a certificate with the specified cipher_name, while
 * the mutator on outbound data changes the selected algorithm to
 * alt_cipher_id.
 *
 * Test 3: an EC cipher is selected and then changed to a normal cipher, so
 * OpenSSL sends an EC certificate together with a non-EC cipher.
 *
 * Test 4: this just enables the ability to select the NULL cipher.
 *
 * The hash for the finalization messages is deliberately not fixed up: the
 * connection should die before the hash of the messages is ever compared.
 * If the client sends any other handshake message after the ServerHello,
 * the test fails immediately.
 */
int FCS_TLSC_EXT_1_1_TEST_3_4(int ssock, SSL_CTX *ssl_ctx,
    const char *cipher_name,
    unsigned short alt_cipher_id);
/*
 * FCS_TLSC_EXT.1.1 Test 5.1.
 *
 * Changes the TLS version number in the ServerHello message to
 * FAKE_SSL_VERSION (not defined in this header).
 * Reports failure if the client continues handshaking instead of
 * terminating the connection.
 */
int FCS_TLSC_EXT_1_1_TEST_5__1(int ssock,
    SSL_CTX *ssl_ctx,
    const char *cipher_name);
/*
 * FCS_TLSC_EXT.1.1 Test 5.2.
 *
 * Changes the server's nonce and checks whether the connection succeeds.
 * Reports failure if a TLS tunnel is successfully established.
 */
int FCS_TLSC_EXT_1_1_TEST_5__2(int ssock,
    SSL_CTX *ssl_ctx,
    const char *cipher_name);
/*
 * FCS_TLSC_EXT.1.1 Test 5.3.
 *
 * Forces OpenSSL to pick a cipher from weak_list by replacing every cipher
 * in the ClientHello with the unsupported cipher. That would make the
 * Finished handshake fail, but the handshake should terminate before it
 * gets that far. The weak cipher selected is one that is not in the
 * ClientHello, to force a mismatch.
 *
 * Any further handshake message from the client after the ServerHello
 * causes a failure.
 */
int FCS_TLSC_EXT_1_1_TEST_5__3(int ssock, SSL_CTX *ssl_ctx,
    int weak_list_count,
    cipher_suite_info *weak_list);
/*
 * FCS_TLSC_EXT.1.1 Test 5.4.
 *
 * Changes the last byte of the ServerKeyExchange message. The test fails if
 * the client goes on to send any handshake message.
 */
int FCS_TLSC_EXT_1_1_TEST_5__4(int ssock,
    SSL_CTX *ssl_ctx,
    const char *dh_cipher_name);
/*
 * FCS_TLSC_EXT.1.1 Test 5.5.
 *
 * Modifies the 6th byte of the first encrypted handshake message (Server
 * Finished). The test fails if the connection is successful.
 */
int FCS_TLSC_EXT_1_1_TEST_5__5(int ssock,
    SSL_CTX *ssl_ctx,
    const char *cipher_name);
/*
 * FCS_TLSC_EXT.1.1 Test 5.6.
 *
 * Overwrites the next message the server sends after ChangeCipherSpec with
 * random data. The test fails if the connection succeeds.
 */
int FCS_TLSC_EXT_1_1_TEST_5__6(int ssock,
    SSL_CTX *ssl_ctx,
    const char *cipher_name);
/*
 * FCS_TLSC_EXT.1.2 Test 1.
 *
 * Generates a certificate chain that has a non-matching CN and SAN.
 * The test fails on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_1(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 2.
 *
 * Generates a certificate with a non-matching SAN but a matching CN.
 * The test fails on a successful connection.
 *
 * NOTE: Only a bad URI SAN is generated; the other SAN types are not
 * tested. This does NOT match the application PP precisely, so a pass here
 * covers the URI case only.
 */
int FCS_TLSC_EXT_1_2_TEST_2(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 3.
 *
 * Generates a certificate with a matching CN but no SAN.
 * The test succeeds on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_3(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 4.
 *
 * Generates a certificate with a non-matching CN but a matching SAN.
 * The test succeeds on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_4(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 5.1.
 *
 * NOTE: The 1.2 Test 5.* functions only test CNs, which does not meet the
 * PP's requirement of testing all supported reference identifiers.
 *
 * Generates a certificate with a CN in the format
 * WILD_START.*.common_name (WILD_START is not defined in this header).
 * The test fails on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_5__1(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 5.2a.
 *
 * Generates a certificate with a CN in the format *.common_name.
 * The test succeeds on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_5__2a(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 5.2b.
 *
 * Same as 2a, except that the test fails on a successful connection.
 *
 * NOTE(review): the signature is identical to 2a; what the caller is
 * expected to vary between the two (presumably the name the client
 * connects to) is not stated in this header. Confirm.
 */
int FCS_TLSC_EXT_1_2_TEST_5__2b(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.2 Test 5.3.
 *
 * Generates a certificate with a CN of *.PUBLIC_SUFFX.
 * The test fails on a successful connection.
 */
int FCS_TLSC_EXT_1_2_TEST_5__3(int ssock, const char *cipher_name, int depth,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * NOTE: FCS_TLSC_EXT.1.2 Test 6 and Test 7 are skipped; this header declares
 * no test function for either of them.
 */
/*
 * FCS_TLSC_EXT.1.3 Test 1a.
 *
 * Generates a normal certificate chain that includes 2 intermediate CAs.
 * The test succeeds on a successful connection.
 */
int FCS_TLSC_EXT_1_3_TEST_1a(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.3 Test 1b.
 *
 * Same as 1a, except fail if unsuccessful.
 *
 * NOTE(review): as worded, this is the same pass condition that the 1a
 * comment gives ("success if successful connection"). If 1b is meant to be
 * the negative case, the wording should say so; confirm against the
 * implementation.
 */
int FCS_TLSC_EXT_1_3_TEST_1b(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.4 Test 1.
 *
 * Generates a standard CA chain. When the client connects, the server
 * requires client authentication and lists as acceptable CAs the standard
 * CA plus another CA that is modified in transit.
 *
 * A correct client CA is written to the file CLIENT_CERT, which can be
 * inserted into the browser. The test fails if the connection is
 * successful.
 *
 * NOTE(review): CLIENT_CERT is not defined in this header. The file is
 * test material generated for this run; treat anything imported into the
 * browser from it as test-only and remove it afterwards.
 */
int FCS_TLSC_EXT_1_4_TEST_1(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.5 Test 1.
 *
 * Generates an ECDSA certificate with the given ec_curve, which should be
 * a curve the client does not support. The test fails on a successful
 * connection.
 */
int FCS_TLSC_EXT_1_5_TEST_1(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk,
    const char *ec_curve,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FCS_TLSC_EXT.1.6 Test 1.
 *
 * Generates an RSA certificate signed with SHA1.
 * The test fails on a successful connection.
 */
int FCS_TLSC_EXT_1_6_TEST_1(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.1 Test 1.
 *
 * Generates a certificate chain and writes the chain to a file. The chain
 * has to be imported into the client manually, because the server will not
 * send it. Multiple connections are then attempted, and the test succeeds
 * or fails according to the protection profile.
 *
 * NOTE(review): the chain imported into the client is test material; it
 * should be removed from the client's trust store once the run is done.
 */
int FIA_X509_EXT_1_1_TEST_1(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.1 Test 2.
 *
 * Generates an expired certificate and attempts to serve it to the client.
 * The test fails if the connection is successful.
 */
int FIA_X509_EXT_1_1_TEST_2(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
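/*
 * TODO: The CRL (certificate revocation list) tests have not been
 * implemented and are skipped for now. No FIA_X509_EXT_1_1_TEST_3 or
 * FIA_X509_EXT_1_1_TEST_4 is declared in this header, so a passing run of
 * this suite does not show that the client checks revocation.
 */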
/*
 * FIA_X509_EXT.1.1 Test 5.
 *
 * Generates a certificate and modifies its first byte before sending it to
 * the client. The test fails on a successful connection.
 */
int FIA_X509_EXT_1_1_TEST_5(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.1 Test 6.
 *
 * Generates a certificate and modifies its last byte before sending it to
 * the client. The test fails on a successful connection.
 */
int FIA_X509_EXT_1_1_TEST_6(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.1 Test 7.
 *
 * Generates a certificate and modifies the public key before sending it to
 * the client. Rather than parsing everything, the function just searches
 * the TLS handshake for the public key and then modifies it.
 * The test fails on a successful connection.
 *
 * NOTE(review): a search-based edit depends on the key bytes being found
 * in the outbound handshake; what happens when no match is found is not
 * stated in this header. Confirm that this case is reported as an error
 * rather than as a pass.
 */
int FIA_X509_EXT_1_1_TEST_7(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.2 Test 1.
 *
 * Generates a CA without the basicConstraints extension.
 * The test fails on a successful connection.
 */
int FIA_X509_EXT_1_2_TEST_1(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.2 Test 2.
 *
 * Generates a CA with the basicConstraints CA flag set to false.
 * The test fails on a successful connection.
 */
int FIA_X509_EXT_1_2_TEST_2(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
/*
 * FIA_X509_EXT.1.2 Test 3.
 *
 * Generates a CA with the basicConstraints CA flag set to true.
 * The test succeeds on a successful connection.
 */
int FIA_X509_EXT_1_2_TEST_3(int ssock, const char *cipher_name,
    X509 *root_cert, EVP_PKEY *root_pk, int bits,
    const char *country, const char *org_name, const char *org_unit,
    const char *common_name, const char *alt_name,
    int serial, int days_valid);
#endif