Pārlūkot izejas kodu
sidh: operability tests with BoringSSL
Implements two tests for SIDH/P503-X25519 interoperability. BoringSSL initiates connection to TRIS and TRIS initiates connection to BoringSSL. SIDH server always listens on port 7443v1.2.3
3 mainītis faili ar 38 papildinājumiem un 13 dzēšanām
Apvienotais skats
Salīdzināšanas iespējas
-
+1 -1_dev/Makefile
-
+8 -0_dev/boring/server.sh
-
+29 -12_dev/interop_test_runner
+ 1
- 1
_dev/Makefile
Parādīt failu
| @@ -28,7 +28,7 @@ TARGET_TEST_COMPAT=boring picotls tstclnt | |||||
| BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e | BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e | ||||
| BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris | BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris | ||||
| # SIDH repository (TODO: change path) | |||||
| # SIDH repository | |||||
| SIDH_REPO ?= https://github.com/cloudflare/sidh.git | SIDH_REPO ?= https://github.com/cloudflare/sidh.git | ||||
| SIDH_REPO_TAG ?= 137b47345fe8f36df1f822a206eb97339356b21a | SIDH_REPO_TAG ?= 137b47345fe8f36df1f822a206eb97339356b21a | ||||
| # NOBS repo (SIKE depends on SHA3) | # NOBS repo (SIKE depends on SHA3) | ||||
+ 8
- 0
_dev/boring/server.sh
Parādīt failu
| @@ -21,4 +21,12 @@ bssl server \ | |||||
| -accept 6443 -loop -www \ | -accept 6443 -loop -www \ | ||||
| -require-any-client-cert -debug 2>&1 & | -require-any-client-cert -debug 2>&1 & | ||||
| # ECDSA and SIDH/P503-X25519 | |||||
| bssl server \ | |||||
| -key ecdsa.pem \ | |||||
| -curves x25519sidh503 \ | |||||
| -min-version tls1.3 -max-version tls1.3 \ | |||||
| -accept 7443 -loop -www \ | |||||
| -debug 2>&1 & | |||||
| wait | wait | ||||
+ 29
- 12
_dev/interop_test_runner
Parādīt failu
| @@ -17,6 +17,10 @@ RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/ | |||||
| RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$" | RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$" | ||||
| # ALPN | # ALPN | ||||
| RE_PATTERN_ALPN = "ALPN protocol: npn_proto$" | RE_PATTERN_ALPN = "ALPN protocol: npn_proto$" | ||||
| # Successful TLS establishement from TRIS | |||||
| RE_TRIS_ALL_PASSED = ".*All handshakes passed.*" | |||||
| # TLS handshake from BoringSSL with SIDH/P503-X25519 | |||||
| RE_BORINGSSL_P503 = "ECDHE curve: x25519sidh503" | |||||
| class Docker(object): | class Docker(object): | ||||
| ''' Utility class used for starting/stoping servers and clients during tests''' | ''' Utility class used for starting/stoping servers and clients during tests''' | ||||
| @@ -55,7 +59,6 @@ class RegexSelfTest(unittest.TestCase): | |||||
| LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" | LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" | ||||
| LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" | LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" | ||||
| LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff" | LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff" | ||||
| def test_regexes(self): | def test_regexes(self): | ||||
| self.assertIsNotNone( | self.assertIsNotNone( | ||||
| re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE)) | re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE)) | ||||
| @@ -192,7 +195,7 @@ class InteropClient(object): | |||||
| self.d = Docker() | self.d = Docker() | ||||
| self.server = self.d.run_server( | self.server = self.d.run_server( | ||||
| self.SERVER_NAME, | self.SERVER_NAME, | ||||
| ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443}, | |||||
| ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443, '7443/tcp': 7443}, | |||||
| entrypoint="/server.sh") | entrypoint="/server.sh") | ||||
| @classmethod | @classmethod | ||||
| @@ -206,7 +209,7 @@ class InteropClient(object): | |||||
| # Actual test definition | # Actual test definition | ||||
| # TRIS as a server | |||||
| # TRIS as a server, BoringSSL as a client | |||||
| class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase): | class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase): | ||||
| CLIENT_NAME = "tls-tris:boring" | CLIENT_NAME = "tls-tris:boring" | ||||
| @@ -220,6 +223,15 @@ class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAut | |||||
| self.assertEqual(res[0], 0) | self.assertEqual(res[0], 0) | ||||
| self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE)) | self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE)) | ||||
| def test_SIDH(self): | |||||
| ''' | |||||
| Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519 | |||||
| ''' | |||||
| res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":7443 "+'-curves x25519sidh503') | |||||
| self.assertEqual(res[0], 0) | |||||
| self.assertIsNotNone(re.search(RE_BORINGSSL_P503, res[1], re.MULTILINE)) | |||||
| self.assertIsNotNone(re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE)) | |||||
| # PicoTLS doesn't seem to implement draft-23 correctly. It will | # PicoTLS doesn't seem to implement draft-23 correctly. It will | ||||
| # be enabled when draft-28 is implemented. | # be enabled when draft-28 is implemented. | ||||
| # class InteropServer_PicoTLS( | # class InteropServer_PicoTLS( | ||||
| @@ -236,13 +248,18 @@ class InteropServer_NSS( | |||||
| unittest.TestCase | unittest.TestCase | ||||
| ): CLIENT_NAME = "tls-tris:tstclnt" | ): CLIENT_NAME = "tls-tris:tstclnt" | ||||
| # TRIS as a client | |||||
| class InteropClient_BoringSSL( | |||||
| InteropClient, | |||||
| ClientNominalMixin, | |||||
| ClientClientAuthMixin, | |||||
| unittest.TestCase | |||||
| ): SERVER_NAME = "boring-localserver" | |||||
| # TRIS as a client, BoringSSL as a server | |||||
| class InteropClient_BoringSSL(InteropClient, ClientNominalMixin, ClientClientAuthMixin, unittest.TestCase): | |||||
| SERVER_NAME = "boring-localserver" | |||||
| def test_SIDH(self): | |||||
| ''' | |||||
| Connects to BoringSSL server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519 | |||||
| ''' | |||||
| res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 ' + self.server_ip+":7443") | |||||
| self.assertEqual(res[0], 0) | |||||
| self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE)) | |||||
| class InteropClient_NSS( | class InteropClient_NSS( | ||||
| InteropClient, | InteropClient, | ||||
| @@ -260,11 +277,11 @@ class InteropServer_TRIS(ClientNominalMixin, InteropServer, unittest.TestCase): | |||||
| res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443") | res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443") | ||||
| self.assertEqual(res[0], 0) | self.assertEqual(res[0], 0) | ||||
| def test_qr(self): | |||||
| def test_SIDH(self): | |||||
| res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 '+self.server_ip+":7443") | res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 '+self.server_ip+":7443") | ||||
| self.assertEqual(res[0], 0) | self.assertEqual(res[0], 0) | ||||
| def test_qrServerDoesntSupportSIDH(self): | |||||
| def test_server_doesnt_support_SIDH(self): | |||||
| ''' | ''' | ||||
| Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather | Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather | ||||
| TLS session can still be established. | TLS session can still be established. | ||||