kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

sidh: operability tests with BoringSSL

Browse Source 
Implements two tests for SIDH/P503-X25519 interoperability. BoringSSL
initiates connection to TRIS and TRIS initiates connection to BoringSSL.
SIDH server always listens on port 7443
This commit is contained in:
Henry Case 2018-10-15 14:24:28 +01:00 committed by Kris Kwiatkowski
parent 96db6f14d8
commit 8da51abeca
3 changed files with 38 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_dev/Makefile
View File

@ -28,7 +28,7 @@ TARGET_TEST_COMPAT=boring picotls tstclnt
BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e
BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris
# SIDH repository (TODO: change path) # SIDH repository
SIDH_REPO ?= https://github.com/cloudflare/sidh.git SIDH_REPO ?= https://github.com/cloudflare/sidh.git
SIDH_REPO_TAG ?= 137b47345fe8f36df1f822a206eb97339356b21a SIDH_REPO_TAG ?= 137b47345fe8f36df1f822a206eb97339356b21a
# NOBS repo (SIKE depends on SHA3) # NOBS repo (SIKE depends on SHA3)

8
_dev/boring/server.sh
View File

@ -21,4 +21,12 @@ bssl server \
-accept 6443 -loop -www \ -accept 6443 -loop -www \
-require-any-client-cert -debug 2>&1 & -require-any-client-cert -debug 2>&1 &
# ECDSA and SIDH/P503-X25519
bssl server \
-key ecdsa.pem \
-curves x25519sidh503 \
-min-version tls1.3 -max-version tls1.3 \
-accept 7443 -loop -www \
-debug 2>&1 &
wait wait

41
_dev/interop_test_runner
View File

@ -17,6 +17,10 @@ RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/
RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$" RE_PATTERN_HELLO_0RTT_CONFIRMED = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$"
# ALPN # ALPN
RE_PATTERN_ALPN = "ALPN protocol: npn_proto$" RE_PATTERN_ALPN = "ALPN protocol: npn_proto$"
# Successful TLS establishement from TRIS
RE_TRIS_ALL_PASSED = ".*All handshakes passed.*"
# TLS handshake from BoringSSL with SIDH/P503-X25519
RE_BORINGSSL_P503 = "ECDHE curve: x25519sidh503"
class Docker(object): class Docker(object):
''' Utility class used for starting/stoping servers and clients during tests''' ''' Utility class used for starting/stoping servers and clients during tests'''
@ -55,7 +59,6 @@ class RegexSelfTest(unittest.TestCase):
LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"
LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"
LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff" LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff"
def test_regexes(self): def test_regexes(self):
self.assertIsNotNone( self.assertIsNotNone(
re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE)) re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE))
@ -192,7 +195,7 @@ class InteropClient(object):
self.d = Docker() self.d = Docker()
self.server = self.d.run_server( self.server = self.d.run_server(
self.SERVER_NAME, self.SERVER_NAME,
ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443}, ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443, '7443/tcp': 7443},
entrypoint="/server.sh") entrypoint="/server.sh")
@classmethod @classmethod
@ -206,7 +209,7 @@ class InteropClient(object):
# Actual test definition # Actual test definition
# TRIS as a server # TRIS as a server, BoringSSL as a client
class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase): class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase):
CLIENT_NAME = "tls-tris:boring" CLIENT_NAME = "tls-tris:boring"
@ -220,6 +223,15 @@ class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAut
self.assertEqual(res[0], 0) self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE)) self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE))
def test_SIDH(self):
'''
Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
'''
res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":7443 "+'-curves x25519sidh503')
self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_BORINGSSL_P503, res[1], re.MULTILINE))
self.assertIsNotNone(re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
# PicoTLS doesn't seem to implement draft-23 correctly. It will # PicoTLS doesn't seem to implement draft-23 correctly. It will
# be enabled when draft-28 is implemented. # be enabled when draft-28 is implemented.
# class InteropServer_PicoTLS( # class InteropServer_PicoTLS(
@ -236,13 +248,18 @@ class InteropServer_NSS(
unittest.TestCase unittest.TestCase
): CLIENT_NAME = "tls-tris:tstclnt" ): CLIENT_NAME = "tls-tris:tstclnt"
# TRIS as a client # TRIS as a client, BoringSSL as a server
class InteropClient_BoringSSL( class InteropClient_BoringSSL(InteropClient, ClientNominalMixin, ClientClientAuthMixin, unittest.TestCase):
InteropClient,
ClientNominalMixin, SERVER_NAME = "boring-localserver"
ClientClientAuthMixin,
unittest.TestCase def test_SIDH(self):
): SERVER_NAME = "boring-localserver" '''
Connects to BoringSSL server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
'''
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 ' + self.server_ip+":7443")
self.assertEqual(res[0], 0)
self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))
class InteropClient_NSS( class InteropClient_NSS(
InteropClient, InteropClient,
@ -260,11 +277,11 @@ class InteropServer_TRIS(ClientNominalMixin, InteropServer, unittest.TestCase):
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443") res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443")
self.assertEqual(res[0], 0) self.assertEqual(res[0], 0)
def test_qr(self): def test_SIDH(self):
res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 '+self.server_ip+":7443") res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -qr SIDH-P503-X25519 '+self.server_ip+":7443")
self.assertEqual(res[0], 0) self.assertEqual(res[0], 0)
def test_qrServerDoesntSupportSIDH(self): def test_server_doesnt_support_SIDH(self):
''' '''
Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather
TLS session can still be established. TLS session can still be established.