07f5fc8dee
Reviewed-by: xuelei, asmotrak, rhalade
1082 lines
45 KiB
Java
1082 lines
45 KiB
Java
/*
|
|
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
import javax.net.ssl.KeyManagerFactory;
|
|
import javax.net.ssl.SNIHostName;
|
|
import javax.net.ssl.SNIMatcher;
|
|
import javax.net.ssl.SNIServerName;
|
|
import javax.net.ssl.SSLContext;
|
|
import javax.net.ssl.SSLEngine;
|
|
import javax.net.ssl.SSLEngineResult;
|
|
import javax.net.ssl.SSLException;
|
|
import javax.net.ssl.SSLParameters;
|
|
import javax.net.ssl.TrustManagerFactory;
|
|
import java.io.File;
|
|
import java.io.FileInputStream;
|
|
import java.io.IOException;
|
|
import java.nio.ByteBuffer;
|
|
import java.security.KeyManagementException;
|
|
import java.security.KeyStore;
|
|
import java.security.KeyStoreException;
|
|
import java.security.NoSuchAlgorithmException;
|
|
import java.security.UnrecoverableKeyException;
|
|
import java.security.cert.CertificateException;
|
|
import java.util.ArrayList;
|
|
import java.util.Arrays;
|
|
import java.util.HashMap;
|
|
import java.util.LinkedList;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
|
|
/**
|
|
* Basic class to inherit SSLEngine test cases from it. Tests apply for
|
|
* the TLS or DTLS security protocols and their versions.
|
|
*/
|
|
abstract public class SSLEngineTestCase {
|
|
|
|
public enum Ciphers {
|
|
|
|
/**
|
|
* Ciphers supported by the tested SSLEngine without those with kerberos
|
|
* authentication.
|
|
*/
|
|
SUPPORTED_NON_KRB_CIPHERS(SSLEngineTestCase.SUPPORTED_NON_KRB_CIPHERS,
|
|
"Supported non kerberos"),
|
|
/**
|
|
* Ciphers supported by the tested SSLEngine without those with kerberos
|
|
* authentication and without those with SHA256 ans SHA384.
|
|
*/
|
|
SUPPORTED_NON_KRB_NON_SHA_CIPHERS(SSLEngineTestCase.SUPPORTED_NON_KRB_NON_SHA_CIPHERS,
|
|
"Supported non kerberos non SHA256 and SHA384"),
|
|
/**
|
|
* Ciphers supported by the tested SSLEngine with kerberos authentication.
|
|
*/
|
|
SUPPORTED_KRB_CIPHERS(SSLEngineTestCase.SUPPORTED_KRB_CIPHERS,
|
|
"Supported kerberos"),
|
|
/**
|
|
* Ciphers enabled by default for the tested SSLEngine without kerberos
|
|
* and anon.
|
|
*/
|
|
ENABLED_NON_KRB_NOT_ANON_CIPHERS(
|
|
SSLEngineTestCase.ENABLED_NON_KRB_NOT_ANON_CIPHERS,
|
|
"Enabled by default non kerberos not anonymous"),
|
|
/**
|
|
* Ciphers unsupported by the tested SSLEngine.
|
|
*/
|
|
UNSUPPORTED_CIPHERS(SSLEngineTestCase.UNSUPPORTED_CIPHERS,
|
|
"Unsupported");
|
|
|
|
Ciphers(String[] ciphers, String description) {
|
|
this.ciphers = ciphers;
|
|
this.description = description;
|
|
}
|
|
|
|
final String[] ciphers;
|
|
final String description;
|
|
}
|
|
|
|
/**
|
|
* Enumeration used to distinguish handshake mode in
|
|
* {@link SSLEngineTestCase#doHandshake(javax.net.ssl.SSLEngine,
|
|
* javax.net.ssl.SSLEngine, int, SSLEngineTestCase.HandshakeMode, boolean)
|
|
* SSLEngineTestCase.doHandshake} method.
|
|
*/
|
|
public enum HandshakeMode {
|
|
|
|
/**
|
|
* Initial handshake done for the first time: both engines call
|
|
* {@link SSLEngine#beginHandshake()} method.
|
|
*/
|
|
INITIAL_HANDSHAKE,
|
|
/**
|
|
* Repeated handshake done by client: client engine calls
|
|
* {@link SSLEngine#beginHandshake()} method.
|
|
*/
|
|
REHANDSHAKE_BEGIN_CLIENT,
|
|
/**
|
|
* Repeated handshake done by server: server engine calls
|
|
* {@link SSLEngine#beginHandshake()} method.
|
|
*/
|
|
REHANDSHAKE_BEGIN_SERVER;
|
|
}
|
|
/**
|
|
* Security protocol to be tested: "TLS" or "DTLS" or their versions,
|
|
* e.g. "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1.0", "DTLSv1.2".
|
|
*/
|
|
public static final String TESTED_SECURITY_PROTOCOL
|
|
= System.getProperty("test.security.protocol", "TLS");
|
|
/**
|
|
* Test mode: "norm", "norm_sni" or "krb".
|
|
* Modes "norm" and "norm_sni" are used to run
|
|
* with all supported non-kerberos ciphers.
|
|
* Mode "krb" is used to run with kerberos ciphers.
|
|
*/
|
|
public static final String TEST_MODE
|
|
= System.getProperty("test.mode", "norm");
|
|
|
|
private static final String FS = System.getProperty("file.separator", "/");
|
|
private static final String PATH_TO_STORES = ".." + FS + "etc";
|
|
private static final String KEY_STORE_FILE = "keystore";
|
|
private static final String TRUST_STORE_FILE = "truststore";
|
|
private static final String PASSWD = "passphrase";
|
|
|
|
private static final String KEY_FILE_NAME
|
|
= System.getProperty("test.src", ".") + FS + PATH_TO_STORES
|
|
+ FS + KEY_STORE_FILE;
|
|
private static final String TRUST_FILE_NAME
|
|
= System.getProperty("test.src", ".") + FS + PATH_TO_STORES
|
|
+ FS + TRUST_STORE_FILE;
|
|
|
|
private static ByteBuffer net;
|
|
private static ByteBuffer netReplicatedClient;
|
|
private static ByteBuffer netReplicatedServer;
|
|
private static final int MAX_HANDSHAKE_LOOPS = 100;
|
|
private static final String EXCHANGE_MSG_SENT = "Hello, peer!";
|
|
private static boolean doUnwrapForNotHandshakingStatus;
|
|
private static boolean endHandshakeLoop = false;
|
|
private static final String TEST_SRC = System.getProperty("test.src", ".");
|
|
private static final String KTAB_FILENAME = "krb5.keytab.data";
|
|
private static final String KRB_REALM = "TEST.REALM";
|
|
private static final String KRBTGT_PRINCIPAL = "krbtgt/" + KRB_REALM;
|
|
private static final String KRB_USER = "USER";
|
|
private static final String KRB_USER_PASSWORD = "password";
|
|
private static final String KRB_USER_PRINCIPAL = KRB_USER + "@" + KRB_REALM;
|
|
private static final String KRB5_CONF_FILENAME = "krb5.conf";
|
|
private static final String PATH_TO_COMMON = ".." + FS + "TLSCommon";
|
|
private static final String JAAS_CONF_FILE = PATH_TO_COMMON
|
|
+ FS + "jaas.conf";
|
|
private static final int DELAY = 1000;
|
|
private static final String HOST = "localhost";
|
|
private static final String SERVER_NAME = "service.localhost";
|
|
private static final String SNI_PATTERN = ".*";
|
|
|
|
private static final String[] SUPPORTED_NON_KRB_CIPHERS;
|
|
|
|
static {
|
|
try {
|
|
String[] allSupportedCiphers = getContext()
|
|
.createSSLEngine().getSupportedCipherSuites();
|
|
List<String> supportedCiphersList = new LinkedList<>();
|
|
for (String cipher : allSupportedCiphers) {
|
|
if (!cipher.contains("KRB5")
|
|
&& !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
|
|
supportedCiphersList.add(cipher);
|
|
}
|
|
}
|
|
SUPPORTED_NON_KRB_CIPHERS = supportedCiphersList.toArray(new String[0]);
|
|
} catch (Exception ex) {
|
|
throw new Error("Unexpected issue", ex);
|
|
}
|
|
}
|
|
|
|
private static final String[] SUPPORTED_NON_KRB_NON_SHA_CIPHERS;
|
|
|
|
static {
|
|
try {
|
|
String[] allSupportedCiphers = getContext()
|
|
.createSSLEngine().getSupportedCipherSuites();
|
|
List<String> supportedCiphersList = new LinkedList<>();
|
|
for (String cipher : allSupportedCiphers) {
|
|
if (!cipher.contains("KRB5")
|
|
&& !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")
|
|
&& !cipher.endsWith("_SHA256")
|
|
&& !cipher.endsWith("_SHA384")) {
|
|
supportedCiphersList.add(cipher);
|
|
}
|
|
}
|
|
SUPPORTED_NON_KRB_NON_SHA_CIPHERS
|
|
= supportedCiphersList.toArray(new String[0]);
|
|
} catch (Exception ex) {
|
|
throw new Error("Unexpected issue", ex);
|
|
}
|
|
}
|
|
|
|
private static final String[] SUPPORTED_KRB_CIPHERS;
|
|
|
|
static {
|
|
try {
|
|
String[] allSupportedCiphers = getContext()
|
|
.createSSLEngine().getSupportedCipherSuites();
|
|
List<String> supportedCiphersList = new LinkedList<>();
|
|
for (String cipher : allSupportedCiphers) {
|
|
if (cipher.contains("KRB5")
|
|
&& !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
|
|
supportedCiphersList.add(cipher);
|
|
}
|
|
}
|
|
SUPPORTED_KRB_CIPHERS = supportedCiphersList.toArray(new String[0]);
|
|
} catch (Exception ex) {
|
|
throw new Error("Unexpected issue", ex);
|
|
}
|
|
}
|
|
|
|
private static final String[] ENABLED_NON_KRB_NOT_ANON_CIPHERS;
|
|
|
|
static {
|
|
try {
|
|
SSLEngine temporary = getContext().createSSLEngine();
|
|
temporary.setUseClientMode(true);
|
|
String[] enabledCiphers = temporary.getEnabledCipherSuites();
|
|
List<String> enabledCiphersList = new LinkedList<>();
|
|
for (String cipher : enabledCiphers) {
|
|
if (!cipher.contains("anon") && !cipher.contains("KRB5")
|
|
&& !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
|
|
enabledCiphersList.add(cipher);
|
|
}
|
|
}
|
|
ENABLED_NON_KRB_NOT_ANON_CIPHERS = enabledCiphersList.toArray(new String[0]);
|
|
} catch (Exception ex) {
|
|
throw new Error("Unexpected issue", ex);
|
|
}
|
|
}
|
|
|
|
private static final String[] UNSUPPORTED_CIPHERS = {
|
|
"SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
|
|
"SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",
|
|
"SSL_DHE_DSS_WITH_RC4_128_SHA",
|
|
"SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
|
|
"SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",
|
|
"SSL_DH_DSS_WITH_DES_CBC_SHA",
|
|
"SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
|
|
"SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",
|
|
"SSL_DH_RSA_WITH_DES_CBC_SHA",
|
|
"SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",
|
|
"SSL_FORTEZZA_DMS_WITH_NULL_SHA",
|
|
"SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
|
|
"SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
|
|
"SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
|
|
"SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
|
|
"SSL_RSA_FIPS_WITH_DES_CBC_SHA",
|
|
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
|
|
"TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
|
|
"TLS_KRB5_WITH_IDEA_CBC_MD5",
|
|
"TLS_KRB5_WITH_IDEA_CBC_SHA",
|
|
"SSL_RSA_WITH_IDEA_CBC_SHA",
|
|
"TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
|
|
"TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
|
|
"TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
|
|
"TLS_DH_DSS_WITH_AES_256_GCM_SHA384"
|
|
};
|
|
|
|
private final int maxPacketSize;
|
|
|
|
/**
|
|
* Constructs test case with the given MFLN maxMacketSize.
|
|
*
|
|
* @param maxPacketSize - MLFN extension max packet size.
|
|
*/
|
|
public SSLEngineTestCase(int maxPacketSize) {
|
|
this.maxPacketSize = maxPacketSize;
|
|
}
|
|
|
|
/**
|
|
* Constructs test case with {@code maxPacketSize = 0}.
|
|
*/
|
|
public SSLEngineTestCase() {
|
|
this.maxPacketSize = 0;
|
|
}
|
|
|
|
/**
|
|
* Wraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that wraps data.
|
|
* @param wrapper - Set wrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param maxPacketSize - Max packet size to check that MFLN extension works
|
|
* or zero for no check.
|
|
* @param app - Buffer with data to wrap.
|
|
* @return - Buffer with wrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doWrap(SSLEngine engine, String wrapper,
|
|
int maxPacketSize, ByteBuffer app)
|
|
throws SSLException {
|
|
return doWrap(engine, wrapper, maxPacketSize,
|
|
app, SSLEngineResult.Status.OK, null);
|
|
}
|
|
|
|
/**
|
|
* Wraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that wraps data.
|
|
* @param wrapper - Set wrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param maxPacketSize - Max packet size to check that MFLN extension works
|
|
* or zero for no check.
|
|
* @param app - Buffer with data to wrap.
|
|
* @param result - Array which first element will be used to output wrap
|
|
* result object.
|
|
* @return - Buffer with wrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doWrap(SSLEngine engine, String wrapper,
|
|
int maxPacketSize, ByteBuffer app,
|
|
SSLEngineResult[] result)
|
|
throws SSLException {
|
|
return doWrap(engine, wrapper, maxPacketSize,
|
|
app, SSLEngineResult.Status.OK, result);
|
|
}
|
|
|
|
/**
|
|
* Wraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that wraps data.
|
|
* @param wrapper - Set wrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param maxPacketSize - Max packet size to check that MFLN extension works
|
|
* or zero for no check.
|
|
* @param app - Buffer with data to wrap.
|
|
* @param wantedStatus - Specifies expected result status of wrapping.
|
|
* @return - Buffer with wrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doWrap(SSLEngine engine, String wrapper,
|
|
int maxPacketSize, ByteBuffer app,
|
|
SSLEngineResult.Status wantedStatus)
|
|
throws SSLException {
|
|
return doWrap(engine, wrapper, maxPacketSize,
|
|
app, wantedStatus, null);
|
|
}
|
|
|
|
/**
|
|
* Wraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that wraps data.
|
|
* @param wrapper - Set wrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param maxPacketSize - Max packet size to check that MFLN extension works
|
|
* or zero for no check.
|
|
* @param app - Buffer with data to wrap.
|
|
* @param wantedStatus - Specifies expected result status of wrapping.
|
|
* @param result - Array which first element will be used to output wrap
|
|
* result object.
|
|
* @return - Buffer with wrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doWrap(SSLEngine engine, String wrapper,
|
|
int maxPacketSize, ByteBuffer app,
|
|
SSLEngineResult.Status wantedStatus,
|
|
SSLEngineResult[] result)
|
|
throws SSLException {
|
|
ByteBuffer net = ByteBuffer.allocate(engine.getSession()
|
|
.getPacketBufferSize());
|
|
SSLEngineResult r = engine.wrap(app, net);
|
|
net.flip();
|
|
int length = net.remaining();
|
|
System.out.println(wrapper + " wrapped " + length + " bytes.");
|
|
System.out.println(wrapper + " handshake status is "
|
|
+ engine.getHandshakeStatus());
|
|
if (maxPacketSize < length && maxPacketSize != 0) {
|
|
throw new AssertionError("Handshake wrapped net buffer length "
|
|
+ length + " exceeds maximum packet size "
|
|
+ maxPacketSize);
|
|
}
|
|
checkResult(r, wantedStatus);
|
|
if (result != null && result.length > 0) {
|
|
result[0] = r;
|
|
}
|
|
return net;
|
|
}
|
|
|
|
/**
|
|
* Unwraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that unwraps data.
|
|
* @param unwrapper - Set unwrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param net - Buffer with data to unwrap.
|
|
* @return - Buffer with unwrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doUnWrap(SSLEngine engine, String unwrapper,
|
|
ByteBuffer net)
|
|
throws SSLException {
|
|
return doUnWrap(engine, unwrapper, net, SSLEngineResult.Status.OK, null);
|
|
}
|
|
|
|
/**
|
|
* Unwraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that unwraps data.
|
|
* @param unwrapper - Set unwrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param net - Buffer with data to unwrap.
|
|
* @param result - Array which first element will be used to output wrap
|
|
* result object.
|
|
* @return - Buffer with unwrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doUnWrap(SSLEngine engine, String unwrapper,
|
|
ByteBuffer net, SSLEngineResult[] result)
|
|
throws SSLException {
|
|
return doUnWrap(engine, unwrapper, net, SSLEngineResult.Status.OK, result);
|
|
}
|
|
|
|
/**
|
|
* Unwraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that unwraps data.
|
|
* @param unwrapper - Set unwrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param net - Buffer with data to unwrap.
|
|
* @param wantedStatus - Specifies expected result status of wrapping.
|
|
* @return - Buffer with unwrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doUnWrap(SSLEngine engine, String unwrapper,
|
|
ByteBuffer net,
|
|
SSLEngineResult.Status wantedStatus)
|
|
throws SSLException {
|
|
return doUnWrap(engine, unwrapper, net, wantedStatus, null);
|
|
}
|
|
|
|
/**
|
|
* Unwraps data with the specified engine.
|
|
*
|
|
* @param engine - SSLEngine that unwraps data.
|
|
* @param unwrapper - Set unwrapper id, e.g. "server" of "client". Used for
|
|
* logging only.
|
|
* @param net - Buffer with data to unwrap.
|
|
* @param wantedStatus - Specifies expected result status of wrapping.
|
|
* @param result - Array which first element will be used to output wrap
|
|
* result object.
|
|
* @return - Buffer with unwrapped data.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static ByteBuffer doUnWrap(SSLEngine engine, String unwrapper,
|
|
ByteBuffer net,
|
|
SSLEngineResult.Status wantedStatus,
|
|
SSLEngineResult[] result)
|
|
throws SSLException {
|
|
ByteBuffer app = ByteBuffer.allocate(engine.getSession()
|
|
.getApplicationBufferSize());
|
|
int length = net.remaining();
|
|
System.out.println(unwrapper + " unwrapping "
|
|
+ length + " bytes...");
|
|
SSLEngineResult r = engine.unwrap(net, app);
|
|
app.flip();
|
|
System.out.println(unwrapper + " handshake status is "
|
|
+ engine.getHandshakeStatus());
|
|
checkResult(r, wantedStatus);
|
|
if (result != null && result.length > 0) {
|
|
result[0] = r;
|
|
}
|
|
return app;
|
|
}
|
|
|
|
/**
|
|
* Does the handshake of the two specified engines according to the
|
|
* {@code mode} specified.
|
|
*
|
|
* @param clientEngine - Client SSLEngine.
|
|
* @param serverEngine - Server SSLEngine.
|
|
* @param maxPacketSize - Maximum packet size for MFLN of zero for no limit.
|
|
* @param mode - Handshake mode according to {@link HandshakeMode} enum.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static void doHandshake(SSLEngine clientEngine,
|
|
SSLEngine serverEngine,
|
|
int maxPacketSize, HandshakeMode mode)
|
|
throws SSLException {
|
|
doHandshake(clientEngine, serverEngine, maxPacketSize, mode, false);
|
|
}
|
|
|
|
/**
|
|
* Does the handshake of the two specified engines according to the
|
|
* {@code mode} specified.
|
|
*
|
|
* @param clientEngine - Client SSLEngine.
|
|
* @param serverEngine - Server SSLEngine.
|
|
* @param maxPacketSize - Maximum packet size for MFLN of zero for no limit.
|
|
* @param mode - Handshake mode according to {@link HandshakeMode} enum.
|
|
* @param enableReplicatedPacks - Set {@code true} to enable replicated
|
|
* packet sending.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static void doHandshake(SSLEngine clientEngine,
|
|
SSLEngine serverEngine, int maxPacketSize,
|
|
HandshakeMode mode,
|
|
boolean enableReplicatedPacks)
|
|
throws SSLException {
|
|
System.out.println("================================================="
|
|
+ "===========");
|
|
System.out.println("Starting handshake " + mode.name());
|
|
int loop = 0;
|
|
if (maxPacketSize < 0) {
|
|
throw new Error("Test issue: maxPacketSize is less than zero!");
|
|
}
|
|
SSLParameters params = clientEngine.getSSLParameters();
|
|
params.setMaximumPacketSize(maxPacketSize);
|
|
clientEngine.setSSLParameters(params);
|
|
params = serverEngine.getSSLParameters();
|
|
params.setMaximumPacketSize(maxPacketSize);
|
|
serverEngine.setSSLParameters(params);
|
|
SSLEngine firstEngine;
|
|
SSLEngine secondEngine;
|
|
switch (mode) {
|
|
case INITIAL_HANDSHAKE:
|
|
firstEngine = clientEngine;
|
|
secondEngine = serverEngine;
|
|
doUnwrapForNotHandshakingStatus = false;
|
|
clientEngine.beginHandshake();
|
|
serverEngine.beginHandshake();
|
|
break;
|
|
case REHANDSHAKE_BEGIN_CLIENT:
|
|
firstEngine = clientEngine;
|
|
secondEngine = serverEngine;
|
|
doUnwrapForNotHandshakingStatus = true;
|
|
clientEngine.beginHandshake();
|
|
break;
|
|
case REHANDSHAKE_BEGIN_SERVER:
|
|
firstEngine = serverEngine;
|
|
secondEngine = clientEngine;
|
|
doUnwrapForNotHandshakingStatus = true;
|
|
serverEngine.beginHandshake();
|
|
break;
|
|
default:
|
|
throw new Error("Test issue: unknown handshake mode");
|
|
}
|
|
endHandshakeLoop = false;
|
|
while (!endHandshakeLoop) {
|
|
if (++loop > MAX_HANDSHAKE_LOOPS) {
|
|
throw new Error("Too much loops for handshaking");
|
|
}
|
|
System.out.println("==============================================");
|
|
System.out.println("Handshake loop " + loop);
|
|
SSLEngineResult.HandshakeStatus clientHSStatus
|
|
= clientEngine.getHandshakeStatus();
|
|
SSLEngineResult.HandshakeStatus serverHSStatus
|
|
= serverEngine.getHandshakeStatus();
|
|
System.out.println("Client handshake status "
|
|
+ clientHSStatus.name());
|
|
System.out.println("Server handshake status "
|
|
+ serverHSStatus.name());
|
|
handshakeProcess(firstEngine, secondEngine, maxPacketSize,
|
|
enableReplicatedPacks);
|
|
handshakeProcess(secondEngine, firstEngine, maxPacketSize,
|
|
enableReplicatedPacks);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Routine to send application data from one SSLEngine to another.
|
|
*
|
|
* @param fromEngine - Sending engine.
|
|
* @param toEngine - Receiving engine.
|
|
* @return - Result of unwrap method of the receiving engine.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static SSLEngineResult sendApplicationData(SSLEngine fromEngine,
|
|
SSLEngine toEngine)
|
|
throws SSLException {
|
|
String sender = null;
|
|
String reciever = null;
|
|
String excMsgSent = EXCHANGE_MSG_SENT;
|
|
if (fromEngine.getUseClientMode() && !toEngine.getUseClientMode()) {
|
|
sender = "Client";
|
|
reciever = "Server";
|
|
excMsgSent += " Client.";
|
|
} else if (toEngine.getUseClientMode() && !fromEngine.getUseClientMode()) {
|
|
sender = "Server";
|
|
reciever = "Client";
|
|
excMsgSent += " Server.";
|
|
} else {
|
|
throw new Error("Test issue: both engines are in the same mode");
|
|
}
|
|
System.out.println("================================================="
|
|
+ "===========");
|
|
System.out.println("Trying to send application data from " + sender
|
|
+ " to " + reciever);
|
|
ByteBuffer clientAppSent
|
|
= ByteBuffer.wrap(excMsgSent.getBytes());
|
|
net = doWrap(fromEngine, sender, 0, clientAppSent);
|
|
SSLEngineResult[] r = new SSLEngineResult[1];
|
|
ByteBuffer serverAppRecv = doUnWrap(toEngine, reciever, net, r);
|
|
byte[] serverAppRecvTrunc = Arrays.copyOf(serverAppRecv.array(),
|
|
serverAppRecv.limit());
|
|
String msgRecv = new String(serverAppRecvTrunc);
|
|
if (!msgRecv.equals(excMsgSent)) {
|
|
throw new AssertionError(sender + " to " + reciever
|
|
+ ": application data"
|
|
+ " has been altered while sending."
|
|
+ " Message sent: " + "\"" + excMsgSent + "\"."
|
|
+ " Message recieved: " + "\"" + msgRecv + "\".");
|
|
}
|
|
System.out.println("Successful sending application data from " + sender
|
|
+ " to " + reciever);
|
|
return r[0];
|
|
}
|
|
|
|
/**
|
|
* Close engines by sending "close outbound" message from one SSLEngine to
|
|
* another.
|
|
*
|
|
* @param fromEngine - Sending engine.
|
|
* @param toEngine - Receiving engine.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
public static void closeEngines(SSLEngine fromEngine,
|
|
SSLEngine toEngine) throws SSLException {
|
|
String from = null;
|
|
String to = null;
|
|
ByteBuffer app;
|
|
if (fromEngine.getUseClientMode() && !toEngine.getUseClientMode()) {
|
|
from = "Client";
|
|
to = "Server";
|
|
} else if (toEngine.getUseClientMode() && !fromEngine.getUseClientMode()) {
|
|
from = "Server";
|
|
to = "Client";
|
|
} else {
|
|
throw new Error("Both engines are in the same mode");
|
|
}
|
|
System.out.println("=========================================================");
|
|
System.out.println("Trying to close engines from " + from + " to " + to);
|
|
// Sending close outbound request to peer
|
|
fromEngine.closeOutbound();
|
|
app = ByteBuffer.allocate(fromEngine.getSession().getApplicationBufferSize());
|
|
net = doWrap(fromEngine, from, 0, app, SSLEngineResult.Status.CLOSED);
|
|
doUnWrap(toEngine, to, net, SSLEngineResult.Status.CLOSED);
|
|
app = ByteBuffer.allocate(fromEngine.getSession().getApplicationBufferSize());
|
|
net = doWrap(toEngine, to, 0, app, SSLEngineResult.Status.CLOSED);
|
|
doUnWrap(fromEngine, from, net, SSLEngineResult.Status.CLOSED);
|
|
if (!toEngine.isInboundDone()) {
|
|
throw new AssertionError(from + " sent close request to " + to
|
|
+ ", but " + to + "did not close inbound.");
|
|
}
|
|
// Executing close inbound
|
|
fromEngine.closeInbound();
|
|
app = ByteBuffer.allocate(fromEngine.getSession().getApplicationBufferSize());
|
|
net = doWrap(fromEngine, from, 0, app, SSLEngineResult.Status.CLOSED);
|
|
doUnWrap(toEngine, to, net, SSLEngineResult.Status.CLOSED);
|
|
if (!toEngine.isOutboundDone()) {
|
|
throw new AssertionError(from + "sent close request to " + to
|
|
+ ", but " + to + "did not close outbound.");
|
|
}
|
|
System.out.println("Successful closing from " + from + " to " + to);
|
|
}
|
|
|
|
/**
|
|
* Runs the same test case for all given {@code ciphers}. Method counts all
|
|
* failures and throws {@code AssertionError} if one or more tests fail.
|
|
*
|
|
* @param ciphers - Ciphers that should be tested.
|
|
*/
|
|
public void runTests(Ciphers ciphers) {
|
|
int total = ciphers.ciphers.length;
|
|
int failed = testSomeCiphers(ciphers);
|
|
if (failed > 0) {
|
|
throw new AssertionError("" + failed + " of " + total
|
|
+ " tests failed!");
|
|
}
|
|
System.out.println("All tests passed!");
|
|
}
|
|
|
|
/**
|
|
* Runs test cases for ciphers defined by the test mode.
|
|
*/
|
|
public void runTests() {
|
|
switch (TEST_MODE) {
|
|
case "norm":
|
|
case "norm_sni":
|
|
switch (TESTED_SECURITY_PROTOCOL) {
|
|
case "DTLSv1.0":
|
|
case "TLSv1":
|
|
case "TLSv1.1":
|
|
runTests(Ciphers.SUPPORTED_NON_KRB_NON_SHA_CIPHERS);
|
|
break;
|
|
default:
|
|
runTests(Ciphers.SUPPORTED_NON_KRB_CIPHERS);
|
|
}
|
|
break;
|
|
case "krb":
|
|
runTests(Ciphers.SUPPORTED_KRB_CIPHERS);
|
|
break;
|
|
default:
|
|
throw new Error("Test error: unexpected test mode: " + TEST_MODE);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns maxPacketSize value used for MFLN extension testing
|
|
*
|
|
* @return - MLFN extension max packet size.
|
|
*/
|
|
public int getMaxPacketSize() {
|
|
return maxPacketSize;
|
|
}
|
|
|
|
/**
|
|
* Checks that status of result {@code r} is {@code wantedStatus}.
|
|
*
|
|
* @param r - Result.
|
|
* @param wantedStatus - Wanted status of the result.
|
|
* @throws AssertionError - if status or {@code r} is not
|
|
* {@code wantedStatus}.
|
|
*/
|
|
public static void checkResult(SSLEngineResult r,
|
|
SSLEngineResult.Status wantedStatus) {
|
|
SSLEngineResult.Status rs = r.getStatus();
|
|
if (!rs.equals(wantedStatus)) {
|
|
throw new AssertionError("Unexpected status " + rs.name()
|
|
+ ", should be " + wantedStatus.name());
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns SSLContext with TESTED_SECURITY_PROTOCOL protocol and sets up keys.
|
|
*
|
|
* @return - SSLContext with a protocol specified by TESTED_SECURITY_PROTOCOL.
|
|
*/
|
|
public static SSLContext getContext() {
|
|
try {
|
|
KeyStore ks = KeyStore.getInstance("JKS");
|
|
KeyStore ts = KeyStore.getInstance("JKS");
|
|
char[] passphrase = PASSWD.toCharArray();
|
|
try (FileInputStream keyFileStream = new FileInputStream(KEY_FILE_NAME)) {
|
|
ks.load(keyFileStream, passphrase);
|
|
}
|
|
try (FileInputStream trustFileStream = new FileInputStream(TRUST_FILE_NAME)) {
|
|
ts.load(trustFileStream, passphrase);
|
|
}
|
|
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
|
|
kmf.init(ks, passphrase);
|
|
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
|
|
tmf.init(ts);
|
|
SSLContext sslCtx = SSLContext.getInstance(TESTED_SECURITY_PROTOCOL);
|
|
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
|
|
return sslCtx;
|
|
} catch (KeyStoreException | IOException | NoSuchAlgorithmException |
|
|
CertificateException | UnrecoverableKeyException |
|
|
KeyManagementException ex) {
|
|
throw new Error("Unexpected exception", ex);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Sets up and starts kerberos KDC server.
|
|
*/
|
|
public static void setUpAndStartKDC() {
|
|
String servicePrincipal = "host/" + SERVER_NAME + "@" + KRB_REALM;
|
|
Map<String, String> principals = new HashMap<>();
|
|
principals.put(KRB_USER_PRINCIPAL, KRB_USER_PASSWORD);
|
|
principals.put(KRBTGT_PRINCIPAL, null);
|
|
principals.put(servicePrincipal, null);
|
|
System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);
|
|
startKDC(KRB_REALM, principals, KTAB_FILENAME);
|
|
System.setProperty("java.security.auth.login.config",
|
|
TEST_SRC + FS + JAAS_CONF_FILE);
|
|
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
|
|
}
|
|
|
|
/**
|
|
* Sets up and starts kerberos KDC server if SSLEngineTestCase.TEST_MODE is "krb".
|
|
*/
|
|
public static void setUpAndStartKDCIfNeeded() {
|
|
if (TEST_MODE.equals("krb")) {
|
|
setUpAndStartKDC();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns client ssl engine.
|
|
*
|
|
* @param context - SSLContext to get SSLEngine from.
|
|
* @param useSNI - flag used to enable or disable using SNI extension.
|
|
* Needed for Kerberos.
|
|
*/
|
|
public static SSLEngine getClientSSLEngine(SSLContext context, boolean useSNI) {
|
|
SSLEngine clientEngine = context.createSSLEngine(HOST, 80);
|
|
clientEngine.setUseClientMode(true);
|
|
if (useSNI) {
|
|
SNIHostName serverName = new SNIHostName(SERVER_NAME);
|
|
List<SNIServerName> serverNames = new ArrayList<>();
|
|
serverNames.add(serverName);
|
|
SSLParameters params = clientEngine.getSSLParameters();
|
|
params.setServerNames(serverNames);
|
|
clientEngine.setSSLParameters(params);
|
|
}
|
|
return clientEngine;
|
|
}
|
|
|
|
/**
|
|
* Returns server ssl engine.
|
|
*
|
|
* @param context - SSLContext to get SSLEngine from.
|
|
* @param useSNI - flag used to enable or disable using SNI extension.
|
|
* Needed for Kerberos.
|
|
*/
|
|
public static SSLEngine getServerSSLEngine(SSLContext context, boolean useSNI) {
|
|
SSLEngine serverEngine = context.createSSLEngine();
|
|
serverEngine.setUseClientMode(false);
|
|
if (useSNI) {
|
|
SNIMatcher matcher = SNIHostName.createSNIMatcher(SNI_PATTERN);
|
|
List<SNIMatcher> matchers = new ArrayList<>();
|
|
matchers.add(matcher);
|
|
SSLParameters params = serverEngine.getSSLParameters();
|
|
params.setSNIMatchers(matchers);
|
|
serverEngine.setSSLParameters(params);
|
|
}
|
|
return serverEngine;
|
|
}
|
|
|
|
/**
|
|
* Runs the test case for one cipher suite.
|
|
*
|
|
* @param cipher - Cipher suite name.
|
|
* @throws SSLException - If tests fails.
|
|
*/
|
|
abstract protected void testOneCipher(String cipher)
|
|
throws SSLException;
|
|
|
|
/**
|
|
* Iterates through an array of ciphers and runs the same test case for
|
|
* every entry.
|
|
*
|
|
* @param ciphers - Array of cipher names.
|
|
* @return - Number of tests failed.
|
|
*/
|
|
protected int testSomeCiphers(Ciphers ciphers) {
|
|
int failedNum = 0;
|
|
String description = ciphers.description;
|
|
System.out.println("==================================================="
|
|
+ "=========");
|
|
System.out.println(description + " ciphers testing");
|
|
System.out.println("==================================================="
|
|
+ "=========");
|
|
for (String cs : ciphers.ciphers) {
|
|
System.out.println("-----------------------------------------------"
|
|
+ "-------------");
|
|
System.out.println("Testing cipher suite " + cs);
|
|
System.out.println("-----------------------------------------------"
|
|
+ "-------------");
|
|
Throwable error = null;
|
|
try {
|
|
testOneCipher(cs);
|
|
} catch (Throwable t) {
|
|
error = t;
|
|
}
|
|
switch (ciphers) {
|
|
case SUPPORTED_NON_KRB_CIPHERS:
|
|
case SUPPORTED_NON_KRB_NON_SHA_CIPHERS:
|
|
case SUPPORTED_KRB_CIPHERS:
|
|
case ENABLED_NON_KRB_NOT_ANON_CIPHERS:
|
|
if (error != null) {
|
|
System.out.println("Test Failed: " + cs);
|
|
System.err.println("Test Exception for " + cs);
|
|
error.printStackTrace();
|
|
failedNum++;
|
|
} else {
|
|
System.out.println("Test Passed: " + cs);
|
|
}
|
|
break;
|
|
case UNSUPPORTED_CIPHERS:
|
|
if (error == null) {
|
|
System.out.println("Test Failed: " + cs);
|
|
System.err.println("Test for " + cs + " should have thrown"
|
|
+ " IllegalArgumentException, but it has not!");
|
|
failedNum++;
|
|
} else if (!(error instanceof IllegalArgumentException)) {
|
|
System.out.println("Test Failed: " + cs);
|
|
System.err.println("Test Exception for " + cs);
|
|
error.printStackTrace();
|
|
failedNum++;
|
|
} else {
|
|
System.out.println("Test Passed: " + cs);
|
|
}
|
|
break;
|
|
default:
|
|
throw new Error("Test issue: unexpected ciphers: "
|
|
+ ciphers.name());
|
|
}
|
|
}
|
|
return failedNum;
|
|
}
|
|
|
|
/**
|
|
* Method used for the handshake routine.
|
|
*
|
|
* @param wrapingEngine - Engine that is expected to wrap data.
|
|
* @param unwrapingEngine - Engine that is expected to unwrap data.
|
|
* @param maxPacketSize - Maximum packet size for MFLN of zero for no limit.
|
|
* @param enableReplicatedPacks - Set {@code true} to enable replicated
|
|
* packet sending.
|
|
* @throws SSLException - thrown on engine errors.
|
|
*/
|
|
private static void handshakeProcess(SSLEngine wrapingEngine,
|
|
SSLEngine unwrapingEngine,
|
|
int maxPacketSize,
|
|
boolean enableReplicatedPacks)
|
|
throws SSLException {
|
|
SSLEngineResult.HandshakeStatus wrapingHSStatus = wrapingEngine
|
|
.getHandshakeStatus();
|
|
SSLEngineResult.HandshakeStatus unwrapingHSStatus = unwrapingEngine
|
|
.getHandshakeStatus();
|
|
SSLEngineResult r;
|
|
String wrapper, unwrapper;
|
|
if (wrapingEngine.getUseClientMode()
|
|
&& !unwrapingEngine.getUseClientMode()) {
|
|
wrapper = "Client";
|
|
unwrapper = "Server";
|
|
} else if (unwrapingEngine.getUseClientMode()
|
|
&& !wrapingEngine.getUseClientMode()) {
|
|
wrapper = "Server";
|
|
unwrapper = "Client";
|
|
} else {
|
|
throw new Error("Both engines are in the same mode");
|
|
}
|
|
switch (wrapingHSStatus) {
|
|
case NEED_WRAP:
|
|
if (enableReplicatedPacks) {
|
|
if (net != null) {
|
|
net.flip();
|
|
if (net.remaining() != 0) {
|
|
if (wrapingEngine.getUseClientMode()) {
|
|
netReplicatedServer = net;
|
|
} else {
|
|
netReplicatedClient = net;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
ByteBuffer app = ByteBuffer.allocate(wrapingEngine.getSession()
|
|
.getApplicationBufferSize());
|
|
net = doWrap(wrapingEngine, wrapper, maxPacketSize, app);
|
|
case NOT_HANDSHAKING:
|
|
switch (unwrapingHSStatus) {
|
|
case NEED_TASK:
|
|
runDelegatedTasks(unwrapingEngine);
|
|
case NEED_UNWRAP:
|
|
doUnWrap(unwrapingEngine, unwrapper, net);
|
|
if (enableReplicatedPacks) {
|
|
System.out.println("Unwrapping replicated packet...");
|
|
if (unwrapingEngine.getHandshakeStatus()
|
|
.equals(SSLEngineResult.HandshakeStatus.NEED_TASK)) {
|
|
runDelegatedTasks(unwrapingEngine);
|
|
}
|
|
runDelegatedTasks(unwrapingEngine);
|
|
ByteBuffer netReplicated;
|
|
if (unwrapingEngine.getUseClientMode()) {
|
|
netReplicated = netReplicatedClient;
|
|
} else {
|
|
netReplicated = netReplicatedServer;
|
|
}
|
|
if (netReplicated != null) {
|
|
doUnWrap(unwrapingEngine, unwrapper, netReplicated);
|
|
} else {
|
|
net.flip();
|
|
doUnWrap(unwrapingEngine, unwrapper, net);
|
|
}
|
|
}
|
|
break;
|
|
case NEED_UNWRAP_AGAIN:
|
|
break;
|
|
case NOT_HANDSHAKING:
|
|
if (doUnwrapForNotHandshakingStatus) {
|
|
doUnWrap(unwrapingEngine, unwrapper, net);
|
|
doUnwrapForNotHandshakingStatus = false;
|
|
break;
|
|
} else {
|
|
endHandshakeLoop = true;
|
|
}
|
|
break;
|
|
default:
|
|
throw new Error("Unexpected unwraping engine handshake status "
|
|
+ unwrapingHSStatus.name());
|
|
}
|
|
break;
|
|
case NEED_UNWRAP:
|
|
break;
|
|
case NEED_UNWRAP_AGAIN:
|
|
net.flip();
|
|
doUnWrap(wrapingEngine, wrapper, net);
|
|
break;
|
|
case NEED_TASK:
|
|
runDelegatedTasks(wrapingEngine);
|
|
break;
|
|
default:
|
|
throw new Error("Unexpected wraping engine handshake status "
|
|
+ wrapingHSStatus.name());
|
|
}
|
|
}
|
|
|
|
private static void runDelegatedTasks(SSLEngine engine) {
|
|
Runnable runnable;
|
|
System.out.println("Running delegated tasks...");
|
|
while ((runnable = engine.getDelegatedTask()) != null) {
|
|
runnable.run();
|
|
}
|
|
SSLEngineResult.HandshakeStatus hs = engine.getHandshakeStatus();
|
|
if (hs == SSLEngineResult.HandshakeStatus.NEED_TASK) {
|
|
throw new Error("Handshake shouldn't need additional tasks.");
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Start a KDC server:
|
|
* - create a KDC instance
|
|
* - create Kerberos principals
|
|
* - save Kerberos configuration
|
|
* - save keys to keytab file
|
|
* - no pre-auth is required
|
|
*/
|
|
private static void startKDC(String realm, Map<String, String> principals,
|
|
String ktab) {
|
|
try {
|
|
KDC kdc = KDC.create(realm, HOST, 0, true);
|
|
kdc.setOption(KDC.Option.PREAUTH_REQUIRED, Boolean.FALSE);
|
|
if (principals != null) {
|
|
principals.entrySet().stream().forEach((entry) -> {
|
|
String name = entry.getKey();
|
|
String password = entry.getValue();
|
|
if (password == null || password.isEmpty()) {
|
|
System.out.println("KDC: add a principal '" + name
|
|
+ "' with a random password");
|
|
kdc.addPrincipalRandKey(name);
|
|
} else {
|
|
System.out.println("KDC: add a principal '" + name
|
|
+ "' with '" + password + "' password");
|
|
kdc.addPrincipal(name, password.toCharArray());
|
|
}
|
|
});
|
|
}
|
|
KDC.saveConfig(KRB5_CONF_FILENAME, kdc);
|
|
if (ktab != null) {
|
|
File ktabFile = new File(ktab);
|
|
if (ktabFile.exists()) {
|
|
System.out.println("KDC: append keys to an exising "
|
|
+ "keytab file " + ktab);
|
|
kdc.appendKtab(ktab);
|
|
} else {
|
|
System.out.println("KDC: create a new keytab file "
|
|
+ ktab);
|
|
kdc.writeKtab(ktab);
|
|
}
|
|
}
|
|
System.out.println("KDC: started on " + HOST + ":" + kdc.getPort()
|
|
+ " with '" + realm + "' realm");
|
|
} catch (Exception e) {
|
|
throw new RuntimeException("KDC: unexpected exception", e);
|
|
}
|
|
}
|
|
}
|