1%%
2%% %CopyrightBegin%
3%%
4%% Copyright Ericsson AB 2019-2019. All Rights Reserved.
5%%
6%% Licensed under the Apache License, Version 2.0 (the "License");
7%% you may not use this file except in compliance with the License.
8%% You may obtain a copy of the License at
9%%
10%%     http://www.apache.org/licenses/LICENSE-2.0
11%%
12%% Unless required by applicable law or agreed to in writing, software
13%% distributed under the License is distributed on an "AS IS" BASIS,
14%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15%% See the License for the specific language governing permissions and
16%% limitations under the License.
17%%
18%% %CopyrightEnd%
19%%
20
21%%
22
23-module(openssl_tls_1_3_version_SUITE).
24
25%% Note: This directive should only be used in test suites.
26-compile(export_all).
27
28-include_lib("common_test/include/ct.hrl").
29-include_lib("public_key/include/public_key.hrl").
30
31%%--------------------------------------------------------------------
32%% Common Test interface functions -----------------------------------
33%%--------------------------------------------------------------------
%% Top-level selection: only the group where OpenSSL plays the client is run.
%% The openssl_server group (see groups/0) is deliberately left disabled.
all() ->
    [
     %%{group,  openssl_server},
     {group, openssl_client}
    ].
39
%% Group tree: openssl_client -> 'tlsv1.3' -> {rsa, ecdsa} -> tests().
%% The openssl_server branch is kept as a comment until it can be enabled.
groups() ->
    ClientGroup = {openssl_client, [{group, 'tlsv1.3'}]},
    %%{openssl_server, [{group, 'tlsv1.3'}]},
    VersionGroup = {'tlsv1.3', [], cert_groups()},
    CertGroups = [{Cert, [], tests()} || Cert <- [rsa, ecdsa]],
    [ClientGroup, VersionGroup | CertGroups].
48
%% Certificate-type subgroups that each TLS version group expands into.
cert_groups() ->
    [{group, Cert} || Cert <- [rsa, ecdsa]].
52
%% Test cases run once per certificate group.
%% tls13_client_tls12_server and tls13_client_with_ext_tls12_server are not
%% listed: they are not testable with the current openssl s_client (see the
%% note above tls13_client_tls12_server/0).
tests() ->
    [
     %%tls13_client_tls12_server,
     %%tls13_client_with_ext_tls12_server,
     tls12_client_tls13_server
    ].
57
%% Suite setup: restart crypto, then run the suite only when the installed
%% OpenSSL is considered sane for TLS 1.3; otherwise skip the whole suite.
init_per_suite(Config) ->
    %% Start from a clean crypto state; whatever crypto:stop/0 returns or
    %% raises is deliberately ignored.
    try crypto:stop() catch _:_ -> ok end,
    try crypto:start() of
        ok ->
            check_openssl_tls13(Config)
    catch
        _Class:_Reason ->
            {skip, "Crypto did not start"}
    end.

%% Returns Config after a clean ssl start, or a skip tuple when
%% ssl_test_lib does not accept the local OpenSSL for TLS 1.3.
check_openssl_tls13(Config) ->
    case ssl_test_lib:check_sane_openssl_version('tlsv1.3') of
        true ->
            ssl_test_lib:clean_start(),
            Config;
        false ->
            {skip, openssl_does_not_support_version}
    end.
72
%% Suite teardown: stop ssl, then the crypto application.
%% The return value of ssl:stop/0 is not inspected.
end_per_suite(_Config) ->
    _ = ssl:stop(),
    application:stop(crypto).
76
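%% Group setup.
%%   openssl_client / openssl_server : decide which peer is OpenSSL and which
%%                                     is Erlang (client_type / server_type).
%%   rsa / ecdsa                     : generate certificates and publish them
%%                                     under the generic client_cert_opts /
%%                                     server_cert_opts keys the cases read.
%%   anything else                   : treated as a TLS version group.
%% Returns the updated Config, or {skip, Reason} when the crypto library
%% lacks what the group needs.
init_per_group(openssl_client, Config0) ->
    with_peer_types(openssl, erlang, Config0);
init_per_group(openssl_server, Config0) ->
    with_peer_types(erlang, openssl, Config0);
init_per_group(rsa, Config0) ->
    Config = ssl_test_lib:make_rsa_cert(Config0),
    with_cert_opts(client_rsa_opts, server_rsa_opts, Config);
init_per_group(ecdsa, Config0) ->
    PKAlgs = crypto:supports(public_keys),
    %% ECDSA certificates are only useful if a key-exchange group is there too.
    HasEcdsa = lists:member(ecdsa, PKAlgs),
    HasKeyExchange = lists:member(ecdh, PKAlgs) orelse lists:member(dh, PKAlgs),
    case HasEcdsa andalso HasKeyExchange of
        true ->
            Config = ssl_test_lib:make_ecdsa_cert(Config0),
            with_cert_opts(client_ecdsa_opts, server_ecdsa_opts, Config);
        false ->
            {skip, "Missing EC crypto support"}
    end;
init_per_group(GroupName, Config) ->
    %% NOTE(review): the value of clean_tls_version/1 is discarded here while
    %% end_per_group/2 returns it — confirm that passing the original Config
    %% on is intended.
    ssl_test_lib:clean_tls_version(Config),
    case ssl_test_lib:sufficient_crypto_support(GroupName) of
        false ->
            {skip, "Missing crypto support"};
        true ->
            case ssl_test_lib:is_tls_version(GroupName) of
                true ->
                    ssl_test_lib:init_tls_version(GroupName, Config);
                false ->
                    ssl:start(),
                    Config
            end
    end.

%% Replace any existing client_type / server_type entries in Config0.
with_peer_types(ClientType, ServerType, Config0) ->
    Config = proplists:delete(server_type, proplists:delete(client_type, Config0)),
    [{client_type, ClientType}, {server_type, ServerType} | Config].

%% Copy the generated certificate options (stored under ClientKey / ServerKey)
%% to the generic client_cert_opts / server_cert_opts keys.
%% proplists:delete/2 is used — not lists:delete/2 — so that stale
%% {client_cert_opts, _} / {server_cert_opts, _} tuples left by an earlier
%% group are actually removed; lists:delete/2 would only drop a bare atom.
with_cert_opts(ClientKey, ServerKey, Config) ->
    COpts = proplists:get_value(ClientKey, Config),
    SOpts = proplists:get_value(ServerKey, Config),
    Stripped = proplists:delete(server_cert_opts,
                                proplists:delete(client_cert_opts, Config)),
    [{client_cert_opts, COpts}, {server_cert_opts, SOpts} | Stripped].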
117
%% Group teardown: a TLS version group drops its version setting from
%% Config via ssl_test_lib; every other group returns Config unchanged.
end_per_group(GroupName, Config) ->
    clean_version_group(ssl_test_lib:is_tls_version(GroupName), Config).

clean_version_group(true, Config) ->
    ssl_test_lib:clean_tls_version(Config);
clean_version_group(false, Config) ->
    Config.
125
126%%--------------------------------------------------------------------
127%% Test Cases --------------------------------------------------------
128%%--------------------------------------------------------------------
129
130%% openssl s_client cannot be configured to support both TLS 1.3 and TLS 1.2.
131%% In its ClientHello the supported_versions extension contains only one element
132%% [{3,4}] that the server does not accept if it is configured to not support
133%% TLS 1.3.
%% Case info for tls13_client_tls12_server/1 (currently not in tests/0).
tls13_client_tls12_server() ->
    Doc = "Test that a TLS 1.3 client can connect to a TLS 1.2 server.",
    [{doc, Doc}].
136
%% Client offers TLS 1.3 and 1.2, server accepts only 1.2 and 1.1; the
%% certificate options come from the current cert group via ssl_test_lib.
tls13_client_tls12_server(Config) when is_list(Config) ->
    ClientCertOpts = ssl_test_lib:ssl_options(client_cert_opts, Config),
    ServerCertOpts = ssl_test_lib:ssl_options(server_cert_opts, Config),
    ClientOpts = [{versions, ['tlsv1.3', 'tlsv1.2']} | ClientCertOpts],
    ServerOpts = [{versions, ['tlsv1.1', 'tlsv1.2']} | ServerCertOpts],
    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
143
144%% tls13_client_with_ext_tls12_server() ->
145%%      [{doc,"Test basic connection between TLS 1.2 server and TLS 1.3 client when "
%%        "client has TLS 1.3 specific extensions"}].
147
148%% tls13_client_with_ext_tls12_server(Config) ->
149%%     ClientOpts0 = ssl_test_lib:ssl_options(client_cert_opts, Config),
150%%     ServerOpts0 = ssl_test_lib:ssl_options(server_cert_opts, Config),
151
152%%     {ServerOpts, ClientOpts} =
153%%         case proplists:get_value(client_type) of
154%%             erlang ->
155%%                 {[{versions, ['tlsv1.2']}|ServerOpts0],
156%%                  [{versions, ['tlsv1.2','tlsv1.3']},
157%%                   {signature_algs_cert, [ecdsa_secp384r1_sha384,
158%%                                          ecdsa_secp256r1_sha256,
159%%                                          rsa_pss_rsae_sha256,
160%%                                          rsa_pkcs1_sha256,
161%%                                          {sha256,rsa},{sha256,dsa}]}|ClientOpts0]};
162%%             openssl ->
163
164
165%%     ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
166
167
168%% TODO: wrong version of TLS is configured for the client
%% Case info for tls12_client_tls13_server/1.
tls12_client_tls13_server() ->
    Doc = "Test that a TLS 1.2 client can connect to a TLS 1.3 server.",
    [{doc, Doc}].
171
%% Client offers TLS 1.2 and 1.1, server offers TLS 1.3 and 1.2; the
%% certificate options come from the current cert group via ssl_test_lib.
tls12_client_tls13_server(Config) when is_list(Config) ->
    ClientCertOpts = ssl_test_lib:ssl_options(client_cert_opts, Config),
    ServerCertOpts = ssl_test_lib:ssl_options(server_cert_opts, Config),
    ClientOpts = [{versions, ['tlsv1.1', 'tlsv1.2']} | ClientCertOpts],
    ServerOpts = [{versions, ['tlsv1.3', 'tlsv1.2']} | ServerCertOpts],
    ssl_test_lib:basic_test(ClientOpts, ServerOpts, Config).
178
179