Compare commits
7 commits
master
...
tls1.3-dra
Author | SHA1 | Date | |
---|---|---|---|
|
669c623fe1 | ||
|
a889e9796b | ||
|
f315b66571 | ||
|
ae4765396f | ||
|
5d62fd7cb2 | ||
|
05a2feb684 | ||
|
2c7e64564c |
20 changed files with 285 additions and 124 deletions
|
@ -234,8 +234,10 @@ int s_time_main(int argc, char **argv)
|
|||
fmt_http_get_cmd, www_path);
|
||||
if (SSL_write(scon, buf, buf_len) <= 0)
|
||||
goto end;
|
||||
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
|
||||
bytes_read += i;
|
||||
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
|
||||
if (i > 0) bytes_read += i;
|
||||
}
|
||||
#ifdef NO_SHUTDOWN
|
||||
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
|
||||
|
@ -292,7 +294,9 @@ int s_time_main(int argc, char **argv)
|
|||
fmt_http_get_cmd, www_path);
|
||||
if (SSL_write(scon, buf, buf_len) <= 0)
|
||||
goto end;
|
||||
while (SSL_read(scon, buf, sizeof(buf)) > 0)
|
||||
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
|
||||
continue;
|
||||
}
|
||||
#ifdef NO_SHUTDOWN
|
||||
|
@ -323,8 +327,10 @@ int s_time_main(int argc, char **argv)
|
|||
www_path);
|
||||
if (SSL_write(scon, buf, strlen(buf)) <= 0)
|
||||
goto end;
|
||||
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
|
||||
bytes_read += i;
|
||||
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
|
||||
SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
|
||||
if (i > 0) bytes_read += i;
|
||||
}
|
||||
#ifdef NO_SHUTDOWN
|
||||
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
|
||||
|
|
|
@ -2169,8 +2169,7 @@ __owur int ssl_check_version_downgrade(SSL *s);
|
|||
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
|
||||
__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello);
|
||||
__owur int ssl_choose_client_version(SSL *s, int version);
|
||||
int ssl_get_client_min_max_version(const SSL *s, int *min_version,
|
||||
int *max_version);
|
||||
int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version);
|
||||
|
||||
__owur long tls1_default_timeout(void);
|
||||
__owur int dtls1_do_write(SSL *s, int type);
|
||||
|
|
|
@ -639,7 +639,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
|
|||
}
|
||||
|
||||
if ((context & EXT_CLIENT_HELLO) != 0) {
|
||||
reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
|
||||
reason = ssl_get_min_max_version(s, &min_version, &max_version);
|
||||
if (reason != 0) {
|
||||
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
|
||||
goto err;
|
||||
|
@ -1191,11 +1191,18 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
|
|||
* ClientHello - which we don't want - so we need to take that bit off.
|
||||
*/
|
||||
if (s->server) {
|
||||
if (hdatalen < s->init_num + SSL3_HM_HEADER_LENGTH) {
|
||||
PACKET hashprefix, msg;
|
||||
|
||||
/* Find how many bytes are left after the first two messages */
|
||||
if (!PACKET_buf_init(&hashprefix, hdata, hdatalen)
|
||||
|| !PACKET_forward(&hashprefix, 1)
|
||||
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)
|
||||
|| !PACKET_forward(&hashprefix, 1)
|
||||
|| !PACKET_get_length_prefixed_3(&hashprefix, &msg)) {
|
||||
SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);
|
||||
goto err;
|
||||
}
|
||||
hdatalen -= s->init_num + SSL3_HM_HEADER_LENGTH;
|
||||
hdatalen -= PACKET_remaining(&hashprefix);
|
||||
}
|
||||
|
||||
if (EVP_DigestUpdate(mctx, hdata, hdatalen) <= 0) {
|
||||
|
|
|
@ -464,7 +464,7 @@ int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
|
|||
return 0;
|
||||
}
|
||||
|
||||
reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
|
||||
reason = ssl_get_min_max_version(s, &min_version, &max_version);
|
||||
if (reason != 0) {
|
||||
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
|
||||
return 0;
|
||||
|
|
|
@ -3470,7 +3470,7 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
|
|||
int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
|
||||
{
|
||||
int i;
|
||||
size_t totlen = 0, len, maxlen;
|
||||
size_t totlen = 0, len, maxlen, maxverok = 0;
|
||||
int empty_reneg_info_scsv = !s->renegotiate;
|
||||
/* Set disabled masks for this session */
|
||||
ssl_set_client_disabled(s);
|
||||
|
@ -3512,11 +3512,29 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Sanity check that the maximum version we offer has ciphers enabled */
|
||||
if (!maxverok) {
|
||||
if (SSL_IS_DTLS(s)) {
|
||||
if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
|
||||
&& DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
|
||||
maxverok = 1;
|
||||
} else {
|
||||
if (c->max_tls >= s->s3->tmp.max_ver
|
||||
&& c->min_tls <= s->s3->tmp.max_ver)
|
||||
maxverok = 1;
|
||||
}
|
||||
}
|
||||
|
||||
totlen += len;
|
||||
}
|
||||
|
||||
if (totlen == 0) {
|
||||
if (totlen == 0 || !maxverok) {
|
||||
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
|
||||
|
||||
if (!maxverok)
|
||||
ERR_add_error_data(1, "No ciphers enabled for max supported "
|
||||
"SSL/TLS version");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -78,6 +78,39 @@ int tls_setup_handshake(SSL *s)
|
|||
return 0;
|
||||
|
||||
if (s->server) {
|
||||
STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
|
||||
int i, ver_min, ver_max, ok = 0;
|
||||
|
||||
/*
|
||||
* Sanity check that the maximum version we accept has ciphers
|
||||
* enabled. For clients we do this check during construction of the
|
||||
* ClientHello.
|
||||
*/
|
||||
if (ssl_get_min_max_version(s, &ver_min, &ver_max) != 0) {
|
||||
SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, ERR_R_INTERNAL_ERROR);
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
|
||||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
|
||||
|
||||
if (SSL_IS_DTLS(s)) {
|
||||
if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
|
||||
DTLS_VERSION_LE(ver_max, c->max_dtls))
|
||||
ok = 1;
|
||||
} else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
|
||||
ok = 1;
|
||||
}
|
||||
if (ok)
|
||||
break;
|
||||
}
|
||||
if (!ok) {
|
||||
SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, SSL_R_NO_CIPHERS_AVAILABLE);
|
||||
ERR_add_error_data(1, "No ciphers enabled for max supported "
|
||||
"SSL/TLS version");
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (SSL_IS_FIRST_HANDSHAKE(s)) {
|
||||
s->ctx->stats.sess_accept++;
|
||||
} else if (!s->s3->send_connection_binding &&
|
||||
|
@ -1714,7 +1747,7 @@ int ssl_choose_client_version(SSL *s, int version)
|
|||
}
|
||||
|
||||
/*
|
||||
* ssl_get_client_min_max_version - get minimum and maximum client version
|
||||
* ssl_get_min_max_version - get minimum and maximum protocol version
|
||||
* @s: The SSL connection
|
||||
* @min_version: The minimum supported version
|
||||
* @max_version: The maximum supported version
|
||||
|
@ -1732,8 +1765,7 @@ int ssl_choose_client_version(SSL *s, int version)
|
|||
* Returns 0 on success or an SSL error reason number on failure. On failure
|
||||
* min_version and max_version will also be set to 0.
|
||||
*/
|
||||
int ssl_get_client_min_max_version(const SSL *s, int *min_version,
|
||||
int *max_version)
|
||||
int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version)
|
||||
{
|
||||
int version;
|
||||
int hole;
|
||||
|
@ -1827,7 +1859,7 @@ int ssl_set_client_hello_version(SSL *s)
|
|||
{
|
||||
int ver_min, ver_max, ret;
|
||||
|
||||
ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
|
||||
ret = ssl_get_min_max_version(s, &ver_min, &ver_max);
|
||||
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
|
|
|
@ -1013,7 +1013,7 @@ void ssl_set_client_disabled(SSL *s)
|
|||
s->s3->tmp.mask_a = 0;
|
||||
s->s3->tmp.mask_k = 0;
|
||||
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
|
||||
ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
|
||||
ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* with PSK there must be client callback set */
|
||||
if (!s->psk_client_callback) {
|
||||
|
|
|
@ -396,6 +396,7 @@ SKIP: {
|
|||
skip "No EC support in this OpenSSL build", 1 if disabled("ec");
|
||||
$proxy->clear();
|
||||
$proxy->clientflags("-no_tls1_3");
|
||||
$proxy->serverflags("-no_tls1_3");
|
||||
$proxy->ciphers("ECDHE-RSA-AES128-SHA");
|
||||
$proxy->start();
|
||||
checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
|
||||
|
|
|
@ -700,7 +700,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-0]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -850,7 +850,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-6]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -1314,7 +1314,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-24]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -1339,7 +1339,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-25]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -4759,7 +4759,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-156]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -4915,7 +4915,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-162]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -5397,7 +5397,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-180]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -5423,7 +5423,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-181]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -17393,7 +17393,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-624]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -17549,7 +17549,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-630]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18031,7 +18031,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-648]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18057,7 +18057,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-649]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18082,7 +18082,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-650]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18232,7 +18232,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-656]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18696,7 +18696,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-674]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
# ===========================================================
|
||||
|
@ -18721,6 +18721,6 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|||
VerifyMode = Peer
|
||||
|
||||
[test-675]
|
||||
ExpectedResult = InternalError
|
||||
ExpectedResult = ClientFail
|
||||
|
||||
|
||||
|
|
|
@ -50,6 +50,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[0-curve-sect163k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect163k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -77,6 +78,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[1-curve-sect163r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect163r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -104,6 +106,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[2-curve-sect163r2-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect163r2
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -131,6 +134,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[3-curve-sect193r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect193r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -158,6 +162,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[4-curve-sect193r2-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect193r2
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -185,6 +190,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[5-curve-sect233k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect233k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -212,6 +218,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[6-curve-sect233r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect233r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -239,6 +246,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[7-curve-sect239k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect239k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -266,6 +274,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[8-curve-sect283k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect283k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -293,6 +302,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[9-curve-sect283r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect283r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -320,6 +330,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[10-curve-sect409k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect409k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -347,6 +358,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[11-curve-sect409r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect409r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -374,6 +386,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[12-curve-sect571k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect571k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -401,6 +414,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[13-curve-sect571r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = sect571r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -428,6 +442,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[14-curve-secp160k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp160k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -455,6 +470,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[15-curve-secp160r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp160r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -482,6 +498,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[16-curve-secp160r2-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp160r2
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -509,6 +526,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[17-curve-secp192k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp192k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -536,6 +554,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[18-curve-prime192v1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = prime192v1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -563,6 +582,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[19-curve-secp224k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp224k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -590,6 +610,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[20-curve-secp224r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp224r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -617,6 +638,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[21-curve-secp256k1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp256k1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -644,6 +666,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[22-curve-prime256v1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = prime256v1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -671,6 +694,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[23-curve-secp384r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp384r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -698,6 +722,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[24-curve-secp521r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = secp521r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -725,6 +750,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[25-curve-brainpoolP256r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = brainpoolP256r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -752,6 +778,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[26-curve-brainpoolP384r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = brainpoolP384r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -779,6 +806,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[27-curve-brainpoolP512r1-client]
|
||||
CipherString = ECDHE
|
||||
Curves = brainpoolP512r1
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -806,6 +834,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
[28-curve-X25519-client]
|
||||
CipherString = ECDHE
|
||||
Curves = X25519
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
|
|
@ -33,6 +33,7 @@ sub generate_tests() {
|
|||
},
|
||||
client => {
|
||||
"CipherString" => "ECDHE",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"Curves" => $curve
|
||||
},
|
||||
test => {
|
||||
|
|
|
@ -198,12 +198,12 @@ client = 6-renegotiate-aead-to-non-aead-client
|
|||
[6-renegotiate-aead-to-non-aead-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
MaxProtocol = TLSv1.2
|
||||
Options = NoResumptionOnRenegotiation
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[6-renegotiate-aead-to-non-aead-client]
|
||||
CipherString = AES128-GCM-SHA256
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -230,12 +230,12 @@ client = 7-renegotiate-non-aead-to-aead-client
|
|||
[7-renegotiate-non-aead-to-aead-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
MaxProtocol = TLSv1.2
|
||||
Options = NoResumptionOnRenegotiation
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[7-renegotiate-non-aead-to-aead-client]
|
||||
CipherString = AES128-SHA
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -262,12 +262,12 @@ client = 8-renegotiate-non-aead-to-non-aead-client
|
|||
[8-renegotiate-non-aead-to-non-aead-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
MaxProtocol = TLSv1.2
|
||||
Options = NoResumptionOnRenegotiation
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[8-renegotiate-non-aead-to-non-aead-client]
|
||||
CipherString = AES128-SHA
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -294,12 +294,12 @@ client = 9-renegotiate-aead-to-aead-client
|
|||
[9-renegotiate-aead-to-aead-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
MaxProtocol = TLSv1.2
|
||||
Options = NoResumptionOnRenegotiation
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[9-renegotiate-aead-to-aead-client]
|
||||
CipherString = AES128-GCM-SHA256
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
|
|
@ -114,10 +114,10 @@ our @tests_tls1_2 = (
|
|||
name => "renegotiate-aead-to-non-aead",
|
||||
server => {
|
||||
"Options" => "NoResumptionOnRenegotiation",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "AES128-GCM-SHA256",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"RenegotiateCiphers" => "AES128-SHA"
|
||||
}
|
||||
|
@ -133,10 +133,10 @@ our @tests_tls1_2 = (
|
|||
name => "renegotiate-non-aead-to-aead",
|
||||
server => {
|
||||
"Options" => "NoResumptionOnRenegotiation",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "AES128-SHA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"RenegotiateCiphers" => "AES128-GCM-SHA256"
|
||||
}
|
||||
|
@ -152,10 +152,10 @@ our @tests_tls1_2 = (
|
|||
name => "renegotiate-non-aead-to-non-aead",
|
||||
server => {
|
||||
"Options" => "NoResumptionOnRenegotiation",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "AES128-SHA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"RenegotiateCiphers" => "AES256-SHA"
|
||||
}
|
||||
|
@ -171,10 +171,10 @@ our @tests_tls1_2 = (
|
|||
name => "renegotiate-aead-to-aead",
|
||||
server => {
|
||||
"Options" => "NoResumptionOnRenegotiation",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "AES128-GCM-SHA256",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"RenegotiateCiphers" => "AES256-GCM-SHA384"
|
||||
}
|
||||
|
|
|
@ -96,12 +96,12 @@ client = 3-disable-encrypt-then-mac-server-sha2-client
|
|||
[3-disable-encrypt-then-mac-server-sha2-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = DEFAULT
|
||||
MaxProtocol = TLSv1.2
|
||||
Options = -EncryptThenMac
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[3-disable-encrypt-then-mac-server-sha2-client]
|
||||
CipherString = AES128-SHA256
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
|
|
@ -61,10 +61,10 @@ my @tests_tls1_2 = (
|
|||
name => "disable-encrypt-then-mac-server-sha2",
|
||||
server => {
|
||||
"Options" => "-EncryptThenMac",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "AES128-SHA256",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
test => {
|
||||
"ExpectedResult" => "Success",
|
||||
|
|
|
@ -34,6 +34,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
|
||||
[0-ECDSA CipherString Selection-client]
|
||||
CipherString = aECDSA
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -62,6 +63,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
|
||||
[1-RSA CipherString Selection-client]
|
||||
CipherString = aRSA
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
@ -88,6 +90,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
|||
|
||||
[2-ECDSA CipherString Selection, no ECDSA certificate-client]
|
||||
CipherString = aECDSA
|
||||
MaxProtocol = TLSv1.2
|
||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
||||
VerifyMode = Peer
|
||||
|
||||
|
|
|
@ -21,6 +21,7 @@ our @tests = (
|
|||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "P-256",
|
||||
|
@ -33,6 +34,7 @@ our @tests = (
|
|||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aRSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "RSA",
|
||||
|
@ -46,7 +48,8 @@ our @tests = (
|
|||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
client => {
|
||||
"CipherString" => "aECDSA"
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
test => {
|
||||
"ExpectedResult" => "ServerFail"
|
||||
|
|
|
@ -18,6 +18,7 @@ client = 0-srp-client
|
|||
[0-srp-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = SRP
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[0-srp-client]
|
||||
|
@ -52,6 +53,7 @@ client = 1-srp-bad-password-client
|
|||
[1-srp-bad-password-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = SRP
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[1-srp-bad-password-client]
|
||||
|
@ -86,6 +88,7 @@ client = 2-srp-auth-client
|
|||
[2-srp-auth-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = aSRP
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[2-srp-auth-client]
|
||||
|
@ -120,6 +123,7 @@ client = 3-srp-auth-bad-password-client
|
|||
[3-srp-auth-bad-password-server]
|
||||
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
|
||||
CipherString = aSRP
|
||||
MaxProtocol = TLSv1.2
|
||||
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
|
||||
|
||||
[3-srp-auth-bad-password-client]
|
||||
|
|
|
@ -18,6 +18,7 @@ our @tests = (
|
|||
name => "srp",
|
||||
server => {
|
||||
"CipherString" => "SRP",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"SRPUser" => "user",
|
||||
"SRPPassword" => "password",
|
||||
|
@ -39,6 +40,7 @@ our @tests = (
|
|||
name => "srp-bad-password",
|
||||
server => {
|
||||
"CipherString" => "SRP",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"SRPUser" => "user",
|
||||
"SRPPassword" => "password",
|
||||
|
@ -61,6 +63,7 @@ our @tests = (
|
|||
name => "srp-auth",
|
||||
server => {
|
||||
"CipherString" => "aSRP",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"SRPUser" => "user",
|
||||
"SRPPassword" => "password",
|
||||
|
@ -82,6 +85,7 @@ our @tests = (
|
|||
name => "srp-auth-bad-password",
|
||||
server => {
|
||||
"CipherString" => "aSRP",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
extra => {
|
||||
"SRPUser" => "user",
|
||||
"SRPPassword" => "password",
|
||||
|
|
|
@ -17,7 +17,7 @@ use warnings;
|
|||
use List::Util qw/max min/;
|
||||
|
||||
use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils qw/anydisabled alldisabled/;
|
||||
use OpenSSL::Test::Utils qw/anydisabled alldisabled disabled/;
|
||||
setup("no_test_here");
|
||||
|
||||
my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
|
||||
|
@ -125,6 +125,37 @@ sub generate_version_tests {
|
|||
}
|
||||
}
|
||||
}
|
||||
return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
|
||||
|
||||
#Add some version/ciphersuite sanity check tests
|
||||
push @tests, {
|
||||
"name" => "ciphersuite-sanity-check-client",
|
||||
"client" => {
|
||||
#Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
|
||||
"CipherString" => "AES128-SHA",
|
||||
},
|
||||
"server" => {
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
"test" => {
|
||||
"ExpectedResult" => "InternalError",
|
||||
}
|
||||
};
|
||||
push @tests, {
|
||||
"name" => "ciphersuite-sanity-check-server",
|
||||
"client" => {
|
||||
"CipherString" => "AES128-SHA",
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
},
|
||||
"server" => {
|
||||
#Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
|
||||
"CipherString" => "AES128-SHA",
|
||||
},
|
||||
"test" => {
|
||||
"ExpectedResult" => "ServerFail",
|
||||
}
|
||||
};
|
||||
|
||||
return @tests;
|
||||
}
|
||||
|
||||
|
@ -203,6 +234,25 @@ sub generate_resumption_tests {
|
|||
}
|
||||
}
|
||||
|
||||
if (!disabled("tls1_3") && !$dtls) {
|
||||
push @client_tests, {
|
||||
"name" => "resumption-with-hrr",
|
||||
"client" => {
|
||||
},
|
||||
"server" => {
|
||||
"Curves" => "P-256"
|
||||
},
|
||||
"resume_client" => {
|
||||
},
|
||||
"test" => {
|
||||
"ExpectedProtocol" => "TLSv1.3",
|
||||
"Method" => "TLS",
|
||||
"HandshakeMode" => "Resume",
|
||||
"ResumptionExpected" => "Yes",
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
return (@server_tests, @client_tests);
|
||||
}
|
||||
|
||||
|
@ -223,7 +273,11 @@ sub expected_result {
|
|||
$c_max = min $c_max, $max_enabled;
|
||||
$s_max = min $s_max, $max_enabled;
|
||||
|
||||
if ($c_min > $c_max) {
|
||||
if ($c_min > $c_max && $s_min > $s_max) {
|
||||
# Client will fail to send a hello and server will fail to start. The
|
||||
# client failed first so this is reported as ClientFail.
|
||||
return ("ClientFail", undef);
|
||||
} elsif ($c_min > $c_max) {
|
||||
# Client should fail to even send a hello.
|
||||
# This results in an internal error since the server will be
|
||||
# waiting for input that never arrives.
|
||||
|
|
Loading…
Reference in a new issue