[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Feb 16 12:04:53 UTC 2017
The branch master has been updated
via d4da1bb5ab2b8bb08ec6662262fb6b2e3fdafeef (commit)
via 2c55b28a34624c18e3d05dfd7acb78895e3a64e6 (commit)
via 28a31a0a10f41ef855cabab4e18c994c44225125 (commit)
via cc22cd546bd0b0e1b55c1835403ab564d5f30581 (commit)
from 7b3a4d610731929d4fde15411f9be9b883974980 (commit)
- Log -----------------------------------------------------------------
commit d4da1bb5ab2b8bb08ec6662262fb6b2e3fdafeef
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 16 09:51:56 2017 +0000
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 2c55b28a34624c18e3d05dfd7acb78895e3a64e6
Author: Matt Caswell <matt at openssl.org>
Date: Fri Feb 3 14:45:49 2017 +0000
Remove an OPENSSL_assert() and replace with a soft assert and check
Following on from CVE-2017-3733, this removes the OPENSSL_assert() check
that failed and replaces it with a soft assert, and an explicit check of
value with an error return if it fails.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 28a31a0a10f41ef855cabab4e18c994c44225125
Author: Matt Caswell <matt at openssl.org>
Date: Fri Feb 3 14:06:20 2017 +0000
Don't change the state of the ETM flags until CCS processing
In 1.1.0 changing the ciphersuite during a renegotiation can result in
a crash leading to a DoS attack. In master this does not occur with TLS
(instead you get an internal error, which is still wrong but not a security
issue) - but the problem still exists in the DTLS code.
The problem is caused by changing the flag indicating whether to use ETM
or not immediately on negotiation of ETM, rather than at CCS. Therefore,
during a renegotiation, if the ETM state is changing (usually due to a
change of ciphersuite), then an error/crash will occur.
Due to the fact that there are separate CCS messages for read and write
we actually now need two flags to determine whether to use ETM or not.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit cc22cd546bd0b0e1b55c1835403ab564d5f30581
Author: Matt Caswell <matt at openssl.org>
Date: Fri Feb 3 11:21:07 2017 +0000
Provide a test for the Encrypt-Then-Mac renegotiation crash
In 1.1.0 changing the ciphersuite during a renegotiation can result in
a crash leading to a DoS attack. In master this does not occur with TLS
(instead you get an internal error, which is still wrong but not a security
issue) - but the problem still exists in the DTLS code.
This commit provides a test for the issue.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 15 +++-
NEWS | 6 +-
include/openssl/ssl3.h | 5 +-
ssl/d1_lib.c | 2 +-
ssl/record/rec_layer_d1.c | 4 +-
ssl/record/rec_layer_s3.c | 6 +-
ssl/record/ssl3_record.c | 19 ++--
ssl/ssl_locl.h | 6 +-
ssl/statem/extensions.c | 4 +-
ssl/statem/extensions_clnt.c | 2 +-
ssl/statem/extensions_srvr.c | 6 +-
ssl/t1_enc.c | 15 +++-
test/dtls_mtu_test.c | 4 +-
test/handshake_helper.c | 16 +++-
test/ssl-tests/17-renegotiate.conf | 134 ++++++++++++++++++++++++++++-
test/ssl-tests/17-renegotiate.conf.in | 78 ++++++++++++++++-
test/ssl-tests/18-dtls-renegotiate.conf | 130 +++++++++++++++++++++++++++-
test/ssl-tests/18-dtls-renegotiate.conf.in | 74 +++++++++++++++-
test/ssl_test_ctx.c | 63 ++++----------
test/ssl_test_ctx.h | 2 +
20 files changed, 510 insertions(+), 81 deletions(-)
diff --git a/CHANGES b/CHANGES
index 8b27bd5..3e91a08 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
OpenSSL CHANGES
_______________
- Changes between 1.1.0a and 1.1.1 [xx XXX xxxx]
+ Changes between 1.1.0e and 1.1.1 [xx XXX xxxx]
*) Add support for SipHash
[Todd Short]
@@ -24,6 +24,19 @@
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]
+ Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
+
+ *) Encrypt-Then-Mac renegotiation crash
+
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
+ and servers are affected.
+
+ This issue was reported to OpenSSL by Joe Orton (Red Hat).
+ (CVE-2017-3733)
+ [Matt Caswell]
+
Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
*) Truncated packet could crash via OOB read
diff --git a/NEWS b/NEWS
index 34312cd..0852bd3 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.1 [under development]
+ Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.1 [under development]
o
+ Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017]
+
+ o Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
+
Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]
o Truncated packet could crash via OOB read (CVE-2017-3731)
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index d76236a..f2f62b4 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -265,11 +265,14 @@ extern "C" {
# define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
/* Set if we encrypt then mac instead of usual mac then encrypt */
-# define TLS1_FLAGS_ENCRYPT_THEN_MAC 0x0100
+# define TLS1_FLAGS_ENCRYPT_THEN_MAC_READ 0x0100
+# define TLS1_FLAGS_ENCRYPT_THEN_MAC TLS1_FLAGS_ENCRYPT_THEN_MAC_READ
/* Set if extended master secret extension received from peer */
# define TLS1_FLAGS_RECEIVED_EXTMS 0x0200
+# define TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE 0x0400
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index c1d160e..213fad5 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -937,7 +937,7 @@ size_t DTLS_get_data_mtu(const SSL *s)
&blocksize, &ext_overhead))
return 0;
- if (SSL_USE_ETM(s))
+ if (SSL_READ_ETM(s))
ext_overhead += mac_overhead;
else
int_overhead += mac_overhead;
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 67846bd..dc10673 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -1029,7 +1029,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
* wb->buf
*/
- if (!SSL_USE_ETM(s) && mac_size != 0) {
+ if (!SSL_WRITE_ETM(s) && mac_size != 0) {
if (!s->method->ssl3_enc->mac(s, &wr,
&(p[SSL3_RECORD_get_length(&wr) + eivlen]),
1))
@@ -1047,7 +1047,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
if (s->method->ssl3_enc->enc(s, &wr, 1, 1) < 1)
goto err;
- if (SSL_USE_ETM(s) && mac_size != 0) {
+ if (SSL_WRITE_ETM(s) && mac_size != 0) {
if (!s->method->ssl3_enc->mac(s, &wr,
&(p[SSL3_RECORD_get_length(&wr)]), 1))
goto err;
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 58a4716..0da91b1 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -401,7 +401,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len,
if (type == SSL3_RT_APPLICATION_DATA &&
len >= 4 * (max_send_fragment = s->max_send_fragment) &&
s->compress == NULL && s->msg_callback == NULL &&
- !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
+ !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) &
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
unsigned char aad[13];
@@ -870,7 +870,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
* in the wb->buf
*/
- if (!SSL_USE_ETM(s) && mac_size != 0) {
+ if (!SSL_WRITE_ETM(s) && mac_size != 0) {
unsigned char *mac;
if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
@@ -923,7 +923,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (SSL_USE_ETM(s) && mac_size != 0) {
+ if (SSL_WRITE_ETM(s) && mac_size != 0) {
unsigned char *mac;
if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac)
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index fc47236..df7d012 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -7,6 +7,7 @@
* https://www.openssl.org/source/license.html
*/
+#include <assert.h>
#include "../ssl_locl.h"
#include "internal/constant_time_locl.h"
#include <openssl/rand.h>
@@ -383,17 +384,17 @@ int ssl3_get_record(SSL *s)
* If in encrypt-then-mac mode calculate mac from encrypted record. All
* the details below are public so no timing details can leak.
*/
- if (SSL_USE_ETM(s) && s->read_hash) {
+ if (SSL_READ_ETM(s) && s->read_hash) {
unsigned char *mac;
/* TODO(size_t): convert this to do size_t properly */
imac_size = EVP_MD_CTX_size(s->read_hash);
- if (imac_size < 0) {
+ assert(imac_size >= 0 && imac_size <= EVP_MAX_MD_SIZE);
+ if (imac_size < 0 || imac_size > EVP_MAX_MD_SIZE) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_RECORD, ERR_LIB_EVP);
goto f_err;
}
mac_size = (size_t)imac_size;
- OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
for (j = 0; j < num_recs; j++) {
thisrr = &rr[j];
@@ -440,7 +441,7 @@ int ssl3_get_record(SSL *s)
/* r->length is now the compressed data plus mac */
if ((sess != NULL) &&
(s->enc_read_ctx != NULL) &&
- (EVP_MD_CTX_md(s->read_hash) != NULL) && !SSL_USE_ETM(s)) {
+ (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL)) {
/* s->read_hash != NULL => mac_size != -1 */
unsigned char *mac = NULL;
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
@@ -915,7 +916,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int send)
}
ret = 1;
- if (!SSL_USE_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) {
+ if (!SSL_READ_ETM(s) && EVP_MD_CTX_md(s->read_hash) != NULL) {
imac_size = EVP_MD_CTX_size(s->read_hash);
if (imac_size < 0)
return -1;
@@ -1092,7 +1093,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
header[11] = (unsigned char)(rec->length >> 8);
header[12] = (unsigned char)(rec->length & 0xff);
- if (!send && !SSL_USE_ETM(ssl) &&
+ if (!send && !SSL_READ_ETM(ssl) &&
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
ssl3_cbc_record_digest_supported(mac_ctx)) {
/*
@@ -1118,7 +1119,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int send)
EVP_MD_CTX_free(hmac);
return 0;
}
- if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
+ if (!send && !SSL_READ_ETM(ssl) && FIPS_mode())
if (!tls_fips_digest_extra(ssl->enc_read_ctx,
mac_ctx, rec->input,
rec->length, rec->orig_len)) {
@@ -1408,7 +1409,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
rr->data = rr->input;
rr->orig_len = rr->length;
- if (SSL_USE_ETM(s) && s->read_hash) {
+ if (SSL_READ_ETM(s) && s->read_hash) {
unsigned char *mac;
mac_size = EVP_MD_CTX_size(s->read_hash);
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
@@ -1452,7 +1453,7 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
#endif
/* r->length is now the compressed data plus mac */
- if ((sess != NULL) && !SSL_USE_ETM(s) &&
+ if ((sess != NULL) && !SSL_READ_ETM(s) &&
(s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) {
/* s->read_hash != NULL => mac_size != -1 */
unsigned char *mac = NULL;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 106ff69..e1bce30 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -395,7 +395,8 @@
# define SSL_CLIENT_USE_SIGALGS(s) \
SSL_CLIENT_USE_TLS1_2_CIPHERS(s)
-# define SSL_USE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
+# define SSL_READ_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_READ)
+# define SSL_WRITE_ETM(s) (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE)
/* Mostly for SSLv3 */
# define SSL_PKEY_RSA 0
@@ -1132,6 +1133,9 @@ struct ssl_st {
/* The available PSK key exchange modes */
int psk_kex_mode;
+
+ /* Set to one if we have negotiated ETM */
+ int use_etm;
} ext;
/*-
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index edb674d..8e1b502 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -207,7 +207,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
#endif
{
TLSEXT_TYPE_encrypt_then_mac,
- EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY,
+ EXT_CLIENT_HELLO | EXT_TLS1_2_SERVER_HELLO | EXT_TLS1_2_AND_BELOW_ONLY | EXT_SSL3_ALLOWED,
init_etm, tls_parse_ctos_etm, tls_parse_stoc_etm,
tls_construct_stoc_etm, tls_construct_ctos_etm, NULL
},
@@ -912,7 +912,7 @@ static int init_srp(SSL *s, unsigned int context)
static int init_etm(SSL *s, unsigned int context)
{
- s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 0;
return 1;
}
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index ea37919..09780a9 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1172,7 +1172,7 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)
&& s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD
&& s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4)
- s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 1;
return 1;
}
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index b555d68..ecfd00b 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -451,7 +451,7 @@ int tls_parse_ctos_etm(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al)
{
if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC))
- s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 1;
return 1;
}
@@ -953,7 +953,7 @@ int tls_construct_stoc_use_srtp(SSL *s, WPACKET *pkt, unsigned int context,
int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
size_t chainidx, int *al)
{
- if ((s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) == 0)
+ if (!s->ext.use_etm)
return 1;
/*
@@ -964,7 +964,7 @@ int tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, X509 *x,
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
|| s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12) {
- s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC;
+ s->ext.use_etm = 0;
return 1;
}
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index ebdc0fb..4158548 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -129,6 +129,11 @@ int tls1_change_cipher_state(SSL *s, int which)
#endif
if (which & SSL3_CC_READ) {
+ if (s->ext.use_etm)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
+ else
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
+
if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
else
@@ -167,6 +172,11 @@ int tls1_change_cipher_state(SSL *s, int which)
mac_secret = &(s->s3->read_mac_secret[0]);
mac_secret_size = &(s->s3->read_mac_secret_size);
} else {
+ if (s->ext.use_etm)
+ s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
+ else
+ s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
+
if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
else
@@ -369,9 +379,8 @@ int tls1_setup_key_block(SSL *s)
if (s->s3->tmp.key_block_length != 0)
return (1);
- if (!ssl_cipher_get_evp
- (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp,
- SSL_USE_ETM(s))) {
+ if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
+ &comp, s->ext.use_etm)) {
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return (0);
}
diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c
index da970a7..1a05c54 100644
--- a/test/dtls_mtu_test.c
+++ b/test/dtls_mtu_test.c
@@ -16,7 +16,7 @@
#include "ssltestlib.h"
-/* for SSL_USE_ETM() */
+/* for SSL_READ_ETM() */
#include "../ssl/ssl_locl.h"
static int debug = 0;
@@ -133,7 +133,7 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm)
}
}
rv = 1;
- if (SSL_USE_ETM(clnt_ssl))
+ if (SSL_READ_ETM(clnt_ssl))
rv = 2;
out:
SSL_free(clnt_ssl);
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index a789899..2b869a4 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -607,10 +607,20 @@ static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer)
* session. The server may or may not resume dependant on the
* setting of SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
*/
- if (SSL_is_server(peer->ssl))
+ if (SSL_is_server(peer->ssl)) {
ret = SSL_renegotiate(peer->ssl);
- else
- ret = SSL_renegotiate_abbreviated(peer->ssl);
+ } else {
+ if (test_ctx->extra.client.reneg_ciphers != NULL) {
+ if (!SSL_set_cipher_list(peer->ssl,
+ test_ctx->extra.client.reneg_ciphers)) {
+ peer->status = PEER_ERROR;
+ return;
+ }
+ ret = SSL_renegotiate(peer->ssl);
+ } else {
+ ret = SSL_renegotiate_abbreviated(peer->ssl);
+ }
+ }
if (!ret) {
peer->status = PEER_ERROR;
return;
diff --git a/test/ssl-tests/17-renegotiate.conf b/test/ssl-tests/17-renegotiate.conf
index 58992c0..8376eea 100644
--- a/test/ssl-tests/17-renegotiate.conf
+++ b/test/ssl-tests/17-renegotiate.conf
@@ -1,6 +1,6 @@
# Generated with generate_ssl_tests.pl
-num_tests = 6
+num_tests = 10
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
@@ -8,6 +8,10 @@ test-2 = 2-renegotiate-server-no-resume
test-3 = 3-renegotiate-server-resume
test-4 = 4-renegotiate-client-auth-require
test-5 = 5-renegotiate-client-auth-once
+test-6 = 6-renegotiate-aead-to-non-aead
+test-7 = 7-renegotiate-non-aead-to-aead
+test-8 = 8-renegotiate-non-aead-to-non-aead
+test-9 = 9-renegotiate-aead-to-aead
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -182,3 +186,131 @@ Method = TLS
ResumptionExpected = No
+# ===========================================================
+
+[6-renegotiate-aead-to-non-aead]
+ssl_conf = 6-renegotiate-aead-to-non-aead-ssl
+
+[6-renegotiate-aead-to-non-aead-ssl]
+server = 6-renegotiate-aead-to-non-aead-server
+client = 6-renegotiate-aead-to-non-aead-client
+
+[6-renegotiate-aead-to-non-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-renegotiate-aead-to-non-aead-client]
+CipherString = AES128-GCM-SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+client = 6-renegotiate-aead-to-non-aead-client-extra
+
+[6-renegotiate-aead-to-non-aead-client-extra]
+RenegotiateCiphers = AES128-SHA
+
+
+# ===========================================================
+
+[7-renegotiate-non-aead-to-aead]
+ssl_conf = 7-renegotiate-non-aead-to-aead-ssl
+
+[7-renegotiate-non-aead-to-aead-ssl]
+server = 7-renegotiate-non-aead-to-aead-server
+client = 7-renegotiate-non-aead-to-aead-client
+
+[7-renegotiate-non-aead-to-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-renegotiate-non-aead-to-aead-client]
+CipherString = AES128-SHA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+client = 7-renegotiate-non-aead-to-aead-client-extra
+
+[7-renegotiate-non-aead-to-aead-client-extra]
+RenegotiateCiphers = AES128-GCM-SHA256
+
+
+# ===========================================================
+
+[8-renegotiate-non-aead-to-non-aead]
+ssl_conf = 8-renegotiate-non-aead-to-non-aead-ssl
+
+[8-renegotiate-non-aead-to-non-aead-ssl]
+server = 8-renegotiate-non-aead-to-non-aead-server
+client = 8-renegotiate-non-aead-to-non-aead-client
+
+[8-renegotiate-non-aead-to-non-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-renegotiate-non-aead-to-non-aead-client]
+CipherString = AES128-SHA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+client = 8-renegotiate-non-aead-to-non-aead-client-extra
+
+[8-renegotiate-non-aead-to-non-aead-client-extra]
+RenegotiateCiphers = AES256-SHA
+
+
+# ===========================================================
+
+[9-renegotiate-aead-to-aead]
+ssl_conf = 9-renegotiate-aead-to-aead-ssl
+
+[9-renegotiate-aead-to-aead-ssl]
+server = 9-renegotiate-aead-to-aead-server
+client = 9-renegotiate-aead-to-aead-client
+
+[9-renegotiate-aead-to-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[9-renegotiate-aead-to-aead-client]
+CipherString = AES128-GCM-SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-9]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = TLS
+ResumptionExpected = No
+client = 9-renegotiate-aead-to-aead-client-extra
+
+[9-renegotiate-aead-to-aead-client-extra]
+RenegotiateCiphers = AES256-GCM-SHA384
+
+
diff --git a/test/ssl-tests/17-renegotiate.conf.in b/test/ssl-tests/17-renegotiate.conf.in
index 3f76cb8..77264c4 100644
--- a/test/ssl-tests/17-renegotiate.conf.in
+++ b/test/ssl-tests/17-renegotiate.conf.in
@@ -108,5 +108,81 @@ our @tests = (
"ResumptionExpected" => "No",
"ExpectedResult" => "Success"
}
- }
+ },
+ {
+ name => "renegotiate-aead-to-non-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "AES128-GCM-SHA256",
+ extra => {
+ "RenegotiateCiphers" => "AES128-SHA"
+ }
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-non-aead-to-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ extra => {
+ "RenegotiateCiphers" => "AES128-GCM-SHA256"
+ }
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-non-aead-to-non-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ extra => {
+ "RenegotiateCiphers" => "AES256-SHA"
+ }
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-aead-to-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "CipherString" => "AES128-GCM-SHA256",
+ extra => {
+ "RenegotiateCiphers" => "AES256-GCM-SHA384"
+ }
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
);
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf b/test/ssl-tests/18-dtls-renegotiate.conf
index fbde68a..3d8ebd7 100644
--- a/test/ssl-tests/18-dtls-renegotiate.conf
+++ b/test/ssl-tests/18-dtls-renegotiate.conf
@@ -1,12 +1,16 @@
# Generated with generate_ssl_tests.pl
-num_tests = 5
+num_tests = 9
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
test-2 = 2-renegotiate-server-resume
test-3 = 3-renegotiate-client-auth-require
test-4 = 4-renegotiate-client-auth-once
+test-5 = 5-renegotiate-aead-to-non-aead
+test-6 = 6-renegotiate-non-aead-to-aead
+test-7 = 7-renegotiate-non-aead-to-non-aead
+test-8 = 8-renegotiate-aead-to-aead
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -146,3 +150,127 @@ Method = DTLS
ResumptionExpected = No
+# ===========================================================
+
+[5-renegotiate-aead-to-non-aead]
+ssl_conf = 5-renegotiate-aead-to-non-aead-ssl
+
+[5-renegotiate-aead-to-non-aead-ssl]
+server = 5-renegotiate-aead-to-non-aead-server
+client = 5-renegotiate-aead-to-non-aead-client
+
+[5-renegotiate-aead-to-non-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-renegotiate-aead-to-non-aead-client]
+CipherString = AES128-GCM-SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = No
+client = 5-renegotiate-aead-to-non-aead-client-extra
+
+[5-renegotiate-aead-to-non-aead-client-extra]
+RenegotiateCiphers = AES128-SHA
+
+
+# ===========================================================
+
+[6-renegotiate-non-aead-to-aead]
+ssl_conf = 6-renegotiate-non-aead-to-aead-ssl
+
+[6-renegotiate-non-aead-to-aead-ssl]
+server = 6-renegotiate-non-aead-to-aead-server
+client = 6-renegotiate-non-aead-to-aead-client
+
+[6-renegotiate-non-aead-to-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-renegotiate-non-aead-to-aead-client]
+CipherString = AES128-SHA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = No
+client = 6-renegotiate-non-aead-to-aead-client-extra
+
+[6-renegotiate-non-aead-to-aead-client-extra]
+RenegotiateCiphers = AES128-GCM-SHA256
+
+
+# ===========================================================
+
+[7-renegotiate-non-aead-to-non-aead]
+ssl_conf = 7-renegotiate-non-aead-to-non-aead-ssl
+
+[7-renegotiate-non-aead-to-non-aead-ssl]
+server = 7-renegotiate-non-aead-to-non-aead-server
+client = 7-renegotiate-non-aead-to-non-aead-client
+
+[7-renegotiate-non-aead-to-non-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-renegotiate-non-aead-to-non-aead-client]
+CipherString = AES128-SHA
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = No
+client = 7-renegotiate-non-aead-to-non-aead-client-extra
+
+[7-renegotiate-non-aead-to-non-aead-client-extra]
+RenegotiateCiphers = AES256-SHA
+
+
+# ===========================================================
+
+[8-renegotiate-aead-to-aead]
+ssl_conf = 8-renegotiate-aead-to-aead-ssl
+
+[8-renegotiate-aead-to-aead-ssl]
+server = 8-renegotiate-aead-to-aead-server
+client = 8-renegotiate-aead-to-aead-client
+
+[8-renegotiate-aead-to-aead-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-renegotiate-aead-to-aead-client]
+CipherString = AES128-GCM-SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedResult = Success
+HandshakeMode = RenegotiateClient
+Method = DTLS
+ResumptionExpected = No
+client = 8-renegotiate-aead-to-aead-client-extra
+
+[8-renegotiate-aead-to-aead-client-extra]
+RenegotiateCiphers = AES256-GCM-SHA384
+
+
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf.in b/test/ssl-tests/18-dtls-renegotiate.conf.in
index 3f877f6..43046e3 100644
--- a/test/ssl-tests/18-dtls-renegotiate.conf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.conf.in
@@ -94,5 +94,77 @@ our @tests = (
"ResumptionExpected" => "No",
"ExpectedResult" => "Success"
}
- }
+ },
+ {
+ name => "renegotiate-aead-to-non-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation"
+ },
+ client => {
+ "CipherString" => "AES128-GCM-SHA256",
+ extra => {
+ "RenegotiateCiphers" => "AES128-SHA"
+ }
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-non-aead-to-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation"
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ extra => {
+ "RenegotiateCiphers" => "AES128-GCM-SHA256"
+ }
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-non-aead-to-non-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation"
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ extra => {
+ "RenegotiateCiphers" => "AES256-SHA"
+ }
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-aead-to-aead",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation"
+ },
+ client => {
+ "CipherString" => "AES128-GCM-SHA256",
+ extra => {
+ "RenegotiateCiphers" => "AES256-GCM-SHA384"
+ }
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateClient",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
);
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index e88e577..1f3495f 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -88,9 +88,7 @@ static const char *enum_name(const test_enum *enums, size_t num_enums,
}
-/*******************/
-/* ExpectedResult. */
-/*******************/
+/* ExpectedResult */
static const test_enum ssl_test_results[] = {
{"Success", SSL_TEST_SUCCESS},
@@ -115,9 +113,7 @@ const char *ssl_test_result_name(ssl_test_result_t result)
return enum_name(ssl_test_results, OSSL_NELEM(ssl_test_results), result);
}
-/**********************************************/
-/* ExpectedClientAlert / ExpectedServerAlert. */
-/**********************************************/
+/* ExpectedClientAlert / ExpectedServerAlert */
static const test_enum ssl_alerts[] = {
{"UnknownCA", SSL_AD_UNKNOWN_CA},
@@ -147,9 +143,7 @@ const char *ssl_alert_name(int alert)
return enum_name(ssl_alerts, OSSL_NELEM(ssl_alerts), alert);
}
-/********************/
/* ExpectedProtocol */
-/********************/
static const test_enum ssl_protocols[] = {
{"TLSv1.3", TLS1_3_VERSION},
@@ -172,9 +166,7 @@ const char *ssl_protocol_name(int protocol)
return enum_name(ssl_protocols, OSSL_NELEM(ssl_protocols), protocol);
}
-/***********************/
-/* VerifyCallback. */
-/***********************/
+/* VerifyCallback */
static const test_enum ssl_verify_callbacks[] = {
{"None", SSL_TEST_VERIFY_NONE},
@@ -200,9 +192,7 @@ const char *ssl_verify_callback_name(ssl_verify_callback_t callback)
callback);
}
-/**************/
/* ServerName */
-/**************/
static const test_enum ssl_servername[] = {
{"None", SSL_TEST_SERVERNAME_NONE},
@@ -241,9 +231,7 @@ const char *ssl_servername_name(ssl_servername_t server)
server);
}
-/**********************/
/* ServerNameCallback */
-/**********************/
static const test_enum ssl_servername_callbacks[] = {
{"None", SSL_TEST_SERVERNAME_CB_NONE},
@@ -269,9 +257,7 @@ const char *ssl_servername_callback_name(ssl_servername_callback_t callback)
OSSL_NELEM(ssl_servername_callbacks), callback);
}
-/*************************/
/* SessionTicketExpected */
-/*************************/
static const test_enum ssl_session_ticket[] = {
{"Ignore", SSL_TEST_SESSION_TICKET_IGNORE},
@@ -297,9 +283,7 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
server);
}
-/***********************/
-/* Method */
-/***********************/
+/* Method */
static const test_enum ssl_test_methods[] = {
{"TLS", SSL_TEST_METHOD_TLS},
@@ -322,9 +306,7 @@ const char *ssl_test_method_name(ssl_test_method_t method)
return enum_name(ssl_test_methods, OSSL_NELEM(ssl_test_methods), method);
}
-/************************************/
-/* NPN and ALPN options */
-/************************************/
+/* NPN and ALPN options */
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, npn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, npn_protocols)
@@ -333,9 +315,7 @@ IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, alpn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, alpn_protocols)
IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_alpn_protocol)
-/***********************/
-/* Handshake mode */
-/***********************/
+/* Handshake mode */
static const test_enum ssl_handshake_modes[] = {
{"Simple", SSL_TEST_HANDSHAKE_SIMPLE},
@@ -361,9 +341,11 @@ const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode)
mode);
}
-/***********************/
-/* CT Validation */
-/***********************/
+/* Renegotiation Ciphersuites */
+
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, reneg_ciphers)
+
+/* CT Validation */
static const test_enum ssl_ct_validation_modes[] = {
{"None", SSL_TEST_CT_VALIDATION_NONE},
@@ -392,9 +374,7 @@ const char *ssl_ct_validation_name(ssl_ct_validation_t mode)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, resumption_expected)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, broken_session_ticket)
-/**************/
/* CertStatus */
-/**************/
static const test_enum ssl_certstatus[] = {
{"None", SSL_TEST_CERT_STATUS_NONE},
@@ -420,21 +400,17 @@ const char *ssl_certstatus_name(ssl_cert_status_t cert_status)
OSSL_NELEM(ssl_certstatus), cert_status);
}
-/***********************/
-/* ApplicationData */
-/***********************/
+/* ApplicationData */
IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, app_data_size)
-/***********************/
-/* MaxFragmentSize */
-/***********************/
+
+/* MaxFragmentSize */
IMPLEMENT_SSL_TEST_INT_OPTION(SSL_TEST_CTX, test, max_fragment_size)
-/*************************************/
-/* Expected key and signature types */
-/*************************************/
+
+/* Expected key and signature types */
__owur static int parse_expected_key_type(int *ptype, const char *value)
{
@@ -494,9 +470,8 @@ __owur static int parse_expected_client_sign_type(SSL_TEST_CTX *test_ctx,
value);
}
-/*************************/
+
/* Expected signing hash */
-/*************************/
__owur static int parse_expected_sign_hash(int *ptype, const char *value)
{
@@ -527,9 +502,8 @@ __owur static int parse_expected_client_sign_hash(SSL_TEST_CTX *test_ctx,
value);
}
-/*************************************************************/
+
/* Known test options and their corresponding parse methods. */
-/*************************************************************/
/* Top-level options. */
typedef struct {
@@ -572,6 +546,7 @@ static const ssl_test_client_option ssl_test_client_options[] = {
{ "NPNProtocols", &parse_client_npn_protocols },
{ "ALPNProtocols", &parse_client_alpn_protocols },
{ "CTValidation", &parse_ct_validation },
+ { "RenegotiateCiphers", &parse_client_reneg_ciphers},
};
/* Nested server options. */
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 13652b0..6036a02 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -84,6 +84,8 @@ typedef struct {
char *npn_protocols;
char *alpn_protocols;
ssl_ct_validation_t ct_validation;
+ /* Ciphersuites to set on a renegotiation */
+ char *reneg_ciphers;
} SSL_TEST_CLIENT_CONF;
typedef struct {
More information about the openssl-commits
mailing list