[openssl-commits] [openssl] tls1.3-draft-18 update
Matt Caswell
matt at openssl.org
Thu May 4 10:53:31 UTC 2017
The branch tls1.3-draft-18 has been updated
via f315b665715bc499b5b97b18d3a7933c7b81ee5d (commit)
via ae4765396f19f5aa8aeb6565707e8e5ada4f3e6d (commit)
via 5d62fd7cb2d7e1abc8c9a09cbc05744a7d346775 (commit)
from 05a2feb6841c786b24a104943b2765ef8bc7a61f (commit)
- Log -----------------------------------------------------------------
commit f315b665715bc499b5b97b18d3a7933c7b81ee5d
Author: Matt Caswell <matt at openssl.org>
Date: Wed Apr 26 11:43:05 2017 +0100
Add tests for version/ciphersuite sanity checks
The previous commits added sanity checks for where the max enabled protocol
version does not have any configured ciphersuites. We should check that we
fail in those circumstances.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3334)
commit ae4765396f19f5aa8aeb6565707e8e5ada4f3e6d
Author: Matt Caswell <matt at openssl.org>
Date: Wed Apr 26 11:28:20 2017 +0100
Add a ciphersuite config sanity check for servers
Ensure that there are ciphersuites enabled for the maximum supported
version we will accept in a ClientHello.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3334)
commit 5d62fd7cb2d7e1abc8c9a09cbc05744a7d346775
Author: Matt Caswell <matt at openssl.org>
Date: Wed Apr 26 10:38:32 2017 +0100
Add a ciphersuite config sanity check for clients
Ensure that there are ciphersuites enabled for the maximum supported
version we are claiming in the ClientHello.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3334)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_locl.h | 3 +-
ssl/statem/extensions.c | 2 +-
ssl/statem/extensions_clnt.c | 2 +-
ssl/statem/statem_clnt.c | 22 ++++-
ssl/statem/statem_lib.c | 40 +++++++-
ssl/t1_lib.c | 2 +-
test/recipes/70-test_sslmessages.t | 1 +
test/ssl-tests/02-protocol-version.conf | 32 +++---
test/ssl-tests/14-curves.conf | 29 ++++++
test/ssl-tests/14-curves.conf.in | 5 +-
test/ssl-tests/17-renegotiate.conf | 8 +-
test/ssl-tests/17-renegotiate.conf.in | 8 +-
test/ssl-tests/19-mac-then-encrypt.conf | 2 +-
test/ssl-tests/19-mac-then-encrypt.conf.in | 2 +-
test/ssl-tests/20-cert-select.conf | 3 +
test/ssl-tests/20-cert-select.conf.in | 5 +-
test/ssl-tests/23-srp.conf | 4 +
test/ssl-tests/23-srp.conf.in | 154 +++++++++++++++--------------
test/ssl-tests/protocol_version.pm | 37 ++++++-
19 files changed, 245 insertions(+), 116 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f4860ea..d51772f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2169,8 +2169,7 @@ __owur int ssl_check_version_downgrade(SSL *s);
__owur int ssl_set_version_bound(int method_version, int version, int *bound);
__owur int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello);
__owur int ssl_choose_client_version(SSL *s, int version);
-int ssl_get_client_min_max_version(const SSL *s, int *min_version,
- int *max_version);
+int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version);
__owur long tls1_default_timeout(void);
__owur int dtls1_do_write(SSL *s, int type);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8550dfe..cb420e8 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -639,7 +639,7 @@ int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context,
}
if ((context & EXT_CLIENT_HELLO) != 0) {
- reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_EXTENSIONS, reason);
goto err;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index c6cd0ce..5f33e2c 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -464,7 +464,7 @@ int tls_construct_ctos_supported_versions(SSL *s, WPACKET *pkt,
return 0;
}
- reason = ssl_get_client_min_max_version(s, &min_version, &max_version);
+ reason = ssl_get_min_max_version(s, &min_version, &max_version);
if (reason != 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_VERSIONS, reason);
return 0;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 9f4a719..f6b6429 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -3470,7 +3470,7 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
{
int i;
- size_t totlen = 0, len, maxlen;
+ size_t totlen = 0, len, maxlen, maxverok = 0;
int empty_reneg_info_scsv = !s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
@@ -3512,11 +3512,29 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
return 0;
}
+ /* Sanity check that the maximum version we offer has ciphers enabled */
+ if (!maxverok) {
+ if (SSL_IS_DTLS(s)) {
+ if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
+ && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
+ maxverok = 1;
+ } else {
+ if (c->max_tls >= s->s3->tmp.max_ver
+ && c->min_tls <= s->s3->tmp.max_ver)
+ maxverok = 1;
+ }
+ }
+
totlen += len;
}
- if (totlen == 0) {
+ if (totlen == 0 || !maxverok) {
SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
+
+ if (!maxverok)
+ ERR_add_error_data(1, "No ciphers enabled for max supported "
+ "SSL/TLS version");
+
return 0;
}
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 36c96e5..ab72788 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -78,6 +78,39 @@ int tls_setup_handshake(SSL *s)
return 0;
if (s->server) {
+ STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
+ int i, ver_min, ver_max, ok = 0;
+
+ /*
+ * Sanity check that the maximum version we accept has ciphers
+ * enabled. For clients we do this check during construction of the
+ * ClientHello.
+ */
+ if (ssl_get_min_max_version(s, &ver_min, &ver_max) != 0) {
+ SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
+ for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
+ const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
+
+ if (SSL_IS_DTLS(s)) {
+ if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
+ DTLS_VERSION_LE(ver_max, c->max_dtls))
+ ok = 1;
+ } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
+ ok = 1;
+ }
+ if (ok)
+ break;
+ }
+ if (!ok) {
+ SSLerr(SSL_F_TLS_SETUP_HANDSHAKE, SSL_R_NO_CIPHERS_AVAILABLE);
+ ERR_add_error_data(1, "No ciphers enabled for max supported "
+ "SSL/TLS version");
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return 0;
+ }
if (SSL_IS_FIRST_HANDSHAKE(s)) {
s->ctx->stats.sess_accept++;
} else if (!s->s3->send_connection_binding &&
@@ -1714,7 +1747,7 @@ int ssl_choose_client_version(SSL *s, int version)
}
/*
- * ssl_get_client_min_max_version - get minimum and maximum client version
+ * ssl_get_min_max_version - get minimum and maximum protocol version
* @s: The SSL connection
* @min_version: The minimum supported version
* @max_version: The maximum supported version
@@ -1732,8 +1765,7 @@ int ssl_choose_client_version(SSL *s, int version)
* Returns 0 on success or an SSL error reason number on failure. On failure
* min_version and max_version will also be set to 0.
*/
-int ssl_get_client_min_max_version(const SSL *s, int *min_version,
- int *max_version)
+int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version)
{
int version;
int hole;
@@ -1827,7 +1859,7 @@ int ssl_set_client_hello_version(SSL *s)
{
int ver_min, ver_max, ret;
- ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
+ ret = ssl_get_min_max_version(s, &ver_min, &ver_max);
if (ret != 0)
return ret;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 83e493e..6ff3363 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1013,7 +1013,7 @@ void ssl_set_client_disabled(SSL *s)
s->s3->tmp.mask_a = 0;
s->s3->tmp.mask_k = 0;
ssl_set_sig_mask(&s->s3->tmp.mask_a, s, SSL_SECOP_SIGALG_MASK);
- ssl_get_client_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
+ ssl_get_min_max_version(s, &s->s3->tmp.min_ver, &s->s3->tmp.max_ver);
#ifndef OPENSSL_NO_PSK
/* with PSK there must be client callback set */
if (!s->psk_client_callback) {
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index 790b3ae..a6278dc 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -396,6 +396,7 @@ SKIP: {
skip "No EC support in this OpenSSL build", 1 if disabled("ec");
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
+ $proxy->serverflags("-no_tls1_3");
$proxy->ciphers("ECDHE-RSA-AES128-SHA");
$proxy->start();
checkhandshake($proxy, checkhandshake::EC_HANDSHAKE,
diff --git a/test/ssl-tests/02-protocol-version.conf b/test/ssl-tests/02-protocol-version.conf
index d5e0779..41fa8ca 100644
--- a/test/ssl-tests/02-protocol-version.conf
+++ b/test/ssl-tests/02-protocol-version.conf
@@ -700,7 +700,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -850,7 +850,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-6]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -1314,7 +1314,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-24]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -1339,7 +1339,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-25]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -4759,7 +4759,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-156]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -4915,7 +4915,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-162]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -5397,7 +5397,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-180]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -5423,7 +5423,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-181]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -17393,7 +17393,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-624]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -17549,7 +17549,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-630]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18031,7 +18031,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-648]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18057,7 +18057,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-649]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18082,7 +18082,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-650]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18232,7 +18232,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-656]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18696,7 +18696,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-674]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
# ===========================================================
@@ -18721,6 +18721,6 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-675]
-ExpectedResult = InternalError
+ExpectedResult = ClientFail
diff --git a/test/ssl-tests/14-curves.conf b/test/ssl-tests/14-curves.conf
index 83911b0..ab04c2e 100644
--- a/test/ssl-tests/14-curves.conf
+++ b/test/ssl-tests/14-curves.conf
@@ -50,6 +50,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-curve-sect163k1-client]
CipherString = ECDHE
Curves = sect163k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -77,6 +78,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-curve-sect163r1-client]
CipherString = ECDHE
Curves = sect163r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -104,6 +106,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-curve-sect163r2-client]
CipherString = ECDHE
Curves = sect163r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -131,6 +134,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-curve-sect193r1-client]
CipherString = ECDHE
Curves = sect193r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -158,6 +162,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[4-curve-sect193r2-client]
CipherString = ECDHE
Curves = sect193r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -185,6 +190,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[5-curve-sect233k1-client]
CipherString = ECDHE
Curves = sect233k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -212,6 +218,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-curve-sect233r1-client]
CipherString = ECDHE
Curves = sect233r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -239,6 +246,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-curve-sect239k1-client]
CipherString = ECDHE
Curves = sect239k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -266,6 +274,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-curve-sect283k1-client]
CipherString = ECDHE
Curves = sect283k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -293,6 +302,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-curve-sect283r1-client]
CipherString = ECDHE
Curves = sect283r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -320,6 +330,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-curve-sect409k1-client]
CipherString = ECDHE
Curves = sect409k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -347,6 +358,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-curve-sect409r1-client]
CipherString = ECDHE
Curves = sect409r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -374,6 +386,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-curve-sect571k1-client]
CipherString = ECDHE
Curves = sect571k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -401,6 +414,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-curve-sect571r1-client]
CipherString = ECDHE
Curves = sect571r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -428,6 +442,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-curve-secp160k1-client]
CipherString = ECDHE
Curves = secp160k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -455,6 +470,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-curve-secp160r1-client]
CipherString = ECDHE
Curves = secp160r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -482,6 +498,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[16-curve-secp160r2-client]
CipherString = ECDHE
Curves = secp160r2
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -509,6 +526,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[17-curve-secp192k1-client]
CipherString = ECDHE
Curves = secp192k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -536,6 +554,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[18-curve-prime192v1-client]
CipherString = ECDHE
Curves = prime192v1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -563,6 +582,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[19-curve-secp224k1-client]
CipherString = ECDHE
Curves = secp224k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -590,6 +610,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[20-curve-secp224r1-client]
CipherString = ECDHE
Curves = secp224r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -617,6 +638,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[21-curve-secp256k1-client]
CipherString = ECDHE
Curves = secp256k1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -644,6 +666,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[22-curve-prime256v1-client]
CipherString = ECDHE
Curves = prime256v1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -671,6 +694,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[23-curve-secp384r1-client]
CipherString = ECDHE
Curves = secp384r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -698,6 +722,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[24-curve-secp521r1-client]
CipherString = ECDHE
Curves = secp521r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -725,6 +750,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[25-curve-brainpoolP256r1-client]
CipherString = ECDHE
Curves = brainpoolP256r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -752,6 +778,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[26-curve-brainpoolP384r1-client]
CipherString = ECDHE
Curves = brainpoolP384r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -779,6 +806,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[27-curve-brainpoolP512r1-client]
CipherString = ECDHE
Curves = brainpoolP512r1
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -806,6 +834,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[28-curve-X25519-client]
CipherString = ECDHE
Curves = X25519
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/14-curves.conf.in b/test/ssl-tests/14-curves.conf.in
index 6e98b5a..9f6e433 100644
--- a/test/ssl-tests/14-curves.conf.in
+++ b/test/ssl-tests/14-curves.conf.in
@@ -25,14 +25,15 @@ sub generate_tests() {
foreach (0..$#curves) {
my $curve = $curves[$_];
push @tests, {
- name => "curve-${curve}",
+ name => "curve-${curve}",
server => {
"Curves" => $curve,
# TODO(TLS1.3): Can we get this to work for TLSv1.3?
"MaxProtocol" => "TLSv1.2"
},
client => {
- "CipherString" => "ECDHE",
+ "CipherString" => "ECDHE",
+ "MaxProtocol" => "TLSv1.2",
"Curves" => $curve
},
test => {
diff --git a/test/ssl-tests/17-renegotiate.conf b/test/ssl-tests/17-renegotiate.conf
index 8376eea..3f3769f 100644
--- a/test/ssl-tests/17-renegotiate.conf
+++ b/test/ssl-tests/17-renegotiate.conf
@@ -198,12 +198,12 @@ client = 6-renegotiate-aead-to-non-aead-client
[6-renegotiate-aead-to-non-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[6-renegotiate-aead-to-non-aead-client]
CipherString = AES128-GCM-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -230,12 +230,12 @@ client = 7-renegotiate-non-aead-to-aead-client
[7-renegotiate-non-aead-to-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[7-renegotiate-non-aead-to-aead-client]
CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -262,12 +262,12 @@ client = 8-renegotiate-non-aead-to-non-aead-client
[8-renegotiate-non-aead-to-non-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[8-renegotiate-non-aead-to-non-aead-client]
CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -294,12 +294,12 @@ client = 9-renegotiate-aead-to-aead-client
[9-renegotiate-aead-to-aead-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[9-renegotiate-aead-to-aead-client]
CipherString = AES128-GCM-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/17-renegotiate.conf.in b/test/ssl-tests/17-renegotiate.conf.in
index 867a4f2..b5d07b0 100644
--- a/test/ssl-tests/17-renegotiate.conf.in
+++ b/test/ssl-tests/17-renegotiate.conf.in
@@ -114,10 +114,10 @@ our @tests_tls1_2 = (
name => "renegotiate-aead-to-non-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-GCM-SHA256",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES128-SHA"
}
@@ -133,10 +133,10 @@ our @tests_tls1_2 = (
name => "renegotiate-non-aead-to-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES128-GCM-SHA256"
}
@@ -152,10 +152,10 @@ our @tests_tls1_2 = (
name => "renegotiate-non-aead-to-non-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES256-SHA"
}
@@ -171,10 +171,10 @@ our @tests_tls1_2 = (
name => "renegotiate-aead-to-aead",
server => {
"Options" => "NoResumptionOnRenegotiation",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-GCM-SHA256",
+ "MaxProtocol" => "TLSv1.2",
extra => {
"RenegotiateCiphers" => "AES256-GCM-SHA384"
}
diff --git a/test/ssl-tests/19-mac-then-encrypt.conf b/test/ssl-tests/19-mac-then-encrypt.conf
index bba44d1..0dd384e 100644
--- a/test/ssl-tests/19-mac-then-encrypt.conf
+++ b/test/ssl-tests/19-mac-then-encrypt.conf
@@ -96,12 +96,12 @@ client = 3-disable-encrypt-then-mac-server-sha2-client
[3-disable-encrypt-then-mac-server-sha2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
-MaxProtocol = TLSv1.2
Options = -EncryptThenMac
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-disable-encrypt-then-mac-server-sha2-client]
CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in
index d51cfa3..dfe529c 100644
--- a/test/ssl-tests/19-mac-then-encrypt.conf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.conf.in
@@ -61,10 +61,10 @@ my @tests_tls1_2 = (
name => "disable-encrypt-then-mac-server-sha2",
server => {
"Options" => "-EncryptThenMac",
- "MaxProtocol" => "TLSv1.2"
},
client => {
"CipherString" => "AES128-SHA256",
+ "MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "Success",
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index e787efc..d07a989 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -34,6 +34,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-ECDSA CipherString Selection-client]
CipherString = aECDSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -62,6 +63,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-RSA CipherString Selection-client]
CipherString = aRSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -88,6 +90,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-ECDSA CipherString Selection, no ECDSA certificate-client]
CipherString = aECDSA
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index 3d50f02..d333d5d 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -21,6 +21,7 @@ our @tests = (
server => $server,
client => {
"CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "P-256",
@@ -33,6 +34,7 @@ our @tests = (
server => $server,
client => {
"CipherString" => "aRSA",
+ "MaxProtocol" => "TLSv1.2",
},
test => {
"ExpectedServerCertType" =>, "RSA",
@@ -46,7 +48,8 @@ our @tests = (
"MaxProtocol" => "TLSv1.2"
},
client => {
- "CipherString" => "aECDSA"
+ "CipherString" => "aECDSA",
+ "MaxProtocol" => "TLSv1.2"
},
test => {
"ExpectedResult" => "ServerFail"
diff --git a/test/ssl-tests/23-srp.conf b/test/ssl-tests/23-srp.conf
index 6ae49e6..610a0bb 100644
--- a/test/ssl-tests/23-srp.conf
+++ b/test/ssl-tests/23-srp.conf
@@ -18,6 +18,7 @@ client = 0-srp-client
[0-srp-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-srp-client]
@@ -52,6 +53,7 @@ client = 1-srp-bad-password-client
[1-srp-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-srp-bad-password-client]
@@ -86,6 +88,7 @@ client = 2-srp-auth-client
[2-srp-auth-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-srp-auth-client]
@@ -120,6 +123,7 @@ client = 3-srp-auth-bad-password-client
[3-srp-auth-bad-password-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = aSRP
+MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-srp-auth-bad-password-client]
diff --git a/test/ssl-tests/23-srp.conf.in b/test/ssl-tests/23-srp.conf.in
index b7601fc..dcbd9f4 100644
--- a/test/ssl-tests/23-srp.conf.in
+++ b/test/ssl-tests/23-srp.conf.in
@@ -15,89 +15,93 @@ package ssltests;
our @tests = (
{
- name => "srp",
- server => {
- "CipherString" => "SRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp",
+ server => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
},
- client => {
- "CipherString" => "SRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
- },
- test => {
- "ExpectedResult" => "Success"
- },
},
{
- name => "srp-bad-password",
- server => {
- "CipherString" => "SRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-bad-password",
+ server => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "SRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
},
- client => {
- "CipherString" => "SRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "passw0rd",
- },
- },
- test => {
- # Server fails first with bad client Finished.
- "ExpectedResult" => "ServerFail"
- },
},
{
- name => "srp-auth",
- server => {
- "CipherString" => "aSRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-auth",
+ server => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success"
},
- client => {
- "CipherString" => "aSRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
- },
- test => {
- "ExpectedResult" => "Success"
- },
},
{
- name => "srp-auth-bad-password",
- server => {
- "CipherString" => "aSRP",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "password",
- },
+ name => "srp-auth-bad-password",
+ server => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "password",
+ },
+ },
+ client => {
+ "CipherString" => "aSRP",
+ "MaxProtocol" => "TLSv1.2",
+ extra => {
+ "SRPUser" => "user",
+ "SRPPassword" => "passw0rd",
+ },
+ },
+ test => {
+ # Server fails first with bad client Finished.
+ "ExpectedResult" => "ServerFail"
},
- client => {
- "CipherString" => "aSRP",
- "MaxProtocol" => "TLSv1.2",
- extra => {
- "SRPUser" => "user",
- "SRPPassword" => "passw0rd",
- },
- },
- test => {
- # Server fails first with bad client Finished.
- "ExpectedResult" => "ServerFail"
- },
},
-);
\ No newline at end of file
+);
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 7c28bcf..07e180e 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -125,6 +125,37 @@ sub generate_version_tests {
}
}
}
+ return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
+
+ #Add some version/ciphersuite sanity check tests
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-client",
+ "client" => {
+ #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ },
+ "server" => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ "test" => {
+ "ExpectedResult" => "InternalError",
+ }
+ };
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-server",
+ "client" => {
+ "CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ "server" => {
+ #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ },
+ "test" => {
+ "ExpectedResult" => "ServerFail",
+ }
+ };
+
return @tests;
}
@@ -242,7 +273,11 @@ sub expected_result {
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
- if ($c_min > $c_max) {
+ if ($c_min > $c_max && $s_min > $s_max) {
+ # Client will fail to send a hello and server will fail to start. The
+ # client failed first so this is reported as ClientFail.
+ return ("ClientFail", undef);
+ } elsif ($c_min > $c_max) {
# Client should fail to even send a hello.
# This results in an internal error since the server will be
# waiting for input that never arrives.
More information about the openssl-commits
mailing list