diff options
| author | Matt Caswell <matt@openssl.org> | 2016-11-02 15:03:56 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-11-16 10:09:46 +0000 |
| commit | 0f1e51ea115beef8a5fdd80d5a6c13ee289f980a (patch) | |
| tree | 65060f458f52188507f0a9748ea8004bf5e50763 /test/ssl-tests | |
| parent | c87386a2cd586368a61d86ede03319f910d050f4 (diff) | |
Start using the key_share data to derive the PMS
The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.
The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.
The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.
I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'test/ssl-tests')
| -rw-r--r-- | test/ssl-tests/08-npn.conf | 22 | ||||
| -rw-r--r-- | test/ssl-tests/08-npn.conf.in | 33 |
2 files changed, 50 insertions, 5 deletions
diff --git a/test/ssl-tests/08-npn.conf b/test/ssl-tests/08-npn.conf index 9115ef458b..f38b3f6975 100644 --- a/test/ssl-tests/08-npn.conf +++ b/test/ssl-tests/08-npn.conf @@ -38,6 +38,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-npn-simple-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -69,6 +70,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-npn-client-finds-match-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -100,6 +102,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-npn-client-honours-server-pref-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -131,6 +134,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-npn-client-first-pref-on-mismatch-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -162,6 +166,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-npn-no-server-support-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -188,6 +193,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-npn-no-client-support-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -220,6 +226,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [6-npn-with-sni-no-context-switch-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -264,6 +271,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [7-npn-with-sni-context-switch-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -308,6 +316,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [8-npn-selected-sni-server-supports-npn-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -351,6 +360,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [9-npn-selected-sni-server-does-not-support-npn-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -384,6 +394,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [10-alpn-preferred-over-npn-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -423,6 +434,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [11-sni-npn-preferred-over-alpn-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -464,6 +476,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [12-npn-simple-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -506,6 +519,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [13-npn-server-switch-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -546,11 +560,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-npn-client-switch-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [14-npn-client-switch-resumption-resume-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -596,6 +612,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-npn-client-first-pref-on-mismatch-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -641,6 +658,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-npn-no-server-support-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -676,11 +694,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-npn-no-client-support-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [17-npn-no-client-support-resumption-resume-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -721,6 +741,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-alpn-preferred-over-npn-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -768,6 +789,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-npn-used-if-alpn-not-supported-resumption-client] CipherString = DEFAULT +MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/08-npn.conf.in b/test/ssl-tests/08-npn.conf.in index 8a1f4ec916..b5df13d5a9 100644 --- a/test/ssl-tests/08-npn.conf.in +++ b/test/ssl-tests/08-npn.conf.in @@ -7,14 +7,13 @@ # https://www.openssl.org/source/license.html -## Test version negotiation +## Test NPN. Note that NPN is only supported up to TLSv1.2 use strict; use warnings; package ssltests; - our @tests = ( { name => "npn-simple", @@ -27,6 +26,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedNPNProtocol" => "foo", @@ -43,6 +43,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo,bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedNPNProtocol" => "bar", @@ -59,6 +60,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo,bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedNPNProtocol" => "bar", @@ -75,6 +77,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo,bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedNPNProtocol" => "foo", @@ -82,11 +85,12 @@ our @tests = ( }, { name => "npn-no-server-support", - server => { }, + server => {}, client => { extra => { "NPNProtocols" => "foo", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedNPNProtocol" => undef, @@ -99,7 +103,9 @@ our @tests = ( "NPNProtocols" => "foo", }, }, - client => { }, + client => { + "MaxProtocol" => "TLSv1.2" + }, test => { "ExpectedNPNProtocol" => undef, }, @@ -122,6 +128,7 @@ our @tests = ( "NPNProtocols" => "foo,bar", "ServerName" => "server1", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedServerName" => "server1", @@ -146,6 +153,7 @@ our @tests = ( "NPNProtocols" => "foo,bar", "ServerName" => "server2", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedServerName" => "server2", @@ -169,6 +177,7 @@ our @tests = ( "NPNProtocols" => "foo,bar", "ServerName" => "server2", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedServerName" => "server2", @@ -189,6 +198,7 @@ our @tests = ( "NPNProtocols" => "foo,bar", "ServerName" => "server2", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedServerName" => "server2", @@ -208,6 +218,7 @@ our @tests = ( "ALPNProtocols" => "foo", "NPNProtocols" => "bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedALPNProtocol" => "foo", @@ -233,6 +244,7 @@ our @tests = ( "ALPNProtocols" => "foo", "NPNProtocols" => "bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "ExpectedALPNProtocol" => undef, @@ -251,6 +263,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -274,6 +287,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo,bar,baz", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -292,11 +306,13 @@ our @tests = ( extra => { "NPNProtocols" => "foo,baz", }, + "MaxProtocol" => "TLSv1.2" }, resume_client => { extra => { "NPNProtocols" => "bar,baz", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -320,6 +336,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo,bar", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -339,6 +356,7 @@ our @tests = ( extra => { "NPNProtocols" => "foo", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -357,8 +375,11 @@ our @tests = ( extra => { "NPNProtocols" => "foo", }, + "MaxProtocol" => "TLSv1.2" + }, + resume_client => { + "MaxProtocol" => "TLSv1.2" }, - resume_client => { }, test => { "HandshakeMode" => "Resume", "ResumptionExpected" => "Yes", @@ -383,6 +404,7 @@ our @tests = ( "ALPNProtocols" => "foo", "NPNProtocols" => "bar,baz", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", @@ -409,6 +431,7 @@ our @tests = ( "ALPNProtocols" => "foo", "NPNProtocols" => "bar,baz", }, + "MaxProtocol" => "TLSv1.2" }, test => { "HandshakeMode" => "Resume", |