authorMatt Caswell <matt@openssl.org>2016-11-07 13:50:43 +0000
committerMatt Caswell <matt@openssl.org>2016-12-08 17:16:23 +0000
commit71728dd8aa3acc0bc9d621f8c4a4032aa3325fe4 (patch)
tree4b1a34bee452b160332b4453e33fc9df939061f9 /test
parentc901bccec6f747467e1af31473655c8290e32309 (diff)
Send and Receive a TLSv1.3 format ServerHello
There are some minor differences in the format of a ServerHello in TLSv1.3. Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich Salz Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test')
-rwxr-xr-xtest/recipes/70-test_tls13messages.t13
-rw-r--r--test/ssl-tests/09-alpn.conf8
-rw-r--r--test/ssl-tests/09-alpn.conf.in19
-rw-r--r--test/ssl-tests/12-ct.conf3
-rw-r--r--test/ssl-tests/12-ct.conf.in113
-rw-r--r--test/ssl-tests/protocol_version.pm16
-rw-r--r--test/sslapitest.c6
7 files changed, 119 insertions, 59 deletions
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index 62c12c4ad3..50baf2e0fb 100755
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -60,17 +60,18 @@ sub checkmessages($$);
#Test 1: Check we get all the right messages for a default handshake
(undef, my $session) = tempfile();
-$proxy->serverconnects(2);
+#$proxy->serverconnects(2);
$proxy->clientflags("-sess_out ".$session);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 4;
+plan tests => 3;
checkmessages(DEFAULT_HANDSHAKE, "Default handshake test");
+#TODO(TLS1.3): Test temporarily disabled until we implement TLS1.3 resumption
#Test 2: Resumption handshake
-$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session);
-$proxy->clientstart();
-checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
+#$proxy->clearClient();
+#$proxy->clientflags("-sess_in ".$session);
+#$proxy->clientstart();
+#checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
unlink $session;
#Test 3: A default handshake, but with a CertificateStatus message
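Review bot: The resumption check is switched off by commenting out its four lines and lowering `plan tests` from 4 to 3, so the test output no longer shows that RESUME_HANDSHAKE coverage is missing. A `SKIP:` block around those lines with `skip "TLS1.3 resumption not implemented", 1;` and `plan tests => 4` left as it was would report the gap on every run until the TODO is resolved. The commented-out `#$proxy->serverconnects(2);` at the top of the hunk sits above the TODO comment and reads as unexplained dead code; it should carry the same `#TODO(TLS1.3):` marker. The script continues past the end of this hunk.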
diff --git a/test/ssl-tests/09-alpn.conf b/test/ssl-tests/09-alpn.conf
index e7e6cb9534..fc3c8da154 100644
--- a/test/ssl-tests/09-alpn.conf
+++ b/test/ssl-tests/09-alpn.conf
@@ -383,6 +383,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[10-alpn-simple-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -425,6 +426,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[11-alpn-server-switch-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -465,11 +467,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[12-alpn-client-switch-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[12-alpn-client-switch-resumption-resume-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -515,6 +519,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[13-alpn-alert-on-mismatch-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -560,6 +565,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[14-alpn-no-server-support-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -595,11 +601,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[15-alpn-no-client-support-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[15-alpn-no-client-support-resumption-resume-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/09-alpn.conf.in b/test/ssl-tests/09-alpn.conf.in
index 18560e1801..ff931a9425 100644
--- a/test/ssl-tests/09-alpn.conf.in
+++ b/test/ssl-tests/09-alpn.conf.in
@@ -204,6 +204,8 @@ our @tests = (
},
},
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo",
},
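Review bot: The `MaxProtocol => "TLSv1.2",` cap and its TODO comment are pasted into every resumption client, here and in the hunks at -227, -245, -273, -292 and -310, so lifting the restriction later means finding each copy. Assuming this template is evaluated as ordinary Perl, as the `our @tests = (` context suggests, one file-level line such as `my $resume_max_proto = "TLSv1.2"; #TODO(TLS1.3): remove once resumption is supported` referenced as `MaxProtocol => $resume_max_proto,` would leave a single place to change. Until then these ALPN resumption cases run at TLSv1.2 only, which the test names do not show.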
@@ -227,6 +229,8 @@ our @tests = (
},
},
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo,bar,baz",
},
@@ -245,11 +249,15 @@ our @tests = (
},
},
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo,baz",
},
},
resume_client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "bar,baz",
},
@@ -273,6 +281,8 @@ our @tests = (
},
},
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo,bar",
},
@@ -292,6 +302,8 @@ our @tests = (
},
resume_server => { },
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo",
},
@@ -310,11 +322,16 @@ our @tests = (
},
},
client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2",
extra => {
"ALPNProtocols" => "foo",
},
},
- resume_client => { },
+ resume_client => {
+ #TODO(TLS1.3): Temporary until we support TLSv1.3 resumption
+ MaxProtocol => "TLSv1.2"
+ },
test => {
"HandshakeMode" => "Resume",
"ResumptionExpected" => "Yes",
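Review bot: The new `resume_client` entry ends with `MaxProtocol => "TLSv1.2"` without a trailing comma, unlike every other entry added in this file. Writing it as `MaxProtocol => "TLSv1.2",` keeps a later addition to that hash from becoming a syntax error. The test entry continues past the end of this hunk.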
diff --git a/test/ssl-tests/12-ct.conf b/test/ssl-tests/12-ct.conf
index 22fa18dd45..14b8e938c0 100644
--- a/test/ssl-tests/12-ct.conf
+++ b/test/ssl-tests/12-ct.conf
@@ -79,6 +79,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-ct-permissive-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -111,11 +112,13 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[3-ct-strict-resumption-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[3-ct-strict-resumption-resume-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/12-ct.conf.in b/test/ssl-tests/12-ct.conf.in
index 9964d013c2..e7fe1b93d2 100644
--- a/test/ssl-tests/12-ct.conf.in
+++ b/test/ssl-tests/12-ct.conf.in
@@ -18,63 +18,72 @@ package ssltests;
our @tests = (
# Currently only have tests for certs without SCTs.
{
- name => "ct-permissive",
- server => { },
- client => {
- extra => {
- "CTValidation" => "Permissive",
- },
- },
- test => {
- "ExpectedResult" => "Success",
- },
+ name => "ct-permissive",
+ server => { },
+ client => {
+ extra => {
+ "CTValidation" => "Permissive",
+ },
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
},
{
- name => "ct-strict",
- server => { },
- client => {
- extra => {
- "CTValidation" => "Strict",
- },
- },
- test => {
- "ExpectedResult" => "ClientFail",
- "ExpectedClientAlert" => "HandshakeFailure",
- },
+ name => "ct-strict",
+ server => { },
+ client => {
+ extra => {
+ "CTValidation" => "Strict",
+ },
+ },
+ test => {
+ "ExpectedResult" => "ClientFail",
+ "ExpectedClientAlert" => "HandshakeFailure",
+ },
},
{
- name => "ct-permissive-resumption",
- server => { },
- client => {
- extra => {
- "CTValidation" => "Permissive",
- },
- },
- test => {
- "HandshakeMode" => "Resume",
- "ResumptionExpected" => "Yes",
- "ExpectedResult" => "Success",
- },
+ name => "ct-permissive-resumption",
+ server => { },
+ client => {
+ #TODO(TLS1.3): Temporarily set to TLSv1.2 until we implement TLS1.3
+ # resumption
+ MaxProtocol => "TLSv1.2",
+ extra => {
+ "CTValidation" => "Permissive",
+ },
+ },
+ test => {
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success",
+ },
},
{
- name => "ct-strict-resumption",
- server => { },
- client => {
- extra => {
- "CTValidation" => "Permissive",
- },
- },
- # SCTs are not present during resumption, so the resumption
- # should succeed.
- resume_client => {
- extra => {
- "CTValidation" => "Strict",
- },
- },
- test => {
- "HandshakeMode" => "Resume",
- "ResumptionExpected" => "Yes",
- "ExpectedResult" => "Success",
- },
+ name => "ct-strict-resumption",
+ server => { },
+ client => {
+ #TODO(TLS1.3): Temporarily set to TLSv1.2 until we implement TLS1.3
+ # resumption
+ MaxProtocol => "TLSv1.2",
+ extra => {
+ "CTValidation" => "Permissive",
+ },
+ },
+ # SCTs are not present during resumption, so the resumption
+ # should succeed.
+ resume_client => {
+ #TODO(TLS1.3): Temporarily set to TLSv1.2 until we implement TLS1.3
+ # resumption
+ MaxProtocol => "TLSv1.2",
+ extra => {
+ "CTValidation" => "Strict",
+ },
+ },
+ test => {
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "Yes",
+ "ExpectedResult" => "Success",
+ },
},
);
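Review bot: The existing comment in `ct-strict-resumption`, "SCTs are not present during resumption, so the resumption should succeed", is now checked only at TLSv1.2, because both `client` and `resume_client` are capped. The TODO there should say so, for example `# TODO(TLS1.3): re-check that strict CT validation still passes on resumption once the TLSv1.2 cap is removed`, so the expectation is re-examined rather than assumed when the cap goes away. The hunk also re-indents all four entries, which buries the three functional additions among whitespace-only lines; a separate whitespace commit would make the behavioural change easier to audit.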
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index cc39c757c4..a41ffc4b7a 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -135,6 +135,22 @@ sub generate_resumption_tests {
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
+
+ #TODO(TLS1.3): This is temporary code while we do not have support for
+ # TLS1.3 resumption. We recalculate min_tls_enabled and
+ # max_tls_enabled, ignoring TLS1.3
+ foreach my $i (0..($#tls_protocols - 1)) {
+ if (!$is_tls_disabled[$i]) {
+ $min_tls_enabled = $i;
+ last;
+ }
+ }
+ foreach my $i (0..($#tls_protocols - 1)) {
+ if (!$is_tls_disabled[$i]) {
+ $max_tls_enabled = $i;
+ }
+ }
+
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
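Review bot: The two new loops assign to `$min_tls_enabled` and `$max_tls_enabled`, which are declared outside this hunk; if they are file-scope, as the names suggest, any generator called after `generate_resumption_tests` will see the TLS1.3-excluding values as well. Working on copies avoids that: `my ($min_tls, $max_tls) = ($min_tls_enabled, $max_tls_enabled);`, assign to those in the loops, and use them in `my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls;` and the matching max line. When every version before TLS1.3 is disabled neither loop assigns anything, so the old bounds, which may point at TLS1.3, survive; that case needs an explicit decision. The loops also rely on TLS1.3 being the last element of `@tls_protocols`, which deserves a comment. The body of `generate_resumption_tests` starts before and continues after this hunk.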
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 1fa9a8df9b..add38cf622 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -430,6 +430,12 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
SSL_CTX_set_min_proto_version(cctx, TLS1_2_VERSION);
#endif
+ /*
+ * TODO(TLS1.3): Test temporarily disabled for TLS1.3 until we've
+ * implemented session resumption.
+ */
+ SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);
+
/* Set up session cache */
if (fix.use_ext_cache) {
SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
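Review bot: The return value of the added `SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION);` is ignored, so if the call fails the session test runs with no cap and the failure shows up later as an unrelated resumption error. The call returns 1 on success and 0 on failure; `if (!SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION))` routed to the function's existing failure path would make the cause obvious. The comment says the test is "temporarily disabled for TLS1.3", but the code caps the client's maximum version rather than disabling anything; "client capped at TLSv1.2 until TLS1.3 session resumption is implemented" would match the code. `execute_test_session` starts before and continues after this hunk.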