Add option to disable Extended Master Secret

Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3910)
author: Todd Short <tshort@akamai.com> 2017-07-10 13:28:35 -0400
committer: Matt Caswell <matt@openssl.org> 2019-02-15 10:11:18 +0000
commit: 088dfa133561d7613b9391a56ddbce58f32c934a (patch)
tree: 46ebb1770ded52fd84e2202d80cac0ea9121b49f /test/ssl-tests
parent: 9fc8f18f59f4a4c853466dca64a23b8af681bf1c (diff)
download: openssl-new-088dfa133561d7613b9391a56ddbce58f32c934a.tar.gz
3 files changed, 325 insertions, 0 deletions
diff --git a/test/ssl-tests/16-certstatus.conf b/test/ssl-tests/16-certstatus.conf
deleted file mode 100644
index e69de29bb2..0000000000
--- a/test/ssl-tests/16-certstatus.conf
+++ /dev/null
diff --git a/test/ssl-tests/30-extended-master-secret.conf b/test/ssl-tests/30-extended-master-secret.conf
new file mode 100644
index 0000000000..9dae431d21
--- /dev/null
+++ b/test/ssl-tests/30-extended-master-secret.conf
@@ -0,0 +1,203 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 7
+
+test-0 = 0-disable-extended-master-secret-server-sha
+test-1 = 1-disable-extended-master-secret-client-sha
+test-2 = 2-disable-extended-master-secret-both-sha
+test-3 = 3-disable-extended-master-secret-both-resume
+test-4 = 4-disable-extended-master-secret-server-sha2
+test-5 = 5-disable-extended-master-secret-client-sha2
+test-6 = 6-disable-extended-master-secret-both-sha2
+# ===========================================================
+
+[0-disable-extended-master-secret-server-sha]
+ssl_conf = 0-disable-extended-master-secret-server-sha-ssl
+
+[0-disable-extended-master-secret-server-sha-ssl]
+server = 0-disable-extended-master-secret-server-sha-server
+client = 0-disable-extended-master-secret-server-sha-client
+
+[0-disable-extended-master-secret-server-sha-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -ExtendedMasterSecret
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-disable-extended-master-secret-server-sha-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-disable-extended-master-secret-client-sha]
+ssl_conf = 1-disable-extended-master-secret-client-sha-ssl
+
+[1-disable-extended-master-secret-client-sha-ssl]
+server = 1-disable-extended-master-secret-client-sha-server
+client = 1-disable-extended-master-secret-client-sha-client
+
+[1-disable-extended-master-secret-client-sha-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-disable-extended-master-secret-client-sha-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+Options = -ExtendedMasterSecret
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-disable-extended-master-secret-both-sha]
+ssl_conf = 2-disable-extended-master-secret-both-sha-ssl
+
+[2-disable-extended-master-secret-both-sha-ssl]
+server = 2-disable-extended-master-secret-both-sha-server
+client = 2-disable-extended-master-secret-both-sha-client
+
+[2-disable-extended-master-secret-both-sha-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -ExtendedMasterSecret
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-disable-extended-master-secret-both-sha-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+Options = -ExtendedMasterSecret
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[3-disable-extended-master-secret-both-resume]
+ssl_conf = 3-disable-extended-master-secret-both-resume-ssl
+
+[3-disable-extended-master-secret-both-resume-ssl]
+server = 3-disable-extended-master-secret-both-resume-server
+client = 3-disable-extended-master-secret-both-resume-client
+resume-server = 3-disable-extended-master-secret-both-resume-resume-server
+resume-client = 3-disable-extended-master-secret-both-resume-resume-client
+
+[3-disable-extended-master-secret-both-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -ExtendedMasterSecret
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-disable-extended-master-secret-both-resume-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-disable-extended-master-secret-both-resume-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+Options = -ExtendedMasterSecret
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[3-disable-extended-master-secret-both-resume-resume-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+HandshakeMode = Resume
+
+
+# ===========================================================
+
+[4-disable-extended-master-secret-server-sha2]
+ssl_conf = 4-disable-extended-master-secret-server-sha2-ssl
+
+[4-disable-extended-master-secret-server-sha2-ssl]
+server = 4-disable-extended-master-secret-server-sha2-server
+client = 4-disable-extended-master-secret-server-sha2-client
+
+[4-disable-extended-master-secret-server-sha2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -ExtendedMasterSecret
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[4-disable-extended-master-secret-server-sha2-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[5-disable-extended-master-secret-client-sha2]
+ssl_conf = 5-disable-extended-master-secret-client-sha2-ssl
+
+[5-disable-extended-master-secret-client-sha2-ssl]
+server = 5-disable-extended-master-secret-client-sha2-server
+client = 5-disable-extended-master-secret-client-sha2-client
+
+[5-disable-extended-master-secret-client-sha2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[5-disable-extended-master-secret-client-sha2-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
+Options = -ExtendedMasterSecret
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[6-disable-extended-master-secret-both-sha2]
+ssl_conf = 6-disable-extended-master-secret-both-sha2-ssl
+
+[6-disable-extended-master-secret-both-sha2-ssl]
+server = 6-disable-extended-master-secret-both-sha2-server
+client = 6-disable-extended-master-secret-both-sha2-client
+
+[6-disable-extended-master-secret-both-sha2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = -ExtendedMasterSecret
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-disable-extended-master-secret-both-sha2-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
+Options = -ExtendedMasterSecret
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/30-extended-master-secret.conf.in b/test/ssl-tests/30-extended-master-secret.conf.in
new file mode 100644
index 0000000000..2386c98a2a
--- /dev/null
+++ b/test/ssl-tests/30-extended-master-secret.conf.in
@@ -0,0 +1,122 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+
+use OpenSSL::Test::Utils;
+
+our @tests = ();
+
+my @tests_tls1_2 = (
+    {
+        name => "disable-extended-master-secret-server-sha",
+        server => {
+          "Options" => "-ExtendedMasterSecret",
+        },
+        client => {
+          "CipherString" => "AES128-SHA",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-client-sha",
+        server => {
+        },
+        client => {
+          "CipherString" => "AES128-SHA",
+          "Options" => "-ExtendedMasterSecret",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-both-sha",
+        server => {
+          "Options" => "-ExtendedMasterSecret",
+        },
+        client => {
+          "CipherString" => "AES128-SHA",
+          "Options" => "-ExtendedMasterSecret",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-both-resume",
+        server => {
+          "Options" => "-ExtendedMasterSecret",
+        },
+        resume_server => {
+        },
+        client => {
+          "CipherString" => "AES128-SHA",
+          "Options" => "-ExtendedMasterSecret",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        resume_client => {
+          "CipherString" => "AES128-SHA",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+	  "HandshakeMode" => "Resume",
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-server-sha2",
+        server => {
+          "Options" => "-ExtendedMasterSecret",
+        },
+        client => {
+          "CipherString" => "AES128-SHA256",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-client-sha2",
+        server => {
+        },
+        client => {
+          "CipherString" => "AES128-SHA256",
+          "Options" => "-ExtendedMasterSecret",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-extended-master-secret-both-sha2",
+        server => {
+          "Options" => "-ExtendedMasterSecret",
+        },
+        client => {
+          "CipherString" => "AES128-SHA256",
+          "Options" => "-ExtendedMasterSecret",
+          "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+);
+
+push @tests, @tests_tls1_2 unless disabled("tls1_2");
author	Todd Short <tshort@akamai.com>	2017-07-10 13:28:35 -0400
committer	Matt Caswell <matt@openssl.org>	2019-02-15 10:11:18 +0000
commit	088dfa133561d7613b9391a56ddbce58f32c934a (patch)
tree	46ebb1770ded52fd84e2202d80cac0ea9121b49f /test/ssl-tests
parent	9fc8f18f59f4a4c853466dca64a23b8af681bf1c (diff)
download	openssl-new-088dfa133561d7613b9391a56ddbce58f32c934a.tar.gz