author | Todd Short <tshort@akamai.com> | 2017-07-10 13:28:35 -0400 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-02-15 10:11:18 +0000 |
commit | 088dfa133561d7613b9391a56ddbce58f32c934a (patch) | |
tree | 46ebb1770ded52fd84e2202d80cac0ea9121b49f /test/ssl-tests | |
parent | 9fc8f18f59f4a4c853466dca64a23b8af681bf1c (diff) | |
download | openssl-new-088dfa133561d7613b9391a56ddbce58f32c934a.tar.gz |
Add option to disable Extended Master Secret
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either
an SSL or an SSL_CTX. When processing a ClientHello, if this flag
is set, do not indicate that the EMS TLS extension was received in
either the ssl3 object or the SSL_SESSION. Retain most of the
sanity checks between the previous and current session during
session resumption, but weaken the check when the current SSL
object is configured to not use EMS.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3910)
Diffstat (limited to 'test/ssl-tests')
-rw-r--r-- | test/ssl-tests/16-certstatus.conf | 0 | ||||
-rw-r--r-- | test/ssl-tests/30-extended-master-secret.conf | 203 | ||||
-rw-r--r-- | test/ssl-tests/30-extended-master-secret.conf.in | 122 |
3 files changed, 325 insertions, 0 deletions
diff --git a/test/ssl-tests/16-certstatus.conf b/test/ssl-tests/16-certstatus.conf
deleted file mode 100644
index e69de29bb2..0000000000
--- a/test/ssl-tests/16-certstatus.conf
+++ /dev/null
diff --git a/test/ssl-tests/30-extended-master-secret.conf b/test/ssl-tests/30-extended-master-secret.conf
new file mode 100644
index 0000000000..9dae431d21
--- /dev/null
+++ b/test/ssl-tests/30-extended-master-secret.conf
@@ -0,0 +1,203 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 7 + +test-0 = 0-disable-extended-master-secret-server-sha +test-1 = 1-disable-extended-master-secret-client-sha +test-2 = 2-disable-extended-master-secret-both-sha +test-3 = 3-disable-extended-master-secret-both-resume +test-4 = 4-disable-extended-master-secret-server-sha2 +test-5 = 5-disable-extended-master-secret-client-sha2 +test-6 = 6-disable-extended-master-secret-both-sha2 +# =========================================================== + +[0-disable-extended-master-secret-server-sha] +ssl_conf = 0-disable-extended-master-secret-server-sha-ssl + +[0-disable-extended-master-secret-server-sha-ssl] +server = 0-disable-extended-master-secret-server-sha-server +client = 0-disable-extended-master-secret-server-sha-client + +[0-disable-extended-master-secret-server-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -ExtendedMasterSecret +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-disable-extended-master-secret-server-sha-client] +CipherString = AES128-SHA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-disable-extended-master-secret-client-sha] +ssl_conf = 1-disable-extended-master-secret-client-sha-ssl + +[1-disable-extended-master-secret-client-sha-ssl] +server = 1-disable-extended-master-secret-client-sha-server +client = 1-disable-extended-master-secret-client-sha-client + +[1-disable-extended-master-secret-client-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-disable-extended-master-secret-client-sha-client] +CipherString = AES128-SHA +MaxProtocol = TLSv1.2 +Options = -ExtendedMasterSecret +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] 
+ExpectedResult = Success + + +# =========================================================== + +[2-disable-extended-master-secret-both-sha] +ssl_conf = 2-disable-extended-master-secret-both-sha-ssl + +[2-disable-extended-master-secret-both-sha-ssl] +server = 2-disable-extended-master-secret-both-sha-server +client = 2-disable-extended-master-secret-both-sha-client + +[2-disable-extended-master-secret-both-sha-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -ExtendedMasterSecret +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-disable-extended-master-secret-both-sha-client] +CipherString = AES128-SHA +MaxProtocol = TLSv1.2 +Options = -ExtendedMasterSecret +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +ExpectedResult = Success + + +# =========================================================== + +[3-disable-extended-master-secret-both-resume] +ssl_conf = 3-disable-extended-master-secret-both-resume-ssl + +[3-disable-extended-master-secret-both-resume-ssl] +server = 3-disable-extended-master-secret-both-resume-server +client = 3-disable-extended-master-secret-both-resume-client +resume-server = 3-disable-extended-master-secret-both-resume-resume-server +resume-client = 3-disable-extended-master-secret-both-resume-resume-client + +[3-disable-extended-master-secret-both-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -ExtendedMasterSecret +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-disable-extended-master-secret-both-resume-resume-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-disable-extended-master-secret-both-resume-client] +CipherString = AES128-SHA +MaxProtocol = TLSv1.2 +Options = -ExtendedMasterSecret +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + 
+[3-disable-extended-master-secret-both-resume-resume-client] +CipherString = AES128-SHA +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success +HandshakeMode = Resume + + +# =========================================================== + +[4-disable-extended-master-secret-server-sha2] +ssl_conf = 4-disable-extended-master-secret-server-sha2-ssl + +[4-disable-extended-master-secret-server-sha2-ssl] +server = 4-disable-extended-master-secret-server-sha2-server +client = 4-disable-extended-master-secret-server-sha2-client + +[4-disable-extended-master-secret-server-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -ExtendedMasterSecret +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[4-disable-extended-master-secret-server-sha2-client] +CipherString = AES128-SHA256 +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-4] +ExpectedResult = Success + + +# =========================================================== + +[5-disable-extended-master-secret-client-sha2] +ssl_conf = 5-disable-extended-master-secret-client-sha2-ssl + +[5-disable-extended-master-secret-client-sha2-ssl] +server = 5-disable-extended-master-secret-client-sha2-server +client = 5-disable-extended-master-secret-client-sha2-client + +[5-disable-extended-master-secret-client-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[5-disable-extended-master-secret-client-sha2-client] +CipherString = AES128-SHA256 +MaxProtocol = TLSv1.2 +Options = -ExtendedMasterSecret +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-5] +ExpectedResult = Success + + +# =========================================================== + +[6-disable-extended-master-secret-both-sha2] +ssl_conf = 
6-disable-extended-master-secret-both-sha2-ssl + +[6-disable-extended-master-secret-both-sha2-ssl] +server = 6-disable-extended-master-secret-both-sha2-server +client = 6-disable-extended-master-secret-both-sha2-client + +[6-disable-extended-master-secret-both-sha2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +Options = -ExtendedMasterSecret +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[6-disable-extended-master-secret-both-sha2-client] +CipherString = AES128-SHA256 +MaxProtocol = TLSv1.2 +Options = -ExtendedMasterSecret +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-6] +ExpectedResult = Success + +
diff --git a/test/ssl-tests/30-extended-master-secret.conf.in b/test/ssl-tests/30-extended-master-secret.conf.in
new file mode 100644
index 0000000000..2386c98a2a
--- /dev/null
+++ b/test/ssl-tests/30-extended-master-secret.conf.in
@@ -0,0 +1,122 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+
+use OpenSSL::Test::Utils;
+
+our @tests = ();
+
+my @tests_tls1_2 = (
+ {
+ name => "disable-extended-master-secret-server-sha",
+ server => {
+ "Options" => "-ExtendedMasterSecret",
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-client-sha",
+ server => {
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "Options" => "-ExtendedMasterSecret",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-both-sha",
+ server => {
+ "Options" => "-ExtendedMasterSecret",
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "Options" => "-ExtendedMasterSecret",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-both-resume",
+ server => {
+ "Options" => "-ExtendedMasterSecret",
+ },
+ resume_server => {
+ },
+ client => {
+ "CipherString" => "AES128-SHA",
+ "Options" => "-ExtendedMasterSecret",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ resume_client => {
+ "CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "HandshakeMode" => "Resume",
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-server-sha2",
+ server => {
+ "Options" => "-ExtendedMasterSecret",
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-client-sha2",
+ server => {
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ "Options" => "-ExtendedMasterSecret",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+ {
+ name => "disable-extended-master-secret-both-sha2",
+ server => {
+ "Options" => "-ExtendedMasterSecret",
+ },
+ client => {
+ "CipherString" => "AES128-SHA256",
+ "Options" => "-ExtendedMasterSecret",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "ExpectedResult" => "Success",
+ },
+ },
+);
+
+push @tests, @tests_tls1_2 unless disabled("tls1_2");
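Review bot: The `disable-extended-master-secret-both-resume` case asserts only `"ExpectedResult" => "Success"` under `"HandshakeMode" => "Resume"`, so it never pins whether the second handshake actually resumes: the first session is built with EMS disabled on both sides, while `resume_server` and `resume_client` drop the option and so presumably offer the extension again. RFC 7627 section 5.3 requires a server not to resume a non-EMS session from a ClientHello that carries the extension and to fall back to a full handshake, which is exactly the security-relevant behaviour this option touches, so the expectation should be stated explicitly, e.g. `"ResumptionExpected" => "No",` next to `"HandshakeMode"` (assuming the harness accepts that key here as I believe other ssl-tests do) with a comment on the case such as `# an EMS-less session must not be resumed by an EMS-capable peer (RFC 7627 s5.3)`. The non-resume cases likewise pass on a bare Success even if `-ExtendedMasterSecret` had no effect at all, so if the harness can expose whether EMS was negotiated, a negative assertion would make the option's effect observable. Minor: the header reads `Copyright 2016-2016` on a file added in 2017, and the sibling conf.in files that declare `use strict; use warnings;` are worth matching.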