From 557139f68fb7fe77c2de60c83d1810419d981397 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 3 Oct 2023 09:39:47 +0200 Subject: [PATCH 01/74] Adds initial dtls 1.3 structs and definitions Reviewed-by: Neil Horman Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/22259) --- include/openssl/prov_ssl.h | 1 + include/openssl/ssl.h.in | 1 + ssl/d1_lib.c | 15 +++++++++++++++ ssl/methods.c | 18 ++++++++++++++++++ ssl/record/methods/recmethod_local.h | 1 + ssl/record/methods/tls13_meth.c | 21 +++++++++++++++++++++ ssl/ssl_local.h | 11 ++++++++++- 7 files changed, 67 insertions(+), 1 deletion(-) diff --git a/include/openssl/prov_ssl.h b/include/openssl/prov_ssl.h index 76d01e1eb8..9f3e8197e3 100644 --- a/include/openssl/prov_ssl.h +++ b/include/openssl/prov_ssl.h @@ -27,6 +27,7 @@ extern "C" { # define TLS1_3_VERSION 0x0304 # define DTLS1_VERSION 0xFEFF # define DTLS1_2_VERSION 0xFEFD +# define DTLS1_3_VERSION 0xFEFC # define DTLS1_BAD_VER 0x0100 /* QUIC uses a 4 byte unsigned version number */ diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 5da1cde698..886da85e4c 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -404,6 +404,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); # define SSL_OP_NO_TLSv1_3 SSL_OP_BIT(29) # define SSL_OP_NO_DTLSv1 SSL_OP_BIT(26) # define SSL_OP_NO_DTLSv1_2 SSL_OP_BIT(27) +# define SSL_OP_NO_DTLSv1_3 SSL_OP_BIT(29) /* Disallow all renegotiation */ # define SSL_OP_NO_RENEGOTIATION SSL_OP_BIT(30) /* diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 9fa8606b40..04aafc42c7 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c 
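Review bot: `SSL_OP_NO_DTLSv1_3` in include/openssl/ssl.h.in is assigned `SSL_OP_BIT(29)`, the same bit as `SSL_OP_NO_TLSv1_3` a few lines above, and nothing at the definition says the overlap is deliberate. The existing DTLS options reuse low bits in the same way, so this is presumably intended, but a reader auditing protocol-disable flags needs it stated, e.g. `/* Shares its bit with SSL_OP_NO_TLSv1_3; applies to DTLS methods only */`. Any mask that collects the DTLS disable bits (such as `SSL_OP_NO_DTLS_MASK`, which is not part of this hunk) would also need the new option, otherwise code that clears or tests "all DTLS versions" would miss DTLS 1.3.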
@@ -52,6 +52,21 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = { dtls1_handshake_write }; +const SSL3_ENC_METHOD DTLSv1_3_enc_data = { + tls13_setup_key_block, + tls13_generate_master_secret, + tls13_change_cipher_state, + tls13_final_finish_mac, + TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, + tls13_alert_code, + tls13_export_keying_material, + SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF, + dtls1_set_handshake_header, + dtls1_close_construct_packet, + dtls1_handshake_write +}; + OSSL_TIME dtls1_default_timeout(void) { /* diff --git a/ssl/methods.c b/ssl/methods.c index 525f59e912..836d859ec7 100644 --- a/ssl/methods.c +++ b/ssl/methods.c @@ -125,6 +125,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ossl_statem_accept, ossl_statem_connect, DTLSv1_2_enc_data) #endif +#ifndef OPENSSL_NO_DTLS1_3_METHOD +IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, + dtlsv1_3_method, + ossl_statem_accept, + ossl_statem_connect, DTLSv1_3_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_method, ossl_statem_accept, @@ -145,6 +151,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ossl_statem_accept, ssl_undefined_function, DTLSv1_2_enc_data) #endif +#ifndef OPENSSL_NO_DTLS1_3_METHOD +IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, + dtlsv1_3_server_method, + ossl_statem_accept, + ssl_undefined_function, DTLSv1_3_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_server_method, ossl_statem_accept, 
@@ -169,6 +181,12 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ssl_undefined_function, ossl_statem_connect, DTLSv1_2_enc_data) #endif +#ifndef OPENSSL_NO_DTLS1_3_METHOD +IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, + dtlsv1_3_client_method, + ssl_undefined_function, + ossl_statem_connect, DTLSv1_3_enc_data) +#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_client_method, ssl_undefined_function, diff --git a/ssl/record/methods/recmethod_local.h b/ssl/record/methods/recmethod_local.h index 364a3a01bb..73c45436f8 100644 --- a/ssl/record/methods/recmethod_local.h +++ b/ssl/record/methods/recmethod_local.h @@ -384,6 +384,7 @@ extern const struct record_functions_st tls_1_funcs; extern const struct record_functions_st tls_1_3_funcs; extern const struct record_functions_st tls_any_funcs; extern const struct record_functions_st dtls_1_funcs; +extern const struct record_functions_st dtls_1_3_funcs; extern const struct record_functions_st dtls_any_funcs; void ossl_rlayer_fatal(OSSL_RECORD_LAYER *rl, int al, int reason, diff --git a/ssl/record/methods/tls13_meth.c b/ssl/record/methods/tls13_meth.c index 6bbba84d0d..53acb6f7a6 100644 --- a/ssl/record/methods/tls13_meth.c +++ b/ssl/record/methods/tls13_meth.c @@ -425,3 +425,24 @@ const struct record_functions_st tls_1_3_funcs = { tls_post_encryption_processing_default, NULL }; + +const struct record_functions_st dtls_1_3_funcs = { + tls13_set_crypto_state, + tls13_cipher, + NULL, + tls_default_set_protocol_version, + tls_default_read_n, + dtls_get_more_records, + NULL, + tls13_post_process_record, + NULL, + tls_write_records_default, + tls_allocate_write_buffers_default, + tls_initialise_write_packets_default, + tls13_get_record_type, + dtls_prepare_record_header, + tls13_add_record_padding, + tls_prepare_for_encryption_default, + dtls_post_encryption_processing, + NULL +}; diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 3cb74378e5..e5a882162e 100644 
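Review bot: `dtls_1_3_funcs` in ssl/record/methods/tls13_meth.c pairs the TLS 1.3 protection callbacks (`tls13_set_crypto_state`, `tls13_cipher`, `tls13_post_process_record`) with the existing DTLS framing callbacks (`dtls_get_more_records`, `dtls_prepare_record_header`, `dtls_post_encryption_processing`), and none of those bodies are in the hunk. It therefore cannot be confirmed here that the nonce and additional data built by the cipher callback match the header and sequence number that the DTLS routines put on the wire. If the table is only scaffolding at this point in the series, say so above it, e.g. `/* Placeholder: DTLS framing with TLS 1.3 record protection; not yet interoperable */`, and check that nothing selects it until record protection is complete. The initializer is positional with four `NULL` slots, so a short comment naming each slot would make later edits safer.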
--- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -254,13 +254,18 @@ # define SSL_CONNECTION_IS_DTLS(s) \ (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) +/* Check if we are using DTLSv1.3 */ +# define SSL_CONNECTION_IS_DTLS13(s) (SSL_CONNECTION_IS_DTLS(s) \ + && DTLS_VERSION_GE(SSL_CONNECTION_GET_SSL(s)->method->version, DTLS1_3_VERSION) \ + && SSL_CONNECTION_GET_SSL(s)->method->version != DTLS_ANY_VERSION) + /* Check if we are using TLSv1.3 */ # define SSL_CONNECTION_IS_TLS13(s) (!SSL_CONNECTION_IS_DTLS(s) \ && SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \ && SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION) # define SSL_CONNECTION_TREAT_AS_TLS13(s) \ - (SSL_CONNECTION_IS_TLS13(s) \ + ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \ || (s)->early_data_state == SSL_EARLY_DATA_WRITING \ @@ -2281,6 +2286,9 @@ __owur const SSL_METHOD *dtls_bad_ver_client_method(void); __owur const SSL_METHOD *dtlsv1_2_method(void); __owur const SSL_METHOD *dtlsv1_2_server_method(void); __owur const SSL_METHOD *dtlsv1_2_client_method(void); +__owur const SSL_METHOD *dtlsv1_3_method(void); +__owur const SSL_METHOD *dtlsv1_3_server_method(void); +__owur const SSL_METHOD *dtlsv1_3_client_method(void); extern const SSL3_ENC_METHOD TLSv1_enc_data; extern const SSL3_ENC_METHOD TLSv1_1_enc_data; @@ -2289,6 +2297,7 @@ extern const SSL3_ENC_METHOD TLSv1_3_enc_data; extern const SSL3_ENC_METHOD SSLv3_enc_data; extern const SSL3_ENC_METHOD DTLSv1_enc_data; extern const SSL3_ENC_METHOD DTLSv1_2_enc_data; +extern const SSL3_ENC_METHOD DTLSv1_3_enc_data; /* * Flags for SSL methods From 21d0d5139fdb4e0f6e71bae5d8cee1757548c509 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Wed, 4 Oct 2023 09:41:14 +0200 Subject: [PATCH 02/74] Remove compile guards for dtls1.3 method implementations Reviewed-by: Neil Horman Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/22259) --- ssl/methods.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ssl/methods.c b/ssl/methods.c index 836d859ec7..5dd29fbbb2 100644 --- a/ssl/methods.c +++ b/ssl/methods.c @@ -125,12 +125,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ossl_statem_accept, ossl_statem_connect, DTLSv1_2_enc_data) #endif -#ifndef OPENSSL_NO_DTLS1_3_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, dtlsv1_3_method, ossl_statem_accept, ossl_statem_connect, DTLSv1_3_enc_data) -#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_method, ossl_statem_accept, @@ -151,12 +149,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ossl_statem_accept, ssl_undefined_function, DTLSv1_2_enc_data) #endif -#ifndef OPENSSL_NO_DTLS1_3_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, dtlsv1_3_server_method, ossl_statem_accept, ssl_undefined_function, DTLSv1_3_enc_data) -#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_server_method, ossl_statem_accept, @@ -181,12 +177,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, 0, SSL_OP_NO_DTLSv1_2, ssl_undefined_function, ossl_statem_connect, DTLSv1_2_enc_data) #endif -#ifndef OPENSSL_NO_DTLS1_3_METHOD IMPLEMENT_dtls1_meth_func(DTLS1_3_VERSION, 0, SSL_OP_NO_DTLSv1_3, dtlsv1_3_client_method, ssl_undefined_function, ossl_statem_connect, DTLSv1_3_enc_data) -#endif IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, 0, 0, DTLS_client_method, ssl_undefined_function, From 62a0dfac46a615f1c863506902ca006570c3a2c5 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Tue, 3 Oct 2023 12:43:19 +0200 Subject: [PATCH 03/74] Integrate dtls1.3 in s_client and s_server Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22260) --- apps/include/opt.h | 6 +++--- apps/lib/s_cb.c | 6 +++++- apps/s_client.c | 23 +++++++++++++++++++---- apps/s_server.c | 24 +++++++++++++++++++----- 4 files changed, 46 insertions(+), 13 deletions(-) diff --git a/apps/include/opt.h b/apps/include/opt.h index 2bd2fb2484..3f412566d7 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -216,12 +216,12 @@ "Groups to advertise (colon-separated list)" }, \ {"named_curve", OPT_S_NAMEDCURVE, 's', \ "Elliptic curve used for ECDHE (server-side only)" }, \ - {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \ - {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \ + {"cipher", OPT_S_CIPHER, 's', "Specify (D)TLSv1.2 and below cipher list to be used"}, \ + {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify (D)TLSv1.3 ciphersuites to be used"}, \ {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \ {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \ {"record_padding", OPT_S_RECORD_PADDING, 's', \ - "Block size to pad TLS 1.3 records to."}, \ + "Block size to pad (D)TLS 1.3 records to."}, \ {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ "Perform all sorts of protocol violations for testing purposes"}, \ {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \ diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 026315406e..dbd5768d6b 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -575,6 +575,8 @@ static STRINT_PAIR ssl_versions[] = { {"TLS 1.2", TLS1_2_VERSION}, {"TLS 1.3", TLS1_3_VERSION}, {"DTLS 1.0", DTLS1_VERSION}, + {"DTLS 1.2", DTLS1_2_VERSION}, + {"DTLS 1.3", DTLS1_3_VERSION}, {"DTLS 1.0 (bad)", DTLS1_BAD_VER}, {NULL} }; 
@@ -657,7 +659,9 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, version == TLS1_1_VERSION || version == TLS1_2_VERSION || version == TLS1_3_VERSION || - version == DTLS1_VERSION || version == DTLS1_BAD_VER) { + version == DTLS1_VERSION || + version == DTLS1_2_VERSION || + version == DTLS1_3_VERSION || version == DTLS1_BAD_VER) { str_version = lookup(version, ssl_versions, "???"); switch (content_type) { case SSL3_RT_CHANGE_CIPHER_SPEC: diff --git a/apps/s_client.c b/apps/s_client.c index c922653ee7..85be1bf50f 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -491,9 +491,9 @@ typedef enum OPTION_choice { #endif OPT_SSL3, OPT_SSL_CONFIG, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, - OPT_DTLS1_2, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, - OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, - OPT_NEXTPROTONEG, OPT_ALPN, + OPT_DTLS1_2, OPT_DTLS1_3, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, + OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, + OPT_BUILD_CHAIN, OPT_NEXTPROTONEG, OPT_ALPN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE, @@ -696,6 +696,9 @@ const OPTIONS s_client_options[] = { #ifndef OPENSSL_NO_DTLS1_2 {"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"}, #endif +#ifndef OPENSSL_NO_DTLS1_3 + {"dtls1_3", OPT_DTLS1_3, '-', "Just use DTLSv1.3"}, +#endif #ifndef OPENSSL_NO_SCTP {"sctp", OPT_SCTP, '-', "Use SCTP"}, {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"}, 
@@ -798,7 +801,7 @@ static const OPT_PAIR services[] = { #define IS_PROT_FLAG(o) \ (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \ || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \ - || o == OPT_QUIC) + || o == OPT_DTLS1_3 || o == OPT_QUIC) /* Free |*dest| and optionally set it to a copy of |source|. */ static void freeandcopy(char **dest, const char *source) @@ -1350,6 +1353,18 @@ int s_client_main(int argc, char **argv) socket_type = SOCK_DGRAM; isdtls = 1; isquic = 0; +#endif + break; + case OPT_DTLS1_3: +#ifndef OPENSSL_NO_DTLS1_3 + meth = DTLS_client_method(); + min_version = DTLS1_3_VERSION; + max_version = DTLS1_3_VERSION; + socket_type = SOCK_DGRAM; + isdtls = 1; +# ifndef OPENSS_NO_QUIC + isquic = 0; +# endif #endif break; case OPT_QUIC: diff --git a/apps/s_server.c b/apps/s_server.c index 888e8f62cf..f01cf8451b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -57,6 +57,7 @@ typedef unsigned int u_int; #include #endif #include "internal/sockets.h" +#include "ssl/ssl_local.h" static int not_resumable_sess_cb(SSL *s, int is_forward_secure); static int sv_body(int s, int stype, int prot, unsigned char *context); @@ -137,7 +138,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); - if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) { + if ((SSL_is_dtls(ssl) && DTLS_VERSION_GE(SSL_version(ssl), DTLS1_3_VERSION)) + || (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION)) { /* * This callback is designed for use in (D)TLSv1.2 (or below). It is * possible to use a single callback for all protocol versions - but it 
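Review bot: In the new `case OPT_DTLS1_3:` of s_client_main the inner guard is spelled `# ifndef OPENSS_NO_QUIC`, with the `L` missing, so the macro tested is never defined and the guard is always true. `isquic = 0;` is therefore compiled regardless of whether QUIC is configured out, and the guard does nothing; it should read `# ifndef OPENSSL_NO_QUIC`. The context line just above the new case assigns `isquic = 0;` with no guard at all, so it is worth deciding whether the guard is needed and making the two cases agree. s_client_main continues outside the hunk.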
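Review bot: `#include "ssl/ssl_local.h"` makes apps/s_server.c depend on a libssl-internal header, apparently only so that `psk_server_cb` (the next hunk) can use `DTLS_VERSION_GE`. An application that compiles against private headers is tied to internal struct layouts and macros and no longer demonstrates what the public API allows. The check can be written with public values alone, since the DTLS version constants shown in this series decrease as the protocol version rises: `(SSL_is_dtls(ssl) && SSL_version(ssl) != DTLS1_BAD_VER && SSL_version(ssl) <= DTLS1_3_VERSION)`. psk_server_cb's body continues outside the hunk.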
@@ -733,8 +735,8 @@ typedef enum OPTION_choice { OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF, OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, - OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS, - OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, + OPT_DTLS1_2, OPT_DTLS1_3, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, + OPT_STATELESS, OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA, @@ -942,7 +944,7 @@ const OPTIONS s_server_options[] = { "The maximum number of bytes of early data (hard limit)"}, {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"}, {"num_tickets", OPT_S_NUM_TICKETS, 'n', - "The number of TLSv1.3 session tickets that a server will automatically issue" }, + "The number of (D)TLSv1.3 session tickets that a server will automatically issue" }, {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"}, {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"}, {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"}, @@ -975,6 +977,9 @@ const OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_DTLS1_2 {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, #endif +#ifndef OPENSSL_NO_DTLS1_3 + {"dtls1_3", OPT_DTLS1_3, '-', "Just talk DTLSv1.3"}, +#endif #ifndef OPENSSL_NO_SCTP {"sctp", OPT_SCTP, '-', "Use SCTP"}, {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"}, 
@@ -1007,7 +1012,8 @@ const OPTIONS s_server_options[] = { #define IS_PROT_FLAG(o) \ (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \ - || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2) + || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \ + || o == OPT_DTLS1_3) int s_server_main(int argc, char *argv[]) { @@ -1557,6 +1563,14 @@ int s_server_main(int argc, char *argv[]) min_version = DTLS1_2_VERSION; max_version = DTLS1_2_VERSION; socket_type = SOCK_DGRAM; +#endif + break; + case OPT_DTLS1_3: +#ifndef OPENSSL_NO_DTLS + meth = DTLS_server_method(); + min_version = DTLS1_3_VERSION; + max_version = DTLS1_3_VERSION; + socket_type = SOCK_DGRAM; #endif break; case OPT_SCTP: From ef6533ad684777fdd28518613245415a12213248 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 24 Nov 2023 11:03:32 +0100 Subject: [PATCH 04/74] Adds DTLS 1.3 functionality to s_client and s_server documentation. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22260) --- doc/man1/openssl-s_client.pod.in | 25 +++++++++---------- doc/man1/openssl-s_server.pod.in | 41 ++++++++++++++++---------------- doc/man1/openssl.pod | 6 ++--- doc/perlvars.pm | 5 ++-- 4 files changed, 40 insertions(+), 37 deletions(-) diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 8e685d3551..f79ef608d5 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in 
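Review bot: The new `case OPT_DTLS1_3:` in s_server_main is wrapped in `#ifndef OPENSSL_NO_DTLS`, whereas the `dtls1_3` entry added to s_server_options and the equivalent case in s_client.c are both guarded by `OPENSSL_NO_DTLS1_3`. With DTLS enabled but DTLS 1.3 configured out, the option is missing from the table while the case body is still compiled, so the two halves of the feature disagree about when it exists. Use the same macro in both places: `#ifndef OPENSSL_NO_DTLS1_3`. The guards on the neighbouring DTLS cases are outside the hunk, so check whether they follow the same convention before changing only this one.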
@@ -554,13 +554,13 @@ This option must be provided in order to use a PSK cipher. =item B<-psk_session> I Use the pem encoded SSL_SESSION data stored in I as the basis of a PSK. -Note that this will only work if TLSv1.3 is negotiated. +Note that this will only work if (D)TLSv1.3 is negotiated. =item B<-sctp> Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in -conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only -available where OpenSSL has support for SCTP enabled. +conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option +is only available where OpenSSL has support for SCTP enabled. =item B<-sctp_label_bug> @@ -630,11 +630,11 @@ option enables various workarounds. =item B<-no_tx_cert_comp> -Disables support for sending TLSv1.3 compressed certificates. +Disables support for sending (D)TLSv1.3 compressed certificates. =item B<-no_rx_cert_comp> -Disables support for receiving TLSv1.3 compressed certificate. +Disables support for receiving (D)TLSv1.3 compressed certificate. =item B<-comp> @@ -763,7 +763,8 @@ for example "http/1.1" or "spdy/3". An empty list of protocols is treated specially and will cause the client to advertise support for the TLS extension but disconnect just after receiving ServerHello with a list of server supported protocols. -The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. +The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3> is +used. =item B<-ct>, B<-noct> @@ -793,8 +794,8 @@ data and when the server accepts the early data. =item B<-enable_pha> -For TLSv1.3 only, send the Post-Handshake Authentication extension. This will -happen whether or not a certificate has been provided via B<-cert>. +For (D)TLSv1.3 only, send the Post-Handshake Authentication extension. This +will happen whether or not a certificate has been provided via B<-cert>. =item B<-use_srtp> I 
@@ -905,7 +906,7 @@ End the current SSL connection and exit. =item B -Renegotiate the SSL session (TLSv1.2 and below only). +Renegotiate the SSL session ((D)TLSv1.2 and below only). =item B @@ -913,11 +914,11 @@ Attempt to reconnect to the server using a resumption handshake. =item B -Send a key update message to the server (TLSv1.3 only) +Send a key update message to the server ((D)TLSv1.3 only) =item B -Send a key update message to the server and request one back (TLSv1.3 only) +Send a key update message to the server and request one back ((D)TLSv1.3 only) =back @@ -958,7 +959,7 @@ Reconnect to the peer and attempt a resumption handshake =item B -Send a Key Update message. TLSv1.3 only. This command takes an optional +Send a Key Update message. (D)TLSv1.3 only. This command takes an optional argument. If the argument "req" is supplied then the peer is also requested to update its keys. Otherwise if "noreq" is supplied the peer is not requested to update its keys. The default is "req". diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 0d8dd9bd0a..7f307d43a0 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -620,11 +620,11 @@ option enables various workarounds. =item B<-no_tx_cert_comp> -Disables support for sending TLSv1.3 compressed certificates. +Disables support for sending (D)TLSv1.3 compressed certificates. =item B<-no_rx_cert_comp> -Disables support for receiving TLSv1.3 compressed certificates. +Disables support for receiving (D)TLSv1.3 compressed certificates. =item B<-no_comp> 
@@ -645,14 +645,14 @@ more information. =item B<-no_ticket> -Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3 -is negotiated. See B<-num_tickets>. +Disable RFC4507bis session ticket support. This option has no effect if +(D)TLSv1.3 is negotiated. See B<-num_tickets>. =item B<-num_tickets> Control the number of tickets that will be sent to the client after a full -handshake in TLSv1.3. The default number of tickets is 2. This option does not -affect the number of tickets sent after a resumption handshake. +handshake in (D)TLSv1.3. The default number of tickets is 2. This option does +not affect the number of tickets sent after a resumption handshake. =item B<-serverpref> @@ -766,8 +766,8 @@ connect to that peer and complete the handshake. =item B<-sctp> Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in -conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only -available where OpenSSL has support for SCTP enabled. +conjunction with B<-dtls>, B<-dtls1>, B<-dtls1_2> or B<-dtls1_3>. This option +is only available where OpenSSL has support for SCTP enabled. =item B<-sctp_label_bug> @@ -795,7 +795,8 @@ The I list is a comma-separated list of supported protocol names. The list should contain the most desirable protocols first. Protocol names are printable ASCII strings, for example "http/1.1" or "spdy/3". -The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> is used. +The flag B<-nextprotoneg> cannot be specified if B<-tls1_3> or B<-dtls1_3> +is used. =item B<-ktls> 
@@ -843,16 +844,16 @@ B<-WWW>, B<-HTTP> or B<-rev>. =item B<-stateless> -Require TLSv1.3 cookies. +Require (D)TLSv1.3 cookies. =item B<-anti_replay>, B<-no_anti_replay> Switches replay protection on or off, respectively. Replay protection is on by default unless overridden by a configuration file. When it is on, OpenSSL will -automatically detect if a session ticket has been used more than once, TLSv1.3 -has been negotiated, and early data is enabled on the server. A full handshake -is forced if a session ticket is used a second or subsequent time. Any early -data that was sent will be rejected. +automatically detect if a session ticket has been used more than once, +(D)TLSv1.3 has been negotiated, and early data is enabled on the server. A full +handshake is forced if a session ticket is used a second or subsequent time. +Any early data that was sent will be rejected. =item B<-tfo> @@ -928,12 +929,12 @@ End the current SSL connection and exit. =item B -Renegotiate the SSL session (TLSv1.2 and below only). +Renegotiate the SSL session ((D)TLSv1.2 and below only). =item B -Renegotiate the SSL session and request a client certificate (TLSv1.2 and below -only). +Renegotiate the SSL session and request a client certificate ((D)TLSv1.2 and +below only). =item B

@@ -946,15 +947,15 @@ Print out some session cache status information. =item B -Send a key update message to the client (TLSv1.3 only) +Send a key update message to the client ((D)TLSv1.3 only). =item B -Send a key update message to the client and request one back (TLSv1.3 only) +Send a key update message to the client and request one back ((D)TLSv1.3 only). =item B -Send a certificate request to the client (TLSv1.3 only) +Send a certificate request to the client ((D)TLSv1.3 only). =back diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod index c67f8c68e7..c737bbb27e 100644 --- a/doc/man1/openssl.pod +++ b/doc/man1/openssl.pod @@ -609,12 +609,12 @@ the B options. The B options do not work with B and B commands but work with B and B commands. -=item B<-dtls>, B<-dtls1>, B<-dtls1_2> +=item B<-dtls>, B<-dtls1>, B<-dtls1_2>, B<-dtls1_3> These options specify to use DTLS instead of TLS. With B<-dtls>, clients will negotiate any supported DTLS protocol version. -Use the B<-dtls1> or B<-dtls1_2> options to support only DTLS1.0 or DTLS1.2, -respectively. +Use the B<-dtls1>, B<-dtls1_2> or B<-dtls1_3> options to support only DTLS1.0, +DTLS1.2 or DTLS1.3 respectively. =back diff --git a/doc/perlvars.pm b/doc/perlvars.pm index 06dac990cf..92d77a2bf1 100644 --- a/doc/perlvars.pm +++ b/doc/perlvars.pm @@ -162,11 +162,12 @@ $OpenSSL::safe::opt_version_synopsis = "" . "$OpenSSL::safe::opt_versiontls_synopsis\n" . "[B<-dtls>]\n" . "[B<-dtls1>]\n" -. "[B<-dtls1_2>]"; +. "[B<-dtls1_2>]\n" +. "[B<-dtls1_3>]"; $OpenSSL::safe::opt_version_item = "\n" . "$OpenSSL::safe::opt_versiontls_item\n" . "\n" -. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>\n" +. "=item B<-dtls>, B<-dtls1>, B<-dtls1_2>, B<-dtls1_3>\n" . "\n" . "These specify the use of DTLS instead of TLS.\n" . "See L."; From 1daca57fd3c0e044a97617616fa645e8ec8524a8 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Tue, 23 Jan 2024 14:58:31 +0100 Subject: [PATCH 05/74] Print session ticket for dtls 1.3 as well. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22260) --- apps/s_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_client.c b/apps/s_client.c index 85be1bf50f..d8ed0ff4c2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -830,7 +830,7 @@ static int new_session_cb(SSL *s, SSL_SESSION *sess) * Session data gets dumped on connection for TLSv1.2 and below, and on * arrival of the NewSessionTicket for TLSv1.3. */ - if (SSL_version(s) == TLS1_3_VERSION) { + if (SSL_version(s) == TLS1_3_VERSION || SSL_version(s) == DTLS1_3_VERSION) { BIO_printf(bio_c_out, "---\nPost-Handshake New Session Ticket arrived:\n"); SSL_SESSION_print(bio_c_out, sess); From df6967ca3c1e562eb9880d038fe6c995518b8ce4 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 3 Oct 2023 13:19:42 +0200 Subject: [PATCH 06/74] Support TLS1.3 extensions with DTLS1.3 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22261) --- ssl/statem/extensions.c | 66 +++++++++++++++-------------- ssl/statem/extensions_clnt.c | 80 ++++++++++++++++++++++++------------ ssl/statem/extensions_srvr.c | 46 ++++++++++++--------- 3 files changed, 115 insertions(+), 77 deletions(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 762c7ac0d4..375308c5f7 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
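Review bot: The comment directly above the changed condition in new_session_cb still says session data is dumped "on arrival of the NewSessionTicket for TLSv1.3", but the condition now also matches `DTLS1_3_VERSION`. Update the comment line to `* arrival of the NewSessionTicket for (D)TLSv1.3.` so it agrees with the code. The test here is an exact equality on two versions, while psk_server_cb in s_server.c uses a greater-or-equal comparison for the same "1.3" question; a shared helper in the apps would keep the two from drifting apart. The function body continues outside the hunk.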
@@ -190,7 +190,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { * to indicate to the client the complete list of groups supported * by the server, with the server instead just indicating the * selected group for this connection in the ServerKeyExchange - * message. TLS 1.3 adds a scheme for the server to indicate + * message. (D)TLS 1.3 adds a scheme for the server to indicate * to the client its list of supported groups in the * EncryptedExtensions message, but none of the relevant * specifications permit sending supported_groups in the ServerHello. @@ -200,7 +200,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { * ServerHello anyway. Up to and including the 1.1.0 release, * we did not check for the presence of nonpermitted extensions, * so to avoid a regression, we must permit this extension in the - * TLS 1.2 ServerHello as well. + * (D)TLS 1.2 ServerHello as well. * * Note that there is no tls_parse_stoc_supported_groups function, * so we do not perform any additional parsing, validation, or @@ -341,7 +341,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { { TLSEXT_TYPE_supported_versions, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO - | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY, + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, NULL, /* Processed inline as part of version selection */ NULL, tls_parse_stoc_supported_versions, @@ -350,8 +350,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { }, { TLSEXT_TYPE_psk_kex_modes, - SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS_IMPLEMENTATION_ONLY - | SSL_EXT_TLS1_3_ONLY, + SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_ONLY, init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, tls_construct_ctos_psk_kex_modes, NULL }, 
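Review bot: Removing `SSL_EXT_TLS_IMPLEMENTATION_ONLY` from the `TLSEXT_TYPE_supported_versions` entry leaves it with no `SSL_EXT_TLS1_3_ONLY` flag, so it now applies to every DTLS ClientHello, including connections that can only negotiate DTLS 1.2 or below. Its parse slot is `NULL` with the comment "Processed inline as part of version selection", and that code is not in this hunk, so it cannot be confirmed here that DTLS version selection reads the extension and rejects TLS version values inside it. A comment on the entry such as `/* Also sent for DTLS; the list then carries DTLS version values */` and a test against a DTLS 1.2-only peer would document and pin the behaviour. The same flag is dropped from psk_kex_modes, key_share, cookie, compress_certificate and psk in the hunks that follow; those entries keep `SSL_EXT_TLS1_3_ONLY`, so `extension_is_relevant` still gates them by version.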
@@ -362,7 +361,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { */ TLSEXT_TYPE_key_share, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO - | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS_IMPLEMENTATION_ONLY + | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST | SSL_EXT_TLS1_3_ONLY, NULL, tls_parse_ctos_key_share, tls_parse_stoc_key_share, tls_construct_stoc_key_share, tls_construct_ctos_key_share, @@ -372,7 +371,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { /* Must be after key_share */ TLSEXT_TYPE_cookie, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + | SSL_EXT_TLS1_3_ONLY, NULL, tls_parse_ctos_cookie, tls_parse_stoc_cookie, tls_construct_stoc_cookie, tls_construct_ctos_cookie, NULL }, @@ -390,7 +389,7 @@ static const EXTENSION_DEFINITION ext_defs[] = { { TLSEXT_TYPE_compress_certificate, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST - | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + | SSL_EXT_TLS1_3_ONLY, tls_init_compress_certificate, tls_parse_compress_certificate, tls_parse_compress_certificate, tls_construct_compress_certificate, tls_construct_compress_certificate, @@ -422,10 +421,10 @@ static const EXTENSION_DEFINITION ext_defs[] = { NULL, NULL, NULL, tls_construct_ctos_padding, NULL }, { - /* Required by the TLSv1.3 spec to always be the last extension */ + /* Required by the (D)TLSv1.3 spec to always be the last extension */ TLSEXT_TYPE_psk, SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_SERVER_HELLO - | SSL_EXT_TLS_IMPLEMENTATION_ONLY | SSL_EXT_TLS1_3_ONLY, + | SSL_EXT_TLS1_3_ONLY, NULL, tls_parse_ctos_psk, tls_parse_stoc_psk, tls_construct_stoc_psk, tls_construct_ctos_psk, final_psk } 
@@ -556,33 +555,33 @@ static int verify_extension(SSL_CONNECTION *s, unsigned int context, int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx, unsigned int thisctx) { - int is_tls13; + int is_version13; /* * For HRR we haven't selected the version yet but we know it will be - * TLSv1.3 + * (D)TLSv1.3 */ if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) - is_tls13 = 1; + is_version13 = 1; else - is_tls13 = SSL_CONNECTION_IS_TLS13(s); + is_version13 = SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s); if ((SSL_CONNECTION_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) || (s->version == SSL3_VERSION && (extctx & SSL_EXT_SSL3_ALLOWED) == 0) /* - * Note that SSL_IS_TLS13() means "TLS 1.3 has been negotiated", + * Note that is_version13 means "(D)TLS 1.3 has been negotiated", * which is never true when generating the ClientHello. * However, version negotiation *has* occurred by the time the * ClientHello extensions are being parsed. - * Be careful to allow TLS 1.3-only extensions when generating + * Be careful to allow (D)TLS 1.3-only extensions when generating * the ClientHello. */ - || (is_tls13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) - || (!is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 + || (is_version13 && (extctx & SSL_EXT_TLS1_2_AND_BELOW_ONLY) != 0) + || (!is_version13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0 && (thisctx & SSL_EXT_CLIENT_HELLO) == 0) - || (s->server && !is_tls13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) + || (s->server && !is_version13 && (extctx & SSL_EXT_TLS1_3_ONLY) != 0) || (s->hit && (extctx & SSL_EXT_IGNORE_ON_RESUMPTION) != 0)) return 0; return 1; 
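Review bot: `is_version13 = SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s);` in extension_is_relevant writes out a disjunction that this patch repeats by hand in final_server_name, final_alpn, final_sig_algs and final_key_share. Each hand-written copy is a place where a later 1.3-only check can forget the DTLS half, and then DTLS 1.3 is silently handled under pre-1.3 rules (warning alerts sent, missing signature_algorithms tolerated). One macro in ssl_local.h would remove that risk, for example `# define SSL_CONNECTION_IS_VERSION13(s) (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))`, which `SSL_CONNECTION_TREAT_AS_TLS13` could use as well.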
@@ -833,7 +832,8 @@ int should_add_extension(SSL_CONNECTION *s, unsigned int extctx, if (!extension_is_relevant(s, extctx, thisctx) || ((extctx & SSL_EXT_TLS1_3_ONLY) != 0 && (thisctx & SSL_EXT_CLIENT_HELLO) != 0 - && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))) + && (SSL_CONNECTION_IS_DTLS(s) ? DTLS_VERSION_LT(max_version, DTLS1_3_VERSION) + : max_version < TLS1_3_VERSION))) return 0; return 1; @@ -860,7 +860,7 @@ int tls_construct_extensions(SSL_CONNECTION *s, WPACKET *pkt, /* * If extensions are of zero length then we don't even add the * extensions length bytes to a ClientHello/ServerHello - * (for non-TLSv1.3). + * (for non-(D)TLSv1.3). */ || ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO)) != 0 @@ -1072,8 +1072,8 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent) return 0; case SSL_TLSEXT_ERR_ALERT_WARNING: - /* TLSv1.3 doesn't have warning alerts so we suppress this */ - if (!SSL_CONNECTION_IS_TLS13(s)) + /* (D)TLSv1.3 doesn't have warning alerts so we suppress this */ + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) ssl3_send_alert(s, SSL3_AL_WARNING, altmp); s->servername_done = 0; return 1; 
@@ -1180,15 +1180,15 @@ static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent) if (!s->server && !sent && s->session->ext.alpn_selected != NULL) s->ext.early_data_ok = 0; - if (!s->server || !SSL_CONNECTION_IS_TLS13(s)) + if (!s->server || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) return 1; /* * Call alpn_select callback if needed. Has to be done after SNI and - * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3 + * cipher negotiation (HTTP/2 restricts permitted ciphers). In (D)TLSv1.3 * we also have to do this before we decide whether to accept early_data. - * In TLSv1.3 we've already negotiated our cipher so we do this call now. - * For < TLSv1.3 we defer it until after cipher negotiation. + * In (D)TLSv1.3 we've already negotiated our cipher so we do this call now. + * For < (D)TLSv1.3 we defer it until after cipher negotiation. * * On failure SSLfatal() already called. */ @@ -1340,7 +1340,7 @@ static int init_srtp(SSL_CONNECTION *s, unsigned int context) static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent) { - if (!sent && SSL_CONNECTION_IS_TLS13(s) && !s->hit) { + if (!sent && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->hit) { SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_R_MISSING_SIGALGS_EXTENSION); return 0; @@ -1364,7 +1364,7 @@ static int final_supported_versions(SSL_CONNECTION *s, unsigned int context, static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) { #if !defined(OPENSSL_NO_TLS1_3) - if (!SSL_CONNECTION_IS_TLS13(s)) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) return 1; /* Nothing to do for key_share in an HRR */ 
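Review bot: In final_key_share() the early return now lets DTLS 1.3 through, but the body is still wrapped in `#if !defined(OPENSSL_NO_TLS1_3)`. In a build with TLS 1.3 compiled out, the key_share finalisation is therefore presumably compiled out for a DTLS 1.3 connection as well. Whether such a build can still negotiate DTLS 1.3 is not visible here. If it can, the guard has to account for DTLS 1.3; if it cannot, a comment on the `#if` such as `/* DTLSv1.3 is unavailable when TLSv1.3 is disabled */` would record that dependency. The function body continues outside the hunk.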
@@ -1464,14 +1464,18 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) * Find the first group we allow that is also in client's list */ for (i = 0; i < num_groups; i++) { + int version; + group_id = pgroups[i]; + version = SSL_CONNECTION_IS_DTLS(s) ? + DTLS1_3_VERSION : TLS1_3_VERSION; if (check_in_list(s, group_id, clntgroups, clnt_num_groups, 1) && tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) - && tls_valid_group(s, group_id, TLS1_3_VERSION, - TLS1_3_VERSION, 0, NULL)) + && tls_valid_group(s, group_id, version, + version, 0, NULL)) break; } diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index fb9f8796ba..2d3486ad34 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -218,6 +218,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, const uint16_t *pgroups = NULL; size_t num_groups = 0, i, tls13added = 0, added = 0; int min_version, max_version, reason; + const int isdtls = SSL_CONNECTION_IS_DTLS(s); reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); if (reason != 0) { @@ -226,12 +227,13 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, } /* - * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore + * We only support EC groups in (D)TLSv1.2 or below, and in DTLS. Therefore * if we don't have EC support then we don't send this extension. */ - if (!use_ecc(s, min_version, max_version) - && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION)) - return EXT_RETURN_NOT_SENT; + if (!use_ecc(s, min_version, max_version)) + if ((!isdtls && max_version < TLS1_3_VERSION) + || (isdtls && DTLS_VERSION_LT(max_version, DTLS1_3_VERSION))) + return EXT_RETURN_NOT_SENT; /* * Add TLS extension supported_groups to the ClientHello message 
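Review bot: In tls_construct_ctos_supported_groups() the new test is an unbraced `if` nested directly inside another unbraced `if`, which is easy to misread and fragile if an `else` is ever added. The expression form already used in should_add_extension() reads more safely: `if (!use_ecc(s, min_version, max_version) && (isdtls ? DTLS_VERSION_LT(max_version, DTLS1_3_VERSION) : max_version < TLS1_3_VERSION))` followed by the `return EXT_RETURN_NOT_SENT;`. The comment above it still ends with "and in DTLS", which no longer matches the code now that a DTLS 1.3 capable client proceeds without EC support; it should say DTLSv1.2 or below. The function body continues outside the hunk.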
@@ -257,7 +259,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } - if (okfortls13 && max_version == TLS1_3_VERSION) + if ((okfortls13 && max_version == TLS1_3_VERSION) + || (okfortls13 && max_version == DTLS1_3_VERSION)) tls13added++; added++; } @@ -271,7 +274,8 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL_CONNECTION *s, WPACKET *pkt, return EXT_RETURN_FAIL; } - if (tls13added == 0 && max_version == TLS1_3_VERSION) { + if (tls13added == 0 && (max_version == TLS1_3_VERSION + || max_version == DTLS1_3_VERSION)) { SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS, "No groups enabled for max supported SSL/TLS version"); return EXT_RETURN_FAIL; @@ -291,7 +295,8 @@ EXT_RETURN tls_construct_ctos_session_ticket(SSL_CONNECTION *s, WPACKET *pkt, if (!s->new_session && s->session != NULL && s->session->ext.tick != NULL - && s->session->ssl_version != TLS1_3_VERSION) { + && s->session->ssl_version != TLS1_3_VERSION + && s->session->ssl_version != DTLS1_3_VERSION) { ticklen = s->session->ext.ticklen; } else if (s->session && s->ext.session_ticket != NULL && s->ext.session_ticket->data != NULL) { @@ -561,6 +566,7 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt size_t chainidx) { int currv, min_version, max_version, reason; + int isdtls = SSL_CONNECTION_IS_DTLS(s); reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); if (reason != 0) { 
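Review bot: The check in tls_construct_ctos_session_ticket() now treats a session as 1.3 when `ssl_version` is either `TLS1_3_VERSION` or `DTLS1_3_VERSION`, without looking at whether this connection is DTLS. The same either-version test is added in tls_construct_ctos_early_data() for the session returned by the PSK callback, in tls_construct_ctos_padding() and tls_construct_ctos_psk(), in tls_parse_stoc_supported_versions() for the value read from the ServerHello, and in tls_parse_ctos_cookie(). Unless a later check outside these hunks rejects the mismatch, a TLS 1.3 session or version value is accepted on a DTLS connection and the reverse. The patch already computes the expected value elsewhere, so comparing against it binds each check to the transport, e.g. `if (version != (SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION))`.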
@@ -569,10 +575,10 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt } /* - * Don't include this if we can't negotiate TLSv1.3. We can do a straight - * comparison here because we will never be called in DTLS. + * Don't include this if we can't negotiate (D)TLSv1.3. */ - if (max_version < TLS1_3_VERSION) + if ((!isdtls && max_version < TLS1_3_VERSION) + || (isdtls && DTLS_VERSION_LT(max_version, DTLS1_3_VERSION))) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_supported_versions) @@ -582,10 +588,19 @@ EXT_RETURN tls_construct_ctos_supported_versions(SSL_CONNECTION *s, WPACKET *pkt return EXT_RETURN_FAIL; } - for (currv = max_version; currv >= min_version; currv--) { - if (!WPACKET_put_bytes_u16(pkt, currv)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return EXT_RETURN_FAIL; + if (isdtls) { + for (currv = max_version; DTLS_VERSION_GE(currv, min_version); currv++) { + if (!WPACKET_put_bytes_u16(pkt, currv)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } + } + } else { + for (currv = max_version; currv >= min_version; currv--) { + if (!WPACKET_put_bytes_u16(pkt, currv)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + return EXT_RETURN_FAIL; + } } } if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) { @@ -711,10 +726,14 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, curve_id = s->s3.group_id; } else { for (i = 0; i < num_groups; i++) { + int version; + if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) continue; - if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, + version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + + if (!tls_valid_group(s, pgroups[i], version, version, 0, NULL)) continue; 
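Review bot: The DTLS branch of the loop in tls_construct_ctos_supported_versions() steps `currv++` through every integer from `max_version` to `min_version`. With DTLS 1.0 as the minimum it therefore also writes 0xFEFE, which sits between `DTLS1_2_VERSION` (0xFEFD) and `DTLS1_VERSION` (0xFEFF) and is not a version this series defines. A peer should ignore an unknown entry, but the ClientHello then advertises a version the stack cannot speak. A filter inside the loop would avoid that, e.g. `if (currv != DTLS1_3_VERSION && currv != DTLS1_2_VERSION && currv != DTLS1_VERSION) continue;`. If `DTLS1_BAD_VER` can ever be the minimum, the walk needs checking for that case too, since its numeric value is far from the others.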
@@ -792,7 +811,8 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, if (s->psk_use_session_cb != NULL && (!s->psk_use_session_cb(ussl, handmd, &id, &idlen, &psksess) || (psksess != NULL - && psksess->ssl_version != TLS1_3_VERSION))) { + && psksess->ssl_version != TLS1_3_VERSION + && psksess->ssl_version != DTLS1_3_VERSION))) { SSL_SESSION_free(psksess); SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); return EXT_RETURN_FAIL; @@ -814,6 +834,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, } else if (psklen > 0) { const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; const SSL_CIPHER *cipher; + int version; idlen = strlen(identity); if (idlen > PSK_MAX_IDENTITY_LEN) { @@ -824,7 +845,7 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, /* * We found a PSK using an old style callback. We don't know - * the digest so we default to SHA256 as per the TLSv1.3 spec + * the digest so we default to SHA256 as per the (D)TLSv1.3 spec */ cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), tls13_aes128gcmsha256_id); @@ -834,10 +855,12 @@ EXT_RETURN tls_construct_ctos_early_data(SSL_CONNECTION *s, WPACKET *pkt, } psksess = SSL_SESSION_new(); + version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (psksess == NULL || !SSL_SESSION_set1_master_key(psksess, psk, psklen) || !SSL_SESSION_set_cipher(psksess, cipher) - || !SSL_SESSION_set_protocol_version(psksess, TLS1_3_VERSION)) { + || !SSL_SESSION_set_protocol_version(psksess, version)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); OPENSSL_cleanse(psk, psklen); return EXT_RETURN_FAIL; 
@@ -969,7 +992,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL_CONNECTION *s, WPACKET *pkt, * If we're going to send a PSK then that will be written out after this * extension, so we need to calculate how long it is going to be. */ - if (s->session->ssl_version == TLS1_3_VERSION + if ((s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) && s->session->ext.ticklen != 0 && s->session->cipher != NULL) { const EVP_MD *md = ssl_md(SSL_CONNECTION_GET_CTX(s), @@ -1044,7 +1067,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, * If this is an incompatible or new session then we have nothing to resume * so don't add this extension. */ - if (s->session->ssl_version != TLS1_3_VERSION + if ((s->session->ssl_version != TLS1_3_VERSION && s->session->ssl_version != DTLS1_3_VERSION) || (s->session->ext.ticklen == 0 && s->psksession == NULL)) return EXT_RETURN_NOT_SENT; @@ -1458,18 +1481,18 @@ int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, /* * MUST only be sent if we've requested a status - * request message. In TLS <= 1.2 it must also be empty. + * request message. In (D)TLS <= 1.2 it must also be empty. */ if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) { SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); return 0; } - if (!SSL_CONNECTION_IS_TLS13(s) && PACKET_remaining(pkt) > 0) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && PACKET_remaining(pkt) > 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); return 0; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* We only know how to handle this if it's for the first Certificate in * the chain. We ignore any other responses. */ 
@@ -1805,9 +1828,9 @@ int tls_parse_stoc_supported_versions(SSL_CONNECTION *s, PACKET *pkt, /* * The only protocol version we support which is valid in this extension in - * a ServerHello is TLSv1.3 therefore we shouldn't be getting anything else. + * a ServerHello is (D)TLSv1.3 therefore we shouldn't be getting anything else. */ - if (version != TLS1_3_VERSION) { + if (version != TLS1_3_VERSION && version != DTLS1_3_VERSION) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); return 0; @@ -1851,6 +1874,7 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) { const uint16_t *pgroups = NULL; size_t i, num_groups; + int version; if (PACKET_remaining(pkt) != 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); @@ -1872,10 +1896,12 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, if (group_id == pgroups[i]) break; } + + version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (i >= num_groups || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) - || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, - 0, NULL)) { + || !tls_valid_group(s, group_id, version, version, 0, NULL)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); return 0; } diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 73b93048cb..fa3b8fdfdf 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c 
@@ -133,10 +133,10 @@ int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt, } /* - * In TLSv1.2 and below the SNI is associated with the session. In TLSv1.3 + * In (D)TLSv1.2 and below the SNI is associated with the session. In (D)TLSv1.3 * we always use the SNI value from the handshake. */ - if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { + if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION); return 0; @@ -161,9 +161,9 @@ int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt, s->servername_done = 1; } else { /* - * In TLSv1.2 and below we should check if the SNI is consistent between - * the initial handshake and the resumption. In TLSv1.3 SNI is not - * associated with the session. + * In (D)TLSv1.2 and below we should check if the SNI is consistent + * between the initial handshake and the resumption. In (D)TLSv1.3 SNI + * is not associated with the session. */ s->servername_done = (s->session->ext.hostname != NULL) && PACKET_equal(&hostname, s->session->ext.hostname, @@ -652,6 +652,9 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt, } while (PACKET_remaining(&key_share_list) > 0) { + const int version13 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; + if (!PACKET_get_net_2(&key_share_list, &group_id) || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt) || PACKET_remaining(&encoded_pt) == 0) { @@ -688,9 +691,9 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt, || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) /* * We tolerate but ignore a group id that we don't think is - * suitable for TLSv1.3 + * suitable for (D)TLSv1.3 */ - || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, + || !tls_valid_group(s, group_id, version13, version13, 0, NULL)) { /* Share not suitable */ continue; 
@@ -808,7 +811,7 @@ int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); return 0; } - if (version != TLS1_3_VERSION) { + if (version != TLS1_3_VERSION && version != DTLS1_3_VERSION) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); return 0; @@ -944,7 +947,7 @@ int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt, return 0; } - if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { + if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { OPENSSL_free(s->ext.peer_supportedgroups); s->ext.peer_supportedgroups = NULL; s->ext.peer_supportedgroups_len = 0; @@ -1087,10 +1090,11 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, } else if (pskdatalen > 0) { const SSL_CIPHER *cipher; const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 }; + int version; /* * We found a PSK using an old style callback. We don't know - * the digest so we default to SHA256 as per the TLSv1.3 spec + * the digest so we default to SHA256 as per the (D)TLSv1.3 spec */ cipher = SSL_CIPHER_find(SSL_CONNECTION_GET_SSL(s), tls13_aes128gcmsha256_id); @@ -1101,12 +1105,14 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, } sess = SSL_SESSION_new(); + version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (sess == NULL || !SSL_SESSION_set1_master_key(sess, pskdata, pskdatalen) || !SSL_SESSION_set_cipher(sess, cipher) || !SSL_SESSION_set_protocol_version(sess, - TLS1_3_VERSION)) { + version)) { OPENSSL_cleanse(pskdata, pskdatalen); SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; 
@@ -1315,10 +1321,10 @@ EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt, return EXT_RETURN_NOT_SENT; /* - * Prior to TLSv1.3 we ignore any SNI in the current handshake if resuming. + * Prior to (D)TLSv1.3 we ignore any SNI in the current handshake if resuming. * We just use the servername from the initial handshake. */ - if (s->hit && !SSL_CONNECTION_IS_TLS13(s)) + if (s->hit && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) @@ -1469,7 +1475,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt, if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; - if (SSL_CONNECTION_IS_TLS13(s) && chainidx != 0) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && chainidx != 0) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) @@ -1479,11 +1485,12 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt, } /* - * In TLSv1.3 we include the certificate status itself. In <= TLSv1.2 we + * In (D)TLSv1.3 we include the certificate status itself. In <= (D)TLSv1.2 we * send back an empty extension, with the certificate status appearing as a * separate message */ - if (SSL_CONNECTION_IS_TLS13(s) && !tls_construct_cert_status_body(s, pkt)) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && !tls_construct_cert_status_body(s, pkt)) { /* SSLfatal() already called */ return EXT_RETURN_FAIL; } @@ -1620,7 +1627,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt unsigned int context, X509 *x, size_t chainidx) { - if (!ossl_assert(SSL_CONNECTION_IS_TLS13(s))) { + if (!ossl_assert((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } 
@@ -1786,6 +1793,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); SSL *ssl = SSL_CONNECTION_GET_SSL(s); SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); + const int version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0) return EXT_RETURN_NOT_SENT; @@ -1801,7 +1809,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, || !WPACKET_get_total_written(pkt, &startlen) || !WPACKET_reserve_bytes(pkt, MAX_COOKIE_SIZE, &cookie) || !WPACKET_put_bytes_u16(pkt, COOKIE_STATE_FORMAT_VERSION) - || !WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION) + || !WPACKET_put_bytes_u16(pkt, version) || !WPACKET_put_bytes_u16(pkt, s->s3.group_id) || !ssl->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &ciphlen) @@ -1997,7 +2005,7 @@ EXT_RETURN tls_construct_stoc_client_cert_type(SSL_CONNECTION *sc, WPACKET *pkt, /* * Note: only supposed to send this if we are going to do a cert request, - * but TLSv1.3 could do a PHA request if the client supports it + * but (D)TLSv1.3 could do a PHA request if the client supports it */ if ((!send_certificate_request(sc) && sc->post_handshake_auth != SSL_PHA_EXT_RECEIVED) || sc->ext.client_cert_type_ctos != OSSL_CERT_TYPE_CTOS_GOOD From 0833bcf67d02c479b96b630564f255292bbec838 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 18 Oct 2023 10:02:32 +0200 Subject: [PATCH 07/74] Use dtls1.3 cryptographic label prefix as dictated by RFC 9147 section 5.9 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22416) --- ssl/tls13_enc.c | 63 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 7846c73a86..80ac467da4 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c 
@@ -18,23 +18,27 @@ #define TLS13_MAX_LABEL_LEN 249 +/* ASCII: "dtls13", in hex for EBCDIC compatibility */ +static const unsigned char label_prefix_dtls13[] = "\x64\x74\x6C\x73\x31\x33"; /* ASCII: "tls13 ", in hex for EBCDIC compatibility */ -static const unsigned char label_prefix[] = "\x74\x6C\x73\x31\x33\x20"; +static const unsigned char label_prefix_tls13[] = "\x74\x6C\x73\x31\x33\x20"; /* - * Given a |secret|; a |label| of length |labellen|; and |data| of length - * |datalen| (e.g. typically a hash of the handshake messages), derive a new - * secret |outlen| bytes long and store it in the location pointed to be |out|. + * Given a |secret|; a |label_prefix| of length |label_prefix_len|; a |label| + * of length |labellen|; and |data| of length |datalen| (e.g. typically a hash + * of the handshake messages), derive a new secret |outlen| bytes long and + * store it in the location pointed to be |out|. * The |data| value may be zero length. Any errors will be treated as fatal if * |fatal| is set. Returns 1 on success 0 on failure. * If |raise_error| is set, ERR_raise is called on failure. */ -int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, - const EVP_MD *md, - const unsigned char *secret, - const unsigned char *label, size_t labellen, - const unsigned char *data, size_t datalen, - unsigned char *out, size_t outlen, int raise_error) +static int hkdf_expand(OSSL_LIB_CTX *libctx, const char *propq, + const EVP_MD *md, + const unsigned char *secret, + const unsigned char *label_prefix, size_t label_prefix_len, + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen, int raise_error) { EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, propq); EVP_KDF_CTX *kctx; 
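Review bot: The comment on `label_prefix_dtls13` does not say that the missing trailing space is deliberate, and next to `"tls13 "` the six bytes `"dtls13"` look like a typo that a later cleanup might "fix", silently changing every derived key. The commit message cites RFC 9147 section 5.9, so the comment could carry that reference: `/* ASCII: "dtls13" with no trailing space (RFC 9147 section 5.9), in hex for EBCDIC compatibility */`. The rewritten header comment on hkdf_expand() would also benefit from stating that `label_prefix_len` excludes the terminating NUL, since both callers pass `sizeof(...) - 1`. The body of hkdf_expand() continues outside the hunk.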
@@ -76,7 +80,7 @@ int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, (unsigned char *)secret, hashlen); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, (unsigned char *)label_prefix, - sizeof(label_prefix) - 1); + label_prefix_len); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)label, labellen); if (data != NULL) @@ -96,6 +100,18 @@ int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, return ret == 0; } +int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, + const EVP_MD *md, + const unsigned char *secret, + const unsigned char *label, size_t labellen, + const unsigned char *data, size_t datalen, + unsigned char *out, size_t outlen, int raise_error) +{ + return hkdf_expand(libctx, propq, md, secret, label_prefix_tls13, sizeof(label_prefix_tls13) - 1, + label, labellen, data, datalen, out, outlen, + raise_error); +} + int tls13_hkdf_expand(SSL_CONNECTION *s, const EVP_MD *md, const unsigned char *secret, const unsigned char *label, size_t labellen, @@ -105,9 +121,16 @@ int tls13_hkdf_expand(SSL_CONNECTION *s, const EVP_MD *md, int ret; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); - ret = tls13_hkdf_expand_ex(sctx->libctx, sctx->propq, md, - secret, label, labellen, data, datalen, - out, outlen, !fatal); + const char *label_prefix = SSL_CONNECTION_IS_TLS13(s) ? label_prefix_tls13 + : label_prefix_dtls13; + + size_t label_prefix_len = SSL_CONNECTION_IS_TLS13(s) + ? sizeof(label_prefix_tls13) - 1 + : sizeof(label_prefix_dtls13) - 1; + + ret = hkdf_expand(sctx->libctx, sctx->propq, md, secret, label_prefix, + label_prefix_len, label, labellen, data, + datalen, out, outlen, !fatal); if (ret == 0 && fatal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 
@@ -205,9 +228,15 @@ int tls13_generate_secret(SSL_CONNECTION *s, const EVP_MD *md, if (prevsecret != NULL) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (unsigned char *)prevsecret, mdlen); - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, - (unsigned char *)label_prefix, - sizeof(label_prefix) - 1); + if (SSL_CONNECTION_IS_TLS13(s)) + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, + (unsigned char *)label_prefix_tls13, + sizeof(label_prefix_tls13) - 1); + else + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, + (unsigned char *)label_prefix_dtls13, + sizeof(label_prefix_dtls13) - 1); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)derived_secret_label, sizeof(derived_secret_label) - 1); From 62458fac1c481d50d3634db714aceac960757320 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Sun, 17 Dec 2023 20:46:20 +0100 Subject: [PATCH 08/74] Determine which label prefix to use based on if the connection is dtls Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22416) --- ssl/tls13_enc.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 80ac467da4..ae76ddb3f4 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -107,7 +107,9 @@ int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, const unsigned char *data, size_t datalen, unsigned char *out, size_t outlen, int raise_error) { - return hkdf_expand(libctx, propq, md, secret, label_prefix_tls13, sizeof(label_prefix_tls13) - 1, + /* This function only supports TLSv1.3 and not DTLSv1.3 */ + return hkdf_expand(libctx, propq, md, secret, label_prefix_tls13, + sizeof(label_prefix_tls13) - 1, label, labellen, data, datalen, out, outlen, raise_error); } 
@@ -120,13 +122,11 @@ int tls13_hkdf_expand(SSL_CONNECTION *s, const EVP_MD *md, { int ret; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); - - const char *label_prefix = SSL_CONNECTION_IS_TLS13(s) ? label_prefix_tls13 - : label_prefix_dtls13; - - size_t label_prefix_len = SSL_CONNECTION_IS_TLS13(s) - ? sizeof(label_prefix_tls13) - 1 - : sizeof(label_prefix_dtls13) - 1; + const int isdtls = SSL_CONNECTION_IS_DTLS(s); + const unsigned char *label_prefix = isdtls ? label_prefix_dtls13 + : label_prefix_tls13; + const size_t label_prefix_len = isdtls ? sizeof(label_prefix_dtls13) - 1 + : sizeof(label_prefix_tls13) - 1; ret = hkdf_expand(sctx->libctx, sctx->propq, md, secret, label_prefix, label_prefix_len, label, labellen, data, @@ -200,6 +200,7 @@ int tls13_generate_secret(SSL_CONNECTION *s, const EVP_MD *md, /* ASCII: "derived", in hex for EBCDIC compatibility */ static const char derived_secret_label[] = "\x64\x65\x72\x69\x76\x65\x64"; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + int isdtls = SSL_CONNECTION_IS_DTLS(s); kdf = EVP_KDF_fetch(sctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, sctx->propq); kctx = EVP_KDF_CTX_new(kdf); @@ -228,14 +229,14 @@ int tls13_generate_secret(SSL_CONNECTION *s, const EVP_MD *md, if (prevsecret != NULL) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, (unsigned char *)prevsecret, mdlen); - if (SSL_CONNECTION_IS_TLS13(s)) - *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, - (unsigned char *)label_prefix_tls13, - sizeof(label_prefix_tls13) - 1); - else + if (isdtls) *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, (unsigned char *)label_prefix_dtls13, sizeof(label_prefix_dtls13) - 1); + else + *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, + (unsigned char *)label_prefix_tls13, + sizeof(label_prefix_tls13) - 1); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)derived_secret_label, From 719bf8d2eb0c06a39339fd1749baaae876edc766 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Wed, 4 Oct 2023 10:03:45 +0200 Subject: [PATCH 09/74] Adds DTLS1.3 to ssl protocol to text structs Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22273) --- ssl/ssl_conf.c | 3 ++- ssl/t1_trce.c | 1 + test/helpers/ssl_test_ctx.c | 1 + test/ssl_old_test.c | 3 ++- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index e22511b634..ab3ad6ee8a 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -320,7 +320,8 @@ static int protocol_from_string(const char *value) {"TLSv1.2", TLS1_2_VERSION}, {"TLSv1.3", TLS1_3_VERSION}, {"DTLSv1", DTLS1_VERSION}, - {"DTLSv1.2", DTLS1_2_VERSION} + {"DTLSv1.2", DTLS1_2_VERSION}, + {"DTLSv1.3", DTLS1_3_VERSION} }; size_t i; size_t n = OSSL_NELEM(versions); diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 2d95f3ad3b..45d5fb0d27 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -68,6 +68,7 @@ static const ssl_trace_tbl ssl_version_tbl[] = { {TLS1_3_VERSION, "TLS 1.3"}, {DTLS1_VERSION, "DTLS 1.0"}, {DTLS1_2_VERSION, "DTLS 1.2"}, + {DTLS1_3_VERSION, "DTLS 1.3"}, {DTLS1_BAD_VER, "DTLS 1.0 (bad)"} }; diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c index ec2c7885ba..10bbdc4f1b 100644 --- a/test/helpers/ssl_test_ctx.c +++ b/test/helpers/ssl_test_ctx.c @@ -156,6 +156,7 @@ static const test_enum ssl_protocols[] = { {"SSLv3", SSL3_VERSION}, {"DTLSv1", DTLS1_VERSION}, {"DTLSv1.2", DTLS1_2_VERSION}, + {"DTLSv1.3", DTLS1_3_VERSION}, }; __owur static int parse_protocol(SSL_TEST_CTX *test_ctx, const char *value) diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 8c26f3ed2f..3c758472bf 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c 
@@ -826,7 +826,8 @@ static int protocol_from_string(const char *value) {"tls1.2", TLS1_2_VERSION}, {"tls1.3", TLS1_3_VERSION}, {"dtls1", DTLS1_VERSION}, - {"dtls1.2", DTLS1_2_VERSION}}; + {"dtls1.2", DTLS1_2_VERSION}, + {"dtls1.3", DTLS1_3_VERSION}}; size_t i; size_t n = OSSL_NELEM(versions); From acec6d68c1071bd696d58a4b90006830c7542603 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 4 Oct 2023 11:37:10 +0200 Subject: [PATCH 10/74] Add dtls1.3 to ssl_protocol_to_string() Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22273) --- ssl/ssl_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5afd89c3e9..46ecdd4f85 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -4970,6 +4970,9 @@ const char *ssl_protocol_to_string(int version) case DTLS1_2_VERSION: return "DTLSv1.2"; + case DTLS1_3_VERSION: + return "DTLSv1.3"; + default: return "unknown"; } From 7f95231e168f1ee7de00e80407669225b0ed807e Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 11:26:35 +0200 Subject: [PATCH 11/74] Fix protocol list for cmd_Protocol() Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22273) --- ssl/ssl_conf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index ab3ad6ee8a..3c150a44c1 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -287,7 +287,8 @@ static int cmd_Protocol(SSL_CONF_CTX *cctx, const char *value) SSL_FLAG_TBL_INV("TLSv1.2", SSL_OP_NO_TLSv1_2), SSL_FLAG_TBL_INV("TLSv1.3", SSL_OP_NO_TLSv1_3), SSL_FLAG_TBL_INV("DTLSv1", SSL_OP_NO_DTLSv1), - SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2) + SSL_FLAG_TBL_INV("DTLSv1.2", SSL_OP_NO_DTLSv1_2), + SSL_FLAG_TBL_INV("DTLSv1.3", SSL_OP_NO_DTLSv1_3) }; cctx->tbl = ssl_protocol_list; cctx->ntbl = OSSL_NELEM(ssl_protocol_list); From ceb9e33b3f78b621754ac86df45c4672da5e20f1 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Thu, 12 Oct 2023 15:01:23 +0200 Subject: [PATCH 12/74] Update tls state machine logic to support dtls1.3 alongside tls1.3 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22366) Updated the logic in ssl_cipher_list_to_bytes to take account of the changes from PR#24161 Reviewed-by: Richard Levitte Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24226) --- ssl/statem/statem.c | 2 +- ssl/statem/statem_clnt.c | 86 +++++++++++++++++++------------------- ssl/statem/statem_lib.c | 86 ++++++++++++++++++++------------------ ssl/statem/statem_srvr.c | 89 ++++++++++++++++++++-------------------- 4 files changed, 136 insertions(+), 127 deletions(-) diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 67cb26ef46..a1c0ffbd20 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -401,7 +401,7 @@ static int state_machine(SSL_CONNECTION *s, int server) s->server = server; if (cb != NULL) { - if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s)) + if (SSL_IS_FIRST_HANDSHAKE(s) || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) cb(ussl, SSL_CB_HANDSHAKE_START, 1); } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 436b397346..d2a06d0e97 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -236,7 +236,7 @@ int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) * Note that after writing the first ClientHello we don't know what version * we are going to negotiate yet, so we don't take this branch until later. */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!ossl_statem_client13_read_transition(s, mt)) goto err; return 1; 
@@ -548,7 +548,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) * version we are going to negotiate yet, so we don't take this branch until * later */ - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) return ossl_statem_client13_write_transition(s); switch (st->hand_state) { @@ -574,7 +574,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) case TLS_ST_CW_CLNT_HELLO: if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { /* - * We are assuming this is a TLSv1.3 connection, although we haven't + * We are assuming this is a (D)TLSv1.3 connection, although we haven't * actually selected a version yet. */ if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) @@ -592,7 +592,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) case TLS_ST_CR_SRVR_HELLO: /* - * We only get here in TLSv1.3. We just received an HRR, so issue a + * We only get here in (D)TLSv1.3. We just received an HRR, so issue a * CCS unless middlebox compat mode is off, or we already issued one * because we did early data. */ @@ -807,7 +807,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (s->early_data_state == SSL_EARLY_DATA_CONNECTING && s->max_early_data > 0) { /* - * We haven't selected TLSv1.3 yet so we don't call the change + * We haven't selected (D)TLSv1.3 yet so we don't call the change * cipher state function associated with the SSL_METHOD. Instead * we call tls13_change_cipher_state() directly. */ 
@@ -837,13 +837,13 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_CW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s) + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) break; if (s->early_data_state == SSL_EARLY_DATA_CONNECTING && s->max_early_data > 0) { /* - * We haven't selected TLSv1.3 yet so we don't call the change + * We haven't selected (D)TLSv1.3 yet so we don't call the change * cipher state function associated with the SSL_METHOD. Instead * we call tls13_change_cipher_state() directly. */ @@ -898,7 +898,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_B; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return WORK_ERROR; @@ -1059,7 +1059,7 @@ size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + return (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: @@ -1168,6 +1168,8 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) int i, protverr; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; + int comp_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; #endif SSL_SESSION *sess = s->session; unsigned char *session_id; 
@@ -1257,8 +1259,8 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) /* Session ID */ session_id = s->session->session_id; - if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { - if (s->version == TLS1_3_VERSION + if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) { + if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION) && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { sess_id_len = sizeof(s->tmp_session_id); s->tmp_session_id_len = sess_id_len; @@ -1275,7 +1277,7 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) } else { assert(s->session->session_id_length <= sizeof(s->session->session_id)); sess_id_len = s->session->session_id_length; - if (s->version == TLS1_3_VERSION) { + if (s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION) { s->tmp_session_id_len = sess_id_len; memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); } @@ -1322,8 +1324,7 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) #ifndef OPENSSL_NO_COMP if (ssl_allow_compression(s) && sctx->comp_methods - && (SSL_CONNECTION_IS_DTLS(s) - || s->s3.tmp.max_ver < TLS1_3_VERSION)) { + && ssl_version_cmp(s, s->s3.tmp.max_ver, comp_version_limit) < 0) { int compnum = sk_SSL_COMP_num(sctx->comp_methods); for (i = 0; i < compnum; i++) { comp = sk_SSL_COMP_value(sctx->comp_methods, i); @@ -1406,7 +1407,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, return 0; } - if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.new_cipher != NULL && s->s3.tmp.new_cipher->id != c->id) { /* ServerHello selected a different ciphersuite to that in the HRR */ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); 
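Review bot: In the Session ID block of tls_construct_client_hello, the middlebox-compat branch now also fires when `s->version == DTLS1_3_VERSION`, so a DTLS 1.3 client with `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` set would send a full-length `tmp_session_id`. As I read RFC 9147, DTLS 1.3 does not use the TLS 1.3 compatibility mode, and legacy_session_id must be empty unless the client is offering a session ID cached from a pre-1.3 server. Keeping the compat branch TLS-only would avoid the mismatch: `if (s->version == TLS1_3_VERSION && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {`. The code that fills the ID lies outside this hunk, so please confirm what it does with the extended condition.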
@@ -1421,7 +1422,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, if (s->session->cipher != NULL) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { const EVP_MD *md = ssl_md(sctx, c->algorithm2); if (!ossl_assert(s->session->cipher != NULL)) { @@ -1475,8 +1476,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) } /* load the server random */ - if (s->version == TLS1_3_VERSION - && sversion == TLS1_2_VERSION + if (((s->version == TLS1_3_VERSION && sversion == TLS1_2_VERSION) + || (s->version == DTLS1_3_VERSION && sversion == DTLS1_2_VERSION)) && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { if (s->hello_retry_request != SSL_HRR_NONE) { @@ -1547,7 +1548,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) } } - if (SSL_CONNECTION_IS_TLS13(s) || hrr) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || hrr) { if (compression != 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_COMPRESSION_ALGORITHM); @@ -1575,7 +1576,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * Now we have chosen the version we need to check again that the extensions * are appropriate for this version. */ - context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO + context = (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO; if (!tls_validate_all_contexts(s, context, extensions)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); 
@@ -1584,7 +1585,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) s->hit = 0; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* * In TLSv1.3 a ServerHello message signals a key change so the end of * the message must be on a record boundary. @@ -1677,7 +1678,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * echo of what we originally sent in the ClientHello and should not be * used for resumption. */ - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { s->session->session_id_length = session_id_len; /* session_id_len could be 0 */ if (session_id_len > 0) @@ -1784,7 +1785,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 we have some post-processing to change cipher state, otherwise * we're done with this message */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) { @@ -1820,6 +1821,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, PACKET *extpkt) { RAW_EXTENSION *extensions = NULL; + const int isdtls = SSL_CONNECTION_IS_DTLS(s); /* * If we were sending early_data then any alerts should not be sent using @@ -1827,7 +1829,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, */ if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING && !ssl_set_new_record_layer(s, - TLS_ANY_VERSION, + isdtls ? DTLS_ANY_VERSION : TLS_ANY_VERSION, OSSL_RECORD_DIRECTION_WRITE, OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 
@@ -1836,7 +1838,7 @@ static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, goto err; } /* We are definitely going to be using TLSv1.3 */ - s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION); + s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, isdtls ? DTLS1_3_VERSION : TLS1_3_VERSION); if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, &extensions, NULL, 1) @@ -1934,7 +1936,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!SSL_CONNECTION_IS_TLS13(sc)) { + if (!(SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) { if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE); return WORK_ERROR; @@ -1949,7 +1951,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, sc->session->verify_result = sc->verify_result; /* Save the current hash state for when we receive the CertificateVerify */ - if (SSL_CONNECTION_IS_TLS13(sc) + if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) && !ssl_handshake_hash(sc, sc->cert_verify_hash, sizeof(sc->cert_verify_hash), &sc->cert_verify_hash_len)) { @@ -1984,7 +1986,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) + if (((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !PACKET_get_1(pkt, &context)) || context != 0 || !PACKET_get_net_3(pkt, &cert_list_len) || PACKET_remaining(pkt) != cert_list_len @@ -2016,7 +2018,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; 
@@ -2120,7 +2122,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); return WORK_ERROR; @@ -2136,7 +2138,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, s->session->peer_rpk = NULL; /* Save the current hash state for when we receive the CertificateVerify */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !ssl_handshake_hash(s, s->cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -2570,7 +2572,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, if (s->s3.tmp.valid_flags == NULL) return 0; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { PACKET reqctx, extensions; RAW_EXTENSION *rawexts = NULL; @@ -2675,7 +2677,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, * SSL_get1_peer_certificate() returns something sensible in * client_cert_cb. */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->post_handshake_auth != SSL_PHA_REQUESTED) return MSG_PROCESS_CONTINUE_READING; 
@@ -2696,11 +2698,11 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, PACKET_null_init(&nonce); if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) - || (SSL_CONNECTION_IS_TLS13(s) + || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && (!PACKET_get_net_4(pkt, &age_add) || !PACKET_get_length_prefixed_1(pkt, &nonce))) || !PACKET_get_net_2(pkt, &ticklen) - || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0 + || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) : PACKET_remaining(pkt) != ticklen)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); @@ -2723,7 +2725,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, * post-handshake and the session may have already gone into the session * cache. */ - if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || s->session->session_id_length > 0) { SSL_SESSION *new_sess; /* @@ -2736,7 +2738,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, } if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 - && !SSL_CONNECTION_IS_TLS13(s)) { + && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { /* * In TLSv1.2 and below the arrival of a new tickets signals that * any old ticket we were using is now out of date, so we remove the @@ -2770,7 +2772,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->ext.tick_age_add = age_add; s->session->ext.ticklen = ticklen; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { PACKET extpkt; if (!PACKET_as_length_prefixed_2(pkt, &extpkt) 
@@ -2823,7 +2825,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->not_resumable = 0; /* This is a standalone message in TLSv1.3, so there is no more to read */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { const EVP_MD *md = ssl_handshake_md(s); int hashleni = EVP_MD_get_size(md); size_t hashlen; @@ -3739,7 +3741,7 @@ WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) } } - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; @@ -3759,7 +3761,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, CERT_PKEY *cpk = NULL; SSL *ssl = SSL_CONNECTION_GET_SSL(s); - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (s->pha_context == NULL) { /* no context available, add 0-length context */ if (!WPACKET_put_bytes_u8(pkt, 0)) { @@ -3796,7 +3798,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, * then we deferred changing the handshake write keys to the last possible * moment. We need to do it now. */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && SSL_IS_FIRST_HANDSHAKE(s) && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index a52b8af636..e0563084ee 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c 
@@ -262,7 +262,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { size_t hashlen; /* Set the first 64 bytes of to-be-signed data to octet 32 */ @@ -585,14 +585,14 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) } /* - * In TLSv1.3 on the client side we make sure we prepare the client + * In (D)TLSv1.3 on the client side we make sure we prepare the client * certificate after the CertVerify instead of when we get the - * CertificateRequest. This is because in TLSv1.3 the CertificateRequest - * comes *before* the Certificate message. In TLSv1.2 it comes after. We + * CertificateRequest. This is because in (D)TLSv1.3 the CertificateRequest + * comes *before* the Certificate message. In (D)TLSv1.2 it comes after. We * want to make sure that SSL_get1_peer_certificate() will return the actual * server certificate from the client_cert_cb callback. */ - if (!s->server && SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.cert_req == 1) + if (!s->server && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.cert_req == 1) ret = MSG_PROCESS_CONTINUE_PROCESSING; else ret = MSG_PROCESS_CONTINUE_READING; @@ -623,7 +623,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) * moment. If we didn't already do this when we sent the client certificate * then we need to do it now. */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) 
@@ -659,9 +659,9 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) /* * Log the master secret, if logging is enabled. We don't log it for - * TLSv1.3: there's a different key schedule for that. + * (D)TLSv1.3: there's a different key schedule for that. */ - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, s->session->master_key_length)) { /* SSLfatal() already called */ @@ -843,13 +843,13 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) /* * To get this far we must have read encrypted data from the client. We * no longer tolerate unencrypted alerts. This is ignored if less than - * TLSv1.3 + * (D)TLSv1.3 */ if (s->rlayer.rrlmethod->set_plain_alerts != NULL) s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); if (s->post_handshake_auth != SSL_PHA_REQUESTED) s->statem.cleanuphand = 1; - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; @@ -860,14 +860,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 a Finished message signals a key change so the end of the * message must be on a record boundary. */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); return MSG_PROCESS_ERROR; } /* If this occurs, we have missed a message */ - if (!SSL_CONNECTION_IS_TLS13(s) && !s->s3.change_cipher_spec) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->s3.change_cipher_spec) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); return MSG_PROCESS_ERROR; } 
@@ -915,7 +915,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLS1.3 we also have to change cipher state and do any final processing * of the initial server flight (if we are a client) */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (s->server) { if (s->post_handshake_auth != SSL_PHA_REQUESTED && !ssl->method->ssl3_enc->change_cipher_state(s, @@ -924,7 +924,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) return MSG_PROCESS_ERROR; } } else { - /* TLS 1.3 gets the secret size from the handshake md */ + /* (D)TLS 1.3 gets the secret size from the handshake md */ size_t dummy; if (!ssl->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, @@ -986,7 +986,7 @@ static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || for_comp) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || for_comp) && !tls_construct_extensions(s, pkt, context, x, chain)) { /* SSLfatal() already called */ return 0; @@ -1118,7 +1118,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) /*- * ---------------------------- - * TLS 1.3 Certificate message: + * (D)TLS 1.3 Certificate message: * ---------------------------- * https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 * 
@@ -1178,21 +1178,21 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) * ------------- * Consequently: * ------------- - * After the (TLS 1.3 only) context octet string (1 byte length + data) the + * After the ((D)TLS 1.3 only) context octet string (1 byte length + data) the * Certificate message has a 3-byte length that is zero in the client to * server message when the client has no RPK to send. In that case, there - * are no (TLS 1.3 only) per-certificate extensions either, because the + * are no ((D)TLS 1.3 only) per-certificate extensions either, because the * [CertificateEntry] list is empty. * * In the server to client direction, or when the client had an RPK to send, - * the TLS 1.3 message just prepends the length of the RPK+extensions, + * the (D)TLS 1.3 message just prepends the length of the RPK+extensions, * while TLS <= 1.2 sends just the RPK (octet-string). * * The context must be zero-length in the server to client direction, and * must match the value recorded in the certificate request in the client * to server direction. */ - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { if (!PACKET_get_length_prefixed_1(pkt, &context)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); goto err; @@ -1234,7 +1234,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) if (cert_len == 0) return 1; - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { /* * With TLS 1.3, a non-empty explicit-length RPK octet-string followed * by a possibly empty extension block. 
@@ -1269,7 +1269,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) } /* Process the Extensions block */ - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); goto err; @@ -1346,7 +1346,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) * TLSv1.2 is _just_ the raw public key * TLSv1.3 includes extensions, so there's a length wrapper */ - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { if (!WPACKET_start_sub_packet_u24(pkt)) { SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -1358,7 +1358,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) goto err; } - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { /* * Only send extensions relevant to raw public keys. Until such * extensions are defined, this will be an empty set of extensions. @@ -1442,7 +1442,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, s->init_num = 0; } - if (SSL_CONNECTION_IS_TLS13(s) && !s->server + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server && s->post_handshake_auth == SSL_PHA_REQUESTED) s->post_handshake_auth = SSL_PHA_EXT_SENT; 
@@ -1464,14 +1464,14 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, * In TLSv1.3 we update the cache as part of constructing the * NewSessionTicket */ - if (!SSL_CONNECTION_IS_TLS13(s)) + if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s)) ssl_update_cache(s, SSL_SESS_CACHE_SERVER); /* N.B. s->ctx may not equal s->session_ctx */ ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; } else { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* * We encourage applications to only use TLSv1.3 tickets once, * so we remove this one from the cache. @@ -1514,7 +1514,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, if (cb != NULL) { if (cleanuphand - || !SSL_CONNECTION_IS_TLS13(s) + || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || SSL_IS_FIRST_HANDSHAKE(s)) cb(ssl, SSL_CB_HANDSHAKE_DONE, 1); } @@ -1697,7 +1697,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len) */ #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) /* KeyUpdate and NewSessionTicket do not need to be added */ - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO @@ -1991,7 +1991,7 @@ int ssl_version_supported(const SSL_CONNECTION *s, int version, && ssl_version_cmp(s, version, vent->version) == 0 && ssl_method_error(s, thismeth()) == 0 && (!s->server - || version != TLS1_3_VERSION + || (version != TLS1_3_VERSION && version != DTLS1_3_VERSION) || is_tls13_capable(s))) { if (meth != NULL) *meth = thismeth(); 
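Review bot: In the server branch of tls_finish_handshake, the new condition `if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s))` closes the negation before the `||`, so it reads "not TLS 1.3, or DTLS 1.3" and is true on a DTLS 1.3 connection. ssl_update_cache() then runs for DTLS 1.3, although the comment directly above says the 1.3 cache update belongs to NewSessionTicket construction. The line should be `if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))`. The same two-macro test is repeated throughout this patch, so a single helper predicate (name for the project to choose) would make this kind of slip much harder. The function body extends beyond the hunk.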
@@ -2156,12 +2156,14 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, const version_info *table; int disabled = 0; RAW_EXTENSION *suppversions; + const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; s->client_version = client_version; switch (server_version) { default: - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { if (ssl_version_cmp(s, client_version, s->version) < 0) return SSL_R_WRONG_SSL_VERSION; *dgrd = DOWNGRADE_NONE; @@ -2193,9 +2195,11 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) return SSL_R_UNSUPPORTED_PROTOCOL; - if (suppversions->present && !SSL_CONNECTION_IS_DTLS(s)) { + if (suppversions->present) { unsigned int candidate_vers = 0; - unsigned int best_vers = 0; + const unsigned int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? UINT_MAX + : 0; + unsigned int best_vers = best_vers_init; const SSL_METHOD *best_method = NULL; PACKET versionslist; @@ -2229,13 +2233,14 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, return SSL_R_LENGTH_MISMATCH; } - if (best_vers > 0) { + /* Did best_vers change from the initial value? */ + if (best_vers != best_vers_init) { if (s->hello_retry_request != SSL_HRR_NONE) { /* * This is after a HelloRetryRequest so we better check that we - * negotiated TLSv1.3 + * negotiated (D)TLSv1.3 */ - if (best_vers != TLS1_3_VERSION) + if (best_vers != TLS1_3_VERSION && best_vers != DTLS1_3_VERSION) return SSL_R_UNSUPPORTED_PROTOCOL; return 0; } 
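Review bot: The post-HelloRetryRequest check `if (best_vers != TLS1_3_VERSION && best_vers != DTLS1_3_VERSION)` accepts either constant regardless of transport, although `version1_3` is already computed at the top of ssl_choose_server_version. Comparing against the one value that matches the connection is tighter and consistent with the rest of the function: `if (best_vers != (unsigned int)version1_3)`. Separately, the `UINT_MAX` start value for DTLS is only correct if the selection loop, which is outside these hunks, orders candidates with ssl_version_cmp() rather than a plain numeric `>`. A one-line comment beside `best_vers_init` explaining why the sentinel differs per transport would help the next reader.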
@@ -2252,10 +2257,11 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, /* * If the supported versions extension isn't present, then the highest - * version we can negotiate is TLSv1.2 + * version we can negotiate is (D)TLSv1.2 */ - if (ssl_version_cmp(s, client_version, TLS1_3_VERSION) >= 0) - client_version = TLS1_2_VERSION; + if (ssl_version_cmp(s, client_version, version1_3) >= 0) + client_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION + : TLS1_2_VERSION; /* * No supported versions extension, so we just use the version supplied in @@ -2314,7 +2320,7 @@ int ssl_choose_client_version(SSL_CONNECTION *s, int version, } if (s->hello_retry_request != SSL_HRR_NONE - && s->version != TLS1_3_VERSION) { + && (s->version != TLS1_3_VERSION && s->version != DTLS1_3_VERSION)) { s->version = origv; SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); return 0; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 3d1cb90018..51d616f55a 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -183,7 +183,7 @@ int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) { OSSL_STATEM *st = &s->statem; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!ossl_statem_server13_read_transition(s, mt)) goto err; return 1; @@ -418,7 +418,7 @@ int send_certificate_request(SSL_CONNECTION *s) * don't request if post-handshake-only unless doing * post-handshake in TLSv1.3: */ - && (!SSL_CONNECTION_IS_TLS13(s) + && (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) /* 
@@ -612,7 +612,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) * to negotiate yet, so we don't take this branch until later */ - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) return ossl_statem_server13_write_transition(s); switch (st->hand_state) { @@ -644,7 +644,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SR_CLNT_HELLO: - if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified + if (SSL_CONNECTION_IS_DTLS(s) && !SSL_CONNECTION_IS_DTLS13(s) && !s->d1->cookie_verified && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) { st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { @@ -788,7 +788,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0 + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->sent_tickets == 0 && s->ext.extra_tickets_expected == 0) { /* * Actually this is the end of the handshake, but we're going @@ -809,7 +809,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) break; /* Writes to s->session are only safe for initial handshakes */ if (s->session->cipher == NULL) { @@ -908,7 +908,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->hello_retry_request == SSL_HRR_PENDING) { if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 && statem_flush(s) != 1) 
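Review bot: The `!SSL_CONNECTION_IS_DTLS13(s)` term added to the `TLS_ST_SR_CLNT_HELLO` case of ossl_statem_server_write_transition means `SSL_OP_COOKIE_EXCHANGE` no longer leads to `DTLS_ST_SW_HELLO_VERIFY_REQUEST` for DTLS 1.3. Nothing here says where the return-routability check happens instead. Given the early return to ossl_statem_server13_write_transition() a few lines above, the term also looks unreachable as true in this switch, which is worth confirming. DTLS 1.3 replaces HelloVerifyRequest with a cookie carried in HelloRetryRequest (RFC 9147), so I would add a comment such as `/* DTLS 1.3 does not use HelloVerifyRequest; the cookie is carried in HelloRetryRequest */`. The 1.3 transition path should also be checked to honour the option, otherwise a server that relies on the cookie to limit amplification silently loses it.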
@@ -945,7 +945,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 && s->hello_retry_request != SSL_HRR_COMPLETE)) break; @@ -958,7 +958,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { @@ -1017,8 +1017,8 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) 0, NULL); } #endif - if (SSL_CONNECTION_IS_TLS13(s)) { - /* TLS 1.3 gets the secret size from the handshake md */ + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + /* (D)TLS 1.3 gets the secret size from the handshake md */ size_t dummy; if (!ssl->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, @@ -1035,7 +1035,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_A; } else { - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } @@ -1043,7 +1043,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_ENCRYPTED_EXTENSIONS: if (!s->hit && !send_certificate_request(s)) { - if (!SSL_CONNECTION_IS_TLS13(s) + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } 
@@ -1060,7 +1060,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_SESSION_TICKET: clear_sys_error(); - if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && statem_flush(s) != 1) { if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL && conn_is_closed()) { /* @@ -1477,7 +1477,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { - if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) { + if (!ossl_assert(!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1748,7 +1748,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); goto err; @@ -1816,7 +1816,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { const SSL_CIPHER *cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); @@ -1885,7 +1885,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } } - if (SSL_CONNECTION_IS_TLS13(s)) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { memcpy(s->tmp_session_id, s->clienthello->session_id, s->clienthello->session_id_len); s->tmp_session_id_len = s->clienthello->session_id_len; 
@@ -1895,7 +1895,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check * ciphersuite compatibility with the session as part of resumption. */ - if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1970,9 +1970,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } if (!s->hit - && s->version >= TLS1_VERSION - && !SSL_CONNECTION_IS_TLS13(s) - && !SSL_CONNECTION_IS_DTLS(s) + && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0 + && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* @@ -2017,7 +2016,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * algorithms from the client, starting at q. */ s->s3.tmp.new_compression = NULL; - if (SSL_CONNECTION_IS_TLS13(s)) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { /* * We already checked above that the NULL compression method appears in * the list. Now we check there aren't any others (which is illegal in @@ -2104,7 +2103,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher */ - if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { + if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { sk_SSL_CIPHER_free(s->peer_ciphers); s->peer_ciphers = ciphers; if (ciphers == NULL) { 
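Review bot: The rewritten condition at -1970 in `tls_early_post_process_client_hello` drops `!SSL_CONNECTION_IS_DTLS(s)`, so the block guarded by `s->ext.session_secret_cb != NULL` now also runs for DTLS 1.0/1.2 handshakes, which the old code excluded entirely. That is a behaviour change for existing DTLS servers that goes beyond adding a DTLS 1.3 check, and an application-supplied callback now takes part in secret and cipher selection on a protocol family where it never did before. If only the 1.3 exclusion was intended, keep the old guard next to the new one: `&& !SSL_CONNECTION_IS_DTLS(s)`. If enabling the callback for DTLS is deliberate, it should be stated in the commit message and covered by a test. The function body continues outside the hunk.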
@@ -2288,7 +2287,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) wst = WORK_MORE_B; } if (wst == WORK_MORE_B) { - if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { + if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { /* Let cert callback update server certificates if required */ if (!s->hit && s->cert->cert_cb != NULL) { int rv = s->cert->cert_cb(ussl, s->cert->cert_cb_arg); @@ -2305,7 +2304,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) } /* In TLSv1.3 we selected the ciphersuite before resumption */ - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { cipher = ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(ssl)); @@ -2363,7 +2362,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) * we already did this because cipher negotiation happens earlier, and * we must handle ALPN before we decide whether to accept early_data. */ - if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) { + if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !tls_handle_alpn(s)) { /* SSLfatal() already called */ goto err; } @@ -2400,8 +2399,10 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) unsigned char *session_id; int usetls13 = SSL_CONNECTION_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING; + int usedtls13 = SSL_CONNECTION_IS_DTLS13(s) + || s->hello_retry_request == SSL_HRR_PENDING; - version = usetls13 ? TLS1_2_VERSION : s->version; + version = usetls13 ? TLS1_2_VERSION : (usedtls13 ? DTLS1_2_VERSION : s->version); if (!WPACKET_put_bytes_u16(pkt, version) /* * Random stuff. Filling of the server_random takes place in 
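Review bot: `usetls13` and `usedtls13` in `tls_construct_server_hello` both include `s->hello_retry_request == SSL_HRR_PENDING`, so both are true while a HelloRetryRequest is pending and `version` resolves to `TLS1_2_VERSION` even on a DTLS connection. A DTLS HelloRetryRequest would then carry the TLS legacy version rather than `DTLS1_2_VERSION`. Patch 13/74 later qualifies the two flags with `SSL_CONNECTION_IS_DTLS(s)`; folding that into this commit would keep the series bisectable, e.g. `int usedtls13 = SSL_CONNECTION_IS_DTLS13(s) || (SSL_CONNECTION_IS_DTLS(s) && s->hello_retry_request == SSL_HRR_PENDING);` with the mirrored `!SSL_CONNECTION_IS_DTLS(s)` term on `usetls13`. The function body continues outside the hunk.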
@@ -2437,7 +2438,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) && !s->hit) s->session->session_id_length = 0; - if (usetls13) { + if (usetls13 || usedtls13) { sl = s->tmp_session_id_len; session_id = s->tmp_session_id; } else { @@ -2454,7 +2455,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) #ifdef OPENSSL_NO_COMP compm = 0; #else - if (usetls13 || s->s3.tmp.new_compression == NULL) + if (usetls13 || usedtls13 || s->s3.tmp.new_compression == NULL) compm = 0; else compm = s->s3.tmp.new_compression->id; @@ -2471,7 +2472,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) if (!tls_construct_extensions(s, pkt, s->hello_retry_request == SSL_HRR_PENDING ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - : (SSL_CONNECTION_IS_TLS13(s) + : ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { @@ -2827,7 +2828,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { /* Send random context when doing post-handshake auth */ if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { OPENSSL_free(s->pha_context); @@ -3573,7 +3574,7 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) * Freeze the handshake buffer. For pha_context == NULL && PACKET_remaining(&context) != 0) || (s->pha_context != NULL @@ -3672,7 +3673,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; 
@@ -3767,7 +3768,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, * Freeze the handshake buffer. For cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -3826,7 +3827,7 @@ CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt * In TLSv1.3 the certificate chain is always preceded by a 0 length context * for the server Certificate message */ - if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -3891,7 +3892,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, */ #define ONE_WEEK_SEC (7 * 24 * 60 * 60) - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (ossl_time_compare(s->session->timeout, ossl_seconds2time(ONE_WEEK_SEC)) > 0) timeout = ONE_WEEK_SEC; @@ -3903,7 +3904,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!WPACKET_put_bytes_u32(pkt, age_add) || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -4030,7 +4031,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, * length ticket is not allowed so we abort construction of the * ticket */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { ok = CON_FUNC_DONT_SEND; goto err; } 
@@ -4173,7 +4174,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt age_add_u.age_add = 0; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { size_t i, hashlen; uint64_t nonce; static const unsigned char nonce_label[] = "resumption"; @@ -4260,7 +4261,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there * is no point in using full stateless tickets. */ - if (SSL_CONNECTION_IS_TLS13(s) + if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && ((s->options & SSL_OP_NO_TICKET) != 0 || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { @@ -4285,7 +4286,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt } } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_NEW_SESSION_TICKET, NULL, 0)) { From 087bc64918e80ba4bd62ba9cffb2d5cf2a04e53d Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 17 Jan 2024 14:29:17 +0100 Subject: [PATCH 13/74] Fix sending session ids in DTLS-1.3 DTLS 1.3 session id must not be sent by client unless it has a cached id. And DTLS 1.3 servers must not echo a session id from a client. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22366) --- ssl/statem/statem_clnt.c | 6 ++++-- ssl/statem/statem_srvr.c | 12 +++++++++--- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d2a06d0e97..a3665f71a4 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c 
@@ -1259,8 +1259,10 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) /* Session ID */ session_id = s->session->session_id; - if (s->new_session || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) { - if ((s->version == TLS1_3_VERSION || s->version == DTLS1_3_VERSION) + if (s->new_session + || s->session->ssl_version == TLS1_3_VERSION + || s->session->ssl_version == DTLS1_3_VERSION) { + if (s->version == TLS1_3_VERSION && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { sess_id_len = sizeof(s->tmp_session_id); s->tmp_session_id_len = sess_id_len; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 51d616f55a..c0b31c7ae7 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -2398,9 +2398,11 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) int version; unsigned char *session_id; int usetls13 = SSL_CONNECTION_IS_TLS13(s) - || s->hello_retry_request == SSL_HRR_PENDING; + || (!SSL_CONNECTION_IS_DTLS(s) + && s->hello_retry_request == SSL_HRR_PENDING); int usedtls13 = SSL_CONNECTION_IS_DTLS13(s) - || s->hello_retry_request == SSL_HRR_PENDING; + || (SSL_CONNECTION_IS_DTLS(s) + && s->hello_retry_request == SSL_HRR_PENDING); version = usetls13 ? TLS1_2_VERSION : (usedtls13 ? DTLS1_2_VERSION : s->version); if (!WPACKET_put_bytes_u16(pkt, version) @@ -2430,6 +2432,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) * we send back a 0-length session ID. * - In TLSv1.3 we echo back the session id sent to us by the client * regardless + * - In DTLSv1.3 we must not echo the session id sent by the client * s->hit is non-zero in either case of session reuse, * so the following won't overwrite an ID that we're supposed * to send back. 
@@ -2438,9 +2441,12 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) && !s->hit) s->session->session_id_length = 0; - if (usetls13 || usedtls13) { + if (usetls13) { sl = s->tmp_session_id_len; session_id = s->tmp_session_id; + } else if (usedtls13) { + sl = 0; + session_id = NULL; } else { sl = s->session->session_id_length; session_id = s->session->session_id; From 1409fbeb8e3dee7430d31a738d49c8c84cecd33d Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 25 Mar 2024 22:43:06 +0100 Subject: [PATCH 14/74] Do DTLS13 and TLS13 connection version check in one macro Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22366) --- ssl/ssl_local.h | 6 +++- ssl/statem/statem.c | 2 +- ssl/statem/statem_clnt.c | 58 +++++++++++++++---------------- ssl/statem/statem_lib.c | 40 +++++++++++----------- ssl/statem/statem_srvr.c | 74 ++++++++++++++++++++-------------------- 5 files changed, 92 insertions(+), 88 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index e5a882162e..2b8df7d26c 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -264,8 +264,12 @@ && SSL_CONNECTION_GET_SSL(s)->method->version >= TLS1_3_VERSION \ && SSL_CONNECTION_GET_SSL(s)->method->version != TLS_ANY_VERSION) +/* Check if we are using (D)TLSv1.3 */ +# define SSL_CONNECTION_IS_VERSION13(s) \ + (SSL_CONNECTION_IS_DTLS13(s) || SSL_CONNECTION_IS_TLS13(s)) + # define SSL_CONNECTION_TREAT_AS_TLS13(s) \ - ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) \ + (SSL_CONNECTION_IS_VERSION13(s) \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECTING \ || (s)->early_data_state == SSL_EARLY_DATA_CONNECT_RETRY \ || (s)->early_data_state == SSL_EARLY_DATA_WRITING \ diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index a1c0ffbd20..7bc614449e 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c 
@@ -401,7 +401,7 @@ static int state_machine(SSL_CONNECTION *s, int server) s->server = server; if (cb != NULL) { - if (SSL_IS_FIRST_HANDSHAKE(s) || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_VERSION13(s)) cb(ussl, SSL_CB_HANDSHAKE_START, 1); } diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index a3665f71a4..b88251623a 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -236,7 +236,7 @@ int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) * Note that after writing the first ClientHello we don't know what version * we are going to negotiate yet, so we don't take this branch until later. */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ossl_statem_client13_read_transition(s, mt)) goto err; return 1; @@ -548,7 +548,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) * version we are going to negotiate yet, so we don't take this branch until * later */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) return ossl_statem_client13_write_transition(s); switch (st->hand_state) { @@ -837,7 +837,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_CW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) + if (SSL_CONNECTION_IS_VERSION13(s) || s->hello_retry_request == SSL_HRR_PENDING) break; if (s->early_data_state == SSL_EARLY_DATA_CONNECTING @@ -898,7 +898,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_B; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return WORK_ERROR; 
@@ -1059,7 +1059,7 @@ size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) return CCS_MAX_LENGTH; case TLS_ST_CR_SESSION_TICKET: - return (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 + return SSL_CONNECTION_IS_VERSION13(s) ? SESSION_TICKET_MAX_LENGTH_TLS13 : SESSION_TICKET_MAX_LENGTH_TLS12; case TLS_ST_CR_FINISHED: @@ -1409,7 +1409,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, return 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.new_cipher != NULL + if (SSL_CONNECTION_IS_VERSION13(s) && s->s3.tmp.new_cipher != NULL && s->s3.tmp.new_cipher->id != c->id) { /* ServerHello selected a different ciphersuite to that in the HRR */ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); @@ -1424,7 +1424,7 @@ static int set_client_ciphersuite(SSL_CONNECTION *s, if (s->session->cipher != NULL) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const EVP_MD *md = ssl_md(sctx, c->algorithm2); if (!ossl_assert(s->session->cipher != NULL)) { @@ -1550,7 +1550,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) } } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || hrr) { + if (SSL_CONNECTION_IS_VERSION13(s) || hrr) { if (compression != 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_COMPRESSION_ALGORITHM); 
@@ -1578,7 +1578,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * Now we have chosen the version we need to check again that the extensions * are appropriate for this version. */ - context = (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? SSL_EXT_TLS1_3_SERVER_HELLO + context = SSL_CONNECTION_IS_VERSION13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO; if (!tls_validate_all_contexts(s, context, extensions)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); @@ -1587,7 +1587,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) s->hit = 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * In TLSv1.3 a ServerHello message signals a key change so the end of * the message must be on a record boundary. @@ -1680,7 +1680,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * echo of what we originally sent in the ClientHello and should not be * used for resumption. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { s->session->session_id_length = session_id_len; /* session_id_len could be 0 */ if (session_id_len > 0) @@ -1787,7 +1787,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 we have some post-processing to change cipher state, otherwise * we're done with this message */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ)) { 
@@ -1938,7 +1938,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!(SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc))) { + if (!SSL_CONNECTION_IS_VERSION13(sc)) { if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_RPK_TYPE); return WORK_ERROR; @@ -1953,7 +1953,7 @@ static WORK_STATE tls_post_process_server_rpk(SSL_CONNECTION *sc, sc->session->verify_result = sc->verify_result; /* Save the current hash state for when we receive the CertificateVerify */ - if ((SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_handshake_hash(sc, sc->cert_verify_hash, sizeof(sc->cert_verify_hash), &sc->cert_verify_hash_len)) { @@ -1988,7 +1988,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if (((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !PACKET_get_1(pkt, &context)) + if ((SSL_CONNECTION_IS_VERSION13(s) && !PACKET_get_1(pkt, &context)) || context != 0 || !PACKET_get_net_3(pkt, &cert_list_len) || PACKET_remaining(pkt) != cert_list_len @@ -2020,7 +2020,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; @@ -2124,7 +2124,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, * skip check since TLS 1.3 ciphersuites can be used with any certificate * type. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); return WORK_ERROR; 
@@ -2140,7 +2140,7 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, s->session->peer_rpk = NULL; /* Save the current hash state for when we receive the CertificateVerify */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !ssl_handshake_hash(s, s->cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -2574,7 +2574,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, if (s->s3.tmp.valid_flags == NULL) return 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { PACKET reqctx, extensions; RAW_EXTENSION *rawexts = NULL; @@ -2679,7 +2679,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, * SSL_get1_peer_certificate() returns something sensible in * client_cert_cb. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) return MSG_PROCESS_CONTINUE_READING; @@ -2700,11 +2700,11 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, PACKET_null_init(&nonce); if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint) - || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + || (SSL_CONNECTION_IS_VERSION13(s) && (!PACKET_get_net_4(pkt, &age_add) || !PACKET_get_length_prefixed_1(pkt, &nonce))) || !PACKET_get_net_2(pkt, &ticklen) - || ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) ? (ticklen == 0 + || (SSL_CONNECTION_IS_VERSION13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) : PACKET_remaining(pkt) != ticklen)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); 
@@ -2727,7 +2727,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, * post-handshake and the session may have already gone into the session * cache. */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || s->session->session_id_length > 0) { + if (SSL_CONNECTION_IS_VERSION13(s) || s->session->session_id_length > 0) { SSL_SESSION *new_sess; /* @@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, } if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 - && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + && !SSL_CONNECTION_IS_VERSION13(s)) { /* * In TLSv1.2 and below the arrival of a new tickets signals that * any old ticket we were using is now out of date, so we remove the @@ -2774,7 +2774,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->ext.tick_age_add = age_add; s->session->ext.ticklen = ticklen; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { PACKET extpkt; if (!PACKET_as_length_prefixed_2(pkt, &extpkt) @@ -2827,7 +2827,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session->not_resumable = 0; /* This is a standalone message in TLSv1.3, so there is no more to read */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const EVP_MD *md = ssl_handshake_md(s); int hashleni = EVP_MD_get_size(md); size_t hashlen; @@ -3743,7 +3743,7 @@ WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) } } - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; 
@@ -3763,7 +3763,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, CERT_PKEY *cpk = NULL; SSL *ssl = SSL_CONNECTION_GET_SSL(s); - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (s->pha_context == NULL) { /* no context available, add 0-length context */ if (!WPACKET_put_bytes_u8(pkt, 0)) { @@ -3800,7 +3800,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, * then we deferred changing the handshake write keys to the last possible * moment. We need to do it now. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && SSL_IS_FIRST_HANDSHAKE(s) && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index e0563084ee..98c3b45a05 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -262,7 +262,7 @@ static int get_cert_verify_tbs_data(SSL_CONNECTION *s, unsigned char *tls13tbs, static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { size_t hashlen; /* Set the first 64 bytes of to-be-signed data to octet 32 */ @@ -592,7 +592,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt) * want to make sure that SSL_get1_peer_certificate() will return the actual * server certificate from the client_cert_cb callback. */ - if (!s->server && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->s3.tmp.cert_req == 1) + if (!s->server && SSL_CONNECTION_IS_VERSION13(s) && s->s3.tmp.cert_req == 1) ret = MSG_PROCESS_CONTINUE_PROCESSING; else ret = MSG_PROCESS_CONTINUE_READING; 
@@ -623,7 +623,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) * moment. If we didn't already do this when we sent the client certificate * then we need to do it now. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !s->server && (s->early_data_state != SSL_EARLY_DATA_NONE || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) @@ -661,7 +661,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) * Log the master secret, if logging is enabled. We don't log it for * (D)TLSv1.3: there's a different key schedule for that. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, s->session->master_key, s->session->master_key_length)) { /* SSLfatal() already called */ @@ -849,7 +849,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); if (s->post_handshake_auth != SSL_PHA_REQUESTED) s->statem.cleanuphand = 1; - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !tls13_save_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; 
@@ -860,14 +860,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLSv1.3 a Finished message signals a key change so the end of the * message must be on a record boundary. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); return MSG_PROCESS_ERROR; } /* If this occurs, we have missed a message */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->s3.change_cipher_spec) { + if (!SSL_CONNECTION_IS_VERSION13(s) && !s->s3.change_cipher_spec) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); return MSG_PROCESS_ERROR; } @@ -915,7 +915,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL_CONNECTION *s, PACKET *pkt) * In TLS1.3 we also have to change cipher state and do any final processing * of the initial server flight (if we are a client) */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (s->server) { if (s->post_handshake_auth != SSL_PHA_REQUESTED && !ssl->method->ssl3_enc->change_cipher_state(s, @@ -986,7 +986,7 @@ static int ssl_add_cert_to_wpacket(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s) || for_comp) + if ((SSL_CONNECTION_IS_VERSION13(s) || for_comp) && !tls_construct_extensions(s, pkt, context, x, chain)) { /* SSLfatal() already called */ return 0; @@ -1192,7 +1192,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) * must match the value recorded in the certificate request in the client * to server direction. */ - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!PACKET_get_length_prefixed_1(pkt, &context)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); goto err; 
@@ -1234,7 +1234,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) if (cert_len == 0) return 1; - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { /* * With TLS 1.3, a non-empty explicit-length RPK octet-string followed * by a possibly empty extension block. @@ -1269,7 +1269,7 @@ int tls_process_rpk(SSL_CONNECTION *sc, PACKET *pkt, EVP_PKEY **peer_rpk) } /* Process the Extensions block */ - if (SSL_CONNECTION_IS_TLS13(sc) || SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (PACKET_remaining(pkt) != (cert_len - 3 - spki_len)) { SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); goto err; @@ -1346,7 +1346,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) * TLSv1.2 is _just_ the raw public key * TLSv1.3 includes extensions, so there's a length wrapper */ - if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!WPACKET_start_sub_packet_u24(pkt)) { SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -1358,7 +1358,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk) goto err; } - if (SSL_CONNECTION_IS_TLS13(sc)|| SSL_CONNECTION_IS_DTLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { /* * Only send extensions relevant to raw public keys. Until such * extensions are defined, this will be an empty set of extensions. @@ -1442,7 +1442,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, s->init_num = 0; } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->server + if (SSL_CONNECTION_IS_VERSION13(s) && !s->server && s->post_handshake_auth == SSL_PHA_REQUESTED) s->post_handshake_auth = SSL_PHA_EXT_SENT; 
@@ -1464,14 +1464,14 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, * In TLSv1.3 we update the cache as part of constructing the * NewSessionTicket */ - if (!(SSL_CONNECTION_IS_TLS13(s))|| SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s)) ssl_update_cache(s, SSL_SESS_CACHE_SERVER); /* N.B. s->ctx may not equal s->session_ctx */ ssl_tsan_counter(sctx, &sctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; } else { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We encourage applications to only use TLSv1.3 tickets once, * so we remove this one from the cache. @@ -1514,7 +1514,7 @@ WORK_STATE tls_finish_handshake(SSL_CONNECTION *s, ossl_unused WORK_STATE wst, if (cb != NULL) { if (cleanuphand - || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + || !SSL_CONNECTION_IS_VERSION13(s) || SSL_IS_FIRST_HANDSHAKE(s)) cb(ssl, SSL_CB_HANDSHAKE_DONE, 1); } @@ -1697,7 +1697,7 @@ int tls_get_message_body(SSL_CONNECTION *s, size_t *len) */ #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) /* KeyUpdate and NewSessionTicket do not need to be added */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO @@ -2163,7 +2163,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, switch (server_version) { default: - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { if (ssl_version_cmp(s, client_version, s->version) < 0) return SSL_R_WRONG_SSL_VERSION; *dgrd = DOWNGRADE_NONE; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index c0b31c7ae7..b24c4279af 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -183,7 +183,7 @@ int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) { OSSL_STATEM *st = &s->statem; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ossl_statem_server13_read_transition(s, mt)) goto err; return 1; @@ -418,7 +418,7 @@ int send_certificate_request(SSL_CONNECTION *s) * don't request if post-handshake-only unless doing * post-handshake in TLSv1.3: */ - && (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && (!SSL_CONNECTION_IS_VERSION13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) /* @@ -612,7 +612,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) * to negotiate yet, so we don't take this branch until later */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) return ossl_statem_server13_write_transition(s); switch (st->hand_state) { @@ -788,7 +788,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) return WORK_FINISHED_CONTINUE; case TLS_ST_SW_SESSION_TICKET: - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->sent_tickets == 0 + if (SSL_CONNECTION_IS_VERSION13(s) && s->sent_tickets == 0 && s->ext.extra_tickets_expected == 0) { /* * Actually this is the end of the handshake, but we're going @@ -809,7 +809,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_CHANGE: - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) break; /* Writes to s->session are only safe for initial handshakes */ if (s->session->cipher == NULL) { 
@@ -908,7 +908,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; case TLS_ST_SW_SRVR_HELLO: - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && s->hello_retry_request == SSL_HRR_PENDING) { if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 && statem_flush(s) != 1) @@ -945,7 +945,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) sizeof(sctpauthkey), sctpauthkey); } #endif - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 && s->hello_retry_request != SSL_HRR_COMPLETE)) break; @@ -958,7 +958,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) break; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!ssl->method->ssl3_enc->setup_key_block(s) || !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { @@ -1017,7 +1017,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) 0, NULL); } #endif - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* (D)TLS 1.3 gets the secret size from the handshake md */ size_t dummy; if (!ssl->method->ssl3_enc->generate_master_secret(s, @@ -1035,7 +1035,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (statem_flush(s) != 1) return WORK_MORE_A; } else { - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } 
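Review bot: The `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` tests in the TLS_ST_SW_SRVR_HELLO case of ossl_statem_server_post_work (hunks -908 and -945) are reached by DTLS 1.3 connections as well as TLS 1.3, because `SSL_CONNECTION_IS_VERSION13(s)` covers both. DTLS 1.3 has no middlebox compatibility mode and sends no ChangeCipherSpec, yet with the option set the -945 test appears to `break` before the handshake write keys are installed, as if a CCS state were still to come. Nothing visible in these hunks masks the option for DTLS, so unless that is done elsewhere the tests should exclude it, e.g. `(s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 && !SSL_CONNECTION_IS_DTLS(s)`. The function body starts and ends outside these hunks.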
@@ -1043,7 +1043,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_ENCRYPTED_EXTENSIONS: if (!s->hit && !send_certificate_request(s)) { - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (!SSL_CONNECTION_IS_VERSION13(s) || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } @@ -1060,7 +1060,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_SESSION_TICKET: clear_sys_error(); - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && statem_flush(s) != 1) { + if (SSL_CONNECTION_IS_VERSION13(s) && statem_flush(s) != 1) { if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL && conn_is_closed()) { /* @@ -1477,7 +1477,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) /* Check if this is actually an unexpected renegotiation ClientHello */ if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { - if (!ossl_assert(!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) { + if (!ossl_assert(!SSL_CONNECTION_IS_VERSION13(s))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1748,7 +1748,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* TLSv1.3 specifies that a ClientHello must end on a record boundary */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); goto err; @@ -1816,7 +1816,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { const SSL_CIPHER *cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); 
@@ -1885,7 +1885,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } } - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { memcpy(s->tmp_session_id, s->clienthello->session_id, s->clienthello->session_id_len); s->tmp_session_id_len = s->clienthello->session_id_len; @@ -1895,7 +1895,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check * ciphersuite compatibility with the session as part of resumption. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && s->hit) { + if (!SSL_CONNECTION_IS_VERSION13(s) && s->hit) { j = 0; id = s->session->cipher->id; @@ -1971,7 +1971,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (!s->hit && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0 - && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + && !SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* @@ -2016,7 +2016,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * algorithms from the client, starting at q. */ s->s3.tmp.new_compression = NULL; - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We already checked above that the NULL compression method appears in * the list. Now we check there aren't any others (which is illegal in @@ -2103,7 +2103,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher */ - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { sk_SSL_CIPHER_free(s->peer_ciphers); s->peer_ciphers = ciphers; if (ciphers == NULL) { 
@@ -2287,7 +2287,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) wst = WORK_MORE_B; } if (wst == WORK_MORE_B) { - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { /* Let cert callback update server certificates if required */ if (!s->hit && s->cert->cert_cb != NULL) { int rv = s->cert->cert_cb(ussl, s->cert->cert_cb_arg); @@ -2304,7 +2304,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) } /* In TLSv1.3 we selected the ciphersuite before resumption */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { cipher = ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(ssl)); @@ -2362,7 +2362,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) * we already did this because cipher negotiation happens earlier, and * we must handle ALPN before we decide whether to accept early_data. */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !tls_handle_alpn(s)) { + if (!SSL_CONNECTION_IS_VERSION13(s) && !tls_handle_alpn(s)) { /* SSLfatal() already called */ goto err; } @@ -2478,7 +2478,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) if (!tls_construct_extensions(s, pkt, s->hello_retry_request == SSL_HRR_PENDING ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - : ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + : (SSL_CONNECTION_IS_VERSION13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO : SSL_EXT_TLS1_2_SERVER_HELLO), NULL, 0)) { 
@@ -2834,7 +2834,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, WPACKET *pkt) { - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* Send random context when doing post-handshake auth */ if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { OPENSSL_free(s->pha_context); @@ -3580,7 +3580,7 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) * Freeze the handshake buffer. For pha_context == NULL && PACKET_remaining(&context) != 0) || (s->pha_context != NULL @@ -3679,7 +3679,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, goto err; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { RAW_EXTENSION *rawexts = NULL; PACKET extensions; @@ -3774,7 +3774,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, * Freeze the handshake buffer. For cert_verify_hash, sizeof(s->cert_verify_hash), &s->cert_verify_hash_len)) { @@ -3833,7 +3833,7 @@ CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt * In TLSv1.3 the certificate chain is always preceded by a 0 length context * for the server Certificate message */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !WPACKET_put_bytes_u8(pkt, 0)) { + if (SSL_CONNECTION_IS_VERSION13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -3898,7 +3898,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, */ #define ONE_WEEK_SEC (7 * 24 * 60 * 60) - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (ossl_time_compare(s->session->timeout, ossl_seconds2time(ONE_WEEK_SEC)) > 0) timeout = ONE_WEEK_SEC; 
@@ -3910,7 +3910,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, return 0; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!WPACKET_put_bytes_u32(pkt, age_add) || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -4037,7 +4037,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, * length ticket is not allowed so we abort construction of the * ticket */ - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { ok = CON_FUNC_DONT_SEND; goto err; } @@ -4180,7 +4180,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt age_add_u.age_add = 0; - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { size_t i, hashlen; uint64_t nonce; static const unsigned char nonce_label[] = "resumption"; @@ -4267,7 +4267,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there * is no point in using full stateless tickets. */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && ((s->options & SSL_OP_NO_TICKET) != 0 || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { @@ -4292,7 +4292,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt } } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_NEW_SESSION_TICKET, NULL, 0)) { From 44bfb6aa784a63c64ad4b1373c70d9c4ae156776 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Tue, 26 Mar 2024 19:39:30 +0100 Subject: [PATCH 15/74] Fix wrong dtls 1 and 1.2 version check Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22366) --- ssl/statem/statem_srvr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index b24c4279af..2fdb2eebf1 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1970,8 +1970,9 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } if (!s->hit - && ssl_version_cmp(s, s->version, SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION : TLS1_VERSION) >= 0 + && s->version >= TLS1_VERSION && !SSL_CONNECTION_IS_VERSION13(s) + && !SSL_CONNECTION_IS_DTLS(s) && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* From 33c96b2dc632b51026a970337c4737d7611fecc1 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 12 Oct 2023 14:35:37 +0200 Subject: [PATCH 16/74] Support TLS 1.3 kexs and groups with DTLS 1.3 SSL_CONNECTION_IS_VERSION13 macro is used where appropriate. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22364) --- providers/common/capabilities.c | 16 ++++++++-------- ssl/s3_lib.c | 22 +++++++++++----------- ssl/statem/extensions.c | 10 +++++----- ssl/statem/extensions_clnt.c | 4 ++-- ssl/statem/extensions_srvr.c | 12 ++++++------ ssl/t1_lib.c | 11 +++++------ 6 files changed, 37 insertions(+), 38 deletions(-) diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c index 550eca1af7..2a8fca4693 100644 --- a/providers/common/capabilities.c +++ b/providers/common/capabilities.c 
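Review bot: The restored `s->version >= TLS1_VERSION` test in tls_early_post_process_client_hello is a raw numeric comparison, and every DTLS version value (0xFEFF, 0xFEFD, 0xFEFC) is larger than TLS1_VERSION, so only the added `!SSL_CONNECTION_IS_DTLS(s)` keeps DTLS connections away from `session_secret_cb`. That dependency is easy to break in a later edit. I would put the DTLS test first and document it, e.g. `/* session_secret_cb is TLS-only; the raw version compare below is meaningless for DTLS */` above the condition. The condition's body lies outside the hunk.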
@@ -86,15 +86,15 @@ static const TLS_GROUP_CONSTANTS group_list[] = { DTLS1_VERSION, DTLS1_2_VERSION }, { OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, { OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 }, - { OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, -1, -1 }, + { OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, /* Security bit values as given by BN_security_bits() */ - { OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 }, - { OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 }, + { OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, + { OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0 }, }; #define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index b98464256e..a10d350f92 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -46,7 +46,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AES128GCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, + DTLS1_3_VERSION, DTLS1_3_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC, 128, 
@@ -61,7 +61,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AES256GCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, + DTLS1_3_VERSION, DTLS1_3_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA384 | SSL_QUIC, 256, @@ -77,7 +77,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_CHACHA20POLY1305, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, + DTLS1_3_VERSION, DTLS1_3_VERSION, SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256 | SSL_QUIC, 256, @@ -93,7 +93,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AES128CCM, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, + DTLS1_3_VERSION, DTLS1_3_VERSION, SSL_NOT_DEFAULT | SSL_HIGH, SSL_HANDSHAKE_MAC_SHA256, 128, @@ -108,7 +108,7 @@ static SSL_CIPHER tls13_ciphers[] = { SSL_AES128CCM8, SSL_AEAD, TLS1_3_VERSION, TLS1_3_VERSION, - 0, 0, + DTLS1_3_VERSION, DTLS1_3_VERSION, SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_SHA256, 64, /* CCM8 uses a short tag, so we have a low security strength */ @@ -3731,7 +3731,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { unsigned int id; - if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex) + if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex) id = sc->s3.group_id; else id = sc->session->kex_group; @@ -4319,7 +4319,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl allow = srvr; } - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { #ifndef OPENSSL_NO_PSK size_t j; @@ -4359,7 +4359,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl * Since TLS 1.3 ciphersuites can be used with any auth or * key exchange scheme skip tests. */ - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { mask_k = s->s3.tmp.mask_k; mask_a = s->s3.tmp.mask_a; #ifndef OPENSSL_NO_SRP 
@@ -4902,7 +4902,7 @@ int ssl_gensecret(SSL_CONNECTION *s, unsigned char *pms, size_t pmslen) int rv = 0; /* SSLfatal() called as appropriate in the below functions */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * If we are resuming then we already generated the early secret * when we created the ClientHello, so don't recreate it. @@ -4945,7 +4945,7 @@ int ssl_derive(SSL_CONNECTION *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gense goto err; } - if (SSL_CONNECTION_IS_TLS13(s) && EVP_PKEY_is_a(privkey, "DH")) + if (SSL_CONNECTION_IS_VERSION13(s) && EVP_PKEY_is_a(privkey, "DH")) EVP_PKEY_CTX_set_dh_pad(pctx, 1); pms = OPENSSL_malloc(pmslen); @@ -5097,7 +5097,7 @@ const char *SSL_get0_group_name(SSL *s) if (sc == NULL) return NULL; - if (SSL_CONNECTION_IS_TLS13(sc) && sc->s3.did_kex) + if (SSL_CONNECTION_IS_VERSION13(sc) && sc->s3.did_kex) id = sc->s3.group_id; else id = sc->session->kex_group; diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 375308c5f7..4d5ea66974 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -564,7 +564,7 @@ int extension_is_relevant(SSL_CONNECTION *s, unsigned int extctx, if ((thisctx & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) is_version13 = 1; else - is_version13 = SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s); + is_version13 = SSL_CONNECTION_IS_VERSION13(s); if ((SSL_CONNECTION_IS_DTLS(s) && (extctx & SSL_EXT_TLS_IMPLEMENTATION_ONLY) != 0) @@ -1073,7 +1073,7 @@ static int final_server_name(SSL_CONNECTION *s, unsigned int context, int sent) case SSL_TLSEXT_ERR_ALERT_WARNING: /* (D)TLSv1.3 doesn't have warning alerts so we suppress this */ - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (!SSL_CONNECTION_IS_VERSION13(s)) ssl3_send_alert(s, SSL3_AL_WARNING, altmp); s->servername_done = 0; return 1; 
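Review bot: In ssl_derive (hunk -4945) the result of `EVP_PKEY_CTX_set_dh_pad(pctx, 1)` is discarded, and the call now also guards DTLS 1.3 key exchange. If it fails, derivation continues with an unpadded FFDHE secret, which disagrees with the peer whenever the shared value has leading zero bytes and shows up as an intermittent handshake failure rather than a clear error. Fold the check into the condition, `if (SSL_CONNECTION_IS_VERSION13(s) && EVP_PKEY_is_a(privkey, "DH") && EVP_PKEY_CTX_set_dh_pad(pctx, 1) <= 0)`, and take the function's existing `goto err` path with an internal-error SSLfatal. The surrounding function body is outside the hunk.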
@@ -1180,7 +1180,7 @@ static int final_alpn(SSL_CONNECTION *s, unsigned int context, int sent) if (!s->server && !sent && s->session->ext.alpn_selected != NULL) s->ext.early_data_ok = 0; - if (!s->server || !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (!s->server || !SSL_CONNECTION_IS_VERSION13(s)) return 1; /* @@ -1340,7 +1340,7 @@ static int init_srtp(SSL_CONNECTION *s, unsigned int context) static int final_sig_algs(SSL_CONNECTION *s, unsigned int context, int sent) { - if (!sent && (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && !s->hit) { + if (!sent && SSL_CONNECTION_IS_VERSION13(s) && !s->hit) { SSLfatal(s, TLS13_AD_MISSING_EXTENSION, SSL_R_MISSING_SIGALGS_EXTENSION); return 0; @@ -1364,7 +1364,7 @@ static int final_supported_versions(SSL_CONNECTION *s, unsigned int context, static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) { #if !defined(OPENSSL_NO_TLS1_3) - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (!SSL_CONNECTION_IS_VERSION13(s)) return 1; /* Nothing to do for key_share in an HRR */ diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 2d3486ad34..5b0144187d 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1487,12 +1487,12 @@ int tls_parse_stoc_status_request(SSL_CONNECTION *s, PACKET *pkt, SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION); return 0; } - if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && PACKET_remaining(pkt) > 0) { + if (!SSL_CONNECTION_IS_VERSION13(s) && PACKET_remaining(pkt) > 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); return 0; } - if (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* We only know how to handle this if it's for the first Certificate in * the chain. We ignore any other responses. */ 
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index fa3b8fdfdf..f90e584364 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -136,7 +136,7 @@ int tls_parse_ctos_server_name(SSL_CONNECTION *s, PACKET *pkt, * In (D)TLSv1.2 and below the SNI is associated with the session. In (D)TLSv1.3 * we always use the SNI value from the handshake. */ - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { if (PACKET_remaining(&hostname) > TLSEXT_MAXLEN_host_name) { SSLfatal(s, SSL_AD_UNRECOGNIZED_NAME, SSL_R_BAD_EXTENSION); return 0; @@ -947,7 +947,7 @@ int tls_parse_ctos_supported_groups(SSL_CONNECTION *s, PACKET *pkt, return 0; } - if (!s->hit || (SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) { + if (!s->hit || SSL_CONNECTION_IS_VERSION13(s)) { OPENSSL_free(s->ext.peer_supportedgroups); s->ext.peer_supportedgroups = NULL; s->ext.peer_supportedgroups_len = 0; @@ -1324,7 +1324,7 @@ EXT_RETURN tls_construct_stoc_server_name(SSL_CONNECTION *s, WPACKET *pkt, * Prior to (D)TLSv1.3 we ignore any SNI in the current handshake if resuming. * We just use the servername from the initial handshake. */ - if (s->hit && !(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) + if (s->hit && !SSL_CONNECTION_IS_VERSION13(s)) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name) @@ -1475,7 +1475,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt, if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) && chainidx != 0) + if (SSL_CONNECTION_IS_VERSION13(s) && chainidx != 0) return EXT_RETURN_NOT_SENT; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request) 
@@ -1489,7 +1489,7 @@ EXT_RETURN tls_construct_stoc_status_request(SSL_CONNECTION *s, WPACKET *pkt, * send back an empty extension, with the certificate status appearing as a * separate message */ - if ((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s) && !tls_construct_cert_status_body(s, pkt)) { /* SSLfatal() already called */ return EXT_RETURN_FAIL; @@ -1627,7 +1627,7 @@ EXT_RETURN tls_construct_stoc_supported_versions(SSL_CONNECTION *s, WPACKET *pkt unsigned int context, X509 *x, size_t chainidx) { - if (!ossl_assert((SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s)))) { + if (!ossl_assert(SSL_CONNECTION_IS_VERSION13(s))) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 982f327508..ff45863a58 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -870,11 +870,10 @@ int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id, if (group_minversion > 0) ret &= (ssl_version_cmp(s, maxversion, group_minversion) >= 0); - if (!SSL_CONNECTION_IS_DTLS(s)) { - if (ret && okfortls13 != NULL && maxversion == TLS1_3_VERSION) - *okfortls13 = (group_maxversion == 0) - || (group_maxversion >= TLS1_3_VERSION); - } + if (ret && okfortls13 != NULL && (maxversion == DTLS1_3_VERSION + || maxversion == TLS1_3_VERSION)) + *okfortls13 = (group_maxversion == 0) + || (ssl_version_cmp(s, group_maxversion, maxversion) >= 0); ret &= !isec || strcmp(ginfo->algorithm, "EC") == 0 || strcmp(ginfo->algorithm, "X25519") == 0 @@ -1276,7 +1275,7 @@ static int tls1_check_pkey_comp(SSL_CONNECTION *s, EVP_PKEY *pkey) return 0; if (point_conv == POINT_CONVERSION_UNCOMPRESSED) { comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } else if (SSL_CONNECTION_IS_TLS13(s)) { + } else if (SSL_CONNECTION_IS_VERSION13(s)) { /* * ec_point_formats extension is not used in TLSv1.3 so we ignore * this check. From 031697cf690aa076cac3e5908b90dce084c9535f Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Tue, 23 Jan 2024 15:11:03 +0100 Subject: [PATCH 17/74] Adds dtls 1.3 support in TLS::Proxy Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23375) --- util/perl/TLSProxy/Record.pm | 16 +++++++--------- util/perl/TLSProxy/ServerHello.pm | 3 ++- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/util/perl/TLSProxy/Record.pm b/util/perl/TLSProxy/Record.pm index 460991e8aa..f55e4ac3a4 100644 --- a/util/perl/TLSProxy/Record.pm +++ b/util/perl/TLSProxy/Record.pm @@ -36,6 +36,7 @@ my %record_type = ( ); use constant { + VERS_DTLS_1_3 => 0xfefc, VERS_DTLS_1_2 => 0xfefd, VERS_DTLS_1 => 0xfeff, VERS_TLS_1_4 => 0x0305, @@ -48,6 +49,7 @@ use constant { }; our %tls_version = ( + VERS_DTLS_1_3, "DTLS1.3", VERS_DTLS_1_2, "DTLS1.2", VERS_DTLS_1, "DTLS1", VERS_TLS_1_3, "TLS1.3", @@ -391,21 +393,17 @@ sub reconstruct_record if ($self->sslv2) { $data = pack('n', $self->len | 0x8000); } else { + my $content_type = (TLSProxy::Proxy->is_tls13() && $self->encrypted) + ? $self->outer_content_type : $self->content_type; if($self->{isdtls}) { my $seqhi = ($self->seq >> 32) & 0xffff; my $seqmi = ($self->seq >> 16) & 0xffff; my $seqlo = ($self->seq >> 0) & 0xffff; - $data = pack('Cnnnnnn', $self->content_type, $self->version, + $data = pack('Cnnnnnn', $content_type, $self->version, $self->epoch, $seqhi, $seqmi, $seqlo, $self->len); } else { - if (TLSProxy::Proxy->is_tls13() && $self->encrypted) { - $data = pack('Cnn', $self->outer_content_type, $self->version, - $self->len); - } - else { - $data = pack('Cnn', $self->content_type, $self->version, - $self->len); - } + $data = pack('Cnn', $content_type, $self->version, + $self->len); } } diff --git a/util/perl/TLSProxy/ServerHello.pm b/util/perl/TLSProxy/ServerHello.pm index a1dabaa2b3..3741898a3e 100644 --- a/util/perl/TLSProxy/ServerHello.pm +++ b/util/perl/TLSProxy/ServerHello.pm 
@@ -111,7 +111,8 @@ sub parse if ($random eq $hrrrandom) { TLSProxy::Proxy->is_tls13(1); - } elsif ($neg_version == TLSProxy::Record::VERS_TLS_1_3) { + } elsif ($neg_version == TLSProxy::Record::VERS_TLS_1_3 + || $neg_version == TLSProxy::Record::VERS_DTLS_1_3) { TLSProxy::Proxy->is_tls13(1); TLSProxy::Record->server_encrypting(1); From 3165d63294945b3d8a119248e7ecb4ada4f85179 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 12 Oct 2023 13:55:32 +0200 Subject: [PATCH 18/74] Don't allow renegotiation for DTLS 1.3 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22362) --- apps/include/s_apps.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index 33c3b6278c..85eb6dcf36 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -16,7 +16,9 @@ #define PROTOCOL "tcp" #define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \ - (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION)) + ((SSL_is_dtls(s) && (SSL_version(s) > DTLS1_3_VERSION \ + || SSL_version(s) == DTLS1_BAD_VER)) \ + || (!SSL_is_dtls(s) && SSL_version(s) < TLS1_3_VERSION)) typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context); void get_sock_info_address(int asock, char **hostname, char **service); From 50da738ed1998999522ade855686aa5c3697ccb3 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 12 Oct 2023 13:19:50 +0200 Subject: [PATCH 19/74] Make dtls1.3 changes to dtls1_read_bytes and do_dtls1_write which matches ssl3_read_bytes and ssl3_write_bytes Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22360) --- ssl/record/rec_layer_d1.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index d55887d9aa..1fb51d27e9 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c 
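Review bot: `SSL_VERSION_ALLOWS_RENEGOTIATION` in s_apps.h reads as if it allowed renegotiation for DTLS versions newer than 1.3, because `SSL_version(s) > DTLS1_3_VERSION` depends on DTLS version numbers counting downwards. The test is correct for the values in prov_ssl.h, and DTLS1_BAD_VER (0x0100) needs its own clause only because it falls outside that ordering. I would add a comment above the macro such as `/* DTLS versions decrease numerically: 0xFEFF (1.0) > 0xFEFD (1.2) > 0xFEFC (1.3) */`. The macro also evaluates `s` up to five times, so callers must not pass an expression with side effects.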
@@ -204,10 +204,13 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, TLS_RECORD *rr; void (*cb) (const SSL *ssl, int type2, int val) = NULL; SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); + int is_dtls13; if (sc == NULL) return -1; + is_dtls13 = SSL_CONNECTION_IS_DTLS13(sc); + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { @@ -312,7 +315,8 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, if (type == rr->type || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC - && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) { + && type == SSL3_RT_HANDSHAKE && recvd_type != NULL + && !is_dtls13)) { /* * SSL3_RT_APPLICATION_DATA or * SSL3_RT_HANDSHAKE or @@ -405,7 +409,8 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, cb(s, SSL_CB_READ_ALERT, j); } - if (alert_level == SSL3_AL_WARNING) { + if ((!is_dtls13 && alert_level == SSL3_AL_WARNING) + || (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED)) { sc->s3.warn_alert = alert_descr; if (!ssl_release_record(sc, rr, 0)) return -1; @@ -417,7 +422,13 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, return -1; } - if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + /* + * Apart from close_notify the only other warning alert in DTLSv1.3 + * is user_cancelled - which we just ignore. + */ + if (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED) { + goto start; + } else if (alert_descr == SSL_AD_CLOSE_NOTIFY) { #ifndef OPENSSL_NO_SCTP /* * With SCTP and streams the socket may deliver app data @@ -436,7 +447,7 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, sc->shutdown |= SSL_RECEIVED_SHUTDOWN; return 0; } - } else if (alert_level == SSL3_AL_FATAL) { + } else if (alert_level == SSL3_AL_FATAL || is_dtls13) { sc->rwstate = SSL_NOTHING; sc->s3.fatal_alert = alert_descr; SSLfatal_data(sc, SSL_AD_NO_ALERT, 
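Review bot: A close_notify received on a DTLS 1.3 connection looks like it is handled as a fatal alert in dtls1_read_bytes. Going by the braces visible in hunks -417 and -436, the `alert_descr == SSL_AD_CLOSE_NOTIFY` branch is still nested inside the block opened in hunk -405, whose condition for DTLS 1.3 is true only for `SSL_AD_USER_CANCELLED`. A close_notify therefore skips that block and lands in `else if (alert_level == SSL3_AL_FATAL || is_dtls13)`, so the peer's orderly shutdown is reported as an error and `SSL_RECEIVED_SHUTDOWN` is never set. The code between the hunks is not shown, so this needs confirming. The fix would be to close the warning-count block before the user_cancelled test and make the shutdown branch `else if (alert_descr == SSL_AD_CLOSE_NOTIFY && (is_dtls13 || alert_level == SSL3_AL_WARNING))`.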
@@ -643,13 +654,15 @@ int do_dtls1_write(SSL_CONNECTION *sc, uint8_t type, const unsigned char *buf, } tmpl.type = type; + if (sc->version == DTLS1_3_VERSION) + tmpl.version = DTLS1_2_VERSION; /* * Special case: for hello verify request, client version 1.0 and we * haven't decided which version to use yet send back using version 1.0 * header: otherwise some clients will ignore it. */ - if (s->method->version == DTLS_ANY_VERSION - && sc->max_proto_version != DTLS1_BAD_VER) + else if (s->method->version == DTLS_ANY_VERSION + && sc->max_proto_version != DTLS1_BAD_VER) tmpl.version = DTLS1_VERSION; else tmpl.version = sc->version; From c967dc7a5c22ca1fd092ec99f3e6a0cef197199f Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 16 Oct 2023 10:02:32 +0200 Subject: [PATCH 20/74] Adds some more changes dtls specific functions to make them more in sync with their tls counterparts. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22360) --- ssl/record/methods/dtls_meth.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ssl/record/methods/dtls_meth.c b/ssl/record/methods/dtls_meth.c index a69629b07b..6cda9f582f 100644 --- a/ssl/record/methods/dtls_meth.c +++ b/ssl/record/methods/dtls_meth.c @@ -449,7 +449,10 @@ int dtls_get_more_records(OSSL_RECORD_LAYER *rl) * Lets check the version. We tolerate alerts that don't have the exact * version number (e.g. because of protocol version errors) */ - if (!rl->is_first_record && rr->type != SSL3_RT_ALERT) { + if (!rl->is_first_record && rr->type != SSL3_RT_ALERT + /* DTLSv1.3 records sets the legacy version field to DTLSv1.2 */ + && !(rr->rec_version == DTLS1_2_VERSION + && rl->version == DTLS1_3_VERSION)) { if (rr->rec_version != rl->version) { /* unexpected version, silently discard */ rr->length = 0; 
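Review bot: In do_dtls1_write() the "Special case: for hello verify request" comment now sits between the unbraced `if (sc->version == DTLS1_3_VERSION)` body and its `else if`, so the three-way chain is easy to misread. The new branch also carries no explanation of its own. Bracing the three arms and giving the first its own comment, such as `/* DTLSv1.3 records carry DTLSv1.2 in the legacy version field */` (the wording patch 20/74 uses on the read side), would make the precedence explicit. Because the DTLS 1.3 test runs before the hello-verify special case, it is worth confirming that `sc->version` cannot already be `DTLS1_3_VERSION` while a HelloVerifyRequest is sent under `DTLS_ANY_VERSION`; nothing in this hunk shows that.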
@@ -665,6 +668,9 @@ dtls_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers, case DTLS_ANY_VERSION: (*retrl)->funcs = &dtls_any_funcs; break; + case DTLS1_3_VERSION: + (*retrl)->funcs = &dtls_1_3_funcs; + break; case DTLS1_2_VERSION: case DTLS1_VERSION: case DTLS1_BAD_VER: @@ -782,7 +788,7 @@ const OSSL_RECORD_METHOD ossl_dtls_record_method = { tls_get_alert_code, tls_set1_bio, tls_set_protocol_version, - NULL, + tls_set_plain_alerts, tls_set_first_handshake, tls_set_max_pipelines, dtls_set_in_init, From b83a25638e5dfc43f1f00058b0822e79c18e3ef7 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 16 Oct 2023 10:43:17 +0200 Subject: [PATCH 21/74] Make similar changes to dtls1_do_write() for dtls1.3 as in ssl3_do_write() for tls1.3 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22360) --- ssl/statem/statem_dtls.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index b583e312d9..ccffe02c22 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -288,9 +288,19 @@ int dtls1_do_write(SSL_CONNECTION *s, uint8_t type) p += DTLS1_HM_HEADER_LENGTH; xlen = written - DTLS1_HM_HEADER_LENGTH; } - - if (!ssl3_finish_mac(s, p, xlen)) - return -1; + /* + * should not be done for 'Hello Request's, but in that case we'll + * ignore the result anyway + * DTLS1.3 KeyUpdate and NewSessionTicket do not need to be added + */ + if (!SSL_CONNECTION_IS_DTLS13(s) + || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET + && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE + && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) { + if (!ssl3_finish_mac(s, p, xlen)) { + return -1; + } + } } if (written == s->init_num) { From 8c90f9b8c233089bb3ac24f96d24088f152bc758 Mon Sep 17 00:00:00 2001 
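Review bot: The comment added in dtls1_do_write() (ssl/statem/statem_dtls.c) repeats "should not be done for 'Hello Request's, but in that case we'll ignore the result anyway", which already heads the enclosing `if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting)` block, as the context of patch 24/74 shows. The appended DTLS 1.3 sentence does not say what the messages are "added" to. I would keep only the new part and make it specific: `/* DTLSv1.3 KeyUpdate and NewSessionTicket are not fed into the handshake hash by ssl3_finish_mac() */`. The exclusion is keyed on `s->statem.hand_state`, so it is worth confirming that the state is still one of the three listed values for every fragment this function writes. The function starts and ends outside the hunk.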
From: Frederik Wedel-Heinen Date: Tue, 19 Dec 2023 10:37:53 +0100 Subject: [PATCH 22/74] Handle alerts similarly in dtls1_read_bytes() as done in ssl3_read_bytes() Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22360) --- ssl/record/rec_layer_d1.c | 56 ++++++++++++++++++++------------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 1fb51d27e9..22f537f005 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c 
@@ -421,32 +421,33 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, SSL_R_TOO_MANY_WARN_ALERTS); return -1; } + } - /* - * Apart from close_notify the only other warning alert in DTLSv1.3 - * is user_cancelled - which we just ignore. - */ - if (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED) { - goto start; - } else if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + /* + * Apart from close_notify the only other warning alert in DTLSv1.3 + * is user_cancelled - which we just ignore. + */ + if (is_dtls13 && alert_descr == SSL_AD_USER_CANCELLED) { + goto start; + } else if (alert_descr == SSL_AD_CLOSE_NOTIFY + && (is_dtls13 || alert_level == SSL3_AL_WARNING)) { #ifndef OPENSSL_NO_SCTP - /* - * With SCTP and streams the socket may deliver app data - * after a close_notify alert. We have to check this first so - * that nothing gets discarded. - */ - if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && - BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) > 0) { - sc->d1->shutdown_received = 1; - sc->rwstate = SSL_READING; - BIO_clear_retry_flags(SSL_get_rbio(s)); - BIO_set_retry_read(SSL_get_rbio(s)); - return -1; - } -#endif - sc->shutdown |= SSL_RECEIVED_SHUTDOWN; - return 0; + /* + * With SCTP and streams the socket may deliver app data + * after a close_notify alert. We have to check this first so + * that nothing gets discarded. + */ + if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && + BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) > 0) { + sc->d1->shutdown_received = 1; + sc->rwstate = SSL_READING; + BIO_clear_retry_flags(SSL_get_rbio(s)); + BIO_set_retry_read(SSL_get_rbio(s)); + return -1; } +#endif + sc->shutdown |= SSL_RECEIVED_SHUTDOWN; + return 0; } else if (alert_level == SSL3_AL_FATAL || is_dtls13) { sc->rwstate = SSL_NOTHING; sc->s3.fatal_alert = alert_descr; 
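Review bot: A DTLS 1.3 close_notify now reaches `sc->shutdown |= SSL_RECEIVED_SHUTDOWN; return 0;` without passing the only `ssl_release_record(sc, rr, 0)` call that precedes it in the visible hunks. That call is inside the warning block, which for DTLS 1.3 is entered only for user_cancelled. The SCTP early return is affected too: it sets `SSL_READING` and returns -1 so the caller retries, apparently with the alert record still current. Unless the record is released somewhere not shown here, the close_notify branch should release it itself when the warning block was skipped, e.g. `if (is_dtls13 && !ssl_release_record(sc, rr, 0)) return -1;` as its first statement. The function continues outside this hunk, so this needs checking against the full body.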
@@ -458,12 +459,13 @@ int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type, return -1; SSL_CTX_remove_session(sc->session_ctx, sc->session); return 0; - } else { - SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); - return -1; + } else if (alert_level == SSL3_AL_WARNING) { + /* We ignore any other warning alert in (D)TLSv1.2 and below */ + goto start; } - goto start; + SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE); + return -1; } if (sc->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a From f29cf02239b463a1fab49b7531e54d6b07c54033 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 13:08:42 +0200 Subject: [PATCH 23/74] Support TLS1.3 sigalg logic in DTLS1.3 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22380) --- ssl/t1_lib.c | 54 ++++++++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index ff45863a58..3083d6d499 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2021,13 +2021,13 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) pkeyid = EVP_PKEY_get_id(pkey); - if (SSL_CONNECTION_IS_TLS13(s)) { - /* Disallow DSA for TLS 1.3 */ + if (SSL_CONNECTION_IS_VERSION13(s)) { + /* Disallow DSA for (D)TLS 1.3 */ if (pkeyid == EVP_PKEY_DSA) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_SIGNATURE_TYPE); return 0; } - /* Only allow PSS for TLS 1.3 */ + /* Only allow PSS for (D)TLS 1.3 */ if (pkeyid == EVP_PKEY_RSA) pkeyid = EVP_PKEY_RSA_PSS; } 
@@ -2041,11 +2041,11 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) return -1; /* - * Check sigalgs is known. Disallow SHA1/SHA224 with TLS 1.3. Check key type + * Check sigalgs is known. Disallow SHA1/SHA224 with (D)TLS 1.3. Check key type * is consistent with signature: RSA keys can be used for RSA-PSS */ if (lu == NULL - || (SSL_CONNECTION_IS_TLS13(s) + || (SSL_CONNECTION_IS_VERSION13(s) && (lu->hash == NID_sha1 || lu->hash == NID_sha224)) || (pkeyid != lu->sig && (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) { @@ -2070,8 +2070,8 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) return 0; } - /* For TLS 1.3 or Suite B check curve matches signature algorithm */ - if (SSL_CONNECTION_IS_TLS13(s) || tls1_suiteb(s)) { + /* For (D)TLS 1.3 or Suite B check curve matches signature algorithm */ + if (SSL_CONNECTION_IS_VERSION13(s) || tls1_suiteb(s)) { int curve = ssl_get_EC_curve_nid(pkey); if (lu->curve != NID_undef && curve != lu->curve) { @@ -2079,7 +2079,7 @@ int tls12_check_peer_sigalg(SSL_CONNECTION *s, uint16_t sig, EVP_PKEY *pkey) return 0; } } - if (!SSL_CONNECTION_IS_TLS13(s)) { + if (!SSL_CONNECTION_IS_VERSION13(s)) { /* Check curve matches extensions */ if (!tls1_check_group_id(s, tls1_get_group_id(pkey), 1)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); 
@@ -2640,18 +2640,19 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, { unsigned char sigalgstr[2]; int secbits; + int dsa_version_limit; if (lu == NULL || !lu->enabled) return 0; - /* DSA is not allowed in TLS 1.3 */ - if (SSL_CONNECTION_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA) + /* DSA is not allowed in (D)TLSv1.3 */ + if (SSL_CONNECTION_IS_VERSION13(s) && lu->sig == EVP_PKEY_DSA) return 0; /* - * At some point we should fully axe DSA/etc. in ClientHello as per TLS 1.3 + * At some point we should fully axe DSA/etc. in ClientHello as per (D)TLSv1.3 * spec */ - if (!s->server && !SSL_CONNECTION_IS_DTLS(s) - && s->s3.tmp.min_ver >= TLS1_3_VERSION + dsa_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (!s->server && ssl_version_cmp(s, s->s3.tmp.min_ver, dsa_version_limit) >= 0 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX || lu->hash_idx == SSL_MD_MD5_IDX || lu->hash_idx == SSL_MD_SHA224_IDX)) 
@@ -2664,22 +2665,25 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, if (lu->sig == NID_id_GostR3410_2012_256 || lu->sig == NID_id_GostR3410_2012_512 || lu->sig == NID_id_GostR3410_2001) { - /* We never allow GOST sig algs on the server with TLSv1.3 */ - if (s->server && SSL_CONNECTION_IS_TLS13(s)) + int any_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION : TLS_ANY_VERSION; + int gost_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + + /* We never allow GOST sig algs on the server with (D)TLSv1.3 */ + if (s->server && SSL_CONNECTION_IS_VERSION13(s)) return 0; if (!s->server - && SSL_CONNECTION_GET_SSL(s)->method->version == TLS_ANY_VERSION - && s->s3.tmp.max_ver >= TLS1_3_VERSION) { + && SSL_CONNECTION_GET_SSL(s)->method->version == any_version + && ssl_version_cmp(s, s->s3.tmp.max_ver, gost_version_limit) >= 0) { int i, num; STACK_OF(SSL_CIPHER) *sk; /* - * We're a client that could negotiate TLSv1.3. We only allow GOST - * sig algs if we could negotiate TLSv1.2 or below and we have GOST + * We're a client that could negotiate (D)TLSv1.3. We only allow GOST + * sig algs if we could negotiate (D)TLSv1.2 or below and we have GOST * ciphersuites enabled. */ - if (s->s3.tmp.min_ver >= TLS1_3_VERSION) + if (ssl_version_cmp(s, s->s3.tmp.min_ver, gost_version_limit) >= 0) return 0; sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)); @@ -2761,7 +2765,7 @@ int tls12_copy_sigalgs(SSL_CONNECTION *s, WPACKET *pkt, * If TLS 1.3 must have at least one valid TLS 1.3 message * signing algorithm: i.e. neither RSA nor SHA1/SHA224 */ - if (rv == 0 && (!SSL_CONNECTION_IS_TLS13(s) + if (rv == 0 && (!SSL_CONNECTION_IS_VERSION13(s) || (lu->sig != EVP_PKEY_RSA && lu->hash != NID_sha1 && lu->hash != NID_sha224))) 
@@ -2912,7 +2916,7 @@ int tls1_process_sigalgs(SSL_CONNECTION *s) int idx = sigptr->sig_idx; /* Ignore PKCS1 based sig algs in TLSv1.3 */ - if (SSL_CONNECTION_IS_TLS13(s) && sigptr->sig == EVP_PKEY_RSA) + if (SSL_CONNECTION_IS_VERSION13(s) && sigptr->sig == EVP_PKEY_RSA) continue; /* If not disabled indicate we can explicitly sign */ if (pvalid[idx] == 0 @@ -3214,7 +3218,7 @@ static int tls1_check_sig_alg(SSL_CONNECTION *s, X509 *x, int default_nid) if (default_nid) return sig_nid == default_nid ? 1 : 0; - if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { + if (SSL_CONNECTION_IS_VERSION13(s) && s->s3.tmp.peer_cert_sigalgs != NULL) { /* * If we're in TLSv1.3 then we only get here if we're checking the * chain. If the peer has specified peer_cert_sigalgs then we use them @@ -3404,7 +3408,7 @@ int tls1_check_chain(SSL_CONNECTION *s, X509 *x, EVP_PKEY *pk, } } /* Check signature algorithm of each cert in chain */ - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We only get here if the application has called SSL_check_chain(), * so check_flags is always set. @@ -3901,7 +3905,7 @@ int tls_choose_sigalg(SSL_CONNECTION *s, int fatalerrs) s->s3.tmp.cert = NULL; s->s3.tmp.sigalg = NULL; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { lu = find_sig_alg(s, NULL, NULL); if (lu == NULL) { if (!fatalerrs) From 30386820fb095a4dd7735fa75203e90d600119bb Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 16 Oct 2023 14:34:36 +0200 Subject: [PATCH 24/74] Removes an mtu assertion that fails Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22401) --- ssl/statem/statem_dtls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index ccffe02c22..819d41d3f6 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c 
@@ -259,9 +259,11 @@ int dtls1_do_write(SSL_CONNECTION *s, uint8_t type) * because in a production build, if this assert were ever to fail, * then the best thing to do is probably carry on regardless. */ +#if 0 + /* TODO(DTLS-1.3): Re-enable this assert. */ assert(s->s3.tmp.new_compression != NULL || BIO_wpending(s->wbio) <= (int)s->d1->mtu); - +#endif if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { /* * should not be done for 'Hello Request's, but in that case From 73d1d24c0cf314e2c933eb6552af48d6c6a96aa7 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 13:57:43 +0200 Subject: [PATCH 25/74] Update session id and ticket logic for dtls13 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22936) --- ssl/ssl_sess.c | 13 +++++++------ ssl/t1_lib.c | 8 ++++---- ssl/t1_trce.c | 4 ++-- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 69149de050..4414b679f2 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -362,6 +362,7 @@ int ssl_generate_session_id(SSL_CONNECTION *s, SSL_SESSION *ss) case DTLS1_BAD_VER: case DTLS1_VERSION: case DTLS1_2_VERSION: + case DTLS1_3_VERSION: ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; break; default: @@ -456,7 +457,7 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session) s->session = NULL; if (session) { - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * We generate the session id while constructing the * NewSessionTicket in TLSv1.3. @@ -590,7 +591,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) int try_session_cache = 0; SSL_TICKET_STATUS r; - if (SSL_CONNECTION_IS_TLS13(s)) { + if (SSL_CONNECTION_IS_VERSION13(s)) { /* * By default we will send a new ticket. This can be overridden in the * ticket processing. 
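Review bot: The `#if 0` in dtls1_do_write() disables the MTU assertion for every DTLS version, although the commit's reason is a failure on the DTLS 1.3 path. DTLS 1.2 and earlier lose a check that caught more than `s->d1->mtu` bytes pending in the write BIO. Keeping it for the older protocols costs one term: `assert(SSL_CONNECTION_IS_DTLS13(s) || s->s3.tmp.new_compression != NULL || BIO_wpending(s->wbio) <= (int)s->d1->mtu);`. The TODO should also record why the assertion fires for DTLS 1.3, because pending data larger than the MTU may mean handshake datagrams can exceed the path MTU rather than that the assertion is stale. The explanatory comment directly above the assert now describes disabled code and should move inside the `#if 0` or be reworded.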
@@ -685,8 +686,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) goto err; } - if (!SSL_CONNECTION_IS_TLS13(s)) { - /* We already did this for TLS1.3 */ + if (!SSL_CONNECTION_IS_VERSION13(s)) { + /* We already did this for (D)TLS1.3 */ SSL_SESSION_free(s->session); s->session = ret; } @@ -698,8 +699,8 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) err: if (ret != NULL) { SSL_SESSION_free(ret); - /* In TLSv1.3 s->session was already set to ret, so we NULL it out */ - if (SSL_CONNECTION_IS_TLS13(s)) + /* In (D)TLSv1.3 s->session was already set to ret, so we NULL it out */ + if (SSL_CONNECTION_IS_VERSION13(s)) s->session = NULL; if (!try_session_cache) { diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 3083d6d499..96570e3dd9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2323,7 +2323,7 @@ SSL_TICKET_STATUS tls_get_ticket_from_client(SSL_CONNECTION *s, s->ext.ticket_expected = 0; /* - * If tickets disabled or not supported by the protocol version + * If tickets are disabled or not supported by the protocol version * (e.g. TLSv1.3) behave as if no ticket present to permit stateful * resumption. */ @@ -2389,7 +2389,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, ret = SSL_TICKET_EMPTY; goto end; } - if (!SSL_CONNECTION_IS_TLS13(s) && s->ext.session_secret_cb) { + if (!SSL_CONNECTION_IS_VERSION13(s) && s->ext.session_secret_cb) { /* * Indicate that the ticket couldn't be decrypted rather than * generating the session from ticket now, trigger @@ -2474,7 +2474,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, goto end; } EVP_CIPHER_free(aes256cbc); - if (SSL_CONNECTION_IS_TLS13(s)) + if (SSL_CONNECTION_IS_VERSION13(s)) renew_ticket = 1; } /* 
@@ -2620,7 +2620,7 @@ SSL_TICKET_STATUS tls_decrypt_ticket(SSL_CONNECTION *s, } } - if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_TLS13(s)) { + if (s->ext.session_secret_cb == NULL || SSL_CONNECTION_IS_VERSION13(s)) { switch (ret) { case SSL_TICKET_NO_DECRYPT: case SSL_TICKET_SUCCESS_RENEW: diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 45d5fb0d27..87a16f3698 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1565,7 +1565,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, msg += 4; BIO_indent(bio, indent + 2, 80); BIO_printf(bio, "ticket_lifetime_hint=%u\n", tick_life); - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { unsigned int ticket_age_add; if (msglen < 4) @@ -1585,7 +1585,7 @@ static int ssl_print_ticket(BIO *bio, int indent, const SSL_CONNECTION *sc, } if (!ssl_print_hexbuf(bio, indent + 2, "ticket", 2, &msg, &msglen)) return 0; - if (SSL_CONNECTION_IS_TLS13(sc) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_print_extensions(bio, indent + 2, 0, SSL3_MT_NEWSESSION_TICKET, &msg, &msglen)) return 0; From 61039932505414bbef6947b5b97ecd42ff046b31 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 16 Oct 2023 09:57:00 +0200 Subject: [PATCH 26/74] Fix session print for dtls1.3 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22936) --- ssl/ssl_txt.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index d928cb9bbd..7f7af8a53a 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -35,11 +35,12 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) { size_t i; const char *s; - int istls13; + int isversion13; if (x == NULL) goto err; - istls13 = (x->ssl_version == TLS1_3_VERSION); + isversion13 = (x->ssl_version == TLS1_3_VERSION) + || (x->ssl_version == DTLS1_3_VERSION); if (BIO_puts(bp, "SSL-Session:\n") <= 0) goto err; s = ssl_protocol_to_string(x->ssl_version); 
@@ -74,7 +75,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0) goto err; } - if (istls13) { + if (isversion13) { if (BIO_puts(bp, "\n Resumption PSK: ") <= 0) goto err; } else if (BIO_puts(bp, "\n Master-Key: ") <= 0) @@ -153,7 +154,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) x->flags & SSL_SESS_FLAG_EXTMS ? "yes" : "no") <= 0) goto err; - if (istls13) { + if (isversion13) { if (BIO_printf(bp, " Max Early Data: %u\n", (unsigned int)x->ext.max_early_data) <= 0) goto err; From e41c916a229cb4f981bc6a8314a5cfe2849a4c40 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 10:06:06 +0200 Subject: [PATCH 27/74] tls_post_encryption_processing_default() and tls_validate_record_header() Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22376) --- ssl/record/methods/tls_common.c | 3 ++- ssl/record/methods/tlsany_meth.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 80d4477bd0..427655d1c2 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -1721,12 +1721,13 @@ int tls_post_encryption_processing_default(OSSL_RECORD_LAYER *rl, if (rl->msg_callback != NULL) { unsigned char *recordstart; + const int version1_3 = rl->isdtls ? DTLS1_3_VERSION : TLS1_3_VERSION; recordstart = WPACKET_get_curr(thispkt) - len - headerlen; rl->msg_callback(1, thiswr->rec_version, SSL3_RT_HEADER, recordstart, headerlen, rl->cbarg); - if (rl->version == TLS1_3_VERSION && rl->enc_ctx != NULL) { + if (rl->version == version1_3 && rl->enc_ctx != NULL) { unsigned char ctype = thistempl->type; rl->msg_callback(1, thiswr->rec_version, SSL3_RT_INNER_CONTENT_TYPE, diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c index 3f73f9ebdd..0cf04d7fa7 100644 --- a/ssl/record/methods/tlsany_meth.c 
+++ b/ssl/record/methods/tlsany_meth.c @@ -54,6 +54,8 @@ static int tls_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) return 0; } } else { + const int version1_3 = rl->isdtls ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (rl->version == TLS_ANY_VERSION) { if ((rec->rec_version >> 8) != SSL3_VERSION_MAJOR) { if (rl->is_first_record) { @@ -86,7 +88,7 @@ static int tls_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) return 0; } } - } else if (rl->version == TLS1_3_VERSION) { + } else if (rl->version == version1_3) { /* * In this case we know we are going to negotiate TLSv1.3, but we've * had an HRR, so we haven't actually done so yet. In TLSv1.3 we From 34538ecc51c309e2b363ff15a5df42b6c3909d99 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 11:33:02 +0200 Subject: [PATCH 28/74] Fix ssl_lib functions for dtls 1.3 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22378) --- ssl/ssl_lib.c | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 46ecdd4f85..0e133bdded 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2785,7 +2785,7 @@ int SSL_key_update(SSL *s, int updatetype) if (sc == NULL) return 0; - if (!SSL_CONNECTION_IS_TLS13(sc)) { + if (!SSL_CONNECTION_IS_VERSION13(sc)) { ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); return 0; } @@ -2832,7 +2832,7 @@ int SSL_get_key_update_type(const SSL *s) */ static int can_renegotiate(const SSL_CONNECTION *sc) { - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); return 0; } 
@@ -2899,7 +2899,7 @@ int SSL_new_session_ticket(SSL *s) /* If we are in init because we're sending tickets, okay to send more. */ if ((SSL_in_init(s) && sc->ext.extra_tickets_expected == 0) || SSL_IS_FIRST_HANDSHAKE(sc) || !sc->server - || !SSL_CONNECTION_IS_TLS13(sc)) + || !SSL_CONNECTION_IS_VERSION13(sc)) return 0; sc->ext.extra_tickets_expected++; if (!RECORD_LAYER_write_pending(&sc->rlayer) && !SSL_in_init(s)) @@ -3457,21 +3457,21 @@ const char *SSL_get_servername(const SSL *s, const int type) if (server) { /** * Server side - * In TLSv1.3 on the server SNI is not associated with the session - * but in TLSv1.2 or below it is. + * In (D)TLSv1.3 on the server SNI is not associated with the session + * but in (D)TLSv1.2 or below it is. * * Before the handshake: * - return NULL * - * During/after the handshake (TLSv1.2 or below resumption occurred): + * During/after the handshake ((D)TLSv1.2 or below resumption occurred): * - If a servername was accepted by the server in the original * handshake then it will return that servername, or NULL otherwise. * - * During/after the handshake (TLSv1.2 or below resumption did not occur): + * During/after the handshake ((D)TLSv1.2 or below resumption did not occur): * - The function will return the servername requested by the client in * this handshake or NULL if none was requested. */ - if (sc->hit && !SSL_CONNECTION_IS_TLS13(sc)) + if (sc->hit && !SSL_CONNECTION_IS_VERSION13(sc)) return sc->session->ext.hostname; } else { /** 
@@ -3480,29 +3480,32 @@ const char *SSL_get_servername(const SSL *s, const int type) * Before the handshake: * - If a servername has been set via a call to * SSL_set_tlsext_host_name() then it will return that servername - * - If one has not been set, but a TLSv1.2 resumption is being + * - If one has not been set, but a (D)TLSv1.2 resumption is being * attempted and the session from the original handshake had a * servername accepted by the server then it will return that * servername * - Otherwise it returns NULL * - * During/after the handshake (TLSv1.2 or below resumption occurred): + * During/after the handshake ((D)TLSv1.2 or below resumption occurred): * - If the session from the original handshake had a servername accepted * by the server then it will return that servername. * - Otherwise it returns the servername set via * SSL_set_tlsext_host_name() (or NULL if it was not called). * - * During/after the handshake (TLSv1.2 or below resumption did not occur): + * During/after the handshake ((D)TLSv1.2 or below resumption did not occur): * - It will return the servername set via SSL_set_tlsext_host_name() * (or NULL if it was not called). */ if (SSL_in_before(s)) { + const int version1_3 = SSL_CONNECTION_IS_DTLS(sc) ? DTLS1_3_VERSION + : TLS1_3_VERSION; + if (sc->ext.hostname == NULL && sc->session != NULL - && sc->session->ssl_version != TLS1_3_VERSION) + && sc->session->ssl_version != version1_3) return sc->session->ext.hostname; } else { - if (!SSL_CONNECTION_IS_TLS13(sc) && sc->hit + if (!SSL_CONNECTION_IS_VERSION13(sc) && sc->hit && sc->session->ext.hostname != NULL) return sc->session->ext.hostname; } 
@@ -3807,12 +3810,15 @@ int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, const unsigned char *context, size_t contextlen) { + int version1_3; SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); if (sc == NULL) return -1; - if (sc->version != TLS1_3_VERSION) + version1_3 = SSL_CONNECTION_IS_DTLS(sc) ? DTLS1_3_VERSION : TLS1_3_VERSION; + + if (sc->version != version1_3) return 0; return tls13_export_keying_material_early(sc, out, olen, label, llen, @@ -4649,7 +4655,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) i = s->session_ctx->session_cache_mode; if ((i & mode) != 0 - && (!s->hit || SSL_CONNECTION_IS_TLS13(s))) { + && (!s->hit || SSL_CONNECTION_IS_VERSION13(s))) { /* * Add the session to the internal cache. In server side TLSv1.3 we * normally don't do this because by default it's a full stateless ticket @@ -4662,7 +4668,7 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) * - SSL_OP_NO_TICKET is set in which case it is a stateful ticket */ if ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) == 0 - && (!SSL_CONNECTION_IS_TLS13(s) + && (!SSL_CONNECTION_IS_VERSION13(s) || !s->server || (s->max_early_data > 0 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0) @@ -7275,7 +7281,7 @@ int SSL_verify_client_post_handshake(SSL *ssl) if (sc == NULL) return 0; - if (!SSL_CONNECTION_IS_TLS13(sc)) { + if (!SSL_CONNECTION_IS_VERSION13(sc)) { ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_SSL_VERSION); return 0; } From 2af74c5a163295e114a522792798667864d808b0 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 26 Apr 2024 10:44:01 +0200 Subject: [PATCH 29/74] Sanity tests of inputs to ssl_version_cmp Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24293) --- ssl/s3_lib.c | 5 +++-- ssl/statem/statem_clnt.c | 3 ++- ssl/statem/statem_lib.c | 28 ++++++++++++++++++---------- ssl/t1_lib.c | 5 +++-- 4 files changed, 26 insertions(+), 15 deletions(-) 
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index a10d350f92..8f85ef9d33 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -4351,8 +4351,9 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *cl maxversion = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; /* Skip ciphers not supported by the protocol version */ - if (ssl_version_cmp(s, s->version, minversion) < 0 - || ssl_version_cmp(s, s->version, maxversion) > 0) + if (minversion <= 0 || maxversion <= 0 + || ssl_version_cmp(s, s->version, minversion) < 0 + || ssl_version_cmp(s, s->version, maxversion) > 0) continue; /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index b88251623a..00a4359bc9 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -4125,7 +4125,8 @@ int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; - if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 + if (maxproto > 0 && minproto > 0 + && ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0) maxverok = 1; } diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 98c3b45a05..88b252a323 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c 
@@ -157,12 +157,13 @@ int tls_setup_handshake(SSL_CONNECTION *s) /* Sanity check that we have MD5-SHA1 if we need it */ if (sctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) { - int negotiated_minversion; - int md5sha1_needed_maxversion = SSL_CONNECTION_IS_DTLS(s) - ? DTLS1_VERSION : TLS1_1_VERSION; + const int version1_2 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION + : TLS1_2_VERSION; + const int version1_1 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_VERSION + : TLS1_1_VERSION; /* We don't have MD5-SHA1 - do we need it? */ - if (ssl_version_cmp(s, ver_max, md5sha1_needed_maxversion) <= 0) { + if (ssl_version_cmp(s, ver_max, version1_1) <= 0) { SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SUITABLE_DIGEST_ALGORITHM, "The max supported SSL/TLS version needs the" @@ -175,10 +176,8 @@ int tls_setup_handshake(SSL_CONNECTION *s) ok = 1; /* Don't allow TLSv1.1 or below to be negotiated */ - negotiated_minversion = SSL_CONNECTION_IS_DTLS(s) ? - DTLS1_2_VERSION : TLS1_2_VERSION; - if (ssl_version_cmp(s, ver_min, negotiated_minversion) < 0) - ok = SSL_set_min_proto_version(ssl, negotiated_minversion); + if (ssl_version_cmp(s, ver_min, version1_2) < 0) + ok = SSL_set_min_proto_version(ssl, version1_2); if (!ok) { /* Shouldn't happen */ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); @@ -203,7 +202,8 @@ int tls_setup_handshake(SSL_CONNECTION *s) int cipher_maxprotover = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; - if (ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0 + if (cipher_minprotover > 0 && cipher_maxprotover > 0 + && ssl_version_cmp(s, ver_max, cipher_minprotover) >= 0 && ssl_version_cmp(s, ver_max, cipher_maxprotover) <= 0) { ok = 1; break; @@ -1798,6 +1798,9 @@ int ssl_version_cmp(const SSL_CONNECTION *s, int versiona, int versionb) { int dtls = SSL_CONNECTION_IS_DTLS(s); + if (!ossl_assert(versiona > 0) || !ossl_assert(versionb > 0)) + return 0; + if (versiona == versionb) return 0; if (!dtls) 
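Review bot: In ssl_version_cmp() the new guard returns 0 when either argument is not positive, but 0 is also the result for equal versions. In builds where `ossl_assert` does not abort, a caller testing `<= 0` or `>= 0` therefore takes its "condition met" branch on invalid input. The call sites guarded in this patch avoid that for cipher min/max versions. Other callers in the series do not check their inputs first, for example the `ssl_version_cmp(s, s->s3.tmp.min_ver, ...) >= 0` tests added to tls12_sigalg_allowed() in 23/74. Either state the contract above the function, e.g. `/* Both versions must be > 0. Invalid input compares as equal, so callers must validate before relying on <= or >=. */`, or have those callers test for a positive version before comparing.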
@@ -2159,6 +2162,9 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + if (client_version <= 0) + return SSL_R_WRONG_SSL_VERSION; + s->client_version = client_version; switch (server_version) { @@ -2223,7 +2229,9 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, return SSL_R_BAD_LEGACY_VERSION; while (PACKET_get_net_2(&versionslist, &candidate_vers)) { - if (ssl_version_cmp(s, candidate_vers, best_vers) <= 0) + if (candidate_vers <= 0 + || (best_vers != 0 + && ssl_version_cmp(s, candidate_vers, best_vers) <= 0)) continue; if (ssl_version_supported(s, candidate_vers, &best_method)) best_vers = candidate_vers; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 96570e3dd9..8e0795553b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2236,8 +2236,9 @@ int ssl_cipher_disabled(const SSL_CONNECTION *s, const SSL_CIPHER *c, && (c->algorithm_mkey & (SSL_kECDHE | SSL_kECDHEPSK)) != 0) minversion = SSL3_VERSION; - if (ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0 - || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0) + if (minversion <= 0 || maxversion <= 0 + || ssl_version_cmp(s, minversion, s->s3.tmp.max_ver) > 0 + || ssl_version_cmp(s, maxversion, s->s3.tmp.min_ver) < 0) return 1; return !ssl_security(s, op, c->strength_bits, 0, (void *)c); From 652e4506cfa6cff634bf1edd3937b5b2727ce456 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 26 Apr 2024 21:25:39 +0200 Subject: [PATCH 30/74] Fix sanity tests for ssl_version_cmp for dtls 1.3 branch Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24293) --- ssl/statem/statem_lib.c | 12 ++++++------ ssl/t1_lib.c | 14 ++++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 88b252a323..2424c93484 100644 --- a/ssl/statem/statem_lib.c 
+++ b/ssl/statem/statem_lib.c @@ -2202,10 +2202,10 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, return SSL_R_UNSUPPORTED_PROTOCOL; if (suppversions->present) { - unsigned int candidate_vers = 0; - const unsigned int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? UINT_MAX - : 0; - unsigned int best_vers = best_vers_init; + int candidate_vers = 0; + const int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? INT_MAX + : 0; + int best_vers = best_vers_init; const SSL_METHOD *best_method = NULL; PACKET versionslist; @@ -2228,9 +2228,9 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, if (client_version <= SSL3_VERSION) return SSL_R_BAD_LEGACY_VERSION; - while (PACKET_get_net_2(&versionslist, &candidate_vers)) { + while (PACKET_get_net_2(&versionslist, (unsigned int*)&candidate_vers)) { if (candidate_vers <= 0 - || (best_vers != 0 + || (best_vers != best_vers_init && ssl_version_cmp(s, candidate_vers, best_vers) <= 0)) continue; if (ssl_version_supported(s, candidate_vers, &best_method)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8e0795553b..18a7f9c6e0 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2641,7 +2641,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, { unsigned char sigalgstr[2]; int secbits; - int dsa_version_limit; + const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; if (lu == NULL || !lu->enabled) return 0; 
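Review bot: The `(unsigned int*)&candidate_vers` cast in the `PACKET_get_net_2` loop (hunk at -2228) writes through a pointer of the other signedness only so that `candidate_vers` can stay an `int`. Reading into an unsigned local first, `unsigned int raw_vers;` and then `candidate_vers = (int)raw_vers;` inside the loop, keeps the conversion explicit and drops the cast. Since the value presumably comes from a two-byte read, `candidate_vers <= 0` can only reject 0 here, and a short comment saying so would help the next reader. The loop body continues outside the hunk.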
@@ -2652,8 +2653,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, * At some point we should fully axe DSA/etc. in ClientHello as per (D)TLSv1.3 * spec */ - dsa_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; - if (!s->server && ssl_version_cmp(s, s->s3.tmp.min_ver, dsa_version_limit) >= 0 + if (!s->server && s->s3.tmp.min_ver > 0 + && ssl_version_cmp(s, s->s3.tmp.min_ver, version1_3) >= 0 && (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX || lu->hash_idx == SSL_MD_MD5_IDX || lu->hash_idx == SSL_MD_SHA224_IDX)) @@ -2667,14 +2668,14 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, || lu->sig == NID_id_GostR3410_2012_512 || lu->sig == NID_id_GostR3410_2001) { int any_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION : TLS_ANY_VERSION; - int gost_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; /* We never allow GOST sig algs on the server with (D)TLSv1.3 */ if (s->server && SSL_CONNECTION_IS_VERSION13(s)) return 0; if (!s->server && SSL_CONNECTION_GET_SSL(s)->method->version == any_version - && ssl_version_cmp(s, s->s3.tmp.max_ver, gost_version_limit) >= 0) { + && s->s3.tmp.max_ver > 0 + && ssl_version_cmp(s, s->s3.tmp.max_ver, version1_3) >= 0) { int i, num; STACK_OF(SSL_CIPHER) *sk; @@ -2684,7 +2685,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op, * ciphersuites enabled. */ - if (ssl_version_cmp(s, s->s3.tmp.min_ver, gost_version_limit) >= 0) + if (s->s3.tmp.min_ver > 0 + && ssl_version_cmp(s, s->s3.tmp.min_ver, version1_3) >= 0) return 0; sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)); From 9ca8f6653c355af527d5be2e8ce4e5c80b55f070 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Wed, 4 Oct 2023 11:58:06 +0200 Subject: [PATCH 31/74] Update dtls max version Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- include/openssl/dtls1.h | 2 +- ssl/ssl_local.h | 2 +- ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_lib.c | 5 +++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index 5dc6b5419c..024584f426 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -27,7 +27,7 @@ extern "C" { /* DTLS*_VERSION constants are defined in prov_ssl.h */ # ifndef OPENSSL_NO_DEPRECATED_3_0 # define DTLS_MIN_VERSION DTLS1_VERSION -# define DTLS_MAX_VERSION DTLS1_2_VERSION +# define DTLS_MAX_VERSION DTLS1_3_VERSION # endif # define DTLS1_VERSION_MAJOR 0xFE diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 2b8df7d26c..701145438c 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -45,7 +45,7 @@ # endif # define TLS_MAX_VERSION_INTERNAL TLS1_3_VERSION -# define DTLS_MAX_VERSION_INTERNAL DTLS1_2_VERSION +# define DTLS_MAX_VERSION_INTERNAL DTLS1_3_VERSION /* * DTLS version numbers are strange because they're inverted. Except for diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 00a4359bc9..5a6fed1c44 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -192,7 +192,7 @@ static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) if (mt == SSL3_MT_CERTIFICATE_REQUEST) { #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION /* Restore digest for PHA before adding message.*/ -# error Internal DTLS version error +# warning Internal DTLS version error #endif if (!SSL_CONNECTION_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 2424c93484..123c5b01c6 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c 
@@ -1848,12 +1848,13 @@ static const version_info tls_version_table[] = { {0, NULL, NULL}, }; -#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION -# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. +#if DTLS_MAX_VERSION_INTERNAL != DTLS1_3_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_3_VERSION. #endif /* Must be in order high to low */ static const version_info dtls_version_table[] = { + {DTLS1_3_VERSION, dtlsv1_3_client_method, dtlsv1_3_server_method}, #ifndef OPENSSL_NO_DTLS1_2 {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method}, #else From bc86e5b81eef00ae610a39c56f1d0810ee2143e8 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 29 Nov 2023 10:05:13 +0100 Subject: [PATCH 32/74] Remove obsolete TODO and guards for post handshake authentication in DTLS 1.3 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/statem/statem_clnt.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 5a6fed1c44..69db475056 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c 
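Review bot: The new `{DTLS1_3_VERSION, dtlsv1_3_client_method, dtlsv1_3_server_method}` row in `dtls_version_table` is unconditional, while the DTLS 1.2 row directly below it is wrapped in `#ifndef OPENSSL_NO_DTLS1_2` with an `#else` fallback. Earlier in this series the dtlsv1_3 methods are defined under `#ifndef OPENSSL_NO_DTLS1_3_METHOD`, so a build with that macro set would presumably fail to link. There is also no build-time way to keep the new version out of `DTLS_method()` negotiation while the implementation is still in progress. A guard of the same shape as the 1.2 row, with a `{DTLS1_3_VERSION, NULL, NULL}` fallback, would address both. The table continues outside the hunk.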
@@ -190,19 +190,8 @@ static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) return 1; } if (mt == SSL3_MT_CERTIFICATE_REQUEST) { -#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION - /* Restore digest for PHA before adding message.*/ -# warning Internal DTLS version error -#endif - if (!SSL_CONNECTION_IS_DTLS(s) - && s->post_handshake_auth == SSL_PHA_EXT_SENT) { + if (s->post_handshake_auth == SSL_PHA_EXT_SENT) { s->post_handshake_auth = SSL_PHA_REQUESTED; - /* - * In TLS, this is called before the message is added to the - * digest. In DTLS, this is expected to be called after adding - * to the digest. Either move the digest restore, or add the - * message here after the swap, or do it after the clientFinished? - */ if (!tls13_restore_handshake_digest_for_pha(s)) { /* SSLfatal() already called */ return 0; From 5fc85f277ef82036bfb453781da560e966e2c4f9 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 19 Dec 2023 12:51:18 +0100 Subject: [PATCH 33/74] Update DTLS version tests Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/ssl_lib.c | 2 +- test/ssl_ctx_test.c | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 0e133bdded..3c3b6a2904 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -472,7 +472,7 @@ static int ssl_check_allowed_versions(int min_version, int max_version) /* Ignore DTLS1_BAD_VER */ min_version = DTLS1_VERSION; if (max_version == 0) - max_version = DTLS1_2_VERSION; + max_version = DTLS1_3_VERSION; #ifdef OPENSSL_NO_DTLS1_2 if (max_version == DTLS1_2_VERSION) max_version = DTLS1_VERSION; diff --git a/test/ssl_ctx_test.c b/test/ssl_ctx_test.c index 16da838dea..6390de6a0b 100644 --- a/test/ssl_ctx_test.c +++ b/test/ssl_ctx_test.c 
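Review bot: With `!SSL_CONNECTION_IS_DTLS(s)` dropped from the `SSL3_MT_CERTIFICATE_REQUEST` branch, `tls13_restore_handshake_digest_for_pha()` now runs for DTLS as well. The comment removed here was the only record that DTLS was expected to add the message to the digest in a different order, and nothing visible in the hunk shows how that ordering question was settled. A one-line comment stating that the restore happens before the CertificateRequest enters the transcript for both TLS and DTLS (if that is indeed the case), backed by a DTLS 1.3 post-handshake-authentication test, would keep the transcript assumption checkable. The function continues outside the hunk.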
@@ -47,6 +47,9 @@ static const version_test version_testdata[] = { {PROTO_TLS, 7, 42, 0, 0, 0, 0}, {PROTO_DTLS, 0, 0, 1, 1, 0, 0}, {PROTO_DTLS, DTLS1_VERSION, DTLS1_2_VERSION, 1, 1, DTLS1_VERSION, DTLS1_2_VERSION}, + {PROTO_DTLS, DTLS1_VERSION, DTLS1_3_VERSION, 1, 1, DTLS1_VERSION, DTLS1_3_VERSION}, + {PROTO_DTLS, DTLS1_2_VERSION, DTLS1_3_VERSION, 1, 1, DTLS1_2_VERSION, DTLS1_3_VERSION}, + {PROTO_DTLS, DTLS1_3_VERSION, DTLS1_3_VERSION, 1, 1, DTLS1_3_VERSION, DTLS1_3_VERSION}, #ifndef OPENSSL_NO_DTLS1_2 {PROTO_DTLS, DTLS1_2_VERSION, DTLS1_2_VERSION, 1, 1, DTLS1_2_VERSION, DTLS1_2_VERSION}, #endif @@ -56,8 +59,8 @@ static const version_test version_testdata[] = { #if !defined(OPENSSL_NO_DTLS1) && !defined(OPENSSL_NO_DTLS1_2) {PROTO_DTLS, DTLS1_2_VERSION, DTLS1_VERSION, 1, 1, DTLS1_2_VERSION, DTLS1_VERSION}, #endif - {PROTO_DTLS, DTLS1_VERSION + 1, DTLS1_2_VERSION, 0, 1, 0, DTLS1_2_VERSION}, - {PROTO_DTLS, DTLS1_VERSION, DTLS1_2_VERSION - 1, 1, 0, DTLS1_VERSION, 0}, + {PROTO_DTLS, DTLS1_VERSION + 1, DTLS1_3_VERSION, 0, 1, 0, DTLS1_3_VERSION}, + {PROTO_DTLS, DTLS1_VERSION, DTLS1_3_VERSION - 1, 1, 0, DTLS1_VERSION, 0}, {PROTO_DTLS, TLS1_VERSION, TLS1_3_VERSION, 1, 1, 0, 0}, {PROTO_DTLS, OSSL_QUIC1_VERSION, OSSL_QUIC1_VERSION, 0, 0, 0, 0}, /* These functions never have an effect when called on a QUIC object */ @@ -66,7 +69,7 @@ static const version_test version_testdata[] = { {PROTO_QUIC, OSSL_QUIC1_VERSION, OSSL_QUIC1_VERSION + 1, 0, 0, 0, 0}, {PROTO_QUIC, TLS1_VERSION, TLS1_3_VERSION, 1, 1, 0, 0}, #ifndef OPENSSL_NO_DTLS - {PROTO_QUIC, DTLS1_VERSION, DTLS1_2_VERSION, 1, 1, 0, 0}, + {PROTO_QUIC, DTLS1_VERSION, DTLS1_3_VERSION, 1, 1, 0, 0}, #endif }; From eda3b4b93a0364aa519ce0ce92713a72f810d8d5 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Tue, 9 Apr 2024 12:57:12 +0200 Subject: [PATCH 34/74] Fix version check to avoid unsupported protocol error in ssl_choose_server_version() Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/statem/statem_lib.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 123c5b01c6..7b819f715d 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -2162,6 +2162,8 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, RAW_EXTENSION *suppversions; const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION; + const int version1_2 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION + : TLS1_2_VERSION; if (client_version <= 0) return SSL_R_WRONG_SSL_VERSION; @@ -2249,7 +2251,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, * This is after a HelloRetryRequest so we better check that we * negotiated (D)TLSv1.3 */ - if (best_vers != TLS1_3_VERSION && best_vers != DTLS1_3_VERSION) + if (best_vers != version1_3) return SSL_R_UNSUPPORTED_PROTOCOL; return 0; } @@ -2269,8 +2271,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello, * version we can negotiate is (D)TLSv1.2 */ if (ssl_version_cmp(s, client_version, version1_3) >= 0) - client_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION - : TLS1_2_VERSION; + client_version = version1_2; /* * No supported versions extension, so we just use the version supplied in @@ -2315,6 +2316,8 @@ int ssl_choose_client_version(SSL_CONNECTION *s, int version, const version_info *table; int ret, ver_min, ver_max, real_max, origv; SSL *ssl = SSL_CONNECTION_GET_SSL(s); + const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; origv = s->version; s->version = version; 
@@ -2328,8 +2331,7 @@ int ssl_choose_client_version(SSL_CONNECTION *s, int version, return 0; } - if (s->hello_retry_request != SSL_HRR_NONE - && (s->version != TLS1_3_VERSION && s->version != DTLS1_3_VERSION)) { + if (s->hello_retry_request != SSL_HRR_NONE && s->version != version1_3) { s->version = origv; SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); return 0; From 86b4c0a05f14fcbfe088c873b71d647258dd6dc6 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Wed, 24 Apr 2024 12:03:32 +0200 Subject: [PATCH 35/74] Fix renegotiation check that was added in https://github.com/openssl/openssl/pull/24161 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/statem/extensions_clnt.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 5b0144187d..d07d2ee187 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -17,16 +17,15 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt, size_t chainidx) { if (!s->renegotiate) { + const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION + : TLS1_3_VERSION; + /* If not renegotiating, send an empty RI extension to indicate support */ - -#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION -# error Internal DTLS version error -#endif - - if (!SSL_CONNECTION_IS_DTLS(s) - && (s->min_proto_version >= TLS1_3_VERSION - || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) - && s->min_proto_version <= TLS1_VERSION))) { + if ((s->min_proto_version != 0 + && ssl_version_cmp(s, s->min_proto_version, version1_3) >= 0) + || (!SSL_CONNECTION_IS_DTLS(s) + && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) + && s->min_proto_version <= TLS1_VERSION)) { /* * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this * extension isn't used at all. 
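Review bot: In the `tls_construct_ctos_renegotiate` hunk the first clause tests `s->min_proto_version != 0` before calling `ssl_version_cmp`, whereas the earlier patches in this series guard the same call with `> 0`, which is what the assertion inside `ssl_version_cmp` checks. Using `s->min_proto_version > 0` here keeps the call sites uniform. The branch now also skips the extension for DTLS when the minimum version is (D)TLS 1.3, but the existing comment below still speaks of TLS only; it should read `(D)TLS 1.3`. The block continues outside the hunk.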
From d888cb864677aef68752fe10c37d268cf2eb6126 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 22 Apr 2024 19:59:27 +0200 Subject: [PATCH 36/74] Run some failing tests with DTLS1.2 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- fuzz/dtlsclient.c | 6 +++ test/dtls_mtu_test.c | 14 +++++++ test/dtlstest.c | 42 ++++++++++++++++---- test/ssl-tests/29-dtls-sctp-label-bug.cnf | 2 + test/ssl-tests/29-dtls-sctp-label-bug.cnf.in | 8 +++- 5 files changed, 63 insertions(+), 9 deletions(-) diff --git a/fuzz/dtlsclient.c b/fuzz/dtlsclient.c index 0e239d991d..85fb1144d6 100644 --- a/fuzz/dtlsclient.c +++ b/fuzz/dtlsclient.c @@ -72,6 +72,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) if (client == NULL) goto end; OPENSSL_assert(SSL_set_min_proto_version(client, 0) == 1); + /** + * TODO(DTLSv1.3): Fuzzing fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ + OPENSSL_assert(SSL_set_max_proto_version(client, DTLS1_2_VERSION) == 1); OPENSSL_assert(SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") == 1); SSL_set_tlsext_host_name(client, "localhost"); in = BIO_new(BIO_s_mem()); diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c index b11d5e3461..740c7fa6a9 100644 --- a/test/dtls_mtu_test.c +++ b/test/dtls_mtu_test.c @@ -66,6 +66,13 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm) if (no_etm) SSL_set_options(srvr_ssl, SSL_OP_NO_ENCRYPT_THEN_MAC); + /** + * TODO(DTLSv1.3): Tests fails with + * SSL routines:tls_psk_do_binder:binder does not verify: + * ../ssl/statem/extensions.c:1690: + */ + OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1); + if (!TEST_true(SSL_set_cipher_list(srvr_ssl, cs)) || !TEST_true(SSL_set_cipher_list(clnt_ssl, cs)) || !TEST_ptr(sc_bio = SSL_get_rbio(srvr_ssl)) 
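Review bot: Capping the fuzz client at `DTLS1_2_VERSION` in `FuzzerTestOneInput` leaves the DTLS 1.3 client paths without fuzz coverage, in the same series that raises the default DTLS maximum to 1.3. The TODO records an assertion failure (`s->hello_retry_request == SSL_HRR_PENDING`) reached from fuzzer-supplied input. That should be tracked as a defect in the handshake code and not only as a test limitation, because in a build where the assertion aborts it is a crash reachable from peer-controlled data. I would reference the tracking issue in the comment, e.g. `TODO(DTLSv1.3): remove this cap once <issue-id> is fixed`, and open it with `/*` since it is not a doc comment.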
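Review bot: `OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1)` in the `mtu_test` hunk aborts the whole test binary on failure, while the surrounding code reports failures through `TEST_true`. The same line is added in `test_server_mtu_larger_than_max_fragment_length` in the next hunk, where `if (!TEST_true(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION))) goto end;` would match the neighbouring checks. The `mtu_test` hunk needs the equivalent with whatever cleanup label that function uses, which lies outside the hunk.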
@@ -212,6 +219,13 @@ static int test_server_mtu_larger_than_max_fragment_length(void) NULL, NULL))) goto end; + /** + * TODO(DTLSv1.3): Test fails with + * SSL routines:tls_psk_do_binder:binder does not verify: + * ../ssl/statem/extensions.c:1690: + */ + OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1); + SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU); if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500))) goto end; diff --git a/test/dtlstest.c b/test/dtlstest.c index 011d8775c1..15aae92df9 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -77,9 +77,15 @@ static int test_dtls_unprocessed(int testidx) timer_cb_count = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * # No progress made + * # ERROR: (bool) 'create_bare_ssl_connection(serverssl1, clientssl1, + * SSL_ERROR_NONE, 0, 0) == true' failed @ ../test/dtlstest.c:128 + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -199,9 +205,14 @@ static int test_dtls_drop_records(int idx) int cli_to_srv_cookie, cli_to_srv_epoch0, cli_to_srv_epoch1; int srv_to_cli_epoch0; + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; 
@@ -312,9 +323,14 @@ static int test_cookie(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -352,9 +368,13 @@ static int test_dtls_duplicate_records(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * dtls1_read_bytes:unexpected record:../ssl/record/rec_layer_d1.c:609: + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -484,9 +504,12 @@ static int test_swap_records(int idx) char msg[] = { 0x00, 0x01, 0x02, 0x03 }; char buf[10]; + /** + * TODO(DTLSv1.3): Tests fails + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -594,9 +617,14 @@ static int test_listen(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; diff --git a/test/ssl-tests/29-dtls-sctp-label-bug.cnf b/test/ssl-tests/29-dtls-sctp-label-bug.cnf index 24f9e04f16..d0b306cef4 100644 --- a/test/ssl-tests/29-dtls-sctp-label-bug.cnf +++ b/test/ssl-tests/29-dtls-sctp-label-bug.cnf 
@@ -72,6 +72,7 @@ client = 2-SCTPLabelBug-bad1-client [2-SCTPLabelBug-bad1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-SCTPLabelBug-bad1-client] @@ -99,6 +100,7 @@ client = 3-SCTPLabelBug-bad2-client [3-SCTPLabelBug-bad2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-SCTPLabelBug-bad2-client] diff --git a/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in b/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in index f14e68139d..a28ab8c4a4 100644 --- a/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in +++ b/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in @@ -42,7 +42,9 @@ our @tests = ( }, { name => "SCTPLabelBug-bad1", - server => {}, + server => { + MaxProtocol => "DTLSv1.2" + }, client => {}, test => { "Method" => "DTLS", @@ -54,7 +56,9 @@ our @tests = ( }, { name => "SCTPLabelBug-bad2", - server => {}, + server => { + MaxProtocol => "DTLSv1.2" + }, client => {}, test => { "Method" => "DTLS", From d2526d8f351cc27eb924398abb82894ab804576d Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Mon, 22 Apr 2024 20:14:07 +0200 Subject: [PATCH 37/74] Fix test_ssl_new tests Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- test/ssl-tests/07-dtls-protocol-version.cnf | 3384 ++++++++++++++++++- test/ssl-tests/11-dtls_resumption.cnf | 618 +--- test/ssl-tests/protocol_version.pm | 35 +- 3 files changed, 3223 insertions(+), 814 deletions(-) diff --git a/test/ssl-tests/07-dtls-protocol-version.cnf b/test/ssl-tests/07-dtls-protocol-version.cnf index 100036b3d1..16621d8964 100644 --- a/test/ssl-tests/07-dtls-protocol-version.cnf +++ b/test/ssl-tests/07-dtls-protocol-version.cnf 
@@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 64 +num_tests = 169 test-0 = 0-version-negotiation test-1 = 1-version-negotiation 
@@ -66,6 +66,111 @@ test-60 = 60-version-negotiation test-61 = 61-version-negotiation test-62 = 62-version-negotiation test-63 = 63-version-negotiation +test-64 = 64-version-negotiation +test-65 = 65-version-negotiation +test-66 = 66-version-negotiation +test-67 = 67-version-negotiation +test-68 = 68-version-negotiation +test-69 = 69-version-negotiation +test-70 = 70-version-negotiation +test-71 = 71-version-negotiation +test-72 = 72-version-negotiation +test-73 = 73-version-negotiation +test-74 = 74-version-negotiation +test-75 = 75-version-negotiation +test-76 = 76-version-negotiation +test-77 = 77-version-negotiation +test-78 = 78-version-negotiation +test-79 = 79-version-negotiation +test-80 = 80-version-negotiation +test-81 = 81-version-negotiation +test-82 = 82-version-negotiation +test-83 = 83-version-negotiation +test-84 = 84-version-negotiation +test-85 = 85-version-negotiation +test-86 = 86-version-negotiation +test-87 = 87-version-negotiation +test-88 = 88-version-negotiation +test-89 = 89-version-negotiation +test-90 = 90-version-negotiation +test-91 = 91-version-negotiation +test-92 = 92-version-negotiation +test-93 = 93-version-negotiation +test-94 = 94-version-negotiation +test-95 = 95-version-negotiation +test-96 = 96-version-negotiation +test-97 = 97-version-negotiation +test-98 = 98-version-negotiation +test-99 = 99-version-negotiation +test-100 = 100-version-negotiation +test-101 = 101-version-negotiation +test-102 = 102-version-negotiation +test-103 = 103-version-negotiation +test-104 = 104-version-negotiation +test-105 = 105-version-negotiation +test-106 = 106-version-negotiation +test-107 = 107-version-negotiation +test-108 = 108-version-negotiation +test-109 = 109-version-negotiation +test-110 = 110-version-negotiation +test-111 = 111-version-negotiation +test-112 = 112-version-negotiation +test-113 = 113-version-negotiation +test-114 = 114-version-negotiation +test-115 = 115-version-negotiation +test-116 = 116-version-negotiation +test-117 = 
117-version-negotiation +test-118 = 118-version-negotiation +test-119 = 119-version-negotiation +test-120 = 120-version-negotiation +test-121 = 121-version-negotiation +test-122 = 122-version-negotiation +test-123 = 123-version-negotiation +test-124 = 124-version-negotiation +test-125 = 125-version-negotiation +test-126 = 126-version-negotiation +test-127 = 127-version-negotiation +test-128 = 128-version-negotiation +test-129 = 129-version-negotiation +test-130 = 130-version-negotiation +test-131 = 131-version-negotiation +test-132 = 132-version-negotiation +test-133 = 133-version-negotiation +test-134 = 134-version-negotiation +test-135 = 135-version-negotiation +test-136 = 136-version-negotiation +test-137 = 137-version-negotiation +test-138 = 138-version-negotiation +test-139 = 139-version-negotiation +test-140 = 140-version-negotiation +test-141 = 141-version-negotiation +test-142 = 142-version-negotiation +test-143 = 143-version-negotiation +test-144 = 144-version-negotiation +test-145 = 145-version-negotiation +test-146 = 146-version-negotiation +test-147 = 147-version-negotiation +test-148 = 148-version-negotiation +test-149 = 149-version-negotiation +test-150 = 150-version-negotiation +test-151 = 151-version-negotiation +test-152 = 152-version-negotiation +test-153 = 153-version-negotiation +test-154 = 154-version-negotiation +test-155 = 155-version-negotiation +test-156 = 156-version-negotiation +test-157 = 157-version-negotiation +test-158 = 158-version-negotiation +test-159 = 159-version-negotiation +test-160 = 160-version-negotiation +test-161 = 161-version-negotiation +test-162 = 162-version-negotiation +test-163 = 163-version-negotiation +test-164 = 164-version-negotiation +test-165 = 165-version-negotiation +test-166 = 166-version-negotiation +test-167 = 167-version-negotiation +test-168 = 168-version-negotiation # =========================================================== [0-version-negotiation] 
@@ -132,6 +237,7 @@ client = 2-version-negotiation-client [2-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-version-negotiation-client] @@ -158,8 +264,6 @@ client = 3-version-negotiation-client [3-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-version-negotiation-client] @@ -186,7 +290,7 @@ client = 4-version-negotiation-client [4-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -214,6 +318,7 @@ client = 5-version-negotiation-client [5-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem @@ -241,8 +346,8 @@ client = 6-version-negotiation-client [6-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [6-version-negotiation-client] @@ -252,7 +357,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-6] -ExpectedResult = ServerFail +ExpectedProtocol = DTLSv1 +ExpectedResult = Success Method = DTLS @@ -268,7 +374,7 @@ client = 7-version-negotiation-client [7-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [7-version-negotiation-client] 
@@ -278,7 +384,8 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-7] -ExpectedResult = ServerFail +ExpectedProtocol = DTLSv1 +ExpectedResult = Success Method = DTLS @@ -294,18 +401,18 @@ client = 8-version-negotiation-client [8-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [8-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-8] -ExpectedProtocol = DTLSv1 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -321,18 +428,18 @@ client = 9-version-negotiation-client [9-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [9-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-9] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -348,17 +455,17 @@ client = 10-version-negotiation-client [10-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [10-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-10] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS 
@@ -374,19 +481,18 @@ client = 11-version-negotiation-client [11-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [11-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-11] -ExpectedProtocol = DTLSv1 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -402,19 +508,17 @@ client = 12-version-negotiation-client [12-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [12-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-12] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -430,7 +534,7 @@ client = 13-version-negotiation-client [13-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [13-version-negotiation-client] @@ -440,7 +544,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-13] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -458,7 +562,6 @@ client = 14-version-negotiation-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-version-negotiation-client] 
@@ -485,7 +588,7 @@ client = 15-version-negotiation-client [15-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-version-negotiation-client] @@ -512,16 +615,16 @@ client = 16-version-negotiation-client [16-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-16] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS @@ -538,16 +641,18 @@ client = 17-version-negotiation-client [17-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-17] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -564,10 +669,13 @@ client = 18-version-negotiation-client [18-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -589,17 +697,18 @@ client = 19-version-negotiation-client [19-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-19] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS @@ -616,12 +725,12 @@ client = 20-version-negotiation-client [20-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [20-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -643,11 +752,13 @@ client = 21-version-negotiation-client [21-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [21-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -669,12 +780,13 @@ client = 22-version-negotiation-client [22-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [22-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -701,6 +813,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [23-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -722,19 +835,18 @@ client = 24-version-negotiation-client [24-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [24-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-24] -ExpectedProtocol = DTLSv1 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -750,19 +862,17 @@ client = 25-version-negotiation-client [25-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [25-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-25] -ExpectedProtocol = DTLSv1 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -778,12 +888,12 @@ client = 26-version-negotiation-client [26-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [26-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -805,19 +915,17 @@ client = 27-version-negotiation-client [27-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [27-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-27] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS @@ -834,19 +942,17 @@ client = 28-version-negotiation-client [28-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [28-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-28] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -863,18 +969,16 @@ client = 29-version-negotiation-client [29-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [29-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-29] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -891,19 +995,19 @@ client = 30-version-negotiation-client [30-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [30-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-30] -ExpectedResult = ServerFail +ExpectedProtocol = DTLSv1 +ExpectedResult = Success Method = DTLS @@ -919,18 +1023,19 @@ client = 31-version-negotiation-client [31-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [31-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-31] -ExpectedResult = ServerFail +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success Method = DTLS @@ -946,18 +1051,18 @@ client = 32-version-negotiation-client [32-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [32-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-32] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -974,18 +1079,17 @@ client = 33-version-negotiation-client [33-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [33-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-33] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1002,12 +1106,13 @@ client = 34-version-negotiation-client [34-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [34-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1029,19 +1134,18 @@ client = 35-version-negotiation-client [35-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [35-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-35] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -1058,19 +1162,17 @@ client = 36-version-negotiation-client [36-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [36-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-36] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1087,18 +1189,18 @@ client = 37-version-negotiation-client [37-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [37-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-37] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1115,19 +1217,17 @@ client = 38-version-negotiation-client [38-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [38-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-38] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -1144,18 +1244,16 @@ client = 39-version-negotiation-client [39-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [39-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-39] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -1172,17 +1270,16 @@ client = 40-version-negotiation-client [40-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [40-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-40] -ExpectedProtocol = DTLSv1 +ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS @@ -1199,17 +1296,16 @@ client = 41-version-negotiation-client [41-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [41-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-41] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1230,12 +1326,11 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [42-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-42] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -1258,7 +1353,6 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [43-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1286,7 +1380,6 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [44-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1308,17 +1401,17 @@ client = 45-version-negotiation-client [45-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [45-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-45] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1335,18 +1428,16 @@ client = 46-version-negotiation-client [46-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [46-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-46] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -1363,12 +1454,12 @@ client = 47-version-negotiation-client [47-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [47-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -1390,18 +1481,18 @@ client = 48-version-negotiation-client [48-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [48-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-48] -ExpectedResult = ClientFail +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success Method = DTLS @@ -1417,18 +1508,16 @@ client = 49-version-negotiation-client [49-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [49-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-49] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS 
@@ -1445,17 +1534,17 @@ client = 50-version-negotiation-client [50-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [50-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-50] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1.3 ExpectedResult = Success Method = DTLS @@ -1472,19 +1561,17 @@ client = 51-version-negotiation-client [51-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [51-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-51] -ExpectedResult = ClientFail +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success Method = DTLS @@ -1500,19 +1587,18 @@ client = 52-version-negotiation-client [52-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [52-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-52] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS 
@@ -1529,18 +1615,18 @@ client = 53-version-negotiation-client [53-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [53-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-53] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -1557,19 +1643,18 @@ client = 54-version-negotiation-client [54-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [54-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-54] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -1586,18 +1671,17 @@ client = 55-version-negotiation-client [55-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [55-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-55] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS 
@@ -1615,16 +1699,19 @@ client = 56-version-negotiation-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [56-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-56] -ExpectedResult = ClientFail +ExpectedProtocol = DTLSv1 +ExpectedResult = Success Method = DTLS @@ -1641,16 +1728,18 @@ client = 57-version-negotiation-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [57-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-57] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS @@ -1667,16 +1756,19 @@ client = 58-version-negotiation-client [58-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [58-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-58] -ExpectedProtocol = DTLSv1.2 +ExpectedProtocol = DTLSv1 ExpectedResult = Success Method = DTLS 
@@ -1693,18 +1785,19 @@ client = 59-version-negotiation-client [59-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 MinProtocol = DTLSv1 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [59-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-59] -ExpectedResult = ClientFail +ExpectedProtocol = DTLSv1 +ExpectedResult = Success Method = DTLS @@ -1721,18 +1814,18 @@ client = 60-version-negotiation-client Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [60-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-60] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS @@ -1748,18 +1841,19 @@ client = 61-version-negotiation-client [61-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [61-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-61] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS 
@@ -1775,19 +1869,18 @@ client = 62-version-negotiation-client [62-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 MinProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [62-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-62] -ExpectedProtocol = DTLSv1.2 -ExpectedResult = Success +ExpectedResult = ServerFail Method = DTLS 
@@ -1803,18 +1896,2939 @@ client = 63-version-negotiation-client [63-version-negotiation-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [63-version-negotiation-client] CipherString = DEFAULT:@SECLEVEL=0 -MinProtocol = DTLSv1.2 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer [test-63] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[64-version-negotiation] +ssl_conf = 64-version-negotiation-ssl + +[64-version-negotiation-ssl] +server = 64-version-negotiation-server +client = 64-version-negotiation-client + +[64-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[64-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-64] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[65-version-negotiation] +ssl_conf = 65-version-negotiation-ssl + +[65-version-negotiation-ssl] +server = 65-version-negotiation-server +client = 65-version-negotiation-client + +[65-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[65-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-65] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# 
=========================================================== + +[66-version-negotiation] +ssl_conf = 66-version-negotiation-ssl + +[66-version-negotiation-ssl] +server = 66-version-negotiation-server +client = 66-version-negotiation-client + +[66-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[66-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-66] ExpectedProtocol = DTLSv1.2 ExpectedResult = Success Method = DTLS +# =========================================================== + +[67-version-negotiation] +ssl_conf = 67-version-negotiation-ssl + +[67-version-negotiation-ssl] +server = 67-version-negotiation-server +client = 67-version-negotiation-client + +[67-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[67-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-67] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[68-version-negotiation] +ssl_conf = 68-version-negotiation-ssl + +[68-version-negotiation-ssl] +server = 68-version-negotiation-server +client = 68-version-negotiation-client + +[68-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[68-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-68] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[69-version-negotiation] +ssl_conf = 69-version-negotiation-ssl + +[69-version-negotiation-ssl] +server = 69-version-negotiation-server +client = 69-version-negotiation-client + +[69-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[69-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-69] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[70-version-negotiation] +ssl_conf = 70-version-negotiation-ssl + +[70-version-negotiation-ssl] +server = 70-version-negotiation-server +client = 70-version-negotiation-client + +[70-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[70-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-70] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[71-version-negotiation] +ssl_conf = 71-version-negotiation-ssl + +[71-version-negotiation-ssl] +server = 71-version-negotiation-server +client = 71-version-negotiation-client + +[71-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = 
DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[71-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-71] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[72-version-negotiation] +ssl_conf = 72-version-negotiation-ssl + +[72-version-negotiation-ssl] +server = 72-version-negotiation-server +client = 72-version-negotiation-client + +[72-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[72-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-72] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[73-version-negotiation] +ssl_conf = 73-version-negotiation-ssl + +[73-version-negotiation-ssl] +server = 73-version-negotiation-server +client = 73-version-negotiation-client + +[73-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[73-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-73] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[74-version-negotiation] +ssl_conf = 74-version-negotiation-ssl + +[74-version-negotiation-ssl] +server = 
74-version-negotiation-server +client = 74-version-negotiation-client + +[74-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[74-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-74] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[75-version-negotiation] +ssl_conf = 75-version-negotiation-ssl + +[75-version-negotiation-ssl] +server = 75-version-negotiation-server +client = 75-version-negotiation-client + +[75-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[75-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-75] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[76-version-negotiation] +ssl_conf = 76-version-negotiation-ssl + +[76-version-negotiation-ssl] +server = 76-version-negotiation-server +client = 76-version-negotiation-client + +[76-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[76-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-76] +ExpectedResult = ServerFail +Method = DTLS + + 
+# =========================================================== + +[77-version-negotiation] +ssl_conf = 77-version-negotiation-ssl + +[77-version-negotiation-ssl] +server = 77-version-negotiation-server +client = 77-version-negotiation-client + +[77-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[77-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-77] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[78-version-negotiation] +ssl_conf = 78-version-negotiation-ssl + +[78-version-negotiation-ssl] +server = 78-version-negotiation-server +client = 78-version-negotiation-client + +[78-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[78-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-78] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[79-version-negotiation] +ssl_conf = 79-version-negotiation-ssl + +[79-version-negotiation-ssl] +server = 79-version-negotiation-server +client = 79-version-negotiation-client + +[79-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[79-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-79] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[80-version-negotiation] +ssl_conf = 80-version-negotiation-ssl + +[80-version-negotiation-ssl] +server = 80-version-negotiation-server +client = 80-version-negotiation-client + +[80-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[80-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-80] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[81-version-negotiation] +ssl_conf = 81-version-negotiation-ssl + +[81-version-negotiation-ssl] +server = 81-version-negotiation-server +client = 81-version-negotiation-client + +[81-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[81-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-81] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[82-version-negotiation] +ssl_conf = 82-version-negotiation-ssl + +[82-version-negotiation-ssl] +server = 82-version-negotiation-server +client = 82-version-negotiation-client + +[82-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + +[82-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-82] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[83-version-negotiation] +ssl_conf = 83-version-negotiation-ssl + +[83-version-negotiation-ssl] +server = 83-version-negotiation-server +client = 83-version-negotiation-client + +[83-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[83-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-83] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[84-version-negotiation] +ssl_conf = 84-version-negotiation-ssl + +[84-version-negotiation-ssl] +server = 84-version-negotiation-server +client = 84-version-negotiation-client + +[84-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[84-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-84] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[85-version-negotiation] +ssl_conf = 85-version-negotiation-ssl + +[85-version-negotiation-ssl] +server = 85-version-negotiation-server +client = 
85-version-negotiation-client + +[85-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[85-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-85] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[86-version-negotiation] +ssl_conf = 86-version-negotiation-ssl + +[86-version-negotiation-ssl] +server = 86-version-negotiation-server +client = 86-version-negotiation-client + +[86-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[86-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-86] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[87-version-negotiation] +ssl_conf = 87-version-negotiation-ssl + +[87-version-negotiation-ssl] +server = 87-version-negotiation-server +client = 87-version-negotiation-client + +[87-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[87-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-87] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# 
=========================================================== + +[88-version-negotiation] +ssl_conf = 88-version-negotiation-ssl + +[88-version-negotiation-ssl] +server = 88-version-negotiation-server +client = 88-version-negotiation-client + +[88-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[88-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-88] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[89-version-negotiation] +ssl_conf = 89-version-negotiation-ssl + +[89-version-negotiation-ssl] +server = 89-version-negotiation-server +client = 89-version-negotiation-client + +[89-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[89-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-89] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[90-version-negotiation] +ssl_conf = 90-version-negotiation-ssl + +[90-version-negotiation-ssl] +server = 90-version-negotiation-server +client = 90-version-negotiation-client + +[90-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[90-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 
+MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-90] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[91-version-negotiation] +ssl_conf = 91-version-negotiation-ssl + +[91-version-negotiation-ssl] +server = 91-version-negotiation-server +client = 91-version-negotiation-client + +[91-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[91-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-91] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[92-version-negotiation] +ssl_conf = 92-version-negotiation-ssl + +[92-version-negotiation-ssl] +server = 92-version-negotiation-server +client = 92-version-negotiation-client + +[92-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[92-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-92] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[93-version-negotiation] +ssl_conf = 93-version-negotiation-ssl + +[93-version-negotiation-ssl] +server = 93-version-negotiation-server +client = 93-version-negotiation-client + +[93-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + +[93-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-93] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[94-version-negotiation] +ssl_conf = 94-version-negotiation-ssl + +[94-version-negotiation-ssl] +server = 94-version-negotiation-server +client = 94-version-negotiation-client + +[94-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[94-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-94] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[95-version-negotiation] +ssl_conf = 95-version-negotiation-ssl + +[95-version-negotiation-ssl] +server = 95-version-negotiation-server +client = 95-version-negotiation-client + +[95-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[95-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-95] +ExpectedProtocol = DTLSv1 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[96-version-negotiation] +ssl_conf = 96-version-negotiation-ssl + +[96-version-negotiation-ssl] +server = 96-version-negotiation-server +client = 96-version-negotiation-client + +[96-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem 
+CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[96-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-96] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[97-version-negotiation] +ssl_conf = 97-version-negotiation-ssl + +[97-version-negotiation-ssl] +server = 97-version-negotiation-server +client = 97-version-negotiation-client + +[97-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[97-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-97] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[98-version-negotiation] +ssl_conf = 98-version-negotiation-ssl + +[98-version-negotiation-ssl] +server = 98-version-negotiation-server +client = 98-version-negotiation-client + +[98-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[98-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-98] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[99-version-negotiation] +ssl_conf = 99-version-negotiation-ssl + +[99-version-negotiation-ssl] +server = 99-version-negotiation-server +client = 
99-version-negotiation-client + +[99-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[99-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-99] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[100-version-negotiation] +ssl_conf = 100-version-negotiation-ssl + +[100-version-negotiation-ssl] +server = 100-version-negotiation-server +client = 100-version-negotiation-client + +[100-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[100-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-100] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[101-version-negotiation] +ssl_conf = 101-version-negotiation-ssl + +[101-version-negotiation-ssl] +server = 101-version-negotiation-server +client = 101-version-negotiation-client + +[101-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[101-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-101] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + 
+[102-version-negotiation] +ssl_conf = 102-version-negotiation-ssl + +[102-version-negotiation-ssl] +server = 102-version-negotiation-server +client = 102-version-negotiation-client + +[102-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[102-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-102] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[103-version-negotiation] +ssl_conf = 103-version-negotiation-ssl + +[103-version-negotiation-ssl] +server = 103-version-negotiation-server +client = 103-version-negotiation-client + +[103-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[103-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-103] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[104-version-negotiation] +ssl_conf = 104-version-negotiation-ssl + +[104-version-negotiation-ssl] +server = 104-version-negotiation-server +client = 104-version-negotiation-client + +[104-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[104-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + 
+[test-104] +ExpectedResult = ClientFail +Method = DTLS + + +# =========================================================== + +[105-version-negotiation] +ssl_conf = 105-version-negotiation-ssl + +[105-version-negotiation-ssl] +server = 105-version-negotiation-server +client = 105-version-negotiation-client + +[105-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[105-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-105] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[106-version-negotiation] +ssl_conf = 106-version-negotiation-ssl + +[106-version-negotiation-ssl] +server = 106-version-negotiation-server +client = 106-version-negotiation-client + +[106-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[106-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-106] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[107-version-negotiation] +ssl_conf = 107-version-negotiation-ssl + +[107-version-negotiation-ssl] +server = 107-version-negotiation-server +client = 107-version-negotiation-client + +[107-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[107-version-negotiation-client] +CipherString = 
DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-107] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[108-version-negotiation] +ssl_conf = 108-version-negotiation-ssl + +[108-version-negotiation-ssl] +server = 108-version-negotiation-server +client = 108-version-negotiation-client + +[108-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[108-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-108] +ExpectedResult = ClientFail +Method = DTLS + + +# =========================================================== + +[109-version-negotiation] +ssl_conf = 109-version-negotiation-ssl + +[109-version-negotiation-ssl] +server = 109-version-negotiation-server +client = 109-version-negotiation-client + +[109-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[109-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-109] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[110-version-negotiation] +ssl_conf = 110-version-negotiation-ssl + +[110-version-negotiation-ssl] +server = 110-version-negotiation-server +client = 110-version-negotiation-client + +[110-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[110-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-110] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[111-version-negotiation] +ssl_conf = 111-version-negotiation-ssl + +[111-version-negotiation-ssl] +server = 111-version-negotiation-server +client = 111-version-negotiation-client + +[111-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[111-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-111] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[112-version-negotiation] +ssl_conf = 112-version-negotiation-ssl + +[112-version-negotiation-ssl] +server = 112-version-negotiation-server +client = 112-version-negotiation-client + +[112-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[112-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-112] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + 
+[113-version-negotiation] +ssl_conf = 113-version-negotiation-ssl + +[113-version-negotiation-ssl] +server = 113-version-negotiation-server +client = 113-version-negotiation-client + +[113-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[113-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-113] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[114-version-negotiation] +ssl_conf = 114-version-negotiation-ssl + +[114-version-negotiation-ssl] +server = 114-version-negotiation-server +client = 114-version-negotiation-client + +[114-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[114-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-114] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[115-version-negotiation] +ssl_conf = 115-version-negotiation-ssl + +[115-version-negotiation-ssl] +server = 115-version-negotiation-server +client = 115-version-negotiation-client + +[115-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[115-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = 
DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-115] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[116-version-negotiation] +ssl_conf = 116-version-negotiation-ssl + +[116-version-negotiation-ssl] +server = 116-version-negotiation-server +client = 116-version-negotiation-client + +[116-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[116-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-116] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[117-version-negotiation] +ssl_conf = 117-version-negotiation-ssl + +[117-version-negotiation-ssl] +server = 117-version-negotiation-server +client = 117-version-negotiation-client + +[117-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[117-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-117] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[118-version-negotiation] +ssl_conf = 118-version-negotiation-ssl + +[118-version-negotiation-ssl] +server = 118-version-negotiation-server +client = 118-version-negotiation-client + +[118-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + 
+[118-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-118] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[119-version-negotiation] +ssl_conf = 119-version-negotiation-ssl + +[119-version-negotiation-ssl] +server = 119-version-negotiation-server +client = 119-version-negotiation-client + +[119-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[119-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-119] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[120-version-negotiation] +ssl_conf = 120-version-negotiation-ssl + +[120-version-negotiation-ssl] +server = 120-version-negotiation-server +client = 120-version-negotiation-client + +[120-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[120-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-120] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[121-version-negotiation] +ssl_conf = 121-version-negotiation-ssl + +[121-version-negotiation-ssl] +server = 121-version-negotiation-server +client = 121-version-negotiation-client + +[121-version-negotiation-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[121-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-121] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[122-version-negotiation] +ssl_conf = 122-version-negotiation-ssl + +[122-version-negotiation-ssl] +server = 122-version-negotiation-server +client = 122-version-negotiation-client + +[122-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[122-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-122] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[123-version-negotiation] +ssl_conf = 123-version-negotiation-ssl + +[123-version-negotiation-ssl] +server = 123-version-negotiation-server +client = 123-version-negotiation-client + +[123-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[123-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-123] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + 
+[124-version-negotiation] +ssl_conf = 124-version-negotiation-ssl + +[124-version-negotiation-ssl] +server = 124-version-negotiation-server +client = 124-version-negotiation-client + +[124-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[124-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-124] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[125-version-negotiation] +ssl_conf = 125-version-negotiation-ssl + +[125-version-negotiation-ssl] +server = 125-version-negotiation-server +client = 125-version-negotiation-client + +[125-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[125-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-125] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[126-version-negotiation] +ssl_conf = 126-version-negotiation-ssl + +[126-version-negotiation-ssl] +server = 126-version-negotiation-server +client = 126-version-negotiation-client + +[126-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[126-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-126] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[127-version-negotiation] +ssl_conf = 127-version-negotiation-ssl + +[127-version-negotiation-ssl] +server = 127-version-negotiation-server +client = 127-version-negotiation-client + +[127-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[127-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-127] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[128-version-negotiation] +ssl_conf = 128-version-negotiation-ssl + +[128-version-negotiation-ssl] +server = 128-version-negotiation-server +client = 128-version-negotiation-client + +[128-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[128-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-128] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[129-version-negotiation] +ssl_conf = 129-version-negotiation-ssl + +[129-version-negotiation-ssl] +server = 129-version-negotiation-server +client = 129-version-negotiation-client + +[129-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = 
DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[129-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-129] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[130-version-negotiation] +ssl_conf = 130-version-negotiation-ssl + +[130-version-negotiation-ssl] +server = 130-version-negotiation-server +client = 130-version-negotiation-client + +[130-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[130-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-130] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[131-version-negotiation] +ssl_conf = 131-version-negotiation-ssl + +[131-version-negotiation-ssl] +server = 131-version-negotiation-server +client = 131-version-negotiation-client + +[131-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[131-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-131] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[132-version-negotiation] +ssl_conf = 132-version-negotiation-ssl + +[132-version-negotiation-ssl] +server = 132-version-negotiation-server +client = 132-version-negotiation-client + 
+[132-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[132-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-132] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[133-version-negotiation] +ssl_conf = 133-version-negotiation-ssl + +[133-version-negotiation-ssl] +server = 133-version-negotiation-server +client = 133-version-negotiation-client + +[133-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[133-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-133] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[134-version-negotiation] +ssl_conf = 134-version-negotiation-ssl + +[134-version-negotiation-ssl] +server = 134-version-negotiation-server +client = 134-version-negotiation-client + +[134-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[134-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-134] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[135-version-negotiation] +ssl_conf = 135-version-negotiation-ssl + +[135-version-negotiation-ssl] +server 
= 135-version-negotiation-server +client = 135-version-negotiation-client + +[135-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[135-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-135] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[136-version-negotiation] +ssl_conf = 136-version-negotiation-ssl + +[136-version-negotiation-ssl] +server = 136-version-negotiation-server +client = 136-version-negotiation-client + +[136-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[136-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-136] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[137-version-negotiation] +ssl_conf = 137-version-negotiation-ssl + +[137-version-negotiation-ssl] +server = 137-version-negotiation-server +client = 137-version-negotiation-client + +[137-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[137-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-137] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# 
=========================================================== + +[138-version-negotiation] +ssl_conf = 138-version-negotiation-ssl + +[138-version-negotiation-ssl] +server = 138-version-negotiation-server +client = 138-version-negotiation-client + +[138-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[138-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-138] +ExpectedProtocol = DTLSv1.2 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[139-version-negotiation] +ssl_conf = 139-version-negotiation-ssl + +[139-version-negotiation-ssl] +server = 139-version-negotiation-server +client = 139-version-negotiation-client + +[139-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[139-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-139] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[140-version-negotiation] +ssl_conf = 140-version-negotiation-ssl + +[140-version-negotiation-ssl] +server = 140-version-negotiation-server +client = 140-version-negotiation-client + +[140-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[140-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-140] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[141-version-negotiation] +ssl_conf = 141-version-negotiation-ssl + +[141-version-negotiation-ssl] +server = 141-version-negotiation-server +client = 141-version-negotiation-client + +[141-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[141-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-141] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[142-version-negotiation] +ssl_conf = 142-version-negotiation-ssl + +[142-version-negotiation-ssl] +server = 142-version-negotiation-server +client = 142-version-negotiation-client + +[142-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[142-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-142] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[143-version-negotiation] +ssl_conf = 143-version-negotiation-ssl + +[143-version-negotiation-ssl] +server = 143-version-negotiation-server +client = 143-version-negotiation-client + +[143-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + +[143-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-143] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[144-version-negotiation] +ssl_conf = 144-version-negotiation-ssl + +[144-version-negotiation-ssl] +server = 144-version-negotiation-server +client = 144-version-negotiation-client + +[144-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[144-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-144] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[145-version-negotiation] +ssl_conf = 145-version-negotiation-ssl + +[145-version-negotiation-ssl] +server = 145-version-negotiation-server +client = 145-version-negotiation-client + +[145-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[145-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-145] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[146-version-negotiation] +ssl_conf = 146-version-negotiation-ssl + +[146-version-negotiation-ssl] +server = 146-version-negotiation-server +client = 146-version-negotiation-client + +[146-version-negotiation-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[146-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-146] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[147-version-negotiation] +ssl_conf = 147-version-negotiation-ssl + +[147-version-negotiation-ssl] +server = 147-version-negotiation-server +client = 147-version-negotiation-client + +[147-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[147-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-147] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[148-version-negotiation] +ssl_conf = 148-version-negotiation-ssl + +[148-version-negotiation-ssl] +server = 148-version-negotiation-server +client = 148-version-negotiation-client + +[148-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[148-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-148] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[149-version-negotiation] +ssl_conf = 149-version-negotiation-ssl + 
+[149-version-negotiation-ssl] +server = 149-version-negotiation-server +client = 149-version-negotiation-client + +[149-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[149-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-149] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[150-version-negotiation] +ssl_conf = 150-version-negotiation-ssl + +[150-version-negotiation-ssl] +server = 150-version-negotiation-server +client = 150-version-negotiation-client + +[150-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[150-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-150] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[151-version-negotiation] +ssl_conf = 151-version-negotiation-ssl + +[151-version-negotiation-ssl] +server = 151-version-negotiation-server +client = 151-version-negotiation-client + +[151-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[151-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer 
+ +[test-151] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[152-version-negotiation] +ssl_conf = 152-version-negotiation-ssl + +[152-version-negotiation-ssl] +server = 152-version-negotiation-server +client = 152-version-negotiation-client + +[152-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[152-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-152] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[153-version-negotiation] +ssl_conf = 153-version-negotiation-ssl + +[153-version-negotiation-ssl] +server = 153-version-negotiation-server +client = 153-version-negotiation-client + +[153-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[153-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-153] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[154-version-negotiation] +ssl_conf = 154-version-negotiation-ssl + +[154-version-negotiation-ssl] +server = 154-version-negotiation-server +client = 154-version-negotiation-client + +[154-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + +[154-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-154] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[155-version-negotiation] +ssl_conf = 155-version-negotiation-ssl + +[155-version-negotiation-ssl] +server = 155-version-negotiation-server +client = 155-version-negotiation-client + +[155-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[155-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-155] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[156-version-negotiation] +ssl_conf = 156-version-negotiation-ssl + +[156-version-negotiation-ssl] +server = 156-version-negotiation-server +client = 156-version-negotiation-client + +[156-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[156-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-156] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[157-version-negotiation] +ssl_conf = 157-version-negotiation-ssl + +[157-version-negotiation-ssl] +server = 157-version-negotiation-server +client = 157-version-negotiation-client + +[157-version-negotiation-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[157-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-157] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[158-version-negotiation] +ssl_conf = 158-version-negotiation-ssl + +[158-version-negotiation-ssl] +server = 158-version-negotiation-server +client = 158-version-negotiation-client + +[158-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[158-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-158] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[159-version-negotiation] +ssl_conf = 159-version-negotiation-ssl + +[159-version-negotiation-ssl] +server = 159-version-negotiation-server +client = 159-version-negotiation-client + +[159-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[159-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-159] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[160-version-negotiation] +ssl_conf = 160-version-negotiation-ssl + +[160-version-negotiation-ssl] +server = 160-version-negotiation-server +client = 
160-version-negotiation-client + +[160-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[160-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-160] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[161-version-negotiation] +ssl_conf = 161-version-negotiation-ssl + +[161-version-negotiation-ssl] +server = 161-version-negotiation-server +client = 161-version-negotiation-client + +[161-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[161-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-161] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[162-version-negotiation] +ssl_conf = 162-version-negotiation-ssl + +[162-version-negotiation-ssl] +server = 162-version-negotiation-server +client = 162-version-negotiation-client + +[162-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[162-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-162] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[163-version-negotiation] 
+ssl_conf = 163-version-negotiation-ssl + +[163-version-negotiation-ssl] +server = 163-version-negotiation-server +client = 163-version-negotiation-client + +[163-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[163-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-163] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[164-version-negotiation] +ssl_conf = 164-version-negotiation-ssl + +[164-version-negotiation-ssl] +server = 164-version-negotiation-server +client = 164-version-negotiation-client + +[164-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.2 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[164-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-164] +ExpectedResult = ServerFail +Method = DTLS + + +# =========================================================== + +[165-version-negotiation] +ssl_conf = 165-version-negotiation-ssl + +[165-version-negotiation-ssl] +server = 165-version-negotiation-server +client = 165-version-negotiation-client + +[165-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[165-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-165] +ExpectedProtocol = DTLSv1.3 
+ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[166-version-negotiation] +ssl_conf = 166-version-negotiation-ssl + +[166-version-negotiation-ssl] +server = 166-version-negotiation-server +client = 166-version-negotiation-client + +[166-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[166-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-166] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[167-version-negotiation] +ssl_conf = 167-version-negotiation-ssl + +[167-version-negotiation-ssl] +server = 167-version-negotiation-server +client = 167-version-negotiation-client + +[167-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MaxProtocol = DTLSv1.3 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[167-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-167] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + +# =========================================================== + +[168-version-negotiation] +ssl_conf = 168-version-negotiation-ssl + +[168-version-negotiation-ssl] +server = 168-version-negotiation-server +client = 168-version-negotiation-client + +[168-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=0 +MinProtocol = DTLSv1.3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[168-version-negotiation-client] +CipherString = DEFAULT:@SECLEVEL=0 
+MinProtocol = DTLSv1.3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-168] +ExpectedProtocol = DTLSv1.3 +ExpectedResult = Success +Method = DTLS + + diff --git a/test/ssl-tests/11-dtls_resumption.cnf b/test/ssl-tests/11-dtls_resumption.cnf index 424e3d425b..7aa7866499 100644 --- a/test/ssl-tests/11-dtls_resumption.cnf +++ b/test/ssl-tests/11-dtls_resumption.cnf 
@@ -1,620 +1,4 @@ # Generated with generate_ssl_tests.pl -num_tests = 16 - -test-0 = 0-resumption -test-1 = 1-resumption -test-2 = 2-resumption -test-3 = 3-resumption -test-4 = 4-resumption -test-5 = 5-resumption -test-6 = 6-resumption -test-7 = 7-resumption -test-8 = 8-resumption -test-9 = 9-resumption -test-10 = 10-resumption -test-11 = 11-resumption -test-12 = 12-resumption -test-13 = 13-resumption -test-14 = 14-resumption -test-15 = 15-resumption -# =========================================================== - -[0-resumption] -ssl_conf = 0-resumption-ssl - -[0-resumption-ssl] -server = 0-resumption-server -client = 0-resumption-client -resume-server = 0-resumption-resume-server -resume-client = 0-resumption-client - -[0-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[0-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[0-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-0] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[1-resumption] -ssl_conf = 1-resumption-ssl - -[1-resumption-ssl] -server = 1-resumption-server -client = 1-resumption-client -resume-server = 1-resumption-resume-server -resume-client = 1-resumption-client - -[1-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[1-resumption-resume-server] -Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[1-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-1] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[2-resumption] -ssl_conf = 2-resumption-ssl - -[2-resumption-ssl] -server = 2-resumption-server -client = 2-resumption-client -resume-server = 2-resumption-resume-server -resume-client = 2-resumption-client - -[2-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[2-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[2-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-2] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[3-resumption] -ssl_conf = 3-resumption-ssl - -[3-resumption-ssl] -server = 3-resumption-server -client = 3-resumption-client -resume-server = 3-resumption-resume-server -resume-client = 3-resumption-client - -[3-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[3-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = 
DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[3-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-3] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[4-resumption] -ssl_conf = 4-resumption-ssl - -[4-resumption-ssl] -server = 4-resumption-server -client = 4-resumption-client -resume-server = 4-resumption-resume-server -resume-client = 4-resumption-client - -[4-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[4-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[4-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-4] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[5-resumption] -ssl_conf = 5-resumption-ssl - -[5-resumption-ssl] -server = 5-resumption-server -client = 5-resumption-client -resume-server = 5-resumption-resume-server -resume-client = 5-resumption-client - -[5-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[5-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -Options = 
-SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[5-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-5] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[6-resumption] -ssl_conf = 6-resumption-ssl - -[6-resumption-ssl] -server = 6-resumption-server -client = 6-resumption-client -resume-server = 6-resumption-resume-server -resume-client = 6-resumption-client - -[6-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[6-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[6-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-6] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[7-resumption] -ssl_conf = 7-resumption-ssl - -[7-resumption-ssl] -server = 7-resumption-server -client = 7-resumption-client -resume-server = 7-resumption-resume-server -resume-client = 7-resumption-client - -[7-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[7-resumption-resume-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -Options = -SessionTicket -PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem - -[7-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-7] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[8-resumption] -ssl_conf = 8-resumption-ssl - -[8-resumption-ssl] -server = 8-resumption-server -client = 8-resumption-client -resume-server = 8-resumption-server -resume-client = 8-resumption-resume-client - -[8-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[8-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[8-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-8] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[9-resumption] -ssl_conf = 9-resumption-ssl - -[9-resumption-ssl] -server = 9-resumption-server -client = 9-resumption-client -resume-server = 9-resumption-server -resume-client = 9-resumption-resume-client - -[9-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[9-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[9-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-9] 
-ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[10-resumption] -ssl_conf = 10-resumption-ssl - -[10-resumption-ssl] -server = 10-resumption-server -client = 10-resumption-client -resume-server = 10-resumption-server -resume-client = 10-resumption-resume-client - -[10-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[10-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[10-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-10] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[11-resumption] -ssl_conf = 11-resumption-ssl - -[11-resumption-ssl] -server = 11-resumption-server -client = 11-resumption-client -resume-server = 11-resumption-server -resume-client = 11-resumption-resume-client - -[11-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[11-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -MinProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[11-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-11] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# 
=========================================================== - -[12-resumption] -ssl_conf = 12-resumption-ssl - -[12-resumption-ssl] -server = 12-resumption-server -client = 12-resumption-client -resume-server = 12-resumption-server -resume-client = 12-resumption-resume-client - -[12-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[12-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[12-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-12] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[13-resumption] -ssl_conf = 13-resumption-ssl - -[13-resumption-ssl] -server = 13-resumption-server -client = 13-resumption-client -resume-server = 13-resumption-server -resume-client = 13-resumption-resume-client - -[13-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[13-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[13-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-13] -ExpectedProtocol = DTLSv1 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = No - - -# =========================================================== - -[14-resumption] -ssl_conf = 14-resumption-ssl - -[14-resumption-ssl] -server = 
14-resumption-server -client = 14-resumption-client -resume-server = 14-resumption-server -resume-client = 14-resumption-resume-client - -[14-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[14-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[14-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-14] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - - -# =========================================================== - -[15-resumption] -ssl_conf = 15-resumption-ssl - -[15-resumption-ssl] -server = 15-resumption-server -client = 15-resumption-client -resume-server = 15-resumption-server -resume-client = 15-resumption-resume-client - -[15-resumption-server] -Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT:@SECLEVEL=0 -Options = -SessionTicket -PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - -[15-resumption-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -MinProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[15-resumption-resume-client] -CipherString = DEFAULT:@SECLEVEL=0 -MaxProtocol = DTLSv1.2 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -VerifyMode = Peer - -[test-15] -ExpectedProtocol = DTLSv1.2 -HandshakeMode = Resume -Method = DTLS -ResumptionExpected = Yes - +num_tests = 0 diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 4e4ce365d6..c51cca42dc 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm 
@@ -66,6 +66,9 @@ sub max_prot_enabled { foreach my $i (0..$#protocols) { if (!$is_disabled[$i] && ($protocols[$i] ne "TLSv1.3" + || !disabled("ec") + || !disabled("dh")) + && ($protocols[$i] ne "DTLSv1.3" || !disabled("ec") || !disabled("dh"))) { $max_enabled = $i; @@ -80,16 +83,16 @@ $min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled $max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips); -my @dtls_protocols = ("DTLSv1", "DTLSv1.2"); -my @dtls_protocols_fips = ("DTLSv1.2"); +my @dtls_protocols = ("DTLSv1", "DTLSv1.2", "DTLSv1.3"); +my @dtls_protocols_fips = ("DTLSv1.2", "DTLSv1.3"); # undef stands for "no limit". -my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2"); -my @min_dtls_protocols_fips = (undef, "DTLSv1.2"); -my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef); -my @max_dtls_protocols_fips = ("DTLSv1.2", undef); +my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2", "DTLSv1.3"); +my @min_dtls_protocols_fips = (undef, "DTLSv1.2", "DTLSv1.3"); +my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", "DTLSv1.3", undef); +my @max_dtls_protocols_fips = ("DTLSv1.2", "DTLSv1.3", undef); -my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2"); -my @is_dtls_disabled_fips = anydisabled("dtls1_2"); +my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2", "dtls1_3"); +my @is_dtls_disabled_fips = anydisabled("dtls1_2", "dtls1_3"); my $min_dtls_enabled; my $max_dtls_enabled; my $min_dtls_enabled_fips; my $max_dtls_enabled_fips; @@ -104,9 +107,9 @@ $max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab sub no_tests { my ($dtls, $fips) = @_; if ($dtls && $fips) { - return disabled("dtls1_2"); + return disabled("dtls1_2", "dtls1_3"); } - return $dtls ? alldisabled("dtls1", "dtls1_2") : + return $dtls ? alldisabled("dtls1", "dtls1_2", "dtls1_3") : alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3"); } 
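Review bot: In `no_tests`, the FIPS branch now calls `disabled("dtls1_2", "dtls1_3")` while the non-FIPS branch just below uses `alldisabled(...)`. If `disabled` with several arguments is true as soon as any one of them is disabled (I believe that is how the test utility behaves, but its definition is not in this hunk), a build with only dtls1_3 disabled would skip every FIPS DTLS test even though DTLSv1.2 can still be tested. Using `return alldisabled("dtls1_2", "dtls1_3");` would match the non-FIPS line and keep the DTLSv1.2 FIPS coverage.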
@@ -240,6 +243,9 @@ sub generate_resumption_tests { $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; } + # TODO(DTLSv1.3): Resumption tests fails + return if($dtls == 1); + if (no_tests($dtls)) { return; } @@ -362,7 +368,11 @@ sub expected_result { || ($orig_c_max != scalar @$protocols && $prots[$orig_c_max] eq "TLSv1.3" && $c_max != $orig_c_max - && !disabled("tls1_3"))) { + && !disabled("tls1_3")) + || ($orig_c_max != scalar @$protocols + && $prots[$orig_c_max] eq "DTLSv1.3" + && $c_max != $orig_c_max + && !disabled("dtls1_3"))) { # Client should fail to even send a hello. return ("ClientFail", undef); } elsif ($s_min > $s_max) { @@ -372,7 +382,8 @@ sub expected_result { # Server doesn't support the client range. return ("ServerFail", undef); } elsif ($c_min > $s_max) { - if ($prots[$c_max] eq "TLSv1.3") { + if ($prots[$c_max] eq "TLSv1.3" + || $prots[$c_max] eq "DTLSv1.3") { # Client will have sent supported_versions, so server will know # that there are no overlapping versions. return ("ServerFail", undef); From 36561a2aa0be08ff4955ecd73e3279469d86de75 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 2 May 2024 16:21:44 +0200 Subject: [PATCH 38/74] Check that both tls1.3 and dtls1.3 is disabled before removing code from compilation path. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/statem/extensions.c | 4 ++-- ssl/statem/extensions_clnt.c | 14 +++++++------- ssl/statem/extensions_srvr.c | 12 +++++++----- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 4d5ea66974..70053c57a1 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c 
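Review bot: The early `return if($dtls == 1);` in `generate_resumption_tests` switches off resumption tests for every DTLS version, not only DTLSv1.3; the regenerated 11-dtls_resumption.cnf in this same patch goes from 16 tests to `num_tests = 0`. That drops the DTLSv1 and DTLSv1.2 cases that assert `ResumptionExpected = No` when the protocol version differs between the two handshakes, which is the regression check against resuming a session under a different version. While the TODO is open it would be narrower to leave the older versions in the matrix and exclude only "DTLSv1.3" from the protocols this function iterates over (that code is outside the hunk). At minimum the comment should state the real scope: `# TODO(DTLSv1.3): resumption fails with DTLSv1.3; until fixed this skips ALL DTLS resumption tests, including DTLSv1 and DTLSv1.2`.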
@@ -1363,7 +1363,7 @@ static int final_supported_versions(SSL_CONNECTION *s, unsigned int context, static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) { -#if !defined(OPENSSL_NO_TLS1_3) +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) if (!SSL_CONNECTION_IS_VERSION13(s)) return 1; @@ -1528,7 +1528,7 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) return 0; } } -#endif /* !defined(OPENSSL_NO_TLS1_3) */ +#endif /* !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_DTLS1_3) */ return 1; } diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index d07d2ee187..ea8812beca 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -617,7 +617,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) int nodhe = s->options & SSL_OP_ALLOW_NO_DHE_KEX; if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_psk_kex_modes) @@ -639,7 +639,7 @@ EXT_RETURN tls_construct_ctos_psk_kex_modes(SSL_CONNECTION *s, WPACKET *pkt, return EXT_RETURN_SENT; } -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) static int add_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int curve_id) { unsigned char *encoded_point = NULL; @@ -700,7 +700,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) size_t i, num_groups = 0; const uint16_t *pgroups = NULL; uint16_t curve_id = 0; 
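Review bot: The guard `#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))` at the top of `final_key_share` is written out again in every other hunk of this patch (extensions_clnt.c and extensions_srvr.c). With that many copies it is easy for one site to keep the old `#ifndef OPENSSL_NO_TLS1_3` and silently compile out key_share, PSK or cookie handling in a build that has DTLS 1.3 but not TLS 1.3. Defining the condition once in a shared internal header and testing that one name at each site would keep them in step, for example `# define SSL_NO_VERSION13_SUPPORT` under `# if defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)` (the macro name is only a suggestion, it does not exist today).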
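Review bot: The `#endif` comment added at the end of `final_key_share` does not match the condition it closes. The opening line is `#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3))`, which is true when either protocol is enabled, whereas the comment `!defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_DTLS1_3)` describes both being enabled. A reader relying on the comment would conclude the block is compiled out in a DTLS-1.3-only build; it should read `#endif /* !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) */`.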
@@ -1044,7 +1044,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) uint32_t agesec, agems = 0; size_t binderoffset, msglen; int reshashsize = 0, pskhashsize = 0; @@ -1253,7 +1253,7 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL_CONNECTION *s, WPACKET *pk ossl_unused X509 *x, ossl_unused size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) if (!s->pha_enabled) return EXT_RETURN_NOT_SENT; @@ -1853,7 +1853,7 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned int group_id; PACKET encoded_pt; EVP_PKEY *ckey = s->s3.tmp.pkey, *skey = NULL; @@ -2066,7 +2066,7 @@ int tls_parse_stoc_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned int identity; if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) { diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index f90e584364..fb4275419a 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -561,7 +561,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) PACKET psk_kex_modes; unsigned int mode; 
@@ -605,7 +605,7 @@ int tls_parse_ctos_psk_kex_modes(SSL_CONNECTION *s, PACKET *pkt, int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned int group_id; PACKET key_share_list, encoded_pt; const uint16_t *clntgroups, *srvrgroups; @@ -726,7 +726,7 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt, int tls_parse_ctos_cookie(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned int format, version, key_share, group_id; EVP_MD_CTX *hctx; EVP_PKEY *pkey; @@ -1647,7 +1647,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned char *encodedPoint; size_t encoded_pt_len = 0; EVP_PKEY *ckey = s->s3.peer_tmp, *skey = NULL; @@ -1775,6 +1775,7 @@ EXT_RETURN tls_construct_stoc_key_share(SSL_CONNECTION *s, WPACKET *pkt, s->s3.did_kex = 1; return EXT_RETURN_SENT; #else + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; #endif } @@ -1783,7 +1784,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { -#ifndef OPENSSL_NO_TLS1_3 +#if !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_DTLS1_3)) unsigned char *hashval1, *hashval2, *appcookie1, *appcookie2, *cookie; unsigned char *hmac, *hmac2; size_t startlen, ciphlen, totcookielen, hashlen, hmaclen, appcookielen; @@ -1905,6 +1906,7 @@ EXT_RETURN tls_construct_stoc_cookie(SSL_CONNECTION *s, WPACKET *pkt, EVP_PKEY_free(pkey); return ret; #else + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; #endif } 
From fef39854246cfb0cf959443a0e59cedb9a3b882d Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 3 May 2024 14:01:45 +0200 Subject: [PATCH 39/74] Disable middlebox for dtls Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/ssl_local.h | 5 +++++ ssl/statem/statem_clnt.c | 14 +++++++------- ssl/statem/statem_lib.c | 2 +- ssl/statem/statem_srvr.c | 6 +++--- 4 files changed, 16 insertions(+), 11 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 701145438c..ff5f2f3ce2 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -254,6 +254,11 @@ # define SSL_CONNECTION_IS_DTLS(s) \ (SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) +/* Check if an SSL structure is using DTLS */ +# define SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) \ + ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 \ + && !SSL_CONNECTION_IS_DTLS(s)) + /* Check if we are using DTLSv1.3 */ # define SSL_CONNECTION_IS_DTLS13(s) (SSL_CONNECTION_IS_DTLS(s) \ && DTLS_VERSION_GE(SSL_CONNECTION_GET_SSL(s)->method->version, DTLS1_3_VERSION) \ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 69db475056..4b94dd8c1d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -465,7 +465,7 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s) if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; - else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + else if (SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && s->hello_retry_request == SSL_HRR_NONE) st->hand_state = TLS_ST_CW_CHANGE; else if (s->s3.tmp.cert_req == 0) 
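Review bot: The comment added above `SSL_CONNECTION_MIDDLEBOX_IS_ENABLED` in ssl_local.h ("Check if an SSL structure is using DTLS") reads as if it described `SSL_CONNECTION_IS_DTLS` and says nothing about the new macro. Something like `/* Middlebox compat applies: the option is set and this is not a DTLS connection */` would state what is tested and why DTLS is excluded. The macro also expands its argument unparenthesized in `s->options`, so the first line of the body is safer as `(((s)->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 \`. Every call site in this patch passes a plain `s`, so that part is hardening rather than a present bug.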
@@ -566,7 +566,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) * We are assuming this is a (D)TLSv1.3 connection, although we haven't * actually selected a version yet. */ - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) + if (SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s)) st->hand_state = TLS_ST_CW_CHANGE; else st->hand_state = TLS_ST_EARLY_DATA; @@ -585,7 +585,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) * CCS unless middlebox compat mode is off, or we already issued one * because we did early data. */ - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + if (SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) st->hand_state = TLS_ST_CW_CHANGE; else @@ -800,7 +800,7 @@ WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) * cipher state function associated with the SSL_METHOD. Instead * we call tls13_change_cipher_state() directly. */ - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { + if (!SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s)) { if (!tls13_change_cipher_state(s, SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { /* SSLfatal() already called */ @@ -1252,7 +1252,7 @@ CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) || s->session->ssl_version == TLS1_3_VERSION || s->session->ssl_version == DTLS1_3_VERSION) { if (s->version == TLS1_3_VERSION - && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { + && SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s)) { sess_id_len = sizeof(s->tmp_session_id); s->tmp_session_id_len = sess_id_len; session_id = s->tmp_session_id; 
@@ -1793,7 +1793,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) * compat this doesn't cause a problem. */ if (s->early_data_state == SSL_EARLY_DATA_NONE - && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 + && !SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && !ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { /* SSLfatal() already called */ @@ -3792,7 +3792,7 @@ CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, if (SSL_CONNECTION_IS_VERSION13(s) && SSL_IS_FIRST_HANDSHAKE(s) && (s->early_data_state != SSL_EARLY_DATA_NONE - || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) + || SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s)) && (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) { /* diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 7b819f715d..4a83ee3c55 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -626,7 +626,7 @@ CON_FUNC_RETURN tls_construct_finished(SSL_CONNECTION *s, WPACKET *pkt) if (SSL_CONNECTION_IS_VERSION13(s) && !s->server && (s->early_data_state != SSL_EARLY_DATA_NONE - || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) + || SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s)) && s->s3.tmp.cert_req == 0 && (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 2fdb2eebf1..547c1328e3 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -500,7 +500,7 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s) return WRITE_TRAN_CONTINUE; case TLS_ST_SW_SRVR_HELLO: - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + if (SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && s->hello_retry_request != SSL_HRR_COMPLETE) st->hand_state = TLS_ST_SW_CHANGE; else if (s->hello_retry_request == SSL_HRR_PENDING) 
@@ -910,7 +910,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_SRVR_HELLO: if (SSL_CONNECTION_IS_VERSION13(s) && s->hello_retry_request == SSL_HRR_PENDING) { - if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 + if (!SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && statem_flush(s) != 1) return WORK_MORE_A; break; @@ -946,7 +946,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) } #endif if (!SSL_CONNECTION_IS_VERSION13(s) - || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + || (SSL_CONNECTION_MIDDLEBOX_IS_ENABLED(s) && s->hello_retry_request != SSL_HRR_COMPLETE)) break; /* Fall through */ From a4461dba43f7cb86e02f4ef9538345c4dd3f2176 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Tue, 7 May 2024 21:18:44 +0200 Subject: [PATCH 40/74] Clear old messages from queues in order to avoid leaks of record layer objects. Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- ssl/tls13_enc.c | 8 ++++++++ test/tls13secretstest.c | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index ae76ddb3f4..e17154d952 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -758,6 +758,14 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which) ? OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE : OSSL_RECORD_PROTECTION_LEVEL_APPLICATION); + if (SSL_CONNECTION_IS_DTLS(s)) { + /* We have moved to the next flight lets clear out old messages */ + if (direction == OSSL_RECORD_DIRECTION_READ) + dtls1_clear_received_buffer(s); + else + dtls1_clear_sent_buffer(s); + } + if (!ssl_set_new_record_layer(s, s->version, direction, level, secret, hashlen, key, keylen, iv, diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c index 2cbc452130..5109857ec3 100644 --- a/test/tls13secretstest.c +++ b/test/tls13secretstest.c 
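Review bot: The block added to `tls13_change_cipher_state` clears the DTLS message buffers on every key change, but its comment describes a flight boundary, and the two do not coincide: in a 1.3 handshake the server changes write keys between ServerHello and the encrypted messages of the same flight. If `dtls1_clear_sent_buffer` discards what is held for retransmission (its body is not in this hunk), messages of the current flight sent under the previous keys could not be resent after loss. The clearing also runs before `ssl_set_new_record_layer` is known to have succeeded, so a failure there leaves the buffers already emptied. I would either move the clearing after the successful call or state the assumption in the comment, e.g. `/* Key change: messages buffered under the previous epoch are dropped; they must not need retransmission past this point */`. The function continues outside the hunk.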
@@ -236,6 +236,14 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction, return 0; } +void dtls1_clear_received_buffer(SSL_CONNECTION *s) +{ +} + +void dtls1_clear_sent_buffer(SSL_CONNECTION *s) +{ +} + /* End of mocked out code */ static int test_secret(SSL_CONNECTION *s, unsigned char *prk, From 7f4e2b3890615a9be67bddc10ca75dd581aeffe8 Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Fri, 13 Oct 2023 12:21:47 +0200 Subject: [PATCH 41/74] Correct traces for certificates in dtls13 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22935) --- ssl/t1_trce.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 87a16f3698..35e8ede063 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1351,7 +1351,7 @@ static int ssl_print_certificates(BIO *bio, const SSL_CONNECTION *sc, int server { size_t clen; - if (SSL_CONNECTION_IS_TLS13(sc) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_print_hexbuf(bio, indent, "context", 1, &msg, &msglen)) return 0; @@ -1365,7 +1365,7 @@ static int ssl_print_certificates(BIO *bio, const SSL_CONNECTION *sc, int server || (!server && sc->ext.client_cert_type == TLSEXT_cert_type_rpk)) { if (!ssl_print_raw_public_key(bio, &sc->ssl, server, indent, &msg, &clen)) return 0; - if (SSL_CONNECTION_IS_TLS13(sc) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; @@ -1376,7 +1376,7 @@ static int ssl_print_certificates(BIO *bio, const SSL_CONNECTION *sc, int server while (clen > 0) { if (!ssl_print_certificate(bio, sc, indent + 2, &msg, &clen)) return 0; - if (SSL_CONNECTION_IS_TLS13(sc) + if (SSL_CONNECTION_IS_VERSION13(sc) && !ssl_print_extensions(bio, indent + 2, server, SSL3_MT_CERTIFICATE, &msg, &clen)) return 0; 
@@ -1462,7 +1462,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, const SSL_CONNECTION *sc size_t xlen; unsigned int sigalg; - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!ssl_print_hexbuf(bio, indent, "request_context", 1, &msg, &msglen)) return 0; if (!ssl_print_extensions(bio, indent, 1, @@ -1537,7 +1537,7 @@ static int ssl_print_cert_request(BIO *bio, int indent, const SSL_CONNECTION *sc xlen -= dlen + 2; msg += dlen; } - if (SSL_CONNECTION_IS_TLS13(sc)) { + if (SSL_CONNECTION_IS_VERSION13(sc)) { if (!ssl_print_hexbuf(bio, indent, "request_extensions", 2, &msg, &msglen)) return 0; From 5ae98099308ff3bb3fe24b145b7239964f269dcd Mon Sep 17 00:00:00 2001 From: Frederik Wedel-Heinen Date: Thu, 12 Oct 2023 14:22:40 +0200 Subject: [PATCH 42/74] Update documentation for DTLS1.3 Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22363) --- doc/man1/openssl-s_client.pod.in | 2 +- doc/man3/SSL_CIPHER_get_name.pod | 4 ++-- doc/man3/SSL_CONF_cmd.pod | 2 +- doc/man3/SSL_CTX_set0_CA_list.pod | 2 +- doc/man3/SSL_CTX_set1_sigalgs.pod | 4 ++-- doc/man3/SSL_CTX_set_min_proto_version.pod | 2 +- doc/man3/SSL_CTX_set_num_tickets.pod | 2 +- doc/man3/SSL_CTX_set_options.pod | 5 +++-- doc/man3/SSL_check_chain.pod | 4 ++-- doc/man3/SSL_export_keying_material.pod | 2 +- doc/man3/SSL_get_shared_sigalgs.pod | 2 +- doc/man3/SSL_get_version.pod | 4 ++++ 12 files changed, 20 insertions(+), 15 deletions(-) diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index f79ef608d5..cafa9718ae 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -365,7 +365,7 @@ See L for more information on the C scheme. A file containing a list of certificates whose subject names will be sent to the server in the B extension. Only supported -for TLS 1.3 +for TLS 1.3 and DTLS 1.3 =item B<-dane_tlsa_domain> I 
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod index 09b7280bdd..cfd7ea5d50 100644 --- a/doc/man3/SSL_CIPHER_get_name.pod +++ b/doc/man3/SSL_CIPHER_get_name.pod @@ -74,7 +74,7 @@ different to the digest used to calculate the MAC for encrypted records. SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method used by B. If there is no key exchange, then B is returned. -If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3 +If any appropriate key exchange algorithm can be used (as in the case of (D)TLS 1.3 cipher suites) B is returned. Examples (not comprehensive): NID_kx_rsa @@ -85,7 +85,7 @@ cipher suites) B is returned. Examples (not comprehensive): SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method used by B. If there is no authentication, then B is returned. If any appropriate authentication algorithm can be used (as in the case of -TLS 1.3 cipher suites) B is returned. Examples (not comprehensive): +(D)TLS 1.3 cipher suites) B is returned. Examples (not comprehensive): NID_auth_rsa NID_auth_ecdsa diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 32d10c3a5b..5bd78b10ac 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -351,7 +351,7 @@ if certificate operations are permitted. This option indicates a file containing a set of certificates in PEM form. The subject names of the certificates are sent to the peer in the -B extension for TLS 1.3 (in ClientHello or +B extension for (D)TLS 1.3 (in ClientHello or CertificateRequest) or in a certificate request for previous versions or TLS. diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod index 64e8117f92..ce7ed0e658 100644 --- a/doc/man3/SSL_CTX_set0_CA_list.pod +++ b/doc/man3/SSL_CTX_set0_CA_list.pod 
@@ -47,7 +47,7 @@ server to the client when requesting a client certificate. So any list of CA names set is never sent from client to server and the list of CA names retrieved by SSL_get0_peer_CA_list() is always B. -For TLS 1.3 the list of CA names is sent using the B +For (D)TLS 1.3 the list of CA names is sent using the B extension and may be sent by a client (in the ClientHello message) or by a server (when requesting a certificate). diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index c384065bfc..468edebf9f 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -32,7 +32,7 @@ SSL_CTX_set1_sigalgs_list() and SSL_set1_sigalgs_list() set the supported signature algorithms for B or B. The B parameter must be a null terminated string consisting of a colon separated list of elements, where each element is either a combination of a public key -algorithm and a digest separated by B<+>, or a TLS 1.3-style named +algorithm and a digest separated by B<+>, or a (D)TLS 1.3-style named SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded with the C character, it will be ignored if an implementation is missing. @@ -80,7 +80,7 @@ The short or long name values for digests can be used in a string (for example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA". -The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also +The (D)TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also be used with the B<_list> forms of the API. The use of MD5 as a digest is strongly discouraged due to security weaknesses. diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod index 9a2da37ab7..34b7a40cf3 100644 --- a/doc/man3/SSL_CTX_set_min_proto_version.pod +++ b/doc/man3/SSL_CTX_set_min_proto_version.pod 
@@ -40,7 +40,7 @@ automatically use the lowest or highest version supported by the library. Currently supported versions are B, B, B, B, B for TLS and -B, B for DTLS. +B, B, B for DTLS. In the current version of OpenSSL only QUICv1 is supported in conjunction with TLSv1.3. Calling these functions on a QUIC object has no effect. diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod index 0c7331bc6d..e81679e609 100644 --- a/doc/man3/SSL_CTX_set_num_tickets.pod +++ b/doc/man3/SSL_CTX_set_num_tickets.pod @@ -46,7 +46,7 @@ To issue tickets after other events (such as application-layer changes), SSL_new_session_ticket() is used by a server application to request that a new ticket be sent when it is safe to do so. New tickets are only allowed to be sent in this manner after the initial handshake has completed, and only for -TLS 1.3 connections. By default, the ticket generation and transmission are +(D)TLS 1.3 connections. By default, the ticket generation and transmission are delayed until the server is starting a new write operation, so that it is bundled with other application data being written and properly aligned to a record boundary. If the connection was at a record boundary when diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index a6c922ecf9..dfe139065b 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod 
@@ -296,10 +296,11 @@ When performing renegotiation as a server, always start a new session handshake). This option is not needed for clients. =item SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, -SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 +SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, +SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2, SSL_OP_NO_DTLSv1_3 These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol -versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, +versions with TLS or the DTLSv1, DTLSv1.2, DTLSv1.3 versions with DTLS, respectively. As of OpenSSL 1.1.0, these options are deprecated, use L and diff --git a/doc/man3/SSL_check_chain.pod b/doc/man3/SSL_check_chain.pod index d00badbd75..e90ab0dd6f 100644 --- a/doc/man3/SSL_check_chain.pod +++ b/doc/man3/SSL_check_chain.pod @@ -72,8 +72,8 @@ The validity of a chain is determined by checking if it matches a supported signature algorithm, supported curves and in the case of client authentication certificate types and issuer names. -Since the supported signature algorithms extension is only used in TLS 1.2, -TLS 1.3 and DTLS 1.2 the results for earlier versions of TLS and DTLS may not +Since the supported signature algorithms extension is only used in (D)TLS 1.2 +and (D)TLS 1.3 the results for earlier versions of TLS and DTLS may not be very useful. Applications may wish to specify a different "legacy" chain for earlier versions of TLS or DTLS. diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod index c7c5320295..a0b54d70da 100644 --- a/doc/man3/SSL_export_keying_material.pod +++ b/doc/man3/SSL_export_keying_material.pod 
@@ -31,7 +31,7 @@ accordance with RFC5705 (for TLSv1.2 and below) or RFC8446 (for TLSv1.3). SSL_export_keying_material() derives keying material using the F established in the handshake. -SSL_export_keying_material_early() is only usable with TLSv1.3, and derives +SSL_export_keying_material_early() is only usable with (D)TLSv1.3, and derives keying material using the F (as defined in the TLS 1.3 RFC). For the client, the F is only available when the client attempts to send 0-RTT data. For the server, it is diff --git a/doc/man3/SSL_get_shared_sigalgs.pod b/doc/man3/SSL_get_shared_sigalgs.pod index cb9ce02500..1dbf422652 100644 --- a/doc/man3/SSL_get_shared_sigalgs.pod +++ b/doc/man3/SSL_get_shared_sigalgs.pod @@ -54,7 +54,7 @@ signature algorithms: after a client hello (for servers) or a certificate request (for clients). They can (for example) be called in the certificate callback. -Only TLS 1.2, TLS 1.3 and DTLS 1.2 currently support signature algorithms. +Only (D)TLS 1.2 and (D)TLS 1.3 currently support signature algorithms. If these functions are called on an earlier version of TLS or DTLS zero is returned. diff --git a/doc/man3/SSL_get_version.pod b/doc/man3/SSL_get_version.pod index b8a0f5e3b1..a6f5e7fb84 100644 --- a/doc/man3/SSL_get_version.pod +++ b/doc/man3/SSL_get_version.pod @@ -125,6 +125,10 @@ The connection uses the DTLSv1 protocol The connection uses the DTLSv1.2 protocol +=item DTLS1_3_VERSION + +The connection uses the DTLSv1.3 protocol + =item OSSL_QUIC1_VERSION The connection uses the QUICv1 protocol. From f7553c08cadc6d0db34ad08bc11040d0396758b5 Mon Sep 17 00:00:00 2001 
From: Frederik Wedel-Heinen Date: Wed, 29 Nov 2023 10:47:31 +0100 Subject: [PATCH 43/74] Updates SSL_CONF_cmd.pod to be explicit when features are for both TLS and DTLS Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22363) --- doc/man3/SSL_CONF_cmd.pod | 124 ++++++++++++++++++-------------------- 1 file changed, 58 insertions(+), 66 deletions(-) diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 5bd78b10ac..5d18c34bc5 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -74,7 +74,7 @@ B. =item B<-no_renegotiation> -Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +Disables all attempts at renegotiation in (D)TLSv1.2 and earlier, same as setting B. =item B<-no_resumption_on_reneg> @@ -95,8 +95,8 @@ Only used by servers. Requires B<-serverpref>. =item B<-allow_no_dhe_kex> -In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means -that there will be no forward secrecy for the resumed session. +In (D)TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This +means that there will be no forward secrecy for the resumed session. =item B<-prefer_no_dhe_kex> @@ -111,7 +111,7 @@ B. =item B<-sigalgs> I -This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. +This sets the supported signature algorithms for (D)TLSv1.2 and (D)TLSv1.3. For clients this value is used directly for the supported signature algorithms extension. For servers it is used to determine which signature algorithms to support. 
@@ -123,7 +123,7 @@ B is one of B, B or B and B is a supported algorithm OID short name such as B, B, B, B or B. Note: algorithm and hash names are case sensitive. B is one of the signature schemes defined in -TLSv1.3, specified using the IETF name, e.g., B, +(D)TLSv1.3, specified using the IETF name, e.g., B, B, or B. Additional providers may make available further algorithms via the TLS-SIGALG capability. See L. @@ -133,12 +133,12 @@ activated providers are permissible. Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by using B as the B or by using one of the B -identifiers) are ignored in TLSv1.3 and will not be negotiated. +identifiers) are ignored in (D)TLSv1.3 and will not be negotiated. =item B<-client_sigalgs> I This sets the supported signature algorithms associated with client -authentication for TLSv1.2 and TLSv1.3. For servers the B is used +authentication for (D)TLSv1.2 and (D)TLSv1.3. For servers the B is used in the B field of a B message. For clients it is used to determine which signature algorithm to use with the client certificate. If a server does not request a certificate this @@ -151,9 +151,9 @@ value set for B<-sigalgs> will be used instead. This sets the supported groups. For clients, the groups are sent using the supported groups extension. For servers, it is used to determine which -group to use. This setting affects groups used for signatures (in TLSv1.2 +group to use. This setting affects groups used for signatures (in (D)TLSv1.2 and earlier) and key exchange. The first group listed will also be used -for the B sent by a client in a TLSv1.3 B. +for the B sent by a client in a (D)TLSv1.3 B. The B argument is a colon separated list of groups. The group can be either the B name (e.g. B), some other commonly used name 
@@ -161,7 +161,7 @@ where applicable (e.g. B, B) or an OpenSSL OID name (e.g. B). Group names are case sensitive. The list should be in order of preference with the most preferred group first. -Groups for B in the default provider are B, B, +Groups for B and B in the default provider are B, B, B, B, B, B, B, B, B, B, B, B and B. @@ -179,19 +179,19 @@ by servers. =item B<-tx_cert_comp> -Enables support for sending TLSv1.3 compressed certificates. +Enables support for sending (D)TLSv1.3 compressed certificates. =item B<-no_tx_cert_comp> -Disables support for sending TLSv1.3 compressed certificates. +Disables support for sending (D)TLSv1.3 compressed certificates. =item B<-rx_cert_comp> -Enables support for receiving TLSv1.3 compressed certificates. +Enables support for receiving (D)TLSv1.3 compressed certificates. =item B<-no_rx_cert_comp> -Disables support for receiving TLSv1.3 compressed certificates. +Disables support for receiving (D)TLSv1.3 compressed certificates. =item B<-comp> 
@@ -202,24 +202,24 @@ curve can be either the B name (e.g. B) or an OpenSSL OID name =item B<-cipher> I -Sets the TLSv1.2 and below ciphersuite list to B. This list will be -combined with any configured TLSv1.3 ciphersuites. Note: syntax checking +Sets the (D)TLSv1.2 and below ciphersuite list to B. This list will be +combined with any configured (D)TLSv1.3 ciphersuites. Note: syntax checking of B is currently not performed unless a B or B structure is associated with B. =item B<-ciphersuites> I<1.3ciphers> -Sets the available ciphersuites for TLSv1.3 to value. This is a -colon-separated list of TLSv1.3 ciphersuite names in order of preference. This -list will be combined any configured TLSv1.2 and below ciphersuites. +Sets the available ciphersuites for (D)TLSv1.3 to value. This is a +colon-separated list of (D)TLSv1.3 ciphersuite names in order of preference. +This list will be combined any configured (D)TLSv1.2 and below ciphersuites. See L for more information. =item B<-min_protocol> I, B<-max_protocol> I Sets the minimum and maximum supported protocol. Currently supported protocol values are B, B, B, -B, B for TLS; B, B for DTLS, and B -for no limit. +B, B for TLS; B, B, B for DTLS, +and B for no limit. If either the lower or upper bound is not specified then only the other bound applies, if specified. If your application supports both TLS and DTLS you can specify any of these 
@@ -230,15 +230,11 @@ deprecated alternative commands below. =item B<-record_padding> I -Controls use of TLSv1.3 record layer padding. B is a string of the -form "number[,number]" where the (required) first number is the padding block -size (in octets) for application data, and the optional second number is the -padding block size for handshake and alert messages. If the optional second -number is omitted, the same padding will be applied to all messages. - -Padding attempts to pad TLSv1.3 records so that they are a multiple of the set -length on send. A value of 0 or 1 turns off padding as relevant. Otherwise, the -values must be >1 or <=16384. +==== BASE ==== +Attempts to pad TLSv1.3 records so that they are a multiple of B +in length on send. A B of 0 or 1 turns off padding. Otherwise, +the B must be >1 or <=16384. +==== BASE ==== =item B<-debug_broken_protocol> @@ -290,11 +286,11 @@ B<-max_protocol> instead. Switches replay protection, on or off respectively. With replay protection on, OpenSSL will automatically detect if a session ticket has been used more than -once, TLSv1.3 has been negotiated, and early data is enabled on the server. A -full handshake is forced if a session ticket is used a second or subsequent +once, (D)TLSv1.3 has been negotiated, and early data is enabled on the server. +A full handshake is forced if a session ticket is used a second or subsequent time. Anti-Replay is on by default unless overridden by a configuration file and is only used by servers. Anti-replay measures are required for compliance with -the TLSv1.3 specification. Some applications may be able to mitigate the replay +the (D)TLSv1.3 specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built-in OpenSSL functionality is not required. Switching off anti-replay is equivalent to B. @@ -314,16 +310,16 @@ Note: the command prefix (if set) alters the recognised B