mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-03 05:41:46 +08:00
Code Issues Packages Projects Releases Wiki Activity
9d75dce3e1
openssl/test/recipes
History
Todd Short 9d75dce3e1 Add TLSv1.3 post-handshake authentication (PHA) 
Add SSL_verify_client_post_handshake() for servers to initiate PHA

Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.

Update SSL_CTX_set_verify()/SSL_set_verify() mode:

* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.

* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.

Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options

Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha

Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code

Update documentation

Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests

DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error

Update handshake context to deal with PHA.

The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.

After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.

This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2018-02-01 17:07:56 +00:00
..
04-test_pem_data Add AGL's "beer mug" PEM file as another test input 2017-02-28 21:23:26 +01:00
10-test_bn_data Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
15-test_ecparam_data Improve testing of elliptic curve validation 2017-03-20 06:40:16 +01:00
15-test_mp_rsa_data Support multi-prime RSA (RFC 8017) 2017-11-21 14:38:42 +08:00
30-test_evp_data SHA512/224 and SHA512/256 2018-01-24 07:09:46 +10:00
80-test_ocsp_data Add OCSP API test executable 2017-11-11 20:03:49 -06:00
90-test_store_data STORE tests: add PKCS#12 tests 2017-06-29 11:55:31 +02:00
95-test_external_krb5_data Add external krb5 test support 2017-04-18 19:10:25 +02:00
95-test_external_pyca_data Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
01-test_abort.t tests: Shut the shell up unless verbose 2016-06-06 10:03:01 +02:00
01-test_sanity.t Platform sanity test 2016-07-08 15:56:55 -04:00
01-test_symbol_presence.t Correct detection of group end in map file when testing symbol presence 2016-09-06 00:48:13 +02:00
01-test_test.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
02-test_internal_ctype.t This has been added to avoid the situation where some host ctype.h functions 2017-08-22 09:45:25 +10:00
02-test_lhash.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
02-test_ordinals.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
02-test_stack.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
03-test_exdata.t Exdata test was never enabled. 2017-02-28 13:50:40 -05:00
03-test_internal_asn1.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_internal_chacha.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_mdc2.t Split test/recipes/03_test_internal.t into individual tests 2017-03-10 20:18:56 +01:00
03-test_internal_modes.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_internal_poly1305.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_siphash.t Fix a few internals tests 2017-03-20 11:24:33 +01:00
03-test_internal_sm4.t SM4: Add SM4 block cipher to EVP 2017-10-31 15:19:14 +10:00
03-test_internal_ssl_cert_table.t Add sanity test for certificate table 2017-07-13 12:38:42 +01:00
03-test_internal_x509.t test/recipes/03-test_internal_*: call setup() first. 2017-03-15 12:16:48 +01:00
03-test_ui.t Add a test "uitest" 2017-01-11 18:27:27 +01:00
04-test_asn1_encode.t Add a test of encoding and decoding LONG, INT32, UINT32, INT64 and UINT64 2017-04-04 11:29:23 +02:00
04-test_asn1_string_table.t Add test cases and docs for ASN1_STRING_TABLE_* functions 2017-07-26 20:06:51 +02:00
04-test_bioprint.t Convert more tests to framework 2017-04-18 14:50:00 -04:00
04-test_pem.t Avoid unnecessary MSYS2 conversion of some arguments 2017-11-22 00:37:34 +01:00
05-test_bf.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_cast.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_des.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_hmac.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_idea.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_md2.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_mdc2.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_rand.t Switch from ossl_rand to DRBG rand 2017-08-03 09:23:28 -04:00
05-test_rc2.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
05-test_rc4.t Revert rc4test removal, it performs additional tests not in evptests.txt 2017-02-28 16:08:42 +00:00
05-test_rc5.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
10-test_bn.t Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
10-test_exp.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
15-test_dh.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
15-test_dsa.t Fix tests of TEST tests, as it were 2017-05-04 12:08:48 -04:00
15-test_ec.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
15-test_ecdsa.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
15-test_ecparam.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
15-test_genrsa.t rsa: Do not allow less than 512 bit RSA keys 2017-12-11 12:53:07 +01:00
15-test_mp_rsa.t rsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits. 2017-11-28 20:05:48 +01:00
15-test_rsa.t Don't run MSBLOB conversion tests when RSA or DSA are disabled 2017-01-04 15:29:03 +01:00
15-test_rsapss.t Rather use -out parameter than redirect stdout 2017-03-14 17:21:24 +01:00
20-test_enc_more.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
20-test_enc.t Adapt 20-test_enc.t and 20-test_enc_more.t to use statusvar 2017-03-21 16:12:29 +01:00
20-test_passwd.t 'openssl passwd' command can now compute AIX MD5-based passwords hashes. 2017-01-21 10:44:23 -05:00
25-test_crl.t Switch command-line utils to new nameopt API. 2017-04-25 12:37:17 -04:00
25-test_d2i.t Fix no-cms (CVE-2016-7053) 2016-11-10 13:04:11 +00:00
25-test_pkcs7.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
25-test_req.t Use randomness not entropy 2017-06-27 12:14:49 -04:00
25-test_sid.t Add needed module in 25-test_sid.t 2017-02-09 11:12:06 +01:00
25-test_verify.t Many spelling fixes/typo's corrected. 2017-11-11 19:03:10 -05:00
25-test_x509.t Add test for -nameout output 2017-03-14 15:18:07 -04:00
30-test_afalg.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
30-test_engine.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
30-test_evp_extra.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
30-test_evp.t Move bn and evp test programs input data to their respective data dir 2017-06-15 19:46:24 +02:00
30-test_pbelu.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
30-test_pkey_meth_kdf.t Add PKEY_METHOD macro tests 2017-08-08 15:44:49 +01:00
30-test_pkey_meth.t Add test to check EVP_PKEY method ordering. 2016-11-20 00:22:02 +00:00
40-test_rehash.t Don't break testing when runnins as root 2018-01-29 12:51:22 +01:00
60-test_x509_check_cert_pkey.t Fix no-dsa build again 2017-06-24 21:46:36 -05:00
60-test_x509_dup_cert.t Correct Oracle copyrights & clarify. 2017-06-15 15:50:50 +10:00
60-test_x509_store.t Fix test_x509_store 2017-02-17 14:59:44 +01:00
60-test_x509_time.t X509 time: tighten validation per RFC 5280 2017-02-24 17:37:08 +01:00
70-test_asyncio.t Test recipes: remove duplicate OpenSSL::Test usage 2016-11-02 18:14:04 +01:00
70-test_bad_dtls.t Add basic test for Cisco DTLS1_BAD_VER and record replay handling 2016-08-04 20:56:24 +01:00
70-test_clienthello.t Add tests for the padding extension 2017-03-16 15:37:41 +00:00
70-test_comp.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_key_share.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_packet.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
70-test_recordlen.t Add a test to check that we correctly handle record overflows 2017-03-06 20:07:40 +00:00
70-test_renegotiation.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_servername.t Make SSL_set_tlsext_host_name no effect from server side 2017-07-28 11:51:59 -04:00
70-test_sslcbcpadding.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslcertstatus.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslextension.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslmessages.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslrecords.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslsessiontick.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslsigalgs.t Catch some more old sigalg names in comments 2018-01-26 09:23:57 -06:00
70-test_sslsignature.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslskewith0p.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslversions.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_sslvertol.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tls13cookie.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tls13downgrade.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tls13hrr.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tls13kexmodes.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tls13messages.t Add TLSv1.3 post-handshake authentication (PHA) 2018-02-01 17:07:56 +00:00
70-test_tls13psk.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_tlsextms.t Enable TLSProxy tests on Windows 2018-01-20 09:22:20 +01:00
70-test_verify_extra.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
70-test_wpacket.t Enable wpacket test on shared builds 2017-01-30 10:18:24 +00:00
80-test_ca.t Add random serial# support. 2017-08-22 09:00:04 -04:00
80-test_cipherbytes.t Tests for SSL_bytes_to_cipher_list() 2017-02-23 19:40:25 +01:00
80-test_cipherlist.t Add final(?) set of copyrights. 2016-06-01 11:27:25 -04:00
80-test_ciphername.t Support converting cipher name to RFC name and vice versa 2017-07-21 07:20:14 +10:00
80-test_cms.t no-ec2m fixes 2017-08-10 16:48:47 +01:00
80-test_ct.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
80-test_dane.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
80-test_dtls_mtu.t Add test cases for DTLS_get_data_mtu() 2016-11-02 14:00:11 +00:00
80-test_dtls.t Test recipes: remove duplicate OpenSSL::Test usage 2016-11-02 18:14:04 +01:00
80-test_dtlsv1listen.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
80-test_ocsp.t Add OCSP API test executable 2017-11-11 20:03:49 -06:00
80-test_pkcs12.t Many spelling fixes/typo's corrected. 2017-11-11 19:03:10 -05:00
80-test_ssl_new.t Add TLSv1.3 post-handshake authentication (PHA) 2018-02-01 17:07:56 +00:00
80-test_ssl_old.t Copyright update of more files that have changed this year 2018-01-19 13:34:03 +01:00
80-test_ssl_test_ctx.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
80-test_sslcorrupt.t Fix the no-tls option 2016-11-10 13:04:11 +00:00
80-test_tsa.t test/recipes/80-test_tsa.t: Don't trust 'OPENSSL_CONF' 2017-07-24 11:50:46 +02:00
80-test_x509aux.t Fix i2d_X509_AUX, update docs and add tests 2016-05-11 01:46:06 -04:00
90-test_asn1_time.t Consolidate to a single asn1_time_from_tm() function 2017-08-04 11:24:03 +10:00
90-test_async.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_bio_enc.t Add test/bio_enc_test.c. 2016-08-21 23:34:26 +02:00
90-test_constant_time.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_fatalerr.t Add a test for CVE-2017-3737 2017-12-06 15:37:49 +00:00
90-test_gmdiff.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_ige.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_memleak.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_overhead.t Add unit test for ssl_cipher_get_overhead() 2016-11-02 14:00:11 +00:00
90-test_secmem.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_shlibload.t test/recipes/90-test_shlibload.t: Make sure to handle library renames 2017-07-07 11:31:03 +02:00
90-test_srp.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
90-test_sslapi.t Test recipes: remove duplicate OpenSSL::Test usage 2016-11-02 18:14:04 +01:00
90-test_sslbuffers.t Add support to free/allocate SSL buffers 2017-07-26 11:42:17 -04:00
90-test_store.t Avoid unnecessary MSYS2 conversion of some arguments 2017-11-22 00:37:34 +01:00
90-test_threads.t Reset executable bits on files where not needed. 2017-03-03 09:13:40 +01:00
90-test_time_offset.t Fix time offset calculation. 2017-05-02 10:38:54 +02:00
90-test_tls13ccs.t Don't run the TLSv1.3 CCS tests if TLSv1.3 is not enabled 2017-12-14 15:06:38 +00:00
90-test_tls13encryption.t Add a test for TLSv1.3 encryption using the new nonce construction 2016-11-29 23:31:10 +00:00
90-test_tls13secrets.t Add a test for the TLS1.3 secret generation 2016-11-09 14:08:14 +00:00
90-test_v3name.t Unified copyright for test recipes 2016-04-22 07:58:47 -04:00
95-test_external_boringssl.t Rearrange test/recipes/95-test_*.t to use skip_all 2017-05-05 23:10:41 +02:00
95-test_external_krb5.t test/recipes/95-test_*.t : correct skip_all syntax 2017-05-06 10:29:16 +02:00
95-test_external_pyca.t test/recipes/95-test_*.t : correct skip_all syntax 2017-05-06 10:29:16 +02:00
99-test_ecstress.t Add ecstress test 2017-06-21 09:24:01 -04:00
99-test_fuzz.t File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper 2017-08-15 11:31:18 +02:00
ocsp-response.der Extend test_tls13messages 2016-11-23 15:31:21 +00:00
tconversion.pl Consolidate the locations where we have our internal perl modules 2017-08-15 11:30:47 +02:00