They can be restored by compiling with -DBORINGSSL_ENABLE_DHE_TLS.
This is similar to 9c8c4188
for RC4 ciphers.
Change-Id: I7cd3421b108a024f1ee11f13a6df881c2d0de3c3
Reviewed-on: https://boringssl-review.googlesource.com/14284
Commit-Queue: Matt Braithwaite <mab@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
@@ -193,6 +193,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
/* Cipher 33 */ | |||
{ | |||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, | |||
@@ -203,6 +204,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_SHA1, | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
#endif | |||
/* Cipher 35 */ | |||
{ | |||
@@ -215,6 +217,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
/* Cipher 39 */ | |||
{ | |||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, | |||
@@ -225,6 +228,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_SHA1, | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
#endif | |||
/* TLS v1.2 ciphersuites */ | |||
@@ -251,6 +255,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
/* Cipher 67 */ | |||
{ | |||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, | |||
@@ -272,6 +277,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_SHA256, | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
#endif | |||
/* PSK cipher suites. */ | |||
@@ -321,6 +327,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
/* Cipher 9E */ | |||
{ | |||
TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, | |||
@@ -342,6 +349,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_AEAD, | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
#endif | |||
/* TLS 1.3 suites. */ | |||
@@ -622,9 +630,11 @@ static const CIPHER_ALIAS kCipherAliases[] = { | |||
* e.g. kEDH combines DHE_DSS and DHE_RSA) */ | |||
{"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
{"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0}, | |||
{"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, | |||
{"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, | |||
#endif | |||
{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
{"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
@@ -639,8 +649,10 @@ static const CIPHER_ALIAS kCipherAliases[] = { | |||
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, | |||
/* aliases combining key exchange and server authentication */ | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
{"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0}, | |||
{"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, | |||
#endif | |||
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
{"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, | |||
@@ -122,14 +122,20 @@ static const CipherTest kCipherTests[] = { | |||
false, | |||
}, | |||
// - removes selected ciphers, but preserves their order for future | |||
// selections. Select AES_128_GCM, but order the key exchanges RSA, DHE_RSA, | |||
// selections. Select AES_128_GCM, but order the key exchanges RSA, | |||
// ECDHE_RSA. | |||
{ | |||
"ALL:-kECDHE:-kDHE:-kRSA:-ALL:" | |||
"ALL:-kECDHE:" | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
"-kDHE:" | |||
#endif | |||
"-kRSA:-ALL:" | |||
"AESGCM+AES128+aRSA", | |||
{ | |||
{TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
{TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0}, | |||
#endif | |||
{TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0}, | |||
}, | |||
false, | |||
@@ -182,7 +188,10 @@ static const CipherTest kCipherTests[] = { | |||
{ | |||
// To simplify things, banish all but {ECDHE_RSA,RSA} x | |||
// {CHACHA20,AES_256_CBC,AES_128_CBC} x SHA1. | |||
"!kEDH:!AESGCM:!3DES:!SHA256:!SHA384:" | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
"!kEDH:" | |||
#endif | |||
"!AESGCM:!3DES:!SHA256:!SHA384:" | |||
// Order some ciphers backwards by strength. | |||
"ALL:-CHACHA20:-AES256:-AES128:-ALL:" | |||
// Select ECDHE ones and sort them by strength. Ties should resolve | |||
@@ -791,9 +800,11 @@ typedef struct { | |||
static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = { | |||
{SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, | |||
{TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA"}, | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
{TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}, | |||
{TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, | |||
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}, | |||
#endif | |||
{TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, | |||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}, | |||
{TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, | |||
@@ -1837,11 +1848,17 @@ static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method, | |||
static bool ClientHelloMatches(uint16_t version, const uint8_t *expected, | |||
size_t expected_len) { | |||
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); | |||
// Our default cipher list varies by CPU capabilities, so manually place the | |||
// ChaCha20 ciphers in front. | |||
const char* cipher_list = | |||
#ifdef BORINGSSL_ENABLE_DHE_TLS | |||
"!DHE:CHACHA20:ALL"; | |||
#else | |||
"CHACHA20:ALL"; | |||
#endif | |||
if (!ctx || | |||
!SSL_CTX_set_max_proto_version(ctx.get(), version) || | |||
// Our default cipher list varies by CPU capabilities, so manually place | |||
// the ChaCha20 ciphers in front. | |||
!SSL_CTX_set_strict_cipher_list(ctx.get(), "CHACHA20:ALL")) { | |||
!SSL_CTX_set_strict_cipher_list(ctx.get(), cipher_list)) { | |||
return false; | |||
} | |||
@@ -1887,22 +1904,20 @@ static bool TestClientHello() { | |||
static const uint8_t kSSL3ClientHello[] = { | |||
0x16, | |||
0x03, 0x00, | |||
0x00, 0x3f, | |||
0x00, 0x3b, | |||
0x01, | |||
0x00, 0x00, 0x3b, | |||
0x00, 0x00, 0x37, | |||
0x03, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, | |||
0x00, 0x14, | |||
0x00, 0x10, | |||
0xc0, 0x09, | |||
0xc0, 0x13, | |||
0x00, 0x33, | |||
0xc0, 0x0a, | |||
0xc0, 0x14, | |||
0x00, 0x39, | |||
0x00, 0x2f, | |||
0x00, 0x35, | |||
0x00, 0x0a, | |||
@@ -1916,22 +1931,20 @@ static bool TestClientHello() { | |||
static const uint8_t kTLS1ClientHello[] = { | |||
0x16, | |||
0x03, 0x01, | |||
0x00, 0x5e, | |||
0x00, 0x5a, | |||
0x01, | |||
0x00, 0x00, 0x5a, | |||
0x00, 0x00, 0x56, | |||
0x03, 0x01, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, | |||
0x00, 0x12, | |||
0x00, 0x0e, | |||
0xc0, 0x09, | |||
0xc0, 0x13, | |||
0x00, 0x33, | |||
0xc0, 0x0a, | |||
0xc0, 0x14, | |||
0x00, 0x39, | |||
0x00, 0x2f, | |||
0x00, 0x35, | |||
0x00, 0x0a, | |||
@@ -1947,22 +1960,20 @@ static bool TestClientHello() { | |||
static const uint8_t kTLS11ClientHello[] = { | |||
0x16, | |||
0x03, 0x01, | |||
0x00, 0x5e, | |||
0x00, 0x5a, | |||
0x01, | |||
0x00, 0x00, 0x5a, | |||
0x00, 0x00, 0x56, | |||
0x03, 0x02, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, | |||
0x00, 0x12, | |||
0x00, 0x0e, | |||
0xc0, 0x09, | |||
0xc0, 0x13, | |||
0x00, 0x33, | |||
0xc0, 0x0a, | |||
0xc0, 0x14, | |||
0x00, 0x39, | |||
0x00, 0x2f, | |||
0x00, 0x35, | |||
0x00, 0x0a, | |||
@@ -1982,20 +1993,42 @@ static bool TestClientHello() { | |||
#endif | |||
static const uint8_t kTLS12ClientHello[] = { | |||
0x16, 0x03, 0x01, 0x00, 0x9a, 0x01, 0x00, 0x00, 0x96, 0x03, 0x03, 0x00, | |||
0x16, | |||
0x03, 0x01, | |||
0x00, 0x8e, | |||
0x01, | |||
0x00, 0x00, 0x8a, | |||
0x03, 0x03, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0xcc, 0xa9, | |||
0xcc, 0xa8, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e, 0xc0, 0x2c, 0xc0, 0x30, | |||
0x00, 0x9f, 0xc0, 0x09, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x27, 0x00, 0x33, | |||
0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x28, 0x00, 0x39, | |||
0x00, 0x6b, 0x00, 0x9c, 0x00, 0x9d, 0x00, 0x2f, 0x00, 0x3c, 0x00, 0x35, | |||
0x00, 0x3d, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, | |||
0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, | |||
0x14, 0x00, 0x12, 0x04, 0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, | |||
0x05, 0x05, 0x01, 0x08, 0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, | |||
0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, | |||
0x17, 0x00, 0x18, | |||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |||
0x00, 0x2a, | |||
0xcc, 0xa9, | |||
0xcc, 0xa8, | |||
0xc0, 0x2b, | |||
0xc0, 0x2f, | |||
0xc0, 0x2c, | |||
0xc0, 0x30, | |||
0xc0, 0x09, | |||
0xc0, 0x23, | |||
0xc0, 0x13, | |||
0xc0, 0x27, | |||
0xc0, 0x0a, | |||
0xc0, 0x24, | |||
0xc0, 0x14, | |||
0xc0, 0x28, | |||
0x00, 0x9c, | |||
0x00, 0x9d, | |||
0x00, 0x2f, | |||
0x00, 0x3c, | |||
0x00, 0x35, | |||
0x00, 0x3d, | |||
0x00, 0x0a, | |||
0x01, 0x00, 0x00, 0x37, 0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x17, 0x00, | |||
0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x04, | |||
0x03, 0x08, 0x04, 0x04, 0x01, 0x05, 0x03, 0x08, 0x05, 0x05, 0x01, 0x08, | |||
0x06, 0x06, 0x01, 0x02, 0x01, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, | |||
0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, | |||
}; | |||
if (!ClientHelloMatches(TLS1_2_VERSION, kTLS12ClientHello, | |||
sizeof(kTLS12ClientHello))) { | |||
@@ -48,6 +48,8 @@ const ( | |||
// client indicates that it supports ECC with a curve and point format | |||
// that we're happy with. | |||
suiteECDHE = 1 << iota | |||
// suiteDHE indicates that the cipher suite involves Diffie-Hellman. | |||
suiteDHE | |||
// suiteECDSA indicates that the cipher suite involves an ECDSA | |||
// signature and therefore may only be selected when the server's | |||
// certificate is ECDSA. If this is not set then the cipher suite is | |||
@@ -120,12 +122,12 @@ var cipherSuites = []*cipherSuite{ | |||
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil}, | |||
{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, | |||
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM}, | |||
{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, | |||
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil}, | |||
{TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil}, | |||
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, dheRSAKA, 0, cipherAES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, dheRSAKA, 0, cipherAES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteDHE, nil, nil, aeadAESGCM}, | |||
{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384 | suiteDHE, nil, nil, aeadAESGCM}, | |||
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil}, | |||
{TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil}, | |||
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil}, | |||
{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, | |||
{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, | |||
{TLS_RSA_WITH_RC4_128_SHA, 16, 20, noIV, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil}, | |||
@@ -135,7 +137,7 @@ var cipherSuites = []*cipherSuite{ | |||
{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, | |||
{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil}, | |||
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, dheRSAKA, 0, cipher3DES, macSHA1, nil}, | |||
{TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, dheRSAKA, suiteDHE, cipher3DES, macSHA1, nil}, | |||
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil}, | |||
{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305}, | |||
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, | |||
@@ -65,6 +65,7 @@ var ( | |||
looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.") | |||
shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.") | |||
includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.") | |||
includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.") | |||
repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.") | |||
) | |||
@@ -1108,12 +1109,6 @@ var testCipherSuites = []testCipherSuite{ | |||
{"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384}, | |||
{"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA}, | |||
{"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256}, | |||
{"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
{"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, | |||
{"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, | |||
{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, | |||
{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, | |||
{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, | |||
{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, | |||
{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, | |||
{"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}, | |||
@@ -1981,26 +1976,6 @@ func addBasicTests() { | |||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", | |||
expectedLocalError: "tls: peer did not false start: EOF", | |||
}, | |||
{ | |||
name: "NoFalseStart-DHE_RSA", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
NextProtos: []string{"foo"}, | |||
Bugs: ProtocolBugs{ | |||
ExpectFalseStart: true, | |||
AlertBeforeFalseStartTest: alertAccessDenied, | |||
}, | |||
}, | |||
flags: []string{ | |||
"-false-start", | |||
"-advertise-alpn", "\x03foo", | |||
}, | |||
shimWritesFirst: true, | |||
shouldFail: true, | |||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", | |||
expectedLocalError: "tls: peer did not false start: EOF", | |||
}, | |||
{ | |||
protocol: dtls, | |||
name: "SendSplitAlert-Sync", | |||
@@ -2465,6 +2440,29 @@ func addBasicTests() { | |||
} | |||
testCases = append(testCases, basicTests...) | |||
if *includeDHE { | |||
testCases = append(testCases, testCase{ | |||
name: "NoFalseStart-DHE_RSA", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
NextProtos: []string{"foo"}, | |||
Bugs: ProtocolBugs{ | |||
ExpectFalseStart: true, | |||
AlertBeforeFalseStartTest: alertAccessDenied, | |||
}, | |||
}, | |||
flags: []string{ | |||
"-false-start", | |||
"-advertise-alpn", "\x03foo", | |||
}, | |||
shimWritesFirst: true, | |||
shouldFail: true, | |||
expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", | |||
expectedLocalError: "tls: peer did not false start: EOF", | |||
}) | |||
} | |||
// Test that very large messages can be received. | |||
cert := rsaCertificate | |||
for i := 0; i < 50; i++ { | |||
@@ -2685,6 +2683,17 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto | |||
func addCipherSuiteTests() { | |||
const bogusCipher = 0xfe00 | |||
if *includeDHE { | |||
testCipherSuites = append(testCipherSuites, []testCipherSuite{ | |||
{"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
{"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, | |||
{"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}, | |||
{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384}, | |||
{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, | |||
{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256}, | |||
}...) | |||
} | |||
for _, suite := range testCipherSuites { | |||
for _, ver := range tlsVersions { | |||
for _, protocol := range []protocol{tls, dtls} { | |||
@@ -2750,53 +2759,55 @@ func addCipherSuiteTests() { | |||
expectedError: ":UNKNOWN_CIPHER_RETURNED:", | |||
}) | |||
testCases = append(testCases, testCase{ | |||
name: "WeakDH", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
// This is a 1023-bit prime number, generated | |||
// with: | |||
// openssl gendh 1023 | openssl asn1parse -i | |||
DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"), | |||
if *includeDHE { | |||
testCases = append(testCases, testCase{ | |||
name: "WeakDH", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
// This is a 1023-bit prime number, generated | |||
// with: | |||
// openssl gendh 1023 | openssl asn1parse -i | |||
DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"), | |||
}, | |||
}, | |||
}, | |||
shouldFail: true, | |||
expectedError: ":BAD_DH_P_LENGTH:", | |||
}) | |||
shouldFail: true, | |||
expectedError: ":BAD_DH_P_LENGTH:", | |||
}) | |||
testCases = append(testCases, testCase{ | |||
name: "SillyDH", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
// This is a 4097-bit prime number, generated | |||
// with: | |||
// openssl gendh 4097 | openssl asn1parse -i | |||
DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"), | |||
testCases = append(testCases, testCase{ | |||
name: "SillyDH", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
// This is a 4097-bit prime number, generated | |||
// with: | |||
// openssl gendh 4097 | openssl asn1parse -i | |||
DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"), | |||
}, | |||
}, | |||
}, | |||
shouldFail: true, | |||
expectedError: ":DH_P_TOO_LONG:", | |||
}) | |||
shouldFail: true, | |||
expectedError: ":DH_P_TOO_LONG:", | |||
}) | |||
// This test ensures that Diffie-Hellman public values are padded with | |||
// zeros so that they're the same length as the prime. This is to avoid | |||
// hitting a bug in yaSSL. | |||
testCases = append(testCases, testCase{ | |||
testType: serverTest, | |||
name: "DHPublicValuePadded", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
RequireDHPublicValueLen: (1025 + 7) / 8, | |||
// This test ensures that Diffie-Hellman public values are padded with | |||
// zeros so that they're the same length as the prime. This is to avoid | |||
// hitting a bug in yaSSL. | |||
testCases = append(testCases, testCase{ | |||
testType: serverTest, | |||
name: "DHPublicValuePadded", | |||
config: Config{ | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256}, | |||
Bugs: ProtocolBugs{ | |||
RequireDHPublicValueLen: (1025 + 7) / 8, | |||
}, | |||
}, | |||
}, | |||
flags: []string{"-use-sparse-dh-prime"}, | |||
}) | |||
flags: []string{"-use-sparse-dh-prime"}, | |||
}) | |||
} | |||
// The server must be tolerant to bogus ciphers. | |||
testCases = append(testCases, testCase{ | |||
@@ -6624,7 +6635,9 @@ func addSignatureAlgorithmTests() { | |||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | |||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, | |||
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, | |||
} | |||
if *includeDHE { | |||
signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | |||
} | |||
var allAlgorithms []signatureAlgorithm | |||
@@ -6724,27 +6737,30 @@ func addSignatureAlgorithmTests() { | |||
expectedError: verifyError, | |||
}) | |||
testCases = append(testCases, testCase{ | |||
testType: serverTest, | |||
name: "ServerAuth-Sign" + suffix, | |||
config: Config{ | |||
MaxVersion: ver.version, | |||
CipherSuites: signingCiphers, | |||
VerifySignatureAlgorithms: []signatureAlgorithm{ | |||
fakeSigAlg1, | |||
alg.id, | |||
fakeSigAlg2, | |||
// No signing cipher for SSL 3.0. | |||
if *includeDHE || ver.version > VersionSSL30 { | |||
testCases = append(testCases, testCase{ | |||
testType: serverTest, | |||
name: "ServerAuth-Sign" + suffix, | |||
config: Config{ | |||
MaxVersion: ver.version, | |||
CipherSuites: signingCiphers, | |||
VerifySignatureAlgorithms: []signatureAlgorithm{ | |||
fakeSigAlg1, | |||
alg.id, | |||
fakeSigAlg2, | |||
}, | |||
}, | |||
}, | |||
flags: []string{ | |||
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), | |||
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), | |||
"-enable-all-curves", | |||
}, | |||
shouldFail: shouldSignFail, | |||
expectedError: signError, | |||
expectedPeerSignatureAlgorithm: alg.id, | |||
}) | |||
flags: []string{ | |||
"-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), | |||
"-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), | |||
"-enable-all-curves", | |||
}, | |||
shouldFail: shouldSignFail, | |||
expectedError: signError, | |||
expectedPeerSignatureAlgorithm: alg.id, | |||
}) | |||
} | |||
testCases = append(testCases, testCase{ | |||
name: "ServerAuth-Verify" + suffix, | |||
@@ -8186,11 +8202,11 @@ func addCurveTests() { | |||
MaxVersion: VersionTLS12, | |||
CipherSuites: []uint16{ | |||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |||
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, | |||
TLS_RSA_WITH_AES_128_GCM_SHA256, | |||
}, | |||
CurvePreferences: []CurveID{CurveP224}, | |||
}, | |||
expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, | |||
expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256, | |||
}) | |||
// The client must reject bogus curves and disabled curves. | |||