serverHandshakeState::readClientHello was setting selected ALPN protocol
always on hs.hello.alpnProtocol, which is specific to TLS 1.2 and older.
Because of that server was marshalling ALPN to SH instead of EE.
* includes AD in authentication check of TLS records
As per 5.2 of TLS 1.3 draft-28, the additional data is record header.
* tests: Update tests in order to support draft-28
* Interoperability: Updates NSS and BoringSSL versions to the
one supporting draft-28
* Bogo: Updates revision number to use tests for draft-28
* FIX: makefile was using test-compat target instead of
test-interop
* DC test: constify
* Use binary interface to encode in big-endian
* Changes tests so that they pass with draft-23
* BoringSSL interoperability: uses code at most recent commit. It uses
"-tls13-variant draft23" flag to indicate compatibility with draft23
* NSS interoperability: Uses release 3.35
* PicoTLS interoperability: blocked. Doesn't seem to implement draft23
* Uses updated bogo from
https://github.com/henrydcase/crypto-tls-bogo-shim
Goal of this PR is to rework testing script so that actual testing is
easy to extend and perform during development cycle.
* For interoperability testing I use python script and test framework,
instead of complicated bsah scripts. Script itself is not yet perfect
but it makes it much easier to extend tests and work with them during
development time
* Makefile has been extended and now includes all steps needed to build
the library and run tests. It's now possible to run any kind of tests
without exporting environment variables. Thanks to this change it is
stupid-easy to run any kind of tests.
* There are 3 kinds of tests implemented in the library - unittests,
interoperability tests and bogo. Travis has been changed and now
dashbord will show only results for those 3 targets.
D19 added an additional pre-extract Derive-Secret stage. D20 shortened
labels. Bump from D18 to D21 with no backwards compat option for now
since older drafts are considered undeployable.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.
Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
