feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1946 from ejohnstown/dh-speedup

Browse Source 
DHE Speed Up
This commit is contained in:
toddouska
2018-12-05 12:22:21 -08:00
committed by GitHub
parent dfcfbc885d a47e08c49e
commit 74eadf556e
22 changed files with 1829 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
examples/client/client.c
View File

@@ -1232,6 +1232,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgid]); /* -0 */
#endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgid]); /* -3 */
#endif
@@ -1351,6 +1355,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef WOLFSSL_MULTICAST
byte mcastID = 0;
#endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
int doDhKeyCheck = 1;
#endif
#ifdef HAVE_OCSP
int useOcsp = 0;
@@ -1428,7 +1436,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:ijk:l:mnop:q:rstuv:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:3:")) != -1) {
"01:23:")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@@ -1816,12 +1824,21 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
earlyData = 1;
#endif
break;
case '1' :
lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){
lng_index = 0;
}
break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' :
#ifdef WOLFSSL_MULTICAST
doMcast = 1;
@@ -2558,6 +2575,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#endif
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(ssl, 0);
#endif
tcp_connect(&sockfd, host, port, dtlsUDP, dtlsSCTP, ssl);
if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) {
wolfSSL_free(ssl); ssl = NULL;
@@ -2841,6 +2865,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to get SSL object");
}
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(sslResume, 0);
#endif
if (dtlsUDP) {
#ifdef USE_WINDOWS_API
Sleep(500);

24
examples/server/server.c
View File

@@ -670,6 +670,10 @@ static void Usage(void)
#ifdef WOLFSSL_EARLY_DATA
printf("%s", msg[++msgId]); /* -0 */
#endif
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
printf("-2 Disable DH Prime check\n");
#endif
#ifdef WOLFSSL_MULTICAST
printf("%s", msg[++msgId]); /* -3 */
#endif
@@ -780,6 +784,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
int hrrCookie = 0;
#endif
byte mcastID = 0;
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
int doDhKeyCheck = 1;
#endif
#ifdef WOLFSSL_STATIC_MEMORY
#if (defined(HAVE_ECC) && !defined(ALT_ECC_SIZE)) \
@@ -847,7 +855,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
while ((ch = mygetopt(argc, argv, "?:"
"abc:defgijk:l:nop:q:rstuv:wxy"
"A:B:C:D:E:GH:IJKL:NO:PQR:S:TUVYZ:"
"01:3:")) != -1) {
"01:23:")) != -1) {
switch (ch) {
case '?' :
if(myoptarg!=NULL) {
@@ -1158,12 +1166,21 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
earlyData = 1;
#endif
break;
case '1' :
lng_index = atoi(myoptarg);
if(lng_index<0||lng_index>1){
lng_index = 0;
}
break;
case '2' :
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
doDhKeyCheck = 0;
#endif
break;
case '3' :
#ifdef WOLFSSL_MULTICAST
doMcast = 1;
@@ -1765,6 +1782,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#elif !defined(NO_DH)
SetDH(ssl); /* repick suites with DHE, higher priority than PSK */
#endif
#if !defined(NO_DH) && !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
if (!doDhKeyCheck)
wolfSSL_SetEnableDhKeyTest(ssl, 0);
#endif
}
#ifndef WOLFSSL_CALLBACKS

134
src/internal.c
View File

@@ -4392,6 +4392,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.groupMessages = ctx->groupMessages;
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
ssl->options.dhKeyTested = ctx->dhKeyTested;
#endif
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
#endif
@@ -4689,6 +4693,12 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->options.buildMsgState = BUILD_MSG_BEGIN;
ssl->encrypt.state = CIPHER_STATE_BEGIN;
ssl->decrypt.state = CIPHER_STATE_BEGIN;
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
ssl->options.dhDoKeyTest = 1;
#endif
#endif
#ifdef WOLFSSL_DTLS
#ifdef WOLFSSL_SCTP
@@ -19588,23 +19598,33 @@ int SendClientKeyExchange(WOLFSSL* ssl)
goto exit_scke;
}
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
#else
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
#endif
if (ret != 0) {
goto exit_scke;
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
if (ssl->options.dhDoKeyTest &&
!ssl->options.dhKeyTested)
{
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
if (ret != 0) {
goto exit_scke;
}
ssl->options.dhKeyTested = 1;
}
else
#endif
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
}
/* for DH, encSecret is Yc, agree is pre-master */
@@ -19693,23 +19713,33 @@ int SendClientKeyExchange(WOLFSSL* ssl)
goto exit_scke;
}
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
#else
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
#endif
if (ret != 0) {
goto exit_scke;
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
!defined(WOLFSSL_OLD_PRIME_CHECK)
if (ssl->options.dhDoKeyTest &&
!ssl->options.dhKeyTested)
{
ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
if (ret != 0) {
goto exit_scke;
}
ssl->options.dhKeyTested = 1;
}
else
#endif
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_scke;
}
}
/* for DH, encSecret is Yc, agree is pre-master */
@@ -21431,13 +21461,35 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
goto exit_sske;
}
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_sske;
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
if (ssl->options.dhDoKeyTest &&
!ssl->options.dhKeyTested)
{
ret = wc_DhSetCheckKey(
ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length,
NULL, 0, 0, ssl->rng);
if (ret != 0) {
goto exit_sske;
}
ssl->options.dhKeyTested = 1;
}
else
#endif
{
ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
if (ret != 0) {
goto exit_sske;
}
}
ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,

41
src/ssl.c
View File

@@ -1482,21 +1482,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
{
DhKey checkKey;
int error, freeKey = 0;
error = wc_InitDhKey(&checkKey);
if (!error) {
freeKey = 1;
error = wc_DhSetCheckKey(&checkKey,
p, pSz, g, gSz, NULL, 0, 0, ssl->rng);
}
if (freeKey)
wc_FreeDhKey(&checkKey);
if (error)
return error;
}
ssl->options.dhKeyTested = 0;
ssl->options.dhDoKeyTest = 1;
#endif
if (ssl->buffers.serverDH_P.buffer && ssl->buffers.weOwnDH) {
@@ -1555,6 +1542,28 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
return WOLFSSL_SUCCESS;
}
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
/* Enables or disables the session's DH key prime test. */
int wolfSSL_SetEnableDhKeyTest(WOLFSSL* ssl, int enable)
{
WOLFSSL_ENTER("wolfSSL_SetEnableDhKeyTest");
if (ssl == NULL)
return BAD_FUNC_ARG;
if (!enable)
ssl->options.dhDoKeyTest = 0;
else
ssl->options.dhDoKeyTest = 1;
WOLFSSL_LEAVE("wolfSSL_SetEnableDhKeyTest", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS;
}
#endif
/* server ctx Diffie-Hellman parameters, WOLFSSL_SUCCESS on ok */
int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz,
const unsigned char* g, int gSz)
@@ -1587,6 +1596,8 @@ int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz,
wc_FreeRng(&rng);
if (error)
return error;
ctx->dhKeyTested = 1;
}
#endif

164
tests/test-dtls.conf
View File

File diff suppressed because it is too large Load Diff

8
tests/test-ed25519.conf
View File

@@ -3,12 +3,14 @@
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/ed25519/server-ed25519.pem
-k ./certs/ed25519/server-ed25519-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/ed25519/root-ed25519.pem
-C
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
@@ -18,6 +20,7 @@
-A ./certs/ed25519/client-ed25519.pem
-V
# Remove -V when CRL for ED25519 certificates available.
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
@@ -26,18 +29,21 @@
-k ./certs/ed25519/client-ed25519-key.pem
-A ./certs/ed25519/root-ed25519.pem
-C
-2
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/ed25519/server-ed25519.pem
-k ./certs/ed25519/server-ed25519-key.pem
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ed25519/root-ed25519.pem
-C
-2
# Enable when CRL for ED25519 certificates available.
# server TLSv1.3 TLS13-AES128-GCM-SHA256
@@ -48,6 +54,7 @@
-A ./certs/ed25519/client-ed25519.pem
-V
# Remove -V when CRL for ED25519 certificates available.
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
@@ -56,4 +63,5 @@
-k ./certs/ed25519/client-ed25519-key.pem
-A ./certs/ed25519/root-ed25519.pem
-C
-2

10
tests/test-enckeys.conf
View File

@@ -1,42 +1,52 @@
# server RSA encrypted key
-v 3
-k ./certs/server-keyEnc.pem
-2
# client RSA encrypted key
-v 3
-k ./certs/client-keyEnc.pem
-2
# server RSA encrypted key PKCS8
-v 3
-k ./certs/server-keyPkcs8Enc.pem
-2
# client RSA encrypted key
-v 3
-k ./certs/client-keyEnc.pem
-2
# server RSA encrypted key PKCS8 2
-v 3
-k ./certs/server-keyPkcs8Enc2.pem
-2
# client RSA encrypted key
-v 3
-k ./certs/client-keyEnc.pem
-2
# server RSA encrypted key PKCS8 12
-v 3
-k ./certs/server-keyPkcs8Enc12.pem
-2
# client RSA encrypted key
-v 3
-k ./certs/client-keyEnc.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-SHA256 PKCS8 encrypted key
-v 3
-l ECDHE-ECDSA-AES128-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-keyPkcs8Enc.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
-v 3
-l ECDHE-ECDSA-AES128-SHA256
-A ./certs/ca-ecc-cert.pem
-2

30
tests/test-fails.conf
View File

@@ -5,6 +5,7 @@
-k ./certs/server-key.pem
-c ./certs/test/server-badcnnull.pem
-d
-2
# client bad certificate common name has null
-v 3
@@ -13,6 +14,7 @@
-A ./certs/test/server-badcnnull.pem
-m
-x
-2
# server bad certificate alternate name has null
-v 3
@@ -20,6 +22,7 @@
-k ./certs/server-key.pem
-c ./certs/test/server-badaltnull.pem
-d
-2
# client bad certificate alternate name has null
-v 3
@@ -28,6 +31,7 @@
-A ./certs/test/server-badaltnull.pem
-m
-x
-2
# server nomatch common name
-v 3
@@ -35,6 +39,7 @@
-k ./certs/server-key.pem
-c ./certs/test/server-badcn.pem
-d
-2
# client nomatch common name
-v 3
@@ -43,6 +48,7 @@
-A ./certs/test/server-badcn.pem
-m
-x
-2
# server nomatch alternate name
-v 3
@@ -50,6 +56,7 @@
-k ./certs/server-key.pem
-c ./certs/test/server-badaltname.pem
-d
-2
# client nomatch alternate name
-v 3
@@ -58,47 +65,57 @@
-A ./certs/test/server-badaltname.pem
-m
-x
-2
# server RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-2
# client RSA no signer error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-A ./certs/client-cert.pem
-2
# server ECC no signer error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-2
# client ECC no signer error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/client-ecc-cert.pem
-2
# server RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
-2
# client RSA bad sig error
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-2
# server ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
-2
# client ECC bad sig error
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-2
# server missing CN from alternate names list
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-garbage.pem
-2
# client missing CN from alternate names list
-v 3
@@ -106,44 +123,53 @@
-h localhost
-A ./certs/test/server-garbage.pem
-m
-2
# Verify Callback Failure Tests
# no error going into callback, return error
# server
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-2
# client verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
-2
# server verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
-2
# client
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-2
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-2
# client verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
-2
# server verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
-2
# client
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-2
# error going into callback, return error
# server
@@ -151,19 +177,23 @@
-l ECDHE-RSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-rsa-badsig.pem
-k ./certs/server-key.pem
-2
# client verify should fail
-v 3
-l ECDHE-RSA-AES128-GCM-SHA256
-H verifyFail
-2
# server
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/test/server-cert-ecc-badsig.pem
-k ./certs/ecc-key.pem
-2
# client verify should fail
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-H verifyFail
-2

36
tests/test-maxfrag-dtls.conf
View File

@@ -4,6 +4,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -11,28 +12,33 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 1
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 1
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 1
-2
# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -40,6 +46,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -47,28 +54,33 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 2
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 2
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 2
-2
# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -76,6 +88,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -83,28 +96,33 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 3
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 3
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 3
-2
# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -112,6 +130,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -119,28 +138,33 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 4
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 4
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 4
-2
# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -148,6 +172,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -155,28 +180,33 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 5
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 5
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 5
-2
# server DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -184,6 +214,7 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client DTLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-u
@@ -191,25 +222,30 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 6
-2
# server DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 6
-2
# server DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client DTLSv1.2 DHE-RSA-AES256-GCM-SHA384
-u
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 6
-2

36
tests/test-maxfrag.conf
View File

@@ -3,177 +3,213 @@
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 1
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 1
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 1
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 2
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 2
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 2
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 3
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 3
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 3
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 4
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 4
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 4
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 5
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 5
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 5
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-F 6
-2
# server TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-F 6
-2
# server TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-2
# client TLSv1.2 DHE-RSA-AES256-GCM-SHA384
-v 3
-l DHE-RSA-AES256-GCM-SHA384
-F 6
-2

54
tests/test-psk-no-id.conf
View File

@@ -3,263 +3,311 @@
-I
-v 3
-l PSK-CHACHA20-POLY1305
-2
# No Hint client TLSv1.2 PSK-CHACHA20-POLY1305
-s
-v 3
-l PSK-CHACHA20-POLY1305
-2
# No Hint server TLSv1.2 DHE-PSK-CHACHA20-POLY1305
-s
-I
-v 3
-l DHE-PSK-CHACHA20-POLY1305
-2
# No Hint client TLSv1.2 DHE-PSK-CHACHA20-POLY1305
-s
-v 3
-l DHE-PSK-CHACHA20-POLY1305
-2
# No Hint server TLSv1.2 ECDHE-PSK-CHACHA20-POLY1305
-s
-I
-v 3
-l ECDHE-PSK-CHACHA20-POLY1305
-2
# No Hint client TLSv1.2 ECDHE-PSK-CHACHA20-POLY1305
-s
-v 3
-l ECDHE-PSK-CHACHA20-POLY1305
-2
# No Hint server TLSv1 ECDHE-PSK-AES128-SHA256
-s
-I
-v 1
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint client TLSv1 ECDHE-PSK-AES128-SHA256
-s
-v 1
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint server TLSv1.1 ECDHE-PSK-AES128-SHA256
-s
-I
-v 2
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint client TLSv1.1 ECDHE-PSK-AES128-SHA256
-s
-v 2
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint server TLSv1.2 ECDHE-PSK-AES128-SHA256
-s
-I
-v 3
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint client TLSv1.2 ECDHE-PSK-AES128-SHA256
-s
-v 3
-l ECDHE-PSK-AES128-SHA256
-2
# No Hint server TLSv1 ECDHE-PSK-NULL-SHA256
-s
-I
-v 1
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint client TLSv1 ECDHE-PSK-NULL-SHA256
-s
-v 1
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint server TLSv1.1 ECDHE-PSK-NULL-SHA256
-s
-I
-v 2
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint client TLSv1.1 ECDHE-PSK-NULL-SHA256
-s
-v 2
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint server TLSv1.2 ECDHE-PSK-NULL-SHA256
-s
-I
-v 3
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint client TLSv1.2 ECDHE-PSK-NULL-SHA256
-s
-v 3
-l ECDHE-PSK-NULL-SHA256
-2
# No Hint server TLSv1 PSK-AES128
-s
-I
-v 1
-l PSK-AES128-CBC-SHA
-2
# No Hint client TLSv1 PSK-AES128
-s
-v 1
-l PSK-AES128-CBC-SHA
-2
# No Hint server TLSv1 PSK-AES256
-s
-I
-v 1
-l PSK-AES256-CBC-SHA
-2
# No Hint client TLSv1 PSK-AES256
-s
-v 1
-l PSK-AES256-CBC-SHA
-2
# No Hint server TLSv1.1 PSK-AES128
-s
-I
-v 2
-l PSK-AES128-CBC-SHA
-2
# No Hint client TLSv1.1 PSK-AES128
-s
-v 2
-l PSK-AES128-CBC-SHA
-2
# No Hint server TLSv1.1 PSK-AES256
-s
-I
-v 2
-l PSK-AES256-CBC-SHA
-2
# No Hint client TLSv1.1 PSK-AES256
-s
-v 2
-l PSK-AES256-CBC-SHA
-2
# No Hint server TLSv1.2 PSK-AES128
-s
-I
-v 3
-l PSK-AES128-CBC-SHA
-2
# No Hint client TLSv1.2 PSK-AES128
-s
-v 3
-l PSK-AES128-CBC-SHA
-2
# No Hint server TLSv1.2 PSK-AES256
-s
-I
-v 3
-l PSK-AES256-CBC-SHA
-2
# No Hint client TLSv1.2 PSK-AES256
-s
-v 3
-l PSK-AES256-CBC-SHA
-2
# No Hint server TLSv1.0 PSK-AES128-SHA256
-s
-I
-v 1
-l PSK-AES128-CBC-SHA256
-2
# No Hint client TLSv1.0 PSK-AES128-SHA256
-s
-v 1
-l PSK-AES128-CBC-SHA256
-2
# No Hint server TLSv1.1 PSK-AES128-SHA256
-s
-I
-v 2
-l PSK-AES128-CBC-SHA256
-2
# No Hint client TLSv1.1 PSK-AES128-SHA256
-s
-v 2
-l PSK-AES128-CBC-SHA256
-2
# No Hint server TLSv1.2 PSK-AES128-SHA256
-s
-I
-v 3
-l PSK-AES128-CBC-SHA256
-2
# No Hint client TLSv1.2 PSK-AES128-SHA256
-s
-v 3
-l PSK-AES128-CBC-SHA256
-2
# No Hint server TLSv1.0 PSK-AES256-SHA384
-s
-I
-v 1
-l PSK-AES256-CBC-SHA384
-2
# No Hint client TLSv1.0 PSK-AES256-SHA384
-s
-v 1
-l PSK-AES256-CBC-SHA384
-2
# No Hint server TLSv1.1 PSK-AES256-SHA384
-s
-I
-v 2
-l PSK-AES256-CBC-SHA384
-2
# No Hint client TLSv1.1 PSK-AES256-SHA384
-s
-v 2
-l PSK-AES256-CBC-SHA384
-2
# No Hint server TLSv1.2 PSK-AES256-SHA384
-s
-I
-v 3
-l PSK-AES256-CBC-SHA384
-2
# No Hint client TLSv1.2 PSK-AES256-SHA384
-s
-v 3
-l PSK-AES256-CBC-SHA384
-2
# server TLSv1.2 PSK-AES128-GCM-SHA256
-s
-I
-v 3
-l PSK-AES128-GCM-SHA256
-2
# client TLSv1.2 PSK-AES128-GCM-SHA256
-s
-v 3
-l PSK-AES128-GCM-SHA256
-2
# server TLSv1.2 PSK-AES256-GCM-SHA384
-s
-I
-v 3
-l PSK-AES256-GCM-SHA384
-2
# client TLSv1.2 PSK-AES256-GCM-SHA384
-s
-v 3
-l PSK-AES256-GCM-SHA384
-2
# server TLSv1.3 AES128-GCM-SHA256
-s
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 AES128-GCM-SHA256
-s
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# server TLSv1.3 accepting EarlyData using PSK
-v 4
@@ -267,6 +315,7 @@
-r
-s
-0
-2
# client TLSv1.3 sending EarlyData using PSK
-v 4
@@ -274,12 +323,14 @@
-r
-s
-0
-2
# server TLSv1.3 not accepting EarlyData using PSK
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-s
-2
# client TLSv1.3 sending EarlyData using PSK
-v 4
@@ -287,6 +338,7 @@
-r
-s
-0
-2
# server TLSv1.3 accepting EarlyData using PSK
-v 4
@@ -294,9 +346,11 @@
-r
-s
-0
-2
# client TLSv1.3 not sending EarlyData using PSK
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-s
-2

2
tests/test-psk.conf
View File

@@ -1,7 +1,9 @@
# server - PSK plus certificates
-j
-l PSK-CHACHA20-POLY1305
-2
# client- standard PSK
-s
-l PSK-CHACHA20-POLY1305
-2

466
tests/test-qsh.conf
View File

File diff suppressed because it is too large Load Diff

190
tests/test-sctp.conf
View File

File diff suppressed because it is too large Load Diff

40
tests/test-sig.conf
View File

@@ -3,217 +3,257 @@
-l ECDHE-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1 ECDHE-ECDSA-DES3
-v 1
-l ECDHE-ECDSA-DES-CBC3-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1 ECDHE-ECDSA-AES128
-v 1
-l ECDHE-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1 ECDHE-ECDSA-AES128
-v 1
-l ECDHE-ECDSA-AES128-SHA
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1 ECDHE-ECDSA-AES128
-v 1
-l ECDHE-ECDSA-AES128-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1 ECDHE-ECDSA-AES128
-v 1
-l ECDHE-ECDSA-AES128-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1 ECDHE-ECDSA-AES256
-v 1
-l ECDHE-ECDSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1 ECDHE-ECDSA-AES256
-v 1
-l ECDHE-ECDSA-AES256-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.1 ECDHE-ECDSA-DES3
-v 2
-l ECDHE-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.1 ECDHE-ECDSA-DES3
-v 2
-l ECDHE-ECDSA-DES-CBC3-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.1 ECDHE-ECDSA-AES128
-v 2
-l ECDHE-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.1 ECDHE-ECDSA-AES128
-v 2
-l ECDHE-ECDSA-AES128-SHA
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.1 ECDHE-ECDSA-AES128
-v 2
-l ECDHE-ECDSA-AES128-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.1 ECDHE-ECDSA-AES128
-v 2
-l ECDHE-ECDSA-AES128-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.1 ECDHE-ECDSA-AES256
-v 2
-l ECDHE-ECDSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.1 ECDHE-ECDSA-AES256
-v 2
-l ECDHE-ECDSA-AES256-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-DES3
-v 3
-l ECDHE-ECDSA-DES-CBC3-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-DES3
-v 3
-l ECDHE-ECDSA-DES-CBC3-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128
-v 3
-l ECDHE-ECDSA-AES128-SHA
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128
-v 3
-l ECDHE-ECDSA-AES128-SHA
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-SHA256
-v 3
-l ECDHE-ECDSA-AES128-SHA256
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-SHA256
-v 3
-l ECDHE-ECDSA-AES128-SHA256
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES256
-v 3
-l ECDHE-ECDSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256
-v 3
-l ECDHE-ECDSA-AES256-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-EDCSA-CHACHA20-POLY1305
-v 3
-l ECDHE-ECDSA-CHACHA20-POLY1305
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
-v 3
-l ECDHE-ECDSA-CHACHA20-POLY1305
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDH-ECDSA-AES128-SHA256
-v 3
-l ECDH-ECDSA-AES128-SHA256
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDH-ECDSA-AES128-SHA256
-v 3
-l ECDH-ECDSA-AES128-SHA256
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDH-ECDSA-AES256
-v 3
-l ECDH-ECDSA-AES256-SHA
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDH-ECDSA-AES256
-v 3
-l ECDH-ECDSA-AES256-SHA
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-privkey.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256
-v 3
-l ECDHE-ECDSA-AES128-GCM-SHA256
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
-v 3
-l ECDHE-ECDSA-AES256-GCM-SHA384
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-CCM
-v 3
-l ECDHE-ECDSA-AES128-CCM
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-CCM
-v 3
-l ECDHE-ECDSA-AES128-CCM
-A ./certs/ca-cert.pem
-2
# server TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
-v 3
-l ECDHE-ECDSA-AES128-CCM-8
-c ./certs/server-ecc-rsa.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.2 ECDHE-ECDSA-AES128-CCM-8
-v 3
-l ECDHE-ECDSA-AES128-CCM-8
-A ./certs/ca-cert.pem
-2

12
tests/test-tls13-down.conf
View File

@@ -2,43 +2,55 @@
# server TLSv1.3 downgrade
#-v d
#-l TLS13-CHACHA20-POLY1305-SHA256
-2
# client TLSv1.2
#-v 3
-2
# server TLSv1.2
-v 3
-2
# client TLSv1.3 downgrade
-v d
-2
# server TLSv1.3 downgrade
-v d
-2
# client TLSv1.3 downgrade
-v d
-2
# server TLSv1.3 downgrade but don't and resume
-v d
-r
-2
# client TLSv1.3 downgrade but don't and resume
-v d
-r
-2
# server TLSv1.3 downgrade and resume
-v d
-r
-2
# client TLSv1.2 and resume
-v 3
-r
-2
# server TLSv1.2 and resume
-v d
-r
-2
# lcient TLSv1.3 downgrade and resume
-v 3
-r
-2

14
tests/test-tls13-ecc.conf
View File

@@ -3,55 +3,65 @@
-l TLS13-CHACHA20-POLY1305-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.3 TLS13-CHACHA20-POLY1305-SHA256
-v 4
-l TLS13-CHACHA20-POLY1305-SHA256
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-2
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-A ./certs/ca-ecc-cert.pem
-2
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
@@ -59,12 +69,14 @@
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-t
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-t
-2
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
@@ -72,9 +84,11 @@
-c ./certs/server-ecc.pem
-k ./certs/ecc-key.pem
-Y
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-A ./certs/ca-ecc-cert.pem
-y
-2

6
tests/test-tls13-psk.conf
View File

@@ -3,29 +3,35 @@
-s
-l TLS13-AES128-GCM-SHA256
-d
-2
# client TLSv1.3 PSK
-v 4
-s
-l TLS13-AES128-GCM-SHA256
-2
# server TLSv1.3 PSK
-v 4
-j
-l TLS13-AES128-GCM-SHA256
-d
-2
# client TLSv1.3 PSK
-v 4
-s
-l TLS13-AES128-GCM-SHA256
-2
# server TLSv1.3 PSK
-v 4
-j
-l TLS13-AES128-GCM-SHA256
-d
-2
# client TLSv1.3 not-PSK
-v 4
-l TLS13-AES128-GCM-SHA256
-2

42
tests/test-tls13.conf
View File

@@ -1,195 +1,237 @@
# server TLSv1.3 TLS13-CHACHA20-POLY1305-SHA256
-v 4
-l TLS13-CHACHA20-POLY1305-SHA256
-2
# client TLSv1.3 TLS13-CHACHA20-POLY1305-SHA256
-v 4
-l TLS13-CHACHA20-POLY1305-SHA256
-2
# server TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 TLS13-AES128-GCM-SHA256
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# server TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-2
# client TLSv1.3 TLS13-AES256-GCM-SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-2
# server TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-2
# client TLSv1.3 TLS13-AES128-CCM-SHA256
-v 4
-l TLS13-AES128-CCM-SHA256
-2
# server TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-2
# client TLSv1.3 TLS13-AES128-CCM-8-SHA256
-v 4
-l TLS13-AES128-CCM-8-SHA256
-2
# server TLSv1.3 resumption
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-2
# client TLSv1.3 resumption
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-2
# server TLSv1.3 resumption - SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-r
-2
# client TLSv1.3 resumption - SHA384
-v 4
-l TLS13-AES256-GCM-SHA384
-r
-2
# server TLSv1.3 PSK without (EC)DHE
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-2
# client TLSv1.3 PSK without (EC)DHE
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-K
-2
# server TLSv1.3 accepting EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-0
-2
# client TLSv1.3 sending EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-0
-2
# server TLSv1.3 not accepting EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-2
# client TLSv1.3 sending EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-0
-2
# server TLSv1.3 accepting EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-0
-2
# client TLSv1.3 not sending EarlyData
-v 4
-l TLS13-AES128-GCM-SHA256
-r
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 Fragments
-v 4
-l TLS13-AES128-GCM-SHA256
-F 1
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 HelloRetryRequest to negotiate Key Exchange algorithm
-v 4
-l TLS13-AES128-GCM-SHA256
-J
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-J
-2
# client TLSv1.3 HelloRetryRequest with cookie
-v 4
-l TLS13-AES128-GCM-SHA256
-J
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 no client certificate
-v 4
-l TLS13-AES128-GCM-SHA256
-x
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 DH key exchange
-v 4
-l TLS13-AES128-GCM-SHA256
-y
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 ECC key exchange
-v 4
-l TLS13-AES128-GCM-SHA256
-Y
-2
# server TLSv1.3
-v 4
-l TLS13-AES128-GCM-SHA256
-2
# client TLSv1.3 ECC key exchange
-v 4
-l TLS13-AES128-GCM-SHA256
-Y
-2
# server TLSv1.3 multiple cipher suites
-v 4
-l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256
-2
# client TLSv1.3
-v 4
-2
# server TLSv1.3 KeyUpdate
-v 4
-l TLS13-AES128-GCM-SHA256
-U
-2
# client TLSv1.3 KeyUpdate
-v 4
-l TLS13-AES128-GCM-SHA256
-I
-2
# server TLSv1.3 Post-Handshake Authentication
-v 4
-l TLS13-AES128-GCM-SHA256
-Q
-2
# client TLSv1.3 Post-Handshake Authentication
-v 4
-l TLS13-AES128-GCM-SHA256
-Q
-2

532
tests/test.conf
View File

File diff suppressed because it is too large Load Diff

14
wolfssl/internal.h
View File

@@ -2531,6 +2531,12 @@ struct WOLFSSL_CTX {
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
byte postHandshakeAuth:1; /* Post-handshake auth supported. */
#endif
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST)
byte dhKeyTested:1; /* Set when key has been tested. */
#endif
#endif
#ifdef WOLFSSL_MULTICAST
byte haveMcast; /* multicast requested */
byte mcastID; /* multicast group ID */
@@ -3240,7 +3246,13 @@ typedef struct Options {
!defined(NO_ED25519_CLIENT_AUTH)
word16 cacheMessages:1; /* Cache messages for sign/verify */
#endif
#ifndef NO_DH
#if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
word16 dhDoKeyTest:1; /* Need to do the DH Key prime test */
word16 dhKeyTested:1; /* Set when key has been tested. */
#endif
#endif
/* need full byte values for this section */
byte processReply; /* nonblocking resume */
byte cipherSuite0; /* first byte, normally 0 */

1
wolfssl/ssl.h
View File

@@ -1649,6 +1649,7 @@ WOLFSSL_API int wolfSSL_SetTmpDH(WOLFSSL*, const unsigned char* p, int pSz,
const unsigned char* g, int gSz);
WOLFSSL_API int wolfSSL_SetTmpDH_buffer(WOLFSSL*, const unsigned char* b, long sz,
int format);
WOLFSSL_API int wolfSSL_SetEnableDhKeyTest(WOLFSSL*, int);
#ifndef NO_FILESYSTEM
WOLFSSL_API int wolfSSL_SetTmpDH_file(WOLFSSL*, const char* f, int format);
#endif