Test mac-then-encrypt

  *) Heartbeat support has been removed; the ABI is changed for now.

     [Richard Levitte, Rich Salz]

  *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.

     [Emilia Käsper]

 Changes between 1.1.0b and 1.1.0c [xx XXX xxxx]

  *) ChaCha20/Poly1305 heap-buffer-overflow

for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.

Set by default.

B<EncryptThenMac>: use encrypt-then-mac extension, enabled by

default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,

B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.

=item B<VerifyMode>

The B<value> argument is a comma separated list of flags to set.

        SSL_FLAG_TBL_SRV("ECDHSingle", SSL_OP_SINGLE_ECDH_USE),

        SSL_FLAG_TBL("UnsafeLegacyRenegotiation",

                     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION),

        SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC),

    };

    if (value == NULL)

        return -3;

# We hard-code the number of tests to double-check that the globbing above

# finds all files as expected.

plan tests => 18;  # = scalar @conf_srcs

plan tests => 19;  # = scalar @conf_srcs

# Some test results depend on the configuration of enabled protocols. We only

# verify generated sources in the default configuration.

# Generated with generate_ssl_tests.pl

num_tests = 6

test-0 = 0-disable-encrypt-then-mac-server-sha

test-1 = 1-disable-encrypt-then-mac-client-sha

test-2 = 2-disable-encrypt-then-mac-both-sha

test-3 = 3-disable-encrypt-then-mac-server-sha2

test-4 = 4-disable-encrypt-then-mac-client-sha2

test-5 = 5-disable-encrypt-then-mac-both-sha2

# ===========================================================

[0-disable-encrypt-then-mac-server-sha]

ssl_conf = 0-disable-encrypt-then-mac-server-sha-ssl

[0-disable-encrypt-then-mac-server-sha-ssl]

server = 0-disable-encrypt-then-mac-server-sha-server

client = 0-disable-encrypt-then-mac-server-sha-client

[0-disable-encrypt-then-mac-server-sha-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

Options = -EncryptThenMac

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[0-disable-encrypt-then-mac-server-sha-client]

CipherString = AES128-SHA

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-0]

ExpectedResult = Success

# ===========================================================

[1-disable-encrypt-then-mac-client-sha]

ssl_conf = 1-disable-encrypt-then-mac-client-sha-ssl

[1-disable-encrypt-then-mac-client-sha-ssl]

server = 1-disable-encrypt-then-mac-client-sha-server

client = 1-disable-encrypt-then-mac-client-sha-client

[1-disable-encrypt-then-mac-client-sha-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[1-disable-encrypt-then-mac-client-sha-client]

CipherString = AES128-SHA

Options = -EncryptThenMac

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-1]

ExpectedResult = Success

# ===========================================================

[2-disable-encrypt-then-mac-both-sha]

ssl_conf = 2-disable-encrypt-then-mac-both-sha-ssl

[2-disable-encrypt-then-mac-both-sha-ssl]

server = 2-disable-encrypt-then-mac-both-sha-server

client = 2-disable-encrypt-then-mac-both-sha-client

[2-disable-encrypt-then-mac-both-sha-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

Options = -EncryptThenMac

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[2-disable-encrypt-then-mac-both-sha-client]

CipherString = AES128-SHA

Options = -EncryptThenMac

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-2]

ExpectedResult = Success

# ===========================================================

[3-disable-encrypt-then-mac-server-sha2]

ssl_conf = 3-disable-encrypt-then-mac-server-sha2-ssl

[3-disable-encrypt-then-mac-server-sha2-ssl]

server = 3-disable-encrypt-then-mac-server-sha2-server

client = 3-disable-encrypt-then-mac-server-sha2-client

[3-disable-encrypt-then-mac-server-sha2-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

Options = -EncryptThenMac

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[3-disable-encrypt-then-mac-server-sha2-client]

CipherString = AES128-SHA256

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-3]

ExpectedResult = Success

# ===========================================================

[4-disable-encrypt-then-mac-client-sha2]

ssl_conf = 4-disable-encrypt-then-mac-client-sha2-ssl

[4-disable-encrypt-then-mac-client-sha2-ssl]

server = 4-disable-encrypt-then-mac-client-sha2-server

client = 4-disable-encrypt-then-mac-client-sha2-client

[4-disable-encrypt-then-mac-client-sha2-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[4-disable-encrypt-then-mac-client-sha2-client]

CipherString = AES128-SHA256

Options = -EncryptThenMac

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-4]

ExpectedResult = Success

# ===========================================================

[5-disable-encrypt-then-mac-both-sha2]

ssl_conf = 5-disable-encrypt-then-mac-both-sha2-ssl

[5-disable-encrypt-then-mac-both-sha2-ssl]

server = 5-disable-encrypt-then-mac-both-sha2-server

client = 5-disable-encrypt-then-mac-both-sha2-client

[5-disable-encrypt-then-mac-both-sha2-server]

Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem

CipherString = DEFAULT

Options = -EncryptThenMac

PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem

[5-disable-encrypt-then-mac-both-sha2-client]

CipherString = AES128-SHA256

Options = -EncryptThenMac

VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem

VerifyMode = Peer

[test-5]

ExpectedResult = Success