TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.
Reviewed-by: NRich Salz <rsalz@openssl.org>

The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.
Reviewed-by: NRich Salz <rsalz@openssl.org>

If supported_versions is present it takes precedence.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Also we disable TLS1.3 by default (use enable-tls1_3 to re-enable). This is
because this is a WIP and will not be interoperable with any other TLS1.3
implementation.

Finally, we fix some tests that started failing when TLS1.3 was disabled by
default.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

Add the ability to test both server initiated and client initiated reneg.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

The previous commit revealed a long standing problem where CertStatus
processing was broken in DTLS. This would have been revealed by better
testing - so add some!
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
GH: #1472

Make maximum fragment length configurable and add various fragmentation
tests, in addition to the existing multi-buffer tests.
Reviewed-by: NRich Salz <rsalz@openssl.org>

This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.
Reviewed-by: NRich Salz <rsalz@openssl.org>

In NPN and ALPN, the protocol is renegotiated upon resumption. Test that
resumption picks up changes to the extension.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Move custom server and client options from the test dictionary to an
"extra" section of each server/client. Rename test expectations to say
"Expected".

This is a big but straightforward change. Primarily, this allows us to
specify multiple server and client contexts without redefining the
custom options for each of them. For example, instead of
"ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols",
we now have, "NPNProtocols".

This simplifies writing resumption and SNI tests. The first application
will be resumption tests for NPN and ALPN.

Regrouping the options also makes it clearer which options apply to the
server, which apply to the client, which configure the test, and which
are test expectations.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Don't emit duplicate server/client sections when they are
identical. Instead, just point to the same section.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add tests for resuming with a different client version.

This happens in reality when clients persist sessions on disk through
upgrades.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Systematically test every server-side version downgrade or upgrade.

Client version upgrade or downgrade could be tested analogously but will
be done in a later change.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

In TLS during ClientAuth if the CA is not recognised you should get an
UnknownCA alert. In SSLv3 this does not exist and you should get a
BadCertificate alert.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

The Client Auth tests were not correctly setting the Protocol, so that this
aspect had no effect. It was testing the same thing lots of times for
TLSv1.2 every time.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Observe that the old tests were partly ill-defined:
setting sn_server1 but not sn_server2 in ssltest_old.c does not enable
the SNI callback.

Fix this, and also explicitly test both flavours of SNI mismatch (ignore
/ fatal alert). Tests still pass.
Reviewed-by: NRich Salz <rsalz@openssl.org>

The SNI tests introduced a redundant "server2" section into every test
configuration. Copy this automatically from "server" unless testing SNI,
to reduce noise in the generated confs.

Also remove duplicate SSL_TEST_CTX_create (merge conflict error).
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)

Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.

It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.

Also glob the ssl test inputs on the .in files to catch missing
generated files.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRichard Levitte <levitte@openssl.org>

Don't add / in file specs on VMS.  The directory "separator" is part
of the directory spec.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>

Currently, SSL tests are configured via command-line switches to
ssltest.c. This results in a lot of duplication between ssltest.c and
apps, and a complex setup. ssltest.c is also simply old and needs
maintenance.

Instead, we already have a way to configure SSL servers and clients, so
we leverage that. SSL tests can now be configured from a configuration
file. Test servers and clients are configured using the standard
ssl_conf module. Additional test settings are configured via a test
configuration.

Moreover, since the CONF language involves unnecessary boilerplate, the
test conf itself is generated from a shorter Perl syntax.

The generated testcase files are checked in to the repo to make
it easier to verify that the intended test cases are in fact run; and to
simplify debugging failures.

To demonstrate the approach, min/max protocol tests are converted to the
new format. This change also fixes MinProtocol and MaxProtocol
handling. It was previously requested that an SSL_CTX have both the
server and client flags set for these commands; this clearly can never work.

Guide to this PR:
 - test/ssl_test.c - test framework
 - test/ssl_test_ctx.* - test configuration structure
 - test/handshake_helper.* - new SSL test handshaking code
 - test/ssl-tests/ - test configurations
 - test/generate_ssl_tests.pl - script for generating CONF-style test
   configurations from perl inputs
Reviewed-by: NRichard Levitte <levitte@openssl.org>