Add checks for SH downgrade sentinel and HRR hash in appstest.sh

1 files changed, 27 insertions, 1 deletions

diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index e4d2e2c5af..47229de053 100755
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.44 2020/05/19 13:50:09 inoguchi Exp $
+# $OpenBSD: appstest.sh,v 1.45 2020/05/29 14:26:01 inoguchi Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -1448,6 +1448,32 @@ function test_sc_by_protocol_version {
                 -msg -tlsextdebug < /dev/null > $s_client_out 2>&1
         check_exit_status $?
         
+        # check downgrade bits in SH
+        if [ $ver = "tls1" -o $ver = "tls1_1" ] ; then
+                perl -0ne \
+                    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 00/m)' \
+                    $s_client_out
+                check_exit_status $?
+        elif [ $ver = "tls1_2" ] ; then
+                perl -0ne \
+                    'exit (!/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44 01/m)' \
+                    $s_client_out
+                check_exit_status $?
+        elif [ $ver = "tls1_3" ] ; then
+                perl -0ne \
+                    'exit (/ServerHello\n.*\n.*44 4f\n.*57 4e 47 52 44/m)' \
+                    $s_client_out
+                check_exit_status $?
+        fi
+
+        # check HRR hash
+        if [ $ver = "tls1_3" ] ; then
+                perl -0ne \
+                    'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
+                    $s_client_out
+                check_exit_status $?
+        fi
+
         if [ $ver = "tls1_3" ] ; then
                 grep 'Server Temp Key: ECDH, P-384, 384 bits' $s_client_out \
                         > /dev/null