Add TLS versioning tests.

This ensures that a TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 client can talk with an appropriately configured server and vice versa.
author: jsing <> 2020-05-13 17:57:27 +0000
committer: jsing <> 2020-05-13 17:57:27 +0000
commit: c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb (patch)
tree: 72870b8f653b415ccd2248af382d8f1b0162067d
parent: e50b18a4b934535f5e81040e460b82ad9a92e645 (diff)
download: openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.tar.gz
openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.tar.bz2
openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.zip
1 files changed, 96 insertions, 2 deletions
diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c
index 8a4d5dbb38..c386e91610 100644
--- a/src/regress/lib/libtls/tls/tlstest.c
+++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.10 2018/03/19 16:36:12 jsing Exp $ */
+/* $OpenBSD: tlstest.c,v 1.11 2020/05/13 17:57:27 jsing Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -292,12 +292,58 @@ test_tls_socket(struct tls *client, struct tls *server)
 }
 static int
+test_tls(char *client_protocols, char *server_protocols, char *ciphers)
+{
+        struct tls_config *client_cfg, *server_cfg;
+        struct tls *client, *server;
+        uint32_t protocols;
+        if ((client = tls_client()) == NULL)
+                errx(1, "failed to create tls client");
+        if ((client_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls client config");
+        tls_config_insecure_noverifyname(client_cfg);
+        if (tls_config_parse_protocols(&protocols, client_protocols) == -1)
+                errx(1, "failed to parse protocols: %s", tls_config_error(client_cfg));
+        if (tls_config_set_protocols(client_cfg, protocols) == -1)
+                errx(1, "failed to set protocols: %s", tls_config_error(client_cfg));
+        if (tls_config_set_ciphers(client_cfg, ciphers) == -1)
+                errx(1, "failed to set ciphers: %s", tls_config_error(client_cfg));
+        if (tls_config_set_ca_file(client_cfg, cafile) == -1)
+                errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
+        if ((server = tls_server()) == NULL)
+                errx(1, "failed to create tls server");
+        if ((server_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls server config");
+        if (tls_config_parse_protocols(&protocols, server_protocols) == -1)
+                errx(1, "failed to parse protocols: %s", tls_config_error(server_cfg));
+        if (tls_config_set_protocols(server_cfg, protocols) == -1)
+                errx(1, "failed to set protocols: %s", tls_config_error(server_cfg));
+        if (tls_config_set_ciphers(server_cfg, ciphers) == -1)
+                errx(1, "failed to set ciphers: %s", tls_config_error(server_cfg));
+        if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
+                errx(1, "failed to set keypair: %s",
+                    tls_config_error(server_cfg));
+        if (tls_configure(client, client_cfg) == -1)
+                errx(1, "failed to configure client: %s", tls_error(client));
+        tls_reset(server);
+        if (tls_configure(server, server_cfg) == -1)
+                errx(1, "failed to configure server: %s", tls_error(server));
+        return test_tls_cbs(client, server);
+}
+static int
 do_tls_tests(void)
 {
        struct tls_config *client_cfg, *server_cfg;
        struct tls *client, *server;
        int failure = 0;
+        printf("== TLS tests ==\n");
        if ((client = tls_client()) == NULL)
                errx(1, "failed to create tls client");
        if ((client_cfg = tls_config_new()) == NULL)
@@ -347,6 +393,8 @@ do_tls_tests(void)
        tls_free(client);
        tls_free(server);
+        printf("\n");
        return (failure);
 }
@@ -357,7 +405,7 @@ do_tls_ordering_tests(void)
        struct tls_config *client_cfg, *server_cfg;
        int failure = 0;
-        circular_init();
+        printf("== TLS ordering tests ==\n");
        if ((client = tls_client()) == NULL)
                errx(1, "failed to create tls client");
@@ -425,9 +473,54 @@ do_tls_ordering_tests(void)
        tls_free(server);
        tls_free(server_cctx);
+        printf("\n");
        return (failure);
 }
+struct test_versions {
+        char *client;
+        char *server;
+};
+static struct test_versions tls_test_versions[] = {
+        {"tlsv1.3", "all"},
+        {"tlsv1.2", "all"},
+        {"tlsv1.1", "all"},
+        {"tlsv1.0", "all"},
+        {"all", "tlsv1.3"},
+        {"all", "tlsv1.2"},
+        {"all", "tlsv1.1"},
+        {"all", "tlsv1.0"},
+        {"tlsv1.3", "tlsv1.3"},
+        {"tlsv1.2", "tlsv1.2"},
+        {"tlsv1.1", "tlsv1.1"},
+        {"tlsv1.0", "tlsv1.0"},
+};
+#define N_TLS_VERSION_TESTS \
+    (sizeof(tls_test_versions) / sizeof(*tls_test_versions))
+static int
+do_tls_version_tests(void)
+{
+        struct test_versions *tv;
+        int failure = 0;
+        size_t i;
+        printf("== TLS version tests ==\n");
+        for (i = 0; i < N_TLS_VERSION_TESTS; i++) {
+                tv = &tls_test_versions[i];
+                printf("INFO: version test %zu - client versions '%s' "
+                    "and server versions '%s'\n", i, tv->client, tv->server);
+                failure |= test_tls(tv->client, tv->server, "legacy");
+                printf("\n");
+        }
+        return failure;
+}
 int
 main(int argc, char **argv)
 {
@@ -445,6 +538,7 @@ main(int argc, char **argv)
        failure |= do_tls_tests();
        failure |= do_tls_ordering_tests();
+        failure |= do_tls_version_tests();
        return (failure);
 }
author	jsing <>	2020-05-13 17:57:27 +0000
committer	jsing <>	2020-05-13 17:57:27 +0000
commit	c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb (patch)
tree	72870b8f653b415ccd2248af382d8f1b0162067d
parent	e50b18a4b934535f5e81040e460b82ad9a92e645 (diff)
download	openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.tar.gz openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.tar.bz2 openbsd-c5b1d4b675fcd2431b6972f66ffe1459d8d5dbcb.zip

diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c index 8a4d5dbb38..c386e91610 100644 --- a/src/regress/lib/libtls/tls/tlstest.c +++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tlstest.c,v 1.10 2018/03/19 16:36:12 jsing Exp $ */	1	/* $OpenBSD: tlstest.c,v 1.11 2020/05/13 17:57:27 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -292,12 +292,58 @@ test_tls_socket(struct tls client, struct tls server)
292	}	292	}
293		293
294	static int	294	static int
		295	test_tls(char client_protocols, char server_protocols, char *ciphers)
		296	{
		297	struct tls_config client_cfg, server_cfg;
		298	struct tls client, server;
		299	uint32_t protocols;
		300
		301	if ((client = tls_client()) == NULL)
		302	errx(1, "failed to create tls client");
		303	if ((client_cfg = tls_config_new()) == NULL)
		304	errx(1, "failed to create tls client config");
		305	tls_config_insecure_noverifyname(client_cfg);
		306	if (tls_config_parse_protocols(&protocols, client_protocols) == -1)
		307	errx(1, "failed to parse protocols: %s", tls_config_error(client_cfg));
		308	if (tls_config_set_protocols(client_cfg, protocols) == -1)
		309	errx(1, "failed to set protocols: %s", tls_config_error(client_cfg));
		310	if (tls_config_set_ciphers(client_cfg, ciphers) == -1)
		311	errx(1, "failed to set ciphers: %s", tls_config_error(client_cfg));
		312	if (tls_config_set_ca_file(client_cfg, cafile) == -1)
		313	errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
		314
		315	if ((server = tls_server()) == NULL)
		316	errx(1, "failed to create tls server");
		317	if ((server_cfg = tls_config_new()) == NULL)
		318	errx(1, "failed to create tls server config");
		319	if (tls_config_parse_protocols(&protocols, server_protocols) == -1)
		320	errx(1, "failed to parse protocols: %s", tls_config_error(server_cfg));
		321	if (tls_config_set_protocols(server_cfg, protocols) == -1)
		322	errx(1, "failed to set protocols: %s", tls_config_error(server_cfg));
		323	if (tls_config_set_ciphers(server_cfg, ciphers) == -1)
		324	errx(1, "failed to set ciphers: %s", tls_config_error(server_cfg));
		325	if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
		326	errx(1, "failed to set keypair: %s",
		327	tls_config_error(server_cfg));
		328
		329	if (tls_configure(client, client_cfg) == -1)
		330	errx(1, "failed to configure client: %s", tls_error(client));
		331	tls_reset(server);
		332	if (tls_configure(server, server_cfg) == -1)
		333	errx(1, "failed to configure server: %s", tls_error(server));
		334
		335	return test_tls_cbs(client, server);
		336	}
		337
		338	static int
295	do_tls_tests(void)	339	do_tls_tests(void)
296	{	340	{
297	struct tls_config client_cfg, server_cfg;	341	struct tls_config client_cfg, server_cfg;
298	struct tls client, server;	342	struct tls client, server;
299	int failure = 0;	343	int failure = 0;
300		344
		345	printf("== TLS tests ==\n");
		346
301	if ((client = tls_client()) == NULL)	347	if ((client = tls_client()) == NULL)
302	errx(1, "failed to create tls client");	348	errx(1, "failed to create tls client");
303	if ((client_cfg = tls_config_new()) == NULL)	349	if ((client_cfg = tls_config_new()) == NULL)
@@ -347,6 +393,8 @@ do_tls_tests(void)
347	tls_free(client);	393	tls_free(client);
348	tls_free(server);	394	tls_free(server);
349		395
		396	printf("\n");
		397
350	return (failure);	398	return (failure);
351	}	399	}
352		400
@@ -357,7 +405,7 @@ do_tls_ordering_tests(void)
357	struct tls_config client_cfg, server_cfg;	405	struct tls_config client_cfg, server_cfg;
358	int failure = 0;	406	int failure = 0;
359		407
360	circular_init();	408	printf("== TLS ordering tests ==\n");
361		409
362	if ((client = tls_client()) == NULL)	410	if ((client = tls_client()) == NULL)
363	errx(1, "failed to create tls client");	411	errx(1, "failed to create tls client");
@@ -425,9 +473,54 @@ do_tls_ordering_tests(void)
425	tls_free(server);	473	tls_free(server);
426	tls_free(server_cctx);	474	tls_free(server_cctx);
427		475
		476	printf("\n");
		477
428	return (failure);	478	return (failure);
429	}	479	}
430		480
		481	struct test_versions {
		482	char *client;
		483	char *server;
		484	};
		485
		486	static struct test_versions tls_test_versions[] = {
		487	{"tlsv1.3", "all"},
		488	{"tlsv1.2", "all"},
		489	{"tlsv1.1", "all"},
		490	{"tlsv1.0", "all"},
		491	{"all", "tlsv1.3"},
		492	{"all", "tlsv1.2"},
		493	{"all", "tlsv1.1"},
		494	{"all", "tlsv1.0"},
		495	{"tlsv1.3", "tlsv1.3"},
		496	{"tlsv1.2", "tlsv1.2"},
		497	{"tlsv1.1", "tlsv1.1"},
		498	{"tlsv1.0", "tlsv1.0"},
		499	};
		500
		501	#define N_TLS_VERSION_TESTS \
		502	(sizeof(tls_test_versions) / sizeof(*tls_test_versions))
		503
		504	static int
		505	do_tls_version_tests(void)
		506	{
		507	struct test_versions *tv;
		508	int failure = 0;
		509	size_t i;
		510
		511	printf("== TLS version tests ==\n");
		512
		513	for (i = 0; i < N_TLS_VERSION_TESTS; i++) {
		514	tv = &tls_test_versions[i];
		515	printf("INFO: version test %zu - client versions '%s' "
		516	"and server versions '%s'\n", i, tv->client, tv->server);
		517	failure \|= test_tls(tv->client, tv->server, "legacy");
		518	printf("\n");
		519	}
		520
		521	return failure;
		522	}
		523
431	int	524	int
432	main(int argc, char **argv)	525	main(int argc, char **argv)
433	{	526	{
@@ -445,6 +538,7 @@ main(int argc, char **argv)
445		538
446	failure \|= do_tls_tests();	539	failure \|= do_tls_tests();
447	failure \|= do_tls_ordering_tests();	540	failure \|= do_tls_ordering_tests();
		541	failure \|= do_tls_version_tests();
448		542
449	return (failure);	543	return (failure);
450	}	544	}