diff options
| author | jsing <> | 2021-03-10 18:28:01 +0000 |
|---|---|---|
| committer | jsing <> | 2021-03-10 18:28:01 +0000 |
| commit | b326c1132769dfe25e6d64ec5ea394f654db1a8e (patch) | |
| tree | f098ad15a4ad0300e8601dbd46ce6f1bc7413319 /src/regress/lib | |
| parent | bec282ffa4cbd669be0dc9e8fab07c4c21ebcb66 (diff) | |
| download | openbsd-b326c1132769dfe25e6d64ec5ea394f654db1a8e.tar.gz openbsd-b326c1132769dfe25e6d64ec5ea394f654db1a8e.tar.bz2 openbsd-b326c1132769dfe25e6d64ec5ea394f654db1a8e.zip | |
Revise TLS extension regress to match version handling changes.
Diffstat (limited to 'src/regress/lib')
| -rw-r--r-- | src/regress/lib/libssl/tlsext/tlsexttest.c | 82 |
1 files changed, 25 insertions, 57 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 51b7020c1d..e0cba55d8f 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tlsexttest.c,v 1.45 2020/10/11 02:45:49 tb Exp $ */ | 1 | /* $OpenBSD: tlsexttest.c,v 1.46 2021/03/10 18:28:01 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1531,7 +1531,7 @@ test_tlsext_sigalgs_client(void) | |||
| 1531 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 1531 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 1532 | errx(1, "failed to create SSL"); | 1532 | errx(1, "failed to create SSL"); |
| 1533 | 1533 | ||
| 1534 | ssl->client_version = TLS1_1_VERSION; | 1534 | S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; |
| 1535 | 1535 | ||
| 1536 | if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 1536 | if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 1537 | fprintf(stderr, "FAIL: client should not need sigalgs\n"); | 1537 | fprintf(stderr, "FAIL: client should not need sigalgs\n"); |
| @@ -1539,7 +1539,7 @@ test_tlsext_sigalgs_client(void) | |||
| 1539 | goto done; | 1539 | goto done; |
| 1540 | } | 1540 | } |
| 1541 | 1541 | ||
| 1542 | ssl->client_version = TLS1_2_VERSION; | 1542 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; |
| 1543 | 1543 | ||
| 1544 | if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 1544 | if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 1545 | fprintf(stderr, "FAIL: client should need sigalgs\n"); | 1545 | fprintf(stderr, "FAIL: client should need sigalgs\n"); |
| @@ -2745,6 +2745,9 @@ test_tlsext_clienthello_build(void) | |||
| 2745 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 2745 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 2746 | errx(1, "failed to create SSL"); | 2746 | errx(1, "failed to create SSL"); |
| 2747 | 2747 | ||
| 2748 | S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION; | ||
| 2749 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; | ||
| 2750 | |||
| 2748 | if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { | 2751 | if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { |
| 2749 | FAIL("failed to build clienthello extensions\n"); | 2752 | FAIL("failed to build clienthello extensions\n"); |
| 2750 | goto err; | 2753 | goto err; |
| @@ -2771,7 +2774,7 @@ test_tlsext_clienthello_build(void) | |||
| 2771 | CBB_init(&cbb, 0); | 2774 | CBB_init(&cbb, 0); |
| 2772 | 2775 | ||
| 2773 | /* Switch to TLSv1.1, disable EC ciphers and session tickets. */ | 2776 | /* Switch to TLSv1.1, disable EC ciphers and session tickets. */ |
| 2774 | ssl->client_version = TLS1_1_VERSION; | 2777 | S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; |
| 2775 | if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) { | 2778 | if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) { |
| 2776 | FAIL("failed to set cipher list\n"); | 2779 | FAIL("failed to set cipher list\n"); |
| 2777 | goto err; | 2780 | goto err; |
| @@ -2846,6 +2849,8 @@ test_tlsext_serverhello_build(void) | |||
| 2846 | if ((ssl->session = SSL_SESSION_new()) == NULL) | 2849 | if ((ssl->session = SSL_SESSION_new()) == NULL) |
| 2847 | errx(1, "failed to create session"); | 2850 | errx(1, "failed to create session"); |
| 2848 | 2851 | ||
| 2852 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; | ||
| 2853 | S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; | ||
| 2849 | S3I(ssl)->hs.new_cipher = | 2854 | S3I(ssl)->hs.new_cipher = |
| 2850 | ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256); | 2855 | ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256); |
| 2851 | 2856 | ||
| @@ -2947,7 +2952,7 @@ test_tlsext_versions_client(void) | |||
| 2947 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 2952 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 2948 | errx(1, "failed to create SSL"); | 2953 | errx(1, "failed to create SSL"); |
| 2949 | 2954 | ||
| 2950 | S3I(ssl)->hs_tls13.max_version = 0; | 2955 | S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION; |
| 2951 | 2956 | ||
| 2952 | if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 2957 | if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 2953 | FAIL("client should not need versions\n"); | 2958 | FAIL("client should not need versions\n"); |
| @@ -2955,7 +2960,7 @@ test_tlsext_versions_client(void) | |||
| 2955 | goto done; | 2960 | goto done; |
| 2956 | } | 2961 | } |
| 2957 | 2962 | ||
| 2958 | S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; | 2963 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; |
| 2959 | 2964 | ||
| 2960 | if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 2965 | if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 2961 | FAIL("client should not need versions\n"); | 2966 | FAIL("client should not need versions\n"); |
| @@ -2963,7 +2968,7 @@ test_tlsext_versions_client(void) | |||
| 2963 | goto done; | 2968 | goto done; |
| 2964 | } | 2969 | } |
| 2965 | 2970 | ||
| 2966 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | 2971 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 2967 | 2972 | ||
| 2968 | if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 2973 | if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 2969 | FAIL("client should need versions\n"); | 2974 | FAIL("client should need versions\n"); |
| @@ -2971,16 +2976,9 @@ test_tlsext_versions_client(void) | |||
| 2971 | goto done; | 2976 | goto done; |
| 2972 | } | 2977 | } |
| 2973 | 2978 | ||
| 2974 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | 2979 | S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION; |
| 2975 | S3I(ssl)->hs_tls13.min_version = 0; | 2980 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 2976 | if (tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { | ||
| 2977 | FAIL("client should not have built versions\n"); | ||
| 2978 | failure = 1; | ||
| 2979 | goto done; | ||
| 2980 | } | ||
| 2981 | 2981 | ||
| 2982 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | ||
| 2983 | S3I(ssl)->hs_tls13.min_version = TLS1_VERSION; | ||
| 2984 | if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { | 2982 | if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { |
| 2985 | FAIL("client should have built versions\n"); | 2983 | FAIL("client should have built versions\n"); |
| 2986 | failure = 1; | 2984 | failure = 1; |
| @@ -3040,7 +3038,7 @@ test_tlsext_versions_server(void) | |||
| 3040 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 3038 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 3041 | errx(1, "failed to create SSL"); | 3039 | errx(1, "failed to create SSL"); |
| 3042 | 3040 | ||
| 3043 | ssl->version = TLS1_2_VERSION; | 3041 | S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION; |
| 3044 | 3042 | ||
| 3045 | if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3043 | if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3046 | FAIL("server should not need versions\n"); | 3044 | FAIL("server should not need versions\n"); |
| @@ -3048,7 +3046,7 @@ test_tlsext_versions_server(void) | |||
| 3048 | goto done; | 3046 | goto done; |
| 3049 | } | 3047 | } |
| 3050 | 3048 | ||
| 3051 | ssl->version = TLS1_3_VERSION; | 3049 | S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; |
| 3052 | 3050 | ||
| 3053 | if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3051 | if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3054 | FAIL("server should need versions\n"); | 3052 | FAIL("server should need versions\n"); |
| @@ -3136,29 +3134,21 @@ test_tlsext_keyshare_client(void) | |||
| 3136 | if (!tls13_key_share_generate(S3I(ssl)->hs_tls13.key_share)) | 3134 | if (!tls13_key_share_generate(S3I(ssl)->hs_tls13.key_share)) |
| 3137 | errx(1, "failed to generate key share"); | 3135 | errx(1, "failed to generate key share"); |
| 3138 | 3136 | ||
| 3139 | S3I(ssl)->hs_tls13.max_version = 0; | 3137 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; |
| 3140 | |||
| 3141 | if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | ||
| 3142 | FAIL("client should not need keyshare\n"); | ||
| 3143 | failure = 1; | ||
| 3144 | goto done; | ||
| 3145 | } | ||
| 3146 | |||
| 3147 | S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; | ||
| 3148 | if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 3138 | if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 3149 | FAIL("client should not need keyshare\n"); | 3139 | FAIL("client should not need keyshare\n"); |
| 3150 | failure = 1; | 3140 | failure = 1; |
| 3151 | goto done; | 3141 | goto done; |
| 3152 | } | 3142 | } |
| 3153 | 3143 | ||
| 3154 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | 3144 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 3155 | if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 3145 | if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 3156 | FAIL("client should need keyshare\n"); | 3146 | FAIL("client should need keyshare\n"); |
| 3157 | failure = 1; | 3147 | failure = 1; |
| 3158 | goto done; | 3148 | goto done; |
| 3159 | } | 3149 | } |
| 3160 | 3150 | ||
| 3161 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | 3151 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 3162 | if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { | 3152 | if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { |
| 3163 | FAIL("client should have built keyshare\n"); | 3153 | FAIL("client should have built keyshare\n"); |
| 3164 | failure = 1; | 3154 | failure = 1; |
| @@ -3228,21 +3218,14 @@ test_tlsext_keyshare_server(void) | |||
| 3228 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 3218 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 3229 | errx(1, "failed to create SSL"); | 3219 | errx(1, "failed to create SSL"); |
| 3230 | 3220 | ||
| 3231 | (ssl)->version = 0; | 3221 | S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION; |
| 3232 | if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3222 | if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3233 | FAIL("server should not need keyshare\n"); | 3223 | FAIL("server should not need keyshare\n"); |
| 3234 | failure = 1; | 3224 | failure = 1; |
| 3235 | goto done; | 3225 | goto done; |
| 3236 | } | 3226 | } |
| 3237 | 3227 | ||
| 3238 | (ssl)->version = TLS1_2_VERSION; | 3228 | S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION; |
| 3239 | if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | ||
| 3240 | FAIL("server should not need keyshare\n"); | ||
| 3241 | failure = 1; | ||
| 3242 | goto done; | ||
| 3243 | } | ||
| 3244 | |||
| 3245 | ssl->version = TLS1_3_VERSION; | ||
| 3246 | if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3229 | if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3247 | FAIL("client should not need keyshare\n"); | 3230 | FAIL("client should not need keyshare\n"); |
| 3248 | failure = 1; | 3231 | failure = 1; |
| @@ -3358,14 +3341,7 @@ test_tlsext_cookie_client(void) | |||
| 3358 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 3341 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 3359 | errx(1, "failed to create SSL"); | 3342 | errx(1, "failed to create SSL"); |
| 3360 | 3343 | ||
| 3361 | S3I(ssl)->hs_tls13.max_version = 0; | 3344 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; |
| 3362 | if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | ||
| 3363 | FAIL("client should not need cookie\n"); | ||
| 3364 | failure = 1; | ||
| 3365 | goto done; | ||
| 3366 | } | ||
| 3367 | |||
| 3368 | S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; | ||
| 3369 | if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 3345 | if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 3370 | FAIL("client should not need cookie\n"); | 3346 | FAIL("client should not need cookie\n"); |
| 3371 | failure = 1; | 3347 | failure = 1; |
| @@ -3373,7 +3349,7 @@ test_tlsext_cookie_client(void) | |||
| 3373 | } | 3349 | } |
| 3374 | 3350 | ||
| 3375 | 3351 | ||
| 3376 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | 3352 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 3377 | if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { | 3353 | if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { |
| 3378 | FAIL("client should not need cookie\n"); | 3354 | FAIL("client should not need cookie\n"); |
| 3379 | failure = 1; | 3355 | failure = 1; |
| @@ -3453,22 +3429,14 @@ test_tlsext_cookie_server(void) | |||
| 3453 | if ((ssl = SSL_new(ssl_ctx)) == NULL) | 3429 | if ((ssl = SSL_new(ssl_ctx)) == NULL) |
| 3454 | errx(1, "failed to create SSL"); | 3430 | errx(1, "failed to create SSL"); |
| 3455 | 3431 | ||
| 3456 | S3I(ssl)->hs_tls13.max_version = 0; | 3432 | S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION; |
| 3457 | if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3433 | if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3458 | FAIL("server should not need cookie\n"); | 3434 | FAIL("server should not need cookie\n"); |
| 3459 | failure = 1; | 3435 | failure = 1; |
| 3460 | goto done; | 3436 | goto done; |
| 3461 | } | 3437 | } |
| 3462 | 3438 | ||
| 3463 | S3I(ssl)->hs_tls13.max_version = TLS1_2_VERSION; | 3439 | S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION; |
| 3464 | if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | ||
| 3465 | FAIL("server should not need cookie\n"); | ||
| 3466 | failure = 1; | ||
| 3467 | goto done; | ||
| 3468 | } | ||
| 3469 | |||
| 3470 | |||
| 3471 | S3I(ssl)->hs_tls13.max_version = TLS1_3_VERSION; | ||
| 3472 | if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { | 3440 | if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { |
| 3473 | FAIL("server should not need cookie\n"); | 3441 | FAIL("server should not need cookie\n"); |
| 3474 | failure = 1; | 3442 | failure = 1; |