summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/regress/lib/libssl/tlsext/tlsexttest.c630
1 files changed, 440 insertions, 190 deletions
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 1a707a8404..3e90eab384 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tlsexttest.c,v 1.66 2022/07/17 14:57:05 jsing Exp $ */ 1/* $OpenBSD: tlsexttest.c,v 1.67 2022/08/04 09:28:31 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> 4 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -20,11 +20,119 @@
20 20
21#include <err.h> 21#include <err.h>
22 22
23#include <openssl/tls1.h>
24
23#include "ssl_locl.h" 25#include "ssl_locl.h"
24 26
25#include "bytestring.h" 27#include "bytestring.h"
26#include "ssl_tlsext.h" 28#include "ssl_tlsext.h"
27 29
30struct tls_extension_funcs {
31 int (*needs)(SSL *s, uint16_t msg_type);
32 int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
33 int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
34};
35
36const struct tls_extension *tls_extension_find(uint16_t, size_t *);
37const struct tls_extension_funcs *tlsext_funcs(const struct tls_extension *,
38 int);
39
40static const struct tls_extension_funcs *
41tls_extension_funcs(int type, int is_server)
42{
43 const struct tls_extension *ext;
44 size_t idx;
45
46 if ((ext = tls_extension_find(type, &idx)) == NULL)
47 return NULL;
48
49 return tlsext_funcs(ext, is_server);
50}
51
52static const struct tls_extension_funcs *
53tls_extension_client_funcs(int type)
54{
55 int is_server = 0;
56
57 return tls_extension_funcs(type, is_server);
58}
59
60static const struct tls_extension_funcs *
61tls_extension_server_funcs(int type)
62{
63 int is_server = 1;
64
65 return tls_extension_funcs(type, is_server);
66}
67
68static int
69tls_extension_client_needs(int type, SSL *s, uint16_t msg_type)
70{
71 const struct tls_extension_funcs *funcs;
72
73 if ((funcs = tls_extension_client_funcs(type)) == NULL)
74 return 0;
75
76 return funcs->needs(s, msg_type);
77}
78
79static int
80tls_extension_client_build(int type, SSL *s, uint16_t msg_type, CBB *cbb)
81{
82 const struct tls_extension_funcs *funcs;
83
84 if ((funcs = tls_extension_client_funcs(type)) == NULL)
85 return 0;
86
87 return funcs->build(s, msg_type, cbb);
88}
89
90static int
91tls_extension_client_parse(int type, SSL *s, uint16_t msg_type, CBS *cbs,
92 int *alert)
93{
94 const struct tls_extension_funcs *funcs;
95
96 if ((funcs = tls_extension_client_funcs(type)) == NULL)
97 return 0;
98
99 return funcs->parse(s, msg_type, cbs, alert);
100}
101
102static int
103tls_extension_server_needs(int type, SSL *s, uint16_t msg_type)
104{
105 const struct tls_extension_funcs *funcs;
106
107 if ((funcs = tls_extension_server_funcs(type)) == NULL)
108 return 0;
109
110 return funcs->needs(s, msg_type);
111}
112
113static int
114tls_extension_server_build(int type, SSL *s, uint16_t msg_type, CBB *cbb)
115{
116 const struct tls_extension_funcs *funcs;
117
118 if ((funcs = tls_extension_server_funcs(type)) == NULL)
119 return 0;
120
121 return funcs->build(s, msg_type, cbb);
122}
123
124static int
125tls_extension_server_parse(int type, SSL *s, uint16_t msg_type, CBS *cbs,
126 int *alert)
127{
128 const struct tls_extension_funcs *funcs;
129
130 if ((funcs = tls_extension_server_funcs(type)) == NULL)
131 return 0;
132
133 return funcs->parse(s, msg_type, cbs, alert);
134}
135
28static void 136static void
29hexdump(const unsigned char *buf, size_t len) 137hexdump(const unsigned char *buf, size_t len)
30{ 138{
@@ -120,6 +228,8 @@ const uint8_t tlsext_alpn_single_proto[] = {
120 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31 228 0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
121}; 229};
122 230
231#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
232
123static int 233static int
124test_tlsext_alpn_client(void) 234test_tlsext_alpn_client(void)
125{ 235{
@@ -141,7 +251,8 @@ test_tlsext_alpn_client(void)
141 errx(1, "failed to create SSL"); 251 errx(1, "failed to create SSL");
142 252
143 /* By default, we don't need this */ 253 /* By default, we don't need this */
144 if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 254 if (tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
255 SSL_TLSEXT_MSG_CH)) {
145 FAIL("client should not need ALPN by default\n"); 256 FAIL("client should not need ALPN by default\n");
146 goto err; 257 goto err;
147 } 258 }
@@ -158,14 +269,16 @@ test_tlsext_alpn_client(void)
158 FAIL("should be able to set ALPN to http/1.1\n"); 269 FAIL("should be able to set ALPN to http/1.1\n");
159 goto err; 270 goto err;
160 } 271 }
161 if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 272 if (!tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
162 FAIL("client should need ALPN by now\n"); 273 SSL_TLSEXT_MSG_CH)) {
274 FAIL("client should need ALPN by default\n");
163 goto err; 275 goto err;
164 } 276 }
165 277
166 /* Make sure we can build the client with a single proto. */ 278 /* Make sure we can build the client with a single proto. */
167 279
168 if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 280 if (!tls_extension_client_build(TLSEXT_TYPE_alpn, ssl,
281 SSL_TLSEXT_MSG_CH, &cbb)) {
169 FAIL("client failed to build ALPN\n"); 282 FAIL("client failed to build ALPN\n");
170 goto err; 283 goto err;
171 } 284 }
@@ -196,7 +309,8 @@ test_tlsext_alpn_client(void)
196 309
197 CBS_init(&cbs, tlsext_alpn_single_proto, 310 CBS_init(&cbs, tlsext_alpn_single_proto,
198 sizeof(tlsext_alpn_single_proto)); 311 sizeof(tlsext_alpn_single_proto));
199 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 312 if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
313 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
200 FAIL("failed to parse ALPN\n"); 314 FAIL("failed to parse ALPN\n");
201 goto err; 315 goto err;
202 } 316 }
@@ -232,12 +346,14 @@ test_tlsext_alpn_client(void)
232 FAIL("should be able to set ALPN to http/1.1\n"); 346 FAIL("should be able to set ALPN to http/1.1\n");
233 goto err; 347 goto err;
234 } 348 }
235 if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 349 if (!tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
350 SSL_TLSEXT_MSG_CH)) {
236 FAIL("client should need ALPN by now\n"); 351 FAIL("client should need ALPN by now\n");
237 goto err; 352 goto err;
238 } 353 }
239 354
240 if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 355 if (!tls_extension_client_build(TLSEXT_TYPE_alpn, ssl,
356 SSL_TLSEXT_MSG_CH, &cbb)) {
241 FAIL("client failed to build ALPN\n"); 357 FAIL("client failed to build ALPN\n");
242 goto err; 358 goto err;
243 } 359 }
@@ -263,7 +379,8 @@ test_tlsext_alpn_client(void)
263 379
264 CBS_init(&cbs, tlsext_alpn_multiple_protos, 380 CBS_init(&cbs, tlsext_alpn_multiple_protos,
265 sizeof(tlsext_alpn_multiple_protos)); 381 sizeof(tlsext_alpn_multiple_protos));
266 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 382 if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
383 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
267 FAIL("failed to parse ALPN\n"); 384 FAIL("failed to parse ALPN\n");
268 goto err; 385 goto err;
269 } 386 }
@@ -298,7 +415,8 @@ test_tlsext_alpn_client(void)
298 ssl->internal->alpn_client_proto_list = NULL; 415 ssl->internal->alpn_client_proto_list = NULL;
299 ssl->internal->alpn_client_proto_list_len = 0; 416 ssl->internal->alpn_client_proto_list_len = 0;
300 417
301 if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 418 if (tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
419 SSL_TLSEXT_MSG_CH)) {
302 FAIL("client should need ALPN by default\n"); 420 FAIL("client should need ALPN by default\n");
303 goto err; 421 goto err;
304 } 422 }
@@ -335,7 +453,8 @@ test_tlsext_alpn_server(void)
335 errx(1, "failed to create SSL"); 453 errx(1, "failed to create SSL");
336 454
337 /* By default, ALPN isn't needed. */ 455 /* By default, ALPN isn't needed. */
338 if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 456 if (tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
457 SSL_TLSEXT_MSG_SH)) {
339 FAIL("server should not need ALPN by default\n"); 458 FAIL("server should not need ALPN by default\n");
340 goto err; 459 goto err;
341 } 460 }
@@ -353,14 +472,16 @@ test_tlsext_alpn_server(void)
353 sizeof(tlsext_alpn_single_proto_name)); 472 sizeof(tlsext_alpn_single_proto_name));
354 ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name); 473 ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
355 474
356 if (!tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 475 if (!tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
476 SSL_TLSEXT_MSG_SH)) {
357 FAIL("server should need ALPN after a protocol is selected\n"); 477 FAIL("server should need ALPN after a protocol is selected\n");
358 goto err; 478 goto err;
359 } 479 }
360 480
361 /* Make sure we can build a server with one protocol */ 481 /* Make sure we can build a server with one protocol */
362 482
363 if (!tlsext_alpn_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 483 if (!tls_extension_server_build(TLSEXT_TYPE_alpn, ssl,
484 SSL_TLSEXT_MSG_SH, &cbb)) {
364 FAIL("server should be able to build a response\n"); 485 FAIL("server should be able to build a response\n");
365 goto err; 486 goto err;
366 } 487 }
@@ -393,7 +514,8 @@ test_tlsext_alpn_server(void)
393 sizeof(tlsext_alpn_single_proto)); 514 sizeof(tlsext_alpn_single_proto));
394 515
395 /* Shouldn't be able to parse without requesting */ 516 /* Shouldn't be able to parse without requesting */
396 if (tlsext_alpn_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 517 if (tls_extension_client_parse(TLSEXT_TYPE_alpn, ssl, SSL_TLSEXT_MSG_SH,
518 &cbs, &alert)) {
397 FAIL("Should only parse server if we requested it\n"); 519 FAIL("Should only parse server if we requested it\n");
398 goto err; 520 goto err;
399 } 521 }
@@ -404,7 +526,8 @@ test_tlsext_alpn_server(void)
404 FAIL("should be able to set ALPN to http/1.1\n"); 526 FAIL("should be able to set ALPN to http/1.1\n");
405 goto err; 527 goto err;
406 } 528 }
407 if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 529 if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
530 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
408 FAIL("Should be able to parse server when we request it\n"); 531 FAIL("Should be able to parse server when we request it\n");
409 goto err; 532 goto err;
410 } 533 }
@@ -447,7 +570,8 @@ test_tlsext_alpn_server(void)
447 ssl->s3->alpn_selected = NULL; 570 ssl->s3->alpn_selected = NULL;
448 ssl->s3->alpn_selected_len = 0; 571 ssl->s3->alpn_selected_len = 0;
449 572
450 if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 573 if (tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
574 SSL_TLSEXT_MSG_SH)) {
451 FAIL("server should need ALPN by default\n"); 575 FAIL("server should need ALPN by default\n");
452 goto err; 576 goto err;
453 } 577 }
@@ -521,7 +645,8 @@ test_tlsext_supportedgroups_client(void)
521 /* 645 /*
522 * Default ciphers include EC so we need it by default. 646 * Default ciphers include EC so we need it by default.
523 */ 647 */
524 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 648 if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
649 SSL_TLSEXT_MSG_CH)) {
525 FAIL("client should need Ellipticcurves for default " 650 FAIL("client should need Ellipticcurves for default "
526 "ciphers\n"); 651 "ciphers\n");
527 goto err; 652 goto err;
@@ -534,7 +659,8 @@ test_tlsext_supportedgroups_client(void)
534 FAIL("client should be able to set cipher list\n"); 659 FAIL("client should be able to set cipher list\n");
535 goto err; 660 goto err;
536 } 661 }
537 if (tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 662 if (tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
663 SSL_TLSEXT_MSG_CH)) {
538 FAIL("client should not need Ellipticcurves\n"); 664 FAIL("client should not need Ellipticcurves\n");
539 goto err; 665 goto err;
540 } 666 }
@@ -546,7 +672,8 @@ test_tlsext_supportedgroups_client(void)
546 FAIL("client should be able to set cipher list\n"); 672 FAIL("client should be able to set cipher list\n");
547 goto err; 673 goto err;
548 } 674 }
549 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 675 if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
676 SSL_TLSEXT_MSG_CH)) {
550 FAIL("client should need Ellipticcurves\n"); 677 FAIL("client should need Ellipticcurves\n");
551 goto err; 678 goto err;
552 } 679 }
@@ -567,12 +694,14 @@ test_tlsext_supportedgroups_client(void)
567 goto err; 694 goto err;
568 ssl->session->tlsext_supportedgroups_length = 1; 695 ssl->session->tlsext_supportedgroups_length = 1;
569 696
570 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 697 if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
698 SSL_TLSEXT_MSG_CH)) {
571 FAIL("client should need Ellipticcurves\n"); 699 FAIL("client should need Ellipticcurves\n");
572 goto err; 700 goto err;
573 } 701 }
574 702
575 if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 703 if (!tls_extension_client_build(TLSEXT_TYPE_supported_groups, ssl,
704 SSL_TLSEXT_MSG_CH, &cbb)) {
576 FAIL("client failed to build Ellipticcurves\n"); 705 FAIL("client failed to build Ellipticcurves\n");
577 goto err; 706 goto err;
578 } 707 }
@@ -610,7 +739,8 @@ test_tlsext_supportedgroups_client(void)
610 739
611 CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1, 740 CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
612 sizeof(tlsext_supportedgroups_client_secp384r1)); 741 sizeof(tlsext_supportedgroups_client_secp384r1));
613 if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 742 if (!tls_extension_server_parse(TLSEXT_TYPE_supported_groups, ssl,
743 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
614 FAIL("failed to parse client Ellipticcurves\n"); 744 FAIL("failed to parse client Ellipticcurves\n");
615 goto err; 745 goto err;
616 } 746 }
@@ -660,12 +790,14 @@ test_tlsext_supportedgroups_client(void)
660 goto err; 790 goto err;
661 ssl->internal->tlsext_supportedgroups_length = 2; 791 ssl->internal->tlsext_supportedgroups_length = 2;
662 792
663 if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 793 if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
794 SSL_TLSEXT_MSG_CH)) {
664 FAIL("client should need Ellipticcurves\n"); 795 FAIL("client should need Ellipticcurves\n");
665 goto err; 796 goto err;
666 } 797 }
667 798
668 if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 799 if (!tls_extension_client_build(TLSEXT_TYPE_supported_groups, ssl,
800 SSL_TLSEXT_MSG_CH, &cbb)) {
669 FAIL("client failed to build Ellipticcurves\n"); 801 FAIL("client failed to build Ellipticcurves\n");
670 goto err; 802 goto err;
671 } 803 }
@@ -714,7 +846,8 @@ test_tlsext_supportedgroups_client(void)
714 846
715 CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224, 847 CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
716 sizeof(tlsext_supportedgroups_client_nistp192and224)); 848 sizeof(tlsext_supportedgroups_client_nistp192and224));
717 if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 849 if (!tls_extension_server_parse(TLSEXT_TYPE_supported_groups, ssl,
850 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
718 FAIL("failed to parse client Ellipticcurves\n"); 851 FAIL("failed to parse client Ellipticcurves\n");
719 goto err; 852 goto err;
720 } 853 }
@@ -767,7 +900,8 @@ test_tlsext_supportedgroups_server(void)
767 if ((ssl = SSL_new(ssl_ctx)) == NULL) 900 if ((ssl = SSL_new(ssl_ctx)) == NULL)
768 errx(1, "failed to create SSL"); 901 errx(1, "failed to create SSL");
769 902
770 if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 903 if (tls_extension_server_needs(TLSEXT_TYPE_supported_groups, ssl,
904 SSL_TLSEXT_MSG_SH)) {
771 FAIL("server should not need elliptic_curves\n"); 905 FAIL("server should not need elliptic_curves\n");
772 goto err; 906 goto err;
773 } 907 }
@@ -775,7 +909,8 @@ test_tlsext_supportedgroups_server(void)
775 if ((ssl->session = SSL_SESSION_new()) == NULL) 909 if ((ssl->session = SSL_SESSION_new()) == NULL)
776 errx(1, "failed to create session"); 910 errx(1, "failed to create session");
777 911
778 if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 912 if (tls_extension_server_needs(TLSEXT_TYPE_supported_groups, ssl,
913 SSL_TLSEXT_MSG_SH)) {
779 FAIL("server should not need elliptic_curves\n"); 914 FAIL("server should not need elliptic_curves\n");
780 goto err; 915 goto err;
781 } 916 }
@@ -845,7 +980,8 @@ test_tlsext_ecpf_client(void)
845 /* 980 /*
846 * Default ciphers include EC so we need it by default. 981 * Default ciphers include EC so we need it by default.
847 */ 982 */
848 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 983 if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
984 SSL_TLSEXT_MSG_CH)) {
849 FAIL("client should need ECPointFormats for default " 985 FAIL("client should need ECPointFormats for default "
850 "ciphers\n"); 986 "ciphers\n");
851 goto err; 987 goto err;
@@ -858,7 +994,8 @@ test_tlsext_ecpf_client(void)
858 FAIL("client should be able to set cipher list\n"); 994 FAIL("client should be able to set cipher list\n");
859 goto err; 995 goto err;
860 } 996 }
861 if (tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 997 if (tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
998 SSL_TLSEXT_MSG_CH)) {
862 FAIL("client should not need ECPointFormats\n"); 999 FAIL("client should not need ECPointFormats\n");
863 goto err; 1000 goto err;
864 } 1001 }
@@ -870,7 +1007,8 @@ test_tlsext_ecpf_client(void)
870 FAIL("client should be able to set cipher list\n"); 1007 FAIL("client should be able to set cipher list\n");
871 goto err; 1008 goto err;
872 } 1009 }
873 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1010 if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
1011 SSL_TLSEXT_MSG_CH)) {
874 FAIL("client should need ECPointFormats\n"); 1012 FAIL("client should need ECPointFormats\n");
875 goto err; 1013 goto err;
876 } 1014 }
@@ -881,7 +1019,8 @@ test_tlsext_ecpf_client(void)
881 if ((ssl->session = SSL_SESSION_new()) == NULL) 1019 if ((ssl->session = SSL_SESSION_new()) == NULL)
882 errx(1, "failed to create session"); 1020 errx(1, "failed to create session");
883 1021
884 if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 1022 if (!tls_extension_client_build(TLSEXT_TYPE_ec_point_formats, ssl,
1023 SSL_TLSEXT_MSG_CH, &cbb)) {
885 FAIL("client failed to build ECPointFormats\n"); 1024 FAIL("client failed to build ECPointFormats\n");
886 goto err; 1025 goto err;
887 } 1026 }
@@ -919,7 +1058,8 @@ test_tlsext_ecpf_client(void)
919 1058
920 CBS_init(&cbs, tlsext_ecpf_hello_uncompressed, 1059 CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
921 sizeof(tlsext_ecpf_hello_uncompressed)); 1060 sizeof(tlsext_ecpf_hello_uncompressed));
922 if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1061 if (!tls_extension_server_parse(TLSEXT_TYPE_ec_point_formats, ssl,
1062 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
923 FAIL("failed to parse client ECPointFormats\n"); 1063 FAIL("failed to parse client ECPointFormats\n");
924 goto err; 1064 goto err;
925 } 1065 }
@@ -963,13 +1103,15 @@ test_tlsext_ecpf_client(void)
963 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1103 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
964 ssl->internal->tlsext_ecpointformatlist_length = 3; 1104 ssl->internal->tlsext_ecpointformatlist_length = 3;
965 1105
966 if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1106 if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
1107 SSL_TLSEXT_MSG_CH)) {
967 FAIL("client should need ECPointFormats with a custom " 1108 FAIL("client should need ECPointFormats with a custom "
968 "format\n"); 1109 "format\n");
969 goto err; 1110 goto err;
970 } 1111 }
971 1112
972 if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 1113 if (!tls_extension_client_build(TLSEXT_TYPE_ec_point_formats, ssl,
1114 SSL_TLSEXT_MSG_CH, &cbb)) {
973 FAIL("client failed to build ECPointFormats\n"); 1115 FAIL("client failed to build ECPointFormats\n");
974 goto err; 1116 goto err;
975 } 1117 }
@@ -1012,7 +1154,8 @@ test_tlsext_ecpf_client(void)
1012 1154
1013 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order, 1155 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1014 sizeof(tlsext_ecpf_hello_prefer_order)); 1156 sizeof(tlsext_ecpf_hello_prefer_order));
1015 if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1157 if (!tls_extension_server_parse(TLSEXT_TYPE_ec_point_formats, ssl,
1158 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1016 FAIL("failed to parse client ECPointFormats\n"); 1159 FAIL("failed to parse client ECPointFormats\n");
1017 goto err; 1160 goto err;
1018 } 1161 }
@@ -1085,7 +1228,7 @@ test_tlsext_ecpf_server(void)
1085 ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; 1228 ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
1086 ssl->session->tlsext_ecpointformatlist_length = 1; 1229 ssl->session->tlsext_ecpointformatlist_length = 1;
1087 1230
1088 if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1231 if (!tls_extension_server_needs(TLSEXT_TYPE_ec_point_formats, ssl, SSL_TLSEXT_MSG_SH)) {
1089 FAIL("server should need ECPointFormats now\n"); 1232 FAIL("server should need ECPointFormats now\n");
1090 goto err; 1233 goto err;
1091 } 1234 }
@@ -1094,7 +1237,8 @@ test_tlsext_ecpf_server(void)
1094 * The server will ignore the session list and use either a custom 1237 * The server will ignore the session list and use either a custom
1095 * list or the default (uncompressed). 1238 * list or the default (uncompressed).
1096 */ 1239 */
1097 if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 1240 if (!tls_extension_server_build(TLSEXT_TYPE_ec_point_formats, ssl,
1241 SSL_TLSEXT_MSG_SH, &cbb)) {
1098 FAIL("server failed to build ECPointFormats\n"); 1242 FAIL("server failed to build ECPointFormats\n");
1099 goto err; 1243 goto err;
1100 } 1244 }
@@ -1132,7 +1276,8 @@ test_tlsext_ecpf_server(void)
1132 1276
1133 CBS_init(&cbs, tlsext_ecpf_hello_prime, 1277 CBS_init(&cbs, tlsext_ecpf_hello_prime,
1134 sizeof(tlsext_ecpf_hello_prime)); 1278 sizeof(tlsext_ecpf_hello_prime));
1135 if (tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 1279 if (tls_extension_client_parse(TLSEXT_TYPE_ec_point_formats, ssl,
1280 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1136 FAIL("must include uncompressed in server ECPointFormats\n"); 1281 FAIL("must include uncompressed in server ECPointFormats\n");
1137 goto err; 1282 goto err;
1138 } 1283 }
@@ -1172,12 +1317,13 @@ test_tlsext_ecpf_server(void)
1172 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; 1317 ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
1173 ssl->internal->tlsext_ecpointformatlist_length = 3; 1318 ssl->internal->tlsext_ecpointformatlist_length = 3;
1174 1319
1175 if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1320 if (!tls_extension_server_needs(TLSEXT_TYPE_ec_point_formats, ssl, SSL_TLSEXT_MSG_SH)) {
1176 FAIL("server should need ECPointFormats\n"); 1321 FAIL("server should need ECPointFormats\n");
1177 goto err; 1322 goto err;
1178 } 1323 }
1179 1324
1180 if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 1325 if (!tls_extension_server_build(TLSEXT_TYPE_ec_point_formats, ssl,
1326 SSL_TLSEXT_MSG_SH, &cbb)) {
1181 FAIL("server failed to build ECPointFormats\n"); 1327 FAIL("server failed to build ECPointFormats\n");
1182 goto err; 1328 goto err;
1183 } 1329 }
@@ -1220,7 +1366,8 @@ test_tlsext_ecpf_server(void)
1220 1366
1221 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order, 1367 CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
1222 sizeof(tlsext_ecpf_hello_prefer_order)); 1368 sizeof(tlsext_ecpf_hello_prefer_order));
1223 if (!tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 1369 if (!tls_extension_client_parse(TLSEXT_TYPE_ec_point_formats, ssl,
1370 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1224 FAIL("failed to parse server ECPointFormats\n"); 1371 FAIL("failed to parse server ECPointFormats\n");
1225 goto err; 1372 goto err;
1226 } 1373 }
@@ -1303,7 +1450,8 @@ test_tlsext_ri_client(void)
1303 if ((ssl = SSL_new(ssl_ctx)) == NULL) 1450 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1304 errx(1, "failed to create SSL"); 1451 errx(1, "failed to create SSL");
1305 1452
1306 if (tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1453 if (tls_extension_client_needs(TLSEXT_TYPE_renegotiate, ssl,
1454 SSL_TLSEXT_MSG_CH)) {
1307 FAIL("client should not need RI\n"); 1455 FAIL("client should not need RI\n");
1308 goto err; 1456 goto err;
1309 } 1457 }
@@ -1313,7 +1461,8 @@ test_tlsext_ri_client(void)
1313 goto err; 1461 goto err;
1314 } 1462 }
1315 1463
1316 if (!tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1464 if (!tls_extension_client_needs(TLSEXT_TYPE_renegotiate, ssl,
1465 SSL_TLSEXT_MSG_CH)) {
1317 FAIL("client should need RI\n"); 1466 FAIL("client should need RI\n");
1318 goto err; 1467 goto err;
1319 } 1468 }
@@ -1324,7 +1473,8 @@ test_tlsext_ri_client(void)
1324 1473
1325 ssl->s3->renegotiate_seen = 0; 1474 ssl->s3->renegotiate_seen = 0;
1326 1475
1327 if (!tlsext_ri_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 1476 if (!tls_extension_client_build(TLSEXT_TYPE_renegotiate, ssl,
1477 SSL_TLSEXT_MSG_CH, &cbb)) {
1328 FAIL("client failed to build RI\n"); 1478 FAIL("client failed to build RI\n");
1329 goto err; 1479 goto err;
1330 } 1480 }
@@ -1348,7 +1498,8 @@ test_tlsext_ri_client(void)
1348 } 1498 }
1349 1499
1350 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client)); 1500 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1351 if (!tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1501 if (!tls_extension_server_parse(TLSEXT_TYPE_renegotiate, ssl,
1502 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1352 FAIL("failed to parse client RI\n"); 1503 FAIL("failed to parse client RI\n");
1353 goto err; 1504 goto err;
1354 } 1505 }
@@ -1372,7 +1523,8 @@ test_tlsext_ri_client(void)
1372 ssl->s3->renegotiate_seen = 0; 1523 ssl->s3->renegotiate_seen = 0;
1373 1524
1374 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client)); 1525 CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
1375 if (tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1526 if (tls_extension_server_parse(TLSEXT_TYPE_renegotiate, ssl,
1527 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1376 FAIL("parsed invalid client RI\n"); 1528 FAIL("parsed invalid client RI\n");
1377 failure = 1; 1529 failure = 1;
1378 goto err; 1530 goto err;
@@ -1416,14 +1568,16 @@ test_tlsext_ri_server(void)
1416 errx(1, "failed to create SSL"); 1568 errx(1, "failed to create SSL");
1417 1569
1418 ssl->version = TLS1_2_VERSION; 1570 ssl->version = TLS1_2_VERSION;
1419 if (tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1571 if (tls_extension_server_needs(TLSEXT_TYPE_renegotiate, ssl,
1572 SSL_TLSEXT_MSG_SH)) {
1420 FAIL("server should not need RI\n"); 1573 FAIL("server should not need RI\n");
1421 goto err; 1574 goto err;
1422 } 1575 }
1423 1576
1424 ssl->s3->send_connection_binding = 1; 1577 ssl->s3->send_connection_binding = 1;
1425 1578
1426 if (!tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1579 if (!tls_extension_server_needs(TLSEXT_TYPE_renegotiate, ssl,
1580 SSL_TLSEXT_MSG_SH)) {
1427 FAIL("server should need RI\n"); 1581 FAIL("server should need RI\n");
1428 goto err; 1582 goto err;
1429 } 1583 }
@@ -1438,7 +1592,8 @@ test_tlsext_ri_server(void)
1438 1592
1439 ssl->s3->renegotiate_seen = 0; 1593 ssl->s3->renegotiate_seen = 0;
1440 1594
1441 if (!tlsext_ri_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 1595 if (!tls_extension_server_build(TLSEXT_TYPE_renegotiate, ssl,
1596 SSL_TLSEXT_MSG_SH, &cbb)) {
1442 FAIL("server failed to build RI\n"); 1597 FAIL("server failed to build RI\n");
1443 goto err; 1598 goto err;
1444 } 1599 }
@@ -1462,7 +1617,8 @@ test_tlsext_ri_server(void)
1462 } 1617 }
1463 1618
1464 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server)); 1619 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1465 if (!tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 1620 if (!tls_extension_client_parse(TLSEXT_TYPE_renegotiate, ssl,
1621 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1466 FAIL("failed to parse server RI\n"); 1622 FAIL("failed to parse server RI\n");
1467 goto err; 1623 goto err;
1468 } 1624 }
@@ -1488,7 +1644,8 @@ test_tlsext_ri_server(void)
1488 ssl->s3->renegotiate_seen = 0; 1644 ssl->s3->renegotiate_seen = 0;
1489 1645
1490 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server)); 1646 CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
1491 if (tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 1647 if (tls_extension_client_parse(TLSEXT_TYPE_renegotiate, ssl,
1648 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1492 FAIL("parsed invalid server RI\n"); 1649 FAIL("parsed invalid server RI\n");
1493 goto err; 1650 goto err;
1494 } 1651 }
@@ -1540,7 +1697,8 @@ test_tlsext_sigalgs_client(void)
1540 1697
1541 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION; 1698 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
1542 1699
1543 if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1700 if (tls_extension_client_needs(TLSEXT_TYPE_signature_algorithms, ssl,
1701 SSL_TLSEXT_MSG_CH)) {
1544 fprintf(stderr, "FAIL: client should not need sigalgs\n"); 1702 fprintf(stderr, "FAIL: client should not need sigalgs\n");
1545 failure = 1; 1703 failure = 1;
1546 goto done; 1704 goto done;
@@ -1548,14 +1706,16 @@ test_tlsext_sigalgs_client(void)
1548 1706
1549 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 1707 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
1550 1708
1551 if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1709 if (!tls_extension_client_needs(TLSEXT_TYPE_signature_algorithms, ssl,
1552 fprintf(stderr, "FAIL: client should need sigalgs\n"); 1710 SSL_TLSEXT_MSG_CH)) {
1711 fprintf(stderr, "FAIL: client should need sigalgsn");
1553 failure = 1; 1712 failure = 1;
1554 goto done; 1713 goto done;
1555 } 1714 }
1556 1715
1557 if (!tlsext_sigalgs_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 1716 if (!tls_extension_client_build(TLSEXT_TYPE_signature_algorithms, ssl,
1558 fprintf(stderr, "FAIL: client failed to build sigalgs\n"); 1717 SSL_TLSEXT_MSG_CH, &cbb)) {
1718 fprintf(stderr, "FAIL: client failed to build sigalgsn");
1559 failure = 1; 1719 failure = 1;
1560 goto done; 1720 goto done;
1561 } 1721 }
@@ -1564,7 +1724,7 @@ test_tlsext_sigalgs_client(void)
1564 errx(1, "failed to finish CBB"); 1724 errx(1, "failed to finish CBB");
1565 1725
1566 if (dlen != sizeof(tlsext_sigalgs_client)) { 1726 if (dlen != sizeof(tlsext_sigalgs_client)) {
1567 fprintf(stderr, "FAIL: got client sigalgs with length %zu, " 1727 fprintf(stderr, "FAIL: got client sigalgs length %zu, "
1568 "want length %zu\n", dlen, sizeof(tlsext_sigalgs_client)); 1728 "want length %zu\n", dlen, sizeof(tlsext_sigalgs_client));
1569 failure = 1; 1729 failure = 1;
1570 goto done; 1730 goto done;
@@ -1581,7 +1741,8 @@ test_tlsext_sigalgs_client(void)
1581 } 1741 }
1582 1742
1583 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client)); 1743 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1584 if (!tlsext_sigalgs_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1744 if (!tls_extension_server_parse(TLSEXT_TYPE_signature_algorithms, ssl,
1745 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1585 fprintf(stderr, "FAIL: failed to parse client SNI\n"); 1746 fprintf(stderr, "FAIL: failed to parse client SNI\n");
1586 failure = 1; 1747 failure = 1;
1587 goto done; 1748 goto done;
@@ -1620,13 +1781,13 @@ test_tlsext_sigalgs_server(void)
1620 if ((ssl = SSL_new(ssl_ctx)) == NULL) 1781 if ((ssl = SSL_new(ssl_ctx)) == NULL)
1621 errx(1, "failed to create SSL"); 1782 errx(1, "failed to create SSL");
1622 1783
1623 if (tlsext_sigalgs_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1784 if (tls_extension_server_needs(sigalgs, ssl, SSL_TLSEXT_MSG_SH)) {
1624 fprintf(stderr, "FAIL: server should not need sigalgs\n"); 1785 fprintf(stderr, "FAIL: server should not need sigalgs\n");
1625 failure = 1; 1786 failure = 1;
1626 goto done; 1787 goto done;
1627 } 1788 }
1628 1789
1629 if (tlsext_sigalgs_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 1790 if (tls_extension_server_build(sigalgs, ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
1630 fprintf(stderr, "FAIL: server should not build sigalgs\n"); 1791 fprintf(stderr, "FAIL: server should not build sigalgs\n");
1631 failure = 1; 1792 failure = 1;
1632 goto done; 1793 goto done;
@@ -1636,7 +1797,8 @@ test_tlsext_sigalgs_server(void)
1636 errx(1, "failed to finish CBB"); 1797 errx(1, "failed to finish CBB");
1637 1798
1638 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client)); 1799 CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
1639 if (tlsext_sigalgs_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 1800 if (tls_extension_client_parse(sigalgs, ssl, SSL_TLSEXT_MSG_SH, &cbs,
1801 &alert)) {
1640 fprintf(stderr, "FAIL: server should not parse sigalgs\n"); 1802 fprintf(stderr, "FAIL: server should not parse sigalgs\n");
1641 failure = 1; 1803 failure = 1;
1642 goto done; 1804 goto done;
@@ -1689,7 +1851,8 @@ test_tlsext_sni_client(void)
1689 1851
1690 CBB_init(&cbb, 0); 1852 CBB_init(&cbb, 0);
1691 1853
1692 if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1854 if (tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
1855 SSL_TLSEXT_MSG_CH)) {
1693 FAIL("client should not need SNI\n"); 1856 FAIL("client should not need SNI\n");
1694 goto err; 1857 goto err;
1695 } 1858 }
@@ -1699,12 +1862,14 @@ test_tlsext_sni_client(void)
1699 goto err; 1862 goto err;
1700 } 1863 }
1701 1864
1702 if (!tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1865 if (!tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
1866 SSL_TLSEXT_MSG_CH)) {
1703 FAIL("client should need SNI\n"); 1867 FAIL("client should need SNI\n");
1704 goto err; 1868 goto err;
1705 } 1869 }
1706 1870
1707 if (!tlsext_sni_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 1871 if (!tls_extension_client_build(TLSEXT_TYPE_server_name, ssl,
1872 SSL_TLSEXT_MSG_CH, &cbb)) {
1708 FAIL("client failed to build SNI\n"); 1873 FAIL("client failed to build SNI\n");
1709 goto err; 1874 goto err;
1710 } 1875 }
@@ -1738,7 +1903,8 @@ test_tlsext_sni_client(void)
1738 goto err; 1903 goto err;
1739 } 1904 }
1740 1905
1741 if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 1906 if (tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
1907 SSL_TLSEXT_MSG_CH)) {
1742 FAIL("client should not need SNI\n"); 1908 FAIL("client should not need SNI\n");
1743 goto err; 1909 goto err;
1744 } 1910 }
@@ -1751,7 +1917,8 @@ test_tlsext_sni_client(void)
1751 ssl->internal->hit = 0; 1917 ssl->internal->hit = 0;
1752 1918
1753 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); 1919 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1754 if (!tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1920 if (!tls_extension_server_parse(TLSEXT_TYPE_server_name, ssl,
1921 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1755 FAIL("failed to parse client SNI\n"); 1922 FAIL("failed to parse client SNI\n");
1756 goto err; 1923 goto err;
1757 } 1924 }
@@ -1783,7 +1950,8 @@ test_tlsext_sni_client(void)
1783 } 1950 }
1784 1951
1785 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client)); 1952 CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
1786 if (tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 1953 if (tls_extension_server_parse(TLSEXT_TYPE_server_name, ssl,
1954 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
1787 FAIL("parsed client with mismatched SNI\n"); 1955 FAIL("parsed client with mismatched SNI\n");
1788 goto err; 1956 goto err;
1789 } 1957 }
@@ -1823,7 +1991,8 @@ test_tlsext_sni_server(void)
1823 if ((ssl->session = SSL_SESSION_new()) == NULL) 1991 if ((ssl->session = SSL_SESSION_new()) == NULL)
1824 errx(1, "failed to create session"); 1992 errx(1, "failed to create session");
1825 1993
1826 if (tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 1994 if (tls_extension_server_needs(TLSEXT_TYPE_server_name, ssl,
1995 SSL_TLSEXT_MSG_SH)) {
1827 FAIL("server should not need SNI\n"); 1996 FAIL("server should not need SNI\n");
1828 goto err; 1997 goto err;
1829 } 1998 }
@@ -1837,12 +2006,14 @@ test_tlsext_sni_server(void)
1837 NULL) 2006 NULL)
1838 errx(1, "failed to strdup tlsext_hostname"); 2007 errx(1, "failed to strdup tlsext_hostname");
1839 2008
1840 if (!tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2009 if (!tls_extension_server_needs(TLSEXT_TYPE_server_name, ssl,
2010 SSL_TLSEXT_MSG_SH)) {
1841 FAIL("server should need SNI\n"); 2011 FAIL("server should need SNI\n");
1842 goto err; 2012 goto err;
1843 } 2013 }
1844 2014
1845 if (!tlsext_sni_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 2015 if (!tls_extension_server_build(TLSEXT_TYPE_server_name, ssl,
2016 SSL_TLSEXT_MSG_SH, &cbb)) {
1846 FAIL("server failed to build SNI\n"); 2017 FAIL("server failed to build SNI\n");
1847 goto err; 2018 goto err;
1848 } 2019 }
@@ -1869,7 +2040,8 @@ test_tlsext_sni_server(void)
1869 ssl->session->tlsext_hostname = NULL; 2040 ssl->session->tlsext_hostname = NULL;
1870 2041
1871 CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server)); 2042 CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server));
1872 if (!tlsext_sni_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 2043 if (!tls_extension_client_parse(TLSEXT_TYPE_server_name, ssl,
2044 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
1873 FAIL("failed to parse server SNI\n"); 2045 FAIL("failed to parse server SNI\n");
1874 goto err; 2046 goto err;
1875 } 2047 }
@@ -1937,8 +2109,8 @@ test_tlsext_quic_transport_parameters_client(void)
1937 2109
1938 CBB_init(&cbb, 0); 2110 CBB_init(&cbb, 0);
1939 2111
1940 if (tlsext_quic_transport_parameters_client_needs(ssl, 2112 if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
1941 SSL_TLSEXT_MSG_CH)) { 2113 ssl, SSL_TLSEXT_MSG_CH)) {
1942 FAIL("client should not need QUIC\n"); 2114 FAIL("client should not need QUIC\n");
1943 goto err; 2115 goto err;
1944 } 2116 }
@@ -1949,8 +2121,8 @@ test_tlsext_quic_transport_parameters_client(void)
1949 goto err; 2121 goto err;
1950 } 2122 }
1951 2123
1952 if (tlsext_quic_transport_parameters_client_needs(ssl, 2124 if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
1953 SSL_TLSEXT_MSG_CH)) { 2125 ssl, SSL_TLSEXT_MSG_CH)) {
1954 FAIL("client should not need QUIC\n"); 2126 FAIL("client should not need QUIC\n");
1955 goto err; 2127 goto err;
1956 } 2128 }
@@ -1958,22 +2130,22 @@ test_tlsext_quic_transport_parameters_client(void)
1958 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 2130 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
1959 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION; 2131 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
1960 2132
1961 if (tlsext_quic_transport_parameters_client_needs(ssl, 2133 if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
1962 SSL_TLSEXT_MSG_CH)) { 2134 ssl, SSL_TLSEXT_MSG_CH)) {
1963 FAIL("client should not need QUIC\n"); 2135 FAIL("client should not need QUIC\n");
1964 goto err; 2136 goto err;
1965 } 2137 }
1966 2138
1967 ssl->quic_method = ssl->method; /* XXX */ 2139 ssl->quic_method = ssl->method; /* XXX */
1968 2140
1969 if (!tlsext_quic_transport_parameters_client_needs(ssl, 2141 if (!tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
1970 SSL_TLSEXT_MSG_CH)) { 2142 ssl, SSL_TLSEXT_MSG_CH)) {
1971 FAIL("client should need QUIC\n"); 2143 FAIL("client should need QUIC\n");
1972 goto err; 2144 goto err;
1973 } 2145 }
1974 2146
1975 if (!tlsext_quic_transport_parameters_client_build(ssl, 2147 if (!tls_extension_client_build(TLSEXT_TYPE_quic_transport_parameters,
1976 SSL_TLSEXT_MSG_CH, &cbb)) { 2148 ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
1977 FAIL("client failed to build QUIC\n"); 2149 FAIL("client failed to build QUIC\n");
1978 goto err; 2150 goto err;
1979 } 2151 }
@@ -2003,8 +2175,8 @@ test_tlsext_quic_transport_parameters_client(void)
2003 CBS_init(&cbs, tlsext_quic_transport_data, 2175 CBS_init(&cbs, tlsext_quic_transport_data,
2004 sizeof(tlsext_quic_transport_data)); 2176 sizeof(tlsext_quic_transport_data));
2005 2177
2006 if (!tlsext_quic_transport_parameters_server_parse(ssl, 2178 if (!tls_extension_server_parse(TLSEXT_TYPE_quic_transport_parameters,
2007 SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 2179 ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2008 FAIL("server_parse of QUIC from server failed\n"); 2180 FAIL("server_parse of QUIC from server failed\n");
2009 goto err; 2181 goto err;
2010 } 2182 }
@@ -2067,8 +2239,8 @@ test_tlsext_quic_transport_parameters_server(void)
2067 if ((ssl = SSL_new(ssl_ctx)) == NULL) 2239 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2068 errx(1, "failed to create SSL"); 2240 errx(1, "failed to create SSL");
2069 2241
2070 if (tlsext_quic_transport_parameters_server_needs(ssl, 2242 if (tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
2071 SSL_TLSEXT_MSG_SH)) { 2243 ssl, SSL_TLSEXT_MSG_SH)) {
2072 FAIL("server should not need QUIC\n"); 2244 FAIL("server should not need QUIC\n");
2073 goto err; 2245 goto err;
2074 } 2246 }
@@ -2079,22 +2251,22 @@ test_tlsext_quic_transport_parameters_server(void)
2079 goto err; 2251 goto err;
2080 } 2252 }
2081 2253
2082 if (tlsext_quic_transport_parameters_server_needs(ssl, 2254 if (tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
2083 SSL_TLSEXT_MSG_EE)) { 2255 ssl, SSL_TLSEXT_MSG_EE)) {
2084 FAIL("server should not need QUIC\n"); 2256 FAIL("server should not need QUIC\n");
2085 goto err; 2257 goto err;
2086 } 2258 }
2087 2259
2088 ssl->quic_method = ssl->method; /* XXX */ 2260 ssl->quic_method = ssl->method; /* XXX */
2089 2261
2090 if (!tlsext_quic_transport_parameters_server_needs(ssl, 2262 if (!tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
2091 SSL_TLSEXT_MSG_EE)) { 2263 ssl, SSL_TLSEXT_MSG_EE)) {
2092 FAIL("server should need QUIC\n"); 2264 FAIL("server should need QUIC\n");
2093 goto err; 2265 goto err;
2094 } 2266 }
2095 2267
2096 if (!tlsext_quic_transport_parameters_server_build(ssl, 2268 if (!tls_extension_server_build(TLSEXT_TYPE_quic_transport_parameters,
2097 SSL_TLSEXT_MSG_EE, &cbb)) { 2269 ssl, SSL_TLSEXT_MSG_EE, &cbb)) {
2098 FAIL("server failed to build QUIC\n"); 2270 FAIL("server failed to build QUIC\n");
2099 goto err; 2271 goto err;
2100 } 2272 }
@@ -2123,16 +2295,16 @@ test_tlsext_quic_transport_parameters_server(void)
2123 2295
2124 ssl->quic_method = NULL; 2296 ssl->quic_method = NULL;
2125 2297
2126 if (tlsext_quic_transport_parameters_client_parse(ssl, 2298 if (tls_extension_client_parse(TLSEXT_TYPE_quic_transport_parameters,
2127 SSL_TLSEXT_MSG_EE, &cbs, &alert)) { 2299 ssl, SSL_TLSEXT_MSG_EE, &cbs, &alert)) {
2128 FAIL("QUIC parse should have failed!\n"); 2300 FAIL("QUIC parse should have failed!\n");
2129 goto err; 2301 goto err;
2130 } 2302 }
2131 2303
2132 ssl->quic_method = ssl->method; /* XXX */ 2304 ssl->quic_method = ssl->method; /* XXX */
2133 2305
2134 if (!tlsext_quic_transport_parameters_client_parse(ssl, 2306 if (!tls_extension_client_parse(TLSEXT_TYPE_quic_transport_parameters,
2135 SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 2307 ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2136 FAIL("client_parse of QUIC from server failed\n"); 2308 FAIL("client_parse of QUIC from server failed\n");
2137 goto err; 2309 goto err;
2138 } 2310 }
@@ -2150,8 +2322,7 @@ test_tlsext_quic_transport_parameters_server(void)
2150 goto err; 2322 goto err;
2151 } 2323 }
2152 2324
2153 if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA, 2325 if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA, out_bytes_len) != 0) {
2154 out_bytes_len) != 0) {
2155 FAIL("client QUIC differs from sent:\n"); 2326 FAIL("client QUIC differs from sent:\n");
2156 fprintf(stderr, "received:\n"); 2327 fprintf(stderr, "received:\n");
2157 hexdump(data, dlen); 2328 hexdump(data, dlen);
@@ -2197,17 +2368,20 @@ test_tlsext_ocsp_client(void)
2197 if ((ssl = SSL_new(ssl_ctx)) == NULL) 2368 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2198 errx(1, "failed to create SSL"); 2369 errx(1, "failed to create SSL");
2199 2370
2200 if (tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2371 if (tls_extension_client_needs(TLSEXT_TYPE_status_request, ssl,
2201 FAIL("client should not need ocsp\n"); 2372 SSL_TLSEXT_MSG_CH)) {
2373 FAIL("client should not need TLSEXT_TYPE_status_request\n");
2202 goto err; 2374 goto err;
2203 } 2375 }
2204 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); 2376 SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
2205 2377
2206 if (!tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2378 if (!tls_extension_client_needs(TLSEXT_TYPE_status_request, ssl,
2207 FAIL("client should need ocsp\n"); 2379 SSL_TLSEXT_MSG_CH)) {
2380 FAIL("client should need TLSEXT_TYPE_status_request\n");
2208 goto err; 2381 goto err;
2209 } 2382 }
2210 if (!tlsext_ocsp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2383 if (!tls_extension_client_build(TLSEXT_TYPE_status_request, ssl,
2384 SSL_TLSEXT_MSG_CH, &cbb)) {
2211 FAIL("client failed to build SNI\n"); 2385 FAIL("client failed to build SNI\n");
2212 goto err; 2386 goto err;
2213 } 2387 }
@@ -2215,13 +2389,13 @@ test_tlsext_ocsp_client(void)
2215 errx(1, "failed to finish CBB"); 2389 errx(1, "failed to finish CBB");
2216 2390
2217 if (dlen != sizeof(tls_ocsp_client_default)) { 2391 if (dlen != sizeof(tls_ocsp_client_default)) {
2218 FAIL("got ocsp client with length %zu, " 2392 FAIL("got TLSEXT_TYPE_status_request client with length %zu, "
2219 "want length %zu\n", dlen, 2393 "want length %zu\n", dlen,
2220 sizeof(tls_ocsp_client_default)); 2394 sizeof(tls_ocsp_client_default));
2221 goto err; 2395 goto err;
2222 } 2396 }
2223 if (memcmp(data, tls_ocsp_client_default, dlen) != 0) { 2397 if (memcmp(data, tls_ocsp_client_default, dlen) != 0) {
2224 FAIL("ocsp client differs:\n"); 2398 FAIL("TLSEXT_TYPE_status_request client differs:\n");
2225 fprintf(stderr, "received:\n"); 2399 fprintf(stderr, "received:\n");
2226 hexdump(data, dlen); 2400 hexdump(data, dlen);
2227 fprintf(stderr, "test data:\n"); 2401 fprintf(stderr, "test data:\n");
@@ -2231,8 +2405,9 @@ test_tlsext_ocsp_client(void)
2231 } 2405 }
2232 CBS_init(&cbs, tls_ocsp_client_default, 2406 CBS_init(&cbs, tls_ocsp_client_default,
2233 sizeof(tls_ocsp_client_default)); 2407 sizeof(tls_ocsp_client_default));
2234 if (!tlsext_ocsp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 2408 if (!tls_extension_server_parse(TLSEXT_TYPE_status_request, ssl,
2235 FAIL("failed to parse ocsp client\n"); 2409 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2410 FAIL("failed to parse TLSEXT_TYPE_status_request client\n");
2236 goto err; 2411 goto err;
2237 } 2412 }
2238 if (CBS_len(&cbs) != 0) { 2413 if (CBS_len(&cbs) != 0) {
@@ -2270,19 +2445,22 @@ test_tlsext_ocsp_server(void)
2270 if ((ssl = SSL_new(ssl_ctx)) == NULL) 2445 if ((ssl = SSL_new(ssl_ctx)) == NULL)
2271 errx(1, "failed to create SSL"); 2446 errx(1, "failed to create SSL");
2272 2447
2273 if (tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2448 if (tls_extension_server_needs(TLSEXT_TYPE_status_request, ssl,
2274 FAIL("server should not need ocsp\n"); 2449 SSL_TLSEXT_MSG_SH)) {
2450 FAIL("server should not need TLSEXT_TYPE_status_request\n");
2275 goto err; 2451 goto err;
2276 } 2452 }
2277 2453
2278 ssl->internal->tlsext_status_expected = 1; 2454 ssl->internal->tlsext_status_expected = 1;
2279 2455
2280 if (!tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2456 if (!tls_extension_server_needs(TLSEXT_TYPE_status_request, ssl,
2281 FAIL("server should need ocsp\n"); 2457 SSL_TLSEXT_MSG_SH)) {
2458 FAIL("server should need TLSEXT_TYPE_status_request\n");
2282 goto err; 2459 goto err;
2283 } 2460 }
2284 if (!tlsext_ocsp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 2461 if (!tls_extension_server_build(TLSEXT_TYPE_status_request, ssl,
2285 FAIL("server failed to build ocsp\n"); 2462 SSL_TLSEXT_MSG_SH, &cbb)) {
2463 FAIL("server failed to build TLSEXT_TYPE_status_request\n");
2286 goto err; 2464 goto err;
2287 } 2465 }
2288 2466
@@ -2337,7 +2515,8 @@ test_tlsext_sessionticket_client(void)
2337 errx(1, "failed to create SSL"); 2515 errx(1, "failed to create SSL");
2338 2516
2339 /* Should need a ticket by default. */ 2517 /* Should need a ticket by default. */
2340 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2518 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2519 SSL_TLSEXT_MSG_CH)) {
2341 FAIL("client should need Sessionticket for default " 2520 FAIL("client should need Sessionticket for default "
2342 "ciphers\n"); 2521 "ciphers\n");
2343 goto err; 2522 goto err;
@@ -2348,7 +2527,8 @@ test_tlsext_sessionticket_client(void)
2348 FAIL("Cannot disable tickets in the TLS connection\n"); 2527 FAIL("Cannot disable tickets in the TLS connection\n");
2349 goto err; 2528 goto err;
2350 } 2529 }
2351 if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2530 if (tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2531 SSL_TLSEXT_MSG_CH)) {
2352 FAIL("client should not need SessionTicket if it was disabled\n"); 2532 FAIL("client should not need SessionTicket if it was disabled\n");
2353 goto err; 2533 goto err;
2354 } 2534 }
@@ -2358,13 +2538,15 @@ test_tlsext_sessionticket_client(void)
2358 FAIL("Cannot re-enable tickets in the TLS connection\n"); 2538 FAIL("Cannot re-enable tickets in the TLS connection\n");
2359 goto err; 2539 goto err;
2360 } 2540 }
2361 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2541 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2542 SSL_TLSEXT_MSG_CH)) {
2362 FAIL("client should need SessionTicket if it was disabled\n"); 2543 FAIL("client should need SessionTicket if it was disabled\n");
2363 goto err; 2544 goto err;
2364 } 2545 }
2365 2546
2366 /* Since we don't have a session, we should build an empty ticket. */ 2547 /* Since we don't have a session, we should build an empty ticket. */
2367 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2548 if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
2549 SSL_TLSEXT_MSG_CH, &cbb)) {
2368 FAIL("Cannot build a ticket\n"); 2550 FAIL("Cannot build a ticket\n");
2369 goto err; 2551 goto err;
2370 } 2552 }
@@ -2385,11 +2567,13 @@ test_tlsext_sessionticket_client(void)
2385 /* With a new session (but no ticket), we should still have 0 length */ 2567 /* With a new session (but no ticket), we should still have 0 length */
2386 if ((ssl->session = SSL_SESSION_new()) == NULL) 2568 if ((ssl->session = SSL_SESSION_new()) == NULL)
2387 errx(1, "failed to create session"); 2569 errx(1, "failed to create session");
2388 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2570 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2571 SSL_TLSEXT_MSG_CH)) {
2389 FAIL("Should still want a session ticket with a new session\n"); 2572 FAIL("Should still want a session ticket with a new session\n");
2390 goto err; 2573 goto err;
2391 } 2574 }
2392 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2575 if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
2576 SSL_TLSEXT_MSG_CH, &cbb)) {
2393 FAIL("Cannot build a ticket\n"); 2577 FAIL("Cannot build a ticket\n");
2394 goto err; 2578 goto err;
2395 } 2579 }
@@ -2419,11 +2603,13 @@ test_tlsext_sessionticket_client(void)
2419 memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy)); 2603 memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy));
2420 ssl->session->tlsext_ticklen = sizeof(dummy); 2604 ssl->session->tlsext_ticklen = sizeof(dummy);
2421 2605
2422 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2606 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2607 SSL_TLSEXT_MSG_CH)) {
2423 FAIL("Should still want a session ticket with a new session\n"); 2608 FAIL("Should still want a session ticket with a new session\n");
2424 goto err; 2609 goto err;
2425 } 2610 }
2426 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2611 if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
2612 SSL_TLSEXT_MSG_CH, &cbb)) {
2427 FAIL("Cannot build a ticket\n"); 2613 FAIL("Cannot build a ticket\n");
2428 goto err; 2614 goto err;
2429 } 2615 }
@@ -2459,7 +2645,8 @@ test_tlsext_sessionticket_client(void)
2459 goto err; 2645 goto err;
2460 } 2646 }
2461 /* Should not need a ticket in this case */ 2647 /* Should not need a ticket in this case */
2462 if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2648 if (tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2649 SSL_TLSEXT_MSG_CH)) {
2463 FAIL("Should not want to use session tickets with a NULL custom\n"); 2650 FAIL("Should not want to use session tickets with a NULL custom\n");
2464 goto err; 2651 goto err;
2465 } 2652 }
@@ -2471,7 +2658,8 @@ test_tlsext_sessionticket_client(void)
2471 free(ssl->internal->tlsext_session_ticket); 2658 free(ssl->internal->tlsext_session_ticket);
2472 ssl->internal->tlsext_session_ticket = NULL; 2659 ssl->internal->tlsext_session_ticket = NULL;
2473 2660
2474 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2661 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2662 SSL_TLSEXT_MSG_CH)) {
2475 FAIL("Should need a session ticket again when the custom one is removed\n"); 2663 FAIL("Should need a session ticket again when the custom one is removed\n");
2476 goto err; 2664 goto err;
2477 } 2665 }
@@ -2482,11 +2670,13 @@ test_tlsext_sessionticket_client(void)
2482 FAIL("Should be able to set a custom ticket\n"); 2670 FAIL("Should be able to set a custom ticket\n");
2483 goto err; 2671 goto err;
2484 } 2672 }
2485 if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2673 if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
2674 SSL_TLSEXT_MSG_CH)) {
2486 FAIL("Should need a session ticket again when the custom one is not empty\n"); 2675 FAIL("Should need a session ticket again when the custom one is not empty\n");
2487 goto err; 2676 goto err;
2488 } 2677 }
2489 if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2678 if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
2679 SSL_TLSEXT_MSG_CH, &cbb)) {
2490 FAIL("Cannot build a ticket with a max length random payload\n"); 2680 FAIL("Cannot build a ticket with a max length random payload\n");
2491 goto err; 2681 goto err;
2492 } 2682 }
@@ -2543,7 +2733,8 @@ test_tlsext_sessionticket_server(void)
2543 * By default, should not need a session ticket since the ticket 2733 * By default, should not need a session ticket since the ticket
2544 * is not yet expected. 2734 * is not yet expected.
2545 */ 2735 */
2546 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2736 if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
2737 SSL_TLSEXT_MSG_SH)) {
2547 FAIL("server should not need SessionTicket by default\n"); 2738 FAIL("server should not need SessionTicket by default\n");
2548 goto err; 2739 goto err;
2549 } 2740 }
@@ -2553,7 +2744,8 @@ test_tlsext_sessionticket_server(void)
2553 FAIL("Cannot disable tickets in the TLS connection\n"); 2744 FAIL("Cannot disable tickets in the TLS connection\n");
2554 goto err; 2745 goto err;
2555 } 2746 }
2556 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2747 if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
2748 SSL_TLSEXT_MSG_SH)) {
2557 FAIL("server should not need SessionTicket if it was disabled\n"); 2749 FAIL("server should not need SessionTicket if it was disabled\n");
2558 goto err; 2750 goto err;
2559 } 2751 }
@@ -2563,20 +2755,23 @@ test_tlsext_sessionticket_server(void)
2563 FAIL("Cannot re-enable tickets in the TLS connection\n"); 2755 FAIL("Cannot re-enable tickets in the TLS connection\n");
2564 goto err; 2756 goto err;
2565 } 2757 }
2566 if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2758 if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
2759 SSL_TLSEXT_MSG_SH)) {
2567 FAIL("server should not need SessionTicket yet\n"); 2760 FAIL("server should not need SessionTicket yet\n");
2568 goto err; 2761 goto err;
2569 } 2762 }
2570 2763
2571 /* Set expected to require it. */ 2764 /* Set expected to require it. */
2572 ssl->internal->tlsext_ticket_expected = 1; 2765 ssl->internal->tlsext_ticket_expected = 1;
2573 if (!tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 2766 if (!tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
2767 SSL_TLSEXT_MSG_SH)) {
2574 FAIL("server should now be required for SessionTicket\n"); 2768 FAIL("server should now be required for SessionTicket\n");
2575 goto err; 2769 goto err;
2576 } 2770 }
2577 2771
2578 /* server hello's session ticket should always be 0 length payload. */ 2772 /* server hello's session ticket should always be 0 length payload. */
2579 if (!tlsext_sessionticket_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 2773 if (!tls_extension_server_build(TLSEXT_TYPE_session_ticket, ssl,
2774 SSL_TLSEXT_MSG_SH, &cbb)) {
2580 FAIL("Cannot build a ticket with a max length random payload\n"); 2775 FAIL("Cannot build a ticket with a max length random payload\n");
2581 goto err; 2776 goto err;
2582 } 2777 }
@@ -2673,7 +2868,8 @@ test_tlsext_srtp_client(void)
2673 errx(1, "failed to create SSL"); 2868 errx(1, "failed to create SSL");
2674 2869
2675 /* By default, we don't need this */ 2870 /* By default, we don't need this */
2676 if (tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2871 if (tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
2872 SSL_TLSEXT_MSG_CH)) {
2677 FAIL("client should not need SRTP by default\n"); 2873 FAIL("client should not need SRTP by default\n");
2678 goto err; 2874 goto err;
2679 } 2875 }
@@ -2682,14 +2878,16 @@ test_tlsext_srtp_client(void)
2682 FAIL("should be able to set a single SRTP\n"); 2878 FAIL("should be able to set a single SRTP\n");
2683 goto err; 2879 goto err;
2684 } 2880 }
2685 if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2881 if (!tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
2882 SSL_TLSEXT_MSG_CH)) {
2686 FAIL("client should need SRTP\n"); 2883 FAIL("client should need SRTP\n");
2687 goto err; 2884 goto err;
2688 } 2885 }
2689 2886
2690 /* Make sure we can build the client with a single profile. */ 2887 /* Make sure we can build the client with a single profile. */
2691 2888
2692 if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2889 if (!tls_extension_client_build(TLSEXT_TYPE_use_srtp, ssl,
2890 SSL_TLSEXT_MSG_CH, &cbb)) {
2693 FAIL("client failed to build SRTP\n"); 2891 FAIL("client failed to build SRTP\n");
2694 goto err; 2892 goto err;
2695 } 2893 }
@@ -2724,7 +2922,8 @@ test_tlsext_srtp_client(void)
2724 } 2922 }
2725 2923
2726 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single)); 2924 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
2727 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 2925 if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
2926 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2728 FAIL("failed to parse SRTP\n"); 2927 FAIL("failed to parse SRTP\n");
2729 goto err; 2928 goto err;
2730 } 2929 }
@@ -2742,7 +2941,8 @@ test_tlsext_srtp_client(void)
2742 goto err; 2941 goto err;
2743 } 2942 }
2744 2943
2745 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2944 if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
2945 SSL_TLSEXT_MSG_CH)) {
2746 FAIL("should send server extension when profile selected\n"); 2946 FAIL("should send server extension when profile selected\n");
2747 goto err; 2947 goto err;
2748 } 2948 }
@@ -2753,12 +2953,14 @@ test_tlsext_srtp_client(void)
2753 FAIL("should be able to set SRTP to multiple profiles\n"); 2953 FAIL("should be able to set SRTP to multiple profiles\n");
2754 goto err; 2954 goto err;
2755 } 2955 }
2756 if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 2956 if (!tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
2957 SSL_TLSEXT_MSG_CH)) {
2757 FAIL("client should need SRTP by now\n"); 2958 FAIL("client should need SRTP by now\n");
2758 goto err; 2959 goto err;
2759 } 2960 }
2760 2961
2761 if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 2962 if (!tls_extension_client_build(TLSEXT_TYPE_use_srtp, ssl,
2963 SSL_TLSEXT_MSG_CH, &cbb)) {
2762 FAIL("client failed to build SRTP\n"); 2964 FAIL("client failed to build SRTP\n");
2763 goto err; 2965 goto err;
2764 } 2966 }
@@ -2791,7 +2993,8 @@ test_tlsext_srtp_client(void)
2791 2993
2792 CBS_init(&cbs, tlsext_srtp_multiple, 2994 CBS_init(&cbs, tlsext_srtp_multiple,
2793 sizeof(tlsext_srtp_multiple)); 2995 sizeof(tlsext_srtp_multiple));
2794 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 2996 if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
2997 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2795 FAIL("failed to parse SRTP\n"); 2998 FAIL("failed to parse SRTP\n");
2796 goto err; 2999 goto err;
2797 } 3000 }
@@ -2809,7 +3012,8 @@ test_tlsext_srtp_client(void)
2809 goto err; 3012 goto err;
2810 } 3013 }
2811 3014
2812 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3015 if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
3016 SSL_TLSEXT_MSG_CH)) {
2813 FAIL("should send server extension when profile selected\n"); 3017 FAIL("should send server extension when profile selected\n");
2814 goto err; 3018 goto err;
2815 } 3019 }
@@ -2822,7 +3026,8 @@ test_tlsext_srtp_client(void)
2822 3026
2823 CBS_init(&cbs, tlsext_srtp_multiple_one_valid, 3027 CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
2824 sizeof(tlsext_srtp_multiple_one_valid)); 3028 sizeof(tlsext_srtp_multiple_one_valid));
2825 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 3029 if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
3030 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2826 FAIL("failed to parse SRTP\n"); 3031 FAIL("failed to parse SRTP\n");
2827 goto err; 3032 goto err;
2828 } 3033 }
@@ -2840,7 +3045,8 @@ test_tlsext_srtp_client(void)
2840 goto err; 3045 goto err;
2841 } 3046 }
2842 3047
2843 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3048 if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
3049 SSL_TLSEXT_MSG_CH)) {
2844 FAIL("should send server extension when profile selected\n"); 3050 FAIL("should send server extension when profile selected\n");
2845 goto err; 3051 goto err;
2846 } 3052 }
@@ -2851,7 +3057,8 @@ test_tlsext_srtp_client(void)
2851 3057
2852 CBS_init(&cbs, tlsext_srtp_multiple_invalid, 3058 CBS_init(&cbs, tlsext_srtp_multiple_invalid,
2853 sizeof(tlsext_srtp_multiple_invalid)); 3059 sizeof(tlsext_srtp_multiple_invalid));
2854 if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 3060 if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
3061 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
2855 FAIL("should be able to fall back to negotiated\n"); 3062 FAIL("should be able to fall back to negotiated\n");
2856 goto err; 3063 goto err;
2857 } 3064 }
@@ -2865,7 +3072,8 @@ test_tlsext_srtp_client(void)
2865 FAIL("should not have selected a profile when none found\n"); 3072 FAIL("should not have selected a profile when none found\n");
2866 goto err; 3073 goto err;
2867 } 3074 }
2868 if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3075 if (tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
3076 SSL_TLSEXT_MSG_CH)) {
2869 FAIL("should not send server tlsext when no profile found\n"); 3077 FAIL("should not send server tlsext when no profile found\n");
2870 goto err; 3078 goto err;
2871 } 3079 }
@@ -2904,7 +3112,8 @@ test_tlsext_srtp_server(void)
2904 errx(1, "failed to create SSL"); 3112 errx(1, "failed to create SSL");
2905 3113
2906 /* By default, we don't need this */ 3114 /* By default, we don't need this */
2907 if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3115 if (tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
3116 SSL_TLSEXT_MSG_SH)) {
2908 FAIL("server should not need SRTP by default\n"); 3117 FAIL("server should not need SRTP by default\n");
2909 goto err; 3118 goto err;
2910 } 3119 }
@@ -2915,14 +3124,16 @@ test_tlsext_srtp_server(void)
2915 goto err; 3124 goto err;
2916 } 3125 }
2917 ssl->internal->srtp_profile = prof; 3126 ssl->internal->srtp_profile = prof;
2918 if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3127 if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
3128 SSL_TLSEXT_MSG_SH)) {
2919 FAIL("server should need SRTP by now\n"); 3129 FAIL("server should need SRTP by now\n");
2920 goto err; 3130 goto err;
2921 } 3131 }
2922 3132
2923 /* Make sure we can build the server with a single profile. */ 3133 /* Make sure we can build the server with a single profile. */
2924 3134
2925 if (!tlsext_srtp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 3135 if (!tls_extension_server_build(TLSEXT_TYPE_use_srtp, ssl,
3136 SSL_TLSEXT_MSG_SH, &cbb)) {
2926 FAIL("server failed to build SRTP\n"); 3137 FAIL("server failed to build SRTP\n");
2927 goto err; 3138 goto err;
2928 } 3139 }
@@ -2964,7 +3175,8 @@ test_tlsext_srtp_server(void)
2964 } 3175 }
2965 3176
2966 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single)); 3177 CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
2967 if (!tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 3178 if (!tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
3179 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2968 FAIL("failed to parse SRTP\n"); 3180 FAIL("failed to parse SRTP\n");
2969 goto err; 3181 goto err;
2970 } 3182 }
@@ -2987,7 +3199,8 @@ test_tlsext_srtp_server(void)
2987 3199
2988 CBS_init(&cbs, tlsext_srtp_multiple, 3200 CBS_init(&cbs, tlsext_srtp_multiple,
2989 sizeof(tlsext_srtp_multiple)); 3201 sizeof(tlsext_srtp_multiple));
2990 if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 3202 if (tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
3203 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
2991 FAIL("should not find multiple entries from the server\n"); 3204 FAIL("should not find multiple entries from the server\n");
2992 goto err; 3205 goto err;
2993 } 3206 }
@@ -2997,7 +3210,8 @@ test_tlsext_srtp_server(void)
2997 3210
2998 CBS_init(&cbs, tlsext_srtp_single_invalid, 3211 CBS_init(&cbs, tlsext_srtp_single_invalid,
2999 sizeof(tlsext_srtp_single_invalid)); 3212 sizeof(tlsext_srtp_single_invalid));
3000 if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 3213 if (tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
3214 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3001 FAIL("should not be able to parse this\n"); 3215 FAIL("should not be able to parse this\n");
3002 goto err; 3216 goto err;
3003 } 3217 }
@@ -3280,7 +3494,8 @@ test_tlsext_versions_client(void)
3280 3494
3281 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION; 3495 ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
3282 3496
3283 if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3497 if (tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
3498 SSL_TLSEXT_MSG_CH)) {
3284 FAIL("client should not need versions\n"); 3499 FAIL("client should not need versions\n");
3285 failure = 1; 3500 failure = 1;
3286 goto done; 3501 goto done;
@@ -3288,7 +3503,8 @@ test_tlsext_versions_client(void)
3288 3503
3289 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 3504 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3290 3505
3291 if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3506 if (tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
3507 SSL_TLSEXT_MSG_CH)) {
3292 FAIL("client should not need versions\n"); 3508 FAIL("client should not need versions\n");
3293 failure = 1; 3509 failure = 1;
3294 goto done; 3510 goto done;
@@ -3296,7 +3512,8 @@ test_tlsext_versions_client(void)
3296 3512
3297 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 3513 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3298 3514
3299 if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3515 if (!tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
3516 SSL_TLSEXT_MSG_CH)) {
3300 FAIL("client should need versions\n"); 3517 FAIL("client should need versions\n");
3301 failure = 1; 3518 failure = 1;
3302 goto done; 3519 goto done;
@@ -3305,7 +3522,8 @@ test_tlsext_versions_client(void)
3305 ssl->s3->hs.our_min_tls_version = TLS1_VERSION; 3522 ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
3306 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 3523 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3307 3524
3308 if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 3525 if (!tls_extension_client_build(TLSEXT_TYPE_supported_versions, ssl,
3526 SSL_TLSEXT_MSG_CH, &cbb)) {
3309 FAIL("client should have built versions\n"); 3527 FAIL("client should have built versions\n");
3310 failure = 1; 3528 failure = 1;
3311 goto done; 3529 goto done;
@@ -3325,7 +3543,8 @@ test_tlsext_versions_client(void)
3325 } 3543 }
3326 3544
3327 CBS_init(&cbs, data, dlen); 3545 CBS_init(&cbs, data, dlen);
3328 if (!tlsext_versions_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 3546 if (!tls_extension_server_parse(TLSEXT_TYPE_supported_versions, ssl,
3547 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3329 FAIL("failed to parse client versions\n"); 3548 FAIL("failed to parse client versions\n");
3330 failure = 1; 3549 failure = 1;
3331 goto done; 3550 goto done;
@@ -3365,7 +3584,8 @@ test_tlsext_versions_server(void)
3365 3584
3366 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION; 3585 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
3367 3586
3368 if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3587 if (tls_extension_server_needs(TLSEXT_TYPE_supported_versions, ssl,
3588 SSL_TLSEXT_MSG_SH)) {
3369 FAIL("server should not need versions\n"); 3589 FAIL("server should not need versions\n");
3370 failure = 1; 3590 failure = 1;
3371 goto done; 3591 goto done;
@@ -3373,13 +3593,15 @@ test_tlsext_versions_server(void)
3373 3593
3374 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION; 3594 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
3375 3595
3376 if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3596 if (!tls_extension_server_needs(TLSEXT_TYPE_supported_versions, ssl,
3597 SSL_TLSEXT_MSG_SH)) {
3377 FAIL("server should need versions\n"); 3598 FAIL("server should need versions\n");
3378 failure = 1; 3599 failure = 1;
3379 goto done; 3600 goto done;
3380 } 3601 }
3381 3602
3382 if (!tlsext_versions_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 3603 if (!tls_extension_server_build(TLSEXT_TYPE_supported_versions, ssl,
3604 SSL_TLSEXT_MSG_SH, &cbb)) {
3383 FAIL("server should have built versions\n"); 3605 FAIL("server should have built versions\n");
3384 failure = 1; 3606 failure = 1;
3385 goto done; 3607 goto done;
@@ -3399,7 +3621,8 @@ test_tlsext_versions_server(void)
3399 } 3621 }
3400 3622
3401 CBS_init(&cbs, data, dlen); 3623 CBS_init(&cbs, data, dlen);
3402 if (!tlsext_versions_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 3624 if (!tls_extension_client_parse(TLSEXT_TYPE_supported_versions, ssl,
3625 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3403 FAIL("failed to parse client versions\n"); 3626 FAIL("failed to parse client versions\n");
3404 failure = 1; 3627 failure = 1;
3405 goto done; 3628 goto done;
@@ -3460,21 +3683,24 @@ test_tlsext_keyshare_client(void)
3460 errx(1, "failed to generate key share"); 3683 errx(1, "failed to generate key share");
3461 3684
3462 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 3685 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3463 if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3686 if (tls_extension_client_needs(TLSEXT_TYPE_key_share, ssl,
3687 SSL_TLSEXT_MSG_CH)) {
3464 FAIL("client should not need keyshare\n"); 3688 FAIL("client should not need keyshare\n");
3465 failure = 1; 3689 failure = 1;
3466 goto done; 3690 goto done;
3467 } 3691 }
3468 3692
3469 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 3693 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3470 if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3694 if (!tls_extension_client_needs(TLSEXT_TYPE_key_share, ssl,
3695 SSL_TLSEXT_MSG_CH)) {
3471 FAIL("client should need keyshare\n"); 3696 FAIL("client should need keyshare\n");
3472 failure = 1; 3697 failure = 1;
3473 goto done; 3698 goto done;
3474 } 3699 }
3475 3700
3476 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 3701 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3477 if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 3702 if (!tls_extension_client_build(TLSEXT_TYPE_key_share, ssl,
3703 SSL_TLSEXT_MSG_CH, &cbb)) {
3478 FAIL("client should have built keyshare\n"); 3704 FAIL("client should have built keyshare\n");
3479 failure = 1; 3705 failure = 1;
3480 goto done; 3706 goto done;
@@ -3496,7 +3722,8 @@ test_tlsext_keyshare_client(void)
3496 (ssl)->version = TLS1_3_VERSION; 3722 (ssl)->version = TLS1_3_VERSION;
3497 CBS_init(&cbs, data, dlen); 3723 CBS_init(&cbs, data, dlen);
3498 3724
3499 if (!tlsext_keyshare_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 3725 if (!tls_extension_server_parse(TLSEXT_TYPE_key_share, ssl,
3726 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3500 FAIL("failed to parse client keyshare\n"); 3727 FAIL("failed to parse client keyshare\n");
3501 failure = 1; 3728 failure = 1;
3502 goto done; 3729 goto done;
@@ -3545,13 +3772,15 @@ test_tlsext_keyshare_server(void)
3545 CBB_init(&cbb, 0); 3772 CBB_init(&cbb, 0);
3546 3773
3547 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION; 3774 ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
3548 if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3775 if (tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
3776 SSL_TLSEXT_MSG_SH)) {
3549 FAIL("server should not need keyshare\n"); 3777 FAIL("server should not need keyshare\n");
3550 goto done; 3778 goto done;
3551 } 3779 }
3552 3780
3553 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION; 3781 ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
3554 if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3782 if (tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
3783 SSL_TLSEXT_MSG_SH)) {
3555 FAIL("client should not need keyshare\n"); 3784 FAIL("client should not need keyshare\n");
3556 goto done; 3785 goto done;
3557 } 3786 }
@@ -3562,12 +3791,14 @@ test_tlsext_keyshare_server(void)
3562 } 3791 }
3563 ssl->s3->hs.extensions_seen |= (1 << idx); 3792 ssl->s3->hs.extensions_seen |= (1 << idx);
3564 3793
3565 if (!tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3794 if (!tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
3795 SSL_TLSEXT_MSG_SH)) {
3566 FAIL("server should need keyshare\n"); 3796 FAIL("server should need keyshare\n");
3567 goto done; 3797 goto done;
3568 } 3798 }
3569 3799
3570 if (tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 3800 if (tls_extension_server_build(TLSEXT_TYPE_key_share, ssl,
3801 SSL_TLSEXT_MSG_SH, &cbb)) {
3571 FAIL("server should not have built a keyshare response\n"); 3802 FAIL("server should not have built a keyshare response\n");
3572 goto done; 3803 goto done;
3573 } 3804 }
@@ -3591,7 +3822,8 @@ test_tlsext_keyshare_server(void)
3591 goto done; 3822 goto done;
3592 } 3823 }
3593 3824
3594 if (!tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) { 3825 if (!tls_extension_server_build(TLSEXT_TYPE_key_share, ssl,
3826 SSL_TLSEXT_MSG_SH, &cbb)) {
3595 FAIL("server should be able to build a keyshare response\n"); 3827 FAIL("server should be able to build a keyshare response\n");
3596 goto done; 3828 goto done;
3597 } 3829 }
@@ -3621,7 +3853,8 @@ test_tlsext_keyshare_server(void)
3621 3853
3622 CBS_init(&cbs, data, dlen); 3854 CBS_init(&cbs, data, dlen);
3623 3855
3624 if (!tlsext_keyshare_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 3856 if (!tls_extension_client_parse(TLSEXT_TYPE_key_share, ssl,
3857 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3625 FAIL("failed to parse server keyshare\n"); 3858 FAIL("failed to parse server keyshare\n");
3626 goto done; 3859 goto done;
3627 } 3860 }
@@ -3670,7 +3903,8 @@ test_tlsext_cookie_client(void)
3670 errx(1, "failed to create SSL"); 3903 errx(1, "failed to create SSL");
3671 3904
3672 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 3905 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3673 if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3906 if (tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
3907 SSL_TLSEXT_MSG_CH)) {
3674 FAIL("client should not need cookie\n"); 3908 FAIL("client should not need cookie\n");
3675 failure = 1; 3909 failure = 1;
3676 goto done; 3910 goto done;
@@ -3678,7 +3912,8 @@ test_tlsext_cookie_client(void)
3678 3912
3679 3913
3680 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 3914 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3681 if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3915 if (tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
3916 SSL_TLSEXT_MSG_CH)) {
3682 FAIL("client should not need cookie\n"); 3917 FAIL("client should not need cookie\n");
3683 failure = 1; 3918 failure = 1;
3684 goto done; 3919 goto done;
@@ -3688,13 +3923,15 @@ test_tlsext_cookie_client(void)
3688 ssl->s3->hs.tls13.cookie = strdup(cookie); 3923 ssl->s3->hs.tls13.cookie = strdup(cookie);
3689 ssl->s3->hs.tls13.cookie_len = strlen(cookie); 3924 ssl->s3->hs.tls13.cookie_len = strlen(cookie);
3690 3925
3691 if (!tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 3926 if (!tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
3927 SSL_TLSEXT_MSG_CH)) {
3692 FAIL("client should need cookie\n"); 3928 FAIL("client should need cookie\n");
3693 failure = 1; 3929 failure = 1;
3694 goto done; 3930 goto done;
3695 } 3931 }
3696 3932
3697 if (!tlsext_cookie_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 3933 if (!tls_extension_client_build(TLSEXT_TYPE_cookie, ssl,
3934 SSL_TLSEXT_MSG_CH, &cbb)) {
3698 FAIL("client should have built a cookie response\n"); 3935 FAIL("client should have built a cookie response\n");
3699 failure = 1; 3936 failure = 1;
3700 goto done; 3937 goto done;
@@ -3717,7 +3954,8 @@ test_tlsext_cookie_client(void)
3717 CBS_init(&cbs, data, dlen); 3954 CBS_init(&cbs, data, dlen);
3718 3955
3719 /* Checks cookie against what's in the hs.tls13 */ 3956 /* Checks cookie against what's in the hs.tls13 */
3720 if (!tlsext_cookie_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) { 3957 if (!tls_extension_server_parse(TLSEXT_TYPE_cookie, ssl,
3958 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3721 FAIL("failed to parse client cookie\n"); 3959 FAIL("failed to parse client cookie\n");
3722 failure = 1; 3960 failure = 1;
3723 goto done; 3961 goto done;
@@ -3758,14 +3996,16 @@ test_tlsext_cookie_server(void)
3758 errx(1, "failed to create SSL"); 3996 errx(1, "failed to create SSL");
3759 3997
3760 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 3998 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3761 if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 3999 if (tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
4000 SSL_TLSEXT_MSG_SH)) {
3762 FAIL("server should not need cookie\n"); 4001 FAIL("server should not need cookie\n");
3763 failure = 1; 4002 failure = 1;
3764 goto done; 4003 goto done;
3765 } 4004 }
3766 4005
3767 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 4006 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3768 if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 4007 if (tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
4008 SSL_TLSEXT_MSG_SH)) {
3769 FAIL("server should not need cookie\n"); 4009 FAIL("server should not need cookie\n");
3770 failure = 1; 4010 failure = 1;
3771 goto done; 4011 goto done;
@@ -3775,13 +4015,15 @@ test_tlsext_cookie_server(void)
3775 ssl->s3->hs.tls13.cookie = strdup(cookie); 4015 ssl->s3->hs.tls13.cookie = strdup(cookie);
3776 ssl->s3->hs.tls13.cookie_len = strlen(cookie); 4016 ssl->s3->hs.tls13.cookie_len = strlen(cookie);
3777 4017
3778 if (!tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_HRR)) { 4018 if (!tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
4019 SSL_TLSEXT_MSG_HRR)) {
3779 FAIL("server should need cookie\n"); 4020 FAIL("server should need cookie\n");
3780 failure = 1; 4021 failure = 1;
3781 goto done; 4022 goto done;
3782 } 4023 }
3783 4024
3784 if (!tlsext_cookie_server_build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) { 4025 if (!tls_extension_server_build(TLSEXT_TYPE_cookie, ssl,
4026 SSL_TLSEXT_MSG_HRR, &cbb)) {
3785 FAIL("server should have built a cookie response\n"); 4027 FAIL("server should have built a cookie response\n");
3786 failure = 1; 4028 failure = 1;
3787 goto done; 4029 goto done;
@@ -3803,7 +4045,8 @@ test_tlsext_cookie_server(void)
3803 4045
3804 CBS_init(&cbs, data, dlen); 4046 CBS_init(&cbs, data, dlen);
3805 4047
3806 if (tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 4048 if (tls_extension_client_parse(TLSEXT_TYPE_cookie, ssl,
4049 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3807 FAIL("client should not have parsed server cookie\n"); 4050 FAIL("client should not have parsed server cookie\n");
3808 failure = 1; 4051 failure = 1;
3809 goto done; 4052 goto done;
@@ -3813,7 +4056,8 @@ test_tlsext_cookie_server(void)
3813 ssl->s3->hs.tls13.cookie = NULL; 4056 ssl->s3->hs.tls13.cookie = NULL;
3814 ssl->s3->hs.tls13.cookie_len = 0; 4057 ssl->s3->hs.tls13.cookie_len = 0;
3815 4058
3816 if (!tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) { 4059 if (!tls_extension_client_parse(TLSEXT_TYPE_cookie, ssl,
4060 SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
3817 FAIL("failed to parse server cookie\n"); 4061 FAIL("failed to parse server cookie\n");
3818 failure = 1; 4062 failure = 1;
3819 goto done; 4063 goto done;
@@ -3875,7 +4119,8 @@ test_tlsext_psk_modes_client(void)
3875 errx(1, "failed to create SSL"); 4119 errx(1, "failed to create SSL");
3876 4120
3877 /* Disabled by default. */ 4121 /* Disabled by default. */
3878 if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 4122 if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
4123 SSL_TLSEXT_MSG_CH)) {
3879 FAIL("client should not need psk kex modes by default\n"); 4124 FAIL("client should not need psk kex modes by default\n");
3880 goto err; 4125 goto err;
3881 } 4126 }
@@ -3888,7 +4133,8 @@ test_tlsext_psk_modes_client(void)
3888 ssl->s3->hs.tls13.use_psk_dhe_ke = 1; 4133 ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
3889 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION; 4134 ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
3890 4135
3891 if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 4136 if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
4137 SSL_TLSEXT_MSG_CH)) {
3892 FAIL("client should not need psk kex modes with TLSv1.2\n"); 4138 FAIL("client should not need psk kex modes with TLSv1.2\n");
3893 goto err; 4139 goto err;
3894 } 4140 }
@@ -3896,7 +4142,8 @@ test_tlsext_psk_modes_client(void)
3896 ssl->s3->hs.tls13.use_psk_dhe_ke = 0; 4142 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
3897 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 4143 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3898 4144
3899 if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 4145 if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
4146 SSL_TLSEXT_MSG_CH)) {
3900 FAIL("client should not need psk kex modes without " 4147 FAIL("client should not need psk kex modes without "
3901 "use_psk_dhe_ke\n"); 4148 "use_psk_dhe_ke\n");
3902 goto err; 4149 goto err;
@@ -3905,14 +4152,16 @@ test_tlsext_psk_modes_client(void)
3905 ssl->s3->hs.tls13.use_psk_dhe_ke = 1; 4152 ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
3906 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION; 4153 ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
3907 4154
3908 if (!tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) { 4155 if (!tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
4156 SSL_TLSEXT_MSG_CH)) {
3909 FAIL("client should need psk kex modes with TLSv1.3\n"); 4157 FAIL("client should need psk kex modes with TLSv1.3\n");
3910 goto err; 4158 goto err;
3911 } 4159 }
3912 4160
3913 /* Make sure we can build psk modes with DHE key establishment. */ 4161 /* Make sure we can build psk modes with DHE key establishment. */
3914 4162
3915 if (!tlsext_psk_kex_modes_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) { 4163 if (!tls_extension_client_build(TLSEXT_TYPE_psk_kex_modes, ssl,
4164 SSL_TLSEXT_MSG_CH, &cbb)) {
3916 FAIL("client failed to build psk kex modes\n"); 4165 FAIL("client failed to build psk kex modes\n");
3917 goto err; 4166 goto err;
3918 } 4167 }
@@ -3948,8 +4197,8 @@ test_tlsext_psk_modes_client(void)
3948 4197
3949 CBS_init(&cbs, tlsext_default_psk_modes, 4198 CBS_init(&cbs, tlsext_default_psk_modes,
3950 sizeof(tlsext_default_psk_modes)); 4199 sizeof(tlsext_default_psk_modes));
3951 if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, 4200 if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
3952 &alert)) { 4201 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3953 FAIL("failed to parse psk kex modes\n"); 4202 FAIL("failed to parse psk kex modes\n");
3954 goto err; 4203 goto err;
3955 } 4204 }
@@ -3971,8 +4220,8 @@ test_tlsext_psk_modes_client(void)
3971 ssl->s3->hs.tls13.use_psk_dhe_ke = 0; 4220 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
3972 4221
3973 CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode)); 4222 CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode));
3974 if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, 4223 if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
3975 &alert)) { 4224 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3976 FAIL("failed to parse psk kex modes\n"); 4225 FAIL("failed to parse psk kex modes\n");
3977 goto err; 4226 goto err;
3978 } 4227 }
@@ -3994,8 +4243,8 @@ test_tlsext_psk_modes_client(void)
3994 ssl->s3->hs.tls13.use_psk_dhe_ke = 0; 4243 ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
3995 4244
3996 CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes)); 4245 CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes));
3997 if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, 4246 if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
3998 &alert)) { 4247 SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
3999 FAIL("failed to parse psk kex modes\n"); 4248 FAIL("failed to parse psk kex modes\n");
4000 goto err; 4249 goto err;
4001 } 4250 }
@@ -4033,7 +4282,8 @@ test_tlsext_psk_modes_server(void)
4033 if ((ssl = SSL_new(ssl_ctx)) == NULL) 4282 if ((ssl = SSL_new(ssl_ctx)) == NULL)
4034 errx(1, "failed to create SSL"); 4283 errx(1, "failed to create SSL");
4035 4284
4036 if (tlsext_psk_kex_modes_server_needs(ssl, SSL_TLSEXT_MSG_SH)) { 4285 if (tls_extension_server_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
4286 SSL_TLSEXT_MSG_SH)) {
4037 FAIL("server should not need psk kex modes\n"); 4287 FAIL("server should not need psk kex modes\n");
4038 goto err; 4288 goto err;
4039 } 4289 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-29 21:38:57 +0000