Adds DTLSv1.3 to protocol_version.pm for additional protocol version tests.
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Tue, 9 Jan 2024 06:20:42 +0000 (07:20 +0100)
committerTomas Mraz <tomas@openssl.org>
Thu, 9 Jan 2025 16:06:56 +0000 (17:06 +0100)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23242)

test/ssl-tests/02-protocol-version.cnf
test/ssl-tests/07-dtls-protocol-version.cnf
test/ssl-tests/10-resumption.cnf
test/ssl-tests/protocol_version.pm

index ef5e9942779677497125a02ceaf9938e316082da..e951a9fa0db6f443dd77b0ea7a28f16e62b5f47b 100644 (file)
@@ -678,8 +678,8 @@ test-672 = 672-version-negotiation
 test-673 = 673-version-negotiation
 test-674 = 674-version-negotiation
 test-675 = 675-version-negotiation
-test-676 = 676-ciphersuite-sanity-check-client
-test-677 = 677-ciphersuite-sanity-check-server
+test-676 = 676-ciphersuite-sanity-check-tls-client
+test-677 = 677-ciphersuite-sanity-check-tls-server
 # ===========================================================
 
 [0-version-negotiation]
@@ -18772,20 +18772,20 @@ ExpectedResult = Success
 
 # ===========================================================
 
-[676-ciphersuite-sanity-check-client]
-ssl_conf = 676-ciphersuite-sanity-check-client-ssl
+[676-ciphersuite-sanity-check-tls-client]
+ssl_conf = 676-ciphersuite-sanity-check-tls-client-ssl
 
-[676-ciphersuite-sanity-check-client-ssl]
-server = 676-ciphersuite-sanity-check-client-server
-client = 676-ciphersuite-sanity-check-client-client
+[676-ciphersuite-sanity-check-tls-client-ssl]
+server = 676-ciphersuite-sanity-check-tls-client-server
+client = 676-ciphersuite-sanity-check-tls-client-client
 
-[676-ciphersuite-sanity-check-client-server]
+[676-ciphersuite-sanity-check-tls-client-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[676-ciphersuite-sanity-check-client-client]
+[676-ciphersuite-sanity-check-tls-client-client]
 CipherString = AES128-SHA
 Ciphersuites = 
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -18793,24 +18793,25 @@ VerifyMode = Peer
 
 [test-676]
 ExpectedResult = ClientFail
+Method = TLS
 
 
 # ===========================================================
 
-[677-ciphersuite-sanity-check-server]
-ssl_conf = 677-ciphersuite-sanity-check-server-ssl
+[677-ciphersuite-sanity-check-tls-server]
+ssl_conf = 677-ciphersuite-sanity-check-tls-server-ssl
 
-[677-ciphersuite-sanity-check-server-ssl]
-server = 677-ciphersuite-sanity-check-server-server
-client = 677-ciphersuite-sanity-check-server-client
+[677-ciphersuite-sanity-check-tls-server-ssl]
+server = 677-ciphersuite-sanity-check-tls-server-server
+client = 677-ciphersuite-sanity-check-tls-server-client
 
-[677-ciphersuite-sanity-check-server-server]
+[677-ciphersuite-sanity-check-tls-server-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = AES128-SHA
 Ciphersuites = 
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[677-ciphersuite-sanity-check-server-client]
+[677-ciphersuite-sanity-check-tls-server-client]
 CipherString = AES128-SHA
 MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
@@ -18818,5 +18819,6 @@ VerifyMode = Peer
 
 [test-677]
 ExpectedResult = ServerFail
+Method = TLS
 
 
index 16621d8964295b73998dd345208e562e2f8bd1f9..2980db64e98e887b59e8bb8d9fb6980c48067452 100644 (file)
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 169
+num_tests = 171
 
 test-0 = 0-version-negotiation
 test-1 = 1-version-negotiation
@@ -171,6 +171,8 @@ test-165 = 165-version-negotiation
 test-166 = 166-version-negotiation
 test-167 = 167-version-negotiation
 test-168 = 168-version-negotiation
+test-169 = 169-ciphersuite-sanity-check-dtls-client
+test-170 = 170-ciphersuite-sanity-check-dtls-server
 # ===========================================================
 
 [0-version-negotiation]
@@ -4832,3 +4834,55 @@ ExpectedResult = Success
 Method = DTLS
 
 
+# ===========================================================
+
+[169-ciphersuite-sanity-check-dtls-client]
+ssl_conf = 169-ciphersuite-sanity-check-dtls-client-ssl
+
+[169-ciphersuite-sanity-check-dtls-client-ssl]
+server = 169-ciphersuite-sanity-check-dtls-client-server
+client = 169-ciphersuite-sanity-check-dtls-client-client
+
+[169-ciphersuite-sanity-check-dtls-client-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[169-ciphersuite-sanity-check-dtls-client-client]
+CipherString = AES128-SHA
+Ciphersuites = 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-169]
+ExpectedResult = ClientFail
+Method = DTLS
+
+
+# ===========================================================
+
+[170-ciphersuite-sanity-check-dtls-server]
+ssl_conf = 170-ciphersuite-sanity-check-dtls-server-ssl
+
+[170-ciphersuite-sanity-check-dtls-server-ssl]
+server = 170-ciphersuite-sanity-check-dtls-server-server
+client = 170-ciphersuite-sanity-check-dtls-server-client
+
+[170-ciphersuite-sanity-check-dtls-server-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = AES128-SHA
+Ciphersuites = 
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[170-ciphersuite-sanity-check-dtls-server-client]
+CipherString = AES128-SHA
+MaxProtocol = DTLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-170]
+ExpectedResult = ServerFail
+Method = DTLS
+
+
index ca1f39a139da2f6d0e1b8a68c03057e5b858f823..e016f498d81097b4dad54dd82060503258b5b57b 100644 (file)
@@ -66,7 +66,7 @@ test-60 = 60-resumption
 test-61 = 61-resumption
 test-62 = 62-resumption
 test-63 = 63-resumption
-test-64 = 64-resumption-with-hrr
+test-64 = 64-tls13-resumption-with-hrr
 # ===========================================================
 
 [0-resumption]
@@ -2405,27 +2405,27 @@ ResumptionExpected = Yes
 
 # ===========================================================
 
-[64-resumption-with-hrr]
-ssl_conf = 64-resumption-with-hrr-ssl
+[64-tls13-resumption-with-hrr]
+ssl_conf = 64-tls13-resumption-with-hrr-ssl
 
-[64-resumption-with-hrr-ssl]
-server = 64-resumption-with-hrr-server
-client = 64-resumption-with-hrr-client
-resume-server = 64-resumption-with-hrr-server
-resume-client = 64-resumption-with-hrr-resume-client
+[64-tls13-resumption-with-hrr-ssl]
+server = 64-tls13-resumption-with-hrr-server
+client = 64-tls13-resumption-with-hrr-client
+resume-server = 64-tls13-resumption-with-hrr-server
+resume-client = 64-tls13-resumption-with-hrr-resume-client
 
-[64-resumption-with-hrr-server]
+[64-tls13-resumption-with-hrr-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 Curves = P-256
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[64-resumption-with-hrr-client]
+[64-tls13-resumption-with-hrr-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
-[64-resumption-with-hrr-resume-client]
+[64-tls13-resumption-with-hrr-resume-client]
 CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
index c51cca42dcb66c6406d7aee0806e354b30a44149..acea0135fb9dd6394b7bc69a362c2d830525ab9b 100644 (file)
@@ -107,7 +107,7 @@ $max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab
 sub no_tests {
     my ($dtls, $fips) = @_;
     if ($dtls && $fips) {
-        return disabled("dtls1_2", "dtls1_3");
+        return alldisabled("dtls1_2", "dtls1_3");
     }
     return $dtls ? alldisabled("dtls1", "dtls1_2", "dtls1_3") :
       alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
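Review bot: The FIPS branch of no_tests consults only `dtls1_2` and `dtls1_3`, while the non-FIPS DTLS branch directly below it also consults `dtls1`, and nothing says why the two lists differ. Presumably this mirrors the contents of `@dtls_protocols_fips`, which appears in the line above the function. A comment such as `# FIPS DTLS tests never use DTLSv1, so dtls1 is not considered here` before `return alldisabled("dtls1_2", "dtls1_3");` would record that, once confirmed against the array's definition. The closing brace of no_tests lies outside the hunk.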
@@ -181,42 +181,82 @@ sub generate_version_tests {
             }
         }
     }
-    return @tests
-        if disabled("tls1_3")
-           || disabled("tls1_2")
-           || (disabled("ec") && disabled("dh"))
-           || $dtls;
-
-    #Add some version/ciphersuite sanity check tests
-    push @tests, {
-        "name" => "ciphersuite-sanity-check-client",
-        "client" => {
-            #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
-            "CipherString" => "AES128-SHA",
-            "Ciphersuites" => "",
-        },
-        "server" => {
-            "MaxProtocol" => "TLSv1.2"
-        },
-        "test" => {
-            "ExpectedResult" => "ClientFail",
-        }
-    };
-    push @tests, {
-        "name" => "ciphersuite-sanity-check-server",
-        "client" => {
-            "CipherString" => "AES128-SHA",
-            "MaxProtocol" => "TLSv1.2"
-        },
-        "server" => {
-            #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
-            "CipherString" => "AES128-SHA",
-            "Ciphersuites" => "",
-        },
-        "test" => {
-            "ExpectedResult" => "ServerFail",
-        }
-    };
+
+    if (!$dtls && !(disabled("tls1_3")
+                    || disabled("tls1_2")
+                    || (disabled("ec") && disabled("dh"))))
+    {
+        #Add some version/ciphersuite sanity check tests
+        push @tests, {
+            "name"   => "ciphersuite-sanity-check-tls-client",
+            "client" => {
+                #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+                "CipherString" => "AES128-SHA",
+                "Ciphersuites" => "",
+            },
+            "server" => {
+                "MaxProtocol" => "TLSv1.2"
+            },
+            "test"   => {
+                "Method"         => "TLS",
+                "ExpectedResult" => "ClientFail",
+            }
+        };
+        push @tests, {
+            "name"   => "ciphersuite-sanity-check-tls-server",
+            "client" => {
+                "CipherString" => "AES128-SHA",
+                "MaxProtocol"  => "TLSv1.2"
+            },
+            "server" => {
+                #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+                "CipherString" => "AES128-SHA",
+                "Ciphersuites" => "",
+            },
+            "test"   => {
+                "Method"         => "TLS",
+                "ExpectedResult" => "ServerFail",
+            }
+        };
+    }
+
+    if ($dtls && !(disabled("dtls1_3")
+                   || disabled("dtls1_2")
+                   || (disabled("ec") && disabled("dh"))))
+    {
+        #Add some version/ciphersuite sanity check tests
+        push @tests, {
+            "name"   => "ciphersuite-sanity-check-dtls-client",
+            "client" => {
+                #Offering only <=DTLSv1.2 ciphersuites with DTLSv1.3 should fail
+                "CipherString" => "AES128-SHA",
+                "Ciphersuites" => "",
+            },
+            "server" => {
+                "MaxProtocol" => "DTLSv1.2"
+            },
+            "test"   => {
+                "Method"         => "DTLS",
+                "ExpectedResult" => "ClientFail",
+            }
+        };
+        push @tests, {
+            "name"   => "ciphersuite-sanity-check-dtls-server",
+            "client" => {
+                "CipherString" => "AES128-SHA",
+                "MaxProtocol"  => "DTLSv1.2"
+            },
+            "server" => {
+                #Allowing only <=DTLSv1.2 ciphersuites with DTLSv1.3 should fail
+                "CipherString" => "AES128-SHA",
+                "Ciphersuites" => "",
+            },
+            "test"   => {
+                "Method"         => "DTLS",
+                "ExpectedResult" => "ServerFail",
+            }
+        };
+    }
 
     return @tests;
 }
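Review bot: The TLS and DTLS sanity-check blocks added to generate_version_tests are the same two test hashes written out twice. They differ only in the method name, the feature names passed to `disabled()` and the `MaxProtocol` value. Since `$dtls` already selects exactly one of the two blocks, deriving those values once and building both tests from them would keep the negative tests for the two methods from drifting apart when one side is edited later. The sketch below keeps the generated test names and keys exactly as they are in the hunk. The function starts above the hunk.

```perl
    # … unchanged: version-negotiation test generation …

    # One parameter set per method keeps the TLS and DTLS checks identical.
    my ($method, $newest, $previous, $max_previous) = $dtls
        ? ("DTLS", "dtls1_3", "dtls1_2", "DTLSv1.2")
        : ("TLS",  "tls1_3",  "tls1_2",  "TLSv1.2");
    my $tag = lc $method;

    if (!(disabled($newest)
          || disabled($previous)
          || (disabled("ec") && disabled("dh"))))
    {
        #Offering or allowing only <=$max_previous ciphersuites while the
        #newest version is enabled should fail on the side that does so
        my %old_suites_only = (
            "CipherString" => "AES128-SHA",
            "Ciphersuites" => "",
        );
        push @tests, {
            "name"   => "ciphersuite-sanity-check-$tag-client",
            "client" => { %old_suites_only },
            "server" => { "MaxProtocol" => $max_previous },
            "test"   => {
                "Method"         => $method,
                "ExpectedResult" => "ClientFail",
            }
        };
        push @tests, {
            "name"   => "ciphersuite-sanity-check-$tag-server",
            "client" => {
                "CipherString" => "AES128-SHA",
                "MaxProtocol"  => $max_previous
            },
            "server" => { %old_suites_only },
            "test"   => {
                "Method"         => $method,
                "ExpectedResult" => "ServerFail",
            }
        };
    }

    return @tests;
```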
@@ -325,7 +365,7 @@ sub generate_resumption_tests {
 
     if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) {
         push @client_tests, {
-            "name" => "resumption-with-hrr",
+            "name" => "tls13-resumption-with-hrr",
             "client" => {
             },
             "server" => {
@@ -342,6 +382,25 @@ sub generate_resumption_tests {
         };
     }
 
+    if (!disabled("dtls1_3") && (!disabled("ec") || !disabled("dh")) && $dtls) {
+        push @client_tests, {
+            "name" => "dtls13-resumption-with-hrr",
+            "client" => {
+            },
+            "server" => {
+                "Curves" => disabled("ec") ? "ffdhe3072" : "P-256"
+            },
+            "resume_client" => {
+            },
+            "test" => {
+                "ExpectedProtocol" => "DTLSv1.3",
+                "Method" => "DTLS",
+                "HandshakeMode" => "Resume",
+                "ResumptionExpected" => "Yes",
+            }
+        };
+    }
+
     return (@server_tests, @client_tests);
 }
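Review bot: Nothing in the new `dtls13-resumption-with-hrr` entry says how the HelloRetryRequest in its name is provoked, and its `test` section asserts only the protocol version and that resumption happened. Presumably the single-group `Curves` setting on the server is what makes the client's first key share unacceptable. A comment on that line such as `#Single server group that the client is assumed not to send a key share for, which forces an HRR` would make the dependence on the client's default groups explicit. The file list on this page also shows no regenerated DTLS resumption `.cnf` alongside `10-resumption.cnf`, so it is worth confirming that the new case is actually emitted and run. generate_resumption_tests starts above the hunk.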