Run some failing tests with DTLS1.2
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Mon, 22 Apr 2024 17:59:27 +0000 (19:59 +0200)
committerTomas Mraz <tomas@openssl.org>
Thu, 9 Jan 2025 16:02:19 +0000 (17:02 +0100)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22275)

fuzz/dtlsclient.c
test/dtls_mtu_test.c
test/dtlstest.c
test/ssl-tests/29-dtls-sctp-label-bug.cnf
test/ssl-tests/29-dtls-sctp-label-bug.cnf.in

index 0e239d991d80c2c41969dbfea2b28a58c04a5180..85fb1144d6d9defedee94d3f6d4ad4d483207050 100644 (file)
@@ -72,6 +72,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     if (client == NULL)
         goto end;
     OPENSSL_assert(SSL_set_min_proto_version(client, 0) == 1);
+    /**
+     * TODO(DTLSv1.3): Fuzzing fails with
+     * ssl/statem/extensions_clnt.c:624: OpenSSL internal error:
+     *      Assertion failed: s->hello_retry_request == SSL_HRR_PENDING
+     */
+    OPENSSL_assert(SSL_set_max_proto_version(client, DTLS1_2_VERSION) == 1);
     OPENSSL_assert(SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") == 1);
     SSL_set_tlsext_host_name(client, "localhost");
     in = BIO_new(BIO_s_mem());
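Review bot: Capping the client at `DTLS1_2_VERSION` right after `SSL_set_min_proto_version(client, 0)` takes the DTLS 1.3 client handshake out of this fuzzer's coverage, and the TODO does not tie the cap to a tracked issue. The quoted failure is an internal assertion reached from fuzzer-supplied input, so it deserves to be recorded as a robustness finding in its own right, not only as the reason for the cap; whether it can abort a non-debug build is not visible from this hunk. I would extend the comment with a reference, for example `* Tracked in <ISSUE-REF>; remove this cap once the HRR assertion is fixed.` The comment also opens with `/**`, which reads as a doc comment; a plain `/*` is the usual form for a block comment inside a function body. FuzzerTestOneInput starts and ends outside the hunk.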
index b11d5e3461315effece525d646225414525e856e..740c7fa6a9684ce436784be55a0e0e049576835e 100644 (file)
@@ -66,6 +66,13 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm)
     if (no_etm)
         SSL_set_options(srvr_ssl, SSL_OP_NO_ENCRYPT_THEN_MAC);
 
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     * SSL routines:tls_psk_do_binder:binder does not verify:
+     *      ../ssl/statem/extensions.c:1690:
+     */
+    OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1);
+
     if (!TEST_true(SSL_set_cipher_list(srvr_ssl, cs))
             || !TEST_true(SSL_set_cipher_list(clnt_ssl, cs))
             || !TEST_ptr(sc_bio = SSL_get_rbio(srvr_ssl))
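Review bot: The added `OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1);` aborts the whole test binary if the call fails, while the checks directly below it report through `TEST_true`/`TEST_ptr`. Making it the first term of the following condition keeps failure reporting consistent: `if (!TEST_true(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION))`, with the existing `SSL_set_cipher_list(srvr_ssl, cs)` check continuing as `|| !TEST_true(...)`. The same applies to the assert added in test_server_mtu_larger_than_max_fragment_length, where `if (!TEST_true(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION))) goto end;` would match the neighbouring lines. mtu_test continues outside the hunk, so the failure path of that condition is not visible here.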
@@ -212,6 +219,13 @@ static int test_server_mtu_larger_than_max_fragment_length(void)
                                       NULL, NULL)))
         goto end;
 
+    /**
+     * TODO(DTLSv1.3): Test fails with
+     * SSL routines:tls_psk_do_binder:binder does not verify:
+     *      ../ssl/statem/extensions.c:1690:
+     */
+    OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1);
+
     SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU);
     if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500)))
         goto end;
index 011d8775c15788c2b8594fd5bfbfe8179adfd926..15aae92df9f91f1e39cccfb9acea9ac6460542cf 100644 (file)
@@ -77,9 +77,15 @@ static int test_dtls_unprocessed(int testidx)
 
     timer_cb_count = 0;
 
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     *  # No progress made
+     *  # ERROR: (bool) 'create_bare_ssl_connection(serverssl1, clientssl1,
+     *      SSL_ERROR_NONE, 0, 0) == true' failed @ ../test/dtlstest.c:128
+     */
     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
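Review bot: Passing `DTLS1_2_VERSION` as the maximum version to `create_ssl_ctx_pair` here, and in the same way in test_dtls_drop_records, test_cookie, test_dtls_duplicate_records, test_swap_records and test_listen, leaves the DTLS 1.3 path with no test for unprocessed, dropped, duplicated or swapped records or for the cookie exchange. None of the TODO comments names a tracking issue, so nothing in the file says when the caps are meant to be lifted. I would add a line such as `* Tracked in <ISSUE-REF>; lift the cap once this passes with DTLS 1.3.` to each comment. The quoted `../test/dtlstest.c:128` location will go stale as the file changes, so naming the failing call alone is enough. The function body continues outside the hunk.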
@@ -199,9 +205,14 @@ static int test_dtls_drop_records(int idx)
     int cli_to_srv_cookie, cli_to_srv_epoch0, cli_to_srv_epoch1;
     int srv_to_cli_epoch0;
 
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     *  ssl/statem/extensions_clnt.c:624: OpenSSL internal error:
+     *      Assertion failed: s->hello_retry_request == SSL_HRR_PENDING
+     */
     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
@@ -312,9 +323,14 @@ static int test_cookie(void)
     SSL *serverssl = NULL, *clientssl = NULL;
     int testresult = 0;
 
-    if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     *  ssl/statem/extensions_clnt.c:624: OpenSSL internal error:
+     *      Assertion failed: s->hello_retry_request == SSL_HRR_PENDING
+     */
+     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
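Review bot: The re-added `if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),` line in test_cookie is indented with five spaces instead of four, so it no longer lines up with the comment above it or with the continuation lines below. The line is otherwise unchanged, which means it was removed and re-added only to pick up the stray space. Restoring the four-space indent, `    if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),`, fixes the alignment and drops the line from the diff.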
@@ -352,9 +368,13 @@ static int test_dtls_duplicate_records(void)
     SSL *serverssl = NULL, *clientssl = NULL;
     int testresult = 0;
 
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     *  dtls1_read_bytes:unexpected record:../ssl/record/rec_layer_d1.c:609:
+     */
     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
@@ -484,9 +504,12 @@ static int test_swap_records(int idx)
     char msg[] = { 0x00, 0x01, 0x02, 0x03 };
     char buf[10];
 
+    /**
+     * TODO(DTLSv1.3): Tests fails
+     */
     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
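Review bot: The TODO added to test_swap_records says only `Tests fails` and records no error output, unlike the other comments added to this file, so whoever lifts the cap has no symptom to compare against. I would state what was observed, for example `* TODO(DTLSv1.3): Test fails with <observed error output>`. If the test fails without producing an error-queue entry, the comment should say so. The function body continues outside the hunk.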
@@ -594,9 +617,14 @@ static int test_listen(void)
     SSL *serverssl = NULL, *clientssl = NULL;
     int testresult = 0;
 
+    /**
+     * TODO(DTLSv1.3): Tests fails with
+     *  ssl/statem/extensions_clnt.c:624: OpenSSL internal error:
+     *      Assertion failed: s->hello_retry_request == SSL_HRR_PENDING
+     */
     if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
                                        DTLS_client_method(),
-                                       DTLS1_VERSION, 0,
+                                       DTLS1_VERSION, DTLS1_2_VERSION,
                                        &sctx, &cctx, cert, privkey)))
         return 0;
 
index 24f9e04f16d9356dbb5898e7e4a9e05b37be27b8..d0b306cef40e3d9971f2ec6f80efd21f8da6eaa7 100644 (file)
@@ -72,6 +72,7 @@ client = 2-SCTPLabelBug-bad1-client
 [2-SCTPLabelBug-bad1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [2-SCTPLabelBug-bad1-client]
@@ -99,6 +100,7 @@ client = 3-SCTPLabelBug-bad2-client
 [3-SCTPLabelBug-bad2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = DTLSv1.2
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [3-SCTPLabelBug-bad2-client]
index f14e68139d3eb9b46706a60b0ac0b3a5946be998..a28ab8c4a4432613cd0b7d34282f15b9b497f64c 100644 (file)
@@ -42,7 +42,9 @@ our @tests = (
     },
     {
         name => "SCTPLabelBug-bad1",
-        server => {},
+        server => {
+            MaxProtocol => "DTLSv1.2"
+        },
         client => {},
         test => {
             "Method" => "DTLS",
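Review bot: The `MaxProtocol => "DTLSv1.2"` added to the server of SCTPLabelBug-bad1, and again for SCTPLabelBug-bad2 in the next hunk, carries no comment explaining the cap, whereas every C file in this commit marks its cap with `TODO(DTLSv1.3)`. A search for that tag when DTLS 1.3 support lands will miss these two entries, and the SCTP label-bug cases would stay pinned to DTLS 1.2. I would put `# TODO(DTLSv1.3): capped because this test fails with DTLS 1.3` above each `MaxProtocol` line, with the observed failure added if it is known.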
@@ -54,7 +56,9 @@ our @tests = (
     },
     {
         name => "SCTPLabelBug-bad2",
-        server => {},
+        server => {
+            MaxProtocol => "DTLSv1.2"
+        },
         client => {},
         test => {
             "Method" => "DTLS",