From: Frederik Wedel-Heinen Date: Tue, 9 Jan 2024 06:20:42 +0000 (+0100) Subject: Adds DTLSv1.3 to protocol_version.pm for additional protocol version tests. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66001419626ebfe0e86d2aee1e59ccab71842849;p=thirdparty%2Fopenssl.git Adds DTLSv1.3 to protocol_version.pm for additional protocol version tests. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/23242) --- diff --git a/test/ssl-tests/02-protocol-version.cnf b/test/ssl-tests/02-protocol-version.cnf index ef5e9942779..e951a9fa0db 100644 --- a/test/ssl-tests/02-protocol-version.cnf +++ b/test/ssl-tests/02-protocol-version.cnf @@ -678,8 +678,8 @@ test-672 = 672-version-negotiation test-673 = 673-version-negotiation test-674 = 674-version-negotiation test-675 = 675-version-negotiation -test-676 = 676-ciphersuite-sanity-check-client -test-677 = 677-ciphersuite-sanity-check-server +test-676 = 676-ciphersuite-sanity-check-tls-client +test-677 = 677-ciphersuite-sanity-check-tls-server # =========================================================== [0-version-negotiation] 
@@ -18772,20 +18772,20 @@ ExpectedResult = Success # =========================================================== -[676-ciphersuite-sanity-check-client] -ssl_conf = 676-ciphersuite-sanity-check-client-ssl +[676-ciphersuite-sanity-check-tls-client] +ssl_conf = 676-ciphersuite-sanity-check-tls-client-ssl -[676-ciphersuite-sanity-check-client-ssl] -server = 676-ciphersuite-sanity-check-client-server -client = 676-ciphersuite-sanity-check-client-client +[676-ciphersuite-sanity-check-tls-client-ssl] +server = 676-ciphersuite-sanity-check-tls-client-server +client = 676-ciphersuite-sanity-check-tls-client-client -[676-ciphersuite-sanity-check-client-server] +[676-ciphersuite-sanity-check-tls-client-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[676-ciphersuite-sanity-check-client-client] +[676-ciphersuite-sanity-check-tls-client-client] CipherString = AES128-SHA Ciphersuites = VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
@@ -18793,24 +18793,25 @@ VerifyMode = Peer [test-676] ExpectedResult = ClientFail +Method = TLS # =========================================================== -[677-ciphersuite-sanity-check-server] -ssl_conf = 677-ciphersuite-sanity-check-server-ssl +[677-ciphersuite-sanity-check-tls-server] +ssl_conf = 677-ciphersuite-sanity-check-tls-server-ssl -[677-ciphersuite-sanity-check-server-ssl] -server = 677-ciphersuite-sanity-check-server-server -client = 677-ciphersuite-sanity-check-server-client +[677-ciphersuite-sanity-check-tls-server-ssl] +server = 677-ciphersuite-sanity-check-tls-server-server +client = 677-ciphersuite-sanity-check-tls-server-client -[677-ciphersuite-sanity-check-server-server] +[677-ciphersuite-sanity-check-tls-server-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = AES128-SHA Ciphersuites = PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[677-ciphersuite-sanity-check-server-client] +[677-ciphersuite-sanity-check-tls-server-client] CipherString = AES128-SHA MaxProtocol = TLSv1.2 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem @@ -18818,5 +18819,6 @@ VerifyMode = Peer [test-677] ExpectedResult = ServerFail +Method = TLS diff --git a/test/ssl-tests/07-dtls-protocol-version.cnf b/test/ssl-tests/07-dtls-protocol-version.cnf index 16621d89642..2980db64e98 100644 --- a/test/ssl-tests/07-dtls-protocol-version.cnf +++ b/test/ssl-tests/07-dtls-protocol-version.cnf @@ -1,6 +1,6 @@ # Generated with generate_ssl_tests.pl -num_tests = 169 +num_tests = 171 test-0 = 0-version-negotiation test-1 = 1-version-negotiation @@ -171,6 +171,8 @@ test-165 = 165-version-negotiation test-166 = 166-version-negotiation test-167 = 167-version-negotiation test-168 = 168-version-negotiation +test-169 = 169-ciphersuite-sanity-check-dtls-client +test-170 = 170-ciphersuite-sanity-check-dtls-server # =========================================================== [0-version-negotiation] 
@@ -4832,3 +4834,55 @@ ExpectedResult = Success Method = DTLS +# =========================================================== + +[169-ciphersuite-sanity-check-dtls-client] +ssl_conf = 169-ciphersuite-sanity-check-dtls-client-ssl + +[169-ciphersuite-sanity-check-dtls-client-ssl] +server = 169-ciphersuite-sanity-check-dtls-client-server +client = 169-ciphersuite-sanity-check-dtls-client-client + +[169-ciphersuite-sanity-check-dtls-client-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = DTLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[169-ciphersuite-sanity-check-dtls-client-client] +CipherString = AES128-SHA +Ciphersuites = +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-169] +ExpectedResult = ClientFail +Method = DTLS + + +# =========================================================== + +[170-ciphersuite-sanity-check-dtls-server] +ssl_conf = 170-ciphersuite-sanity-check-dtls-server-ssl + +[170-ciphersuite-sanity-check-dtls-server-ssl] +server = 170-ciphersuite-sanity-check-dtls-server-server +client = 170-ciphersuite-sanity-check-dtls-server-client + +[170-ciphersuite-sanity-check-dtls-server-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = AES128-SHA +Ciphersuites = +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[170-ciphersuite-sanity-check-dtls-server-client] +CipherString = AES128-SHA +MaxProtocol = DTLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-170] +ExpectedResult = ServerFail +Method = DTLS + + diff --git a/test/ssl-tests/10-resumption.cnf b/test/ssl-tests/10-resumption.cnf index ca1f39a139d..e016f498d81 100644 --- a/test/ssl-tests/10-resumption.cnf +++ b/test/ssl-tests/10-resumption.cnf 
@@ -66,7 +66,7 @@ test-60 = 60-resumption test-61 = 61-resumption test-62 = 62-resumption test-63 = 63-resumption -test-64 = 64-resumption-with-hrr +test-64 = 64-tls13-resumption-with-hrr # =========================================================== [0-resumption] @@ -2405,27 +2405,27 @@ ResumptionExpected = Yes # =========================================================== -[64-resumption-with-hrr] -ssl_conf = 64-resumption-with-hrr-ssl +[64-tls13-resumption-with-hrr] +ssl_conf = 64-tls13-resumption-with-hrr-ssl -[64-resumption-with-hrr-ssl] -server = 64-resumption-with-hrr-server -client = 64-resumption-with-hrr-client -resume-server = 64-resumption-with-hrr-server -resume-client = 64-resumption-with-hrr-resume-client +[64-tls13-resumption-with-hrr-ssl] +server = 64-tls13-resumption-with-hrr-server +client = 64-tls13-resumption-with-hrr-client +resume-server = 64-tls13-resumption-with-hrr-server +resume-client = 64-tls13-resumption-with-hrr-resume-client -[64-resumption-with-hrr-server] +[64-tls13-resumption-with-hrr-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT Curves = P-256 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -[64-resumption-with-hrr-client] +[64-tls13-resumption-with-hrr-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer -[64-resumption-with-hrr-resume-client] +[64-tls13-resumption-with-hrr-resume-client] CipherString = DEFAULT VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index c51cca42dcb..acea0135fb9 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm 
@@ -107,7 +107,7 @@ $max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab
 sub no_tests {
 my ($dtls, $fips) = @_;
 if ($dtls && $fips) {
- return disabled("dtls1_2", "dtls1_3");
+ return alldisabled("dtls1_2", "dtls1_3");
 }
 return $dtls ? alldisabled("dtls1", "dtls1_2", "dtls1_3")
 : alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
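Review bot: no_tests carries no comment on what its return value means or why the FIPS+DTLS branch lists only dtls1_2 and dtls1_3, which is the only way it differs from the non-FIPS DTLS branch two lines below it. A header comment along the lines of `# True when none of the protocol versions this run could exercise is enabled; the FIPS branch leaves out dtls1 (presumably unavailable with the FIPS provider — confirm)` would save the next reader from re-deriving that. The changed line also deserves a one-line note that disabled() with several arguments reports any-disabled while alldisabled() is what the surrounding branches rely on, so nobody "simplifies" it back.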
@@ -181,42 +181,82 @@ sub generate_version_tests {
 }
 }
 }
- return @tests
- if disabled("tls1_3")
- || disabled("tls1_2")
- || (disabled("ec") && disabled("dh"))
- || $dtls;
-
- #Add some version/ciphersuite sanity check tests
- push @tests, {
- "name" => "ciphersuite-sanity-check-client",
- "client" => {
- #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
- "CipherString" => "AES128-SHA",
- "Ciphersuites" => "",
- },
- "server" => {
- "MaxProtocol" => "TLSv1.2"
- },
- "test" => {
- "ExpectedResult" => "ClientFail",
- }
- };
- push @tests, {
- "name" => "ciphersuite-sanity-check-server",
- "client" => {
- "CipherString" => "AES128-SHA",
- "MaxProtocol" => "TLSv1.2"
- },
- "server" => {
- #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
- "CipherString" => "AES128-SHA",
- "Ciphersuites" => "",
- },
- "test" => {
- "ExpectedResult" => "ServerFail",
- }
- };
+
+ if (!$dtls && !(disabled("tls1_3")
+ || disabled("tls1_2")
+ || (disabled("ec") && disabled("dh"))))
+ {
+ #Add some version/ciphersuite sanity check tests
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-tls-client",
+ "client" => {
+ #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ "Ciphersuites" => "",
+ },
+ "server" => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ "test" => {
+ "Method" => "TLS",
+ "ExpectedResult" => "ClientFail",
+ }
+ };
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-tls-server",
+ "client" => {
+ "CipherString" => "AES128-SHA",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ "server" => {
+ #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ "Ciphersuites" => "",
+ },
+ "test" => {
+ "Method" => "TLS",
+ "ExpectedResult" => "ServerFail",
+ }
+ };
+ }
+
+ if ($dtls && !(disabled("dtls1_3")
+ || disabled("dtls1_2")
+ || (disabled("ec") && disabled("dh"))))
+ {
+ #Add some version/ciphersuite sanity check tests
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-dtls-client",
+ "client" => {
+ #Offering only <=DTLSv1.2 ciphersuites with DTLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ "Ciphersuites" => "",
+ },
+ "server" => {
+ "MaxProtocol" => "DTLSv1.2"
+ },
+ "test" => {
+ "Method" => "DTLS",
+ "ExpectedResult" => "ClientFail",
+ }
+ };
+ push @tests, {
+ "name" => "ciphersuite-sanity-check-dtls-server",
+ "client" => {
+ "CipherString" => "AES128-SHA",
+ "MaxProtocol" => "DTLSv1.2"
+ },
+ "server" => {
+ #Allowing only <=DTLSv1.2 ciphersuites with DTLSv1.3 should fail
+ "CipherString" => "AES128-SHA",
+ "Ciphersuites" => "",
+ },
+ "test" => {
+ "Method" => "DTLS",
+ "ExpectedResult" => "ServerFail",
+ }
+ };
+ }
 return @tests;
 }
@@ -325,7 +365,7 @@ sub generate_resumption_tests {
 if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) {
 push @client_tests, {
- "name" => "resumption-with-hrr",
+ "name" => "tls13-resumption-with-hrr",
 "client" => {
 },
 "server" => {
@@ -342,6 +382,25 @@ sub generate_resumption_tests {
 };
 }
+ if (!disabled("dtls1_3") && (!disabled("ec") || !disabled("dh")) && $dtls) {
+ push @client_tests, {
+ "name" => "dtls13-resumption-with-hrr",
+ "client" => {
+ },
+ "server" => {
+ "Curves" => disabled("ec") ? "ffdhe3072" : "P-256"
+ },
+ "resume_client" => {
+ },
+ "test" => {
+ "ExpectedProtocol" => "DTLSv1.3",
+ "Method" => "DTLS",
+ "HandshakeMode" => "Resume",
+ "ResumptionExpected" => "Yes",
+ }
+ };
+ }
+
 return (@server_tests, @client_tests);
 }