From: Frederik Wedel-Heinen Date: Mon, 22 Apr 2024 17:59:27 +0000 (+0200) Subject: Run some failing tests with DTLS1.2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d888cb864677aef68752fe10c37d268cf2eb6126;p=thirdparty%2Fopenssl.git Run some failing tests with DTLS1.2 Reviewed-by: Tomas Mraz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22275) --- diff --git a/fuzz/dtlsclient.c b/fuzz/dtlsclient.c index 0e239d991d8..85fb1144d6d 100644 --- a/fuzz/dtlsclient.c +++ b/fuzz/dtlsclient.c @@ -72,6 +72,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) if (client == NULL) goto end; OPENSSL_assert(SSL_set_min_proto_version(client, 0) == 1); + /** + * TODO(DTLSv1.3): Fuzzing fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ + OPENSSL_assert(SSL_set_max_proto_version(client, DTLS1_2_VERSION) == 1); OPENSSL_assert(SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") == 1); SSL_set_tlsext_host_name(client, "localhost"); in = BIO_new(BIO_s_mem()); diff --git a/test/dtls_mtu_test.c b/test/dtls_mtu_test.c index b11d5e34613..740c7fa6a96 100644 --- a/test/dtls_mtu_test.c +++ b/test/dtls_mtu_test.c @@ -66,6 +66,13 @@ static int mtu_test(SSL_CTX *ctx, const char *cs, int no_etm) if (no_etm) SSL_set_options(srvr_ssl, SSL_OP_NO_ENCRYPT_THEN_MAC); + /** + * TODO(DTLSv1.3): Tests fails with + * SSL routines:tls_psk_do_binder:binder does not verify: + * ../ssl/statem/extensions.c:1690: + */ + OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1); + if (!TEST_true(SSL_set_cipher_list(srvr_ssl, cs)) || !TEST_true(SSL_set_cipher_list(clnt_ssl, cs)) || !TEST_ptr(sc_bio = SSL_get_rbio(srvr_ssl)) 
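Review bot: The cap added after `SSL_set_min_proto_version(client, 0)` takes the DTLS 1.3 client handshake out of this fuzz target, and the TODO does not say what must be fixed before it can be lifted or where that is tracked. The recorded failure is an internal assertion (`s->hello_retry_request == SSL_HRR_PENDING`) hit while the client processes peer data, so until it is fixed a DTLS 1.3 client may abort on input it should reject cleanly; that deserves its own tracked fix, not only a test workaround. The same assertion is quoted in the TODOs for `test_dtls_drop_records`, `test_cookie` and `test_listen` in test/dtlstest.c, so one reference would cover all four. I would extend the comment with a line such as `* Remove this cap once the HRR state assertion is fixed (tracking: <issue-ref>).` FuzzerTestOneInput starts and ends outside the hunk.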
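Review bot: `OPENSSL_assert` aborts the whole test program if the call fails, whereas the checks around it in `mtu_test` report through the `TEST_*` macros; the new cap should do the same. Here it can join the condition directly below it: `if (!TEST_true(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION)) || !TEST_true(SSL_set_cipher_list(srvr_ssl, cs))`. The hunk in `test_server_mtu_larger_than_max_fragment_length` has the same issue and can use `if (!TEST_true(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION))) goto end;`. Both functions continue outside their hunks.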
@@ -212,6 +219,13 @@ static int test_server_mtu_larger_than_max_fragment_length(void) NULL, NULL))) goto end; + /** + * TODO(DTLSv1.3): Test fails with + * SSL routines:tls_psk_do_binder:binder does not verify: + * ../ssl/statem/extensions.c:1690: + */ + OPENSSL_assert(SSL_set_max_proto_version(clnt_ssl, DTLS1_2_VERSION) == 1); + SSL_set_options(srvr_ssl, SSL_OP_NO_QUERY_MTU); if (!TEST_true(DTLS_set_link_mtu(srvr_ssl, 1500))) goto end; diff --git a/test/dtlstest.c b/test/dtlstest.c index 011d8775c15..15aae92df9f 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -77,9 +77,15 @@ static int test_dtls_unprocessed(int testidx) timer_cb_count = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * # No progress made + * # ERROR: (bool) 'create_bare_ssl_connection(serverssl1, clientssl1, + * SSL_ERROR_NONE, 0, 0) == true' failed @ ../test/dtlstest.c:128 + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -199,9 +205,14 @@ static int test_dtls_drop_records(int idx) int cli_to_srv_cookie, cli_to_srv_epoch0, cli_to_srv_epoch1; int srv_to_cli_epoch0; + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; 
@@ -312,9 +323,14 @@ static int test_cookie(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -352,9 +368,13 @@ static int test_dtls_duplicate_records(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * dtls1_read_bytes:unexpected record:../ssl/record/rec_layer_d1.c:609: + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -484,9 +504,12 @@ static int test_swap_records(int idx) char msg[] = { 0x00, 0x01, 0x02, 0x03 }; char buf[10]; + /** + * TODO(DTLSv1.3): Tests fails + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; @@ -594,9 +617,14 @@ static int test_listen(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; + /** + * TODO(DTLSv1.3): Tests fails with + * ssl/statem/extensions_clnt.c:624: OpenSSL internal error: + * Assertion failed: s->hello_retry_request == SSL_HRR_PENDING + */ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), - DTLS1_VERSION, 0, + DTLS1_VERSION, DTLS1_2_VERSION, &sctx, &cctx, cert, privkey))) return 0; diff --git a/test/ssl-tests/29-dtls-sctp-label-bug.cnf b/test/ssl-tests/29-dtls-sctp-label-bug.cnf index 24f9e04f16d..d0b306cef40 100644 --- a/test/ssl-tests/29-dtls-sctp-label-bug.cnf +++ b/test/ssl-tests/29-dtls-sctp-label-bug.cnf 
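Review bot: With the maximum version set to `DTLS1_2_VERSION` in the `create_ssl_ctx_pair` call of `test_dtls_duplicate_records`, duplicate-record handling is no longer exercised for DTLS 1.3, and the TODO only quotes the error string. The quoted `dtls1_read_bytes:unexpected record` failure looks like the 1.3 path treating a repeated record as an error instead of discarding it, though that cannot be confirmed from the hunk. If that is the cause, the comment should say so, e.g. `* Presumably duplicate records are not yet discarded under DTLS 1.3; lift the cap once they are.` The function body continues outside the hunk.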
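Review bot: The TODO above the `create_ssl_ctx_pair` call in `test_swap_records` says only `Tests fails`, while every other cap in this commit quotes the error it works around. Without the failure text nobody can tell later whether the underlying problem has been fixed and the cap can go. Please record the observed error the way the other comments do, for example `* TODO(DTLSv1.3): Test fails with <observed error line>`. The function body continues outside the hunk.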
@@ -72,6 +72,7 @@ client = 2-SCTPLabelBug-bad1-client [2-SCTPLabelBug-bad1-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-SCTPLabelBug-bad1-client] @@ -99,6 +100,7 @@ client = 3-SCTPLabelBug-bad2-client [3-SCTPLabelBug-bad2-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT +MaxProtocol = DTLSv1.2 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-SCTPLabelBug-bad2-client] diff --git a/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in b/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in index f14e68139d3..a28ab8c4a44 100644 --- a/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in +++ b/test/ssl-tests/29-dtls-sctp-label-bug.cnf.in @@ -42,7 +42,9 @@ our @tests = ( }, { name => "SCTPLabelBug-bad1", - server => {}, + server => { + MaxProtocol => "DTLSv1.2" + }, client => {}, test => { "Method" => "DTLS", @@ -54,7 +56,9 @@ our @tests = ( }, { name => "SCTPLabelBug-bad2", - server => {}, + server => { + MaxProtocol => "DTLSv1.2" + }, client => {}, test => { "Method" => "DTLS",
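Review bot: The `MaxProtocol => "DTLSv1.2"` entries added to the `SCTPLabelBug-bad1` and `SCTPLabelBug-bad2` servers in the `.cnf.in` template carry no `TODO(DTLSv1.3)` marker, unlike every cap in the C files of this commit. A later search for that tag to lift the workarounds will miss this template, and the reason these two cases need the cap is not recorded. A comment line above each entry would do, e.g. `# TODO(DTLSv1.3): remove once this test passes with DTLS 1.3`.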