authorMatt Caswell <matt@openssl.org>2018-02-09 10:19:14 +0000
committerMatt Caswell <matt@openssl.org>2018-02-09 17:44:43 +0000
commitc423ecaa7f6d0cc77c4f121c6de7d585439bca8f (patch)
tree8dd31481afb05f8febe065821ad74a0e17ea02df /test/recipes
parent83739b39e55fcdd9dd395bc619b1b7fafcc32f5c (diff)
Fixes for no-tls1_2 and no-tls1_2-method
The no-tls1_2 option does not work properly in conjunction with TLSv1.3 being enabled (which is now the default). This commit fixes the issues. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5301)
Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/70-test_key_share.t44
-rw-r--r--test/recipes/70-test_sslcertstatus.t3
-rw-r--r--test/recipes/70-test_sslextension.t41
-rw-r--r--test/recipes/70-test_sslmessages.t3
-rw-r--r--test/recipes/70-test_sslsigalgs.t17
-rw-r--r--test/recipes/80-test_ssl_new.t3
6 files changed, 64 insertions, 47 deletions
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index f4cc764be2..512a3bc807 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -199,26 +199,30 @@ $testtype = TRAILING_DATA;
$proxy->start();
ok(TLSProxy::Message->fail(), "key_share trailing data in ServerHello");
-#Test 20: key_share should not be sent if the client is not capable of
-# negotiating TLSv1.3
-$proxy->clear();
-$proxy->filter(undef);
-$proxy->clientflags("-no_tls1_3");
-$proxy->start();
-my $clienthello = $proxy->message_list->[0];
-ok(TLSProxy::Message->success()
- && !defined $clienthello->extension_data->{TLSProxy::Message::EXT_KEY_SHARE},
- "No key_share for TLS<=1.2 client");
-$proxy->filter(\&modify_key_shares_filter);
-
-#Test 21: A server not capable of negotiating TLSv1.3 should not attempt to
-# process a key_share
-$proxy->clear();
-$direction = CLIENT_TO_SERVER;
-$testtype = NO_ACCEPTABLE_KEY_SHARES;
-$proxy->serverflags("-no_tls1_3");
-$proxy->start();
-ok(TLSProxy::Message->success(), "Ignore key_share for TLS<=1.2 server");
+SKIP: {
+ skip "No TLSv1.2 support in this OpenSSL build", 2 if disabled("tls1_2");
+
+ #Test 20: key_share should not be sent if the client is not capable of
+ # negotiating TLSv1.3
+ $proxy->clear();
+ $proxy->filter(undef);
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->start();
+ my $clienthello = $proxy->message_list->[0];
+ ok(TLSProxy::Message->success()
+ && !defined $clienthello->extension_data->{TLSProxy::Message::EXT_KEY_SHARE},
+ "No key_share for TLS<=1.2 client");
+ $proxy->filter(\&modify_key_shares_filter);
+
+ #Test 21: A server not capable of negotiating TLSv1.3 should not attempt to
+ # process a key_share
+ $proxy->clear();
+ $direction = CLIENT_TO_SERVER;
+ $testtype = NO_ACCEPTABLE_KEY_SHARES;
+ $proxy->serverflags("-no_tls1_3");
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Ignore key_share for TLS<=1.2 server");
+}
#Test 22: The server sending an HRR but not requesting a new key_share should
# fail
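Review bot: The new SKIP block is guarded only by `disabled("tls1_2")`, although Tests 20 and 21 are described as TLS<=1.2 cases, and nothing in the block explains why having TLSv1.0/1.1 compiled in is not enough to run them. Going by the commit description, a build with TLSv1.3 enabled and TLSv1.2 disabled presumably cannot negotiate anything below 1.3, so I would add a comment above the `skip` line such as `# With TLSv1.3 enabled and TLSv1.2 disabled no lower version is usable, so -no_tls1_3 leaves nothing to negotiate`. Also, `my $clienthello` is now scoped to the block; confirm that nothing after Test 21 (outside this hunk) still reads it.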
diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t
index da8a3e51e5..96a46ce5f4 100644
--- a/test/recipes/70-test_sslcertstatus.t
+++ b/test/recipes/70-test_sslcertstatus.t
@@ -27,7 +27,8 @@ plan skip_all => "$test_name needs the ocsp feature enabled"
if disabled("ocsp");
plan skip_all => "$test_name needs TLS enabled"
- if alldisabled(available_protocols("tls"));
+ if alldisabled(available_protocols("tls"))
+ || (!disabled("tls1_3") && disabled("tls1_2"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
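Review bot: The added clause `|| (!disabled("tls1_3") && disabled("tls1_2"))` reuses the message "$test_name needs TLS enabled", which is misleading in exactly the case it adds, because TLS is enabled there and only TLSv1.2 is missing. A separate statement, `plan skip_all => "$test_name needs TLSv1.2 when TLSv1.3 is enabled" if !disabled("tls1_3") && disabled("tls1_2");`, would tell whoever reads the test log why the recipe did not run. The identical change in 70-test_sslmessages.t has the same problem. Because the whole file is skipped, such a build gets no certificate-status coverage from this recipe, which is worth stating in a comment so the gap is a recorded decision.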
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t
index d185bda78b..142ce0e64d 100644
--- a/test/recipes/70-test_sslextension.t
+++ b/test/recipes/70-test_sslextension.t
@@ -26,6 +26,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS enabled"
if alldisabled(available_protocols("tls"));
+my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2"))
+ || (!disabled("tls1_3") && disabled("tls1_2"));
+
use constant {
UNSOLICITED_SERVER_NAME => 0,
UNSOLICITED_SERVER_NAME_TLS13 => 1,
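Review bot: `$no_below_tls13` is also true when TLSv1.0 and TLSv1.1 are compiled in but TLSv1.2 is not (with TLSv1.3 enabled), so neither the name nor the later skip messages ("TLS <= 1.2 disabled", "TLS <= 1.2 or CT disabled") describe the second half of the condition. A comment above the declaration would make the intent explicit, for example `# True when nothing below TLSv1.3 can be negotiated: all of tls1/tls1_1/tls1_2 disabled, or tls1_2 disabled while tls1_3 is enabled`. The same predicate is spelled out again in 70-test_sslcertstatus.t and 70-test_sslmessages.t, and as `$no_tls_below1_3` in 80-test_ssl_new.t. A single shared helper would keep these copies from drifting apart.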
@@ -37,16 +40,12 @@ my $testtype;
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
- \&extension_filter,
+ \&inject_duplicate_extension_clienthello,
cmdstr(app(["openssl"]), display => 1),
srctop_file("apps", "server.pem"),
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
-# Test 1: Sending a zero length extension block should pass
-$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 7;
-ok(TLSProxy::Message->success, "Zero extension length test");
sub extension_filter
{
@@ -79,7 +78,6 @@ sub extension_filter
}
}
-# Test 2-3: Sending a duplicate extension should fail.
sub inject_duplicate_extension
{
my ($proxy, $message_type) = @_;
@@ -119,16 +117,6 @@ sub inject_duplicate_extension_serverhello
inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
}
-$proxy->clear();
-$proxy->filter(\&inject_duplicate_extension_clienthello);
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");
-
-$proxy->clear();
-$proxy->filter(\&inject_duplicate_extension_serverhello);
-$proxy->start();
-ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");
-
sub inject_unsolicited_extension
{
my $proxy = shift;
@@ -162,8 +150,25 @@ sub inject_unsolicited_extension
$message->repack();
}
+# Test 1-2: Sending a duplicate extension should fail.
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 7;
+ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");
+
+$proxy->clear();
+$proxy->filter(\&inject_duplicate_extension_serverhello);
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");
+
SKIP: {
- skip "TLS <= 1.2 disabled", 2 if alldisabled(("tls1", "tls1_1", "tls1_2"));
+ skip "TLS <= 1.2 disabled", 3 if $no_below_tls13;
+
+ #Test 3: Sending a zero length extension block should pass
+ $proxy->clear();
+ $proxy->filter(\&extension_filter);
+ $proxy->start();
+ ok(TLSProxy::Message->success, "Zero extension length test");
+
#Test 4: Inject an unsolicited extension (<= TLSv1.2)
$proxy->clear();
$proxy->filter(\&inject_unsolicited_extension);
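Review bot: Test 1 now relies on the filter passed to `TLSProxy::Proxy->new()` earlier in the file, while every other test in this hunk installs its filter with `$proxy->filter(...)` immediately before `$proxy->start()`. A comment at the first `start()` would save the reader the search, for example `# Filter for Test 1 (inject_duplicate_extension_clienthello) was installed by the constructor`. That first `start()` also serves as the "can the proxy run at all" probe through `or plan skip_all`, yet it now drives a handshake that is expected to fail. This assumes `start()` reports startup success independently of the handshake outcome, which is not visible here and should be confirmed. The SKIP block continues past the end of this hunk.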
@@ -183,7 +188,7 @@ SKIP: {
SKIP: {
skip "TLS <= 1.2 or CT disabled", 1
- if alldisabled(("tls1", "tls1_1", "tls1_2")) || disabled("ct");
+ if $no_below_tls13 || disabled("ct");
#Test 6: Same as above for the SCT extension which has special handling
$proxy->clear();
$testtype = UNSOLICITED_SCT;
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index abd6cc7d87..78d9737e54 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -26,7 +26,8 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS enabled"
- if alldisabled(available_protocols("tls"));
+ if alldisabled(available_protocols("tls"))
+ || (!disabled("tls1_3") && disabled("tls1_2"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 35531c634b..fca53aca25 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -216,13 +216,16 @@ SKIP: {
"DSA/SHA2 sigalg sent for 1.3-only ClientHello");
#Test 18: signature_algorithms with backwards compatible ClientHello
- $testtype = COMPAT_SIGALGS;
- $dsa_status = $sha1_status = $sha224_status = 0;
- $proxy->clear();
- $proxy->filter(\&modify_sigalgs_filter);
- $proxy->start();
- ok($dsa_status && $sha1_status && $sha224_status,
- "DSA sigalg not sent for compat ClientHello");
+ SKIP: {
+ skip "TLSv1.2 disabled", 1 if disabled("tls1_2");
+ $testtype = COMPAT_SIGALGS;
+ $dsa_status = $sha1_status = $sha224_status = 0;
+ $proxy->clear();
+ $proxy->filter(\&modify_sigalgs_filter);
+ $proxy->start();
+ ok($dsa_status && $sha1_status && $sha224_status,
+ "DSA sigalg not sent for compat ClientHello");
+ }
}
SKIP: {
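Review bot: The new inner block is labelled `SKIP` inside an enclosing `SKIP` block whose `skip` count lies outside this hunk, and that count must still include Test 18 for the plan to stay correct when the outer condition fires. A short comment on the inner block would record this, for example `# Nested SKIP: skips only Test 18, which is still counted in the enclosing block's total`. The `#Test 18` comment now sits outside the block it describes; moving it inside, next to the `skip` line, would keep the description and the guard together.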
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 26bcb39c7b..bb60168993 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -40,6 +40,7 @@ my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
+my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
@@ -73,6 +74,7 @@ my %conf_dependent_tests = (
# configurations. Default is $no_tls but some tests have different skip
# conditions.
my %skip = (
+ "06-sni-ticket.conf" => $no_tls_below1_3,
"07-dtls-protocol-version.conf" => $no_dtls,
"08-npn.conf" => (disabled("tls1") && disabled("tls1_1")
&& disabled("tls1_2")) || $no_npn,
@@ -87,6 +89,7 @@ my %skip = (
"14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m,
"15-certstatus.conf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
+ "17-renegotiate.conf" => $no_tls_below1_3,
"18-dtls-renegotiate.conf" => $no_dtls,
"19-mac-then-encrypt.conf" => $no_pre_tls1_3,
"20-cert-select.conf" => disabled("tls1_2") || $no_ec,
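Review bot: The two new entries use `$no_tls_below1_3`, but `"19-mac-then-encrypt.conf"` just below still uses `$no_pre_tls1_3`, which does not cover the TLSv1.2-disabled, TLSv1.3-enabled build this commit is about. If that configuration also needs a pre-1.3 handshake it may fail in the same way, so it is worth confirming whether it should switch to the new variable. The two names differ only in word order and are declared on adjacent lines in the first hunk of this file. A comment on each declaration would help, for example `# also true when tls1_2 is disabled but tls1_3 is enabled` on `$no_tls_below1_3` and `# true only when every pre-1.3 protocol is disabled` on `$no_pre_tls1_3`.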