From c423ecaa7f6d0cc77c4f121c6de7d585439bca8f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 9 Feb 2018 10:19:14 +0000 Subject: Fixes for no-tls1_2 and no-tls1_2-method The no-tls1_2 option does not work properly in conjunction with TLSv1.3 being enabled (which is now the default). This commit fixes the issues. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5301) --- test/recipes/70-test_key_share.t | 44 ++++++++++++++++++++---------------- test/recipes/70-test_sslcertstatus.t | 3 ++- test/recipes/70-test_sslextension.t | 41 ++++++++++++++++++--------------- test/recipes/70-test_sslmessages.t | 3 ++- test/recipes/70-test_sslsigalgs.t | 17 ++++++++------ test/recipes/80-test_ssl_new.t | 3 +++ 6 files changed, 64 insertions(+), 47 deletions(-) (limited to 'test/recipes') diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index f4cc764be2..512a3bc807 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -199,26 +199,30 @@ $testtype = TRAILING_DATA; $proxy->start(); ok(TLSProxy::Message->fail(), "key_share trailing data in ServerHello"); -#Test 20: key_share should not be sent if the client is not capable of -# negotiating TLSv1.3 -$proxy->clear(); -$proxy->filter(undef); -$proxy->clientflags("-no_tls1_3"); -$proxy->start(); -my $clienthello = $proxy->message_list->[0]; -ok(TLSProxy::Message->success() - && !defined $clienthello->extension_data->{TLSProxy::Message::EXT_KEY_SHARE}, - "No key_share for TLS<=1.2 client"); -$proxy->filter(\&modify_key_shares_filter); - -#Test 21: A server not capable of negotiating TLSv1.3 should not attempt to -# process a key_share -$proxy->clear(); -$direction = CLIENT_TO_SERVER; -$testtype = NO_ACCEPTABLE_KEY_SHARES; -$proxy->serverflags("-no_tls1_3"); -$proxy->start(); -ok(TLSProxy::Message->success(), "Ignore key_share for TLS<=1.2 server"); +SKIP: { + skip "No TLSv1.2 support in this OpenSSL build", 2 if disabled("tls1_2"); + + #Test 20: key_share should not be sent if the client is not capable of + # negotiating TLSv1.3 + $proxy->clear(); + $proxy->filter(undef); + $proxy->clientflags("-no_tls1_3"); + $proxy->start(); + my $clienthello = $proxy->message_list->[0]; + ok(TLSProxy::Message->success() + && !defined $clienthello->extension_data->{TLSProxy::Message::EXT_KEY_SHARE}, + "No key_share for TLS<=1.2 client"); + $proxy->filter(\&modify_key_shares_filter); + + #Test 21: A server not capable of negotiating TLSv1.3 should not attempt to + # process a key_share + $proxy->clear(); + $direction = CLIENT_TO_SERVER; + $testtype = NO_ACCEPTABLE_KEY_SHARES; + $proxy->serverflags("-no_tls1_3"); + $proxy->start(); + ok(TLSProxy::Message->success(), "Ignore key_share for TLS<=1.2 server"); +} #Test 22: The server sending an HRR but not requesting a new key_share should # fail diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t index da8a3e51e5..96a46ce5f4 100644 --- a/test/recipes/70-test_sslcertstatus.t +++ b/test/recipes/70-test_sslcertstatus.t @@ -27,7 +27,8 @@ plan skip_all => "$test_name needs the ocsp feature enabled" if disabled("ocsp"); plan skip_all => "$test_name needs TLS enabled" - if alldisabled(available_protocols("tls")); + if alldisabled(available_protocols("tls")) + || (!disabled("tls1_3") && disabled("tls1_2")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index d185bda78b..142ce0e64d 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -26,6 +26,9 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLS enabled" if alldisabled(available_protocols("tls")); +my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2")) + || (!disabled("tls1_3") && disabled("tls1_2")); + use constant { UNSOLICITED_SERVER_NAME => 0, UNSOLICITED_SERVER_NAME_TLS13 => 1, @@ -37,16 +40,12 @@ my $testtype; $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( - \&extension_filter, + \&inject_duplicate_extension_clienthello, cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); -# Test 1: Sending a zero length extension block should pass -$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 7; -ok(TLSProxy::Message->success, "Zero extension length test"); sub extension_filter { @@ -79,7 +78,6 @@ sub extension_filter } } -# Test 2-3: Sending a duplicate extension should fail. sub inject_duplicate_extension { my ($proxy, $message_type) = @_; @@ -119,16 +117,6 @@ sub inject_duplicate_extension_serverhello inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO); } -$proxy->clear(); -$proxy->filter(\&inject_duplicate_extension_clienthello); -$proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension"); - -$proxy->clear(); -$proxy->filter(\&inject_duplicate_extension_serverhello); -$proxy->start(); -ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); - sub inject_unsolicited_extension { my $proxy = shift; @@ -162,8 +150,25 @@ sub inject_unsolicited_extension $message->repack(); } +# Test 1-2: Sending a duplicate extension should fail. +$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +plan tests => 7; +ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension"); + +$proxy->clear(); +$proxy->filter(\&inject_duplicate_extension_serverhello); +$proxy->start(); +ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension"); + SKIP: { - skip "TLS <= 1.2 disabled", 2 if alldisabled(("tls1", "tls1_1", "tls1_2")); + skip "TLS <= 1.2 disabled", 3 if $no_below_tls13; + + #Test 3: Sending a zero length extension block should pass + $proxy->clear(); + $proxy->filter(\&extension_filter); + $proxy->start(); + ok(TLSProxy::Message->success, "Zero extension length test"); + #Test 4: Inject an unsolicited extension (<= TLSv1.2) $proxy->clear(); $proxy->filter(\&inject_unsolicited_extension); @@ -183,7 +188,7 @@ SKIP: { SKIP: { skip "TLS <= 1.2 or CT disabled", 1 - if alldisabled(("tls1", "tls1_1", "tls1_2")) || disabled("ct"); + if $no_below_tls13 || disabled("ct"); #Test 6: Same as above for the SCT extension which has special handling $proxy->clear(); $testtype = UNSOLICITED_SCT; diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t index abd6cc7d87..78d9737e54 100644 --- a/test/recipes/70-test_sslmessages.t +++ b/test/recipes/70-test_sslmessages.t @@ -26,7 +26,8 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS enabled" - if alldisabled(available_protocols("tls")); + if alldisabled(available_protocols("tls")) + || (!disabled("tls1_3") && disabled("tls1_2")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index 35531c634b..fca53aca25 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t @@ -216,13 +216,16 @@ SKIP: { "DSA/SHA2 sigalg sent for 1.3-only ClientHello"); #Test 18: signature_algorithms with backwards compatible ClientHello - $testtype = COMPAT_SIGALGS; - $dsa_status = $sha1_status = $sha224_status = 0; - $proxy->clear(); - $proxy->filter(\&modify_sigalgs_filter); - $proxy->start(); - ok($dsa_status && $sha1_status && $sha224_status, - "DSA sigalg not sent for compat ClientHello"); + SKIP: { + skip "TLSv1.2 disabled", 1 if disabled("tls1_2"); + $testtype = COMPAT_SIGALGS; + $dsa_status = $sha1_status = $sha224_status = 0; + $proxy->clear(); + $proxy->filter(\&modify_sigalgs_filter); + $proxy->start(); + ok($dsa_status && $sha1_status && $sha224_status, + "DSA sigalg not sent for compat ClientHello"); + } } SKIP: { diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 26bcb39c7b..bb60168993 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -40,6 +40,7 @@ my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2")); my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2"); my $no_tls = alldisabled(available_protocols("tls")); +my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3")); my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3); my $no_dtls = alldisabled(available_protocols("dtls")); my $no_npn = disabled("nextprotoneg"); @@ -73,6 +74,7 @@ my %conf_dependent_tests = ( # configurations. Default is $no_tls but some tests have different skip # conditions. my %skip = ( + "06-sni-ticket.conf" => $no_tls_below1_3, "07-dtls-protocol-version.conf" => $no_dtls, "08-npn.conf" => (disabled("tls1") && disabled("tls1_1") && disabled("tls1_2")) || $no_npn, @@ -87,6 +89,7 @@ my %skip = ( "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m, "15-certstatus.conf" => $no_tls || $no_ocsp, "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp, + "17-renegotiate.conf" => $no_tls_below1_3, "18-dtls-renegotiate.conf" => $no_dtls, "19-mac-then-encrypt.conf" => $no_pre_tls1_3, "20-cert-select.conf" => disabled("tls1_2") || $no_ec, -- cgit v1.2.3