sync
This commit is contained in:
parent
f1b2576417
commit
2a351e0cdc
347 changed files with 9596 additions and 5486 deletions
|
@ -1,11 +1,11 @@
|
|||
# $OpenBSD: Makefile,v 1.51 2022/11/05 21:58:24 jsing Exp $
|
||||
# $OpenBSD: Makefile,v 1.52 2023/07/02 17:21:32 beck Exp $
|
||||
|
||||
SUBDIR += api
|
||||
SUBDIR += asn1
|
||||
SUBDIR += buffer
|
||||
SUBDIR += bytestring
|
||||
SUBDIR += ciphers
|
||||
SUBDIR += client
|
||||
#SUBDIR += client
|
||||
SUBDIR += dtls
|
||||
SUBDIR += exporter
|
||||
SUBDIR += handshake
|
||||
|
@ -13,7 +13,7 @@ SUBDIR += pqueue
|
|||
SUBDIR += quic
|
||||
SUBDIR += record
|
||||
SUBDIR += record_layer
|
||||
SUBDIR += server
|
||||
#SUBDIR += server
|
||||
SUBDIR += ssl
|
||||
SUBDIR += tls
|
||||
SUBDIR += tlsext
|
||||
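Review bot: `#SUBDIR += client` and `#SUBDIR += server` disable two regress directories without saying why or when they come back, so the lost coverage is invisible to anyone reading this Makefile later. A one-line comment above them, e.g. `# client/server regress disabled pending update for the TLSv1.0/1.1 removal -- TODO re-enable`, would record the intent; the reason is inferred from the rest of the commit, so adjust the wording to the actual cause.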
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: Makefile,v 1.6 2023/04/19 15:34:23 tb Exp $
|
||||
# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
|
||||
|
||||
# Connect a client to a server. Both can be current libressl, or
|
||||
# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
|
||||
|
@ -14,7 +14,7 @@ LIBRARIES += openssl11
|
|||
LIBRARIES += openssl30
|
||||
.endif
|
||||
|
||||
VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
|
||||
VERSIONS = any TLS1_2 TLS1_3
|
||||
|
||||
.for cver in ${VERSIONS}
|
||||
.for sver in ${VERSIONS}
|
||||
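Review bot: Dropping `TLS1` and `TLS1_1` from `VERSIONS` removes every interop case in which one side is pinned to TLSv1.0 or TLSv1.1, so nothing in this matrix now checks that a libressl peer refuses such a pin against openssl11/openssl30 rather than negotiating it. If the `.for cver`/`.for sver` loops can express an expected-failure case, a single negative entry would keep that property under test; if they cannot, a comment next to `VERSIONS` noting that 1.0/1.1 are intentionally untested would help. Whether the loops support expected failures is not visible in this hunk.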
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
|
||||
/* $OpenBSD: ssltest.c,v 1.41 2023/07/04 08:47:01 tb Exp $ */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
|
@ -254,6 +254,7 @@ cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen,
|
|||
* Make a copy of the selected protocol which will be freed in
|
||||
* verify_alpn.
|
||||
*/
|
||||
free(alpn_selected);
|
||||
if ((alpn_selected = malloc(*outlen)) == NULL) {
|
||||
fprintf(stderr, "malloc failed\n");
|
||||
abort();
|
||||
|
@ -336,7 +337,7 @@ sv_usage(void)
|
|||
fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
|
||||
fprintf(stderr, " -no_dhe - disable DHE\n");
|
||||
fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
|
||||
fprintf(stderr, " -dtls1 - use DTLSv1\n");
|
||||
fprintf(stderr, " -dtls1_2 - use DTLSv1.2\n");
|
||||
fprintf(stderr, " -tls1 - use TLSv1\n");
|
||||
fprintf(stderr, " -tls1_2 - use TLSv1.2\n");
|
||||
fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
|
||||
|
@ -409,7 +410,7 @@ main(int argc, char *argv[])
|
|||
int badop = 0;
|
||||
int bio_pair = 0;
|
||||
int force = 0;
|
||||
int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
|
||||
int tls1 = 0, tls1_2 = 0, dtls1_2 = 0, ret = 1;
|
||||
int client_auth = 0;
|
||||
int server_auth = 0, i;
|
||||
char *app_verify_arg = "Test Callback Argument";
|
||||
|
@ -464,8 +465,8 @@ main(int argc, char *argv[])
|
|||
no_dhe = 1;
|
||||
else if (strcmp(*argv, "-no_ecdhe") == 0)
|
||||
no_ecdhe = 1;
|
||||
else if (strcmp(*argv, "-dtls1") == 0)
|
||||
dtls1 = 1;
|
||||
else if (strcmp(*argv, "-dtls1_2") == 0)
|
||||
dtls1_2 = 1;
|
||||
else if (strcmp(*argv, "-tls1") == 0)
|
||||
tls1 = 1;
|
||||
else if (strcmp(*argv, "-tls1_2") == 0)
|
||||
|
@ -565,7 +566,7 @@ bad:
|
|||
goto end;
|
||||
}
|
||||
|
||||
if (!dtls1 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
|
||||
if (!dtls1_2 && !tls1 && !tls1_2 && number > 1 && !reuse && !force) {
|
||||
fprintf(stderr,
|
||||
"This case cannot work. Use -f to perform "
|
||||
"the test anyway (and\n-d to see what happens), "
|
||||
|
@ -588,8 +589,8 @@ bad:
|
|||
SSL_library_init();
|
||||
SSL_load_error_strings();
|
||||
|
||||
if (dtls1)
|
||||
meth = DTLSv1_method();
|
||||
if (dtls1_2)
|
||||
meth = DTLSv1_2_method();
|
||||
else if (tls1)
|
||||
meth = TLSv1_method();
|
||||
else if (tls1_2)
|
||||
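Review bot: The `-tls1` option and `else if (tls1) meth = TLSv1_method();` survive this hunk while the DTLSv1 path is replaced by `if (dtls1_2) meth = DTLSv1_2_method();`, and ssltest.sh in this same commit drops every `-tls1` invocation; if TLSv1.0 is no longer negotiable, `-tls1` is now a dead option that will fail every run rather than test anything. Either remove it the same way as `-dtls1` — the parsing branch, the `tls1` variable and the usage line `fprintf(stderr, " -tls1 - use TLSv1\n");` in sv_usage — or leave a comment saying why it is kept. Whether TLSv1_method() still works after this commit cannot be confirmed from the hunk, and main() continues outside it.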
|
|
|
@ -95,8 +95,7 @@ done
|
|||
if $openssl no-dh; then
|
||||
echo skipping anonymous DH tests
|
||||
else
|
||||
echo test tls1 with 1024bit anonymous DH, multiple handshakes
|
||||
$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
|
||||
echo skipping tls1 tests.
|
||||
fi
|
||||
|
||||
#if $openssl no-rsa; then
|
||||
|
@ -117,17 +116,16 @@ fi
|
|||
# DTLS tests
|
||||
#
|
||||
|
||||
echo test dtlsv1
|
||||
$ssltest -dtls1 $extra || exit 1
|
||||
$ssltest -dtls1_2 $extra || exit 1
|
||||
|
||||
echo test dtlsv1 with server authentication
|
||||
$ssltest -dtls1 -server_auth $CA $extra || exit 1
|
||||
echo test dtlsv1_2 with server authentication
|
||||
$ssltest -dtls1_2 -server_auth $CA $extra || exit 1
|
||||
|
||||
echo test dtlsv1 with client authentication
|
||||
$ssltest -dtls1 -client_auth $CA $extra || exit 1
|
||||
echo test dtlsv1_2 with client authentication
|
||||
$ssltest -dtls1_2 -client_auth $CA $extra || exit 1
|
||||
|
||||
echo test dtlsv1 with both client and server authentication
|
||||
$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
|
||||
echo test dtlsv1_2 with both client and server authentication
|
||||
$ssltest -dtls1_2 -server_auth -client_auth $CA $extra || exit 1
|
||||
|
||||
echo "Testing DTLS ciphersuites"
|
||||
for protocol in SSLv3; do
|
||||
|
@ -136,7 +134,7 @@ for protocol in SSLv3; do
|
|||
awk "/ $protocol / { print \\$1 }" |
|
||||
grep -v RC4`; do
|
||||
echo "Testing $cipher"
|
||||
$ssltest -cipher $cipher -dtls1
|
||||
$ssltest -cipher $cipher -dtls1_2
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Failed $cipher"
|
||||
exit 1
|
||||
|
@ -148,17 +146,17 @@ done
|
|||
# ALPN tests
|
||||
#
|
||||
echo "Testing ALPN..."
|
||||
$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server bar || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client foo -alpn_server foo \
|
||||
$ssltest -bio_pair -alpn_client foo -alpn_server bar || exit 1
|
||||
$ssltest -bio_pair -alpn_client foo -alpn_server foo \
|
||||
-alpn_expected foo || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server foo \
|
||||
$ssltest -bio_pair -alpn_client foo,bar -alpn_server foo \
|
||||
-alpn_expected foo || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo \
|
||||
$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo \
|
||||
-alpn_expected foo || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server foo,bar \
|
||||
$ssltest -bio_pair -alpn_client bar,foo -alpn_server foo,bar \
|
||||
-alpn_expected foo || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo \
|
||||
$ssltest -bio_pair -alpn_client bar,foo -alpn_server bar,foo \
|
||||
-alpn_expected bar || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo \
|
||||
$ssltest -bio_pair -alpn_client foo,bar -alpn_server bar,foo \
|
||||
-alpn_expected bar || exit 1
|
||||
$ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1
|
||||
$ssltest -bio_pair -alpn_client baz -alpn_server bar,foo || exit 1
|
||||
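Review bot: After this change the `if $openssl no-dh; then` block runs no test on either branch: the `else` arm is now only `echo skipping tls1 tests.`, so the conditional merely picks one of two "skipping" messages. The whole block could be dropped, or reduced to a comment such as `# TLSv1.0 anonymous DH tests removed along with TLSv1.0/1.1 support`; if a placeholder is wanted, the message should say the tests were removed rather than skipped, since "skipping" suggests an environment condition. In the DTLS cipher loop, `$ssltest -cipher $cipher -dtls1_2` followed by `if [ $? -ne 0 ]` could be written `if ! $ssltest -cipher $cipher -dtls1_2; then`, matching the `|| exit 1` style used elsewhere in the script.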
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: tlstest.c,v 1.1 2021/10/23 14:34:10 jsing Exp $ */
|
||||
/* $OpenBSD: tlstest.c,v 1.2 2023/07/02 17:21:33 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
|
||||
*
|
||||
|
@ -244,14 +244,6 @@ static const struct tls_test tls_tests[] = {
|
|||
.desc = "Default client and TLSv1.2 server",
|
||||
.server_max_version = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.1 server",
|
||||
.server_max_version = TLS1_1_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.0 server",
|
||||
.server_max_version = TLS1_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "Default client and default server with ECDHE KEX",
|
||||
.server_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
|
@ -261,16 +253,6 @@ static const struct tls_test tls_tests[] = {
|
|||
.server_max_version = TLS1_2_VERSION,
|
||||
.server_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.1 server with ECDHE KEX",
|
||||
.server_max_version = TLS1_1_VERSION,
|
||||
.server_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.0 server with ECDHE KEX",
|
||||
.server_max_version = TLS1_VERSION,
|
||||
.server_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and default server with DHE KEX",
|
||||
.server_ciphers = "DHE-RSA-AES128-SHA",
|
||||
|
@ -280,16 +262,6 @@ static const struct tls_test tls_tests[] = {
|
|||
.server_max_version = TLS1_2_VERSION,
|
||||
.server_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.1 server with DHE KEX",
|
||||
.server_max_version = TLS1_1_VERSION,
|
||||
.server_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.0 server with DHE KEX",
|
||||
.server_max_version = TLS1_VERSION,
|
||||
.server_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and default server with RSA KEX",
|
||||
.server_ciphers = "AES128-SHA",
|
||||
|
@ -299,73 +271,25 @@ static const struct tls_test tls_tests[] = {
|
|||
.server_max_version = TLS1_2_VERSION,
|
||||
.server_ciphers = "AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.1 server with RSA KEX",
|
||||
.server_max_version = TLS1_1_VERSION,
|
||||
.server_ciphers = "AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "Default client and TLSv1.0 server with RSA KEX",
|
||||
.server_max_version = TLS1_VERSION,
|
||||
.server_ciphers = "AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.2 client and default server",
|
||||
.client_max_version = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.1 client and default server",
|
||||
.client_max_version = TLS1_1_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.0 client and default server",
|
||||
.client_max_version = TLS1_VERSION,
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.2 client and default server with ECDHE KEX",
|
||||
.client_max_version = TLS1_2_VERSION,
|
||||
.client_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.1 client and default server with ECDHE KEX",
|
||||
.client_max_version = TLS1_1_VERSION,
|
||||
.client_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.0 client and default server with ECDHE KEX",
|
||||
.client_max_version = TLS1_VERSION,
|
||||
.client_ciphers = "ECDHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.2 client and default server with DHE KEX",
|
||||
.server_max_version = TLS1_2_VERSION,
|
||||
.client_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.1 client and default server with DHE KEX",
|
||||
.client_max_version = TLS1_1_VERSION,
|
||||
.client_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.0 client and default server with DHE KEX",
|
||||
.client_max_version = TLS1_VERSION,
|
||||
.client_ciphers = "DHE-RSA-AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.2 client and default server with RSA KEX",
|
||||
.client_max_version = TLS1_2_VERSION,
|
||||
.client_ciphers = "AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.1 client and default server with RSA KEX",
|
||||
.client_max_version = TLS1_1_VERSION,
|
||||
.client_ciphers = "AES128-SHA",
|
||||
},
|
||||
{
|
||||
.desc = "TLSv1.0 client and default server with RSA KEX",
|
||||
.client_max_version = TLS1_VERSION,
|
||||
.client_ciphers = "AES128-SHA",
|
||||
},
|
||||
};
|
||||
|
||||
#define N_TLS_TESTS (sizeof(tls_tests) / sizeof(*tls_tests))
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: tlsexttest.c,v 1.81 2023/04/27 10:53:58 tb Exp $ */
|
||||
/* $OpenBSD: tlsexttest.c,v 1.82 2023/07/05 17:30:14 tb Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
|
||||
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
|
||||
|
@ -1774,8 +1774,11 @@ static const unsigned char tlsext_sni_client[] = {
|
|||
0x6c, 0x2e, 0x6f, 0x72, 0x67,
|
||||
};
|
||||
|
||||
/* An empty array is an incomplete type and sizeof() is undefined. */
|
||||
static const unsigned char tlsext_sni_server[] = {
|
||||
0x00,
|
||||
};
|
||||
static size_t tlsext_sni_server_len = 0;
|
||||
|
||||
static int
|
||||
test_tlsext_sni_client(void)
|
||||
|
@ -1973,9 +1976,9 @@ test_tlsext_sni_server(void)
|
|||
if (!CBB_finish(&cbb, &data, &dlen))
|
||||
errx(1, "failed to finish CBB");
|
||||
|
||||
if (dlen != sizeof(tlsext_sni_server)) {
|
||||
if (dlen != tlsext_sni_server_len) {
|
||||
FAIL("got server SNI with length %zu, "
|
||||
"want length %zu\n", dlen, sizeof(tlsext_sni_server));
|
||||
"want length %zu\n", dlen, tlsext_sni_server_len);
|
||||
goto err;
|
||||
}
|
||||
|
||||
|
@ -1984,14 +1987,14 @@ test_tlsext_sni_server(void)
|
|||
fprintf(stderr, "received:\n");
|
||||
hexdump(data, dlen);
|
||||
fprintf(stderr, "test data:\n");
|
||||
hexdump(tlsext_sni_server, sizeof(tlsext_sni_server));
|
||||
hexdump(tlsext_sni_server, tlsext_sni_server_len);
|
||||
goto err;
|
||||
}
|
||||
|
||||
free(ssl->session->tlsext_hostname);
|
||||
ssl->session->tlsext_hostname = NULL;
|
||||
|
||||
CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server));
|
||||
CBS_init(&cbs, tlsext_sni_server, tlsext_sni_server_len);
|
||||
if (!client_funcs->parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
|
||||
FAIL("failed to parse server SNI\n");
|
||||
goto err;
|
||||
|
@ -3186,7 +3189,7 @@ test_tlsext_srtp_server(void)
|
|||
}
|
||||
#endif /* OPENSSL_NO_SRTP */
|
||||
|
||||
unsigned char tlsext_clienthello_default[] = {
|
||||
static const unsigned char tlsext_clienthello_default[] = {
|
||||
0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
|
||||
0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
|
||||
0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23,
|
||||
|
@ -3196,7 +3199,11 @@ unsigned char tlsext_clienthello_default[] = {
|
|||
0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
|
||||
};
|
||||
|
||||
unsigned char tlsext_clienthello_disabled[] = {};
|
||||
/* An empty array is an incomplete type and sizeof() is undefined. */
|
||||
static const unsigned char tlsext_clienthello_disabled[] = {
|
||||
0x00,
|
||||
};
|
||||
static size_t tlsext_clienthello_disabled_len = 0;
|
||||
|
||||
static int
|
||||
test_tlsext_clienthello_build(void)
|
||||
|
@ -3287,18 +3294,18 @@ test_tlsext_clienthello_build(void)
|
|||
goto err;
|
||||
}
|
||||
|
||||
if (dlen != sizeof(tlsext_clienthello_disabled)) {
|
||||
if (dlen != tlsext_clienthello_disabled_len) {
|
||||
FAIL("got clienthello extensions with length %zu, "
|
||||
"want length %zu\n", dlen,
|
||||
sizeof(tlsext_clienthello_disabled));
|
||||
tlsext_clienthello_disabled_len);
|
||||
compare_data(data, dlen, tlsext_clienthello_disabled,
|
||||
sizeof(tlsext_clienthello_disabled));
|
||||
tlsext_clienthello_disabled_len);
|
||||
goto err;
|
||||
}
|
||||
if (memcmp(data, tlsext_clienthello_disabled, dlen) != 0) {
|
||||
FAIL("clienthello extensions differs:\n");
|
||||
compare_data(data, dlen, tlsext_clienthello_disabled,
|
||||
sizeof(tlsext_clienthello_disabled));
|
||||
tlsext_clienthello_disabled_len);
|
||||
goto err;
|
||||
}
|
||||
|
||||
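Review bot: `static size_t tlsext_sni_server_len = 0;` is the only non-const piece of this fixture while the array beside it is `static const`; `static const size_t tlsext_sni_server_len = 0;` says what it is and rules out accidental writes, and the same applies to `tlsext_clienthello_disabled_len` in the hunk at @ -3196. The placeholder byte also deserves a word, since a reader will otherwise wonder why a "disabled" fixture contains data: `0x00, /* placeholder so the array has a size; the real length is *_len */`. The comment already explains the incomplete-type problem, so these two additions complete the picture.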
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: tlsfuzzer.py,v 1.49 2023/06/10 05:00:58 tb Exp $
|
||||
# $OpenBSD: tlsfuzzer.py,v 1.50 2023/07/02 17:21:33 beck Exp $
|
||||
#
|
||||
# Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
|
||||
#
|
||||
|
@ -323,6 +323,8 @@ tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
|
|||
tls12_exclude_legacy_protocols = [
|
||||
# all these have BIO_read timeouts against TLSv1.3
|
||||
"-e", "Protocol (3, 0)",
|
||||
"-e", "Protocol (3, 1)",
|
||||
"-e", "Protocol (3, 2)",
|
||||
"-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
|
||||
# the following only fail with TLSv1.3
|
||||
"-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
|
||||
|
@ -331,13 +333,20 @@ tls12_exclude_legacy_protocols = [
|
|||
"-e", "Protocol (3, 1) with x448 group",
|
||||
"-e", "Protocol (3, 2) with x448 group",
|
||||
"-e", "Protocol (3, 3) with x448 group",
|
||||
# These don't work without TLSv1.0 and TLSv1.1
|
||||
"-e", "Protocol (3, 1) with secp256r1 group",
|
||||
"-e", "Protocol (3, 1) with secp384r1 group",
|
||||
"-e", "Protocol (3, 1) with secp521r1 group",
|
||||
"-e", "Protocol (3, 1) with x25519 group",
|
||||
"-e", "Protocol (3, 2) with secp256r1 group",
|
||||
"-e", "Protocol (3, 2) with secp384r1 group",
|
||||
"-e", "Protocol (3, 2) with secp521r1 group",
|
||||
"-e", "Protocol (3, 2) with x25519 group",
|
||||
]
|
||||
|
||||
tls12_tests = TestGroup("TLSv1.2 tests", [
|
||||
# Tests that pass as they are.
|
||||
Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
|
||||
Test("test-aes-gcm-nonces.py"),
|
||||
Test("test-chacha20.py"),
|
||||
Test("test-connection-abort.py"),
|
||||
Test("test-conversation.py"),
|
||||
Test("test-cve-2016-2107.py"),
|
||||
|
@ -386,13 +395,30 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
|
|||
]
|
||||
),
|
||||
Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
|
||||
Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.0"]),
|
||||
Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
|
||||
Test(
|
||||
"test-downgrade-protection.py",
|
||||
tls12_args = ["--server-max-protocol", "TLSv1.2"],
|
||||
tls13_args = ["--server-max-protocol", "TLSv1.3"],
|
||||
tls13_args = [
|
||||
"--server-max-protocol", "TLSv1.3",
|
||||
"-e", "TLS 1.3 downgrade check for Protocol (3, 1)",
|
||||
"-e", "TLS 1.3 downgrade check for Protocol (3, 2)",
|
||||
]
|
||||
),
|
||||
Test(
|
||||
"test-fallback-scsv.py",
|
||||
tls13_args = [
|
||||
"--tls-1.3",
|
||||
"-e", "FALLBACK - hello TLSv1.1 - pos 0",
|
||||
"-e", "FALLBACK - hello TLSv1.1 - pos 1",
|
||||
"-e", "FALLBACK - hello TLSv1.1 - pos 2",
|
||||
"-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 0",
|
||||
"-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 1",
|
||||
"-e", "FALLBACK - record TLSv1.1 hello TLSv1.1 - pos 2",
|
||||
"-e", "record TLSv1.1 hello TLSv1.1",
|
||||
"-e", "sanity - TLSv1.1",
|
||||
]
|
||||
),
|
||||
Test("test-fallback-scsv.py", tls13_args = ["--tls-1.3"] ),
|
||||
|
||||
Test("test-invalid-compression-methods.py", [
|
||||
"-x", "invalid compression methods",
|
||||
|
@ -412,6 +438,8 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
|
|||
Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
|
||||
|
||||
Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
|
||||
|
||||
Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
|
||||
])
|
||||
|
||||
tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
|
||||
|
@ -549,6 +577,9 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
|
|||
|
||||
# x448 tests need disabling plus x25519 corner cases need sorting out
|
||||
Test("test-x25519.py"),
|
||||
|
||||
# Needs TLS 1.0 or 1.1
|
||||
Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
|
||||
])
|
||||
|
||||
tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
|
||||
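Review bot: The new `-e` exclusions under `tls13_args` for `test-downgrade-protection.py` and `test-fallback-scsv.py` have no comment explaining why those cases are skipped, unlike the `# These don't work without TLSv1.0 and TLSv1.1` block earlier in this file; a line such as `# TLSv1.0/1.1 are no longer negotiated, so their downgrade/fallback cases cannot run` above each list would keep the lists maintainable. The exclusions are only added to `tls13_args`; if the TLSv1.2 run of the same scripts also exercises TLSv1.1 hellos it would need the same exclusions via `args` or `tls12_args`, which cannot be confirmed from this hunk.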
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssl_versions.c,v 1.19 2022/11/26 16:08:57 tb Exp $ */
|
||||
/* $OpenBSD: ssl_versions.c,v 1.20 2023/07/02 17:21:33 beck Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
|
||||
*
|
||||
|
@ -32,43 +32,43 @@ static struct version_range_test version_range_tests[] = {
|
|||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_3_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_3_VERSION,
|
||||
},
|
||||
{
|
||||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1_3,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_3_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1_2,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_minver = 0,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1_1,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
|
||||
|
@ -81,15 +81,15 @@ static struct version_range_test version_range_tests[] = {
|
|||
.options = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_minver = 0,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_minver = 0,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
|
||||
|
@ -119,14 +119,14 @@ static struct version_range_test version_range_tests[] = {
|
|||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
.options = 0,
|
||||
.minver = TLS1_1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.want_minver = TLS1_1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_2_VERSION,
|
||||
},
|
||||
{
|
||||
|
@ -140,14 +140,14 @@ static struct version_range_test version_range_tests[] = {
|
|||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_3_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_3_VERSION,
|
||||
},
|
||||
{
|
||||
.options = 0,
|
||||
.minver = TLS1_1_VERSION,
|
||||
.maxver = TLS1_3_VERSION,
|
||||
.want_minver = TLS1_1_VERSION,
|
||||
.want_minver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_3_VERSION,
|
||||
},
|
||||
{
|
||||
|
@ -168,15 +168,15 @@ static struct version_range_test version_range_tests[] = {
|
|||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_1_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_minver = 0,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.options = 0,
|
||||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_VERSION,
|
||||
.want_minver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_minver = 0,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
};
|
||||
|
||||
|
@ -276,7 +276,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -284,7 +284,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -316,7 +316,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -324,7 +324,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -340,7 +340,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -356,7 +356,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -372,7 +372,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_1_VERSION,
|
||||
.peerver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLS_method,
|
||||
|
@ -380,7 +380,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_VERSION,
|
||||
.peerver = TLS1_2_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLSv1_method,
|
||||
|
@ -388,7 +388,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_VERSION,
|
||||
.want_maxver = TLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = TLSv1_method,
|
||||
|
@ -404,7 +404,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = TLS1_1_VERSION,
|
||||
.want_maxver = TLS1_1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = DTLS_method,
|
||||
|
@ -412,7 +412,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = DTLS1_VERSION,
|
||||
.want_maxver = DTLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = DTLS_method,
|
||||
|
@ -436,7 +436,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_1_VERSION,
|
||||
.maxver = TLS1_1_VERSION,
|
||||
.peerver = DTLS1_2_VERSION,
|
||||
.want_maxver = DTLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
{
|
||||
.ssl_method = DTLSv1_2_method,
|
||||
|
@ -476,7 +476,7 @@ static struct shared_version_test shared_version_tests[] = {
|
|||
.minver = TLS1_1_VERSION,
|
||||
.maxver = TLS1_2_VERSION,
|
||||
.peerver = DTLS1_2_VERSION,
|
||||
.want_maxver = DTLS1_VERSION,
|
||||
.want_maxver = 0,
|
||||
},
|
||||
};
|
||||
|
||||
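Review bot: `.want_minver = 0, .want_maxver = 0` introduces a new convention in `version_range_tests` — 0 apparently standing for "no usable version range" — but nothing in the table says so, and the same value appears in the hunks at @ -81 and @ -168 and as `.want_maxver = 0` throughout `shared_version_tests`. A comment at the first such entry, e.g. `/* want_minver/want_maxver of 0: no version in the range survives the options */`, or a named constant, would make the expected-failure entries readable without consulting the harness. The tables begin and end outside the hunks, and how a 0 expectation is checked is not visible here.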
|
|