Fixes for no-tls1_2 and no-tls1_2-method (c423ecaa) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

test/cipherlist_test.c

+14 −8

Original line number	Diff line number	Diff line
		@@ -105,6 +105,8 @@ static const uint32_t default_ciphers_in_order[] = {
		# endif
		#endif /* !OPENSSL_NO_TLS1_2 */

		#if !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3)
		/* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
		# ifndef OPENSSL_NO_EC
		TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		@@ -119,6 +121,7 @@ static const uint32_t default_ciphers_in_order[] = {
		# ifndef OPENSSL_NO_DH
		TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
		# endif
		#endif /* !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3) */

		#ifndef OPENSSL_NO_TLS1_2
		TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
		@@ -135,8 +138,11 @@ static const uint32_t default_ciphers_in_order[] = {
		TLS1_CK_RSA_WITH_AES_256_SHA256,
		TLS1_CK_RSA_WITH_AES_128_SHA256,
		#endif
		#if !defined(OPENSSL_NO_TLS1_2) \|\| defined(OPENSSL_NO_TLS1_3)
		/* These won't be usable if TLSv1.3 is available but TLSv1.2 isn't */
		TLS1_CK_RSA_WITH_AES_256_SHA,
		TLS1_CK_RSA_WITH_AES_128_SHA,
		#endif
		};

		static int test_default_cipherlist(SSL_CTX *ctx)

test/clienthellotest.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -81,9 +81,14 @@ static int test_client_hello(int currtest)

		switch(currtest) {
		case TEST_SET_SESSION_TICK_DATA_VER_NEG:
		#if !defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2)
		/* TLSv1.3 is enabled and TLSv1.2 is disabled so can't do this test */
		return 1;
		#else
		/* Testing for session tickets <= TLS1.2; not relevant for 1.3 */
		if (!TEST_true(SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)))
		goto end;
		#endif
		break;

		case TEST_ADD_PADDING_AND_PSK:

test/recipes/70-test_key_share.t

+24 −20

Original line number	Diff line number	Diff line
		@@ -199,6 +199,9 @@ $testtype = TRAILING_DATA;
		$proxy->start();
		ok(TLSProxy::Message->fail(), "key_share trailing data in ServerHello");

		SKIP: {
		skip "No TLSv1.2 support in this OpenSSL build", 2 if disabled("tls1_2");

		#Test 20: key_share should not be sent if the client is not capable of
		# negotiating TLSv1.3
		$proxy->clear();
		@@ -219,6 +222,7 @@ $testtype = NO_ACCEPTABLE_KEY_SHARES;
		$proxy->serverflags("-no_tls1_3");
		$proxy->start();
		ok(TLSProxy::Message->success(), "Ignore key_share for TLS<=1.2 server");
		}

		#Test 22: The server sending an HRR but not requesting a new key_share should
		# fail

test/recipes/70-test_sslcertstatus.t

+2 −1

Original line number	Diff line number	Diff line
		@@ -27,7 +27,8 @@ plan skip_all => "$test_name needs the ocsp feature enabled"
		if disabled("ocsp");

		plan skip_all => "$test_name needs TLS enabled"
		if alldisabled(available_protocols("tls"));
		if alldisabled(available_protocols("tls"))
		\|\| (!disabled("tls1_3") && disabled("tls1_2"));

		$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
		my $proxy = TLSProxy::Proxy->new(

test/recipes/70-test_sslextension.t

+23 −18

Original line number	Diff line number	Diff line
		@@ -26,6 +26,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
		plan skip_all => "$test_name needs TLS enabled"
		if alldisabled(available_protocols("tls"));

		my $no_below_tls13 = alldisabled(("tls1", "tls1_1", "tls1_2"))
		\|\| (!disabled("tls1_3") && disabled("tls1_2"));

		use constant {
		UNSOLICITED_SERVER_NAME => 0,
		UNSOLICITED_SERVER_NAME_TLS13 => 1,
		@@ -37,16 +40,12 @@ my $testtype;

		$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
		my $proxy = TLSProxy::Proxy->new(
		\&extension_filter,
		\&inject_duplicate_extension_clienthello,
		cmdstr(app(["openssl"]), display => 1),
		srctop_file("apps", "server.pem"),
		(!$ENV{HARNESS_ACTIVE} \|\| $ENV{HARNESS_VERBOSE})
		);

		# Test 1: Sending a zero length extension block should pass
		$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
		plan tests => 7;
		ok(TLSProxy::Message->success, "Zero extension length test");

		sub extension_filter
		{
		@@ -79,7 +78,6 @@ sub extension_filter
		}
		}

		# Test 2-3: Sending a duplicate extension should fail.
		sub inject_duplicate_extension
		{
		my ($proxy, $message_type) = @_;
		@@ -119,16 +117,6 @@ sub inject_duplicate_extension_serverhello
		inject_duplicate_extension($proxy, TLSProxy::Message::MT_SERVER_HELLO);
		}

		$proxy->clear();
		$proxy->filter(\&inject_duplicate_extension_clienthello);
		$proxy->start();
		ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");

		$proxy->clear();
		$proxy->filter(\&inject_duplicate_extension_serverhello);
		$proxy->start();
		ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");

		sub inject_unsolicited_extension
		{
		my $proxy = shift;
		@@ -162,8 +150,25 @@ sub inject_unsolicited_extension
		$message->repack();
		}

		# Test 1-2: Sending a duplicate extension should fail.
		$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
		plan tests => 7;
		ok(TLSProxy::Message->fail(), "Duplicate ClientHello extension");

		$proxy->clear();
		$proxy->filter(\&inject_duplicate_extension_serverhello);
		$proxy->start();
		ok(TLSProxy::Message->fail(), "Duplicate ServerHello extension");

		SKIP: {
		skip "TLS <= 1.2 disabled", 2 if alldisabled(("tls1", "tls1_1", "tls1_2"));
		skip "TLS <= 1.2 disabled", 3 if $no_below_tls13;

		#Test 3: Sending a zero length extension block should pass
		$proxy->clear();
		$proxy->filter(\&extension_filter);
		$proxy->start();
		ok(TLSProxy::Message->success, "Zero extension length test");

		#Test 4: Inject an unsolicited extension (<= TLSv1.2)
		$proxy->clear();
		$proxy->filter(\&inject_unsolicited_extension);
		@@ -183,7 +188,7 @@ SKIP: {

		SKIP: {
		skip "TLS <= 1.2 or CT disabled", 1
		if alldisabled(("tls1", "tls1_1", "tls1_2")) \|\| disabled("ct");
		if $no_below_tls13 \|\| disabled("ct");
		#Test 6: Same as above for the SCT extension which has special handling
		$proxy->clear();
		$testtype = UNSOLICITED_SCT;