From 98bdcc4f29e776e2d898a11bb9761bf9a977ab51 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Wed, 6 Mar 2024 15:00:42 +0100
Subject: [PATCH] ssl-opt.sh: Change G->m server version selection tests
Change description and dependencies before to expand G->m server version selection tests.
Signed-off-by: Ronald Cron
---
 tests/ssl-opt.sh | 81 ++++++++++++++++++++----------------------------
 1 file changed, 33 insertions(+), 48 deletions(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 8ca2312593..24ff82d474 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -6884,43 +6884,35 @@ run_test "Version check: all -> 1.2" \
 
 # Tests of version negotiation on server side against GnuTLS client
 
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_disabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Server selecting TLS 1.2" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test "Server version nego check G->m: 1.2+1.3 / 1.2 -> 1.2" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
 0 \
- -s "Protocol is TLSv1.2" \
- -c "HTTP/1.0 200 OK"
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.2"
 
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "Server selecting TLS 1.3, over TLS 1.2 if supported - compat mode enabled" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego check G->m: 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL" \
 0 \
- -s "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 OK"
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
 
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
-run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
- "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%DISABLE_TLS13_COMPAT_MODE" \
+requires_gnutls_next_disable_tls13_compat
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+run_test "Server version nego check G->m (no compat): 1.2+1.3 / (1.2)+1.3 -> 1.3" \
+ "$P_SRV" \
+ "$G_NEXT_CLI localhost --priority=NORMAL:%DISABLE_TLS13_COMPAT_MODE" \
 0 \
- -s "Protocol is TLSv1.3" \
- -c "HTTP/1.0 200 OK"
+ -S "mbedtls_ssl_handshake returned" \
+ -s "Protocol is TLSv1.3"
 
 # GnuTLS can be setup to send a ClientHello containing a supported versions
 # extension proposing TLS 1.2 (preferred) and then TLS 1.3. In that case,
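Review bot: The rewritten tests describe the client offer as `1.2+1.3`, but the GnuTLS command line no longer pins it: `--priority=NORMAL` replaces the explicit `-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2` list, and `requires_gnutls_tls1_3` is dropped from the first two tests. If the GnuTLS build or its priority configuration offered only TLS 1.3, the two `-> 1.3` tests would still pass on `-s "Protocol is TLSv1.3"` without exercising server-side version selection, which is the property a negotiation test guarding against downgrade is meant to hold. Consider keeping the offer explicit, e.g. `"$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" \`, or restoring `requires_gnutls_tls1_3` unless `run_test` already infers it from `$G_NEXT_CLI` (not visible in this hunk). A one-line comment explaining the title notation (`client / server -> result`, and what the parentheses mean) would also help, since the hunk does not define it.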
@@ -6930,37 +6922,30 @@ run_test "Server selecting TLS 1.3, over TLS 1.2 if supported" \
 # if TLS 1.2 was its preferred version. Keeping the test even if the
 # handshake fails eventually as it exercices parts of the Mbed TLS
 # implementation that are otherwise not exercised.
-requires_gnutls_tls1_3
-requires_config_enabled MBEDTLS_DEBUG_C
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-run_test "Server selecting TLS 1.2 over TLS 1.3" \
- "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key" \
+requires_all_configs_enabled MBEDTLS_SSL_SRV_C \
+ MBEDTLS_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_3 \
+ MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+run_test "Server version nego check G->m: [1.2]+1.3 / 1.2+1.3 -> 1.2" \
+ "$P_SRV" \
 "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" \
 1 \
 -c "Detected downgrade to TLS 1.2 from TLS 1.3"
 
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: cli TLS 1.0" \
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version check G->m: 1.0 / (1.2)+(1.3)" \
 "$P_SRV" \
 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.0" \
 1 \
 -s "Handshake protocol not within min/max boundaries" \
- -c "Error in protocol version" \
- -S "Protocol is TLSv1.0" \
- -C "Handshake was completed"
+ -S "Protocol is TLSv1.0"
 
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
-run_test "Not supported version check: cli TLS 1.1" \
+requires_config_enabled MBEDTLS_SSL_SRV_C
+run_test "Not supported version check G->m: 1.1 / (1.2)+(1.3)" \
 "$P_SRV" \
 "$G_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.1" \
 1 \
 -s "Handshake protocol not within min/max boundaries" \
- -c "Error in protocol version" \
- -S "Protocol is TLSv1.1" \
- -C "Handshake was completed"
+ -S "Protocol is TLSv1.1"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Not supported version check: srv max TLS 1.0" \
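Review bot: The `[1.2]+1.3 / 1.2+1.3 -> 1.2` test now runs plain `"$P_SRV"` but declares no TLS 1.2 certificate-based key exchange, unlike the `1.2+1.3 / 1.2 -> 1.2` test earlier in this patch. The expected `-c "Detected downgrade to TLS 1.2 from TLS 1.3"` presumably needs the server to get as far as a TLS 1.2 ServerHello, so in a build without such a key exchange the test would likely fail for a reason unrelated to the downgrade check. Adding `requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT` before this `run_test` would make the dependency explicit and keep it consistent with the other TLS 1.2 case. The new `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` requirement is not explained by the surrounding comment; a short why-comment next to it would help the next reader.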