-/* $OpenBSD: tlsexttest.c,v 1.66 2022/07/17 14:57:05 jsing Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.67 2022/08/04 09:28:31 tb Exp $ */
/*
* Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
#include <err.h>
+#include <openssl/tls1.h>
+
#include "ssl_locl.h"
#include "bytestring.h"
#include "ssl_tlsext.h"
+struct tls_extension_funcs {
+ int (*needs)(SSL *s, uint16_t msg_type);
+ int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
+ int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
+};
+
+const struct tls_extension *tls_extension_find(uint16_t, size_t *);
+const struct tls_extension_funcs *tlsext_funcs(const struct tls_extension *,
+ int);
+
+static const struct tls_extension_funcs *
+tls_extension_funcs(int type, int is_server)
+{
+ const struct tls_extension *ext;
+ size_t idx;
+
+ if ((ext = tls_extension_find(type, &idx)) == NULL)
+ return NULL;
+
+ return tlsext_funcs(ext, is_server);
+}
+
+static const struct tls_extension_funcs *
+tls_extension_client_funcs(int type)
+{
+ int is_server = 0;
+
+ return tls_extension_funcs(type, is_server);
+}
+
+static const struct tls_extension_funcs *
+tls_extension_server_funcs(int type)
+{
+ int is_server = 1;
+
+ return tls_extension_funcs(type, is_server);
+}
+
+static int
+tls_extension_client_needs(int type, SSL *s, uint16_t msg_type)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_client_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->needs(s, msg_type);
+}
+
+static int
+tls_extension_client_build(int type, SSL *s, uint16_t msg_type, CBB *cbb)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_client_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->build(s, msg_type, cbb);
+}
+
+static int
+tls_extension_client_parse(int type, SSL *s, uint16_t msg_type, CBS *cbs,
+ int *alert)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_client_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->parse(s, msg_type, cbs, alert);
+}
+
+static int
+tls_extension_server_needs(int type, SSL *s, uint16_t msg_type)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_server_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->needs(s, msg_type);
+}
+
+static int
+tls_extension_server_build(int type, SSL *s, uint16_t msg_type, CBB *cbb)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_server_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->build(s, msg_type, cbb);
+}
+
+static int
+tls_extension_server_parse(int type, SSL *s, uint16_t msg_type, CBS *cbs,
+ int *alert)
+{
+ const struct tls_extension_funcs *funcs;
+
+ if ((funcs = tls_extension_server_funcs(type)) == NULL)
+ return 0;
+
+ return funcs->parse(s, msg_type, cbs, alert);
+}
+
static void
hexdump(const unsigned char *buf, size_t len)
{
0x68, 0x74, 0x74, 0x70, 0x2f, 0x31, 0x2e, 0x31
};
+#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation
+
static int
test_tlsext_alpn_client(void)
{
errx(1, "failed to create SSL");
/* By default, we don't need this */
- if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need ALPN by default\n");
goto err;
}
FAIL("should be able to set ALPN to http/1.1\n");
goto err;
}
- if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need ALPN by now\n");
+ if (!tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should need ALPN by default\n");
goto err;
}
/* Make sure we can build the client with a single proto. */
- if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build ALPN\n");
goto err;
}
CBS_init(&cbs, tlsext_alpn_single_proto,
sizeof(tlsext_alpn_single_proto));
- if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse ALPN\n");
goto err;
}
FAIL("should be able to set ALPN to http/1.1\n");
goto err;
}
- if (!tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need ALPN by now\n");
goto err;
}
- if (!tlsext_alpn_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build ALPN\n");
goto err;
}
CBS_init(&cbs, tlsext_alpn_multiple_protos,
sizeof(tlsext_alpn_multiple_protos));
- if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse ALPN\n");
goto err;
}
ssl->internal->alpn_client_proto_list = NULL;
ssl->internal->alpn_client_proto_list_len = 0;
- if (tlsext_alpn_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need ALPN by default\n");
goto err;
}
errx(1, "failed to create SSL");
/* By default, ALPN isn't needed. */
- if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need ALPN by default\n");
goto err;
}
sizeof(tlsext_alpn_single_proto_name));
ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
- if (!tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need ALPN after a protocol is selected\n");
goto err;
}
/* Make sure we can build a server with one protocol */
- if (!tlsext_alpn_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server should be able to build a response\n");
goto err;
}
sizeof(tlsext_alpn_single_proto));
/* Shouldn't be able to parse without requesting */
- if (tlsext_alpn_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_alpn, ssl, SSL_TLSEXT_MSG_SH,
+ &cbs, &alert)) {
FAIL("Should only parse server if we requested it\n");
goto err;
}
FAIL("should be able to set ALPN to http/1.1\n");
goto err;
}
- if (!tlsext_alpn_server_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("Should be able to parse server when we request it\n");
goto err;
}
ssl->s3->alpn_selected = NULL;
ssl->s3->alpn_selected_len = 0;
- if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_alpn, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need ALPN by default\n");
goto err;
}
/*
* Default ciphers include EC so we need it by default.
*/
- if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need Ellipticcurves for default "
"ciphers\n");
goto err;
FAIL("client should be able to set cipher list\n");
goto err;
}
- if (tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need Ellipticcurves\n");
goto err;
}
FAIL("client should be able to set cipher list\n");
goto err;
}
- if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need Ellipticcurves\n");
goto err;
}
goto err;
ssl->session->tlsext_supportedgroups_length = 1;
- if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need Ellipticcurves\n");
goto err;
}
- if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build Ellipticcurves\n");
goto err;
}
CBS_init(&cbs, tlsext_supportedgroups_client_secp384r1,
sizeof(tlsext_supportedgroups_client_secp384r1));
- if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client Ellipticcurves\n");
goto err;
}
goto err;
ssl->internal->tlsext_supportedgroups_length = 2;
- if (!tlsext_supportedgroups_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need Ellipticcurves\n");
goto err;
}
- if (!tlsext_supportedgroups_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build Ellipticcurves\n");
goto err;
}
CBS_init(&cbs, tlsext_supportedgroups_client_nistp192and224,
sizeof(tlsext_supportedgroups_client_nistp192and224));
- if (!tlsext_supportedgroups_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client Ellipticcurves\n");
goto err;
}
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need elliptic_curves\n");
goto err;
}
if ((ssl->session = SSL_SESSION_new()) == NULL)
errx(1, "failed to create session");
- if (tlsext_supportedgroups_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_supported_groups, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need elliptic_curves\n");
goto err;
}
/*
* Default ciphers include EC so we need it by default.
*/
- if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need ECPointFormats for default "
"ciphers\n");
goto err;
FAIL("client should be able to set cipher list\n");
goto err;
}
- if (tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need ECPointFormats\n");
goto err;
}
FAIL("client should be able to set cipher list\n");
goto err;
}
- if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need ECPointFormats\n");
goto err;
}
if ((ssl->session = SSL_SESSION_new()) == NULL)
errx(1, "failed to create session");
- if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_uncompressed,
sizeof(tlsext_ecpf_hello_uncompressed));
- if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client ECPointFormats\n");
goto err;
}
ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
ssl->internal->tlsext_ecpointformatlist_length = 3;
- if (!tlsext_ecpf_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need ECPointFormats with a custom "
"format\n");
goto err;
}
- if (!tlsext_ecpf_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
sizeof(tlsext_ecpf_hello_prefer_order));
- if (!tlsext_ecpf_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client ECPointFormats\n");
goto err;
}
ssl->session->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
ssl->session->tlsext_ecpointformatlist_length = 1;
- if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_ec_point_formats, ssl, SSL_TLSEXT_MSG_SH)) {
FAIL("server should need ECPointFormats now\n");
goto err;
}
* The server will ignore the session list and use either a custom
* list or the default (uncompressed).
*/
- if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server failed to build ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prime,
sizeof(tlsext_ecpf_hello_prime));
- if (tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("must include uncompressed in server ECPointFormats\n");
goto err;
}
ssl->internal->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
ssl->internal->tlsext_ecpointformatlist_length = 3;
- if (!tlsext_ecpf_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_ec_point_formats, ssl, SSL_TLSEXT_MSG_SH)) {
FAIL("server should need ECPointFormats\n");
goto err;
}
- if (!tlsext_ecpf_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server failed to build ECPointFormats\n");
goto err;
}
CBS_init(&cbs, tlsext_ecpf_hello_prefer_order,
sizeof(tlsext_ecpf_hello_prefer_order));
- if (!tlsext_ecpf_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_ec_point_formats, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse server ECPointFormats\n");
goto err;
}
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need RI\n");
goto err;
}
goto err;
}
- if (!tlsext_ri_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
- if (!tlsext_ri_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build RI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (!tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
- if (tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (tls_extension_server_parse(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("parsed invalid client RI\n");
failure = 1;
goto err;
errx(1, "failed to create SSL");
ssl->version = TLS1_2_VERSION;
- if (tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need RI\n");
goto err;
}
ssl->s3->send_connection_binding = 1;
- if (!tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
- if (!tlsext_ri_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server failed to build RI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (!tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse server RI\n");
goto err;
}
ssl->s3->renegotiate_seen = 0;
CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
- if (tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_renegotiate, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("parsed invalid server RI\n");
goto err;
}
ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
- if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_signature_algorithms, ssl,
+ SSL_TLSEXT_MSG_CH)) {
fprintf(stderr, "FAIL: client should not need sigalgs\n");
failure = 1;
goto done;
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
- fprintf(stderr, "FAIL: client should need sigalgs\n");
+ if (!tls_extension_client_needs(TLSEXT_TYPE_signature_algorithms, ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ fprintf(stderr, "FAIL: client should need sigalgsn");
failure = 1;
goto done;
}
- if (!tlsext_sigalgs_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
- fprintf(stderr, "FAIL: client failed to build sigalgs\n");
+ if (!tls_extension_client_build(TLSEXT_TYPE_signature_algorithms, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
+ fprintf(stderr, "FAIL: client failed to build sigalgsn");
failure = 1;
goto done;
}
errx(1, "failed to finish CBB");
if (dlen != sizeof(tlsext_sigalgs_client)) {
- fprintf(stderr, "FAIL: got client sigalgs with length %zu, "
+ fprintf(stderr, "FAIL: got client sigalgs length %zu, "
"want length %zu\n", dlen, sizeof(tlsext_sigalgs_client));
failure = 1;
goto done;
}
CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- if (!tlsext_sigalgs_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_signature_algorithms, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
fprintf(stderr, "FAIL: failed to parse client SNI\n");
failure = 1;
goto done;
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_sigalgs_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(sigalgs, ssl, SSL_TLSEXT_MSG_SH)) {
fprintf(stderr, "FAIL: server should not need sigalgs\n");
failure = 1;
goto done;
}
- if (tlsext_sigalgs_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (tls_extension_server_build(sigalgs, ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
fprintf(stderr, "FAIL: server should not build sigalgs\n");
failure = 1;
goto done;
errx(1, "failed to finish CBB");
CBS_init(&cbs, tlsext_sigalgs_client, sizeof(tlsext_sigalgs_client));
- if (tlsext_sigalgs_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(sigalgs, ssl, SSL_TLSEXT_MSG_SH, &cbs,
+ &alert)) {
fprintf(stderr, "FAIL: server should not parse sigalgs\n");
failure = 1;
goto done;
CBB_init(&cbb, 0);
- if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need SNI\n");
goto err;
}
goto err;
}
- if (!tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need SNI\n");
goto err;
}
- if (!tlsext_sni_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build SNI\n");
goto err;
}
goto err;
}
- if (tlsext_sni_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need SNI\n");
goto err;
}
ssl->internal->hit = 0;
CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
- if (!tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client SNI\n");
goto err;
}
}
CBS_init(&cbs, tlsext_sni_client, sizeof(tlsext_sni_client));
- if (tlsext_sni_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (tls_extension_server_parse(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("parsed client with mismatched SNI\n");
goto err;
}
if ((ssl->session = SSL_SESSION_new()) == NULL)
errx(1, "failed to create session");
- if (tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need SNI\n");
goto err;
}
NULL)
errx(1, "failed to strdup tlsext_hostname");
- if (!tlsext_sni_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need SNI\n");
goto err;
}
- if (!tlsext_sni_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server failed to build SNI\n");
goto err;
}
ssl->session->tlsext_hostname = NULL;
CBS_init(&cbs, tlsext_sni_server, sizeof(tlsext_sni_server));
- if (!tlsext_sni_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_server_name, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse server SNI\n");
goto err;
}
CBB_init(&cbb, 0);
- if (tlsext_quic_transport_parameters_client_needs(ssl,
- SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need QUIC\n");
goto err;
}
goto err;
}
- if (tlsext_quic_transport_parameters_client_needs(ssl,
- SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need QUIC\n");
goto err;
}
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
- if (tlsext_quic_transport_parameters_client_needs(ssl,
- SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need QUIC\n");
goto err;
}
ssl->quic_method = ssl->method; /* XXX */
- if (!tlsext_quic_transport_parameters_client_needs(ssl,
- SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_CH)) {
FAIL("client should need QUIC\n");
goto err;
}
- if (!tlsext_quic_transport_parameters_client_build(ssl,
- SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build QUIC\n");
goto err;
}
CBS_init(&cbs, tlsext_quic_transport_data,
sizeof(tlsext_quic_transport_data));
- if (!tlsext_quic_transport_parameters_server_parse(ssl,
- SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("server_parse of QUIC from server failed\n");
goto err;
}
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_quic_transport_parameters_server_needs(ssl,
- SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need QUIC\n");
goto err;
}
goto err;
}
- if (tlsext_quic_transport_parameters_server_needs(ssl,
- SSL_TLSEXT_MSG_EE)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_EE)) {
FAIL("server should not need QUIC\n");
goto err;
}
ssl->quic_method = ssl->method; /* XXX */
- if (!tlsext_quic_transport_parameters_server_needs(ssl,
- SSL_TLSEXT_MSG_EE)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_EE)) {
FAIL("server should need QUIC\n");
goto err;
}
- if (!tlsext_quic_transport_parameters_server_build(ssl,
- SSL_TLSEXT_MSG_EE, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_EE, &cbb)) {
FAIL("server failed to build QUIC\n");
goto err;
}
ssl->quic_method = NULL;
- if (tlsext_quic_transport_parameters_client_parse(ssl,
- SSL_TLSEXT_MSG_EE, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_EE, &cbs, &alert)) {
FAIL("QUIC parse should have failed!\n");
goto err;
}
ssl->quic_method = ssl->method; /* XXX */
- if (!tlsext_quic_transport_parameters_client_parse(ssl,
- SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_quic_transport_parameters,
+ ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("client_parse of QUIC from server failed\n");
goto err;
}
goto err;
}
- if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA,
- out_bytes_len) != 0) {
+ if (memcmp(out_bytes, TEST_QUIC_TRANSPORT_DATA, out_bytes_len) != 0) {
FAIL("client QUIC differs from sent:\n");
fprintf(stderr, "received:\n");
hexdump(data, dlen);
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should not need ocsp\n");
+ if (tls_extension_client_needs(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should not need TLSEXT_TYPE_status_request\n");
goto err;
}
SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
- if (!tlsext_ocsp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
- FAIL("client should need ocsp\n");
+ if (!tls_extension_client_needs(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_CH)) {
+ FAIL("client should need TLSEXT_TYPE_status_request\n");
goto err;
}
- if (!tlsext_ocsp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build SNI\n");
goto err;
}
errx(1, "failed to finish CBB");
if (dlen != sizeof(tls_ocsp_client_default)) {
- FAIL("got ocsp client with length %zu, "
+ FAIL("got TLSEXT_TYPE_status_request client with length %zu, "
"want length %zu\n", dlen,
sizeof(tls_ocsp_client_default));
goto err;
}
if (memcmp(data, tls_ocsp_client_default, dlen) != 0) {
- FAIL("ocsp client differs:\n");
+ FAIL("TLSEXT_TYPE_status_request client differs:\n");
fprintf(stderr, "received:\n");
hexdump(data, dlen);
fprintf(stderr, "test data:\n");
}
CBS_init(&cbs, tls_ocsp_client_default,
sizeof(tls_ocsp_client_default));
- if (!tlsext_ocsp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
- FAIL("failed to parse ocsp client\n");
+ if (!tls_extension_server_parse(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ FAIL("failed to parse TLSEXT_TYPE_status_request client\n");
goto err;
}
if (CBS_len(&cbs) != 0) {
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should not need ocsp\n");
+ if (tls_extension_server_needs(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_SH)) {
+ FAIL("server should not need TLSEXT_TYPE_status_request\n");
goto err;
}
ssl->internal->tlsext_status_expected = 1;
- if (!tlsext_ocsp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
- FAIL("server should need ocsp\n");
+ if (!tls_extension_server_needs(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_SH)) {
+ FAIL("server should need TLSEXT_TYPE_status_request\n");
goto err;
}
- if (!tlsext_ocsp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
- FAIL("server failed to build ocsp\n");
+ if (!tls_extension_server_build(TLSEXT_TYPE_status_request, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
+ FAIL("server failed to build TLSEXT_TYPE_status_request\n");
goto err;
}
errx(1, "failed to create SSL");
/* Should need a ticket by default. */
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need Sessionticket for default "
"ciphers\n");
goto err;
FAIL("Cannot disable tickets in the TLS connection\n");
goto err;
}
- if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need SessionTicket if it was disabled\n");
goto err;
}
FAIL("Cannot re-enable tickets in the TLS connection\n");
goto err;
}
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need SessionTicket if it was disabled\n");
goto err;
}
/* Since we don't have a session, we should build an empty ticket. */
- if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("Cannot build a ticket\n");
goto err;
}
/* With a new session (but no ticket), we should still have 0 length */
if ((ssl->session = SSL_SESSION_new()) == NULL)
errx(1, "failed to create session");
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("Should still want a session ticket with a new session\n");
goto err;
}
- if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("Cannot build a ticket\n");
goto err;
}
memcpy(ssl->session->tlsext_tick, dummy, sizeof(dummy));
ssl->session->tlsext_ticklen = sizeof(dummy);
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("Should still want a session ticket with a new session\n");
goto err;
}
- if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("Cannot build a ticket\n");
goto err;
}
goto err;
}
/* Should not need a ticket in this case */
- if (tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("Should not want to use session tickets with a NULL custom\n");
goto err;
}
free(ssl->internal->tlsext_session_ticket);
ssl->internal->tlsext_session_ticket = NULL;
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("Should need a session ticket again when the custom one is removed\n");
goto err;
}
FAIL("Should be able to set a custom ticket\n");
goto err;
}
- if (!tlsext_sessionticket_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("Should need a session ticket again when the custom one is not empty\n");
goto err;
}
- if (!tlsext_sessionticket_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("Cannot build a ticket with a max length random payload\n");
goto err;
}
* By default, should not need a session ticket since the ticket
* is not yet expected.
*/
- if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need SessionTicket by default\n");
goto err;
}
FAIL("Cannot disable tickets in the TLS connection\n");
goto err;
}
- if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need SessionTicket if it was disabled\n");
goto err;
}
FAIL("Cannot re-enable tickets in the TLS connection\n");
goto err;
}
- if (tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need SessionTicket yet\n");
goto err;
}
/* Set expected to require it. */
ssl->internal->tlsext_ticket_expected = 1;
- if (!tlsext_sessionticket_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should now be required for SessionTicket\n");
goto err;
}
/* server hello's session ticket should always be 0 length payload. */
- if (!tlsext_sessionticket_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_session_ticket, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("Cannot build a ticket with a max length random payload\n");
goto err;
}
errx(1, "failed to create SSL");
/* By default, we don't need this */
- if (tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need SRTP by default\n");
goto err;
}
FAIL("should be able to set a single SRTP\n");
goto err;
}
- if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need SRTP\n");
goto err;
}
/* Make sure we can build the client with a single profile. */
- if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build SRTP\n");
goto err;
}
}
CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
- if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
goto err;
}
- if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("should send server extension when profile selected\n");
goto err;
}
FAIL("should be able to set SRTP to multiple profiles\n");
goto err;
}
- if (!tlsext_srtp_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need SRTP by now\n");
goto err;
}
- if (!tlsext_srtp_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple,
sizeof(tlsext_srtp_multiple));
- if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
goto err;
}
- if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("should send server extension when profile selected\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple_one_valid,
sizeof(tlsext_srtp_multiple_one_valid));
- if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
goto err;
}
- if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("should send server extension when profile selected\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple_invalid,
sizeof(tlsext_srtp_multiple_invalid));
- if (!tlsext_srtp_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("should be able to fall back to negotiated\n");
goto err;
}
FAIL("should not have selected a profile when none found\n");
goto err;
}
- if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("should not send server tlsext when no profile found\n");
goto err;
}
errx(1, "failed to create SSL");
/* By default, we don't need this */
- if (tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need SRTP by default\n");
goto err;
}
goto err;
}
ssl->internal->srtp_profile = prof;
- if (!tlsext_srtp_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need SRTP by now\n");
goto err;
}
/* Make sure we can build the server with a single profile. */
- if (!tlsext_srtp_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server failed to build SRTP\n");
goto err;
}
}
CBS_init(&cbs, tlsext_srtp_single, sizeof(tlsext_srtp_single));
- if (!tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse SRTP\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_multiple,
sizeof(tlsext_srtp_multiple));
- if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("should not find multiple entries from the server\n");
goto err;
}
CBS_init(&cbs, tlsext_srtp_single_invalid,
sizeof(tlsext_srtp_single_invalid));
- if (tlsext_srtp_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_use_srtp, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("should not be able to parse this\n");
goto err;
}
ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
- if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need versions\n");
failure = 1;
goto done;
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need versions\n");
failure = 1;
goto done;
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need versions\n");
failure = 1;
goto done;
ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client should have built versions\n");
failure = 1;
goto done;
}
CBS_init(&cbs, data, dlen);
- if (!tlsext_versions_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client versions\n");
failure = 1;
goto done;
ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
- if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need versions\n");
failure = 1;
goto done;
ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
- if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need versions\n");
failure = 1;
goto done;
}
- if (!tlsext_versions_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server should have built versions\n");
failure = 1;
goto done;
}
CBS_init(&cbs, data, dlen);
- if (!tlsext_versions_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_supported_versions, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse client versions\n");
failure = 1;
goto done;
errx(1, "failed to generate key share");
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need keyshare\n");
failure = 1;
goto done;
}
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need keyshare\n");
failure = 1;
goto done;
}
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client should have built keyshare\n");
failure = 1;
goto done;
(ssl)->version = TLS1_3_VERSION;
CBS_init(&cbs, data, dlen);
- if (!tlsext_keyshare_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client keyshare\n");
failure = 1;
goto done;
CBB_init(&cbb, 0);
ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
- if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need keyshare\n");
goto done;
}
ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
- if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("client should not need keyshare\n");
goto done;
}
}
ssl->s3->hs.extensions_seen |= (1 << idx);
- if (!tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should need keyshare\n");
goto done;
}
- if (tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (tls_extension_server_build(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server should not have built a keyshare response\n");
goto done;
}
goto done;
}
- if (!tlsext_keyshare_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH, &cbb)) {
FAIL("server should be able to build a keyshare response\n");
goto done;
}
CBS_init(&cbs, data, dlen);
- if (!tlsext_keyshare_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_key_share, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse server keyshare\n");
goto done;
}
errx(1, "failed to create SSL");
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need cookie\n");
failure = 1;
goto done;
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need cookie\n");
failure = 1;
goto done;
ssl->s3->hs.tls13.cookie = strdup(cookie);
ssl->s3->hs.tls13.cookie_len = strlen(cookie);
- if (!tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need cookie\n");
failure = 1;
goto done;
}
- if (!tlsext_cookie_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client should have built a cookie response\n");
failure = 1;
goto done;
CBS_init(&cbs, data, dlen);
/* Checks cookie against what's in the hs.tls13 */
- if (!tlsext_cookie_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse client cookie\n");
failure = 1;
goto done;
errx(1, "failed to create SSL");
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need cookie\n");
failure = 1;
goto done;
}
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need cookie\n");
failure = 1;
goto done;
ssl->s3->hs.tls13.cookie = strdup(cookie);
ssl->s3->hs.tls13.cookie_len = strlen(cookie);
- if (!tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_HRR)) {
+ if (!tls_extension_server_needs(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_HRR)) {
FAIL("server should need cookie\n");
failure = 1;
goto done;
}
- if (!tlsext_cookie_server_build(ssl, SSL_TLSEXT_MSG_HRR, &cbb)) {
+ if (!tls_extension_server_build(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_HRR, &cbb)) {
FAIL("server should have built a cookie response\n");
failure = 1;
goto done;
CBS_init(&cbs, data, dlen);
- if (tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (tls_extension_client_parse(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("client should not have parsed server cookie\n");
failure = 1;
goto done;
ssl->s3->hs.tls13.cookie = NULL;
ssl->s3->hs.tls13.cookie_len = 0;
- if (!tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
+ if (!tls_extension_client_parse(TLSEXT_TYPE_cookie, ssl,
+ SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
FAIL("failed to parse server cookie\n");
failure = 1;
goto done;
errx(1, "failed to create SSL");
/* Disabled by default. */
- if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need psk kex modes by default\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
- if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need psk kex modes with TLSv1.2\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should not need psk kex modes without "
"use_psk_dhe_ke\n");
goto err;
ssl->s3->hs.tls13.use_psk_dhe_ke = 1;
ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
- if (!tlsext_psk_kex_modes_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
+ if (!tls_extension_client_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH)) {
FAIL("client should need psk kex modes with TLSv1.3\n");
goto err;
}
/* Make sure we can build psk modes with DHE key establishment. */
- if (!tlsext_psk_kex_modes_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
+ if (!tls_extension_client_build(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH, &cbb)) {
FAIL("client failed to build psk kex modes\n");
goto err;
}
CBS_init(&cbs, tlsext_default_psk_modes,
sizeof(tlsext_default_psk_modes));
- if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs,
- &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
CBS_init(&cbs, tlsext_psk_only_mode, sizeof(tlsext_psk_only_mode));
- if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs,
- &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
ssl->s3->hs.tls13.use_psk_dhe_ke = 0;
CBS_init(&cbs, tlsext_psk_both_modes, sizeof(tlsext_psk_both_modes));
- if (!tlsext_psk_kex_modes_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs,
- &alert)) {
+ if (!tls_extension_server_parse(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
FAIL("failed to parse psk kex modes\n");
goto err;
}
if ((ssl = SSL_new(ssl_ctx)) == NULL)
errx(1, "failed to create SSL");
- if (tlsext_psk_kex_modes_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
+ if (tls_extension_server_needs(TLSEXT_TYPE_psk_kex_modes, ssl,
+ SSL_TLSEXT_MSG_SH)) {
FAIL("server should not need psk kex modes\n");
goto err;
}
projects / openbsd / commitdiff