From: Matt Caswell <matt@openssl.org>
Date: Wed, 26 Apr 2017 10:43:05 +0000 (+0100)
Subject: Add tests for version/ciphersuite sanity checks
X-Git-Tag: OpenSSL_1_1_1-pre1~1664
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=975922fd0c6a3089a49b9bcdcd77c672d97e36b2

Add tests for version/ciphersuite sanity checks

The previous commits added sanity checks for where the max enabled protocol
version does not have any configured ciphersuites. We should check that we
fail in those circumstances.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3316)
---

diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index f0b3030342..edc0dd2962 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -129,6 +129,37 @@ sub generate_version_tests {
             }
         }
     }
+    return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
+
+    #Add some version/ciphersuite sanity check tests
+    push @tests, {
+        "name" => "ciphersuite-sanity-check-client",
+        "client" => {
+            #Offering only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+            "CipherString" => "AES128-SHA",
+        },
+        "server" => {
+            "MaxProtocol" => "TLSv1.2"
+        },
+        "test" => {
+            "ExpectedResult" => "ClientFail",
+        }
+    };
+    push @tests, {
+        "name" => "ciphersuite-sanity-check-server",
+        "client" => {
+            "CipherString" => "AES128-SHA",
+            "MaxProtocol" => "TLSv1.2"
+        },
+        "server" => {
+            #Allowing only <=TLSv1.2 ciphersuites with TLSv1.3 should fail
+            "CipherString" => "AES128-SHA",
+        },
+        "test" => {
+            "ExpectedResult" => "ServerFail",
+        }
+    };
+
     return @tests;
 }