### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
+ Typically if OpenSSL has no EC or DH algorithms then it cannot support
+ connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
+ through providers. Therefore third party providers may supply group
+ implementations even where there are no built-in ones. Attempting to create
+ TLS connections in such a build without also disabling TLSv1.3 at run time or
+ using third party provider groups may result in handshake failures. TLSv1.3
+ can be disabled at compile time using the "no-tls1_3" Configure option.
+
+ *Matt Caswell*
+
* The undocumented function X509_certificate_type() has been deprecated;
applications can use X509_get0_pubkey() and X509_get0_signature() to
get the same information.
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
- sub { $disabled{"ec"} && $disabled{"dh"} }
- => [ "tls1_3" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
"dtls" => [ @dtls ],
}
int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
-const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile)
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile)
{
SSL_CTX *serverctx = NULL;
SSL_CTX *clientctx = NULL;
- if (*sctx != NULL)
- serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
- goto err;
+ if (sctx != NULL) {
+ if (*sctx != NULL)
+ serverctx = *sctx;
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
+ goto err;
+ }
if (cctx != NULL) {
if (*cctx != NULL)
goto err;
}
- if ((min_proto_version > 0
- && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
- min_proto_version)))
- || (max_proto_version > 0
- && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
- max_proto_version))))
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /*
+ * There are no usable built-in TLSv1.3 groups if ec and dh are both
+ * disabled
+ */
+ if (max_proto_version == 0
+ && (sm == TLS_server_method() || cm == TLS_client_method()))
+ max_proto_version = TLS1_2_VERSION;
+#endif
+
+ if (serverctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
goto err;
if (clientctx != NULL
&& ((min_proto_version > 0
max_proto_version)))))
goto err;
- if (certfile != NULL && privkeyfile != NULL) {
+ if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) {
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx,
goto err;
}
- *sctx = serverctx;
+ if (sctx != NULL)
+ *sctx = serverctx;
if (cctx != NULL)
*cctx = clientctx;
return 1;
err:
- if (*sctx == NULL)
+ if (sctx != NULL && *sctx == NULL)
SSL_CTX_free(serverctx);
if (cctx != NULL && *cctx == NULL)
SSL_CTX_free(clientctx);
}
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 3: Check that sending multiple compression methods in a TLSv1.3
# ClientHello fails
$proxy->clear();
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
+plan skip_all => "$test_name needs EC or DH enabled"
+ if disabled("ec") && disabled("dh");
+
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->serverconnects(1 + scalar(@test_offsets));
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
$bad_padding_offset = $offset;
$fatal_alert = 0;
$proxy->clearClient();
+ $proxy->clientflags("-no_tls1_3");
$proxy->clientstart();
ok($fatal_alert, "Invalid padding byte $bad_padding_offset");
}
$fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_serverhello);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Duplicate ServerHello extension");
$proxy->clear();
$proxy->filter(\&extension_filter);
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
+ $proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success, "Zero extension length test");
}
SKIP: {
- skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 7: Inject an unsolicited extension (TLSv1.3)
$fatal_alert = 0;
$proxy->clear();
# ignore it in a ClientHello
$proxy->clear();
$proxy->filter(\&inject_cryptopro_extension);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello");
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 20;
ok($fatal_alert, "Out of context empty records test");
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Too many in context empty records test");
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Fragmented alert records test");
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
$fatal_alert = 0;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok($fatal_alert, "Unrecognised record type in TLS1.2");
#TLS1.3 specific tests
SKIP: {
- skip "TLSv1.3 disabled", 8 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 8
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 13: Sending a different record version in TLS1.3 should fail
$proxy->clear();
# the sigalgs
#Test 1: Default sig algs should succeed
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
SKIP: {
- skip "TLSv1.3 disabled", 6 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 6
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$proxy->filter(\&sigalgs_filter);
my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3")
+ || disabled("dsa")
+ || (disabled("ec") && disabled("dh"));
#Test 20: signature_algorithms with 1.3-only ClientHello
$testtype = PURE_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
}
SKIP: {
- skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 5
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 22: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
$proxy->clear();
$proxy->filter(\&modify_sigalgs_cert_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
-}
-SKIP: {
- skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
#Test 25: Send an unrecognized signature_algorithms_cert
# We should be able to skip over the unrecognized value and use a
# valid one that appears later in the list.
#Test 1: No corruption should succeed
my $testtype = NO_CORRUPTION;
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 4;
ok(TLSProxy::Message->success, "No corruption");
SKIP: {
- skip "TLSv1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail
$proxy->clear();
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
- if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2")
+ || disabled("tls1_1");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
- if disabled("tls1_3") || disabled("tls1_2");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-my $numtests = 9;
-$numtests++ if (!disabled("tls1_3"));
-plan tests => $numtests;
+plan tests => 10;
checkmessages(1, "Default extended master secret test", 1, 1, 1);
#Test 2: If client omits extended master secret extension, server should too.
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;
-#Test 10: In TLS1.3 we should not negotiate extended master secret
-#Expected result: ClientHello extension seen; ServerHello extension not seen
-# TLS1.3 handshake (will appear as abbreviated handshake
-# because of no CKE message)
-if (!disabled("tls1_3")) {
+SKIP: {
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+
+ #Test 10: In TLS1.3 we should not negotiate extended master secret
+ #Expected result: ClientHello extension seen; ServerHello extension not seen
+ # TLS1.3 handshake (will appear as abbreviated handshake
+ # because of no CKE message)
clearall();
setrmextms(0, 0);
$proxy->start();
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
- !disabled("tls1_3"));
+ !disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
+if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
+ $no_tls = 1;
+}
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
- "21-key-update.cnf" => disabled("tls1_3"),
+ "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
- "24-padding.cnf" => disabled("tls1_3"),
+ "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
- "26-tls13_client_auth.cnf" => disabled("tls1_3"),
+ "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
anydisabled qw/rsa dsa dh ec psk
ssl3 tls1 tls1_1 tls1_2 tls1_3
dtls dtls1 dtls1_2 ct/;
+#If ec and dh are disabled then don't use TLSv1.3
+$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh);
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3") || disabled("shared");
+ if disabled("tls1_3")
+ || disabled("shared")
+ || (disabled("ec") && disabled("dh"));
plan tests => 1;
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK)
return 1;
static char *cert = NULL;
static char *privkey = NULL;
+#if defined(OPENSSL_NO_TLS1_3) || \
+ (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+static int maxversion = TLS1_2_VERSION;
+#else
+static int maxversion = 0;
+#endif
+
static int get_sni_from_client_hello(BIO *bio, char **sni)
{
long len;
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" =>
- ($protocol_name eq "flex" && !disabled("tls1_3"))
+ ($protocol_name eq "flex"
+ && !disabled("tls1_3")
+ && (!disabled("ec") || !disabled("dh")))
? "CertificateRequired" : "HandshakeFailure",
"Method" => $method,
},
our @tests = ();
push @tests, @tests12 unless disabled("tls1_2");
-push @tests, @tests13 unless disabled("tls1_3");
+push @tests, @tests13 unless disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"));
my $max_enabled;
foreach my $i (0..$#protocols) {
- if (!$is_disabled[$i]) {
+ if (!$is_disabled[$i]
+ && ($protocols[$i] ne "TLSv1.3"
+ || !disabled("ec")
+ || !disabled("dh"))) {
$max_enabled = $i;
}
}
}
}
}
- return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
+ return @tests
+ if disabled("tls1_3")
+ || disabled("tls1_2")
+ || (disabled("ec") && disabled("dh"))
+ || $dtls;
#Add some version/ciphersuite sanity check tests
push @tests, {
}
}
- if (!disabled("tls1_3") && !$dtls) {
+ if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) {
push @client_tests, {
"name" => "resumption-with-hrr",
"client" => {
sub expected_result {
my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled,
$protocols) = @_;
+ my @prots = @$protocols;
+ my $orig_c_max = $c_max;
# Adjust for "undef" (no limit).
$c_min = $c_min == 0 ? 0 : $c_min - 1;
$c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max;
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
- if ($c_min > $c_max) {
+ if ($c_min > $c_max
+ || ($orig_c_max != scalar @$protocols
+ && $prots[$orig_c_max] eq "TLSv1.3"
+ && $c_max != $orig_c_max
+ && !disabled("tls1_3"))) {
# Client should fail to even send a hello.
return ("ClientFail", undef);
} elsif ($s_min > $s_max) {
# Server doesn't support the client range.
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
- my @prots = @$protocols;
if ($prots[$c_max] eq "TLSv1.3") {
# Client will have sent supported_versions, so server will know
# that there are no overlapping versions.
max_version = TLS1_2_VERSION;
} else {
min_version = 0;
+# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)
+ /* We only have ec and dh based built-in groups for TLSv1.3 */
+ max_version = TLS1_2_VERSION;
+# else
max_version = 0;
+# endif
}
#endif
#ifndef OPENSSL_NO_DTLS
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /* Without ec or dh there are no built-in groups for TLSv1.3 */
+ int maxversion = TLS1_2_VERSION;
+#else
+ int maxversion = 0;
+#endif
+
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))
goto err;
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
if (!TEST_ptr(server2_ctx =
SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
goto err;
- if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+ maxversion)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ maxversion)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ maxversion)))
goto err;
if (!TEST_ptr(resume_server_ctx)
|| !TEST_ptr(resume_client_ctx))
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+#undef OSSL_NO_USABLE_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+/*
+ * If we don't have ec or dh then there are no built-in groups that are usable
+ * with TLSv1.3
+ */
+# define OSSL_NO_USABLE_TLS1_3
+#endif
+
/* Defined in filterprov.c */
OSSL_provider_init_fn filter_provider_init;
int filter_provider_set_filter(int operation, const char *name);
static OSSL_LIB_CTX *libctx = NULL;
static OSSL_PROVIDER *defctxnull = NULL;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *clientpsk = NULL;
static SSL_SESSION *serverpsk = NULL;
return 1;
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
static int test_keylog(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_keylog_no_master_key(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
}
#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
- !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
+ !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
/* sock must be connected */
static int ktls_chk_platform(int sock)
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int test_ktls(int test)
{
int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
int tlsver, testresult;
if (test > 15) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
test -= 16;
if (cis_ktls_rx || sis_ktls_rx)
return 1;
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
return 1;
#endif
int tlsver;
if (tst > 2) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
tst -= 3;
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
}
#endif
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int new_called, remove_called, get_called;
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
return testresult;
}
-#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
+#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
static int test_session_with_only_int_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
return 0;
#endif
static int test_session_with_only_ext_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
return 0;
#endif
static int test_session_with_both_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
return 0;
#endif
static int test_session_wo_ca_names(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
return 0;
#endif
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *sesscache[6];
static int do_cache;
#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
return execute_test_ssl_bio(0, CHANGE_WBIO);
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
typedef struct {
/* The list of sig algs */
const int *list;
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int clntaddoldcb = 0;
static int clntparseoldcb = 0;
SSL_SESSION *sess = NULL;
unsigned int context;
-#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
+#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
/* Skip tests for TLSv1.2 and below in this case */
if (tst < 3)
return 1;
if (tst == 2)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 3)
return 1;
#endif
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that SSL_export_keying_material_early() produces expected
* results. There are no test vectors so all we do is test that both
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int test_ssl_clear(int idx)
{
static int test_max_fragment_len_ext(int idx_tst)
{
- SSL_CTX *ctx;
+ SSL_CTX *ctx = NULL;
SSL *con = NULL;
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
- ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
- if (!TEST_ptr(ctx))
- goto end;
+ if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
+ TLS1_VERSION, 0, NULL, &ctx, NULL,
+ NULL)))
+ return 0;
if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
ctx, max_fragment_len_test[idx_tst])))
}
SSL_set_bio(con, rbio, wbio);
- SSL_set_connect_state(con);
if (!TEST_int_le(SSL_connect(con), 0)) {
/* This shouldn't succeed because we don't have a server! */
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_pha_key_update(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
return 1;
#endif
} else {
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
tlsvers = TLS1_3_VERSION;
#else
return 1;
info_cb_this_state = -1;
info_cb_offset = tst;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (tst >= 4) {
SSL_SESSION *sess = NULL;
size_t written, readbytes;
* We can't establish a connection (even in TLSv1.1) with these ciphersuites if
* TLSv1.3 is enabled but TLSv1.2 is disabled.
*/
-#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
{
TLS1_2_VERSION,
"AES128-SHA:AES256-SHA",
* This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
* enabled.
*/
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
&& !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
TLS1_3_VERSION,
"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
},
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
{
TLS1_3_VERSION,
"AES128-SHA",
if (tst % 2 == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst % 2 == 1)
return 1;
#endif
if (tst <= 1)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 2)
return 1;
#endif
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int cert_cb_cnt;
static int cert_cb(SSL *s, void *arg)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
#endif
if (tst == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst == 1)
return 1;
#endif
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
* Test setting certificate authorities on both client and server.
*
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
#endif
if (tst <= 4)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 5)
return 1;
#endif
}
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
/*
* Test that if signature algorithms are not available, then we do not offer or
* accept them.
}
#endif /*
* !defined(OPENSSL_NO_EC) \
- * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
*/
#ifndef OPENSSL_NO_TLS1_3
+/* This test can run in TLSv1.3 even if ec and dh are disabled */
static int test_pluggable_group(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
# endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that setting an SNI callback works with TLSv1.3. Specifically we check
* that it works even without a certificate configured for the original
goto err;
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
-# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_ktls, 32);
ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
# endif
ADD_TEST(test_session_with_only_ext_cache);
ADD_TEST(test_session_with_both_cache);
ADD_TEST(test_session_wo_ca_names);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
ADD_TEST(test_psk_tickets);
ADD_TEST(test_ssl_bio_pop_ssl_bio);
ADD_TEST(test_ssl_bio_change_rbio);
ADD_TEST(test_ssl_bio_change_wbio);
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
ADD_TEST(test_keylog);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_keylog_no_master_key);
#endif
ADD_TEST(test_client_cert_verify_cb);
ADD_TEST(test_no_ems);
ADD_TEST(test_ccs_change_cipher);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);
/*
* We don't do replay tests for external PSK. Replay protection isn't used
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_set_ciphersuite, 10);
ADD_TEST(test_ciphersuite_change);
ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
#endif
ADD_ALL_TESTS(test_serverinfo, 8);
ADD_ALL_TESTS(test_export_key_mat, 6);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
ADD_ALL_TESTS(test_key_update_in_write, 2);
#endif
ADD_ALL_TESTS(test_servername, 10);
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_dh_auto, 7);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
return 1;
projects / openssl.git / commitdiff