/*
- * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/srp.h>
#endif
+#include "../ssl/ssl_locl.h"
#include "internal/sockets.h"
#include "internal/nelem.h"
#include "handshake_helper.h"
OPENSSL_free(result->server_alpn_negotiated);
sk_X509_NAME_pop_free(result->server_ca_names, X509_NAME_free);
sk_X509_NAME_pop_free(result->client_ca_names, X509_NAME_free);
+ OPENSSL_free(result->cipher);
OPENSSL_free(result);
}
if ((*out)[i] == ',') {
if (!TEST_int_gt(i - 1, prefix))
goto err;
- (*out)[prefix] = i - 1 - prefix;
+ (*out)[prefix] = (unsigned char)(i - 1 - prefix);
prefix = i;
}
i++;
}
if (!TEST_int_gt(len, prefix))
goto err;
- (*out)[prefix] = len - prefix;
+ (*out)[prefix] = (unsigned char)(len - prefix);
return 1;
err:
break;
}
+ switch (extra->client.max_fragment_len_mode) {
+ case TLSEXT_max_fragment_length_512:
+ case TLSEXT_max_fragment_length_1024:
+ case TLSEXT_max_fragment_length_2048:
+ case TLSEXT_max_fragment_length_4096:
+ case TLSEXT_max_fragment_length_DISABLED:
+ SSL_CTX_set_tlsext_max_fragment_length(
+ client_ctx, extra->client.max_fragment_len_mode);
+ break;
+ }
+
/*
* Link the two contexts for SNI purposes.
* Also do ClientHello callbacks here, as setting both ClientHello and SNI
if (extra->client.servername != SSL_TEST_SERVERNAME_NONE)
SSL_set_tlsext_host_name(client,
ssl_servername_name(extra->client.servername));
+ if (extra->client.force_pha)
+ SSL_force_post_handshake_auth(client);
}
/* The status for each connection phase. */
|| test_ctx->handshake_mode
== SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER
|| test_ctx->handshake_mode
- == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT)) {
+ == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT
+ || test_ctx->handshake_mode
+ == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH)) {
peer->status = PEER_TEST_FAILURE;
return;
}
if (peer->status != PEER_SUCCESS)
peer->status = PEER_ERROR;
return;
+ } else if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH) {
+ if (SSL_is_server(peer->ssl)) {
+ /* Make the server believe it's received the extension */
+ if (test_ctx->extra.server.force_pha)
+ peer->ssl->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
+ ret = SSL_verify_client_post_handshake(peer->ssl);
+ if (!ret) {
+ peer->status = PEER_ERROR;
+ return;
+ }
+ }
+ do_handshake_step(peer);
+ /*
+ * This is a one step handshake. We shouldn't get anything other than
+ * PEER_SUCCESS
+ */
+ if (peer->status != PEER_SUCCESS)
+ peer->status = PEER_ERROR;
+ return;
}
/*
CONNECTION_DONE
} connect_phase_t;
+
+static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+{
+ switch (test_ctx->handshake_mode) {
+ case SSL_TEST_HANDSHAKE_RENEG_SERVER:
+ case SSL_TEST_HANDSHAKE_RENEG_CLIENT:
+ return 1;
+ default:
+ return 0;
+ }
+}
+static int post_handshake_op(const SSL_TEST_CTX *test_ctx)
+{
+ switch (test_ctx->handshake_mode) {
+ case SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT:
+ case SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER:
+ case SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
static connect_phase_t next_phase(const SSL_TEST_CTX *test_ctx,
connect_phase_t phase)
{
switch (phase) {
case HANDSHAKE:
- if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER
- || test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_CLIENT
- || test_ctx->handshake_mode
- == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT
- || test_ctx->handshake_mode
- == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER)
+ if (renegotiate_op(test_ctx) || post_handshake_op(test_ctx))
return RENEG_APPLICATION_DATA;
return APPLICATION_DATA;
case RENEG_APPLICATION_DATA:
return RENEG_SETUP;
case RENEG_SETUP:
- if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER
- || test_ctx->handshake_mode
- == SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT)
+ if (post_handshake_op(test_ctx))
return APPLICATION_DATA;
return RENEG_HANDSHAKE;
case RENEG_HANDSHAKE:
*/
return INTERNAL_ERROR;
}
+ break;
case PEER_RETRY:
return HANDSHAKE_RETRY;
handshake_status_t status = HANDSHAKE_RETRY;
const unsigned char* tick = NULL;
size_t tick_len = 0;
+ const unsigned char* sess_id = NULL;
+ unsigned int sess_id_len = 0;
SSL_SESSION* sess = NULL;
const unsigned char *proto = NULL;
/* API dictates unsigned int rather than size_t. */
EVP_PKEY *tmp_key;
const STACK_OF(X509_NAME) *names;
time_t start;
+ const char* cipher;
if (ret == NULL)
return NULL;
ret->server_protocol = SSL_version(server.ssl);
ret->client_protocol = SSL_version(client.ssl);
ret->servername = server_ex_data.servername;
- if ((sess = SSL_get0_session(client.ssl)) != NULL)
+ if ((sess = SSL_get0_session(client.ssl)) != NULL) {
SSL_SESSION_get0_ticket(sess, &tick, &tick_len);
+ sess_id = SSL_SESSION_get_id(sess, &sess_id_len);
+ }
if (tick == NULL || tick_len == 0)
ret->session_ticket = SSL_TEST_SESSION_TICKET_NO;
else
ret->compression = (SSL_get_current_compression(client.ssl) == NULL)
? SSL_TEST_COMPRESSION_NO
: SSL_TEST_COMPRESSION_YES;
+ if (sess_id == NULL || sess_id_len == 0)
+ ret->session_id = SSL_TEST_SESSION_ID_NO;
+ else
+ ret->session_id = SSL_TEST_SESSION_ID_YES;
ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call;
#ifndef OPENSSL_NO_NEXTPROTONEG
ret->client_resumed = SSL_session_reused(client.ssl);
ret->server_resumed = SSL_session_reused(server.ssl);
+ cipher = SSL_CIPHER_get_name(SSL_get_current_cipher(client.ssl));
+ ret->cipher = dup_str((const unsigned char*)cipher, strlen(cipher));
+
if (session_out != NULL)
*session_out = SSL_get1_session(client.ssl);