if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (!TEST_true(SSL_CTX_get_keylog_callback(cctx) == NULL)
SSL *clientssl = NULL, *serverssl = NULL;
int testctr = 0, testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
#endif
static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth, int read_ahead)
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
if (!TEST_ptr(chaincert))
goto end;
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
+ &sctx, &cctx, cert, privkey)))
goto end;
if (read_ahead) {
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
0);
}
static int test_large_message_tls_read_ahead(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
1);
}
* read_ahead is set.
*/
return execute_test_large_message(DTLS_server_method(),
- DTLS_client_method(), 0);
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ 0);
}
#endif
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
return 0;
if (SSL_CTX_get_tlsext_status_type(cctx) != -1)
new_called = remove_called = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
/*
goto end;
if (use_ext_cache) {
- if (!TEST_int_eq(new_called, 0)
- || !TEST_int_eq(remove_called, 0))
+ if (!TEST_int_eq(remove_called, 0))
goto end;
if (maxprot == TLS1_3_VERSION) {
- if (!TEST_int_eq(get_called, 0))
+ /*
+ * Every time we issue a NewSessionTicket we are creating a new
+ * session for next time in TLSv1.3
+ */
+ if (!TEST_int_eq(new_called, 1)
+ || !TEST_int_eq(get_called, 0))
goto end;
} else {
- if (!TEST_int_eq(get_called, 1))
+ if (!TEST_int_eq(new_called, 0)
+ || !TEST_int_eq(get_called, 1))
goto end;
}
}
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
return 0;
/*
return 1;
}
+#ifndef OPENSSL_NO_PSK
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *id,
unsigned int max_id_len,
unsigned char *psk,
return psklen;
}
+#endif /* OPENSSL_NO_PSK */
static int find_session_cb(SSL *ssl, const unsigned char *identity,
size_t identity_len, SSL_SESSION **sess)
return 1;
}
+#ifndef OPENSSL_NO_PSK
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
unsigned char *psk, unsigned int max_psk_len)
{
return psklen;
}
+#endif /* OPENSSL_NO_PSK */
#define MSG1 "Hello"
#define MSG2 "World."
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
SSL **serverssl, SSL_SESSION **sess, int idx)
{
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), sctx,
- cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ sctx, cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(*sctx,
SSL3_RT_MAX_PLAIN_LENGTH))
|| !TEST_true(SSL_CTX_set_max_early_data(*cctx,
return testresult;
}
+static int test_early_data_replay(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+
+ if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
+ &serverssl, &sess, idx)))
+ goto end;
+
+ /*
+ * The server is configured to accept early data. Create a connection to
+ * "use up" the ticket
+ */
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))
+ || !TEST_true(SSL_session_reused(clientssl)))
+ goto end;
+
+ SSL_shutdown(clientssl);
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ serverssl = clientssl = NULL;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL))
+ || !TEST_true(SSL_set_session(clientssl, sess))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ /*
+ * This time we should not have resumed the session because we
+ * already used it once.
+ */
+ || !TEST_false(SSL_session_reused(clientssl)))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ if (sess != clientpsk)
+ SSL_SESSION_free(sess);
+ SSL_SESSION_free(clientpsk);
+ SSL_SESSION_free(serverpsk);
+ clientpsk = serverpsk = NULL;
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
+
/*
* Helper function to test that a server attempting to read early data can
* handle a connection from a client where the early data should be skipped.
const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
};
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
/*
SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
}
+#ifndef OPENSSL_NO_PSK
if (idx == 1 || idx == 2) {
SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
}
+#endif
srvid = pskid;
use_session_cb_cnt = 0;
find_session_cb_cnt = 0;
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
/* The arrival of CCS messages can confuse the test */
clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
snicb = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
if (tst == 2
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2,
- NULL, cert, privkey)))
+ && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx2, NULL, cert, privkey)))
goto end;
if (tst == 3)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey)))
goto end;
OPENSSL_assert(tst >= 0 && (size_t)tst < OSSL_NELEM(protocols));
#endif
/* Create an initial connection */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(), &sctx,
- &cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
+ &sctx, &cctx, cert, privkey))
|| (idx == 1
&& !TEST_true(SSL_CTX_set_max_proto_version(cctx,
TLS1_2_VERSION)))
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
- TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&sctx, &cctx, cert, privkey)))
return 0;
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);
+ /*
+ * We don't do replay tests for external PSK. Replay protection isn't used
+ * in that scenario.
+ */
+ ADD_ALL_TESTS(test_early_data_replay, 2);
ADD_ALL_TESTS(test_early_data_skip, 3);
ADD_ALL_TESTS(test_early_data_skip_hrr, 3);
ADD_ALL_TESTS(test_early_data_not_sent, 3);
#endif
#ifndef OPENSSL_NO_TLS1_3
ADD_TEST(test_ciphersuite_change);
+#ifdef OPENSSL_NO_PSK
+ ADD_ALL_TESTS(test_tls13_psk, 1);
+#else
ADD_ALL_TESTS(test_tls13_psk, 3);
+#endif /* OPENSSL_NO_PSK */
ADD_ALL_TESTS(test_custom_exts, 5);
ADD_TEST(test_stateless);
ADD_TEST(test_pha_key_update);
projects / openssl.git / blobdiff