authorMatt Caswell <matt@openssl.org>2020-11-03 15:51:23 +0000
committerMatt Caswell <matt@openssl.org>2020-12-10 11:34:23 +0000
commitad8e83cf11187388c71cfbdb70880d9e7ed26e0e (patch)
treed5f6e53dbf3cf25e4299a3f6e4dd6812f647f743
parente0b139b845341b62a18b7f285d34921340dc4ab9 (diff)
downloadopenssl-new-ad8e83cf11187388c71cfbdb70880d9e7ed26e0e.tar.gz
Test that we can negotiate TLSv1.3 if we have an SNI callback
If an SNI callback has been set then we may have no certificates suitable for TLSv1.3 use configured for the current SSL_CTX. This should not prevent us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we need a suitable certificate. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13305)
-rw-r--r--test/sslapitest.c59
1 files changed, 59 insertions, 0 deletions
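--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -6658,6 +6658,62 @@ static int test_ssl_dup(void)
 }
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+/*
+ * Test that setting an SNI callback works with TLSv1.3. Specifically we check
+ * that it works even without a certificate configured for the original
+ * SSL_CTX
+ */
+static int test_sni_tls13(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+
+ /* Reset callback counter */
+ snicb = 0;
+
+ /* Create an initial SSL_CTX with no certificate configured */
+ sctx = SSL_CTX_new(TLS_server_method());
+ if (!TEST_ptr(sctx))
+ goto end;
+ /* Require TLSv1.3 as a minimum */
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_3_VERSION, 0, &sctx2, &cctx, cert,
+ privkey)))
+ goto end;
+
+ /* Set up SNI */
+ if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))
+ || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))
+ goto end;
+
+ /*
+ * Connection should still succeed because the final SSL_CTX has the right
+ * certificates configured.
+ */
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL))
+ || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
+ goto end;
+
+ /* We should have had the SNI callback called exactly once */
+ if (!TEST_int_eq(snicb, 1))
+ goto end;
+
+ testresult = 1;
+
+end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx2);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
+#endif
+
 int setup_tests(void)
 {
 if (!TEST_ptr(certsdir = test_get_argument(0))
@@ -6781,6 +6837,9 @@ int setup_tests(void)
 #ifndef OPENSSL_NO_TLS1_2
 ADD_TEST(test_ssl_dup);
 #endif
+#ifndef OPENSSL_NO_TLS1_3
+ ADD_TEST(test_sni_tls13);
+#endif
 return 1;
 }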
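Review bot: test_sni_tls13 never checks which protocol version the connection actually negotiated, so on its own it only proves that a handshake completes; the TLSv1.3 requirement is enforced indirectly by the version floor create_ssl_ctx_pair sets on cctx and sctx2, while the original sctx gets no minimum version at all. Making the assertion explicit after the create_ssl_connection() call keeps the test meaningful even if that helper's version handling changes: `|| !TEST_int_eq(SSL_version(serverssl), TLS1_3_VERSION)`. The `/* Require TLSv1.3 as a minimum */` comment sits above the sctx2/cctx pair, so it would be clearer as `/* Require TLSv1.3 as a minimum on the client and the switched-to SSL_CTX */` to avoid suggesting the floor applies to sctx. Whether snicb reaching 1 also proves the switch to sctx2 happened depends on what sni_cb does, which is defined outside this hunk; setup_tests likewise continues outside the first hunk.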