diff options
author | Matt Caswell <matt@openssl.org> | 2020-11-03 15:51:23 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-12-10 11:34:23 +0000 |
commit | ad8e83cf11187388c71cfbdb70880d9e7ed26e0e (patch) | |
tree | d5f6e53dbf3cf25e4299a3f6e4dd6812f647f743 | |
parent | e0b139b845341b62a18b7f285d34921340dc4ab9 (diff) | |
download | openssl-new-ad8e83cf11187388c71cfbdb70880d9e7ed26e0e.tar.gz |
Test that we can negotiate TLSv1.3 if we have an SNI callback
If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13305)
-rw-r--r-- | test/sslapitest.c | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c index ad1824c68d..4a27ee1ba2 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -6658,6 +6658,62 @@ static int test_ssl_dup(void) } #endif +#ifndef OPENSSL_NO_TLS1_3 +/* + * Test that setting an SNI callback works with TLSv1.3. Specifically we check + * that it works even without a certificate configured for the original + * SSL_CTX + */ +static int test_sni_tls13(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + + /* Reset callback counter */ + snicb = 0; + + /* Create an initial SSL_CTX with no certificate configured */ + sctx = SSL_CTX_new(TLS_server_method()); + if (!TEST_ptr(sctx)) + goto end; + /* Require TLSv1.3 as a minimum */ + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + TLS1_3_VERSION, 0, &sctx2, &cctx, cert, + privkey))) + goto end; + + /* Set up SNI */ + if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb)) + || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2))) + goto end; + + /* + * Connection should still succeed because the final SSL_CTX has the right + * certificates configured. + */ + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + /* We should have had the SNI callback called exactly once */ + if (!TEST_int_eq(snicb, 1)) + goto end; + + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx2); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} +#endif + int setup_tests(void) { if (!TEST_ptr(certsdir = test_get_argument(0)) @@ -6781,6 +6837,9 @@ int setup_tests(void) #ifndef OPENSSL_NO_TLS1_2 ADD_TEST(test_ssl_dup); #endif +#ifndef OPENSSL_NO_TLS1_3 + ADD_TEST(test_sni_tls13); +#endif return 1; } |