authorMatt Caswell <matt@openssl.org>2021-01-14 15:50:20 +0000
committerMatt Caswell <matt@openssl.org>2021-02-05 15:22:40 +0000
commita763ca11777ce01a286751f3f3dd9b106ef74f30 (patch)
tree7ad54dd22661b8373f57ffefdee897b6282dc225
parent8b1db5d329740bd5363fd1763d4030d0e015b521 (diff)
downloadopenssl-new-a763ca11777ce01a286751f3f3dd9b106ef74f30.tar.gz
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
-rw-r--r--CHANGES.md11
-rwxr-xr-xConfigure2
-rw-r--r--test/helpers/ssltestlib.c49
-rw-r--r--test/recipes/70-test_comp.t3
-rw-r--r--test/recipes/70-test_key_share.t3
-rw-r--r--test/recipes/70-test_sslcbcpadding.t2
-rw-r--r--test/recipes/70-test_sslextension.t6
-rw-r--r--test/recipes/70-test_sslrecords.t13
-rw-r--r--test/recipes/70-test_sslsigalgs.t15
-rw-r--r--test/recipes/70-test_sslsignature.t4
-rw-r--r--test/recipes/70-test_sslversions.t5
-rw-r--r--test/recipes/70-test_tls13alerts.t2
-rw-r--r--test/recipes/70-test_tls13cookie.t2
-rw-r--r--test/recipes/70-test_tls13downgrade.t4
-rw-r--r--test/recipes/70-test_tls13hrr.t2
-rw-r--r--test/recipes/70-test_tls13kexmodes.t2
-rw-r--r--test/recipes/70-test_tls13psk.t2
-rw-r--r--test/recipes/70-test_tlsextms.t17
-rw-r--r--test/recipes/80-test_ssl_new.t11
-rw-r--r--test/recipes/80-test_ssl_old.t2
-rw-r--r--test/recipes/90-test_tls13ccs.t2
-rw-r--r--test/recipes/90-test_tls13encryption.t2
-rw-r--r--test/recipes/90-test_tls13secrets.t4
-rw-r--r--test/recordlentest.c3
-rw-r--r--test/servername_test.c15
-rw-r--r--test/ssl-tests/04-client_auth.cnf.in4
-rw-r--r--test/ssl-tests/27-ticket-appdata.cnf.in3
-rw-r--r--test/ssl-tests/protocol_version.pm22
-rw-r--r--test/ssl_old_test.c5
-rw-r--r--test/ssl_test.c22
-rw-r--r--test/sslapitest.c121
31 files changed, 241 insertions, 119 deletions
diff --git a/CHANGES.md b/CHANGES.md
index d80016560e..7c934935eb 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,17 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
+ Typically if OpenSSL has no EC or DH algorithms then it cannot support
+ connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
+ through providers. Therefore third party providers may supply group
+ implementations even where there are no built-in ones. Attempting to create
+ TLS connections in such a build without also disabling TLSv1.3 at run time or
+ using third party provider groups may result in handshake failures. TLSv1.3
+ can be disabled at compile time using the "no-tls1_3" Configure option.
+
+ *Matt Caswell*
+
* The undocumented function X509_certificate_type() has been deprecated;
applications can use X509_get0_pubkey() and X509_get0_signature() to
get the same information.
diff --git a/Configure b/Configure
index e429d6ff5b..9a96a7f0c0 100755
--- a/Configure
+++ b/Configure
@@ -563,8 +563,6 @@ my @disable_cascades = (
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ],
- sub { $disabled{"ec"} && $disabled{"dh"} }
- => [ "tls1_3" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
"dtls" => [ @dtls ],
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index 2366c3db4d..e339d7972c 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -685,18 +685,19 @@ static int always_retry_puts(BIO *bio, const char *str)
}
int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
-const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile)
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile)
{
SSL_CTX *serverctx = NULL;
SSL_CTX *clientctx = NULL;
- if (*sctx != NULL)
- serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
- goto err;
+ if (sctx != NULL) {
+ if (*sctx != NULL)
+ serverctx = *sctx;
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
+ goto err;
+ }
if (cctx != NULL) {
if (*cctx != NULL)
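Review bot: `sctx` is now an optional argument, but nothing visible in this hunk documents that a NULL `sctx` means "create only the client context". A short comment above the definition would make the new contract explicit, for example `/* sctx and cctx may each be NULL, in which case that context is not created; certfile/privkeyfile are ignored when sctx is NULL */`. The function body continues outside this hunk.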
@@ -705,12 +706,25 @@ const SSL_METHOD *cm,
goto err;
}
- if ((min_proto_version > 0
- && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
- min_proto_version)))
- || (max_proto_version > 0
- && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
- max_proto_version))))
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /*
+ * There are no usable built-in TLSv1.3 groups if ec and dh are both
+ * disabled
+ */
+ if (max_proto_version == 0
+ && (sm == TLS_server_method() || cm == TLS_client_method()))
+ max_proto_version = TLS1_2_VERSION;
+#endif
+
+ if (serverctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
goto err;
if (clientctx != NULL
&& ((min_proto_version > 0
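Review bot: The new `#if` block silently turns a `max_proto_version` of 0 into `TLS1_2_VERSION`, so in a no-ec/no-dh build a caller that relies on 0 to reach TLSv1.3 (for instance a test that plugs in groups from a third-party provider) ends up on TLSv1.2 with no indication. The comment should state that contract, e.g. `/* 0 is capped to TLSv1.2 here; callers with provider-supplied groups must pass TLS1_3_VERSION explicitly */`. The cap also depends on pointer equality with `TLS_server_method()` or `TLS_client_method()`, so a caller passing another version-flexible method such as `TLS_method()` would presumably not be capped; it is worth confirming that no caller does. The function body starts and ends outside this hunk.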
@@ -721,7 +735,7 @@ const SSL_METHOD *cm,
max_proto_version)))))
goto err;
- if (certfile != NULL && privkeyfile != NULL) {
+ if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) {
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx,
@@ -731,13 +745,14 @@ const SSL_METHOD *cm,
goto err;
}
- *sctx = serverctx;
+ if (sctx != NULL)
+ *sctx = serverctx;
if (cctx != NULL)
*cctx = clientctx;
return 1;
err:
- if (*sctx == NULL)
+ if (sctx != NULL && *sctx == NULL)
SSL_CTX_free(serverctx);
if (cctx != NULL && *cctx == NULL)
SSL_CTX_free(clientctx);
diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t
index 2ac168c252..abd41d756c 100644
--- a/test/recipes/70-test_comp.t
+++ b/test/recipes/70-test_comp.t
@@ -65,7 +65,8 @@ SKIP: {
}
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 3: Check that sending multiple compression methods in a TLSv1.3
# ClientHello fails
$proxy->clear();
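Review bot: The skip reason still reads "TLSv1.3 disabled" even when the block is skipped only because ec and dh are both disabled, so a test log from such a build misstates why TLSv1.3 coverage is missing. Something like `skip "TLSv1.3 disabled or no built-in EC/DH groups", 2` keeps the reason accurate. The same applies to the other SKIP blocks and `plan skip_all` lines extended with this condition in 70-test_sslextension.t, 70-test_sslrecords.t, 70-test_sslsigalgs.t, 70-test_sslsignature.t, 70-test_sslversions.t, 70-test_tlsextms.t and the 70-test_tls13*.t recipes. The SKIP block continues outside this hunk.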
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index b5b01907c6..7ecba99ee8 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -60,6 +60,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
+plan skip_all => "$test_name needs EC or DH enabled"
+ if disabled("ec") && disabled("dh");
+
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t
index a293ab1e8d..273093244c 100644
--- a/test/recipes/70-test_sslcbcpadding.t
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -43,6 +43,7 @@ my @test_offsets = (0, 128, 254, 255);
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->serverconnects(1 + scalar(@test_offsets));
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
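Review bot: `-no_tls1_3` is added to the client unconditionally here, whereas 70-test_sslsigalgs.t and 70-test_sslsignature.t in this commit add it only `if disabled("ec") && disabled("dh")`. In a default build that presumably means the client no longer sends a TLSv1.3-capable ClientHello to the `-tls1_2` server, which narrows what these tests exercise. If that is not intended, use `$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");`; if it is intended, a one-line comment saying why would help. The same pattern recurs in the second hunk of this file and in 70-test_sslextension.t and 70-test_sslrecords.t.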
@@ -55,6 +56,7 @@ foreach my $offset (@test_offsets) {
$bad_padding_offset = $offset;
$fatal_alert = 0;
$proxy->clearClient();
+ $proxy->clientflags("-no_tls1_3");
$proxy->clientstart();
ok($fatal_alert, "Invalid padding byte $bad_padding_offset");
}
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t
index 9be001edc2..2d6262f2d4 100644
--- a/test/recipes/70-test_sslextension.t
+++ b/test/recipes/70-test_sslextension.t
@@ -197,6 +197,7 @@ ok($fatal_alert, "Duplicate ClientHello extension");
$fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_serverhello);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Duplicate ServerHello extension");
@@ -207,6 +208,7 @@ SKIP: {
$proxy->clear();
$proxy->filter(\&extension_filter);
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
+ $proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success, "Zero extension length test");
@@ -244,7 +246,8 @@ SKIP: {
}
SKIP: {
- skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 7: Inject an unsolicited extension (TLSv1.3)
$fatal_alert = 0;
$proxy->clear();
@@ -260,5 +263,6 @@ SKIP: {
# ignore it in a ClientHello
$proxy->clear();
$proxy->filter(\&inject_cryptopro_extension);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello");
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 151216c57d..4a0e3e6b78 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -43,6 +43,7 @@ my $fatal_alert = 0; # set by filters at expected fatal alerts
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 20;
ok($fatal_alert, "Out of context empty records test");
@@ -51,6 +52,7 @@ ok($fatal_alert, "Out of context empty records test");
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
@@ -60,6 +62,7 @@ $proxy->clear();
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Too many in context empty records test");
@@ -70,6 +73,7 @@ $fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Fragmented alert records test");
@@ -92,6 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
@@ -102,6 +107,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
@@ -112,6 +118,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
@@ -121,6 +128,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
@@ -130,6 +138,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
@@ -140,6 +149,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
$fatal_alert = 0;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok($fatal_alert, "Unrecognised record type in TLS1.2");
@@ -166,7 +176,8 @@ ok($fatal_alert, "Changed record version in TLS1.2");
#TLS1.3 specific tests
SKIP: {
- skip "TLSv1.3 disabled", 8 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 8
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 13: Sending a different record version in TLS1.3 should fail
$proxy->clear();
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 3548704138..609c88e716 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -54,13 +54,15 @@ use constant {
# the sigalgs
#Test 1: Default sig algs should succeed
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
SKIP: {
- skip "TLSv1.3 disabled", 6 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 6
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$proxy->filter(\&sigalgs_filter);
@@ -237,7 +239,10 @@ SKIP: {
my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3")
+ || disabled("dsa")
+ || (disabled("ec") && disabled("dh"));
#Test 20: signature_algorithms with 1.3-only ClientHello
$testtype = PURE_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
@@ -263,7 +268,8 @@ SKIP: {
}
SKIP: {
- skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 5
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 22: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
$proxy->clear();
@@ -284,10 +290,7 @@ SKIP: {
$proxy->filter(\&modify_sigalgs_cert_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
-}
-SKIP: {
- skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
#Test 25: Send an unrecognized signature_algorithms_cert
# We should be able to skip over the unrecognized value and use a
# valid one that appears later in the list.
diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t
index a7d33503ed..147dd38bf2 100644
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -45,12 +45,14 @@ $proxy->filter(\&signature_filter);
#Test 1: No corruption should succeed
my $testtype = NO_CORRUPTION;
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 4;
ok(TLSProxy::Message->success, "No corruption");
SKIP: {
- skip "TLSv1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail
$proxy->clear();
diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t
index 864f4f5283..0a67fe1006 100644
--- a/test/recipes/70-test_sslversions.t
+++ b/test/recipes/70-test_sslversions.t
@@ -37,7 +37,10 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
- if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2")
+ || disabled("tls1_1");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t
index 205955fad8..c6c9d25f8d 100644
--- a/test/recipes/70-test_tls13alerts.t
+++ b/test/recipes/70-test_tls13alerts.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t
index aef2cf8848..2036583fda 100644
--- a/test/recipes/70-test_tls13cookie.t
+++ b/test/recipes/70-test_tls13cookie.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t
index f8dc8543be..63902a58e6 100644
--- a/test/recipes/70-test_tls13downgrade.t
+++ b/test/recipes/70-test_tls13downgrade.t
@@ -24,7 +24,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
- if disabled("tls1_3") || disabled("tls1_2");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index 8f6e54e235..0423bc3c36 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 6648376c0c..da4f3f3865 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index 66582b7d8e..2f750d858b 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -25,7 +25,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t
index 55ef58e202..d567b15552 100644
--- a/test/recipes/70-test_tlsextms.t
+++ b/test/recipes/70-test_tlsextms.t
@@ -56,9 +56,7 @@ my $proxy = TLSProxy::Proxy->new(
setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-my $numtests = 9;
-$numtests++ if (!disabled("tls1_3"));
-plan tests => $numtests;
+plan tests => 10;
checkmessages(1, "Default extended master secret test", 1, 1, 1);
#Test 2: If client omits extended master secret extension, server should too.
@@ -175,11 +173,14 @@ $proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;
-#Test 10: In TLS1.3 we should not negotiate extended master secret
-#Expected result: ClientHello extension seen; ServerHello extension not seen
-# TLS1.3 handshake (will appear as abbreviated handshake
-# because of no CKE message)
-if (!disabled("tls1_3")) {
+SKIP: {
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+
+ #Test 10: In TLS1.3 we should not negotiate extended master secret
+ #Expected result: ClientHello extension seen; ServerHello extension not seen
+ # TLS1.3 handshake (will appear as abbreviated handshake
+ # because of no CKE message)
clearall();
setrmextms(0, 0);
$proxy->start();
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 24e75ae1c9..99dbdea1bb 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -43,13 +43,16 @@ plan tests => 30 # = scalar @conf_srcs
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
- !disabled("tls1_3"));
+ !disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
+if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
+ $no_tls = 1;
+}
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
@@ -105,13 +108,13 @@ my %skip = (
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
- "21-key-update.cnf" => disabled("tls1_3"),
+ "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
- "24-padding.cnf" => disabled("tls1_3"),
+ "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
- "26-tls13_client_auth.cnf" => disabled("tls1_3"),
+ "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 975d1a9fd6..2f3d5d1c8c 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -33,6 +33,8 @@ my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
anydisabled qw/rsa dsa dh ec psk
ssl3 tls1 tls1_1 tls1_2 tls1_3
dtls dtls1 dtls1_2 ct/;
+#If ec and dh are disabled then don't use TLSv1.3
+$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh);
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
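Review bot: `$no_tls1_3` is forced on when ec and dh are both disabled, but `$no_anytls` on the next line is still computed from the compile-time protocol list alone. In a build where TLSv1.3 is the only TLS version compiled in, `$no_anytls` would presumably stay false and the TLS tests would run with no usable version. 80-test_ssl_new.t handles the equivalent case in this commit by setting `$no_tls = 1`. A matching adjustment after the `$no_anytls` line could be `$no_anytls = 1 if $no_tls1_3 && alldisabled(qw/ssl3 tls1 tls1_1 tls1_2/);`.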
diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/90-test_tls13ccs.t
index 1281c362d6..3bd65b8ba0 100644
--- a/test/recipes/90-test_tls13ccs.t
+++ b/test/recipes/90-test_tls13ccs.t
@@ -14,7 +14,7 @@ my $test_name = "test_tls13ccs";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t
index 145e1b9f8c..45b7b8a9aa 100644
--- a/test/recipes/90-test_tls13encryption.t
+++ b/test/recipes/90-test_tls13encryption.t
@@ -13,7 +13,7 @@ my $test_name = "tls13encryption";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recipes/90-test_tls13secrets.t b/test/recipes/90-test_tls13secrets.t
index ba437f59b8..13af681bf0 100644
--- a/test/recipes/90-test_tls13secrets.t
+++ b/test/recipes/90-test_tls13secrets.t
@@ -13,7 +13,9 @@ my $test_name = "tls13secrets";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3") || disabled("shared");
+ if disabled("tls1_3")
+ || disabled("shared")
+ || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 5388db7ddd..daf19bb8f3 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -94,7 +94,8 @@ static int test_record_overflow(int idx)
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK)
return 1;
diff --git a/test/servername_test.c b/test/servername_test.c
index 14088211c9..d6fb7b5bb6 100644
--- a/test/servername_test.c
+++ b/test/servername_test.c
@@ -31,6 +31,13 @@ static const char *host = "dummy-host";
static char *cert = NULL;
static char *privkey = NULL;
+#if defined(OPENSSL_NO_TLS1_3) || \
+ (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+static int maxversion = TLS1_2_VERSION;
+#else
+static int maxversion = 0;
+#endif
+
static int get_sni_from_client_hello(BIO *bio, char **sni)
{
long len;
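Review bot: The guard for `maxversion` is `defined(OPENSSL_NO_TLS1_3) || (no EC && no DH)`, while ssltestlib.c and ssl_test.c in this commit use `!defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)`. With the form used here, a plain no-tls1_3 build now sets an explicit TLSv1.2 maximum where it previously set none. That is probably harmless, but it is a behaviour change unrelated to the fix. Using the same condition as the other files keeps the cap limited to the case the commit is about, and since `maxversion` is never written it can be `static const int`.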
@@ -101,6 +108,10 @@ static int client_setup_sni_before_state(void)
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
@@ -149,6 +160,10 @@ static int client_setup_sni_after_state(void)
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in
index ad0ae7ae18..d908ad1c7d 100644
--- a/test/ssl-tests/04-client_auth.cnf.in
+++ b/test/ssl-tests/04-client_auth.cnf.in
@@ -116,7 +116,9 @@ sub generate_tests() {
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" =>
- ($protocol_name eq "flex" && !disabled("tls1_3"))
+ ($protocol_name eq "flex"
+ && !disabled("tls1_3")
+ && (!disabled("ec") || !disabled("dh")))
? "CertificateRequired" : "HandshakeFailure",
"Method" => $method,
},
diff --git a/test/ssl-tests/27-ticket-appdata.cnf.in b/test/ssl-tests/27-ticket-appdata.cnf.in
index 719c98a107..d9e861933f 100644
--- a/test/ssl-tests/27-ticket-appdata.cnf.in
+++ b/test/ssl-tests/27-ticket-appdata.cnf.in
@@ -96,4 +96,5 @@ our @tests13 = (
our @tests = ();
push @tests, @tests12 unless disabled("tls1_2");
-push @tests, @tests13 unless disabled("tls1_3");
+push @tests, @tests13 unless disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"));
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 0f0bd2e7cc..70c5722469 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -64,7 +64,10 @@ sub max_prot_enabled {
my $max_enabled;
foreach my $i (0..$#protocols) {
- if (!$is_disabled[$i]) {
+ if (!$is_disabled[$i]
+ && ($protocols[$i] ne "TLSv1.3"
+ || !disabled("ec")
+ || !disabled("dh"))) {
$max_enabled = $i;
}
}
@@ -172,7 +175,11 @@ sub generate_version_tests {
}
}
}
- return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls;
+ return @tests
+ if disabled("tls1_3")
+ || disabled("tls1_2")
+ || (disabled("ec") && disabled("dh"))
+ || $dtls;
#Add some version/ciphersuite sanity check tests
push @tests, {
@@ -307,7 +314,7 @@ sub generate_resumption_tests {
}
}
- if (!disabled("tls1_3") && !$dtls) {
+ if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) {
push @client_tests, {
"name" => "resumption-with-hrr",
"client" => {
@@ -332,7 +339,9 @@ sub generate_resumption_tests {
sub expected_result {
my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled,
$protocols) = @_;
+ my @prots = @$protocols;
+ my $orig_c_max = $c_max;
# Adjust for "undef" (no limit).
$c_min = $c_min == 0 ? 0 : $c_min - 1;
$c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max;
@@ -346,7 +355,11 @@ sub expected_result {
$c_max = min $c_max, $max_enabled;
$s_max = min $s_max, $max_enabled;
- if ($c_min > $c_max) {
+ if ($c_min > $c_max
+ || ($orig_c_max != scalar @$protocols
+ && $prots[$orig_c_max] eq "TLSv1.3"
+ && $c_max != $orig_c_max
+ && !disabled("tls1_3"))) {
# Client should fail to even send a hello.
return ("ClientFail", undef);
} elsif ($s_min > $s_max) {
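Review bot: The added four-line condition in `expected_result` has no comment, and it is not obvious why a clamped `$c_max` should yield "ClientFail". As far as the hunk shows, it covers a client whose configured maximum is explicitly TLSv1.3, with TLSv1.3 compiled in but removed from `$max_enabled` because ec and dh are both disabled. A comment above the `||` branch would record that, e.g. `# Client max is explicitly TLSv1.3, which is compiled in but has no usable built-in groups, so no ClientHello can be built`. `$protocols->[$orig_c_max]` would also avoid copying the array into `@prots` on every call. The sub continues outside this hunk.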
@@ -356,7 +369,6 @@ sub expected_result {
# Server doesn't support the client range.
return ("ServerFail", undef);
} elsif ($c_min > $s_max) {
- my @prots = @$protocols;
if ($prots[$c_max] eq "TLSv1.3") {
# Client will have sent supported_versions, so server will know
# that there are no overlapping versions.
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 48f0e8dae7..ad9a4a256c 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -1321,7 +1321,12 @@ int main(int argc, char *argv[])
max_version = TLS1_2_VERSION;
} else {
min_version = 0;
+# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)
+ /* We only have ec and dh based built-in groups for TLSv1.3 */
+ max_version = TLS1_2_VERSION;
+# else
max_version = 0;
+# endif
}
#endif
#ifndef OPENSSL_NO_DTLS
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 042a05e453..cefcfb569f 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -436,8 +436,17 @@ static int test_handshake(int idx)
}
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /* Without ec or dh there are no built-in groups for TLSv1.3 */
+ int maxversion = TLS1_2_VERSION;
+#else
+ int maxversion = 0;
+#endif
+
server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))
goto err;
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
@@ -445,21 +454,24 @@ static int test_handshake(int idx)
if (!TEST_ptr(server2_ctx =
SSL_CTX_new_ex(libctx, NULL, TLS_server_method())))
goto err;
- if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+ maxversion)))
goto err;
}
client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion)))
goto err;
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ maxversion)))
goto err;
resume_client_ctx = SSL_CTX_new_ex(libctx, NULL,
TLS_client_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ maxversion)))
goto err;
if (!TEST_ptr(resume_server_ctx)
|| !TEST_ptr(resume_client_ctx))
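Review bot: `resume_server_ctx` and `resume_client_ctx` are passed to `SSL_CTX_set_max_proto_version()` before the `TEST_ptr()` check on the lines that follow. An allocation failure is therefore reported as a failed version call, and only if that call tolerates a NULL context, rather than as a failed `SSL_CTX_new_ex()`. Since these calls are being rewritten anyway, create and check in one step as `server2_ctx` already does: `if (!TEST_ptr(resume_server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) goto err;`. `server_ctx` and `client_ctx` in the previous hunk follow the same create-then-use pattern, though their checks may sit outside the visible lines.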
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 51d1bdd8de..7cae297a17 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -39,6 +39,16 @@
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+#undef OSSL_NO_USABLE_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+/*
+ * If we don't have ec or dh then there are no built-in groups that are usable
+ * with TLSv1.3
+ */
+# define OSSL_NO_USABLE_TLS1_3
+#endif
+
/* Defined in filterprov.c */
OSSL_provider_init_fn filter_provider_init;
int filter_provider_set_filter(int operation, const char *name);
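Review bot: `OSSL_NO_USABLE_TLS1_3` is defined locally in this file, while ssltestlib.c, ssl_test.c, servername_test.c, recordlentest.c and ssl_old_test.c each spell out their own variant of the same `OPENSSL_NO_TLS1_3` / `OPENSSL_NO_EC` / `OPENSSL_NO_DH` test in this commit, and the variants are not all identical. Moving the macro into a shared test header, for example the one that declares `create_ssl_ctx_pair`, would give the C tests a single definition of "TLSv1.3 is usable". It would also remove the need for the defensive `#undef`.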
@@ -52,7 +62,7 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle,
static OSSL_LIB_CTX *libctx = NULL;
static OSSL_PROVIDER *defctxnull = NULL;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *clientpsk = NULL;
static SSL_SESSION *serverpsk = NULL;
@@ -351,7 +361,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
return 1;
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
static int test_keylog(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
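Review bot: This guard tests `defined(OSSL_NO_USABLE_TLS1_3)` where most of the file tests `!defined(...)`, and nothing at the site says why `test_keylog` should be built when TLSv1.3 is unusable. With TLSv1.2 compiled out and both ec and dh disabled, the test is now compiled and has to complete its handshake at TLSv1.1 or below; that is presumably intended but easy to misread as an inverted condition. A one-line comment above the `#if` would settle it, e.g. `/* Needs a handshake below TLSv1.3: built when TLSv1.2 is available or TLSv1.3 cannot be negotiated */`. The same form appears at the sig-algs struct guard before `test_set_sigalgs`, at the `AES128-SHA:AES256-SHA` table entry (whose existing comment still says "TLSv1.3 is enabled") and in `setup_tests`. The body of `test_keylog` lies outside the hunk.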
@@ -432,7 +442,7 @@ end:
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_keylog_no_master_key(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -957,7 +967,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
}
#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
- !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
+ !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
/* sock must be connected */
static int ktls_chk_platform(int sock)
@@ -1272,14 +1282,14 @@ end:
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int test_ktls(int test)
{
int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
int tlsver, testresult;
if (test > 15) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
test -= 16;
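Review bot: The `return 1` under `#if defined(OSSL_NO_USABLE_TLS1_3)` reports the TLSv1.3 half of `test_ktls` as passed, and after this commit that also happens in builds where TLSv1.3 is compiled in but ec and dh are off. Someone reading the results of such a reduced build cannot tell that the TLSv1.3 cases were never exercised. Logging the reason before returning, for example `TEST_info("Skipping: no usable TLSv1.3 groups built in");`, would make the lost coverage visible. The same silent return is used in `test_ktls_sendfile_anytls`, `test_export_key_mat`, `test_ticket_callbacks`, `test_shutdown`, `test_client_cert_cb` and `test_servername`. `test_ktls` continues outside the hunk.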
@@ -1302,7 +1312,7 @@ static int test_ktls(int test)
if (cis_ktls_rx || sis_ktls_rx)
return 1;
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
return 1;
#endif
@@ -1332,7 +1342,7 @@ static int test_ktls_sendfile_anytls(int tst)
int tlsver;
if (tst > 2) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
tst -= 3;
@@ -1481,7 +1491,7 @@ static int test_cleanse_plaintext(void)
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
@@ -1676,7 +1686,7 @@ static int test_tlsext_status_type(void)
}
#endif
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int new_called, remove_called, get_called;
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
@@ -1992,11 +2002,11 @@ static int execute_test_session(int maxprot, int use_int_cache,
return testresult;
}
-#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
+#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
static int test_session_with_only_int_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
return 0;
#endif
@@ -2010,7 +2020,7 @@ static int test_session_with_only_int_cache(void)
static int test_session_with_only_ext_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
return 0;
#endif
@@ -2024,7 +2034,7 @@ static int test_session_with_only_ext_cache(void)
static int test_session_with_both_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
return 0;
#endif
@@ -2038,7 +2048,7 @@ static int test_session_with_both_cache(void)
static int test_session_wo_ca_names(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
return 0;
#endif
@@ -2051,7 +2061,7 @@ static int test_session_wo_ca_names(void)
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *sesscache[6];
static int do_cache;
@@ -2492,7 +2502,7 @@ static int test_extra_tickets(int idx)
#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
@@ -2721,7 +2731,7 @@ static int test_ssl_bio_change_wbio(void)
return execute_test_ssl_bio(0, CHANGE_WBIO);
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
typedef struct {
/* The list of sig algs */
const int *list;
@@ -2852,7 +2862,7 @@ static int test_set_sigalgs(int idx)
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
@@ -5048,7 +5058,7 @@ static int test_stateless(void)
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int clntaddoldcb = 0;
static int clntparseoldcb = 0;
@@ -5183,7 +5193,7 @@ static int test_custom_exts(int tst)
SSL_SESSION *sess = NULL;
unsigned int context;
-#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
+#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
/* Skip tests for TLSv1.2 and below in this case */
if (tst < 3)
return 1;
@@ -5478,7 +5488,7 @@ static int test_export_key_mat(int tst)
if (tst == 2)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 3)
return 1;
#endif
@@ -5604,7 +5614,7 @@ static int test_export_key_mat(int tst)
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that SSL_export_keying_material_early() produces expected
* results. There are no test vectors so all we do is test that both
@@ -5823,7 +5833,7 @@ static int test_key_update_in_write(int tst)
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int test_ssl_clear(int idx)
{
@@ -5942,14 +5952,15 @@ static const unsigned char max_fragment_len_test[] = {
static int test_max_fragment_len_ext(int idx_tst)
{
- SSL_CTX *ctx;
+ SSL_CTX *ctx = NULL;
SSL *con = NULL;
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
- ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
- if (!TEST_ptr(ctx))
- goto end;
+ if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
+ TLS1_VERSION, 0, NULL, &ctx, NULL,
+ NULL)))
+ return 0;
if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
ctx, max_fragment_len_test[idx_tst])))
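Review bot: The new `create_ssl_ctx_pair()` failure path uses `return 0`, while the code it replaces used `goto end`, as the rest of `test_max_fragment_len_ext` presumably still does. Since `ctx` is now initialised to `NULL`, `goto end;` would work here as well and keeps a single exit path, assuming the `end:` code only frees `con` and `ctx`. The call also passes `NULL` for the server method and the server context, which I take the helper to accept because its definition is not in this hunk. A short comment such as `/* Client-only context: no server method or server ctx is needed */` would explain the positional `NULL`s. The rest of the function, including the `end:` label, is outside the hunk.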
@@ -5968,7 +5979,6 @@ static int test_max_fragment_len_ext(int idx_tst)
}
SSL_set_bio(con, rbio, wbio);
- SSL_set_connect_state(con);
if (!TEST_int_le(SSL_connect(con), 0)) {
/* This shouldn't succeed because we don't have a server! */
@@ -5990,7 +6000,7 @@ end:
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_pha_key_update(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -6432,7 +6442,7 @@ static int test_info_callback(int tst)
return 1;
#endif
} else {
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
tlsvers = TLS1_3_VERSION;
#else
return 1;
@@ -6444,7 +6454,7 @@ static int test_info_callback(int tst)
info_cb_this_state = -1;
info_cb_offset = tst;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (tst >= 4) {
SSL_SESSION *sess = NULL;
size_t written, readbytes;
@@ -6603,7 +6613,7 @@ static struct {
* We can't establish a connection (even in TLSv1.1) with these ciphersuites if
* TLSv1.3 is enabled but TLSv1.2 is disabled.
*/
-#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
{
TLS1_2_VERSION,
"AES128-SHA:AES256-SHA",
@@ -6649,7 +6659,7 @@ static struct {
* This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
* enabled.
*/
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
&& !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
TLS1_3_VERSION,
@@ -6662,7 +6672,7 @@ static struct {
"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
},
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
{
TLS1_3_VERSION,
"AES128-SHA",
@@ -6907,7 +6917,7 @@ static int test_ticket_callbacks(int tst)
if (tst % 2 == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst % 2 == 1)
return 1;
#endif
@@ -7124,7 +7134,7 @@ static int test_shutdown(int tst)
if (tst <= 1)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 2)
return 1;
#endif
@@ -7259,7 +7269,7 @@ static int test_shutdown(int tst)
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int cert_cb_cnt;
static int cert_cb(SSL *s, void *arg)
@@ -7440,7 +7450,7 @@ static int test_cert_cb(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
#endif
@@ -7498,7 +7508,7 @@ static int test_client_cert_cb(int tst)
if (tst == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst == 1)
return 1;
#endif
@@ -7537,7 +7547,7 @@ static int test_client_cert_cb(int tst)
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
* Test setting certificate authorities on both client and server.
*
@@ -7664,7 +7674,7 @@ static int test_ca_names(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
#endif
@@ -7794,7 +7804,7 @@ static int test_servername(int tst)
if (tst <= 4)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 5)
return 1;
#endif
@@ -7925,7 +7935,7 @@ static int test_servername(int tst)
}
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
/*
* Test that if signature algorithms are not available, then we do not offer or
* accept them.
@@ -8062,10 +8072,11 @@ static int test_sigalgs_available(int idx)
}
#endif /*
* !defined(OPENSSL_NO_EC) \
- * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
*/
#ifndef OPENSSL_NO_TLS1_3
+/* This test can run in TLSv1.3 even if ec and dh are disabled */
static int test_pluggable_group(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -8489,7 +8500,7 @@ static int test_dh_auto(int idx)
# endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that setting an SNI callback works with TLSv1.3. Specifically we check
* that it works even without a certificate configured for the original
@@ -8667,7 +8678,7 @@ int setup_tests(void)
goto err;
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
-# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_ktls, 32);
ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
# endif
@@ -8685,7 +8696,7 @@ int setup_tests(void)
ADD_TEST(test_session_with_only_ext_cache);
ADD_TEST(test_session_with_both_cache);
ADD_TEST(test_session_wo_ca_names);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
ADD_TEST(test_psk_tickets);
@@ -8696,11 +8707,11 @@ int setup_tests(void)
ADD_TEST(test_ssl_bio_pop_ssl_bio);
ADD_TEST(test_ssl_bio_change_rbio);
ADD_TEST(test_ssl_bio_change_wbio);
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
ADD_TEST(test_keylog);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_keylog_no_master_key);
#endif
ADD_TEST(test_client_cert_verify_cb);
@@ -8709,7 +8720,7 @@ int setup_tests(void)
ADD_TEST(test_no_ems);
ADD_TEST(test_ccs_change_cipher);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);
/*
* We don't do replay tests for external PSK. Replay protection isn't used
@@ -8728,7 +8739,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_set_ciphersuite, 10);
ADD_TEST(test_ciphersuite_change);
ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
@@ -8752,7 +8763,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_serverinfo, 8);
ADD_ALL_TESTS(test_export_key_mat, 6);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
ADD_ALL_TESTS(test_key_update_in_write, 2);
@@ -8776,7 +8787,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_servername, 10);
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
@@ -8789,7 +8800,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_dh_auto, 7);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
return 1;