31 files changed, 241 insertions, 119 deletions
diff --git a/CHANGES.md b/CHANGES.md index d80016560e..7c934935eb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,17 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. + Typically if OpenSSL has no EC or DH algorithms then it cannot support + connections with TLSv1.3. However OpenSSL now supports "pluggable" groups + through providers. Therefore third party providers may supply group + implementations even where there are no built-in ones. Attempting to create + TLS connections in such a build without also disabling TLSv1.3 at run time or + using third party provider groups may result in handshake failures. TLSv1.3 + can be disabled at compile time using the "no-tls1_3" Configure option. + + *Matt Caswell* + * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. @@ -563,8 +563,6 @@ my @disable_cascades = ( "zlib" => [ "zlib-dynamic" ], "des" => [ "mdc2" ], "ec" => [ "ec2m", "ecdsa", "ecdh", "sm2", "gost" ], - sub { $disabled{"ec"} && $disabled{"dh"} } - => [ "tls1_3" ], "dgram" => [ "dtls", "sctp" ], "sock" => [ "dgram" ], "dtls" => [ @dtls ], diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index 2366c3db4d..e339d7972c 100644 --- a/test/helpers/ssltestlib.c +++ b/test/helpers/ssltestlib.c 
@@ -685,18 +685,19 @@ static int always_retry_puts(BIO *bio, const char *str)
 }
 
 int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
-const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile)
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile)
 {
 SSL_CTX *serverctx = NULL;
 SSL_CTX *clientctx = NULL;
 
- if (*sctx != NULL)
- serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
- goto err;
+ if (sctx != NULL) {
+ if (*sctx != NULL)
+ serverctx = *sctx;
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
+ goto err;
+ }
 
 if (cctx != NULL) {
 if (*cctx != NULL)
@@ -705,12 +706,25 @@ const SSL_METHOD *cm,
 goto err;
 }
 
- if ((min_proto_version > 0
- && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
- min_proto_version)))
- || (max_proto_version > 0
- && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
- max_proto_version))))
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /*
+ * There are no usable built-in TLSv1.3 groups if ec and dh are both
+ * disabled
+ */
+ if (max_proto_version == 0
+ && (sm == TLS_server_method() || cm == TLS_client_method()))
+ max_proto_version = TLS1_2_VERSION;
+#endif
+
+ if (serverctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
 goto err;
 
 if (clientctx != NULL && ((min_proto_version > 0
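Review bot: The TLSv1.2 cap added under `#if !defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)` in the second hunk fires only when `sm`/`cm` are pointer-equal to `TLS_server_method()`/`TLS_client_method()`, so a caller that hands in the version-flexible `TLS_method()` for either side is left at max 0 and will still offer TLSv1.3 with no usable group; if any caller does that, the condition should read `&& (sm == TLS_server_method() || sm == TLS_method() || cm == TLS_client_method() || cm == TLS_method())`. The cap also rewrites a caller's `max_proto_version == 0` silently, so a test that assumes the default maximum is TLSv1.3 will negotiate TLSv1.2 with no indication; the function's header documentation should state both that `sctx` may now be NULL and that the effective maximum may be lowered in no-ec/no-dh builds. The body of create_ssl_ctx_pair continues past this hunk.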
@@ -721,7 +735,7 @@ const SSL_METHOD *cm, max_proto_version))))) goto err; - if (certfile != NULL && privkeyfile != NULL) { + if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) { if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM), 1) || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx, @@ -731,13 +745,14 @@ const SSL_METHOD *cm, goto err; } - *sctx = serverctx; + if (sctx != NULL) + *sctx = serverctx; if (cctx != NULL) *cctx = clientctx; return 1; err: - if (*sctx == NULL) + if (sctx != NULL && *sctx == NULL) SSL_CTX_free(serverctx); if (cctx != NULL && *cctx == NULL) SSL_CTX_free(clientctx); diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t index 2ac168c252..abd41d756c 100644 --- a/test/recipes/70-test_comp.t +++ b/test/recipes/70-test_comp.t @@ -65,7 +65,8 @@ SKIP: { } SKIP: { - skip "TLSv1.3 disabled", 2 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 2 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 3: Check that sending multiple compression methods in a TLSv1.3 # ClientHello fails $proxy->clear(); diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index b5b01907c6..7ecba99ee8 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -60,6 +60,9 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLS1.3 enabled" if disabled("tls1_3"); +plan skip_all => "$test_name needs EC or DH enabled" + if disabled("ec") && disabled("dh"); + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t index a293ab1e8d..273093244c 100644 --- a/test/recipes/70-test_sslcbcpadding.t +++ b/test/recipes/70-test_sslcbcpadding.t 
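Review bot: With `sctx == NULL` the new `serverctx != NULL` guard on the `certfile`/`privkeyfile` block silently discards a certificate and key the caller supplied, which is more likely a caller mistake than an intended no-op. Either fail the call in that combination, `if (serverctx == NULL && (certfile != NULL || privkeyfile != NULL)) goto err;`, or at least document it with `/* certfile/privkeyfile are ignored when no server context is requested */` so the contract is explicit. The enclosing create_ssl_ctx_pair starts before this hunk.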
@@ -43,6 +43,7 @@ my @test_offsets = (0, 128, 254, 255); # Test that maximally-padded records are accepted. my $bad_padding_offset = -1; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->serverconnects(1 + scalar(@test_offsets)); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 1 + scalar(@test_offsets); @@ -55,6 +56,7 @@ foreach my $offset (@test_offsets) { $bad_padding_offset = $offset; $fatal_alert = 0; $proxy->clearClient(); + $proxy->clientflags("-no_tls1_3"); $proxy->clientstart(); ok($fatal_alert, "Invalid padding byte $bad_padding_offset"); } diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 9be001edc2..2d6262f2d4 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -197,6 +197,7 @@ ok($fatal_alert, "Duplicate ClientHello extension"); $fatal_alert = 0; $proxy->clear(); $proxy->filter(\&inject_duplicate_extension_serverhello); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Duplicate ServerHello extension"); @@ -207,6 +208,7 @@ SKIP: { $proxy->clear(); $proxy->filter(\&extension_filter); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); + $proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success, "Zero extension length test"); @@ -244,7 +246,8 @@ SKIP: { } SKIP: { - skip "TLS 1.3 disabled", 1 if disabled("tls1_3"); + skip "TLS 1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 7: Inject an unsolicited extension (TLSv1.3) $fatal_alert = 0; $proxy->clear(); @@ -260,5 +263,6 @@ SKIP: { # ignore it in a ClientHello $proxy->clear(); $proxy->filter(\&inject_cryptopro_extension); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello"); diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t index 151216c57d..4a0e3e6b78 100644 
--- a/test/recipes/70-test_sslrecords.t +++ b/test/recipes/70-test_sslrecords.t @@ -43,6 +43,7 @@ my $fatal_alert = 0; # set by filters at expected fatal alerts my $content_type = TLSProxy::Record::RT_APPLICATION_DATA; my $inject_recs_num = 1; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 20; ok($fatal_alert, "Out of context empty records test"); @@ -51,6 +52,7 @@ ok($fatal_alert, "Out of context empty records test"); $proxy->clear(); $content_type = TLSProxy::Record::RT_HANDSHAKE; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok(TLSProxy::Message->success(), "In context empty records test"); @@ -60,6 +62,7 @@ $proxy->clear(); #We allow 32 consecutive in context empty records $inject_recs_num = 33; $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Too many in context empty records test"); @@ -70,6 +73,7 @@ $fatal_alert = 0; $proxy->clear(); $proxy->filter(\&add_frag_alert_filter); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->start(); ok($fatal_alert, "Fragmented alert records test"); @@ -92,6 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2; $proxy->clear(); $proxy->filter(\&add_sslv2_filter); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); @@ -102,6 +107,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test"); $sslv2testtype = SSLV2_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); 
@@ -112,6 +118,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test"); $sslv2testtype = FRAGMENTED_IN_TLSV1_2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); @@ -121,6 +128,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test"); $sslv2testtype = FRAGMENTED_IN_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); @@ -130,6 +138,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test"); $sslv2testtype = ALERT_BEFORE_SSLV2; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->ciphers("AES128-SHA:\@SECLEVEL=0"); $proxy->start(); ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); @@ -140,6 +149,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test"); $fatal_alert = 0; $proxy->clear(); $proxy->serverflags("-tls1_2"); +$proxy->clientflags("-no_tls1_3"); $proxy->filter(\&add_unknown_record_type); $proxy->start(); ok($fatal_alert, "Unrecognised record type in TLS1.2"); @@ -166,7 +176,8 @@ ok($fatal_alert, "Changed record version in TLS1.2"); #TLS1.3 specific tests SKIP: { - skip "TLSv1.3 disabled", 8 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 8 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 13: Sending a different record version in TLS1.3 should fail $proxy->clear(); diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t index 3548704138..609c88e716 100644 --- a/test/recipes/70-test_sslsigalgs.t +++ b/test/recipes/70-test_sslsigalgs.t 
@@ -54,13 +54,15 @@ use constant { # the sigalgs #Test 1: Default sig algs should succeed +$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 26; ok(TLSProxy::Message->success, "Default sigalgs"); my $testtype; SKIP: { - skip "TLSv1.3 disabled", 6 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 6 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $proxy->filter(\&sigalgs_filter); @@ -237,7 +239,10 @@ SKIP: { my ($dsa_status, $sha1_status, $sha224_status); SKIP: { - skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa"); + skip "TLSv1.3 disabled", 2 + if disabled("tls1_3") + || disabled("dsa") + || (disabled("ec") && disabled("dh")); #Test 20: signature_algorithms with 1.3-only ClientHello $testtype = PURE_SIGALGS; $dsa_status = $sha1_status = $sha224_status = 0; @@ -263,7 +268,8 @@ SKIP: { } SKIP: { - skip "TLSv1.3 disabled", 3 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 5 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 22: Insert signature_algorithms_cert that match normal sigalgs $testtype = SIGALGS_CERT_ALL; $proxy->clear(); @@ -284,10 +290,7 @@ SKIP: { $proxy->filter(\&modify_sigalgs_cert_filter); $proxy->start(); ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert"); -} -SKIP: { - skip "TLS 1.3 disabled", 2 if disabled("tls1_3"); #Test 25: Send an unrecognized signature_algorithms_cert # We should be able to skip over the unrecognized value and use a # valid one that appears later in the list. diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t index a7d33503ed..147dd38bf2 100644 --- a/test/recipes/70-test_sslsignature.t +++ b/test/recipes/70-test_sslsignature.t 
@@ -45,12 +45,14 @@ $proxy->filter(\&signature_filter); #Test 1: No corruption should succeed my $testtype = NO_CORRUPTION; +$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 4; ok(TLSProxy::Message->success, "No corruption"); SKIP: { - skip "TLSv1.3 disabled", 1 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); #Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail $proxy->clear(); diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t index 864f4f5283..0a67fe1006 100644 --- a/test/recipes/70-test_sslversions.t +++ b/test/recipes/70-test_sslversions.t @@ -37,7 +37,10 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled" - if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1"); + if disabled("tls1_3") + || (disabled("ec") && disabled("dh")) + || disabled("tls1_2") + || disabled("tls1_1"); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t index 205955fad8..c6c9d25f8d 100644 --- a/test/recipes/70-test_tls13alerts.t +++ b/test/recipes/70-test_tls13alerts.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index aef2cf8848..2036583fda 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t 
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t index f8dc8543be..63902a58e6 100644 --- a/test/recipes/70-test_tls13downgrade.t +++ b/test/recipes/70-test_tls13downgrade.t @@ -24,7 +24,9 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled" - if disabled("tls1_3") || disabled("tls1_2"); + if disabled("tls1_3") + || (disabled("ec") && disabled("dh")) + || disabled("tls1_2"); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 8f6e54e235..0423bc3c36 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLS1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index 6648376c0c..da4f3f3865 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLSv1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan skip_all => "$test_name needs EC enabled" if disabled("ec"); diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 66582b7d8e..2f750d858b 100644 --- a/test/recipes/70-test_tls13psk.t 
+++ b/test/recipes/70-test_tls13psk.t @@ -25,7 +25,7 @@ plan skip_all => "$test_name needs the sock feature enabled" if disabled("sock"); plan skip_all => "$test_name needs TLSv1.3 enabled" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t index 55ef58e202..d567b15552 100644 --- a/test/recipes/70-test_tlsextms.t +++ b/test/recipes/70-test_tlsextms.t @@ -56,9 +56,7 @@ my $proxy = TLSProxy::Proxy->new( setrmextms(0, 0); $proxy->clientflags("-no_tls1_3"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -my $numtests = 9; -$numtests++ if (!disabled("tls1_3")); -plan tests => $numtests; +plan tests => 10; checkmessages(1, "Default extended master secret test", 1, 1, 1); #Test 2: If client omits extended master secret extension, server should too. @@ -175,11 +173,14 @@ $proxy->clientstart(); ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2"); unlink $session; -#Test 10: In TLS1.3 we should not negotiate extended master secret -#Expected result: ClientHello extension seen; ServerHello extension not seen -# TLS1.3 handshake (will appear as abbreviated handshake -# because of no CKE message) -if (!disabled("tls1_3")) { +SKIP: { + skip "TLS 1.3 disabled", 1 + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); + + #Test 10: In TLS1.3 we should not negotiate extended master secret + #Expected result: ClientHello extension seen; ServerHello extension not seen + # TLS1.3 handshake (will appear as abbreviated handshake + # because of no CKE message) clearall(); setrmextms(0, 0); $proxy->start(); diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 24e75ae1c9..99dbdea1bb 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t 
@@ -43,13 +43,16 @@ plan tests => 30 # = scalar @conf_srcs # verify generated sources in the default configuration. my $is_default_tls = (disabled("ssl3") && !disabled("tls1") && !disabled("tls1_1") && !disabled("tls1_2") && - !disabled("tls1_3")); + !disabled("tls1_3") && (!disabled("ec") || !disabled("dh"))); my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2")); my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2"); my $no_tls = alldisabled(available_protocols("tls")); my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3")); +if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) { + $no_tls = 1; +} my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3); my $no_dtls = alldisabled(available_protocols("dtls")); my $no_npn = disabled("nextprotoneg"); @@ -105,13 +108,13 @@ my %skip = ( "18-dtls-renegotiate.cnf" => $no_dtls, "19-mac-then-encrypt.cnf" => $no_pre_tls1_3, "20-cert-select.cnf" => disabled("tls1_2") || $no_ec, - "21-key-update.cnf" => disabled("tls1_3"), + "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "22-compression.cnf" => disabled("zlib") || $no_tls, "23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1") && disabled("tls1_2")) || disabled("srp"), - "24-padding.cnf" => disabled("tls1_3"), + "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "25-cipher.cnf" => disabled("ec") || disabled("tls1_2"), - "26-tls13_client_auth.cnf" => disabled("tls1_3"), + "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh), "29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"), ); diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 975d1a9fd6..2f3d5d1c8c 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t 
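Review bot: The "no usable TLSv1.3 groups" condition is written three different ways in 80-test_ssl_new.t — `(!disabled("ec") || !disabled("dh"))` in `$is_default_tls`, `disabled("ec") && disabled("dh")` in the `$no_tls` override, and `($no_ec && $no_dh)` in the three %skip entries. Computing it once, `my $no_tls13_groups = $no_ec && $no_dh;`, and using that in all four places keeps the recipe consistent and makes the later edit (when provider groups remove the restriction) a one-line change. The `$no_tls` override block would also benefit from a comment such as `# TLSv1.3 is the only protocol left but has no built-in groups, so treat TLS as unavailable`.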
@@ -33,6 +33,8 @@ my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk, anydisabled qw/rsa dsa dh ec psk ssl3 tls1 tls1_1 tls1_2 tls1_3 dtls dtls1 dtls1_2 ct/; +#If ec and dh are disabled then don't use TLSv1.3 +$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh); my $no_anytls = alldisabled(available_protocols("tls")); my $no_anydtls = alldisabled(available_protocols("dtls")); diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/90-test_tls13ccs.t index 1281c362d6..3bd65b8ba0 100644 --- a/test/recipes/90-test_tls13ccs.t +++ b/test/recipes/90-test_tls13ccs.t @@ -14,7 +14,7 @@ my $test_name = "test_tls13ccs"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t index 145e1b9f8c..45b7b8a9aa 100644 --- a/test/recipes/90-test_tls13encryption.t +++ b/test/recipes/90-test_tls13encryption.t @@ -13,7 +13,7 @@ my $test_name = "tls13encryption"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3"); + if disabled("tls1_3") || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recipes/90-test_tls13secrets.t b/test/recipes/90-test_tls13secrets.t index ba437f59b8..13af681bf0 100644 --- a/test/recipes/90-test_tls13secrets.t +++ b/test/recipes/90-test_tls13secrets.t @@ -13,7 +13,9 @@ my $test_name = "tls13secrets"; setup($test_name); plan skip_all => "$test_name is not supported in this build" - if disabled("tls1_3") || disabled("shared"); + if disabled("tls1_3") + || disabled("shared") + || (disabled("ec") && disabled("dh")); plan tests => 1; diff --git a/test/recordlentest.c b/test/recordlentest.c index 5388db7ddd..daf19bb8f3 100644 --- a/test/recordlentest.c +++ b/test/recordlentest.c 
@@ -94,7 +94,8 @@ static int test_record_overflow(int idx) || idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#if defined(OPENSSL_NO_TLS1_3) \ + || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK || idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK) return 1; diff --git a/test/servername_test.c b/test/servername_test.c index 14088211c9..d6fb7b5bb6 100644 --- a/test/servername_test.c +++ b/test/servername_test.c @@ -31,6 +31,13 @@ static const char *host = "dummy-host"; static char *cert = NULL; static char *privkey = NULL; +#if defined(OPENSSL_NO_TLS1_3) || \ + (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) +static int maxversion = TLS1_2_VERSION; +#else +static int maxversion = 0; +#endif + static int get_sni_from_client_hello(BIO *bio, char **sni) { long len; @@ -101,6 +108,10 @@ static int client_setup_sni_before_state(void) if (!TEST_ptr(ctx)) goto end; + if (maxversion > 0 + && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion))) + goto end; + con = SSL_new(ctx); if (!TEST_ptr(con)) goto end; @@ -149,6 +160,10 @@ static int client_setup_sni_after_state(void) if (!TEST_ptr(ctx)) goto end; + if (maxversion > 0 + && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion))) + goto end; + con = SSL_new(ctx); if (!TEST_ptr(con)) goto end; diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in index ad0ae7ae18..d908ad1c7d 100644 --- a/test/ssl-tests/04-client_auth.cnf.in +++ b/test/ssl-tests/04-client_auth.cnf.in @@ -116,7 +116,9 @@ sub generate_tests() { test => { "ExpectedResult" => "ServerFail", "ExpectedServerAlert" => - ($protocol_name eq "flex" && !disabled("tls1_3")) + ($protocol_name eq "flex" + && !disabled("tls1_3") + && (!disabled("ec") || !disabled("dh"))) ? "CertificateRequired" : "HandshakeFailure", "Method" => $method, }, 
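Review bot: The new file-scope `static int maxversion` in servername_test.c carries no comment saying why TLSv1.2 is chosen, and the three-line `SSL_CTX_set_max_proto_version` guard is pasted verbatim into both client_setup_sni_before_state and client_setup_sni_after_state. A comment above the `#if`, `/* No built-in TLSv1.3 groups without EC or DH, so cap the client at TLSv1.2 */`, plus a small static helper that creates the context and applies the cap, would keep the two setup paths from drifting. Both functions continue outside their hunks.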
diff --git a/test/ssl-tests/27-ticket-appdata.cnf.in b/test/ssl-tests/27-ticket-appdata.cnf.in index 719c98a107..d9e861933f 100644 --- a/test/ssl-tests/27-ticket-appdata.cnf.in +++ b/test/ssl-tests/27-ticket-appdata.cnf.in @@ -96,4 +96,5 @@ our @tests13 = ( our @tests = (); push @tests, @tests12 unless disabled("tls1_2"); -push @tests, @tests13 unless disabled("tls1_3"); +push @tests, @tests13 unless disabled("tls1_3") + || (disabled("ec") && disabled("dh")); diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 0f0bd2e7cc..70c5722469 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -64,7 +64,10 @@ sub max_prot_enabled { my $max_enabled; foreach my $i (0..$#protocols) { - if (!$is_disabled[$i]) { + if (!$is_disabled[$i] + && ($protocols[$i] ne "TLSv1.3" + || !disabled("ec") + || !disabled("dh"))) { $max_enabled = $i; } } @@ -172,7 +175,11 @@ sub generate_version_tests { } } } - return @tests if disabled("tls1_3") || disabled("tls1_2") || $dtls; + return @tests + if disabled("tls1_3") + || disabled("tls1_2") + || (disabled("ec") && disabled("dh")) + || $dtls; #Add some version/ciphersuite sanity check tests push @tests, { @@ -307,7 +314,7 @@ sub generate_resumption_tests { } } - if (!disabled("tls1_3") && !$dtls) { + if (!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")) && !$dtls) { push @client_tests, { "name" => "resumption-with-hrr", "client" => { @@ -332,7 +339,9 @@ sub generate_resumption_tests { sub expected_result { my ($c_min, $c_max, $s_min, $s_max, $min_enabled, $max_enabled, $protocols) = @_; + my @prots = @$protocols; + my $orig_c_max = $c_max; # Adjust for "undef" (no limit). $c_min = $c_min == 0 ? 0 : $c_min - 1; $c_max = $c_max == scalar @$protocols ? $c_max - 1 : $c_max; 
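Review bot: In protocol_version.pm the "TLSv1.3 is usable" rule is spelled out three ways — `$protocols[$i] ne "TLSv1.3" || !disabled("ec") || !disabled("dh")` in max_prot_enabled, `(disabled("ec") && disabled("dh"))` in generate_version_tests and `(!disabled("ec") || !disabled("dh"))` in generate_resumption_tests — which is easy to update in only one place when the rule changes again (CHANGES.md already anticipates provider-supplied groups). A single helper, `sub tls13_usable { return !disabled("tls1_3") && (!disabled("ec") || !disabled("dh")); }`, called from the three sites would keep the rule in one place. The expected_result hunk starting here continues past this line.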
@@ -346,7 +355,11 @@ sub expected_result {
 $c_max = min $c_max, $max_enabled;
 $s_max = min $s_max, $max_enabled;
 
- if ($c_min > $c_max) {
+ if ($c_min > $c_max
+ || ($orig_c_max != scalar @$protocols
+ && $prots[$orig_c_max] eq "TLSv1.3"
+ && $c_max != $orig_c_max
+ && !disabled("tls1_3"))) {
 # Client should fail to even send a hello.
 return ("ClientFail", undef);
 } elsif ($s_min > $s_max) {
@@ -356,7 +369,6 @@ sub expected_result {
 # Server doesn't support the client range.
 return ("ServerFail", undef);
 } elsif ($c_min > $s_max) {
- my @prots = @$protocols;
 if ($prots[$c_max] eq "TLSv1.3") {
 # Client will have sent supported_versions, so server will know
 # that there are no overlapping versions.
diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 48f0e8dae7..ad9a4a256c 100644
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -1321,7 +1321,12 @@ int main(int argc, char *argv[])
 max_version = TLS1_2_VERSION;
 } else {
 min_version = 0;
+# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)
+ /* We only have ec and dh based built-in groups for TLSv1.3 */
+ max_version = TLS1_2_VERSION;
+# else
 max_version = 0;
+# endif
 }
 #endif
 #ifndef OPENSSL_NO_DTLS
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 042a05e453..cefcfb569f 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -436,8 +436,17 @@ static int test_handshake(int idx)
 }
 #endif
 if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /* Without ec or dh there are no built-in groups for TLSv1.3 */
+ int maxversion = TLS1_2_VERSION;
+#else
+ int maxversion = 0;
+#endif
+
 server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method());
- if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, 0)))
+ if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, maxversion)))
 goto err;
 /* SNI on resumption isn't supported/tested yet. */
 if (test_ctx->extra.server.servername_callback !=
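Review bot: The four-line disjunct added to the `if ($c_min > $c_max ...)` test in expected_result encodes a non-obvious rule — the client explicitly chose TLSv1.3 as its maximum, that maximum was clamped down by `$max_enabled`, and TLSv1.3 is compiled in — but it carries no comment, and the existing `# Client should fail to even send a hello.` only explains the first case. A comment above the condition, `# An explicit TLSv1.3 maximum with no usable groups also aborts before the ClientHello`, would document the intent. `$orig_c_max` is compared against `scalar @$protocols` while `@prots` is the local copy of the same list; using `scalar @prots` in both places would be consistent.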
@@ -445,21 +454,24 @@ static int test_handshake(int idx) if (!TEST_ptr(server2_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) goto err; - if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, + maxversion))) goto err; } client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, maxversion))) goto err; if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { resume_server_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, + maxversion))) goto err; resume_client_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_client_method()); - if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, 0))) + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, + maxversion))) goto err; if (!TEST_ptr(resume_server_ctx) || !TEST_ptr(resume_client_ctx)) diff --git a/test/sslapitest.c b/test/sslapitest.c index 51d1bdd8de..7cae297a17 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -39,6 +39,16 @@ #include "internal/ktls.h" #include "../ssl/ssl_local.h" +#undef OSSL_NO_USABLE_TLS1_3 +#if defined(OPENSSL_NO_TLS1_3) \ + || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)) +/* + * If we don't have ec or dh then there are no built-in groups that are usable + * with TLSv1.3 + */ +# define OSSL_NO_USABLE_TLS1_3 +#endif + /* Defined in filterprov.c */ OSSL_provider_init_fn filter_provider_init; int filter_provider_set_filter(int operation, const char *name); 
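Review bot: `OSSL_NO_USABLE_TLS1_3` is defined privately at the top of sslapitest.c, while the same build condition is re-spelled by hand as `#if !defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)` (or its negation) in ssltestlib.c, recordlentest.c, servername_test.c, ssl_test.c and ssl_old_test.c in this same commit. Defining the macro once in the shared ssltestlib header and using it in those files would leave a single place to update when provider-supplied groups make the restriction obsolete. The `#undef OSSL_NO_USABLE_TLS1_3` ahead of the `#if` is redundant unless the name can also arrive from the command line; if that is the intent a comment should say so.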
@@ -52,7 +62,7 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle, static OSSL_LIB_CTX *libctx = NULL; static OSSL_PROVIDER *defctxnull = NULL; -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static SSL_SESSION *clientpsk = NULL; static SSL_SESSION *serverpsk = NULL; @@ -351,7 +361,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl, return 1; } -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) static int test_keylog(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -432,7 +442,7 @@ end: } #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int test_keylog_no_master_key(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -957,7 +967,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth, } #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \ - !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) + !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2)) #define TLS_CIPHER_MAX_REC_SEQ_SIZE 8 /* sock must be connected */ static int ktls_chk_platform(int sock) @@ -1272,14 +1282,14 @@ end: return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) static int test_ktls(int test) { int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx; int tlsver, testresult; if (test > 15) { -#if defined(OPENSSL_NO_TLS1_3) +#if defined(OSSL_NO_USABLE_TLS1_3) return 1; #else test -= 16; @@ -1302,7 +1312,7 @@ static int test_ktls(int test) if (cis_ktls_rx || sis_ktls_rx) return 1; #endif -#if !defined(OPENSSL_NO_TLS1_3) +#if !defined(OSSL_NO_USABLE_TLS1_3) if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx)) return 1; #endif @@ -1332,7 +1342,7 @@ static int test_ktls_sendfile_anytls(int tst) int tlsver; if (tst > 2) { -#if defined(OPENSSL_NO_TLS1_3) +#if defined(OSSL_NO_USABLE_TLS1_3) return 1; #else tst -= 3; 
@@ -1481,7 +1491,7 @@ static int test_cleanse_plaintext(void) #endif -#if !defined(OPENSSL_NO_TLS1_3) +#if !defined(OSSL_NO_USABLE_TLS1_3) if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(), TLS_client_method(), TLS1_3_VERSION, @@ -1676,7 +1686,7 @@ static int test_tlsext_status_type(void) } #endif -#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) +#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) static int new_called, remove_called, get_called; static int new_session_cb(SSL *ssl, SSL_SESSION *sess) @@ -1992,11 +2002,11 @@ static int execute_test_session(int maxprot, int use_int_cache, return testresult; } -#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ +#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ static int test_session_with_only_int_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0)) return 0; #endif @@ -2010,7 +2020,7 @@ static int test_session_with_only_int_cache(void) static int test_session_with_only_ext_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0)) return 0; #endif @@ -2024,7 +2034,7 @@ static int test_session_with_only_ext_cache(void) static int test_session_with_both_cache(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0)) return 0; #endif @@ -2038,7 +2048,7 @@ static int test_session_with_both_cache(void) static int test_session_wo_ca_names(void) { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES)) return 0; #endif @@ -2051,7 +2061,7 @@ static int test_session_wo_ca_names(void) } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static SSL_SESSION *sesscache[6]; static int do_cache; 
@@ -2492,7 +2502,7 @@ static int test_extra_tickets(int idx) #define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3) #define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2) -#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) +#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2) #else # define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0 @@ -2721,7 +2731,7 @@ static int test_ssl_bio_change_wbio(void) return execute_test_ssl_bio(0, CHANGE_WBIO); } -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) typedef struct { /* The list of sig algs */ const int *list; @@ -2852,7 +2862,7 @@ static int test_set_sigalgs(int idx) } #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int psk_client_cb_cnt = 0; static int psk_server_cb_cnt = 0; @@ -5048,7 +5058,7 @@ static int test_stateless(void) return testresult; } -#endif /* OPENSSL_NO_TLS1_3 */ +#endif /* OSSL_NO_USABLE_TLS1_3 */ static int clntaddoldcb = 0; static int clntparseoldcb = 0; @@ -5183,7 +5193,7 @@ static int test_custom_exts(int tst) SSL_SESSION *sess = NULL; unsigned int context; -#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3) +#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) /* Skip tests for TLSv1.2 and below in this case */ if (tst < 3) return 1; @@ -5478,7 +5488,7 @@ static int test_export_key_mat(int tst) if (tst == 2) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 3) return 1; #endif @@ -5604,7 +5614,7 @@ static int test_export_key_mat(int tst) return testresult; } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 /* * Test that SSL_export_keying_material_early() produces expected * results. There are no test vectors so all we do is test that both 
@@ -5823,7 +5833,7 @@ static int test_key_update_in_write(int tst) return testresult; } -#endif /* OPENSSL_NO_TLS1_3 */ +#endif /* OSSL_NO_USABLE_TLS1_3 */ static int test_ssl_clear(int idx) { @@ -5942,14 +5952,15 @@ static const unsigned char max_fragment_len_test[] = { static int test_max_fragment_len_ext(int idx_tst) { - SSL_CTX *ctx; + SSL_CTX *ctx = NULL; SSL *con = NULL; int testresult = 0, MFL_mode = 0; BIO *rbio, *wbio; - ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()); - if (!TEST_ptr(ctx)) - goto end; + if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(), + TLS1_VERSION, 0, NULL, &ctx, NULL, + NULL))) + return 0; if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length( ctx, max_fragment_len_test[idx_tst]))) @@ -5968,7 +5979,6 @@ static int test_max_fragment_len_ext(int idx_tst) } SSL_set_bio(con, rbio, wbio); - SSL_set_connect_state(con); if (!TEST_int_le(SSL_connect(con), 0)) { /* This shouldn't succeed because we don't have a server! */ @@ -5990,7 +6000,7 @@ end: return testresult; } -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 static int test_pha_key_update(void) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -6432,7 +6442,7 @@ static int test_info_callback(int tst) return 1; #endif } else { -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 tlsvers = TLS1_3_VERSION; #else return 1; @@ -6444,7 +6454,7 @@ static int test_info_callback(int tst) info_cb_this_state = -1; info_cb_offset = tst; -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 if (tst >= 4) { SSL_SESSION *sess = NULL; size_t written, readbytes; @@ -6603,7 +6613,7 @@ static struct { * We can't establish a connection (even in TLSv1.1) with these ciphersuites if * TLSv1.3 is enabled but TLSv1.2 is disabled. */ -#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) +#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) { TLS1_2_VERSION, "AES128-SHA:AES256-SHA", 
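Review bot: In test_max_fragment_len_ext the failure path of the new `create_ssl_ctx_pair(...)` call uses `return 0`, while the checks that follow it and the `end:` label (both partly outside this hunk) use `goto end`; since `ctx` is now initialised to `NULL` and `end:` releases it, `goto end;` would keep a single exit path with identical behaviour. The removal of `SSL_set_connect_state(con)` in the second hunk of this function is presumably safe because the context is now built from `TLS_client_method()` instead of `TLS_method()`, but that reasoning is not recorded anywhere and deserves a one-line comment where `con` is created, e.g. `/* ctx uses TLS_client_method(), so con is already a client */`. Passing `TLS_client_method()` also matters for the no-ec no-dh cap applied inside create_ssl_ctx_pair, which keys on that exact method pointer; a comment at the call site would save the next reader a trip into the helper. The function body continues outside both hunks.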
@@ -6649,7 +6659,7 @@ static struct { * This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be * enabled. */ -#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ +#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \ && !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) { TLS1_3_VERSION, @@ -6662,7 +6672,7 @@ static struct { "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA" }, #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 { TLS1_3_VERSION, "AES128-SHA", @@ -6907,7 +6917,7 @@ static int test_ticket_callbacks(int tst) if (tst % 2 == 0) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst % 2 == 1) return 1; #endif @@ -7124,7 +7134,7 @@ static int test_shutdown(int tst) if (tst <= 1) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 2) return 1; #endif @@ -7259,7 +7269,7 @@ static int test_shutdown(int tst) return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) static int cert_cb_cnt; static int cert_cb(SSL *s, void *arg) @@ -7440,7 +7450,7 @@ static int test_cert_cb(int tst) #ifndef OPENSSL_NO_TLS1_2 testresult &= test_cert_cb_int(TLS1_2_VERSION, tst); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 testresult &= test_cert_cb_int(TLS1_3_VERSION, tst); #endif @@ -7498,7 +7508,7 @@ static int test_client_cert_cb(int tst) if (tst == 0) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst == 1) return 1; #endif @@ -7537,7 +7547,7 @@ static int test_client_cert_cb(int tst) return testresult; } -#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) /* * Test setting certificate authorities on both client and server. * 
@@ -7664,7 +7674,7 @@ static int test_ca_names(int tst) #ifndef OPENSSL_NO_TLS1_2 testresult &= test_ca_names_int(TLS1_2_VERSION, tst); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 testresult &= test_ca_names_int(TLS1_3_VERSION, tst); #endif @@ -7794,7 +7804,7 @@ static int test_servername(int tst) if (tst <= 4) return 1; #endif -#ifdef OPENSSL_NO_TLS1_3 +#ifdef OSSL_NO_USABLE_TLS1_3 if (tst >= 5) return 1; #endif @@ -7925,7 +7935,7 @@ static int test_servername(int tst) } #if !defined(OPENSSL_NO_EC) \ - && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) /* * Test that if signature algorithms are not available, then we do not offer or * accept them. @@ -8062,10 +8072,11 @@ static int test_sigalgs_available(int idx) } #endif /* * !defined(OPENSSL_NO_EC) \ - * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) */ #ifndef OPENSSL_NO_TLS1_3 +/* This test can run in TLSv1.3 even if ec and dh are disabled */ static int test_pluggable_group(int idx) { SSL_CTX *cctx = NULL, *sctx = NULL; @@ -8489,7 +8500,7 @@ static int test_dh_auto(int idx) # endif /* OPENSSL_NO_DH */ #endif /* OPENSSL_NO_TLS1_2 */ -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 /* * Test that setting an SNI callback works with TLSv1.3. Specifically we check * that it works even without a certificate configured for the original @@ -8667,7 +8678,7 @@ int setup_tests(void) goto err; #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) -# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3) +# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_ktls, 32); ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6); # endif 
@@ -8685,7 +8696,7 @@ int setup_tests(void) ADD_TEST(test_session_with_only_ext_cache); ADD_TEST(test_session_with_both_cache); ADD_TEST(test_session_wo_ca_names); -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_stateful_tickets, 3); ADD_ALL_TESTS(test_stateless_tickets, 3); ADD_TEST(test_psk_tickets); @@ -8696,11 +8707,11 @@ int setup_tests(void) ADD_TEST(test_ssl_bio_pop_ssl_bio); ADD_TEST(test_ssl_bio_change_rbio); ADD_TEST(test_ssl_bio_change_wbio); -#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3) +#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2); ADD_TEST(test_keylog); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_TEST(test_keylog_no_master_key); #endif ADD_TEST(test_client_cert_verify_cb); @@ -8709,7 +8720,7 @@ int setup_tests(void) ADD_TEST(test_no_ems); ADD_TEST(test_ccs_change_cipher); #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 3); /* * We don't do replay tests for external PSK. Replay protection isn't used @@ -8728,7 +8739,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_early_data_tls1_2, 3); # endif #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_set_ciphersuite, 10); ADD_TEST(test_ciphersuite_change); ADD_ALL_TESTS(test_tls13_ciphersuite, 4); @@ -8752,7 +8763,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_serverinfo, 8); ADD_ALL_TESTS(test_export_key_mat, 6); -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); ADD_TEST(test_key_update); ADD_ALL_TESTS(test_key_update_in_write, 2); 
@@ -8776,7 +8787,7 @@ int setup_tests(void) #endif ADD_ALL_TESTS(test_servername, 10); #if !defined(OPENSSL_NO_EC) \ - && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) ADD_ALL_TESTS(test_sigalgs_available, 6); #endif #ifndef OPENSSL_NO_TLS1_3 @@ -8789,7 +8800,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_dh_auto, 7); # endif #endif -#ifndef OPENSSL_NO_TLS1_3 +#ifndef OSSL_NO_USABLE_TLS1_3 ADD_TEST(test_sni_tls13); #endif return 1; |