Test an old style PSK callback with no cert will prefer SHA-256
If using an old style PSK callback and no certificate is configured for the server, we should prefer ciphersuites based on SHA-256, because that is the default hash for those callbacks as specified in the TLSv1.3 spec. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6215)
This commit is contained in:
parent
9e064bc170
commit
0d8da77908
2 changed files with 97 additions and 74 deletions
|
@ -2781,6 +2781,13 @@ static int test_ciphersuite_change(void)
|
||||||
return testresult;
|
return testresult;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Test TLSv1.3 PSKs
|
||||||
|
* Test 0 = Test new style callbacks
|
||||||
|
* Test 1 = Test both new and old style callbacks
|
||||||
|
* Test 2 = Test old style callbacks
|
||||||
|
* Test 3 = Test old style callbacks with no certificate
|
||||||
|
*/
|
||||||
static int test_tls13_psk(int idx)
|
static int test_tls13_psk(int idx)
|
||||||
{
|
{
|
||||||
SSL_CTX *sctx = NULL, *cctx = NULL;
|
SSL_CTX *sctx = NULL, *cctx = NULL;
|
||||||
|
@ -2796,15 +2803,21 @@ static int test_tls13_psk(int idx)
|
||||||
|
|
||||||
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
|
if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
|
||||||
TLS1_VERSION, TLS_MAX_VERSION,
|
TLS1_VERSION, TLS_MAX_VERSION,
|
||||||
&sctx, &cctx, cert, privkey)))
|
&sctx, &cctx, idx == 3 ? NULL : cert,
|
||||||
|
idx == 3 ? NULL : privkey)))
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
/*
|
if (idx != 3) {
|
||||||
* We use a ciphersuite with SHA256 to ease testing old style PSK callbacks
|
/*
|
||||||
* which will always default to SHA256
|
* We use a ciphersuite with SHA256 to ease testing old style PSK
|
||||||
*/
|
* callbacks which will always default to SHA256. This should not be
|
||||||
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")))
|
* necessary if we have no cert/priv key. In that case the server should
|
||||||
goto end;
|
* prefer SHA256 automatically.
|
||||||
|
*/
|
||||||
|
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
|
||||||
|
"TLS_AES_128_GCM_SHA256")))
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Test 0: New style callbacks only
|
* Test 0: New style callbacks only
|
||||||
|
@ -2816,7 +2829,7 @@ static int test_tls13_psk(int idx)
|
||||||
SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
|
SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
|
||||||
}
|
}
|
||||||
#ifndef OPENSSL_NO_PSK
|
#ifndef OPENSSL_NO_PSK
|
||||||
if (idx == 1 || idx == 2) {
|
if (idx >= 1) {
|
||||||
SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
|
SSL_CTX_set_psk_client_callback(cctx, psk_client_cb);
|
||||||
SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
|
SSL_CTX_set_psk_server_callback(sctx, psk_server_cb);
|
||||||
}
|
}
|
||||||
|
@ -2827,37 +2840,42 @@ static int test_tls13_psk(int idx)
|
||||||
psk_client_cb_cnt = 0;
|
psk_client_cb_cnt = 0;
|
||||||
psk_server_cb_cnt = 0;
|
psk_server_cb_cnt = 0;
|
||||||
|
|
||||||
/* Check we can create a connection if callback decides not to send a PSK */
|
if (idx != 3) {
|
||||||
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
/*
|
||||||
NULL, NULL))
|
* Check we can create a connection if callback decides not to send a
|
||||||
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
|
* PSK
|
||||||
SSL_ERROR_NONE))
|
*/
|
||||||
|| !TEST_false(SSL_session_reused(clientssl))
|
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
||||||
|| !TEST_false(SSL_session_reused(serverssl)))
|
NULL, NULL))
|
||||||
goto end;
|
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||||
|
SSL_ERROR_NONE))
|
||||||
|
|| !TEST_false(SSL_session_reused(clientssl))
|
||||||
|
|| !TEST_false(SSL_session_reused(serverssl)))
|
||||||
|
goto end;
|
||||||
|
|
||||||
if (idx == 0 || idx == 1) {
|
if (idx == 0 || idx == 1) {
|
||||||
if (!TEST_true(use_session_cb_cnt == 1)
|
if (!TEST_true(use_session_cb_cnt == 1)
|
||||||
|| !TEST_true(find_session_cb_cnt == 0)
|
|| !TEST_true(find_session_cb_cnt == 0)
|
||||||
/*
|
/*
|
||||||
* If no old style callback then below should be 0
|
* If no old style callback then below should be 0
|
||||||
* otherwise 1
|
* otherwise 1
|
||||||
*/
|
*/
|
||||||
|| !TEST_true(psk_client_cb_cnt == idx)
|
|| !TEST_true(psk_client_cb_cnt == idx)
|
||||||
|| !TEST_true(psk_server_cb_cnt == 0))
|
|| !TEST_true(psk_server_cb_cnt == 0))
|
||||||
goto end;
|
goto end;
|
||||||
} else {
|
} else {
|
||||||
if (!TEST_true(use_session_cb_cnt == 0)
|
if (!TEST_true(use_session_cb_cnt == 0)
|
||||||
|| !TEST_true(find_session_cb_cnt == 0)
|
|| !TEST_true(find_session_cb_cnt == 0)
|
||||||
|| !TEST_true(psk_client_cb_cnt == 1)
|
|| !TEST_true(psk_client_cb_cnt == 1)
|
||||||
|| !TEST_true(psk_server_cb_cnt == 0))
|
|| !TEST_true(psk_server_cb_cnt == 0))
|
||||||
goto end;
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
shutdown_ssl_connection(serverssl, clientssl);
|
||||||
|
serverssl = clientssl = NULL;
|
||||||
|
use_session_cb_cnt = psk_client_cb_cnt = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
shutdown_ssl_connection(serverssl, clientssl);
|
|
||||||
serverssl = clientssl = NULL;
|
|
||||||
use_session_cb_cnt = psk_client_cb_cnt = 0;
|
|
||||||
|
|
||||||
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
||||||
NULL, NULL)))
|
NULL, NULL)))
|
||||||
goto end;
|
goto end;
|
||||||
|
@ -2937,39 +2955,41 @@ static int test_tls13_psk(int idx)
|
||||||
use_session_cb_cnt = find_session_cb_cnt = 0;
|
use_session_cb_cnt = find_session_cb_cnt = 0;
|
||||||
psk_client_cb_cnt = psk_server_cb_cnt = 0;
|
psk_client_cb_cnt = psk_server_cb_cnt = 0;
|
||||||
|
|
||||||
/*
|
if (idx != 3) {
|
||||||
* Check that if the server rejects the PSK we can still connect, but with
|
/*
|
||||||
* a full handshake
|
* Check that if the server rejects the PSK we can still connect, but with
|
||||||
*/
|
* a full handshake
|
||||||
srvid = "Dummy Identity";
|
*/
|
||||||
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
srvid = "Dummy Identity";
|
||||||
NULL, NULL))
|
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
|
||||||
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
|
NULL, NULL))
|
||||||
SSL_ERROR_NONE))
|
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||||
|| !TEST_false(SSL_session_reused(clientssl))
|
SSL_ERROR_NONE))
|
||||||
|| !TEST_false(SSL_session_reused(serverssl)))
|
|| !TEST_false(SSL_session_reused(clientssl))
|
||||||
goto end;
|
|| !TEST_false(SSL_session_reused(serverssl)))
|
||||||
|
goto end;
|
||||||
|
|
||||||
if (idx == 0 || idx == 1) {
|
if (idx == 0 || idx == 1) {
|
||||||
if (!TEST_true(use_session_cb_cnt == 1)
|
if (!TEST_true(use_session_cb_cnt == 1)
|
||||||
|| !TEST_true(find_session_cb_cnt == 1)
|
|| !TEST_true(find_session_cb_cnt == 1)
|
||||||
|| !TEST_true(psk_client_cb_cnt == 0)
|
|| !TEST_true(psk_client_cb_cnt == 0)
|
||||||
/*
|
/*
|
||||||
* If no old style callback then below should be 0
|
* If no old style callback then below should be 0
|
||||||
* otherwise 1
|
* otherwise 1
|
||||||
*/
|
*/
|
||||||
|| !TEST_true(psk_server_cb_cnt == idx))
|
|| !TEST_true(psk_server_cb_cnt == idx))
|
||||||
goto end;
|
goto end;
|
||||||
} else {
|
} else {
|
||||||
if (!TEST_true(use_session_cb_cnt == 0)
|
if (!TEST_true(use_session_cb_cnt == 0)
|
||||||
|| !TEST_true(find_session_cb_cnt == 0)
|
|| !TEST_true(find_session_cb_cnt == 0)
|
||||||
|| !TEST_true(psk_client_cb_cnt == 1)
|
|| !TEST_true(psk_client_cb_cnt == 1)
|
||||||
|| !TEST_true(psk_server_cb_cnt == 1))
|
|| !TEST_true(psk_server_cb_cnt == 1))
|
||||||
goto end;
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
shutdown_ssl_connection(serverssl, clientssl);
|
||||||
|
serverssl = clientssl = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
shutdown_ssl_connection(serverssl, clientssl);
|
|
||||||
serverssl = clientssl = NULL;
|
|
||||||
testresult = 1;
|
testresult = 1;
|
||||||
|
|
||||||
end:
|
end:
|
||||||
|
@ -4640,7 +4660,7 @@ int setup_tests(void)
|
||||||
#ifdef OPENSSL_NO_PSK
|
#ifdef OPENSSL_NO_PSK
|
||||||
ADD_ALL_TESTS(test_tls13_psk, 1);
|
ADD_ALL_TESTS(test_tls13_psk, 1);
|
||||||
#else
|
#else
|
||||||
ADD_ALL_TESTS(test_tls13_psk, 3);
|
ADD_ALL_TESTS(test_tls13_psk, 4);
|
||||||
#endif /* OPENSSL_NO_PSK */
|
#endif /* OPENSSL_NO_PSK */
|
||||||
ADD_ALL_TESTS(test_custom_exts, 5);
|
ADD_ALL_TESTS(test_custom_exts, 5);
|
||||||
ADD_TEST(test_stateless);
|
ADD_TEST(test_stateless);
|
||||||
|
|
|
@ -594,12 +594,15 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
|
||||||
max_proto_version)))))
|
max_proto_version)))))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
|
if (certfile != NULL && privkeyfile != NULL) {
|
||||||
SSL_FILETYPE_PEM), 1)
|
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
|
||||||
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx, privkeyfile,
|
SSL_FILETYPE_PEM), 1)
|
||||||
SSL_FILETYPE_PEM), 1)
|
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx,
|
||||||
|| !TEST_int_eq(SSL_CTX_check_private_key(serverctx), 1))
|
privkeyfile,
|
||||||
goto err;
|
SSL_FILETYPE_PEM), 1)
|
||||||
|
|| !TEST_int_eq(SSL_CTX_check_private_key(serverctx), 1))
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_DH
|
#ifndef OPENSSL_NO_DH
|
||||||
SSL_CTX_set_dh_auto(serverctx, 1);
|
SSL_CTX_set_dh_auto(serverctx, 1);
|
||||||
|
|
Loading…
Reference in a new issue