Clean up following new SNI tests

- Only send SNI in SNI tests. This allows us to test handshakes without the SNI extension as well. - Move all handshake-specific machinery to handshake_helper.c - Use enum types to represent the enum everywhere (Resorting to plain ints can end in sign mismatch when the enum is represented by an unsigned type.) Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2016-06-10 00:39:22 +0200
committer: Emilia Kasper <emilia@openssl.org> 2016-06-13 16:03:06 +0200
commit: 81fc33c951b645f31727dc811e02200bde4a0982 (patch)
tree: 7b14f860635eb488254815300aecdf1792f46584 /test/handshake_helper.c
parent: a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (diff)
1 files changed, 40 insertions, 7 deletions
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index f7ab841f57..22ba1ce0f9 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -41,6 +41,23 @@ static void info_callback(const SSL *s, int where, int ret)
     }
 }
 
+static int servername_callback(SSL *s, int *ad, void *arg)
+{
+    const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+    if (servername != NULL && !strcmp(servername, "server2")) {
+        SSL_CTX *new_ctx = (SSL_CTX*)arg;
+        SSL_set_SSL_CTX(s, new_ctx);
+        /*
+         * Copy over all the SSL_CTX options - reasonable behavior
+         * allows testing of cases where the options between two
+         * contexts differ/conflict
+         */
+        SSL_clear_options(s, 0xFFFFFFFFL);
+        SSL_set_options(s, SSL_CTX_get_options(new_ctx));
+    }
+    return SSL_TLSEXT_ERR_OK;
+}
+
 static int verify_reject_callback(X509_STORE_CTX *ctx, void *arg) {
     X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
     return 0;
@@ -56,8 +73,10 @@ static int broken_session_ticket_callback(SSL* s, unsigned char* key_name, unsig
     return 0;
 }
 
-int do_not_call_session_ticket_callback(SSL* s, unsigned char* key_name, unsigned char *iv,
-                                        EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
+static int do_not_call_session_ticket_callback(SSL* s, unsigned char* key_name,
+                                               unsigned char *iv,
+                                               EVP_CIPHER_CTX *ctx,
+                                               HMAC_CTX *hctx, int enc)
 {
     HANDSHAKE_EX_DATA *ex_data =
         (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx));
@@ -69,7 +88,8 @@ int do_not_call_session_ticket_callback(SSL* s, unsigned char* key_name, unsigne
  * Configure callbacks and other properties that can't be set directly
  * in the server/client CONF.
  */
-static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
+static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                                    SSL_CTX *client_ctx,
                                     const SSL_TEST_CTX *test_ctx)
 {
     switch (test_ctx->client_verify_callback) {
@@ -84,6 +104,17 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
     default:
         break;
     }
+
+    /* link the two contexts for SNI purposes */
+    SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_callback);
+    SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
+    /*
+     * The initial_ctx/session_ctx always handles the encrypt/decrypt of the
+     * session ticket. This ticket_key callback is assigned to the second
+     * session (assigned via SNI), and should never be invoked
+     */
+    SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx, do_not_call_session_ticket_callback);
+
     if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) {
         SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_callback);
     }
@@ -96,7 +127,9 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
 static void configure_handshake_ssl(SSL *server, SSL *client,
                                     const SSL_TEST_CTX *test_ctx)
 {
-    SSL_set_tlsext_host_name(client, ssl_servername_name(test_ctx->servername));
+    if (test_ctx->servername != SSL_TEST_SERVERNAME_NONE)
+        SSL_set_tlsext_host_name(client,
+                                 ssl_servername_name(test_ctx->servername));
 }
 
 
@@ -199,8 +232,8 @@ static handshake_status_t handshake_status(peer_status_t last_status,
     return INTERNAL_ERROR;
 }
 
-HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
-                              const SSL_TEST_CTX *test_ctx)
+HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                              SSL_CTX *client_ctx, const SSL_TEST_CTX *test_ctx)
 {
     SSL *server, *client;
     BIO *client_to_server, *server_to_client;
@@ -213,7 +246,7 @@ HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx,
     size_t len = 0;
     SSL_SESSION* sess = NULL;
 
-    configure_handshake_ctx(server_ctx, client_ctx, test_ctx);
+    configure_handshake_ctx(server_ctx, server2_ctx, client_ctx, test_ctx);
 
     server = SSL_new(server_ctx);
     client = SSL_new(client_ctx);
author	Emilia Kasper <emilia@openssl.org>	2016-06-10 00:39:22 +0200
committer	Emilia Kasper <emilia@openssl.org>	2016-06-13 16:03:06 +0200
commit	81fc33c951b645f31727dc811e02200bde4a0982 (patch)
tree	7b14f860635eb488254815300aecdf1792f46584 /test/handshake_helper.c
parent	a7be5759cf9d8e2bf7c1ecd0efa2d53aae9ab706 (diff)