path: root/test/sslapitest.c
authorMatt Caswell <matt@openssl.org>2021-01-14 15:50:20 +0000
committerMatt Caswell <matt@openssl.org>2021-02-05 15:22:40 +0000
commita763ca11777ce01a286751f3f3dd9b106ef74f30 (patch)
tree7ad54dd22661b8373f57ffefdee897b6282dc225 /test/sslapitest.c
parent8b1db5d329740bd5363fd1763d4030d0e015b521 (diff)
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are both disabled, TLSv1.3 may still be usable when key-exchange groups have been plugged in by an external provider, so the tests should not treat "no EC and no DH" as "no TLSv1.3". Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
Diffstat (limited to 'test/sslapitest.c')
-rw-r--r--test/sslapitest.c121
1 files changed, 66 insertions, 55 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 51d1bdd8de..7cae297a17 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -39,6 +39,16 @@
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+#undef OSSL_NO_USABLE_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+/*
+ * If we don't have ec or dh then there are no built-in groups that are usable
+ * with TLSv1.3
+ */
+# define OSSL_NO_USABLE_TLS1_3
+#endif
+
/* Defined in filterprov.c */
OSSL_provider_init_fn filter_provider_init;
int filter_provider_set_filter(int operation, const char *name);
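Review bot: The comment at the new OSSL_NO_USABLE_TLS1_3 definition says when the macro is set but not what it is meant to mean or why a bare `#undef` precedes it, so a reader will take it as a synonym for OPENSSL_NO_TLS1_3, which is exactly the distinction this commit depends on. I would reword it along the lines of `/* OSSL_NO_USABLE_TLS1_3: TLSv1.3 is compiled out, or it is compiled in but has no built-in key-exchange groups (ec and dh both disabled). TLSv1.3 may still work with groups supplied by a provider, so tests that rely on provider groups should keep checking OPENSSL_NO_TLS1_3. */`. The `#undef` looks like a guard against a stale definition coming from an included header; a short note saying so would avoid it being removed as dead. If other test files need the same distinction the definition probably belongs in a shared test header, though this diff does not show whether they do.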
@@ -52,7 +62,7 @@ int tls_provider_init(const OSSL_CORE_HANDLE *handle,
static OSSL_LIB_CTX *libctx = NULL;
static OSSL_PROVIDER *defctxnull = NULL;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *clientpsk = NULL;
static SSL_SESSION *serverpsk = NULL;
@@ -351,7 +361,7 @@ static int test_keylog_output(char *buffer, const SSL *ssl,
return 1;
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
static int test_keylog(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -432,7 +442,7 @@ end:
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_keylog_no_master_key(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -957,7 +967,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
}
#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_KTLS) && \
- !(defined(OPENSSL_NO_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
+ !(defined(OSSL_NO_USABLE_TLS1_3) && defined(OPENSSL_NO_TLS1_2))
#define TLS_CIPHER_MAX_REC_SEQ_SIZE 8
/* sock must be connected */
static int ktls_chk_platform(int sock)
@@ -1272,14 +1282,14 @@ end:
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int test_ktls(int test)
{
int cis_ktls_tx, cis_ktls_rx, sis_ktls_tx, sis_ktls_rx;
int tlsver, testresult;
if (test > 15) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
test -= 16;
@@ -1302,7 +1312,7 @@ static int test_ktls(int test)
if (cis_ktls_rx || sis_ktls_rx)
return 1;
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (tlsver == TLS1_3_VERSION && (cis_ktls_rx || sis_ktls_rx))
return 1;
#endif
@@ -1332,7 +1342,7 @@ static int test_ktls_sendfile_anytls(int tst)
int tlsver;
if (tst > 2) {
-#if defined(OPENSSL_NO_TLS1_3)
+#if defined(OSSL_NO_USABLE_TLS1_3)
return 1;
#else
tst -= 3;
@@ -1481,7 +1491,7 @@ static int test_cleanse_plaintext(void)
#endif
-#if !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OSSL_NO_USABLE_TLS1_3)
if (!TEST_true(execute_cleanse_plaintext(TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
@@ -1676,7 +1686,7 @@ static int test_tlsext_status_type(void)
}
#endif
-#if !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
static int new_called, remove_called, get_called;
static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
@@ -1992,11 +2002,11 @@ static int execute_test_session(int maxprot, int use_int_cache,
return testresult;
}
-#endif /* !defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
+#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
static int test_session_with_only_int_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, 0))
return 0;
#endif
@@ -2010,7 +2020,7 @@ static int test_session_with_only_int_cache(void)
static int test_session_with_only_ext_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 0, 1, 0))
return 0;
#endif
@@ -2024,7 +2034,7 @@ static int test_session_with_only_ext_cache(void)
static int test_session_with_both_cache(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 1, 0))
return 0;
#endif
@@ -2038,7 +2048,7 @@ static int test_session_with_both_cache(void)
static int test_session_wo_ca_names(void)
{
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (!execute_test_session(TLS1_3_VERSION, 1, 0, SSL_OP_DISABLE_TLSEXT_CA_NAMES))
return 0;
#endif
@@ -2051,7 +2061,7 @@ static int test_session_wo_ca_names(void)
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static SSL_SESSION *sesscache[6];
static int do_cache;
@@ -2492,7 +2502,7 @@ static int test_extra_tickets(int idx)
#define TOTAL_NO_CONN_SSL_SET_BIO_TESTS (3 * 3 * 3 * 3)
#define TOTAL_CONN_SUCCESS_SSL_SET_BIO_TESTS (2 * 2)
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2)
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS (2 * 2)
#else
# define TOTAL_CONN_FAIL_SSL_SET_BIO_TESTS 0
@@ -2721,7 +2731,7 @@ static int test_ssl_bio_change_wbio(void)
return execute_test_ssl_bio(0, CHANGE_WBIO);
}
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
typedef struct {
/* The list of sig algs */
const int *list;
@@ -2852,7 +2862,7 @@ static int test_set_sigalgs(int idx)
}
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
@@ -5048,7 +5058,7 @@ static int test_stateless(void)
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int clntaddoldcb = 0;
static int clntparseoldcb = 0;
@@ -5183,7 +5193,7 @@ static int test_custom_exts(int tst)
SSL_SESSION *sess = NULL;
unsigned int context;
-#if defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_3)
+#if defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3)
/* Skip tests for TLSv1.2 and below in this case */
if (tst < 3)
return 1;
@@ -5478,7 +5488,7 @@ static int test_export_key_mat(int tst)
if (tst == 2)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 3)
return 1;
#endif
@@ -5604,7 +5614,7 @@ static int test_export_key_mat(int tst)
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that SSL_export_keying_material_early() produces expected
* results. There are no test vectors so all we do is test that both
@@ -5823,7 +5833,7 @@ static int test_key_update_in_write(int tst)
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
+#endif /* OSSL_NO_USABLE_TLS1_3 */
static int test_ssl_clear(int idx)
{
@@ -5942,14 +5952,15 @@ static const unsigned char max_fragment_len_test[] = {
static int test_max_fragment_len_ext(int idx_tst)
{
- SSL_CTX *ctx;
+ SSL_CTX *ctx = NULL;
SSL *con = NULL;
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
- ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method());
- if (!TEST_ptr(ctx))
- goto end;
+ if (!TEST_true(create_ssl_ctx_pair(libctx, NULL, TLS_client_method(),
+ TLS1_VERSION, 0, NULL, &ctx, NULL,
+ NULL)))
+ return 0;
if (!TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
ctx, max_fragment_len_test[idx_tst])))
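Review bot: The switch to create_ssl_ctx_pair() pins the client context's minimum protocol version to TLS1_VERSION without a comment, whereas the old SSL_CTX_new_ex(TLS_method()) used the library defaults; a reader cannot tell whether the explicit minimum matters for the max_fragment_length check that follows or is just incidental to using the helper. A one-line comment above the call, e.g. `/* Client-only ctx built with the shared helper; minimum pinned to TLS1_VERSION because <reason> */`, would settle it. Initialising `ctx = NULL` is the right change given the `end:` cleanup path, but that path and the rest of test_max_fragment_len_ext lie outside this hunk.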
@@ -5968,7 +5979,6 @@ static int test_max_fragment_len_ext(int idx_tst)
}
SSL_set_bio(con, rbio, wbio);
- SSL_set_connect_state(con);
if (!TEST_int_le(SSL_connect(con), 0)) {
/* This shouldn't succeed because we don't have a server! */
@@ -5990,7 +6000,7 @@ end:
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
static int test_pha_key_update(void)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
@@ -6432,7 +6442,7 @@ static int test_info_callback(int tst)
return 1;
#endif
} else {
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
tlsvers = TLS1_3_VERSION;
#else
return 1;
@@ -6444,7 +6454,7 @@ static int test_info_callback(int tst)
info_cb_this_state = -1;
info_cb_offset = tst;
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
if (tst >= 4) {
SSL_SESSION *sess = NULL;
size_t written, readbytes;
@@ -6603,7 +6613,7 @@ static struct {
* We can't establish a connection (even in TLSv1.1) with these ciphersuites if
* TLSv1.3 is enabled but TLSv1.2 is disabled.
*/
-#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
+#if defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
{
TLS1_2_VERSION,
"AES128-SHA:AES256-SHA",
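Review bot: The guard on this ciphersuite table entry now tests OSSL_NO_USABLE_TLS1_3, but the comment immediately above justifies excluding the entry in terms of TLSv1.3 being enabled in the library, not in terms of built-in groups being available. In a build with TLSv1.3 compiled in, TLSv1.2 disabled and both ec and dh disabled, the entry is now included while the library may still offer TLSv1.3 for the reason the comment gives, so either the comment should explain why that combination is safe or this one guard should stay `#if defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)`. I cannot tell from the diff which is intended; if that configuration is exercised in CI, a sentence saying so would be enough. The table this entry belongs to begins before the hunk.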
@@ -6649,7 +6659,7 @@ static struct {
* This test combines TLSv1.3 and TLSv1.2 ciphersuites so they must both be
* enabled.
*/
-#if !defined(OPENSSL_NO_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
+#if !defined(OSSL_NO_USABLE_TLS1_3) && !defined(OPENSSL_NO_TLS1_2) \
&& !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
TLS1_3_VERSION,
@@ -6662,7 +6672,7 @@ static struct {
"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
},
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
{
TLS1_3_VERSION,
"AES128-SHA",
@@ -6907,7 +6917,7 @@ static int test_ticket_callbacks(int tst)
if (tst % 2 == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst % 2 == 1)
return 1;
#endif
@@ -7124,7 +7134,7 @@ static int test_shutdown(int tst)
if (tst <= 1)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 2)
return 1;
#endif
@@ -7259,7 +7269,7 @@ static int test_shutdown(int tst)
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
static int cert_cb_cnt;
static int cert_cb(SSL *s, void *arg)
@@ -7440,7 +7450,7 @@ static int test_cert_cb(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_cert_cb_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_cert_cb_int(TLS1_3_VERSION, tst);
#endif
@@ -7498,7 +7508,7 @@ static int test_client_cert_cb(int tst)
if (tst == 0)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst == 1)
return 1;
#endif
@@ -7537,7 +7547,7 @@ static int test_client_cert_cb(int tst)
return testresult;
}
-#if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
/*
* Test setting certificate authorities on both client and server.
*
@@ -7664,7 +7674,7 @@ static int test_ca_names(int tst)
#ifndef OPENSSL_NO_TLS1_2
testresult &= test_ca_names_int(TLS1_2_VERSION, tst);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
testresult &= test_ca_names_int(TLS1_3_VERSION, tst);
#endif
@@ -7794,7 +7804,7 @@ static int test_servername(int tst)
if (tst <= 4)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#ifdef OSSL_NO_USABLE_TLS1_3
if (tst >= 5)
return 1;
#endif
@@ -7925,7 +7935,7 @@ static int test_servername(int tst)
}
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
/*
* Test that if signature algorithms are not available, then we do not offer or
* accept them.
@@ -8062,10 +8072,11 @@ static int test_sigalgs_available(int idx)
}
#endif /*
* !defined(OPENSSL_NO_EC) \
- * && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ * && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
*/
#ifndef OPENSSL_NO_TLS1_3
+/* This test can run in TLSv1.3 even if ec and dh are disabled */
static int test_pluggable_group(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
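Review bot: The new comment on test_pluggable_group says the test "can run" without ec and dh but not why this guard is deliberately left as OPENSSL_NO_TLS1_3 while every other TLSv1.3 guard in the file was changed to OSSL_NO_USABLE_TLS1_3, which is what a future maintainer doing a global replace needs to know. I would expand it to `/* Deliberately guarded by OPENSSL_NO_TLS1_3 rather than OSSL_NO_USABLE_TLS1_3: the groups used here come from the test provider, so TLSv1.3 is usable even when ec and dh are disabled. */`. The `#ifndef OPENSSL_NO_TLS1_3` left unchanged in setup_tests, presumably the one registering this test, would benefit from the same note. test_pluggable_group's body continues past the end of this hunk.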
@@ -8489,7 +8500,7 @@ static int test_dh_auto(int idx)
# endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
/*
* Test that setting an SNI callback works with TLSv1.3. Specifically we check
* that it works even without a certificate configured for the original
@@ -8667,7 +8678,7 @@ int setup_tests(void)
goto err;
#if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK)
-# if !defined(OPENSSL_NO_TLS1_2) || !defined(OPENSSL_NO_TLS1_3)
+# if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_ktls, 32);
ADD_ALL_TESTS(test_ktls_sendfile_anytls, 6);
# endif
@@ -8685,7 +8696,7 @@ int setup_tests(void)
ADD_TEST(test_session_with_only_ext_cache);
ADD_TEST(test_session_with_both_cache);
ADD_TEST(test_session_wo_ca_names);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
ADD_TEST(test_psk_tickets);
@@ -8696,11 +8707,11 @@ int setup_tests(void)
ADD_TEST(test_ssl_bio_pop_ssl_bio);
ADD_TEST(test_ssl_bio_change_rbio);
ADD_TEST(test_ssl_bio_change_wbio);
-#if !defined(OPENSSL_NO_TLS1_2) || defined(OPENSSL_NO_TLS1_3)
+#if !defined(OPENSSL_NO_TLS1_2) || defined(OSSL_NO_USABLE_TLS1_3)
ADD_ALL_TESTS(test_set_sigalgs, OSSL_NELEM(testsigalgs) * 2);
ADD_TEST(test_keylog);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_keylog_no_master_key);
#endif
ADD_TEST(test_client_cert_verify_cb);
@@ -8709,7 +8720,7 @@ int setup_tests(void)
ADD_TEST(test_no_ems);
ADD_TEST(test_ccs_change_cipher);
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_early_data_read_write, 3);
/*
* We don't do replay tests for external PSK. Replay protection isn't used
@@ -8728,7 +8739,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_set_ciphersuite, 10);
ADD_TEST(test_ciphersuite_change);
ADD_ALL_TESTS(test_tls13_ciphersuite, 4);
@@ -8752,7 +8763,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_serverinfo, 8);
ADD_ALL_TESTS(test_export_key_mat, 6);
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_ALL_TESTS(test_export_key_mat_early, 3);
ADD_TEST(test_key_update);
ADD_ALL_TESTS(test_key_update_in_write, 2);
@@ -8776,7 +8787,7 @@ int setup_tests(void)
#endif
ADD_ALL_TESTS(test_servername, 10);
#if !defined(OPENSSL_NO_EC) \
- && (!defined(OPENSSL_NO_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
+ && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2))
ADD_ALL_TESTS(test_sigalgs_available, 6);
#endif
#ifndef OPENSSL_NO_TLS1_3
@@ -8789,7 +8800,7 @@ int setup_tests(void)
ADD_ALL_TESTS(test_dh_auto, 7);
# endif
#endif
-#ifndef OPENSSL_NO_TLS1_3
+#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
#endif
return 1;