authorMatt Caswell <matt@openssl.org>2021-01-14 15:50:20 +0000
committerMatt Caswell <matt@openssl.org>2021-02-05 15:22:40 +0000
commita763ca11777ce01a286751f3f3dd9b106ef74f30 (patch)
tree7ad54dd22661b8373f57ffefdee897b6282dc225 /test
parent8b1db5d329740bd5363fd1763d4030d0e015b521 (diff)
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled, we may still be able to use TLSv1.3 if groups have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
Diffstat (limited to 'test')
-rw-r--r--test/helpers/ssltestlib.c49
-rw-r--r--test/recipes/70-test_comp.t3
-rw-r--r--test/recipes/70-test_key_share.t3
-rw-r--r--test/recipes/70-test_sslcbcpadding.t2
-rw-r--r--test/recipes/70-test_sslextension.t6
-rw-r--r--test/recipes/70-test_sslrecords.t13
-rw-r--r--test/recipes/70-test_sslsigalgs.t15
-rw-r--r--test/recipes/70-test_sslsignature.t4
-rw-r--r--test/recipes/70-test_sslversions.t5
-rw-r--r--test/recipes/70-test_tls13alerts.t2
-rw-r--r--test/recipes/70-test_tls13cookie.t2
-rw-r--r--test/recipes/70-test_tls13downgrade.t4
-rw-r--r--test/recipes/70-test_tls13hrr.t2
-rw-r--r--test/recipes/70-test_tls13kexmodes.t2
-rw-r--r--test/recipes/70-test_tls13psk.t2
-rw-r--r--test/recipes/70-test_tlsextms.t17
-rw-r--r--test/recipes/80-test_ssl_new.t11
-rw-r--r--test/recipes/80-test_ssl_old.t2
-rw-r--r--test/recipes/90-test_tls13ccs.t2
-rw-r--r--test/recipes/90-test_tls13encryption.t2
-rw-r--r--test/recipes/90-test_tls13secrets.t4
-rw-r--r--test/recordlentest.c3
-rw-r--r--test/servername_test.c15
-rw-r--r--test/ssl-tests/04-client_auth.cnf.in4
-rw-r--r--test/ssl-tests/27-ticket-appdata.cnf.in3
-rw-r--r--test/ssl-tests/protocol_version.pm22
-rw-r--r--test/ssl_old_test.c5
-rw-r--r--test/ssl_test.c22
-rw-r--r--test/sslapitest.c121
29 files changed, 230 insertions, 117 deletions
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index 2366c3db4d..e339d7972c 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -685,18 +685,19 @@ static int always_retry_puts(BIO *bio, const char *str)
}
int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
-const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile)
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile)
{
SSL_CTX *serverctx = NULL;
SSL_CTX *clientctx = NULL;
- if (*sctx != NULL)
- serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
- goto err;
+ if (sctx != NULL) {
+ if (*sctx != NULL)
+ serverctx = *sctx;
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_ex(libctx, NULL, sm)))
+ goto err;
+ }
if (cctx != NULL) {
if (*cctx != NULL)
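Review bot: The new contract that `sctx` may be NULL, alongside the existing NULL-able `cctx`, is not documented on create_ssl_ctx_pair, so a caller cannot tell from the prototype whether NULL means "do not create that side" or "required out-parameter". A header comment above the definition such as `/* sctx/cctx may be NULL, in which case that side is not created; a non-NULL *sctx/*cctx is reused as-is and is not freed on error */` would capture the behaviour the guards below implement. The function body continues past this hunk.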
@@ -705,12 +706,25 @@ const SSL_METHOD *cm,
goto err;
}
- if ((min_proto_version > 0
- && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
- min_proto_version)))
- || (max_proto_version > 0
- && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
- max_proto_version))))
+#if !defined(OPENSSL_NO_TLS1_3) \
+ && defined(OPENSSL_NO_EC) \
+ && defined(OPENSSL_NO_DH)
+ /*
+ * There are no usable built-in TLSv1.3 groups if ec and dh are both
+ * disabled
+ */
+ if (max_proto_version == 0
+ && (sm == TLS_server_method() || cm == TLS_client_method()))
+ max_proto_version = TLS1_2_VERSION;
+#endif
+
+ if (serverctx != NULL
+ && ((min_proto_version > 0
+ && !TEST_true(SSL_CTX_set_min_proto_version(serverctx,
+ min_proto_version)))
+ || (max_proto_version > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(serverctx,
+ max_proto_version)))))
goto err;
if (clientctx != NULL
&& ((min_proto_version > 0
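Review bot: The clamp at `if (max_proto_version == 0 && (sm == TLS_server_method() || cm == TLS_client_method()))` recognises only the two directional methods, so a caller that passes `TLS_method()` for either side in a build with ec and dh both disabled keeps TLSv1.3 negotiable and presumably fails for want of a usable group; either add `TLS_method()` to the test or say in the comment why it is left out. The comment should also record that the clamp fires only when the caller passed 0, so a test that wants to exercise provider-supplied TLSv1.3 groups in such a build must pass an explicit `max_proto_version` to bypass it, which is the scenario the commit message is about. Comparing `sm` when `sctx` is NULL is safe as it is a pointer comparison, not a dereference. The function continues past this hunk.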
@@ -721,7 +735,7 @@ const SSL_METHOD *cm,
max_proto_version)))))
goto err;
- if (certfile != NULL && privkeyfile != NULL) {
+ if (serverctx != NULL && certfile != NULL && privkeyfile != NULL) {
if (!TEST_int_eq(SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM), 1)
|| !TEST_int_eq(SSL_CTX_use_PrivateKey_file(serverctx,
@@ -731,13 +745,14 @@ const SSL_METHOD *cm,
goto err;
}
- *sctx = serverctx;
+ if (sctx != NULL)
+ *sctx = serverctx;
if (cctx != NULL)
*cctx = clientctx;
return 1;
err:
- if (*sctx == NULL)
+ if (sctx != NULL && *sctx == NULL)
SSL_CTX_free(serverctx);
if (cctx != NULL && *cctx == NULL)
SSL_CTX_free(clientctx);
diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t
index 2ac168c252..abd41d756c 100644
--- a/test/recipes/70-test_comp.t
+++ b/test/recipes/70-test_comp.t
@@ -65,7 +65,8 @@ SKIP: {
}
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 3: Check that sending multiple compression methods in a TLSv1.3
# ClientHello fails
$proxy->clear();
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index b5b01907c6..7ecba99ee8 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -60,6 +60,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
plan skip_all => "$test_name needs TLS1.3 enabled"
if disabled("tls1_3");
+plan skip_all => "$test_name needs EC or DH enabled"
+ if disabled("ec") && disabled("dh");
+
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
my $proxy = TLSProxy::Proxy->new(
diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t
index a293ab1e8d..273093244c 100644
--- a/test/recipes/70-test_sslcbcpadding.t
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -43,6 +43,7 @@ my @test_offsets = (0, 128, 254, 255);
# Test that maximally-padded records are accepted.
my $bad_padding_offset = -1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->serverconnects(1 + scalar(@test_offsets));
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 1 + scalar(@test_offsets);
@@ -55,6 +56,7 @@ foreach my $offset (@test_offsets) {
$bad_padding_offset = $offset;
$fatal_alert = 0;
$proxy->clearClient();
+ $proxy->clientflags("-no_tls1_3");
$proxy->clientstart();
ok($fatal_alert, "Invalid padding byte $bad_padding_offset");
}
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t
index 9be001edc2..2d6262f2d4 100644
--- a/test/recipes/70-test_sslextension.t
+++ b/test/recipes/70-test_sslextension.t
@@ -197,6 +197,7 @@ ok($fatal_alert, "Duplicate ClientHello extension");
$fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&inject_duplicate_extension_serverhello);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Duplicate ServerHello extension");
@@ -207,6 +208,7 @@ SKIP: {
$proxy->clear();
$proxy->filter(\&extension_filter);
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
+ $proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success, "Zero extension length test");
@@ -244,7 +246,8 @@ SKIP: {
}
SKIP: {
- skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 7: Inject an unsolicited extension (TLSv1.3)
$fatal_alert = 0;
$proxy->clear();
@@ -260,5 +263,6 @@ SKIP: {
# ignore it in a ClientHello
$proxy->clear();
$proxy->filter(\&inject_cryptopro_extension);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello");
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 151216c57d..4a0e3e6b78 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -43,6 +43,7 @@ my $fatal_alert = 0; # set by filters at expected fatal alerts
my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
my $inject_recs_num = 1;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 20;
ok($fatal_alert, "Out of context empty records test");
@@ -51,6 +52,7 @@ ok($fatal_alert, "Out of context empty records test");
$proxy->clear();
$content_type = TLSProxy::Record::RT_HANDSHAKE;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok(TLSProxy::Message->success(), "In context empty records test");
@@ -60,6 +62,7 @@ $proxy->clear();
#We allow 32 consecutive in context empty records
$inject_recs_num = 33;
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Too many in context empty records test");
@@ -70,6 +73,7 @@ $fatal_alert = 0;
$proxy->clear();
$proxy->filter(\&add_frag_alert_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
ok($fatal_alert, "Fragmented alert records test");
@@ -92,6 +96,7 @@ my $sslv2testtype = TLSV1_2_IN_SSLV2;
$proxy->clear();
$proxy->filter(\&add_sslv2_filter);
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
@@ -102,6 +107,7 @@ ok(TLSProxy::Message->success(), "TLSv1.2 in SSLv2 ClientHello test");
$sslv2testtype = SSLV2_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
@@ -112,6 +118,7 @@ ok(TLSProxy::Message->fail(), "SSLv2 in SSLv2 ClientHello test");
$sslv2testtype = FRAGMENTED_IN_TLSV1_2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
@@ -121,6 +128,7 @@ ok(TLSProxy::Message->success(), "Fragmented ClientHello in TLSv1.2 test");
$sslv2testtype = FRAGMENTED_IN_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
@@ -130,6 +138,7 @@ ok(TLSProxy::Message->fail(), "Fragmented ClientHello in TLSv1.2/SSLv2 test");
$sslv2testtype = ALERT_BEFORE_SSLV2;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
$proxy->start();
ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
@@ -140,6 +149,7 @@ ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
$fatal_alert = 0;
$proxy->clear();
$proxy->serverflags("-tls1_2");
+$proxy->clientflags("-no_tls1_3");
$proxy->filter(\&add_unknown_record_type);
$proxy->start();
ok($fatal_alert, "Unrecognised record type in TLS1.2");
@@ -166,7 +176,8 @@ ok($fatal_alert, "Changed record version in TLS1.2");
#TLS1.3 specific tests
SKIP: {
- skip "TLSv1.3 disabled", 8 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 8
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 13: Sending a different record version in TLS1.3 should fail
$proxy->clear();
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 3548704138..609c88e716 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -54,13 +54,15 @@ use constant {
# the sigalgs
#Test 1: Default sig algs should succeed
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 26;
ok(TLSProxy::Message->success, "Default sigalgs");
my $testtype;
SKIP: {
- skip "TLSv1.3 disabled", 6 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 6
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$proxy->filter(\&sigalgs_filter);
@@ -237,7 +239,10 @@ SKIP: {
my ($dsa_status, $sha1_status, $sha224_status);
SKIP: {
- skip "TLSv1.3 disabled", 2 if disabled("tls1_3") || disabled("dsa");
+ skip "TLSv1.3 disabled", 2
+ if disabled("tls1_3")
+ || disabled("dsa")
+ || (disabled("ec") && disabled("dh"));
#Test 20: signature_algorithms with 1.3-only ClientHello
$testtype = PURE_SIGALGS;
$dsa_status = $sha1_status = $sha224_status = 0;
@@ -263,7 +268,8 @@ SKIP: {
}
SKIP: {
- skip "TLSv1.3 disabled", 3 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 5
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 22: Insert signature_algorithms_cert that match normal sigalgs
$testtype = SIGALGS_CERT_ALL;
$proxy->clear();
@@ -284,10 +290,7 @@ SKIP: {
$proxy->filter(\&modify_sigalgs_cert_filter);
$proxy->start();
ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
-}
-SKIP: {
- skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
#Test 25: Send an unrecognized signature_algorithms_cert
# We should be able to skip over the unrecognized value and use a
# valid one that appears later in the list.
diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t
index a7d33503ed..147dd38bf2 100644
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -45,12 +45,14 @@ $proxy->filter(\&signature_filter);
#Test 1: No corruption should succeed
my $testtype = NO_CORRUPTION;
+$proxy->clientflags("-no_tls1_3") if disabled("ec") && disabled("dh");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 4;
ok(TLSProxy::Message->success, "No corruption");
SKIP: {
- skip "TLSv1.3 disabled", 1 if disabled("tls1_3");
+ skip "TLSv1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
#Test 2: Corrupting a server CertVerify signature in TLSv1.3 should fail
$proxy->clear();
diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t
index 864f4f5283..0a67fe1006 100644
--- a/test/recipes/70-test_sslversions.t
+++ b/test/recipes/70-test_sslversions.t
@@ -37,7 +37,10 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
- if disabled("tls1_3") || disabled("tls1_2") || disabled("tls1_1");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2")
+ || disabled("tls1_1");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t
index 205955fad8..c6c9d25f8d 100644
--- a/test/recipes/70-test_tls13alerts.t
+++ b/test/recipes/70-test_tls13alerts.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t
index aef2cf8848..2036583fda 100644
--- a/test/recipes/70-test_tls13cookie.t
+++ b/test/recipes/70-test_tls13cookie.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t
index f8dc8543be..63902a58e6 100644
--- a/test/recipes/70-test_tls13downgrade.t
+++ b/test/recipes/70-test_tls13downgrade.t
@@ -24,7 +24,9 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
- if disabled("tls1_3") || disabled("tls1_2");
+ if disabled("tls1_3")
+ || (disabled("ec") && disabled("dh"))
+ || disabled("tls1_2");
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index 8f6e54e235..0423bc3c36 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -24,7 +24,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLS1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 6648376c0c..da4f3f3865 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -26,7 +26,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan skip_all => "$test_name needs EC enabled"
if disabled("ec");
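Review bot: The added `|| (disabled("ec") && disabled("dh"))` on the TLSv1.3 skip is redundant in this recipe, because the very next `plan skip_all ... if disabled("ec");` already skips the file whenever ec is disabled, which covers the ec-and-dh case. Worse, since the TLSv1.3 check runs first, a build with ec disabled now reports "needs TLSv1.3 enabled" instead of the more accurate "needs EC enabled". Restoring the original `if disabled("tls1_3");` keeps the skip reasons truthful; if the duplication is intentional for uniformity with the other recipes, a one-line comment saying so would stop the next reader from removing it.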
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index 66582b7d8e..2f750d858b 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -25,7 +25,7 @@ plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs TLSv1.3 enabled"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t
index 55ef58e202..d567b15552 100644
--- a/test/recipes/70-test_tlsextms.t
+++ b/test/recipes/70-test_tlsextms.t
@@ -56,9 +56,7 @@ my $proxy = TLSProxy::Proxy->new(
setrmextms(0, 0);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-my $numtests = 9;
-$numtests++ if (!disabled("tls1_3"));
-plan tests => $numtests;
+plan tests => 10;
checkmessages(1, "Default extended master secret test", 1, 1, 1);
#Test 2: If client omits extended master secret extension, server should too.
@@ -175,11 +173,14 @@ $proxy->clientstart();
ok(TLSProxy::Message->fail(), "Server inconsistent session resumption 2");
unlink $session;
-#Test 10: In TLS1.3 we should not negotiate extended master secret
-#Expected result: ClientHello extension seen; ServerHello extension not seen
-# TLS1.3 handshake (will appear as abbreviated handshake
-# because of no CKE message)
-if (!disabled("tls1_3")) {
+SKIP: {
+ skip "TLS 1.3 disabled", 1
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
+
+ #Test 10: In TLS1.3 we should not negotiate extended master secret
+ #Expected result: ClientHello extension seen; ServerHello extension not seen
+ # TLS1.3 handshake (will appear as abbreviated handshake
+ # because of no CKE message)
clearall();
setrmextms(0, 0);
$proxy->start();
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 24e75ae1c9..99dbdea1bb 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -43,13 +43,16 @@ plan tests => 30 # = scalar @conf_srcs
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
- !disabled("tls1_3"));
+ !disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
+if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
+ $no_tls = 1;
+}
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
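Review bot: The override at `if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) { $no_tls = 1; }` carries no comment explaining why a build whose only TLS protocol is TLSv1.3 is treated as having no TLS at all; `# No built-in TLSv1.3 groups without ec or dh, so a TLSv1.3-only build cannot run any TLS test` would make the intent clear. The `!$no_tls &&` guard is redundant because setting an already-true flag to 1 changes nothing, so `$no_tls = 1 if $no_tls_below1_3 && disabled("ec") && disabled("dh");` reads more directly. Note that `$no_tls_below1_3` on the line above is computed from the pre-override `$no_tls`, which appears to be what is wanted here.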
@@ -105,13 +108,13 @@ my %skip = (
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ec,
- "21-key-update.cnf" => disabled("tls1_3"),
+ "21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
- "24-padding.cnf" => disabled("tls1_3"),
+ "24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
- "26-tls13_client_auth.cnf" => disabled("tls1_3"),
+ "26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
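Review bot: `$no_dh` is used at `"21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),` and in the 24-padding and 26-tls13_client_auth entries, but its declaration is outside this hunk; only `$no_ec` is visibly already in use (the 20-cert-select line), so please confirm `$no_dh` is defined alongside it, otherwise `use strict` rejects the file. The earlier hunk in this file spells the same condition as `disabled("ec") && disabled("dh")`; a single `my $no_tls1_3_groups = $no_ec && $no_dh;` used in all four places would keep the condition in one spot and make the two hunks agree.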
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 975d1a9fd6..2f3d5d1c8c 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -33,6 +33,8 @@ my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
anydisabled qw/rsa dsa dh ec psk
ssl3 tls1 tls1_1 tls1_2 tls1_3
dtls dtls1 dtls1_2 ct/;
+#If ec and dh are disabled then don't use TLSv1.3
+$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh);
my $no_anytls = alldisabled(available_protocols("tls"));
my $no_anydtls = alldisabled(available_protocols("dtls"));
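Review bot: `$no_tls1_3 = 1 if (!$no_tls1_3 && $no_ec && $no_dh);` overrides the per-protocol flag but leaves `$no_anytls = alldisabled(available_protocols("tls"))` on the following line unaware of it, so in a build where TLSv1.3 is the only enabled TLS protocol and ec and dh are both disabled, `$no_anytls` stays false while every version flag is set. 80-test_ssl_new.t in this same commit forces its `$no_tls` for exactly that case, and presumably the same adjustment is needed here, depending on how `$no_anytls` is used further down (outside this hunk). The `!$no_tls1_3 &&` clause is redundant: `$no_tls1_3 = 1 if $no_ec && $no_dh;` is equivalent.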
diff --git a/test/recipes/90-test_tls13ccs.t b/test/recipes/90-test_tls13ccs.t
index 1281c362d6..3bd65b8ba0 100644
--- a/test/recipes/90-test_tls13ccs.t
+++ b/test/recipes/90-test_tls13ccs.t
@@ -14,7 +14,7 @@ my $test_name = "test_tls13ccs";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recipes/90-test_tls13encryption.t b/test/recipes/90-test_tls13encryption.t
index 145e1b9f8c..45b7b8a9aa 100644
--- a/test/recipes/90-test_tls13encryption.t
+++ b/test/recipes/90-test_tls13encryption.t
@@ -13,7 +13,7 @@ my $test_name = "tls13encryption";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3");
+ if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recipes/90-test_tls13secrets.t b/test/recipes/90-test_tls13secrets.t
index ba437f59b8..13af681bf0 100644
--- a/test/recipes/90-test_tls13secrets.t
+++ b/test/recipes/90-test_tls13secrets.t
@@ -13,7 +13,9 @@ my $test_name = "tls13secrets";
setup($test_name);
plan skip_all => "$test_name is not supported in this build"
- if disabled("tls1_3") || disabled("shared");
+ if disabled("tls1_3")
+ || disabled("shared")
+ || (disabled("ec") && disabled("dh"));
plan tests => 1;
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 5388db7ddd..daf19bb8f3 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -94,7 +94,8 @@ static int test_record_overflow(int idx)
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_2_NOT_OK)
return 1;
#endif
-#ifdef OPENSSL_NO_TLS1_3
+#if defined(OPENSSL_NO_TLS1_3) \
+ || (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
if (idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_OK
|| idx == TEST_ENCRYPTED_OVERFLOW_TLS1_3_NOT_OK)
return 1;
diff --git a/test/servername_test.c b/test/servername_test.c
index 14088211c9..d6fb7b5bb6 100644
--- a/test/servername_test.c
+++ b/test/servername_test.c
@@ -31,6 +31,13 @@ static const char *host = "dummy-host";
static char *cert = NULL;
static char *privkey = NULL;
+#if defined(OPENSSL_NO_TLS1_3) || \
+ (defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH))
+static int maxversion = TLS1_2_VERSION;
+#else
+static int maxversion = 0;
+#endif
+
static int get_sni_from_client_hello(BIO *bio, char **sni)
{
long len;
@@ -101,6 +108,10 @@ static int client_setup_sni_before_state(void)
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
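Review bot: The four lines `if (maxversion > 0 && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion))) goto end;` are added identically here in client_setup_sni_before_state and again in client_setup_sni_after_state in the next hunk; a small static helper that creates the ctx and applies the bound, or at least a comment on `maxversion` saying every client setup path must apply it, would keep the two copies from drifting. The file-scope `static int maxversion` in the first hunk of this file also has no comment explaining the `#if`; `/* Cap at TLSv1.2 when TLSv1.3 is unusable: disabled, or no built-in groups because ec and dh are both off */` would do. Both setup functions start and end outside their hunks.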
@@ -149,6 +160,10 @@ static int client_setup_sni_after_state(void)
if (!TEST_ptr(ctx))
goto end;
+ if (maxversion > 0
+ && !TEST_true(SSL_CTX_set_max_proto_version(ctx, maxversion)))
+ goto end;
+
con = SSL_new(ctx);
if (!TEST_ptr(con))
goto end;
diff --git a/test/ssl-tests/04-client_auth.cnf.in b/test/ssl-tests/04-client_auth.cnf.in
index ad0ae7ae18..d908ad1c7d 100644
--- a/test/ssl-tests/04-client_auth.cnf.in
+++ b/test/ssl-tests/04-client_auth.cnf.in
@@ -116,7 +116,9 @@ sub generate_tests() {
test => {
"ExpectedResult" => "ServerFail",
"ExpectedServerAlert" =>
- ($protocol_name eq "flex" && !disabled("tls1_3"))
+ ($protocol_name eq "flex"
+ && !disabled("tls1_3")
+ && (!disabled("ec") || !disabled("dh")))
? "CertificateRequired" : "HandshakeFailure",
"Method" => $method,
},
diff --git a/test/ssl-tests/27-ticket-appdata.cnf.in b/test/ssl-tests/27-ticket-appdata.cnf.in
index 719c98a107..d9e861933f 100644
--- a/