2016-03-17 22:14:30 +08:00
|
|
|
/*
|
2023-09-07 16:59:15 +08:00
|
|
|
* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
2016-03-17 22:14:30 +08:00
|
|
|
*
|
2018-12-06 20:05:25 +08:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 02:20:24 +08:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
2016-03-17 22:14:30 +08:00
|
|
|
* https://www.openssl.org/source/license.html
|
|
|
|
*/
|
|
|
|
|
2019-09-28 06:45:57 +08:00
|
|
|
#ifndef OSSL_TEST_SSL_TEST_CTX_H
|
|
|
|
#define OSSL_TEST_SSL_TEST_CTX_H
|
2016-03-17 22:14:30 +08:00
|
|
|
|
|
|
|
#include <openssl/conf.h>
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
|
|
|
typedef enum {
|
2016-04-08 01:07:50 +08:00
|
|
|
SSL_TEST_SUCCESS = 0, /* Default */
|
2016-03-17 22:14:30 +08:00
|
|
|
SSL_TEST_SERVER_FAIL,
|
|
|
|
SSL_TEST_CLIENT_FAIL,
|
2016-07-06 01:06:23 +08:00
|
|
|
SSL_TEST_INTERNAL_ERROR,
|
|
|
|
/* Couldn't test resumption/renegotiation: original handshake failed. */
|
|
|
|
SSL_TEST_FIRST_HANDSHAKE_FAILED
|
2016-03-17 22:14:30 +08:00
|
|
|
} ssl_test_result_t;
|
|
|
|
|
2016-04-08 01:07:50 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_VERIFY_NONE = 0, /* Default */
|
|
|
|
SSL_TEST_VERIFY_ACCEPT_ALL,
|
2021-01-17 03:43:00 +08:00
|
|
|
SSL_TEST_VERIFY_RETRY_ONCE,
|
2016-04-08 01:07:50 +08:00
|
|
|
SSL_TEST_VERIFY_REJECT_ALL
|
|
|
|
} ssl_verify_callback_t;
|
|
|
|
|
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
|
|
|
typedef enum {
|
2016-06-10 06:39:22 +08:00
|
|
|
SSL_TEST_SERVERNAME_NONE = 0, /* Default */
|
|
|
|
SSL_TEST_SERVERNAME_SERVER1,
|
2016-06-20 23:20:25 +08:00
|
|
|
SSL_TEST_SERVERNAME_SERVER2,
|
|
|
|
SSL_TEST_SERVERNAME_INVALID
|
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
|
|
|
} ssl_servername_t;
|
|
|
|
|
2016-06-20 23:20:25 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_SERVERNAME_CB_NONE = 0, /* Default */
|
|
|
|
SSL_TEST_SERVERNAME_IGNORE_MISMATCH,
|
2017-02-01 06:06:30 +08:00
|
|
|
SSL_TEST_SERVERNAME_REJECT_MISMATCH,
|
2017-09-08 06:39:40 +08:00
|
|
|
SSL_TEST_SERVERNAME_CLIENT_HELLO_IGNORE_MISMATCH,
|
|
|
|
SSL_TEST_SERVERNAME_CLIENT_HELLO_REJECT_MISMATCH,
|
|
|
|
SSL_TEST_SERVERNAME_CLIENT_HELLO_NO_V12
|
2016-06-20 23:20:25 +08:00
|
|
|
} ssl_servername_callback_t;
|
|
|
|
|
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_SESSION_TICKET_IGNORE = 0, /* Default */
|
|
|
|
SSL_TEST_SESSION_TICKET_YES,
|
|
|
|
SSL_TEST_SESSION_TICKET_NO,
|
2016-06-17 02:49:37 +08:00
|
|
|
SSL_TEST_SESSION_TICKET_BROKEN /* Special test */
|
2016-06-10 06:39:22 +08:00
|
|
|
} ssl_session_ticket_t;
|
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
|
|
|
|
2017-03-01 20:11:51 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_COMPRESSION_NO = 0, /* Default */
|
|
|
|
SSL_TEST_COMPRESSION_YES
|
|
|
|
} ssl_compression_t;
|
|
|
|
|
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
2016-09-01 20:40:54 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_SESSION_ID_IGNORE = 0, /* Default */
|
|
|
|
SSL_TEST_SESSION_ID_YES,
|
|
|
|
SSL_TEST_SESSION_ID_NO
|
|
|
|
} ssl_session_id_t;
|
|
|
|
|
2016-06-03 23:49:04 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_METHOD_TLS = 0, /* Default */
|
2022-05-17 00:08:54 +08:00
|
|
|
SSL_TEST_METHOD_DTLS,
|
|
|
|
SSL_TEST_METHOD_QUIC
|
2016-06-03 23:49:04 +08:00
|
|
|
} ssl_test_method_t;
|
|
|
|
|
2016-07-06 01:06:23 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_HANDSHAKE_SIMPLE = 0, /* Default */
|
|
|
|
SSL_TEST_HANDSHAKE_RESUME,
|
2016-09-27 18:50:43 +08:00
|
|
|
SSL_TEST_HANDSHAKE_RENEG_SERVER,
|
2017-02-15 17:25:52 +08:00
|
|
|
SSL_TEST_HANDSHAKE_RENEG_CLIENT,
|
|
|
|
SSL_TEST_HANDSHAKE_KEY_UPDATE_SERVER,
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
SSL_TEST_HANDSHAKE_KEY_UPDATE_CLIENT,
|
|
|
|
SSL_TEST_HANDSHAKE_POST_HANDSHAKE_AUTH
|
2016-07-06 01:06:23 +08:00
|
|
|
} ssl_handshake_mode_t;
|
|
|
|
|
2016-08-09 22:47:26 +08:00
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_CT_VALIDATION_NONE = 0, /* Default */
|
|
|
|
SSL_TEST_CT_VALIDATION_PERMISSIVE,
|
|
|
|
SSL_TEST_CT_VALIDATION_STRICT
|
|
|
|
} ssl_ct_validation_t;
|
2016-08-30 21:20:18 +08:00
|
|
|
|
|
|
|
typedef enum {
|
|
|
|
SSL_TEST_CERT_STATUS_NONE = 0, /* Default */
|
|
|
|
SSL_TEST_CERT_STATUS_GOOD_RESPONSE,
|
|
|
|
SSL_TEST_CERT_STATUS_BAD_RESPONSE
|
|
|
|
} ssl_cert_status_t;
|
2017-03-14 20:48:54 +08:00
|
|
|
|
2016-07-21 22:29:48 +08:00
|
|
|
/*
|
|
|
|
* Server/client settings that aren't supported by the SSL CONF library,
|
|
|
|
* such as callbacks.
|
|
|
|
*/
|
|
|
|
typedef struct {
|
|
|
|
/* One of a number of predefined custom callbacks. */
|
|
|
|
ssl_verify_callback_t verify_callback;
|
|
|
|
/* One of a number of predefined server names use by the client */
|
|
|
|
ssl_servername_t servername;
|
2017-11-06 00:46:48 +08:00
|
|
|
/* Maximum Fragment Length extension mode */
|
|
|
|
int max_fragment_len_mode;
|
2016-07-21 22:29:48 +08:00
|
|
|
/* Supported NPN and ALPN protocols. A comma-separated list. */
|
|
|
|
char *npn_protocols;
|
|
|
|
char *alpn_protocols;
|
2016-08-09 22:47:26 +08:00
|
|
|
ssl_ct_validation_t ct_validation;
|
2017-02-03 19:21:07 +08:00
|
|
|
/* Ciphersuites to set on a renegotiation */
|
|
|
|
char *reneg_ciphers;
|
2017-03-14 20:48:54 +08:00
|
|
|
char *srp_user;
|
|
|
|
char *srp_password;
|
2018-08-13 22:23:27 +08:00
|
|
|
/* PHA enabled */
|
|
|
|
int enable_pha;
|
2020-06-05 16:50:25 +08:00
|
|
|
/* Do not send extms on renegotiation */
|
|
|
|
int no_extms_on_reneg;
|
2016-07-21 22:29:48 +08:00
|
|
|
} SSL_TEST_CLIENT_CONF;
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
/* SNI callback (server-side). */
|
|
|
|
ssl_servername_callback_t servername_callback;
|
|
|
|
/* Supported NPN and ALPN protocols. A comma-separated list. */
|
|
|
|
char *npn_protocols;
|
|
|
|
char *alpn_protocols;
|
|
|
|
/* Whether to set a broken session ticket callback. */
|
|
|
|
int broken_session_ticket;
|
2016-08-30 21:20:18 +08:00
|
|
|
/* Should we send a CertStatus message? */
|
|
|
|
ssl_cert_status_t cert_status;
|
2017-03-14 20:48:54 +08:00
|
|
|
/* An SRP user known to the server. */
|
|
|
|
char *srp_user;
|
|
|
|
char *srp_password;
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-19 05:52:28 +08:00
|
|
|
/* Forced PHA */
|
|
|
|
int force_pha;
|
2017-03-16 01:25:55 +08:00
|
|
|
char *session_ticket_app_data;
|
2016-07-21 22:29:48 +08:00
|
|
|
} SSL_TEST_SERVER_CONF;
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
SSL_TEST_CLIENT_CONF client;
|
|
|
|
SSL_TEST_SERVER_CONF server;
|
|
|
|
SSL_TEST_SERVER_CONF server2;
|
|
|
|
} SSL_TEST_EXTRA_CONF;
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
/*
|
|
|
|
* Global test configuration. Does not change between handshakes.
|
|
|
|
*/
|
|
|
|
/* Whether the server/client CTX should use DTLS or TLS. */
|
|
|
|
ssl_test_method_t method;
|
|
|
|
/* Whether to test a resumed/renegotiated handshake. */
|
|
|
|
ssl_handshake_mode_t handshake_mode;
|
2016-08-12 02:51:57 +08:00
|
|
|
/*
|
|
|
|
* How much application data to exchange (default is 256 bytes).
|
|
|
|
* Both peers will send |app_data_size| bytes interleaved.
|
|
|
|
*/
|
|
|
|
int app_data_size;
|
2016-08-16 21:11:08 +08:00
|
|
|
/* Maximum send fragment size. */
|
|
|
|
int max_fragment_size;
|
2017-02-15 17:25:52 +08:00
|
|
|
/* KeyUpdate type */
|
2017-02-17 01:04:40 +08:00
|
|
|
int key_update_type;
|
2016-07-21 22:29:48 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Extra server/client configurations. Per-handshake.
|
|
|
|
*/
|
|
|
|
/* First handshake. */
|
|
|
|
SSL_TEST_EXTRA_CONF extra;
|
|
|
|
/* Resumed handshake. */
|
|
|
|
SSL_TEST_EXTRA_CONF resume_extra;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Test expectations. These apply to the LAST handshake.
|
|
|
|
*/
|
2016-03-17 22:14:30 +08:00
|
|
|
/* Defaults to SUCCESS. */
|
|
|
|
ssl_test_result_t expected_result;
|
|
|
|
/* Alerts. 0 if no expectation. */
|
|
|
|
/* See ssl.h for alert codes. */
|
|
|
|
/* Alert sent by the client / received by the server. */
|
2016-07-21 22:29:48 +08:00
|
|
|
int expected_client_alert;
|
2016-03-17 22:14:30 +08:00
|
|
|
/* Alert sent by the server / received by the client. */
|
2016-07-21 22:29:48 +08:00
|
|
|
int expected_server_alert;
|
2016-03-17 22:14:30 +08:00
|
|
|
/* Negotiated protocol version. 0 if no expectation. */
|
|
|
|
/* See ssl.h for protocol versions. */
|
2016-07-21 22:29:48 +08:00
|
|
|
int expected_protocol;
|
2016-06-20 23:20:25 +08:00
|
|
|
/*
|
|
|
|
* The expected SNI context to use.
|
|
|
|
* We test server-side that the server switched to the expected context.
|
|
|
|
* Set by the callback upon success, so if the callback wasn't called or
|
|
|
|
* terminated with an alert, the servername will match with
|
|
|
|
* SSL_TEST_SERVERNAME_NONE.
|
|
|
|
* Note: in the event that the servername was accepted, the client should
|
|
|
|
* also receive an empty SNI extension back but we have no way of probing
|
|
|
|
* client-side via the API that this was the case.
|
|
|
|
*/
|
|
|
|
ssl_servername_t expected_servername;
|
2016-06-10 06:39:22 +08:00
|
|
|
ssl_session_ticket_t session_ticket_expected;
|
2017-03-02 21:41:10 +08:00
|
|
|
int compression_expected;
|
2016-07-21 22:29:48 +08:00
|
|
|
/* The expected NPN/ALPN protocol to negotiate. */
|
2016-07-05 02:16:14 +08:00
|
|
|
char *expected_npn_protocol;
|
|
|
|
char *expected_alpn_protocol;
|
2016-07-06 01:06:23 +08:00
|
|
|
/* Whether the second handshake is resumed or a full handshake (boolean). */
|
|
|
|
int resumption_expected;
|
2017-01-08 08:09:08 +08:00
|
|
|
/* Expected temporary key type */
|
|
|
|
int expected_tmp_key_type;
|
2017-01-09 03:30:41 +08:00
|
|
|
/* Expected server certificate key type */
|
|
|
|
int expected_server_cert_type;
|
2017-01-13 23:20:42 +08:00
|
|
|
/* Expected server signing hash */
|
|
|
|
int expected_server_sign_hash;
|
2017-01-27 23:06:16 +08:00
|
|
|
/* Expected server signature type */
|
|
|
|
int expected_server_sign_type;
|
2017-04-01 05:35:28 +08:00
|
|
|
/* Expected server CA names */
|
|
|
|
STACK_OF(X509_NAME) *expected_server_ca_names;
|
2017-01-09 03:30:41 +08:00
|
|
|
/* Expected client certificate key type */
|
|
|
|
int expected_client_cert_type;
|
2017-01-13 23:20:42 +08:00
|
|
|
/* Expected client signing hash */
|
|
|
|
int expected_client_sign_hash;
|
2017-01-27 23:06:16 +08:00
|
|
|
/* Expected client signature type */
|
|
|
|
int expected_client_sign_type;
|
2017-03-16 00:07:07 +08:00
|
|
|
/* Expected CA names for client auth */
|
|
|
|
STACK_OF(X509_NAME) *expected_client_ca_names;
|
2017-04-24 16:42:28 +08:00
|
|
|
/* Whether to use SCTP for the transport */
|
|
|
|
int use_sctp;
|
2021-08-10 04:56:50 +08:00
|
|
|
/* Whether to pre-compress server certificates */
|
|
|
|
int compress_certificates;
|
2018-12-26 19:44:53 +08:00
|
|
|
/* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on client side */
|
|
|
|
int enable_client_sctp_label_bug;
|
|
|
|
/* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on server side */
|
|
|
|
int enable_server_sctp_label_bug;
|
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
2016-09-01 20:40:54 +08:00
|
|
|
/* Whether to expect a session id from the server */
|
|
|
|
ssl_session_id_t session_id_expected;
|
2015-12-22 04:19:29 +08:00
|
|
|
char *expected_cipher;
|
2017-03-16 01:25:55 +08:00
|
|
|
/* Expected Session Ticket Application Data */
|
|
|
|
char *expected_session_ticket_app_data;
|
2020-07-24 20:53:27 +08:00
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
OSSL_LIB_CTX *libctx;
|
2023-04-18 12:41:17 +08:00
|
|
|
|
|
|
|
/* FIPS version string to check for compatibility */
|
|
|
|
char *fips_version;
|
2016-03-17 22:14:30 +08:00
|
|
|
} SSL_TEST_CTX;
|
|
|
|
|
2016-04-08 01:07:50 +08:00
|
|
|
const char *ssl_test_result_name(ssl_test_result_t result);
|
2016-03-17 22:14:30 +08:00
|
|
|
const char *ssl_alert_name(int alert);
|
|
|
|
const char *ssl_protocol_name(int protocol);
|
2016-04-08 01:07:50 +08:00
|
|
|
const char *ssl_verify_callback_name(ssl_verify_callback_t verify_callback);
|
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-05-13 06:16:52 +08:00
|
|
|
const char *ssl_servername_name(ssl_servername_t server);
|
2016-06-20 23:20:25 +08:00
|
|
|
const char *ssl_servername_callback_name(ssl_servername_callback_t
|
|
|
|
servername_callback);
|
2016-06-10 06:39:22 +08:00
|
|
|
const char *ssl_session_ticket_name(ssl_session_ticket_t server);
|
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
2016-09-01 20:40:54 +08:00
|
|
|
const char *ssl_session_id_name(ssl_session_id_t server);
|
2016-06-03 23:49:04 +08:00
|
|
|
const char *ssl_test_method_name(ssl_test_method_t method);
|
2016-07-06 01:06:23 +08:00
|
|
|
const char *ssl_handshake_mode_name(ssl_handshake_mode_t mode);
|
2016-08-09 22:47:26 +08:00
|
|
|
const char *ssl_ct_validation_name(ssl_ct_validation_t mode);
|
2016-08-30 21:20:18 +08:00
|
|
|
const char *ssl_certstatus_name(ssl_cert_status_t cert_status);
|
2017-11-06 00:46:48 +08:00
|
|
|
const char *ssl_max_fragment_len_name(int MFL_mode);
|
2016-03-17 22:14:30 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Load the test case context from |conf|.
|
2016-07-21 22:29:48 +08:00
|
|
|
* See test/README.ssltest.md for details on the conf file format.
|
2016-03-17 22:14:30 +08:00
|
|
|
*/
|
2020-07-24 20:53:27 +08:00
|
|
|
SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section,
|
2020-10-15 17:55:50 +08:00
|
|
|
OSSL_LIB_CTX *libctx);
|
2016-03-17 22:14:30 +08:00
|
|
|
|
2020-10-15 17:55:50 +08:00
|
|
|
SSL_TEST_CTX *SSL_TEST_CTX_new(OSSL_LIB_CTX *libctx);
|
2016-03-17 22:14:30 +08:00
|
|
|
|
|
|
|
void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx);
|
|
|
|
|
2019-09-28 06:45:57 +08:00
|
|
|
#endif /* OSSL_TEST_SSL_TEST_CTX_H */
|